
Showing papers on "Denial-of-service attack published in 2016"


Proceedings ArticleDOI
14 May 2016
TL;DR: In this article, a multi-level perceptron, a type of supervised ANN, is trained using internet packet traces, then is assessed on its ability to thwart Distributed Denial of Service (DDoS/DoS) attacks.
Abstract: The Internet of things (IoT) is still in its infancy and has attracted much interest in many industrial sectors including medical fields, logistics tracking, smart cities and automobiles. However as a paradigm, it is susceptible to a range of significant intrusion threats. This paper presents a threat analysis of the IoT and uses an Artificial Neural Network (ANN) to combat these threats. A multi-level perceptron, a type of supervised ANN, is trained using internet packet traces, then is assessed on its ability to thwart Distributed Denial of Service (DDoS/DoS) attacks. This paper focuses on the classification of normal and threat patterns on an IoT Network. The ANN procedure is validated against a simulated IoT network. The experimental results demonstrate 99.4% accuracy and can successfully detect various DDoS/DoS attacks.

348 citations


Journal ArticleDOI
TL;DR: An Artificial Neural Network (ANN) algorithm is chosen to detect DDoS attacks based on specific characteristic features (patterns) that separate DDoS attack traffic from genuine traffic.

260 citations


Journal ArticleDOI
TL;DR: An ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection that can effectively reduce the number of features and has a high detection rate and classification accuracy when compared to other classification techniques.
Abstract: Widespread adoption of cloud computing has increased the attractiveness of such services to cybercriminals. Distributed denial of service (DDoS) attacks targeting the cloud’s bandwidth, services and resources to render the cloud unavailable to both cloud providers and users are a common form of attack. In recent times, feature selection has been identified as a pre-processing phase in cloud DDoS attack defence which can potentially increase classification accuracy and reduce computational complexity by identifying important features from the original dataset during supervised learning. In this work, we propose an ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection. We then perform an extensive experimental evaluation of our proposed method using the intrusion detection benchmark dataset NSL-KDD and a decision tree classifier. The findings show that our proposed method can effectively reduce the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.

255 citations


Proceedings ArticleDOI
24 Oct 2016
TL;DR: A new type of Denial-of-Service (DoS) is proposed, called the bus-off attack, which exploits the error-handling scheme of in-vehicle networks to disconnect or shut down good/uncompromised ECUs.
Abstract: Contemporary vehicles are getting equipped with an increasing number of Electronic Control Units (ECUs) and wireless connectivities. Although these have enhanced vehicle safety and efficiency, they are accompanied with new vulnerabilities. In this paper, we unveil a new important vulnerability applicable to several in-vehicle networks including Control Area Network (CAN), the de facto standard in-vehicle network protocol. Specifically, we propose a new type of Denial-of-Service (DoS), called the bus-off attack, which exploits the error-handling scheme of in-vehicle networks to disconnect or shut down good/uncompromised ECUs. This is an important attack that must be thwarted, since the attack, once an ECU is compromised, is easy to be mounted on safety-critical ECUs while its prevention is very difficult. In addition to the discovery of this new vulnerability, we analyze its feasibility using actual in-vehicle network traffic, and demonstrate the attack on a CAN bus prototype as well as on two real vehicles. Based on our analysis and experimental results, we also propose and evaluate a mechanism to detect and prevent the bus-off attack.

197 citations


Journal ArticleDOI
TL;DR: A specialized dataset for WSN is developed to help better detect and classify four types of Denial of Service (DoS) attacks: Blackhole, Grayhole, Flooding, and Scheduling attacks, and an Artificial Neural Network (ANN) has been trained on the dataset to detect and classify different DoS attacks.
Abstract: Wireless Sensor Networks (WSN) have increasingly become one of the hottest research areas in computer science due to their wide range of applications, including critical military and civilian applications. Such applications have created various security threats, especially in unattended environments. To ensure the security and dependability of WSN services, an Intrusion Detection System (IDS) should be in place. This IDS has to be compatible with the characteristics of WSNs and capable of detecting the largest possible number of security threats. In this paper, a specialized dataset for WSN is developed to help better detect and classify four types of Denial of Service (DoS) attacks: Blackhole, Grayhole, Flooding, and Scheduling attacks. This paper considers the use of the LEACH protocol, which is one of the most popular hierarchical routing protocols in WSNs. A scheme has been defined to collect data from Network Simulator 2 (NS-2), which is then processed to produce 23 features. The collected dataset is called WSN-DS. An Artificial Neural Network (ANN) has been trained on the dataset to detect and classify different DoS attacks. The results show that WSN-DS improved the ability of the IDS to achieve a higher classification accuracy rate. The WEKA toolbox was used with holdout and 10-Fold Cross Validation methods. The best results were achieved with 10-Fold Cross Validation with one hidden layer. The classification accuracies of attacks were 92.8%, 99.4%, 92.2%, 75.6%, and 99.8% for Blackhole, Flooding, Scheduling, and Grayhole attacks, in addition to the normal case (without attacks), respectively.

162 citations


Journal ArticleDOI
TL;DR: Experimental results show that the proposed trigger of attack detection mechanism can quickly initiate the attack detection in less than one second, accurately trace the attack source, and release the occupied resources of switches.

144 citations


Journal ArticleDOI
TL;DR: A new dataset is collected because there were no common data sets that contain modern DDoS attacks in different network layers, such as (SIDDoS, HTTP Flood), and this work incorporates three well-known classification techniques: Multilayer Perceptron (MLP), Naive Bayes and Random Forest.
Abstract: Users and organizations find it continuously challenging to deal with distributed denial of service (DDoS) attacks. The security engineer works to keep a service available at all times by dealing with intruder attacks. The intrusion-detection system (IDS) is one of the solutions to detecting and classifying any anomalous behavior. The IDS system should always be updated with the latest intruder attack deterrents to preserve the confidentiality, integrity and availability of the service. In this paper, a new dataset is collected because there were no common data sets that contain modern DDoS attacks in different network layers, such as (SIDDoS, HTTP Flood). This work incorporates three well-known classification techniques: Multilayer Perceptron (MLP), Naive Bayes and Random Forest. The experimental results show that MLP achieved the highest accuracy rate (98.63%).

140 citations


Journal ArticleDOI
TL;DR: The paper shows that the approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.
Abstract: Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and have a critical nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs to possess the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising dedicated detection components of our cloud resilience architecture. More specifically, we exhibit the applicability of novelty detection under the one-class Support Vector Machine (SVM) formulation at the hypervisor level, through the utilisation of features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90 percent whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data, but also network-level data depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions.

138 citations


Journal ArticleDOI
TL;DR: This survey aims to assess in detail the exact nature of threat scenarios posed by spoofing against the most commonly cited targets, and to survey and assess the effectiveness of a wide range of proposed defences against GNSS spoofing.
Abstract: Detection and prevention of global navigation satellite system (GNSS) “spoofing” attacks, or the broadcast of false global navigation satellite system services, has recently attracted much research interest. This survey aims to fill three gaps in the literature: first, to assess in detail the exact nature of threat scenarios posed by spoofing against the most commonly cited targets; second, to investigate the many practical impediments, often underplayed, to carrying out GNSS spoofing attacks in the field; and third, to survey and assess the effectiveness of a wide range of proposed defences against GNSS spoofing. Our conclusion lists promising areas of future research.

129 citations


Proceedings ArticleDOI
Yang Xu, Yong Liu
10 Apr 2016
TL;DR: This paper proposes methods to detect DDoS attacks leveraging on SDN's flow monitoring capability and demonstrates that these methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.
Abstract: Software Defined Networking (SDN) has recently emerged as a new network management platform. The centralized control architecture presents many new opportunities. Among the network management tasks, measurement is one of the most important and challenging ones. Researchers have proposed many solutions to better utilize SDN for network measurement. Among them, how to detect Distributed Denial-of-Service (DDoS) attacks quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks leveraging SDN's flow monitoring capability. Our methods utilize measurement resources available in the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations we demonstrate that our methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.

124 citations


Journal ArticleDOI
TL;DR: A set of rules is proposed, based on the repeatability of chaotic behavior and the enormous growth in the ratio of the number of packets to the number of source IP addresses during attack times, to classify normal and attack traffic.
Abstract: This letter deals with the problem of detecting DoS and DDoS attacks. First of all, two features, the number of packets and the number of source IP addresses, are extracted from network traffic as detection metrics every minute. Hence, a time series based on the number of packets is built and normalized using a Box-Cox transformation. An ARIMA model is also employed to predict the number of packets in every following minute. Then, the chaotic behavior of the prediction error time series is examined by computing the maximum Lyapunov exponent. The local Lyapunov exponent is also calculated as a suitable indicator for chaotic and nonchaotic errors. Finally, a set of rules is proposed, based on the repeatability of chaotic behavior and the enormous growth in the ratio of the number of packets to the number of source IP addresses during attack times, to classify normal and attack traffic. Simulation results show that the proposed algorithm can accurately classify 99.5% of traffic states.

Proceedings ArticleDOI
23 Aug 2016
TL;DR: This paper presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems and analyzes cyber threats of BlackEnergy for synchrophasor-based systems, which are used for real-time control and monitoring functionalities in the smart grid.
Abstract: The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time from a simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has a persistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyber physical attacks including the recent Ukraine power grid attack in December 2015. This paper investigates the evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model used by BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threats of BlackEnergy for synchrophasor based systems which are used for real-time control and monitoring functionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated by exploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118 and (ii) IEC 61850-90-5. Further, the paper also investigates protection strategies for detection and prevention of BlackEnergy based cyber physical attacks.

Journal ArticleDOI
TL;DR: It is shown that the impact of ghost is very large and that it can facilitate a variety of threats including denial of service and replay attacks, and several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks are proposed.
Abstract: ZigBee has been widely recognized as an important enabling technique for the Internet of Things (IoT). However, ZigBee nodes are normally resource-limited, making the network susceptible to a variety of security threats. This paper closely investigates a severe attack on ZigBee networks termed ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the nodes. We show that the impact of ghost is very large and that it can facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments have also been conducted, and the observations confirm the severity of the impact of the ghost attack. We believe that the presented work will aid researchers in further improving the security of ZigBee.

Proceedings ArticleDOI
22 May 2016
TL;DR: This paper proposes an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected, and demonstrates the superiority of the method in terms of promptness, versatility and accuracy.
Abstract: A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.

Journal ArticleDOI
TL;DR: An in-depth study of the various types of the DoS attacks proposed for the cloud computing environment and classifies them based on the cloud components or services, which they target.
Abstract: Denial-of-service (DoS) attacks are one of the major security challenges in the emerging cloud computing models. Currently, numerous types of DoS attacks are conducted against the various cloud services and resources, which target their availability, service level agreements, and performance. This paper presents an in-depth study of the various types of DoS attacks proposed for the cloud computing environment and classifies them based on the cloud components or services which they target. Besides, it provides a comprehensive analysis of the vulnerabilities utilized in these DoS attacks and investigates the state-of-the-art solutions presented in the literature to prevent, detect, or deal with each kind of DoS attack in the cloud. Finally, it presents open research issues. Copyright © 2016 John Wiley & Sons, Ltd.

Proceedings ArticleDOI
14 Nov 2016
TL;DR: The first evaluation of several IP anycast services under stress with public data is provided, examining how different services respond to stress, and identifying two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites.
Abstract: Distributed Denial-of-Service (DDoS) attacks continue to be a major threat on the Internet today. DDoS attacks overwhelm target services with requests or other traffic, causing requests from legitimate users to be shut out. A common defense against DDoS is to replicate a service in multiple physical locations/sites. If all sites announce a common prefix, BGP will associate users around the Internet with a nearby site, defining the catchment of that site. Anycast defends against DDoS both by increasing aggregate capacity across many sites, and allowing each site's catchment to contain attack traffic, leaving other sites unaffected. IP anycast is widely used by commercial CDNs and for essential infrastructure such as DNS, but there is little evaluation of anycast under stress. This paper provides the first evaluation of several IP anycast services under stress with public data. Our subject is the Internet's Root Domain Name Service, made up of 13 independently designed services ("letters", 11 with IP anycast) running at more than 500 sites. Many of these services were stressed by sustained traffic at 100× normal load on Nov. 30 and Dec. 1, 2015. We use public data for most of our analysis to examine how different services respond to stress, and identify two policies: sites may absorb attack traffic, containing the damage but reducing service to some users, or they may withdraw routes to shift both good and bad traffic to other sites. We study how these deployment policies resulted in different levels of service to different users during the events. We also show evidence of collateral damage on other services located near the attacks.

Patent
26 Feb 2016
TL;DR: In this article, a system and method for mitigating the effects of malicious internet traffic, including DDOS attacks and email bombs, by utilizing a DNS Traffic Analyzer and Firewall to analyze network traffic intended for a DNS server and preventing some network traffic from accessing the DNS server.
Abstract: A system and method for mitigating the effects of malicious internet traffic, including DDOS attacks and email bombs, by utilizing a DNS Traffic Analyzer and Firewall to analyze network traffic intended for a DNS server and preventing some network traffic from accessing the DNS server.

Proceedings ArticleDOI
15 Sep 2016
TL;DR: An SDN framework for data centers named FlowTrApp is proposed which performs DDoS detection and mitigation using some bounds on two per flow based traffic parameters i.e., flow rate and flow duration of a flow.
Abstract: Distributed Denial of Service attack (DDoS) is one of the severe security problems in data centers. In present times, data center operators adopt several hardware-based dedicated measures for detection and mitigation of such attacks. It is always a challenging task to detect and mitigate DDoS attacks completely. Software Defined Network (SDN) provides central control over the network, which helps in getting a global view of the network. In this paper, we propose an SDN framework for data centers named FlowTrApp which performs DDoS detection and mitigation using some bounds on two per-flow traffic parameters, i.e., the flow rate and the flow duration of a flow. It attempts to detect attack traffic ranging from low rate to high rate and long lived to short lived attacks using an SDN engine consisting of the sFlow-based flow analytics engine sFlow-RT and an OpenFlow controller. The proposed framework of FlowTrApp has been implemented in the Mininet emulator and outperforms an OpenFlow-based QoS approach for DoS attack mitigation.

Proceedings ArticleDOI
01 Oct 2016
TL;DR: The proposed SDN-Guard is a novel scheme able to efficiently protect SDN networks against DoS attacks by dynamically rerouting potential malicious traffic, adjusting flow timeouts and aggregating flow rules.
Abstract: Software Defined Networking (SDN) has recently emerged as a new networking technology offering an unprecedented programmability that allows network operators to dynamically configure and manage their infrastructures. The main idea of SDN is to move the control plane into a central controller that is in charge of taking all routing decisions in the network. However, despite all the advantages offered by this technology, Deny-of-Service (DoS) attacks are considered a major threat to such networks as they can easily overload the controller processing and communication capacity and flood switch CAM tables, resulting in a critical degradation of the overall network performance. To address this issue, we propose in this paper SDN-Guard, a novel scheme able to efficiently protect SDN networks against DoS attacks by dynamically (1) rerouting potential malicious traffic, (2) adjusting flow timeouts and (3) aggregating flow rules. Realistic experiments using Mininet show that the proposed solution succeeds in minimizing by up to 32% the impact of DoS attacks on the controller performance, switch memory usage and control plane bandwidth and thereby maintaining acceptable network performance during such attacks.

Journal ArticleDOI
TL;DR: A comprehensive study of DoS attacks in SDN is presented, and multi-layer fair queueing (MLFQ) is proposed, a simple but effective DoS mitigation method that enforces fair sharing of an SDN controller's resources with multiple layers of queues.
Abstract: Software defined networking greatly simplifies network management by decoupling control functions from the network data plane. However, such a decoupling also opens SDN to various denial of service attacks: an adversary can easily exhaust network resources by flooding short-lived spoofed flows. Toward this issue, we present a comprehensive study of DoS attacks in SDN, and propose multi-layer fair queueing (MLFQ), a simple but effective DoS mitigation method. MLFQ enforces fair sharing of an SDN controller’s resources with multiple layers of queues, which can dynamically expand and aggregate according to controller load. Both testbed-based and emulation-based experiments demonstrate the effectiveness of MLFQ in mitigating DoS attacks targeted at SDN controllers.

Proceedings ArticleDOI
01 Sep 2016
TL;DR: This paper discusses the DDoS attacks from the traces of the traffic flow using different machine learning algorithms such as Naive Bayes, K-Nearest neighbour, K-means and K-medoids to classify the traffic as normal and abnormal.
Abstract: Software Defined Network (SDN) architecture is a new and novel way of network management. In SDN, switches do not process the incoming packets. They match the incoming packets against the forwarding tables, and if there is no match the packet is sent to the controller for processing, which is the operating system of the SDN. A Distributed Denial of Service (DDoS) attack is the biggest threat to cyber security in an SDN network. The attack will occur at the network layer or the application layer of the compromised systems that are connected to the network. In this paper we discuss the DDoS attacks from the traces of the traffic flow. We use different machine learning algorithms such as Naive Bayes, K-Nearest neighbour, K-means and K-medoids to classify the traffic as normal and abnormal. Then these algorithms are measured using parameters such as detection rate and efficiency. The algorithm having more accuracy is chosen to implement the Signature IDS, and its results are then processed by the Advanced IDS, which detects anomalous behaviour based on open connections and provides accurate results specifying which hosts are involved in the DDoS attack.

Journal ArticleDOI
TL;DR: This work makes an effort to identify the targets of these effects and their origins, such as auto-scaling, multi-tenancy, and accounting in the cloud, and identifies the detailed requirements of mitigation solutions to DDoS attacks in the cloud with an aim to minimize these effects.

Proceedings ArticleDOI
01 Dec 2016
TL;DR: A denial of service (DoS) attack to an IoT system is shown, the attack tool is Kali Linux, and the comparison between the 3 DoS attack methods is given.
Abstract: In recent years, the Internet of things (IoT) has been widely used in various domains. However, the security of the IoT system has become a challenge. If the IoT system is attacked, a great property loss will happen. In this paper, a denial of service (DoS) attack on an IoT system is shown. The attack tool is Kali Linux, and a Denial of Service (DoS) attack is launched using 3 different methods. A comparison between the 3 DoS attack methods is also given.

Proceedings ArticleDOI
10 Apr 2016
TL;DR: The key idea is to continuously re-route traffic in a manner that makes persistent participation in link-flooding events highly improbable for any benign source, so that bots are forced to adopt a suspicious behavior to remain effective and reveal their presence.
Abstract: Distributed link-flooding attacks constitute a new class of attacks with the potential to segment large areas of the Internet. Their distributed nature makes detection and mitigation very hard. This work proposes a novel framework for the analytical modeling and optimal mitigation of such attacks. The detection is modeled as a problem of relational algebra, representing the association of potential attackers (bots) to potential targets. The analysis seeks to optimally dissolve all but the malevolent associations. The framework is implemented at the level of online Traffic Engineering (TE), which is naturally triggered on link-flooding events. The key idea is to continuously re-route traffic in a manner that makes persistent participation in link-flooding events highly improbable for any benign source. Thus, bots are forced to adopt a suspicious behavior to remain effective, revealing their presence. The load-balancing objective of TE is not affected at all. Extensive simulations on various topologies validate our analytical findings.

Proceedings ArticleDOI
11 Mar 2016
TL;DR: A deep learning architecture is introduced to learn deep features of Application layer DDoS attacks using the Stacked AutoEncoder deep learning architecture, which is one of the deep learning based models that learns deep useful features in the Application layer DDoS attack dataset.
Abstract: An Application Layer Distributed Denial of Service Attack (DDoS) is one of the biggest concerns for web security. Many detection methods are designed to mitigate DDoS attacks based on the IP and TCP layers instead of the Application layer. These methods are not suitable for detection of Application layer DDoS attacks since most of the IP and TCP layer DDoS attacks are based on request flooding. But Application layer DDoS attacks consist of request flooding, session flooding, and asymmetric attacks. The solutions available to detect Application layer DDoS attacks detect only a limited number of Application layer DDoS attacks. The solutions that detect all types of Application layer DDoS attacks have huge algorithmic complexity. One of the major challenges in the detection of an Application layer DDoS attack is the non-availability of features to detect such attacks. Hence it is difficult to separate normal user behavior from attack behavior. In this paper, a deep learning architecture is introduced to learn deep features of Application layer DDoS attacks. A deep learning architecture consists of a very deep neural network, typically more than three layers. In the proposed work the concept of the AutoEncoder is applied, which is one of the deep learning based models that learns deep useful features in the Application layer DDoS attack dataset. The Stacked AutoEncoder deep learning architecture is aimed at obtaining high-level features. The performance of the proposed method was evaluated in terms of metrics such as false positive rate and detection rate. Comparison of the proposed method with the existing methods reveals that the proposed method performs better than the existing methods.

Journal ArticleDOI
01 Oct 2016 - Entropy
TL;DR: This work analyzed the standard EPA-HTTP dataset and selected the parameters that will be used as input to the classifier model for differentiating the attack from normal profile, and the proposed model can provide a better accuracy, sensitivity, and specificity than other traditional classification models.
Abstract: Distributed denial-of-service (DDoS) attack is one of the major threats to the web server. The rapid increase of DDoS attacks on the Internet has clearly pointed out the limitations in current intrusion detection systems or intrusion prevention systems (IDS/IPS), mostly caused by application-layer DDoS attacks. Within this context, the objective of the paper is to detect a DDoS attack using a multilayer perceptron (MLP) classification algorithm with genetic algorithm (GA) as learning algorithm. In this work, we analyzed the standard EPA-HTTP (environmental protection agency-hypertext transfer protocol) dataset and selected the parameters that will be used as input to the classifier model for differentiating the attack from normal profile. The parameters selected are the HTTP GET request count, entropy, and variance for every connection. The proposed model can provide a better accuracy of 98.31%, sensitivity of 0.9962, and specificity of 0.0561 when compared to other traditional classification models.

Journal ArticleDOI
TL;DR: This article puts forward the hybrid attack detection and forensics model in M2M networks and presents a distributed anti-honeypot-based forensics strategy to cope with DDoS attacks in the forensics analysis module.
Abstract: The advanced idea of machine-to-machine (M2M) technology has ushered in a new period of network revolution, evolving into a method to monitor and control global industrial user assets, machines, and the production process. M2M networks are considered to be the intelligent connection and communication between machines. However, the security issues have been further amplified with the development of M2M networks. Consequently, it is essential to pay attention to attack detection and forensics problems in M2M networks. This article puts forward the hybrid attack detection and forensics model in M2M networks. It contains two modules: the attack detection module and the forensics analysis module. In addition, we present a distributed anti-honeypot-based forensics strategy to cope with DDoS attacks in the forensics analysis module. Finally, we also discuss some challenges in M2M network security and forensics.

Proceedings ArticleDOI
01 Nov 2016
TL;DR: This work targets an emerging type of DDoS attacks, called Crossfire, and proposes an SDN-based MTD mechanism to defend against such attacks, and shows that the route mutation can effectively reduce the congestion in the targeted links without making any major disruption on network services.
Abstract: Recent research has demonstrated that software defined networking (SDN) can be leveraged to enable moving target defense (MTD) to mitigate distributed denial of service (DDoS) attacks. In MTD the network state is continuously changed by collecting information from the network and enforcing certain security measures on the fly in order to deceive the attackers. Motivated by the success of SDN-based maneuvering, this work targets an emerging type of DDoS attack, called Crossfire, and proposes an SDN-based MTD mechanism to defend against such attacks. We analyze Crossfire attack planning and utilize the analyzed results to develop the defense mechanism, which in turn reorganizes the routes in such a way that the congested links are avoided during packet forwarding. The detection and mitigation techniques are implemented using the Mininet emulator and the Floodlight SDN controller. The evaluation results show that the route mutation can effectively reduce the congestion in the targeted links without causing any major disruption to network services.

Proceedings ArticleDOI
16 May 2016
TL;DR: This paper presents a method which allows us to timely detect various denial-of-service attacks against a computer or a network system by applying an anomaly-detection-based approach to statistics extracted from network packets.
Abstract: Nowadays, zero-day Denial-of-Service (DoS) attacks are becoming frighteningly common in high-speed networks due to the constantly increasing number of vulnerabilities. Moreover, these attacks are becoming more sophisticated and are therefore hard to detect before they damage several networks and hosts. For these reasons, real-time monitoring, processing and network anomaly detection must be among the key features of a modern DoS prevention system. In this paper, we present a method which allows us to detect various denial-of-service attacks against a computer or a network system in a timely manner. We focus on the detection of application-layer DoS attacks that utilize encrypted protocols by applying an anomaly-detection-based approach to statistics extracted from network packets. Since network traffic decryption can violate ethical norms and regulations on privacy, the proposed detection scheme analyzes network traffic without decrypting it. The scheme includes the analysis of conversations between a web server and its clients, the construction of a model of normal user behavior by dividing these conversations into clusters, and the examination of the distribution of these conversations among the resulting clusters with the help of a stacked auto-encoder, which belongs to the class of deep learning algorithms. Conversations of clients that deviate from those normal patterns are classified as anomalous. The proposed technique is tested on data obtained with the help of a realistic cyber environment.
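
The property that makes this approach usable on TLS traffic is that every statistic is derived from packet sizes, directions and timings, never from payload. The following is an added example, not the paper's code: it builds per-conversation feature vectors from constructed packet metadata records (timestamp, source, destination, payload length), fits a model of normal behaviour by clustering the normal conversations with a small k-means, and scores a new conversation by its standardized distance to the nearest cluster centroid. The distance threshold (1.5 times the largest training distance), the feature set and k=2 are assumptions; the paper instead examines the distribution of conversations across clusters with a stacked auto-encoder, which this example does not reproduce.

```python
import math
from collections import defaultdict

# Constructed packet metadata (timestamp_s, src, dst, payload_len). Only
# sizes, directions and timings are used; payload is never inspected, so
# encrypted (e.g. HTTPS) conversations are handled exactly like plaintext ones.
SERVER = "198.51.100.10:443"


def _make_conversation(client, start, n_req, req_len, resp_len, gap):
    """Synthesize n_req request/response pairs spaced `gap` seconds apart."""
    pkts, t = [], start
    for _ in range(n_req):
        pkts.append((t, client, SERVER, req_len))
        pkts.append((t + gap / 2, SERVER, client, resp_len))
        t += gap
    return pkts


# Six ordinary browsing conversations used as the "normal" training set.
NORMAL_PACKETS = []
for i, (n, rl, sl, g) in enumerate(
    [(3, 320, 1400, 1.0), (5, 290, 1520, 1.4), (4, 350, 1200, 0.9),
     (6, 300, 1600, 1.1), (4, 310, 1450, 1.3), (5, 280, 1380, 0.8)]
):
    NORMAL_PACKETS += _make_conversation(f"10.0.0.{i + 1}:5{i}000", 100.0 * i, n, rl, sl, g)

# Constructed application-layer flood: 200 tiny requests at 5 ms spacing.
ATTACK_PACKETS = _make_conversation("203.0.113.9:44001", 900.0, 200, 90, 400, 0.005)


def conversation_features(packets, server=SERVER):
    """Per-client vector: [client packets, client bytes, server bytes,
    mean gap between client packets, client/server byte ratio]."""
    convs = defaultdict(list)
    for ts, src, dst, length in packets:
        client = dst if src == server else src
        convs[client].append((ts, src == server, length))
    feats = {}
    for client, pkts in convs.items():
        pkts.sort()
        up = [(ts, ln) for ts, from_srv, ln in pkts if not from_srv]
        up_bytes = sum(ln for _, ln in up)
        down_bytes = sum(ln for _, from_srv, ln in pkts if from_srv)
        gaps = [b[0] - a[0] for a, b in zip(up, up[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        feats[client] = [float(len(up)), float(up_bytes), float(down_bytes),
                         mean_gap, up_bytes / (down_bytes + 1.0)]
    return feats


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(rows, k, iters=50):
    """Plain Lloyd's k-means with deterministic initialisation (first k rows)."""
    centroids = [list(r) for r in rows[:k]]
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for r in rows:
            clusters[min(range(k), key=lambda c: _dist(r, centroids[c]))].append(r)
        new = [[sum(col) / len(cl) for col in zip(*cl)] if cl else centroids[c]
               for c, cl in enumerate(clusters)]
        if new == centroids:
            break
        centroids = new
    return centroids


class ConversationAnomalyModel:
    """Normal-behaviour model: z-score scaling + k-means; a conversation is
    anomalous when it lies far from every cluster of normal conversations."""

    def __init__(self, k=2):
        self.k = k

    def fit(self, rows):
        cols = list(zip(*rows))
        self.mean = [sum(c) / len(c) for c in cols]
        self.std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
                    for c, m in zip(cols, self.mean)]
        scaled = [self._scale(r) for r in rows]
        self.centroids = kmeans(scaled, self.k)
        self.threshold = 1.5 * max(self._score_scaled(s) for s in scaled)  # assumed margin
        return self

    def _scale(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.std)]

    def _score_scaled(self, s):
        return min(_dist(s, c) for c in self.centroids)

    def score(self, row):
        return self._score_scaled(self._scale(row))

    def is_anomalous(self, row):
        return self.score(row) > self.threshold


def build_demo_model():
    return ConversationAnomalyModel(k=2).fit(list(conversation_features(NORMAL_PACKETS).values()))


def flag_anomalous_clients(model, packets):
    return sorted(c for c, f in conversation_features(packets).items() if model.is_anomalous(f))


if __name__ == "__main__":
    model = build_demo_model()
    print("flagged:", flag_anomalous_clients(model, NORMAL_PACKETS + ATTACK_PACKETS))
```

The flood conversation sits hundreds of standard deviations away on the packet-count axis alone, so any reasonable threshold catches it; the harder cases in practice are low-and-slow attacks whose per-conversation statistics resemble a slow human, which is why the paper models the joint distribution across clusters rather than one distance.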

Journal ArticleDOI
TL;DR: This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel.
Abstract: There is no doubt that botnets pose a growing threat to the Internet, with DDoS attacks of every kind carried out by botnets being on the rise. Nowadays, botmasters rely on advanced Command and Control (C&C) infrastructures to achieve their goals and, most importantly, to remain undetected. This work introduces two novel botnet architectures that consist only of mobile devices and evaluates both their impact in terms of DNS amplification and TCP flooding attacks, and their cost pertaining to the maintenance of the C&C channel. The first one puts forward the idea of using a continually changing mobile HTTP proxy in front of the botherder, while the other capitalizes on the DNS protocol as a covert channel for coordinating the botnet. That is, for the latter, the messages exchanged among the bots and the herder appear as legitimate DNS transactions. Also, a third architecture is described and assessed, which is basically an optimized variation of the first one. Namely, it utilizes a mixed layout where all the attacking bots are mobile, but the proxy machines are typical PCs not involved in the actual attack. For the DNS amplification attack, which is by nature more powerful, we report an amplification factor that fluctuates between 32.7 and 34.1. Also, regarding the imposed C&C cost, we assert that it is minimal (about 0.25 Mbps) per bot in the worst case, which happens momentarily when the bot learns about the parameters of the attack.
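
The amplification factor the abstract reports is the ratio between the bytes an open resolver sends to the spoofed victim and the bytes the bot had to send to trigger them, and it is worth seeing how a 40-byte query turns into a response thirty times its size. The following is an added example, not the paper's code and not a reproduction of its 32.7 to 34.1 figure: it assembles, on the wire format, an EDNS0 ANY query for a constructed zone and the response a resolver would return for it, then computes the factor and what it implies for a fleet of bots. The record set, TTLs and uplink figures are assumptions; the exact factor for a real zone depends on which records it publishes and on the EDNS buffer size the query advertises.

```python
import math
import struct

PTR_QNAME = b"\xc0\x0c"  # name compression pointer to the question name at offset 12


def encode_name(name):
    """Encode a dotted hostname as DNS labels: example.com -> 07example03com00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def header(tx_id, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", tx_id, flags, qd, an, ns, ar)


def opt_rr(udp_payload=4096):
    """EDNS0 OPT pseudo-RR: root name, type 41, class field = advertised UDP size."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)


def build_any_query(name="example.com", tx_id=0x1234, udp_payload=4096):
    """The packet a bot sends with a spoofed source: QTYPE=ANY (255), QCLASS=IN, RD set."""
    q = header(tx_id, 0x0100, 1, 0, 0, 1)
    q += encode_name(name) + struct.pack("!HH", 255, 1)
    return q + opt_rr(udp_payload)


def rr(rtype, rdata, ttl=3600):
    """Answer RR owned by the question name (compressed), class IN."""
    return PTR_QNAME + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_any_response(query):
    """A resolver's answer for a constructed zone: 4 A, 2 NS, 1 SOA and 4 maximal TXT records."""
    tx_id = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    answers = [rr(1, bytes([192, 0, 2, last])) for last in (10, 11, 12, 13)]
    answers += [rr(2, bytes([3]) + ns.encode("ascii") + PTR_QNAME) for ns in ("ns1", "ns2")]
    soa = (b"\x03ns1" + PTR_QNAME + b"\x0ahostmaster" + PTR_QNAME
           + struct.pack("!IIIII", 2016100101, 7200, 3600, 1209600, 300))
    answers.append(rr(6, soa))
    txt = ("v=spf1 " + "ip4:192.0.2.0/24 " * 15).encode("ascii")[:255]  # one full character-string
    answers += [rr(16, bytes([len(txt)]) + txt) for _ in range(4)]
    flags = 0x8180  # QR, RD, RA; no TC, so the whole answer goes out over UDP
    return header(tx_id, flags, 1, len(answers), 0, 1) + question + b"".join(answers) + opt_rr()


def amplification_factor(query, response, udp_payload=4096):
    """Bytes reflected per byte sent; a response above the EDNS size would be
    truncated and retried over TCP, which removes the reflection entirely."""
    if len(response) > udp_payload:
        raise ValueError("response exceeds advertised UDP payload; would be truncated")
    return len(response) / len(query)


def bots_needed(victim_mbps, per_bot_uplink_mbps, factor):
    """How many bots saturate `victim_mbps` given each bot's uplink and the factor (assumed figures)."""
    return math.ceil(victim_mbps / (per_bot_uplink_mbps * factor))


if __name__ == "__main__":
    q = build_any_query()
    r = build_any_response(q)
    f = amplification_factor(q, r)
    print(f"query {len(q)} B, response {len(r)} B, factor {f:.2f}")
    print("bots for 1 Gbps at 2 Mbps uplink each:", bots_needed(1000, 2, f))
```

The query is 40 bytes and the response 1263 bytes, a factor of about 31.6; at that ratio a few dozen phones on modest uplinks can fill a 1 Gbps link, which is the point the paper's mobile-only architecture makes. Note that the response size is capped by the EDNS buffer the attacker advertises: resolvers that clamp the buffer, rate-limit ANY, or answer ANY minimally (RFC 8482) reduce the factor directly.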