
Showing papers on "Denial-of-service attack published in 2017"


Journal Article
TL;DR: Recent distributed denial-of-service attacks demonstrated the high vulnerability of Internet of Things (IoT) systems and devices; addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.
Abstract: Recent distributed denial-of-service attacks demonstrate the high vulnerability of Internet of Things (IoT) systems and devices. Addressing this challenge will require scalable security solutions optimized for the IoT ecosystem.

470 citations


Journal Article
TL;DR: It is shown that the proposed ETC scheme, if well designed, can tolerate a class of DoS signals characterized by frequency and duration properties without jeopardizing the stability, performance and Zeno-freeness of the ETC system.
Abstract: In this paper, we propose a systematic design framework for output-based dynamic event-triggered control (ETC) systems under denial-of-service (DoS) attacks. These malicious DoS attacks are intended to interfere with the communication channel causing periods in time at which transmission of measurement data is impossible. We show that the proposed ETC scheme, if well designed, can tolerate a class of DoS signals characterized by frequency and duration properties without jeopardizing the stability, performance and Zeno-freeness of the ETC system. In fact, the design procedure of the ETC condition allows tradeoffs between performance, robustness to DoS attacks, and utilization of communication resources. The main results will be illustrated by means of a numerical example.

303 citations


Proceedings Article
29 May 2017
TL;DR: A recurrent deep neural network is designed to learn patterns from sequences of network traffic and trace network attack activities; it reduces the error rate compared with a conventional machine learning method on the larger data set.
Abstract: Distributed Denial of Service (DDoS) attacks grow rapidly and become one of the fatal threats to the Internet. Automatically detecting DDoS attack packets is one of the main defense mechanisms. Conventional solutions monitor network traffic and identify attack activities from legitimate network traffic based on statistical divergence. Machine learning is another method to improve identifying performance based on statistical features. However, conventional machine learning techniques are limited by the shallow representation models. In this paper, we propose a deep learning based DDoS attack detection approach (DeepDefense). Deep learning approach can automatically extract high-level features from low-level ones and gain powerful representation and inference. We design a recurrent deep neural network to learn patterns from sequences of network traffic and trace network attack activities. The experimental results demonstrate a better performance of our model compared with conventional machine learning models. We reduce the error rate from 7.517% to 2.103% compared with conventional machine learning method in the larger data set.

261 citations


Journal Article
TL;DR: This work proposes a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment that observes high accuracy with a low false-positive for attack detection in this proposed system.
Abstract: Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

206 citations


Journal Article
TL;DR: A systematic analysis of distributed denial-of-service attacks including motivations and evolution, analysis of different attacks so far, protection techniques and mitigation techniques, and possible limitations and challenges of existing research are provided.
Abstract: Distributed denial-of-service is one kind of the most highlighted and most important attacks of today’s cyberworld. With simple but extremely powerful attack mechanisms, it introduces an immense th...

199 citations


Journal Article
TL;DR: This work makes a novel attempt to identify the need of DDoS mitigation solutions involving multi-level information flow and effective resource management during the attack, and concludes that there is a strong requirement of solutions, which are designed keeping utility computing models in mind.

191 citations


Journal Article
TL;DR: Better understanding of the DDoS attack problem in Cloud computing environment, current solution space, and future research scope to deal with such attacks efficiently is provided.
Abstract: As Cloud computing is reforming the infrastructure of IT industries, it has become one of the critical security concerns of the defensive mechanisms applied to secure Cloud environment. Even if there are tremendous advancements in defense systems regarding the confidentiality, authentication and access control, there is still a challenge to provide security against availability of associated resources. Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack can primarily compromise availability of the system services and can be easily started by using various tools, leading to financial damage or affecting the reputation. These attacks are very difficult to detect and filter, since packets that cause the attack are very much similar to legitimate traffic. DoS attack is considered as the biggest threat to IT industry, and intensity, size and frequency of the attack are observed to be increasing every year. Therefore, there is a need for stronger and universal method to impede these attacks. In this paper, we present an overview of DoS attack and distributed DoS attack that can be carried out in Cloud environment and possible defensive mechanisms, tools and devices. In addition, we discuss many open issues and challenges in defending Cloud environment against DoS attack. This provides better understanding of the DDoS attack problem in Cloud computing environment, current solution space, and future research scope to deal with such attacks efficiently.

