Showing papers on "Denial-of-service attack published in 2010"

Lightweight DDoS flooding attack detection using NOX/OpenFlow

Abstract: Distributed denial-of-service (DDoS) attacks became one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, its detection is a very hard task because of the similarities between normal traffic and useless packets, sent by compromised hosts to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches. This is possible due to the use of the NOX platform which provides a programmatic interface to facilitate the handling of switch information. Other major contributions include the high rate of detection and very low rate of false alarms obtained by flow analysis using Self Organizing Maps.

An Overview of IP Flow-Based Intrusion Detection

Abstract: Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.

Cache Games - Bringing Access Based Cache Attacks on AES to Practice.

Abstract: Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache-attacks. The source of information leakage for such attacks are the locations of memory accesses performed by a victim process. In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost realtime for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is not possible to find out the beginning of AES rounds any more – a corner stone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations. A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows to monitor memory accesses with novelly high precision. Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible. Keywords-AES; side channel; access-based cache-attacks;

A Cooperative Intrusion Detection System Framework for Cloud Computing Networks

Abstract: Cloud computing provides a framework for supporting end users easily attaching powerful services and applications through Internet. To provide secure and reliable services in cloud computing environment is an important issue. One of the security issues is how to reduce the impact of denial-of-service (DoS) attack or distributed denial-of-service (DDoS) in this environment. To counter these kinds of attacks, a framework of cooperative intrusion detection system (IDS) is proposed. The proposed system could reduce the impact of these kinds of attacks. To provide such ability, IDSs in the cloud computing regions exchange their alerts with each other. In the system, each of IDSs has a cooperative agent used to compute and determine whether to accept the alerts sent from other IDSs or not. By this way, IDSs could avoid the same type of attack happening. The implementation results indicate that the proposed system could resist DoS attack. Moreover, by comparison, the proposed cooperative IDS system only increases little computation effort compared with pure Snort based IDS but prevents the system from single point of failure attack.

Review and evaluation of security threats on the communication networks in the smart grid

Abstract: The smart grid, generally referred to as the next-generation power electric system, relies on robust communication networks to provide efficient, secure, and reliable information delivery. Thus, the network security is of critical importance in the smart grid. In this paper, we aim at classifying and evaluating the security threats on the communication networks in the smart grid. Based on a top-down analysis, we categorize the goals of potential attacks against the smart grid communication networks into three types: network availability, data integrity and information privacy. We then qualitatively analyze both the impact and feasibility of the three types of attacks. Moreover, since network availability is the top priority in the security objectives for the smart grid, we use experiments to quantitatively evaluate the impact of denial-of-service (DoS) attacks on a power substation network. Our work provides initial experimental data of DoS attacks against a power network and shows that the network performance degrades dramatically only when the DoS attack intensity approaches to the maximum.

On SCADA control system command and response injection and intrusion detection

Abstract: SCADA systems are widely used in critical infrastructure sectors, including electricity generation and distribution, oil and gas production and distribution, and water treatment and distribution. SCADA process control systems are typically isolated from the internet via firewalls. However, they may still be subject to illicit cyber penetrations and may be subject to cyber threats from disgruntled insiders. We have developed a set of command injection, data injection, and denial of service attacks which leverage the lack of authentication in many common control system communication protocols including MODBUS, DNP3, and EtherNET/IP. We used these exploits to aid in development of a neural network based intrusion detection system which monitors control system physical behavior to detect artifacts of command and response injection attacks. Finally, we present intrusion detection accuracy results for our neural network based IDS which includes input features derived from physical properties of the control system.

Integrating a network IDS into an open source Cloud Computing environment

Abstract: The success of the Cloud Computing paradigm may be jeopardized by concerns about the risk of misuse of this model aimed at conducting illegal activities. In this paper we address the issue of detecting Denial of Service attacks performed by means of resources acquired on-demand on a Cloud Computing platform. To this purpose, we propose to investigate the consequences of the use of a distributed strategy to detect and block attacks, or other malicious activities, originated by misbehaving customers of a Cloud Computing provider. In order to check the viability of our approach, we also evaluate the impact on performance of our proposed solution. This paper presents the installation and deployment experience of a distributed defence strategy and illustrates the preliminary results of the performance evaluation.

