
Showing papers on "Denial-of-service attack" published in 2009


Book ChapterDOI
30 Apr 2009
TL;DR: This work presents a semi-definite programming based solution for solving the problem of security constrained optimal control for discrete-time, linear dynamical systems in which control and measurement packets are transmitted over a communication network.
Abstract: We consider the problem of security constrained optimal control for discrete-time, linear dynamical systems in which control and measurement packets are transmitted over a communication network. The packets may be jammed or compromised by a malicious adversary. For a class of denial-of-service (DoS) attack models, the goal is to find an (optimal) causal feedback controller that minimizes a given objective function subject to safety and power constraints. We present a semi-definite programming based solution for solving this problem. Our analysis also presents insights on the effect of attack models on solution of the optimal control problem.

676 citations


Proceedings Article
10 Aug 2009
TL;DR: A novel malware detection approach is proposed that is both effective and efficient, and thus, can be used to replace or complement traditional antivirus software at the end host.
Abstract: Malware is one of the most serious security threats on the Internet today. In fact, most Internet problems such as spam e-mails and denial of service attacks have malware as their underlying cause. That is, computers that are compromised with malware are often networked together to form botnets, and many attacks are launched using these malicious, attacker-controlled networks. With the increasing significance of malware in Internet attacks, much research has concentrated on developing techniques to collect, study, and mitigate malicious code. Without doubt, it is important to collect and study malware found on the Internet. However, it is even more important to develop mitigation and detection techniques based on the insights gained from the analysis work. Unfortunately, current host-based detection approaches (i.e., anti-virus software) suffer from ineffective detection models. These models concentrate on the features of a specific malware instance, and are often easily evadable by obfuscation or polymorphism. Also, detectors that check for the presence of a sequence of system calls exhibited by a malware instance are often evadable by system call reordering. In order to address the shortcomings of ineffective models, several dynamic detection approaches have been proposed that aim to identify the behavior exhibited by a malware family. Although promising, these approaches are unfortunately too slow to be used as real-time detectors on the end host, and they often require cumbersome virtual machine technology. In this paper, we propose a novel malware detection approach that is both effective and efficient, and thus, can be used to replace or complement traditional antivirus software at the end host. Our approach first analyzes a malware program in a controlled environment to build a model that characterizes its behavior. Such models describe the information flows between the system calls essential to the malware's mission, and therefore, cannot be easily evaded by simple obfuscation or polymorphic techniques. Then, we extract the program slices responsible for such information flows. For detection, we execute these slices to match our models against the runtime behavior of an unknown program. Our experiments show that our approach can effectively detect running malicious code on an end user's host with a small overhead.

498 citations


Journal ArticleDOI
TL;DR: A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks of new application-layer DDoS attacks.
Abstract: Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. Focusing on the detection for such new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect the potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.

256 citations


Proceedings ArticleDOI
09 Nov 2009
TL;DR: The impact of the large scale compromise and coordination of mobile phones in attacks against the core of cellular networks is characterized and a number of countermeasures that may help to partially mitigate the threats posed by such attacks are discussed.
Abstract: The vast expansion of interconnectivity with the Internet and the rapid evolution of highly-capable but largely insecure mobile devices threatens cellular networks. In this paper, we characterize the impact of the large scale compromise and coordination of mobile phones in attacks against the core of these networks. Through a combination of measurement, simulation and analysis, we demonstrate the ability of a botnet composed of as few as 11,750 compromised mobile phones to degrade service to area-code sized regions by 93%. As such attacks are accomplished through the execution of network service requests and not a constant stream of phone calls, users are unlikely to be aware of their occurrence. We then investigate a number of significant network bottlenecks, their impact on the density of compromised nodes per base station and how they can be avoided. We conclude by discussing a number of countermeasures that may help to partially mitigate the threats posed by such attacks.