168 citations


Journal Article
TL;DR: This paper introduces honeypots into the AMI network as a decoy system to detect and gather attack information, and analyzes the interactions between the attackers and the defenders, and derive optimal strategies for both sides.
Abstract: Advanced metering infrastructure (AMI) is an important component for a smart grid system to measure, collect, store, analyze, and operate users consumption data. The need of communication and data transmission between consumers (smart meters) and utilities make AMI vulnerable to various attacks. In this paper, we focus on distributed denial of service attack in the AMI network. We introduce honeypots into the AMI network as a decoy system to detect and gather attack information. We analyze the interactions between the attackers and the defenders, and derive optimal strategies for both sides. We further prove the existence of several Bayesian-Nash equilibriums in the honeypot game. Finally, we evaluate our proposals on an AMI testbed in the smart grid, and the results show that our proposed strategy is effective in improving the efficiency of defense with the deployment of honeypots.

162 citations


Proceedings Article
01 Oct 2017
TL;DR: A DDoS detection system based on the C4.5 algorithm, coupled with signature detection techniques, generates a decision tree to perform automatic, effective detection of signature attacks for DDoS flooding attacks.
Abstract: Cloud computing is a revolution in IT technology that provides scalable, virtualized on-demand resources to the end users with greater flexibility, less maintenance and reduced infrastructure cost. These resources are supervised by different management organizations and provided over Internet using known networking protocols, standards and formats. The underlying technologies and legacy protocols contain bugs and vulnerabilities that can open doors for intrusion by the attackers. Attacks such as DDoS (Distributed Denial of Service) are among the most frequent that inflict serious damage and affect the cloud performance. In a DDoS attack, the attacker usually uses innocent compromised computers (called zombies) by taking advantage of known or unknown bugs and vulnerabilities to send a large number of packets from these already-captured zombies to a server. This may occupy a major portion of network bandwidth of the victim cloud infrastructures or consume much of the server's time. Thus, in this work, we designed a DDoS detection system based on the C4.5 algorithm to mitigate the DDoS threat. This algorithm, coupled with signature detection techniques, generates a decision tree to perform automatic, effective detection of signature attacks for DDoS flooding attacks. To validate our system, we selected other machine learning techniques and compared the obtained results.

147 citations


Journal Article
TL;DR: This work presents a novel detection approach for application layer DoS attacks based on nonparametric CUSUM algorithm and explores the effectiveness of the detection on various types of these attacks in the context of modern web servers.

144 citations


Book Chapter
10 Jul 2017
TL;DR: The design of a novel architecture is proposed by combining these technologies introducing new opportunities for flexible and efficient DDoS mitigation solutions across multiple domains, without the need to build specialized registries or other distribution mechanisms.
Abstract: The rapid growth in the number of insecure portable and stationary devices and the exponential increase of traffic volume make Distributed Denial-of-Service (DDoS) attacks a top security threat to services provisioning. Existing defense mechanisms lack resources and flexibility to cope with attacks by themselves, and by utilizing other companies’ resources, the burden of the mitigation can be shared. Emerging technologies such as blockchain and smart contracts allow for the sharing of attack information in a fully distributed and automated fashion. In this paper, the design of a novel architecture is proposed by combining these technologies introducing new opportunities for flexible and efficient DDoS mitigation solutions across multiple domains. Main advantages are the deployment of an already existing public and distributed infrastructure to advertise white or blacklisted IP addresses, and the usage of such infrastructure as an additional security mechanism to existing DDoS defense systems, without the need to build specialized registries or other distribution mechanisms, which enables the enforcement of rules across multiple domains.