Multi-vendor penetration testing in the advanced metering infrastructure

Abstract: The advanced metering infrastructure (AMI) is revolutionizing electrical grids. Intelligent AMI "smart meters" report real time usage data that enables efficient energy generation and use. However, aggressive deployments are outpacing security efforts: new devices from a dizzying array of vendors are being introduced into grids with little or no understanding of the security problems they represent. In this paper we develop an archetypal attack tree approach to guide penetration testing across multiple-vendor implementations of a technology class. In this, we graft archetypal attack trees modeling broad adversary goals and attack vectors to vendor-specific concrete attack trees. Evaluators then use the grafted trees as a roadmap to penetration testing. We apply this approach within AMI to model attacker goals such as energy fraud and denial of service. Our experiments with multiple vendors generate real attack scenarios using vulnerabilities identified during directed penetration testing, e.g., manipulation of energy usage data, spoofing meters, and extracting sensitive data from internal registers. More broadly, we show how we can reuse efforts in penetration testing to efficiently evaluate the increasingly large body of AMI technologies being deployed in the field.

ARIMA Based Network Anomaly Detection

Abstract: An early warning system on potential attacks from networks will enable network administrators or even automated network management software to take preventive measures. This is needed as we move towards maximizing the utilization of the network with new paradigms such as Web Services and Software As A Service. This paper introduces a novel approach through using Auto-Regressive Integrated Moving Average (ARIMA) technique to detect potential attacks that may occur in the network. The solution is able to provide feedback through its predictive capabilities and hence provide an early warning system. With the affirmative results, this technique can serve beyond the detection of Denial of Service (DoS) and with sufficient development; an automated defensive solution can be achieved.

NetFence: preventing internet denial of service from inside out

Abstract: Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders' traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).

Denial of Service (DOS) Attack and Its Possible Solutions in VANET

Abstract: Vehicular Ad-hoc Network (VANET) is taking more attention in automotive industry due to the safety concern of human lives on roads. Security is one of the safety aspects in VANET. To be secure, network availability must be obtained at all times since availability of the network is critically need ed when a node sends any life critical information to other nodes. However, it can be expected that security attacks are likely to increase in the coming future due to more and more wireless applications being developed and deployed onto the well-known expose nature of the wireless medium. In this respect, the network availability is exposed to many types of attacks. In this paper, Denial of Service (DOS) attack on network availability is presented and its severity level in VANET environment is elaborated. A model to secure the VANET from the DOS attacks has been developed and some possible solutions to overcome the attacks have been discussed.

A new form of DOS attack in a cloud and its avoidance mechanism

Abstract: Data center networks are typically grossly under-provisioned. This is not a problem in a corporate data center, but it could be a problem in a shared infrastructure, such as a co-location facility or a cloud infrastructure. If an application is deployed in such an infrastructure, the application owners need to take into account the infrastructure limitations. They need to build in counter-measures to ensure that the application is secure and it meets its performance requirements. In this paper, we describe a new form of DOS attack, which exploits the network under-provisioning in a cloud infrastructure. We have verified that such an attack could be carried out in practice in one cloud infrastructure. We also describe a mechanism to detect and avoid this new form of attack.

Losing control of the internet: using the data plane to attack the control plane

Abstract: In this work, we introduce the Coordinated Cross Plane Session Termination, or CXPST, attack, a distributed denial of service attack that attacks the control plane of the Internet. CXPST extends previous work that demonstrates a vulnerability in routers that allows an adversary to disconnect a pair of routers using only data plane traffic. By carefully choosing BGP sessions to terminate, CXPST generates a surge of BGP updates that are seen by nearly all core routers on the Internet. This surge of updates surpasses the computational capacity of affected routers, crippling their ability to make routing decisions

A dynamic en-route filtering scheme for data reporting in wireless sensor networks

Abstract: In wireless sensor networks, adversaries can inject false data reports via compromised nodes and launch DoS attacks against legitimate reports. Recently, a number of filtering schemes against false reports have been proposed. However, they either lack strong filtering capacity or cannot support highly dynamic sensor networks very well. Moreover, few of them can deal with DoS attacks simultaneously. In this paper, we propose a dynamic en-route filtering scheme that addresses both false report injection and DoS attacks in wireless sensor networks. In our scheme, each node has a hash chain of authentication keys used to endorse reports; meanwhile, a legitimate report should be authenticated by a certain number of nodes. First, each node disseminates its key to forwarding nodes. Then, after sending reports, the sending nodes disclose their keys, allowing the forwarding nodes to verify their reports. We design the hill climbing key dissemination approach that ensures the nodes closer to data sources have stronger filtering capacity. Moreover, we exploit the broadcast property of wireless communication to defeat DoS attacks and adopt multipath routing to deal with the topology changes of sensor networks. Simulation results show that compared to existing solutions, our scheme can drop false reports earlier with a lower memory requirement, especially in highly dynamic sensor networks.