240 citations


Book ChapterDOI
29 Jun 2009
TL;DR: This work proposes a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode, and demonstrates that the system performs accurate detection with no false positives.
Abstract: Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transferred to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

222 citations


Journal ArticleDOI
TL;DR: An extended hidden semi-Markov model is proposed to describe the browsing behaviors of web surfers and a novel forward algorithm is derived for the online implementation of the model based on the M-algorithm to reduce the computational amount introduced by the model's large state space.
Abstract: Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to achieve early attack detection and filtering for the application-layer-based DDoS attack. An extended hidden semi-Markov model is proposed to describe the browsing behaviors of web surfers. In order to reduce the computational amount introduced by the model's large state space, a novel forward algorithm is derived for the online implementation of the model based on the M-algorithm. Entropy of the user's HTTP request sequence fitting to the model is used as a criterion to measure the user's normality. Finally, experiments are conducted to validate our model and algorithm.

221 citations


Journal ArticleDOI
TL;DR: This investigation derives several jamming attacks that allow the jammer to jam S-MAC, LMAC, and B-MAC energy efficiently, and shows that it takes little effort to implement such effective jammers, making them a realistic threat.
Abstract: A typical wireless sensor node has little protection against radio jamming. The situation becomes worse if energy-efficient jamming can be achieved by exploiting knowledge of the data link layer. Encrypting the packets may help to prevent the jammer from taking actions based on the content of the packets, but the temporal arrangement of the packets induced by the nature of the protocol might unravel patterns that the jammer can take advantage of, even when the packets are encrypted. By looking at the packet interarrival times in three representative MAC protocols, S-MAC, LMAC, and B-MAC, we derive several jamming attacks that allow the jammer to jam S-MAC, LMAC, and B-MAC energy efficiently. The jamming attacks are based on realistic assumptions. The algorithms are described in detail and simulated. The effectiveness and efficiency of the attacks are examined. In addition, we validate our simulation model by comparing its results with measurements obtained from actual implementation on our sensor node prototypes. We show that it takes little effort to implement such effective jammers, making them a realistic threat. Careful analysis of other protocols belonging to the respective categories of S-MAC, LMAC, and B-MAC reveals that those protocols are, to some extent, also susceptible to our attacks. The result of this investigation provides new insights into the security considerations of MAC protocols.

209 citations


Patent
19 Oct 2009
TL;DR: In this article, the authors present a method for detecting and alerting on the following conditions: (1) Denial of Service Attack; (2) Unauthorized Usage Attack (for an IP camera, unauthorized person seeing a camera image); and (3) Spoofing Attack (for an IP camera, unauthorized person seeing substitute images).
Abstract: This invention is a system, method, and apparatus for detecting compromise of IP devices that make up an IP-based network. One embodiment is a method for detecting and alerting on the following conditions: (1) Denial of Service Attack; (2) Unauthorized Usage Attack (for an IP camera, unauthorized person seeing a camera image); and (3) Spoofing Attack (for an IP camera, unauthorized person seeing substitute images). A survey of services running on the IP device, historical benchmark data, and traceroute information may be used to detect a possible Denial of Service Attack. A detailed log analysis and a passive DNS compromise system may be used to detect a possible unauthorized usage. Finally, a fingerprint (a hash of device configuration data) may be used as a private key to detect a possible spoofing attack. The present invention may be used to help mitigate intrusions and vulnerabilities in IP networks.

198 citations


Journal ArticleDOI
TL;DR: A novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) is presented which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network.
Abstract: IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers, and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

168 citations


Journal ArticleDOI
TL;DR: This paper proposes a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler that assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests.
Abstract: Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. In this paper, we consider sophisticated attacks that are protocol-compliant, non-intrusive, and utilize legitimate application-layer requests to overwhelm system resources. We characterize application-layer resource attacks as either request flooding, asymmetric, or repeated one-shot, on the basis of the application workload parameters that they exploit. To protect servers from these attacks, we propose a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler. In contrast to prior work, our suspicion mechanism assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests. Using testbed experiments on a web application, we demonstrate the potency of these resource attacks and evaluate the efficacy of our counter-mechanism. For instance, we mount an asymmetric attack which overwhelms the server resources, increasing the response time of legitimate clients from 0.3 seconds to 40 seconds. Under the same attack scenario, DDoS Shield improves the victims' performance to 1.5 seconds.