Proceedings Article
26 Jun 2017
TL;DR: This paper proposes a DOS attack detection system on the source side in the cloud, based on machine learning techniques, that leverages statistical information from both the cloud server's hypervisor and the virtual machines, to prevent network packages from being sent out to the outside network.
Abstract: Denial of service (DOS) attacks are a serious threat to network security. These attacks are often sourced from virtual machines in the cloud, rather than from the attacker's own machine, to achieve anonymity and higher network bandwidth. Past research focused on analyzing traffic on the destination (victim's) side with predefined thresholds. These approaches have significant disadvantages. They are only passive defenses after the attack, they cannot use the outbound statistical features of attacks, and it is hard to trace back to the attacker with these approaches. In this paper, we propose a DOS attack detection system on the source side in the cloud, based on machine learning techniques. This system leverages statistical information from both the cloud server's hypervisor and the virtual machines, to prevent network packages from being sent out to the outside network. We evaluate nine machine learning algorithms and carefully compare their performance. Our experimental results show that more than 99.7% of four kinds of DOS attacks are successfully detected. Our approach does not degrade performance and can be easily extended to broader DOS attacks.

Journal Article
TL;DR: SLICOTS takes the advantage of dynamic programmability nature of SDN to detect and prevent attacks, and reduces the response time overhead up to some 50%, while ensuring the same level of protection.
Abstract: Software defined networking (SDN) is a novel networking paradigm which decouples control plane from data plane. This separation facilitates a high level of programmability and manageability. On the other hand, it makes the SDN controller a bottleneck and hence vulnerable to control plane saturation attack. One of the key mechanisms to achieve control plane saturation is via TCP SYN flooding attack. This is one of the most effective and popular denial of service attacks, in which the attacker produces many half-open TCP connections on the targeted server in order to degrade its availability. Furthermore, when applied to SDN, TCP SYN flooding attack also introduces control plane saturation attack. In particular, the attacker generates a significant number of TCP SYN packets and imposes data plane switches to forward them to the controller. As a result, the performance of the controller degrades and the controller will not be able to respond to genuine requests in acceptable time. In this paper, we propose SLICOTS, an effective and efficient countermeasure to mitigate TCP SYN flooding attack in SDN. SLICOTS takes the advantage of dynamic programmability nature of SDN to detect and prevent attacks. SLICOTS is implemented in the controller; it surveils ongoing TCP connection requests, and blocks malicious hosts. We implemented SLICOTS as an extension module of OpenDayLight controller and evaluated it under different attack scenarios. The experimental results confirm that, compared to the state-of-art, SLICOTS reduces the response time overhead up to some 50%, while ensuring the same level of protection.

Proceedings Article
01 May 2017
TL;DR: Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.
Abstract: The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.

Proceedings Article
01 Nov 2017
TL;DR: The results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years.
Abstract: Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal, by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS.

Journal Article
TL;DR: LineSwitch is compared to the state of the art, and it is shown that it provides at the same time, the same level of protection against the control plane saturation attack, and a reduced time overhead by up to 30%.
Abstract: Software defined networking (SDN) is a new networking paradigm that in recent years has revolutionized network architectures. At its core, SDN separates the data plane, which provides data forwarding functionalities, and the control plane, which implements the network control logic. The separation of these two components provides a virtually centralized point of control in the network, and at the same time abstracts the complexity of the underlying physical infrastructure. Unfortunately, while promising, the SDN approach also introduces new attacks and vulnerabilities. Indeed, previous research shows that, under certain traffic conditions, the required communication between the control and data plane can result in a bottleneck. An attacker can exploit this limitation to mount a new, network-wide, type of denial of service attack, known as the control plane saturation attack. This paper presents LineSwitch, an efficient and effective data plane solution to tackle the control plane saturation attack. LineSwitch employs probabilistic proxying and blacklisting of network traffic to prevent the attack from reaching the control plane, and thus preserve network functionality. We implemented LineSwitch as an extension of the reference SDN implementation, OpenFlow, and ran a thorough set of experiments under different traffic and attack scenarios. We compared LineSwitch to the state of the art, and we show that it provides at the same time, the same level of protection against the control plane saturation attack, and a reduced time overhead by up to 30%.