Detecting and mitigating denial of service attacks

Abstract: Embodiments of this invention provide methods for detecting a denial of service attack (DoS) and isolating traffic that relates to the attack. The method may begin by collecting network traffic data by observing individual packets carried over the network. The data may then be compiled into a time series comprising network traffic data relating successive time-intervals. A difference value based upon the entry in the time series for a large time-window and for a small time-window. A deviation score may then be determined by calculating the ratio of the difference values. The deviation score may indicate whether an attack occurred. In an embodiment of the invention, an attack is deemed to occur if the deviation score is between 0.6 and 1.4.

System and method for mitigating a denial of service attack using cloud computing

Abstract: A system and method for mitigating a denial of service attack that includes distributing network communication messages directed at a resource within a resource cloud, directing the distributed network communication messages, filtering the network communication messages according to filter parameters that relate to the legitimacy of the communication message, and sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate.

Mitigating selective forwarding attacks with a channel-aware approach in WMNS

Abstract: In this paper, we consider a special case of denial of service (DoS) attack in wireless mesh networks (WMNs) known as selective forwarding attack (a.k.a gray hole attacks). With such an attack, a misbehaving mesh router just forwards a subset of the packets it receives but drops the others. While most of the existing studies on selective forwarding attacks focus on attack detection under the assumption of an error-free wireless channel, we consider a more practical and challenging scenario that packet dropping may be due to an attack, or normal loss events such as medium access collision or bad channel quality. Specifically, we develop a channel aware detection (CAD) algorithm that can effectively identify the selective forwarding misbehavior from the normal channel losses. The CAD algorithm is based on two strategies, channel estimation and traffic monitoring. If the monitored loss rate at certain hops exceeds the estimated normal loss rate, those nodes involved will be identified as attackers. Moreover, we carry out analytical studies to determine the optimal detection thresholds that minimize the summation of false alarm and missed detection probabilities. We also compare our CAD approach with some existing solutions, through extensive computer simulations, to demonstrate the efficiency of discriminating selective forwarding attacks from normal channel losses.

Fast Anomaly Detection for Large Data Centers

Abstract: Recent spates of cyber attacks towards cloud computing services running in large data centers have made it imperative to develop effective techniques to detect anomalous behaviors in the "clouds". In this paper, we propose to use the distributions of IP address octets and centroid based measures to characterize the inherent IP structure in high-volume data center traffic, and subsequently design a simple yet effective algorithm to detect abnormal traffic patterns caused by network attacks such as worms, virus, and denial of service attacks. We evaluate the effectiveness and efficiency of this algorithm with synthetic traffic that combines real data center traffic collected from a large Internet content provider with worm traces and denial of service attacks. The experiment results show that our algorithm consistently diagnoses the abnormal traffic from normal ones, and does so in a short time with a low false alarm rate. We believe that the proposed approach could be potentially deployed in real-time data center environments to enhance the security and high availability of cloud computing.

DDoS attack detection based on neural network

Abstract: DDoS attack is a major Internet security problem-DoS is that lots of clients simultaneously send service requests to certain server on the internet such that this server is too busy to provide normal services for others. Attackers using legitimate packets and often changing package information, so that traditional detection methods based on feature descriptions is difficult to detect it. This paper present an artificial intelligence DDoS attack detection method based on neural networks. In this method, analysis of server resources and network traffic, To training the ability of detection normal or abnormal, it have better results for detect DDoS attack.