168 citations


Proceedings ArticleDOI
16 Mar 2009
TL;DR: This work addresses the problem of control-channel jamming attacks in multi-channel ad hoc networks by considering a sophisticated adversary who exploits knowledge of the protocol mechanics along with cryptographic quantities extracted from compromised nodes to maximize the impact of his attack on higher-layer functions.
Abstract: We address the problem of control-channel jamming attacks in multi-channel ad hoc networks. Deviating from the traditional view that sees jamming attacks as a physical-layer vulnerability, we consider a sophisticated adversary who exploits knowledge of the protocol mechanics along with cryptographic quantities extracted from compromised nodes to maximize the impact of his attack on higher-layer functions. We propose new security metrics that quantify the ability of the adversary to deny access to the control channel, and the overall delay incurred in re-establishing the control channel. We also propose a randomized distributed scheme that allows nodes to establish a new control channel using frequency hopping. Our method differs from classic frequency hopping in that no two nodes share the same hopping sequence, thus mitigating the impact of node compromise. Furthermore, a compromised node is uniquely identified through its hop sequence, leading to its isolation from any future information regarding the frequency location of the control channel.

Journal ArticleDOI
TL;DR: A systematic survey of DoS attacks, which exploit MAC and physical layer vulnerabilities of 802.11 networks, is presented, and available countermeasures against DoS attacks are discussed and compared.

Journal ArticleDOI
TL;DR: A survey of vulnerabilities in the context of Web Services is given, showing that Web Services are exposed to attacks well-known from common Internet protocols and additionally to new kinds of attacks targeting Web Services in particular.
Abstract: Being regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though founding on decades of networking experience, Web Services are not more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well-known from common Internet protocols and additionally to new kinds of attacks targeting Web Services in particular. Along with their severe impact, most of these attacks can be performed with minimum effort from the attacker’s side. This article gives a survey of vulnerabilities in the context of Web Services. As a proof of the practical relevance of the threats, exemplary attacks on widespread Web Service implementations were performed. Further, general countermeasures for prevention and mitigation of such attacks are discussed.

Patent
Hao Xu, Daniel J. Scales
18 May 2009
TL;DR: In this article, a method for protecting a virtual computer system which may be susceptible to adverse effects from a Denial of Service attack is described, where data that is transferred between the virtual system and the computer network is monitored for an indication of a possible Denial-of-Service attack.
Abstract: A method for protecting a virtual computer system which may be susceptible to adverse effects from a Denial of Service attack is described. The virtual computer system includes a plurality of VMs. In the method, data that is transferred between the virtual computer system and the computer network is monitored for an indication of a possible Denial of Service attack. If an indication of a possible Denial of Service attack is detected, one or more of the VMs is suspended, to reduce the risk of adverse effects on one or more other VMs.

Proceedings ArticleDOI
14 Jun 2009
TL;DR: In this article, the authors propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users by modeling a) request dynamics, learning several chosen features of human interaction dynamics and detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, and c) ability to process visual cues.
Abstract: Flash-crowd attacks are the most vicious form of distributed denial of service (DDoS). They flood the victim with service requests generated from numerous bots. Attack requests are identical in content to those generated by legitimate, human users, and bots send at a low rate to appear non-aggressive -- these features defeat many existing DDoS defenses. We propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users. Current approaches to human-vs-bot differentiation, such as graphical puzzles, are insufficient and annoying to humans, whereas our defenses are highly transparent. We model three aspects of human behavior: a) request dynamics, by learning several chosen features of human interaction dynamics, and detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, by learning transitional probabilities of user requests, and detecting bots that generate valid but low-probability sequences, and c) ability to process visual cues, by embedding into server replies human-invisible objects, which cannot be detected by automated analysis, and flagging users that visit them as bots. We evaluate our defenses' performance on a series of web traffic logs, interlaced with synthetically generated attacks, and conclude that they raise the bar for a successful, sustained attack to botnets whose size is larger than the size observed in 1-5% of DDoS attacks today.