Journal Article
TL;DR: The proposed CS_DDoS system offers a solution to securing stored records by classifying the incoming packets and making a decision based on the classification results, which yields the best performance when the LS-SVM classifier is adopted.
Abstract: Although the number of cloud projects has dramatically increased over the last few years, ensuring the availability and security of project data, services, and resources is still a crucial and challenging research issue. Distributed denial of service (DDoS) attacks are the second most prevalent cybercrime attacks after information theft. DDoS TCP flood attacks can exhaust the cloud’s resources, consume most of its bandwidth, and damage an entire cloud project within a short period of time. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. In this paper, we present a new classifier system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) in public clouds. The proposed CS_DDoS system offers a solution to securing stored records by classifying the incoming packets and making a decision based on the classification results. During the detection phase, the CS_DDOS identifies and determines whether a packet is normal or originates from an attacker. During the prevention phase, packets, which are classified as malicious, will be denied to access the cloud service and the source IP will be blacklisted. The performance of the CS_DDoS system is compared using the different classifiers of the least squares support vector machine (LS-SVM), naive Bayes, K-nearest, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is adopted. It can detect DDoS TCP flood attacks with about 97% accuracy and with a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy with a Kappa coefficient of 0.9 when under attack from multiple attackers. Finally, the results are discussed in terms of accuracy and time complexity, and validated using a K-fold cross-validation model.

Proceedings Article
01 Dec 2017
TL;DR: The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.
Abstract: Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Proceedings Article
19 Mar 2017
TL;DR: Key security issues of the procedure used in LoRaWAN to allow an end device to establish a connection with the network server are examined, finding vulnerabilities in this protocol, in particular with reference to the use of a random number in the join procedure packet meant to prevent replay attacks.
Abstract: Currently one of the most established protocols for machine to machine (M2M) communications is LoRaWAN, designed to provide low power wide area network with features specifically needed to support low-cost, mobile, secure bidirectional communication for the Internet of Things (IoT). In this context security is of pivotal importance, as IoT constitutes a pervasive network of devices highly integrated with our daily life. In this paper we examine key security issues of the procedure used in LoRaWAN to allow an end device to establish a connection with the network server. We have identified vulnerabilities in this protocol, in particular with reference to the use of a random number in the join procedure packet, meant to prevent replay attacks. We first discuss the options that a network server has when detecting a replay attack and then we examine a) the possibility that a legitimate receiver is considered an attacker because of the random number generation issues and b) the possibility for an attacker to exploit this protocol to generate a denial of service (DoS). A wide set of experiments has been conducted using a widely used LoRaWAN chip showing the vulnerabilities of the protocol.

Proceedings Article
01 Jan 2017
TL;DR: This paper proposes a honeypot model for mitigating DoS attacks launched on IoT devices, using a decoy methodology similar to that of online servers to keep the whole IoT system from being shut down by a DoS attack.
Abstract: Every day, a new technology comes up and the primary reason why it fails to attract many people in this era is the concern of privacy and security. Each day, along with the new technology comes a load of vulnerabilities waiting to be exploited. IoT (Internet of Things) is the latest trend and like all technology, it is open for exploitation. The most common attack which is used to bring down a whole network, without even finding a loophole in the security — DoS can be used to pull down any IoT network as well. In this paper, we propose a honeypot model for mitigating DoS attacks launched on IoT devices. Honeypots are commonly used in online servers as a decoy to the main server so that the attack is mitigated to the decoy instead of the main server. Here a similar methodology is used to avoid the whole IoT system from being shut down due to a DoS attack.