Location Privacy against Traffic Analysis Attacks in Wireless Sensor Networks

Abstract: Traffic analysis attacks are passive attacks that try to deduce the traffic pattern based on the eavesdropped information. Through analyzing the packet traffic, it can deduce the location of strategic nodes, and then launch an active attack to those locations, such as DoS attack. Therefore, defending against a traffic analysis attack is to prevent the adversary from tracing the location of critical sensor nodes. Due to the open wireless communication media exposing the context information to adversaries, we cannot use traditional encryption and authentication to prevent the adversaries from eavesdropping on the wireless communication. In this paper, we propose three schemes to defend against the traffic analysis attacks. Firstly, a random routing scheme (RRS) is proposed to provide path diversity. Secondly, we combine RRS with a dummy packet injection scheme (DPIS) to confuse the adversary by tracing or tracing back the forwarded packet to reach the receiver or source. Finally, an anonymous communication scheme (ACS) is proposed to hide the identities of all nodes that participate in packets transmission. Through security analysis and simulation, we can see that our proposed schemes can efficiently defend against traffic analysis attacks, take less delivery time and achieve uniform energy consumption.

Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach

Abstract: Application DoS attack, which aims at disrupting application service rather than depleting the network resource, has emerged as a larger threat to network services, compared to the classic DoS attack. Owing to its high similarity to legitimate traffic and much lower launching overhead than classic DDoS attack, this new assault type cannot be efficiently detected or prevented by existing detection solutions. To identify application DoS attack, we propose a novel group testing (GT)-based approach deployed on back-end servers, which not only offers a theoretical method to obtain short detection delay and low false positive/negative rate, but also provides an underlying framework against general network attacks. More specifically, we first extend classic GT model with size constraints for practice purposes, then redistribute the client service requests to multiple virtual servers embedded within each back-end server machine, according to specific testing matrices. Based on this framework, we propose a two-mode detection mechanism using some dynamic thresholds to efficiently identify the attackers. The focus of this work lies in the detection algorithms proposed and the corresponding theoretical complexity analysis. We also provide preliminary simulation results regarding the efficiency and practicability of this new scheme. Further discussions over implementation issues and performance enhancements are also appended to show its great potentials.

On modeling and simulation of game theory-based defense mechanisms against DoS and DDoS attacks

Abstract: As cyber attacks continue to grow in number, scope, and severity, the cyber security problem has become increasingly important and challenging to both academic researchers and industry practitioners. We explore the applicability of game theoretic approaches to the cyber security problem with focus on active bandwidth depletion attacks. We model the interaction between the attacker and the defender as a two-player non-zero-sum game in two attack scenarios: (i) one single attacking node for Denial of Service (DoS) and (ii) multiple attacking nodes for Distributed DoS (DDoS). The defender's challenge is to determine optimal firewall settings to block rogue traffics while allowing legitimate ones. Our analysis considers the worst-case scenario where the attacker also attempts to find the most effective sending rate or botnet size. In either case, we build both static and dynamic game models to compute the Nash equilibrium that represents the best strategy of the defender. We validate the effectiveness of our game theoretic defense mechanisms via extensive simulation-based experiments using NS-3.

An Authentication Framework for Wireless Sensor Networks using Identity-Based Signatures

Abstract: In Wireless Sensor Networks (WSNs), authentication is a crucial security requirement to avoid attacks against secure communication, and to mitigate DoS attacks exploiting the limited resources of sensor nodes. Resource constraints of sensor nodes are hurdles in applying strong public key cryptographic based mechanisms in WSNs. To address the problem of authentication in WSNs, we propose an efficient and secure framework for authenticated broadcast/multicast by sensor nodes as well as for outside user authentication, which utilizes identity based cryptography and online/offline signature schemes. The primary goals of this framework are to enable all sensor nodes in the network, firstly, to broadcast and/or multicast an authenticated message quickly; secondly, to verify the broadcast/multicast message sender and the message contents; and finally, to verify the legitimacy of an outside user. The proposed framework is also evaluated using the most efficient and secure identity-based signature schemes.

Sketch-Based Streaming PCA Algorithm for Network-Wide Traffic Anomaly Detection

Abstract: Internet has become an essential part of the daily life for billions of users worldwide, who are using a large variety of network services and applications everyday. However, there have been serious security problems and network failures that are hard to resolve, for example, botnet attacks, polymorphic worm/virus spreading, DDoS, and flash crowds. To address many of these problems, we need to have a network-wide view of the traffic dynamics, and more importantly, be able to detect traffic anomalies in a timely manner. Spatial analysis methods have been proved to be effective in detecting network-wide traffic anomalies that are not detectable at a single monitor. To our knowledge, Principle Component Analysis (PCA) is the best-known spatial detection method for the coordinated low-profile traffic anomalies. However, existing PCA-based solutions have scalability problems in that they require linear running time and space to analyze the traffic measurements within a sliding window, which makes it often infeasible to be deployed for monitoring large-scale high-speed networks. We propose a sketch-based streaming PCA algorithm for the network-wide traffic anomaly detection in a distributed fashion. Our algorithm only requires logarithmic running time and space at both local monitors and Network Operation Centers (NOCs), and can detect both high-profile and coordinated low-profile traffic anomalies with bounded errors.