Proceedings ArticleDOI
16 Jun 2009
TL;DR: Based on the group activity model and metric, a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector), is developed, which enables the detection of unknown botnets in large-scale networks in real time.
Abstract: Recent malicious attempts are intended to obtain financial benefits using a botnet, which has become one of the major Internet security problems. Botnets can cause severe Internet threats such as DDoS attacks, identity theft, spamming, and click fraud. In this paper, we define a group activity as an inherent property of the botnet. Based on the group activity model and metric, we develop a botnet detection mechanism, called BotGAD (Botnet Group Activity Detector). BotGAD enables the detection of unknown botnets in large-scale networks in real time. Botnets frequently use DNS to rally infected hosts, launch attacks and update their codes. We implemented BotGAD using DNS traffic and showed the effectiveness by experiments on real-life network traces. BotGAD captured 20 unknown and 10 known botnets from two-day campus network traces.

Journal ArticleDOI
TL;DR: In this paper, the authors proposed a framework for control channel access schemes using the random assignment of cryptographic keys to hide the location of control channels, and evaluated metrics to quantify the probabilistic availability of service under control channel jamming by malicious or compromised users.
Abstract: Availability of service in many wireless networks depends on the ability for network users to establish and maintain communication channels using control messages from base stations and other users. An adversary with knowledge of the underlying communication protocol can mount an efficient denial of service attack by jamming the communication channels used to exchange control messages. The use of spread spectrum techniques can deter an external adversary from such control channel jamming attacks. However, malicious colluding insiders or an adversary who captures or compromises system users is not deterred by spread spectrum, as they know the required spreading sequences. For the case of internal adversaries, we propose a framework for control channel access schemes using the random assignment of cryptographic keys to hide the location of control channels. We propose and evaluate metrics to quantify the probabilistic availability of service under control channel jamming by malicious or compromised users and show that the availability of service degrades gracefully as the number of colluding insiders or compromised users increases. We propose an algorithm called GUIDE for the identification of compromised users in the system based on the set of control channels that are jammed. We evaluate the estimation error using the GUIDE algorithm in terms of the false alarm and miss rates in the identification problem. We discuss various design trade-offs between robustness to control channel jamming and resource expenditure.

Proceedings ArticleDOI
06 Oct 2009
TL;DR: An approach is provided to analyze denial of service attacks by using a supervised neural network, and its performance is compared to other neural network approaches, which results in more accuracy and precision in detection rate.
Abstract: A solo attack may cause a big loss in computer and network systems; its prevention is, therefore, very inevitable. Precise detection is very important to prevent such losses. Such detection is a pivotal part of any security tools like intrusion detection system, intrusion prevention system, and firewalls etc. Therefore, an approach is provided in this paper to analyze denial of service attack by using a supervised neural network. The methodology used sampled data from the Kddcup99 dataset, an attack database that is a standard for judgment of attack detection tools. The system uses multiple layered perceptron architecture and resilient backpropagation for its training and testing. The developed system is then applied to denial of service attacks. Moreover, its performance is also compared to other neural network approaches, which results in more accuracy and precision in detection rate.

Proceedings ArticleDOI
11 May 2009
TL;DR: This work presents a learning-based approach for detecting anomalous network traffic patterns that correspond to attack activities such as malware propagation or denial of service and may provide a complementary detection capability for protecting digital control systems.
Abstract: Digital control systems are increasingly being deployed in critical infrastructure such as electric power generation and distribution. To protect these process control systems, we present a learning-based approach for detecting anomalous network traffic patterns. These anomalous patterns may correspond to attack activities such as malware propagation or denial of service. Misuse detection, the mainstream intrusion detection approach used today, typically uses attack signatures to detect known, specific attacks, but may not be effective against new or variations of known attacks. Our approach, which does not rely on attack-specific knowledge, may provide a complementary detection capability for protecting digital control systems.