Journal Article
TL;DR: A generalized detection algorithm has been proposed which uses the entropy difference between traffic flows to detect different types of DDoS attacks and FEs.

Journal Article
TL;DR: Extensive simulation results are given to show that the proposed SIRC can achieve a high download success rate and low average download delay with moderate cryptographic computation and communication overhead.
Abstract: In this paper, we propose a secure incentive scheme to achieve fair and reliable cooperative (SIRC) downloading in highway vehicular ad hoc networks (VANETs). SIRC can stimulate vehicle users to help download-and-forward packets for each other and consists of cooperative downloading and forwarding phase. During the cooperative downloading phase, SIRC utilizes “virtual checks” associated with the designated verifier signature to ensure fair and secure cooperation. Meanwhile, to minimize the payment risk of the client vehicle, partial prepayment strategy is adopted, i.e., the vehicles involved in downloading packets can only obtain part of the check before the client vehicle confirms the packet reception. During the cooperative forwarding phase, a profit-sharing model associated with an aggregating Camenisch–Lysyanskaya (CL) signature can stimulate cooperation and reduce the authentication overhead. In addition, we develop a reputation system to encourage cooperation and punish malicious vehicles. The aggregating CL signature and the symmetric cryptosystem are applied to resist various attacks, including injection/removing attack, free riding attack, submission refusal attack, and denial of service attacks. Extensive simulation results are given to show that the proposed SIRC can achieve a high download success rate and low average download delay with moderate cryptographic computation and communication overhead.

Journal Article
TL;DR: A systematic survey of research contributions towards countering HTTP-GET flood DDoS attacks to gain insights into the current research on the detection of these attacks by comprehensively analyzing the selected primary studies to answer a predefined set of research questions.

Journal Article
TL;DR: Two defense countermeasures are proposed: one of which uses a secured packet coding approach to partly compensate the previous packet loss; and in the other the sensor's transmission power is raised to resist the jamming effect brought by the DoS attack.
Abstract: In this paper, we consider a state estimation problem. In this problem, a sensor measures the state of a linear discrete-time system and sends measurements to an estimator via a packet-dropping communication link. We are concerned with the effect of Denial-of-Service (DoS) attacks on stability of the estimation system, and particularly focus on how to examine whether the communication channel is under DoS attack or not as well as how to defend accordingly, if defense is possible. We formulate the detection problem as a hypothesis testing problem provided that the statistics of the communication channel is known a priori. Two defense countermeasures are proposed: one of which uses a secured packet coding approach to partly compensate the previous packet loss; and in the other the sensor's transmission power is raised to resist the jamming effect brought by the DoS attack. Simulations are provided to demonstrate the main results.

Journal Article
TL;DR: This study proposes a DGA-based botnet detection scheme, designated DBod, based on an analysis of the query behavior of DNS traffic, and shows that DBod provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks.

Journal Article
TL;DR: A real-time DDoS attack detection method is proposed that uses a novel correlation measure to identify DDoS attacks and the FPGA implementation requires less than one microsecond to identify an attack.

Proceedings Article
18 Jul 2017
TL;DR: This paper quantifies the capability of consumer IoT devices to participate in reflective DDoS attacks and demonstrates reflection attacks in a real-world setting involving three IoT-equipped smart-homes, stressing the imminent need to address this problem before it becomes widespread.
Abstract: Distributed Denial-of-Service (DDoS) attacks are increasing in frequency and volume on the Internet, and there is evidence that cyber-criminals are turning to Internet-of-Things (IoT) devices such as cameras and vending machines as easy launchpads for large-scale attacks. This paper quantifies the capability of consumer IoT devices to participate in reflective DDoS attacks. We first show that household devices can be exposed to Internet reflection even if they are secured behind home gateways. We then evaluate eight household devices available on the market today, including lightbulbs, webcams, and printers, and experimentally profile their reflective capability, amplification factor, duration, and intensity rate for TCP, SNMP, and SSDP based attacks. Lastly, we demonstrate reflection attacks in a real-world setting involving three IoT-equipped smart-homes, emphasising the imminent need to address this problem before it becomes widespread.