Apparatus for detecting and filtering application layer ddos attack of web service

Abstract: Disclosed is a DDoS attack detection and response apparatus. The DDoS attack detection and response apparatus comprises: a receiver unit receiving HTTP requests from a client terminal which is characterized as an IP address; a data measuring unit computing the number of HTTP requests by IP and the number of URIs per HTTP over a certain time period; a DDoS discrimination unit comparing the number of HTTPs per URI with a threshold value and defining an access of the client terminal having the IP address as a DDoS attack when the number of HTTPs per URI is larger than the threshold value; and a blocking unit blocking packets from the IP address when the DDoS discrimination unit detects a DDoS attack.

Voice-over-IP Security: Research and Practice

Abstract: Consumers and enterprises alike are rapidly adopting voice-over-IP (VoIP) technologies, which offer higher flexibility and more features than traditional telephony infrastructures. They can also potentially lower costs through equipment consolidation and, for the consumer market, new business models. However, VoIP systems also represent high complexity in terms of architecture, protocols, and implementation, with a corresponding increase in the potential for misuse. The author conducted survey of published vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and in two IETF RFC Internet drafts. These issues ranged from relatively straightforward problems that can lead to server or equipment crashes (denial of service [DoS]) to more serious problems that let adversaries eavesdrop on communications, remotely take over servers or handsets, impersonate users, avoid billing or charge another user (toll fraud), and so on.

A Novel Cross Layer Intrusion Detection System in MANET

Abstract: Intrusion detection System forms a vital component of internet security. To keep pace with the growing trends, there is a critical need to replace single layer detection technology with multi layer detection. Different types of Denial of Service (DoS) attacks thwart authorized users from gaining access to the networks and we tried to detect as well as alleviate some of those attacks. In this paper, we have proposed a novel cross layer intrusion detection architecture to discover the malicious nodes and different types of DoS attacks by exploiting the information available across different layers of protocol stack in order to improve the accuracy of detection. We have used cooperative anomaly intrusion detection with data mining technique to enhance the proposed architecture. We have implemented fixed width clustering algorithm for efficient detection of the anomalies in the MANET traffic and also generated different types of attacks in the network. The simulation of the proposed architecture is performed in OPNET simulator and we got the result as we expected.

Real-Time Detection of Stealthy DDoS Attacks Using Time-Series Decomposition

Abstract: Recently, many new types of distributed denial of service (DDoS) attacks have emerged, posing a great challenge to intrusion detection systems. In this paper, we introduce a new type of DDoS attacks called stealthy DDoS attacks, which can be launched by sophisticated attackers. Such attacks are different from traditional DDoS attacks in that they cannot be detected by previous detection methods effectively. In response to this type of DDoS attacks, we propose a detection approach based on time-series decomposition, which divides the original time series into trend and random components. It then applies a double autocorrelation technique and an improved cumulative sum technique to the trend and random components, respectively, to detect anomalies in both components. By separately examining each component and synthetically evaluating the overall results, the proposed approach can greatly reduce not only false positives and negatives but also detection latency. In addition, to make our method more generally applicable, we apply an adaptive sliding-window to our real-time algorithm. We evaluate the performance of the proposed approach using real Internet traces, demonstrating its effectiveness.

Different flavours of Man-In-The-Middle attack, consequences and feasible solutions

Abstract: Man-In-The-Middle (MITM) attack is one of the primary techniques employed in computer based hacking. MITM attack can successfully invoke attacks such as Denial of service (DoS), DNS spoofing and Port stealing. MITM attack is particularly suitable in a LAN environment, Where it is typically performed through ARP poisoning. MITM attack of every kind has lot of surprising consequences in store for users such as, stealing online account userid, password, stealing of local ftp id, ssh or telnet session etc. This paper emphasizes on different types of MITM attacks, their consequences and feasible solutions under different circumstances giving users options to choose one from various solutions. ARP spoofing and its effect in a LAN environment is studied in detail to achieve the stated objective.