Proceedings ArticleDOI
09 Nov 2009
TL;DR: This work analytically calculate the anonymity provided by ShadowWalker and shows that it performs well for moderate levels of attackers, and is much better than the state of the art.
Abstract: Peer-to-peer approaches to anonymous communication promise to eliminate the scalability concerns and central vulnerability points of current networks such as Tor. However, the P2P setting introduces many new opportunities for attack, and previous designs do not provide an adequate level of anonymity. We propose ShadowWalker: a new low-latency P2P anonymous communication system, based on a random walk over a redundant structured topology. We base our design on shadows that redundantly check and certify neighbor information; these certifications enable nodes to perform random walks over the structured topology while avoiding route capture and other attacks. We analytically calculate the anonymity provided by ShadowWalker and show that it performs well for moderate levels of attackers, and is much better than the state of the art. We also design an extension that improves forwarding performance at a slight anonymity cost, while at the same time protecting against selective DoS attacks. We show that our system has manageable overhead and can handle moderate churn, making it an attractive new design for P2P anonymous communication.

Proceedings Article
22 Apr 2009
TL;DR: NB reduces the amount of spam that currently passes through a tuned spam filter by more than 92%, while not flagging any legitimate email as spam, and delivers similar benefits to legitimate requests under DDoS and click-fraud attacks.
Abstract: A large fraction of email spam, distributed denial-of-service (DDoS) attacks, and click-fraud on web advertisements are caused by traffic sent from compromised machines that form botnets. This paper posits that by identifying human-generated traffic as such, one can service it with improved reliability or higher priority, mitigating the effects of botnet attacks. The key challenge is to identify human-generated traffic in the absence of strong unique identities. We develop NAB ("Not-A-Bot"), a system to approximately identify and certify human-generated activity. NAB uses a small trusted software component called an attester, which runs on the client machine with an untrusted OS and applications. The attester tags each request with an attestation if the request is made within a small amount of time of legitimate keyboard or mouse activity. The remote entity serving the request sends the request and attestation to a verifier, which checks the attestation and implements an application-specific policy for attested requests. Our implementation of the attester is within the Xen hypervisor. By analyzing traces of keyboard and mouse activity from 328 users at Intel, together with adversarial traces of spam, DDoS, and click-fraud activity, we estimate that NAB reduces the amount of spam that currently passes through a tuned spam filter by more than 92%, while not flagging any legitimate email as spam. NAB delivers similar benefits to legitimate requests under DDoS and click-fraud attacks.

Journal ArticleDOI
TL;DR: This paper uses a combination of modeling and simulation to demonstrate the feasibility of targeted text messaging attacks, and develops and characterize five techniques from within two broad classes of countermeasures--queue management and resource provisioning that can eliminate or extensively mitigate even the most intense targetedtext messaging attacks.
Abstract: The transformation of telecommunications networks from homogeneous closed systems providing only voice services to Internet-connected open networks that provide voice and data services presents significant security challenges. For example, recent research illustrated that a carefully crafted DoS attack via text messaging could incapacitate all voice communications in a metropolitan area with little more than a cable modem. This attack highlights a growing threat to these systems; namely, cellular networks are increasingly exposed to adversaries both in and outside the network. In this paper, we use a combination of modeling and simulation to demonstrate the feasibility of targeted text messaging attacks. Under realistic network conditions, we show that adversaries can achieve blocking rates of more than 70% with only limited resources. We then develop and characterize five techniques from within two broad classes of countermeasures--queue management and resource provisioning. Our analysis demonstrates that these techniques can eliminate or extensively mitigate even the most intense targeted text messaging attacks. We conclude by considering the tradeoffs inherent to the application of these techniques in current and next generation telecommunications networks.

Journal ArticleDOI
TL;DR: Preliminary experiments and analysis indicate that the proposed chaotic model can accurately and effectively detect DDoS attack traffic and has the potential to not only detect attack traffic during transit, but to also filter it.
Abstract: DDoS attack traffic is difficult to differentiate from legitimate network traffic during transit from the attacker, or zombies, to the victim. In this paper, we use the theory of network self-similarity to differentiate DDoS flooding attack traffic from legitimate self-similar traffic in the network. We observed that DDoS traffic causes a strange attractor to develop in the pattern of network traffic. From this observation, we developed a neural network detector trained by our DDoS prediction algorithm. Our preliminary experiments and analysis indicate that our proposed chaotic model can accurately and effectively detect DDoS attack traffic. Our approach has the potential to not only detect attack traffic during transit, but to also filter it.