Proceedings Article
24 May 2017
TL;DR: It is shown that, under the proposed distributed event-triggered control scheme, the agents of a linear multi-agent system under Denial-of-Service (DoS) attacks can achieve secure consensus exponentially.
Abstract: This paper studies event-triggered secure cooperative control of linear multi-agent systems under Denial-of-Service (DoS) attacks. The DoS attacks refer to interruptions of communication on the control channels carried out by an intelligent adversary. We consider time-sequence-based DoS attacks allowed to occur aperiodically in an unknown attack strategy. The frequency and duration of DoS attacks are analyzed and investigated for a secure average consensus problem. A distributed event-triggered control law is developed and scheduling of controller updating times is determined in the presence of DoS attacks. It is shown that under the proposed distributed control scheme, the agents can achieve secure consensus exponentially. The effectiveness of the developed methods is illustrated through example and numerical simulations on multi-robot coordination.

Journal ArticleDOI
TL;DR: This paper presents a way to deal with DoS attacks in designing lightweight anonymous authentication protocols for WSN-based real-time applications without compromising any anonymity support and argues that the proposed solution can easily be incorporated into existing schemes to make them resilient to DoS attacks.
Abstract: Wireless sensor networks (WSNs) include spatially allotted autonomous instruments that employ sensors to check environmental or physical conditions. These autonomous instruments or nodes blend with routers or gateways to make several WSN-based real-time applications. In many critical applications, an external user can directly access the real-time data from a sensor node. In this context, before offering access, the legitimacy of the user is required to be verified through a secure authentication scheme. Since, in WSN-based real-time applications, the privacy of the user is greatly important, the authentication scheme for such an environment should be anonymous. Till now, impressive efforts have been made in designing lightweight anonymous authentication protocols for WSN-based real-time applications. However, most such protocols are vulnerable to DoS attacks, which occur due to the loss of synchronization between the participants. Furthermore, to rebuild synchronization between the participants, a protocol may need to compromise the unlinkability property. Therefore, it can be argued that the problem of DoS attacks has not been addressed properly in the existing literature. In this paper, we present a way to deal with DoS attacks in designing lightweight anonymous authentication protocols for WSN-based real-time applications without compromising any anonymity support. We argue that our proposed solution can easily be incorporated with the existing schemes to be resilient to DoS attacks.

Proceedings ArticleDOI
01 Sep 2017
TL;DR: This work uses two machine learning algorithms, namely the Support Vector Machine (SVM) classifier and the Neural Network (NN) classifier, to detect suspicious and harmful connections in SDN networks.
Abstract: Software Defined Networking (SDN) is a new promising networking concept which has a centralized control over the network and separates the data and control planes. This new approach provides abstraction of lower-level functionality and allows the network administrators to initialize, control, change, and manage network behavior programmatically. The centralized control, being the major advantage of SDN, can sometimes also be a major security threat. If the intruder succeeds in attacking the central controller, he would get access to the entire system. The controller is highly vulnerable to Distributed Denial of Service (DDoS) attacks, which lead to exhaustion of the system resources and cause non-availability of the services given by the controller. It is critical to detect the attacks in the controller at an earlier stage. Many algorithms and techniques have been discovered for this purpose. But less work has been done in the field of SDN networks. Using machine learning algorithms for classifying the connections into legitimate and illegitimate is one such solution. We use two machine learning algorithms, namely the Support Vector Machine (SVM) classifier and the Neural Network (NN) classifier, to detect the suspicious and harmful connections.