Journal ArticleDOI
TL;DR: Since the proposed system derives features from packet headers only, like the previous works based on fuzzy association rules, it focuses on large-scale attack types and can greatly improve efficiency, moving from offline detection to real-time online detection.

Book ChapterDOI
10 Dec 2009
TL;DR: This paper presents a survey of various intrusion detection systems for wireless sensor networks and classifies these approaches into three categories, i.e., purely distributed, purely centralized, and distributed-centralized.
Abstract: Wireless sensor networks (WSNs) are vulnerable to different types of security threats that can degrade the performance of the whole network; these might result in fatal problems like denial of service (DoS) attacks, routing attacks, Sybil attacks, etc. Key management protocols, authentication protocols and secure routing cannot provide security to WSNs against these types of attacks. An intrusion detection system (IDS) is a solution to this problem. It analyzes the network by collecting a sufficient amount of data and detects abnormal behavior of sensor node(s). IDS-based security mechanisms proposed for other network paradigms, such as ad hoc networks, cannot directly be used in WSNs. Researchers have proposed various intrusion detection systems for wireless sensor networks during the last few years. We classify these approaches into three categories, i.e., purely distributed, purely centralized and distributed-centralized. In this paper, we present a survey of these mechanisms. These schemes are further differentiated in the way they perform intrusion detection.

Journal ArticleDOI
TL;DR: A decentralized, multi-dimensional alert correlation algorithm, which first clusters alerts locally at each IDS, before reporting significant alert patterns to a global correlation stage, and introduces a probabilistic approach to decide when a pattern at the local stage is sufficiently significant to warrant correlation at the global stage.

Proceedings ArticleDOI
30 Nov 2009
TL;DR: A model is proposed to detect a particular class of jamming attack, in which the jammer transmits only when valid radio activity is signaled from its radio hardware; the detection is based upon the measurement of error distribution.
Abstract: Due to their nature, Vehicular Ad hoc NETworks (VANETs) are vulnerable to Denial of Service (DoS) attacks, such as jamming attacks. The objective of a jammer is to interfere with legitimate wireless communications and to degrade the overall QoS of the network. In this paper, we propose a model to detect a particular class of jamming attack, in which the jammer transmits only when valid radio activity is signaled from its radio hardware. This detection model is based upon the measurement of error distribution.

Journal ArticleDOI
TL;DR: A novel denial of service (DoS) attack that exploits the unique vulnerabilities of the signaling/control plane in 3G wireless networks is identified and an online early detection algorithm based on the statistical CUSUM method is evaluated that is robust and can identify an attack in its inception, before significant damage is done.

Journal ArticleDOI
TL;DR: From the observation that each attack type of significance forms a unique pattern, the PCAV program develops nine signatures and their detection mechanism based on an efficient hashing algorithm and can quickly detect new attacks and enable network administrators to intuitively recognize and respond to the attacks.

Journal ArticleDOI
TL;DR: A comprehensive study of a wide range of DDoS attacks and defense methods proposed to combat them is presented to provide better understanding of the problem, current solution space, and future research scope to defend against DDoS attack.
Abstract: Distributed Denial of Service (DDoS) attacks on user machines, organizations, and infrastructures of the Internet have become highly publicized incidents and call for an immediate solution. It is a complex and difficult problem characterized by an explicit attempt of the attackers to prevent access to resources by legitimate users for which they have authorization. Several schemes have been proposed on how to defend against these attacks, yet the problem still lacks a complete solution. The main purpose of this paper is therefore twofold. The first is to present a comprehensive study of a wide range of DDoS attacks and the defense methods proposed to combat them. This provides a better understanding of the problem, the current solution space, and the future research scope to defend against DDoS attacks. The second is to propose an integrated solution for completely defending against flooding DDoS attacks at the Internet Service Provider (ISP) level.