
Showing papers on "Denial-of-service attack published in 2018"


Proceedings ArticleDOI
24 May 2018
TL;DR: In this paper, the authors demonstrate that using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic.
Abstract: An increasing number of Internet of Things (IoT) devices are connecting to the Internet, yet many of these devices are fundamentally insecure, exposing the Internet to a variety of attacks. Botnets such as Mirai have used insecure consumer IoT devices to conduct distributed denial of service (DDoS) attacks on critical Internet infrastructure. This motivates the development of new techniques to automatically detect consumer IoT attack traffic. In this paper, we demonstrate that using IoT-specific network behaviors (e.g., limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks. These results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks using low-cost machine learning algorithms and traffic data that is flow-based and protocol-agnostic.

504 citations
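Added example, not code from the paper above: the abstract's idea is that consumer IoT devices have a small set of endpoints and regular send intervals, so a few protocol-agnostic flow features plus a cheap classifier can separate a device's normal traffic from flood traffic. The feature set (endpoint cardinality, mean packet size, log packet rate, coefficient of variation of inter-arrival gaps), the nearest-centroid classifier, the training rows and the two sample devices are all my own constructed assumptions, chosen to illustrate the approach rather than to reproduce the paper's models or data.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample traffic: (timestamp_s, device, dst_host, size_bytes).
# "bulb" is a benign device phoning home every 5 s; "camera" is a compromised
# device flooding one victim (203.0.113.7, an RFC 5737 test address) at ~100 pkt/s.
PACKETS = [(i * 5.0, "bulb", "cloud.example", 160) for i in range(20)]
PACKETS += [(i * 0.01, "camera", "203.0.113.7", 60) for i in range(200)]

FEATURE_NAMES = ("n_endpoints", "mean_size", "log10_pps", "gap_cv")


def flow_features(packets):
    """Per-device, protocol-agnostic flow features: endpoint cardinality,
    mean packet size, log10 packet rate and inter-arrival regularity (CV)."""
    by_dev = defaultdict(list)
    for ts, dev, dst, size in packets:
        by_dev[dev].append((ts, dst, size))
    out = {}
    for dev, pkts in by_dev.items():
        pkts.sort()
        ts = [p[0] for p in pkts]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        span = ts[-1] - ts[0]
        pps = len(pkts) / span if span > 0 else 0.0
        mean_gap = mean(gaps) if gaps else 0.0
        out[dev] = (
            float(len({p[1] for p in pkts})),
            mean(p[2] for p in pkts),
            math.log10(max(pps, 1e-6)),
            (pstdev(gaps) / mean_gap) if mean_gap > 0 else 0.0,
        )
    return out


# Constructed, labelled training vectors in FEATURE_NAMES order (assumed data).
TRAIN = [
    ((1.0, 150.0, math.log10(0.2), 0.05), "benign"),
    ((2.0, 200.0, math.log10(0.03), 0.20), "benign"),
    ((1.0, 64.0, math.log10(100.0), 0.01), "attack"),
    ((3.0, 60.0, math.log10(500.0), 0.02), "attack"),
]


class NearestCentroid:
    """Deliberately cheap classifier: z-score each feature on the training
    set, then pick the class whose centroid is nearest in Euclidean distance."""

    def __init__(self, rows):
        cols = list(zip(*[r[0] for r in rows]))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]  # guard constant columns
        groups = defaultdict(list)
        for x, y in rows:
            groups[y].append(self._z(x))
        self.centroids = {y: [mean(c) for c in zip(*xs)] for y, xs in groups.items()}

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids, key=lambda y: math.dist(z, self.centroids[y]))


def classify_devices(packets=PACKETS, train=TRAIN):
    """Label every device seen in `packets` as benign or attack."""
    clf = NearestCentroid(train)
    return {dev: clf.predict(f) for dev, f in flow_features(packets).items()}


if __name__ == "__main__":
    for dev, verdict in classify_devices().items():
        print(dev, verdict)
```

Everything a home gateway needs here is flow metadata (timestamps, sizes, destinations); payloads and protocol parsing are never touched, which is the "flow-based and protocol-agnostic" property the abstract relies on.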


Journal ArticleDOI
TL;DR: The attack model for IoT systems is investigated, and the IoT security solutions based on machine-learning (ML) techniques including supervised learning, unsupervised learning, and reinforcement learning (RL) are reviewed.
Abstract: The Internet of things (IoT), which integrates a variety of devices into networks to provide advanced and intelligent services, has to protect user privacy and address attacks such as spoofing attacks, denial of service (DoS) attacks, jamming, and eavesdropping. We investigate the attack model for IoT systems and review the IoT security solutions based on machine-learning (ML) techniques including supervised learning, unsupervised learning, and reinforcement learning (RL). ML-based IoT authentication, access control, secure offloading, and malware detection schemes to protect data privacy are the focus of this article. We also discuss the challenges that need to be addressed to implement these ML-based security schemes in practical IoT systems.

440 citations


Proceedings ArticleDOI
08 Jul 2018
TL;DR: The paper demonstrates that although the bidirectional approach adds overhead to each epoch and increases processing time, it proves to be a better progressive model over time.
Abstract: The recent growth of the Internet of Things (IoT) has resulted in a rise in IoT based DDoS attacks. This paper presents a solution to the detection of botnet activity within consumer IoT devices and networks. A novel application of Deep Learning is used to develop a detection model based on a Bidirectional Long Short Term Memory based Recurrent Neural Network (BLSTM-RNN). Word Embedding is used for text recognition and conversion of attack packets into tokenised integer format. The developed BLSTM-RNN detection model is compared to a LSTM-RNN for detecting four attack vectors used by the Mirai botnet, and evaluated for accuracy and loss. The paper demonstrates that although the bidirectional approach adds overhead to each epoch and increases processing time, it proves to be a better progressive model over time. A labelled dataset was generated as part of this research, and is available upon request.

230 citations


Journal ArticleDOI
TL;DR: This paper considers a system where a remote estimator receives the data packet sent by a sensor over a wireless network at each time instant, and an energy-constrained attacker designs the optimal DoS attack scheduling to maximize the attacking effect on the remote estimation performance.
Abstract: The recent years have seen a surge of security issues of cyber-physical systems (CPS). In this paper, denial-of-service (DoS) attack scheduling is investigated in depth. Specifically, we consider a system where a remote estimator receives the data packet sent by a sensor over a wireless network at each time instant, and an energy-constrained attacker that cannot launch DoS attacks all the time designs the optimal DoS attack scheduling to maximize the attacking effect on the remote estimation performance. Most of the existing works concerning DoS attacks focus on the ideal scenario in which data packets can be received successfully if there is no DoS attack. To capture the unreliability nature of practical networks, we study the packet-dropping network in which packet dropouts may occur even in the absence of attack. We derive the optimal attack scheduling scheme that maximizes the average expected estimation error, and the one which maximizes the expected terminal estimation error over packet-dropping networks. We also present some countermeasures against DoS attacks, and discuss the optimal defense strategy, and how the optimal attack schedule can serve for more effective and resource-saving countermeasures. We further investigate the optimal attack schedule with multiple sensors. The optimality of the theoretical results is demonstrated by numerical simulations.

225 citations


Journal ArticleDOI
Jin Ye, Xiangyang Cheng, Jian Zhu, Luting Feng, Ling Song
TL;DR: An SDN environment is constructed with Mininet and Floodlight, 6-tuple characteristic values are extracted from the switch flow table, and a DDoS attack model is built with the SVM classification algorithm; the method reaches its average accuracy rate with only a small amount of flow collection.
Abstract: The detection of DDoS attacks is an important topic in the field of network security. The emergence of software defined networking (SDN) (Zhang et al., 2018) brings novel methods to this topic, in which deep learning algorithms are adopted to model attack behavior based on data collected from the SDN controller. However, the existing methods, such as neural network algorithms, are not practical enough to be applied. In this paper, an SDN environment is constructed on the Mininet and Floodlight (Ning et al., 2014) simulation platform, 6-tuple characteristic values are extracted from the switch flow table, and a DDoS attack model is then built with the SVM classification algorithm. The experiments show that our method reaches its average accuracy rate with only a small amount of flow collecting. Our work is of good value for the detection of DDoS attacks in SDN.

196 citations


Journal ArticleDOI
TL;DR: In this paper, the authors investigated the attack models in mobile edge computing systems, focusing on both the mobile offloading and the caching procedures, and proposed security solutions that apply reinforcement learning (RL) techniques to provide secure offloading to the edge nodes against jamming attacks.
Abstract: Mobile edge computing usually uses caching to support multimedia contents in 5G mobile Internet to reduce the computing overhead and latency. Mobile edge caching (MEC) systems are vulnerable to various attacks such as denial of service attacks and rogue edge attacks. This article investigates the attack models in MEC systems, focusing on both the mobile offloading and the caching procedures. In this article, we propose security solutions that apply reinforcement learning (RL) techniques to provide secure offloading to the edge nodes against jamming attacks. We also present lightweight authentication and secure collaborative caching schemes to protect data privacy. We evaluate the performance of the RL-based security solution for mobile edge caching and discuss the challenges that need to be addressed in the future.

189 citations


Journal ArticleDOI
TL;DR: In this article, an ensemble-based multi-filter feature selection method was proposed to reduce the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.
Abstract: Increasing interest in the adoption of cloud computing has exposed it to cyber-attacks. One such attack is the distributed denial of service (DDoS) attack, which targets cloud bandwidth, services and resources to make them unavailable to both the cloud providers and users. Due to the magnitude of traffic that needs to be processed, data mining and machine learning classification algorithms have been proposed to classify normal packets from an anomaly. Feature selection has also been identified as a pre-processing phase in cloud DDoS attack defence that can potentially increase classification accuracy and reduce computational complexity by identifying important features from the original dataset during supervised learning. In this work, we propose an ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection. An extensive experimental evaluation of our proposed method was performed using the NSL-KDD intrusion detection benchmark dataset and a decision tree classifier. The result obtained shows that our proposed method effectively reduced the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.

187 citations


Journal ArticleDOI
TL;DR: A mathematical model is developed to determine when computation offloading is beneficial given parameters related to the operation of the network and the processing demands of the deep learning model, and the more reliable the network, the greater the reduction in detection latency achieved through offloading.
Abstract: Detection of cyber attacks against vehicles is of growing interest. As vehicles typically afford limited processing resources, proposed solutions are rule-based or lightweight machine learning techniques. We argue that this limitation can be lifted with computational offloading commonly used for resource-constrained mobile devices. The increased processing resources available in this manner allow access to more advanced techniques. Using a small four-wheel robotic land vehicle as a case study, we demonstrate the practicality and benefits of offloading the continuous task of intrusion detection that is based on deep learning. This approach achieves high accuracy much more consistently than with standard machine learning techniques and is not limited to a single type of attack or the in-vehicle CAN bus as in previous work. As input, it uses data captured in real-time that relate to both cyber and physical processes, which it feeds as time series data to a neural network architecture. We use both a deep multilayer perceptron and recurrent neural network architecture, with the latter benefitting from a long short-term memory hidden layer, which proves very useful for learning the temporal context of different attacks. We employ denial of service, command injection and malware as examples of cyber attacks that are meaningful for a robotic vehicle. The practicality of computation offloading depends on the resources afforded onboard and remotely, and the reliability of the communication means between them. Using detection latency as the criterion, we have developed a mathematical model to determine when computation offloading is beneficial given parameters related to the operation of the network and the processing demands of the deep learning model. The more reliable the network and the greater the processing demands, the greater the reduction in detection latency achieved through offloading.

186 citations


Journal ArticleDOI
TL;DR: A real-time scheme that can potentially detect the occurrence of a particular cyber attack, namely denial of service; and estimate the effect of the attack on the connected vehicle system is proposed.
Abstract: Advanced connectivity features in today’s smart vehicles are giving rise to several promising intelligent transportation technologies. Connected vehicle systems are one such technology, where a set of vehicles can communicate with each other and the infrastructure via communication networks. Connected vehicles have the potential to improve the traffic throughput, minimize the risk of accidents and reduce vehicle energy consumption. Despite these promising features, connected vehicles suffer from safety and security issues. Especially, vehicle-to-vehicle and vehicle-to-infrastructure communications make connected vehicles vulnerable to cyber attacks. In order to improve safety and security, advanced vehicular control systems must be designed to be resilient to such cyber attacks. The first step in designing such an attack-resilient control system is detection of the occurrence of the cyber attack. In this paper, we address this need and propose a real-time scheme that can potentially 1) detect the occurrence of a particular cyber attack, namely denial of service; and 2) estimate the effect of the attack on the connected vehicle system. The scheme consists of a set of observers, which are designed using sliding mode and adaptive estimation theory. The mathematical convergence properties of the observers are analyzed via Lyapunov’s stability theory. Finally, simulation demonstrates the performance of the approach and the robustness of the scheme under several forms of uncertainties.

170 citations


Journal ArticleDOI
TL;DR: An algorithm for detecting and mitigating DDoS attacks using the proposed SD-IoT framework is proposed; in the proposed algorithm, the cosine similarity of the vectors of the packet-in message rate at boundary SD-IoT switch ports is used to determine whether DDoS attacks are occurring in the IoT.
Abstract: With the spread of Internet of Things’ (IoT) applications, security has become extremely important. A recent distributed denial-of-service (DDoS) attack revealed the ubiquity of vulnerabilities in IoT, and many IoT devices unwittingly contributed to the DDoS attack. The emerging software-defined anything (SDx) paradigm provides a way to safely manage IoT devices. In this paper, we first present a general framework for software-defined Internet of Things (SD-IoT) based on the SDx paradigm. The proposed framework consists of a controller pool containing SD-IoT controllers, SD-IoT switches integrated with an IoT gateway, and IoT devices. We then propose an algorithm for detecting and mitigating DDoS attacks using the proposed SD-IoT framework, and in the proposed algorithm, the cosine similarity of the vectors of the packet-in message rate at boundary SD-IoT switch ports is used to determine whether DDoS attacks occur in the IoT. Finally, experimental results show that the proposed algorithm has good performance, and the proposed framework adapts to strengthen the security of the IoT with heterogeneous and vulnerable devices.

164 citations
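Added example, not the paper's own code: the abstract says the detector compares packet-in message rate vectors at boundary switch ports by cosine similarity. The concrete rule below (average the baseline windows, compare the current window's vector against that average, alarm when the cosine drops below 0.9, then rank ports by growth to target mitigation) and the sample counts are my assumptions; the paper's exact comparison and thresholds are not given on this page.

```python
import math

# Constructed packet-in message counts per boundary switch port, one list per
# one-second window. The first three windows are the learned baseline; the
# fourth is an attack window in which port 3 is flooded.
NORMAL_WINDOWS = [
    [12, 30, 8, 25],
    [14, 28, 9, 27],
    [11, 31, 7, 24],
]
ATTACK_WINDOW = [13, 29, 8, 900]


def cosine_similarity(a, b):
    """cos(theta) between two non-negative rate vectors; 1.0 means same shape."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def baseline_vector(windows):
    """Element-wise mean of the baseline windows' rate vectors."""
    n = len(windows)
    return [sum(w[i] for w in windows) / n for i in range(len(windows[0]))]


def detect(window, windows, threshold=0.9):
    """Returns (similarity, is_attack). A flood changes the direction of the
    rate vector even if total volume is not tracked; 0.9 is an assumed cutoff."""
    sim = cosine_similarity(window, baseline_vector(windows))
    return sim, sim < threshold


def rank_ports(window, windows):
    """Ports ordered by growth relative to baseline, most suspicious first,
    so a controller knows where to push a drop/rate-limit flow rule."""
    base = baseline_vector(windows)
    return sorted(range(len(window)),
                  key=lambda i: window[i] / max(base[i], 1e-9), reverse=True)


if __name__ == "__main__":
    sim, flagged = detect(ATTACK_WINDOW, NORMAL_WINDOWS)
    print(f"similarity={sim:.3f} attack={flagged} ports={rank_ports(ATTACK_WINDOW, NORMAL_WINDOWS)}")
```

Cosine similarity is scale-invariant, so a uniform rise in load across all ports (a flash crowd hitting every gateway) does not trigger this rule; only a change in the proportion between ports does. That is a property to keep in mind when tuning it.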


Journal ArticleDOI
TL;DR: This paper solves the problem of “how much power the attacker should use to jam the channel in each time” and proposes an attack power allocation algorithm and shows the computational complexity of the proposed algorithm is not worse than $\mathcal{O}(T)$ .
Abstract: This paper considers a remote state estimation problem, where a sensor measures the state of a linear discrete-time process and has computational capability to implement a local Kalman filter based on its own measurements. The sensor sends its local estimates to a remote estimator over a communication channel that is exposed to a Denial-of-Service (DoS) attacker. The DoS attacker, subject to a limited energy budget, intentionally jams the communication channel by emitting interference noise with the purpose of deteriorating estimation performance. In order to maximize the attack effect, following the existing answer to “when to attack the communication channel”, in this paper we solve the problem of “how much power the attacker should use to jam the channel at each time”. For the static attack energy allocation problem, when the system matrix is normal, we derive a sufficient condition for when the maximum number of jamming operations should be used. The associated jamming power is explicitly provided. For a general system case, we propose an attack power allocation algorithm and show that the computational complexity of the proposed algorithm is not worse than $\mathcal{O}(T)$, where $T$ is the length of the time horizon considered. When the attacker can receive the real-time ACK information, we formulate a dynamic attack energy allocation problem, and transform it to a Markov Decision Process to find the optimal solution.

Journal ArticleDOI
TL;DR: A multi-level DDoS mitigation framework (MLDMF) to defend against DDoS attacks for IIoT, which includes the edge computing level, fog computing level, and cloud computing level, is proposed.
Abstract: The Industrial Internet of Things (IIoT) is growing fast. But the rapid growth of IIoT devices raises a number of security concerns, because IIoT devices are weak at defending against malware, and managing a large number of IIoT devices is awkward and inconvenient. This article proposes a multi-level DDoS mitigation framework (MLDMF) to defend against DDoS attacks for IIoT, which includes the edge computing level, fog computing level, and cloud computing level. Software defined networking is used to manage a large number of IIoT devices and to mitigate DDoS attacks in IIoT. Experimental results show the effectiveness of the proposed framework.

Journal ArticleDOI
TL;DR: A joint entropy-based security scheme (JESS) to enhance SDN security with the aim of a reinforced SDN architecture against DDoS attacks; JESS is the first model that utilizes joint entropy for DDoS detection and mitigation in the SDN environment.
Abstract: Software-defined networking (SDN) is a communication paradigm that brings cost efficiency and flexibility through software-defined functions resident on centralized controllers. Although SDN applications are introduced in a limited scope with related technologies still under development, operational SDN networks already face major security threats. Therefore, comprehensive and efficient solutions are crucial. Especially, large-scale security threats such as distributed-denial-of-service (DDoS) attacks are jeopardizing safety and availability of data and services in these systems. A DDoS attack is aimed at making resources unavailable to legitimate users via overloading systems with excessive superfluous traffic from distributed sources. In this paper, we describe and evaluate a joint entropy-based security scheme (JESS) to enhance the SDN security with the aim of a reinforced SDN architecture against DDoS attacks. In particular, our proposed model devises a statistical solution to detect and mitigate these hazards. To the best of our knowledge, JESS is the first model that utilizes joint entropy for DDoS detection and mitigation in the SDN environment. Since it relies on a statistical model, it mitigates not only known attacks but also unfamiliar types in an efficient manner.

Journal ArticleDOI
TL;DR: RADAR is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances.
Abstract: Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed from low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement a RADAR prototype using the open source Floodlight controller and evaluate its performance under various DDoS attacks in experiments on a real hardware testbed. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

Journal ArticleDOI
TL;DR: A Generalized Entropy (GE) based metric is proposed to detect the low rate DDoS attack to the control layer and the experimental results show that the detection mechanism improves the detection accuracy as compared to Shannon entropy and other statistical information distance metrics.
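Added example, not code from either the JESS paper or the Generalized Entropy paper above; it serves both entries. It computes three window statistics over constructed flow records: Shannon entropy of destination IPs, Rényi (generalized) entropy of order alpha over the same, and joint entropy over (dst IP, dst port) pairs, then alarms on a relative drop from a baseline window. The feature choices, alpha = 10, the 25% drop threshold and the sample flows are my assumptions. The constructed attack window is deliberately low-rate (one fifth of the flows) so that the difference in sensitivity between Shannon and generalized entropy is visible.

```python
import math
from collections import Counter

# Constructed flow records (src_ip, dst_ip, dst_port). The baseline spreads
# evenly over 9 destinations and 4 ports; the attack window keeps 144 such
# flows and adds 36 low-rate attack flows aimed at one (dst, port) pair.
PORTS = (80, 443, 53, 8080)
BASELINE = [(f"10.0.0.{i % 20}", f"198.51.100.{i % 9}", PORTS[i % 4]) for i in range(180)]
ATTACK = ([(f"10.0.0.{i % 20}", f"198.51.100.{i % 9}", PORTS[i % 4]) for i in range(144)]
          + [(f"10.0.{i % 50}.{i % 13}", "198.51.100.5", 80) for i in range(36)])


def _probs(items):
    counts = Counter(items)
    n = sum(counts.values())
    return [c / n for c in counts.values()]


def shannon_entropy(items):
    """H = -sum p log2 p over the empirical distribution of `items`."""
    return -sum(p * math.log2(p) for p in _probs(items))


def joint_entropy(pairs):
    """H(X, Y): Shannon entropy of the joint distribution, computed over tuples."""
    return shannon_entropy(list(pairs))


def generalized_entropy(items, alpha=10.0):
    """Renyi entropy of order alpha: H_a = log2(sum p^a) / (1 - a).
    alpha -> 1 recovers Shannon; large alpha is dominated by the most frequent
    symbol, so a single hot destination pulls it down much faster."""
    if alpha == 1.0:
        return shannon_entropy(items)
    return math.log2(sum(p ** alpha for p in _probs(items))) / (1.0 - alpha)


def metrics(flows, alpha=10.0):
    dsts = [f[1] for f in flows]
    return {
        "H_dst": shannon_entropy(dsts),
        "GE_dst": generalized_entropy(dsts, alpha),
        "H_joint_dst_port": joint_entropy((f[1], f[2]) for f in flows),
    }


def relative_drop(base, cur):
    """Fraction by which each metric fell from the baseline to the current window."""
    return {k: 1.0 - cur[k] / base[k] for k in base}


def detect(flows, baseline=BASELINE, threshold=0.25, alpha=10.0):
    """Alarm when any metric drops by more than `threshold` (an assumed value)."""
    drop = relative_drop(metrics(baseline, alpha), metrics(flows, alpha))
    return drop, any(v > threshold for v in drop.values())


if __name__ == "__main__":
    drop, alarm = detect(ATTACK)
    for k, v in drop.items():
        print(f"{k}: drop={v:.3f}")
    print("alarm:", alarm)
```

On this input the Shannon entropy of destinations falls by about 5% while the order-10 generalized entropy falls by about 37%, which is the effect the GE paper's TL;DR describes: for a low-rate attack the generalized metric separates attack from baseline far more clearly than Shannon entropy. Entropy on its own says that traffic concentrated; it does not say where, so a deployment still needs a second step (top-talker lookup, per-destination counters) to pick the mitigation target.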

Journal ArticleDOI
TL;DR: An effective defense system, named SkyShield, is proposed, which leverages the sketch data structure to quickly detect and mitigate application layer DDoS attacks and utilizes the abnormal sketch to facilitate the identification of malicious hosts of an ongoing attack.
Abstract: Application layer distributed denial of service (DDoS) attacks have become a severe threat to the security of web servers. These attacks evade most intrusion prevention systems by sending numerous benign HTTP requests. Since most of these attacks are launched abruptly and severely, a fast intrusion prevention system is desirable to detect and mitigate these attacks as soon as possible. In this paper, we propose an effective defense system, named SkyShield, which leverages the sketch data structure to quickly detect and mitigate application layer DDoS attacks. First, we propose a novel calculation of the divergence between two sketches, which alleviates the impact of network dynamics and improves the detection accuracy. Second, we utilize the abnormal sketch to facilitate the identification of malicious hosts of an ongoing attack. This improves the efficiency of SkyShield by avoiding the reverse calculation of malicious hosts. We have developed a prototype of SkyShield and carefully evaluated its effectiveness using real attack data collected from a large-scale web cluster. The experimental results show that SkyShield can quickly reduce malicious requests, while posing a limited impact on normal users.
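Added example, not SkyShield's own code: it shows the mechanics the abstract describes, a count-min style sketch of per-client request counts, a divergence between a baseline sketch and the current window's sketch, and an "abnormal sketch" of buckets whose share grew, used to flag clients directly (a client is flagged when all of its buckets are abnormal) instead of reverse-mapping buckets to hosts. The sketch geometry, the Hellinger-based divergence, the growth factor, the 0.3 alarm threshold and the request logs are my assumptions; the paper's own divergence calculation is not reproduced here.

```python
import hashlib
import math

WIDTH, DEPTH = 256, 3  # sketch geometry (assumed values)


def _bucket(row, key):
    """Independent hash per row, so one client lands in DEPTH different buckets."""
    h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
    return int.from_bytes(h, "big") % WIDTH


class Sketch:
    """Count-min style sketch of request counts keyed by client host."""

    def __init__(self):
        self.rows = [[0] * WIDTH for _ in range(DEPTH)]
        self.total = 0

    def add(self, host, n=1):
        for r in range(DEPTH):
            self.rows[r][_bucket(r, host)] += n
        self.total += n

    def shares(self):
        """Per-row bucket shares, i.e. each row normalised to a distribution."""
        t = self.total or 1
        return [[c / t for c in row] for row in self.rows]


def divergence(base, cur):
    """Mean per-row Hellinger distance between the two sketches' bucket-share
    distributions (an assumed choice standing in for the paper's own divergence).
    Comparing shares rather than raw counts keeps a benign traffic increase from
    registering as divergence."""
    total = 0.0
    for pb, pc in zip(base.shares(), cur.shares()):
        bc = sum(math.sqrt(p * q) for p, q in zip(pb, pc))
        total += math.sqrt(max(0.0, 1.0 - bc))
    return total / DEPTH


def abnormal_buckets(base, cur, factor=3.0):
    """The 'abnormal sketch': buckets whose share grew well beyond baseline."""
    floor = 1.0 / WIDTH
    return [[c > factor * b + floor for b, c in zip(rb, rc)]
            for rb, rc in zip(base.shares(), cur.shares())]


def malicious_hosts(hosts, base, cur, factor=3.0):
    """A host is flagged only when every one of its DEPTH buckets is abnormal,
    which filters arriving clients without any bucket-to-host reverse lookup."""
    ab = abnormal_buckets(base, cur, factor)
    return sorted(h for h in set(hosts)
                  if all(ab[r][_bucket(r, h)] for r in range(DEPTH)))


# Constructed request logs: a quiet baseline window, a later benign window with
# mild variation, and an attack window in which four hosts each send 200 requests.
NORMAL_HOSTS = [f"192.0.2.{i}" for i in range(50)]
ATTACKERS = [f"203.0.113.{i}" for i in range(4)]
BASELINE_REQS = [h for h in NORMAL_HOSTS for _ in range(4)]
BENIGN_REQS = [h for i, h in enumerate(NORMAL_HOSTS) for _ in range(3 + i % 3)]
ATTACK_REQS = BASELINE_REQS + [h for h in ATTACKERS for _ in range(200)]


def build(reqs):
    s = Sketch()
    for h in reqs:
        s.add(h)
    return s


def analyze(window_reqs, baseline_reqs=BASELINE_REQS, threshold=0.3):
    """Returns (divergence, flagged_hosts); hosts are only examined once the
    divergence says the window is abnormal."""
    base, cur = build(baseline_reqs), build(window_reqs)
    d = divergence(base, cur)
    flagged = malicious_hosts(window_reqs, base, cur) if d > threshold else []
    return d, flagged


if __name__ == "__main__":
    print(analyze(BENIGN_REQS))
    print(analyze(ATTACK_REQS))
```

The sketch is fixed-size memory regardless of how many distinct clients appear, which is what makes the approach viable against application-layer floods from large botnets; the price is that a benign client whose buckets all collide with attackers' buckets is mis-flagged, with probability that shrinks as WIDTH and DEPTH grow.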

Journal ArticleDOI
TL;DR: A DDoS attack is identified from the abnormal probability of the forecast PDRA sequence; the proposed method effectively reduces compute resource consumption and identifies the attack at its initial stage with a higher detection rate and lower false alarm rate.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem with the fast development of the Internet. There are a multitude of DDoS detection approaches; however, three major problems with DDoS attack detection appear in the big data environment: firstly, to shorten the response time of the DDoS attack detector; secondly, to reduce the required compute resources; and lastly, to achieve a high detection rate with a low false alarm rate. In this paper, we propose an abnormal network flow feature sequence prediction approach which is suited for use as a DDoS attack detector in the big data environment and solves the aforementioned problems. We define a network flow abnormal index, PDRA, from the percentage of old IP addresses, the increment of new IP addresses, the ratio of new IP addresses to old IP addresses and the average accessing rate of each new IP address. We design an IP address database using a sequential storage model which has constant time complexity. The autoregressive integrated moving average (ARIMA) trend prediction module is started if and only if the number of consecutive PDRA sequence values that all exceed the PDRA abnormal threshold (PAT) reaches a certain preset threshold. We then calculate the abnormal probability, i.e., the percentage of forecast PDRA sequence values which exceed the PAT. Finally, we identify the DDoS attack based on the abnormal probability of the forecast PDRA sequence. Both theory and experiment show that the method we propose can effectively reduce compute resource consumption and identify a DDoS attack at its initial stage with a higher detection rate and lower false alarm rate.
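Added example, not the paper's own code: it implements the front half of the pipeline the abstract describes, a constant-time IP address store, the four PDRA components per window, a PAT applied to them, and the "run of consecutive abnormal windows" trigger. The abstract does not say how the four components are combined into one index or what the thresholds are, so treating two of them as a component-wise PAT, the run length of 3, and the traffic windows are my assumptions. The ARIMA forecast that the paper starts at the trigger point is left out; the trigger itself is the output here.

```python
from collections import Counter


class IPDatabase:
    """Set-backed store of source IPs seen so far: constant-time lookup and insert."""

    def __init__(self, known=()):
        self.seen = set(known)

    def is_old(self, ip):
        return ip in self.seen

    def remember(self, ips):
        self.seen.update(ips)


def pdra(window, db):
    """The four PDRA components for one window of source IPs:
    share of old (known) IPs, count of new IPs, new/old ratio, and the average
    number of requests per new IP."""
    counts = Counter(window)
    old = [ip for ip in counts if db.is_old(ip)]
    new = [ip for ip in counts if not db.is_old(ip)]
    return {
        "pct_old": len(old) / max(len(counts), 1),
        "new_increment": len(new),
        "new_to_old_ratio": len(new) / max(len(old), 1),
        "new_avg_rate": sum(counts[ip] for ip in new) / max(len(new), 1),
    }


# PAT: per-component abnormal thresholds (assumed values, not the paper's).
PAT = {"new_to_old_ratio": 0.5, "new_avg_rate": 2.0}


def is_abnormal(components, pat=PAT):
    return all(components[k] > v for k, v in pat.items())


def run_detector(windows, db, pat=PAT, run_length=3):
    """Index of the window that completes `run_length` consecutive abnormal PDRA
    values, or None. Only non-abnormal windows are written back to the IP
    database, so a flood's sources do not silently become 'old' addresses."""
    streak = 0
    for i, window in enumerate(windows):
        if is_abnormal(pdra(window, db), pat):
            streak += 1
            if streak >= run_length:
                return i
        else:
            streak = 0
            db.remember(window)
    return None


# Constructed traffic: 30 known clients; three quiet windows each bringing one
# new client; then three windows in which 40 fresh sources each send 5 requests.
KNOWN = [f"192.0.2.{i}" for i in range(30)]


def _quiet(w):
    return [KNOWN[i % 30] for i in range(40)] + [f"198.51.100.{w}"]


def _flood(w):
    return _quiet(w) + [f"203.0.113.{w * 40 + j}" for j in range(40) for _ in range(5)]


WINDOWS = [_quiet(0), _quiet(1), _quiet(2), _flood(3), _flood(4), _flood(5)]

if __name__ == "__main__":
    print("alarm at window", run_detector(WINDOWS, IPDatabase(KNOWN)))
```

Requiring a run rather than a single abnormal window is what keeps a one-off burst of new clients (a link shared on social media) from firing the expensive stage; the cost is a delay of `run_length` windows before the attack is acknowledged.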

Journal ArticleDOI
TL;DR: Predis, as described in this paper, combines perturbation encryption and data encryption to protect privacy and employs the computationally simple and efficient k-Nearest Neighbors (kNN) algorithm as its detection algorithm.
Abstract: Existing distributed denial-of-service attack detection in software defined networks (SDNs) typically perform detection in a single domain. In reality, abnormal traffic usually affects multiple network domains. Thus, a cross-domain attack detection has been proposed to improve detection performance. However, when participating in detection, the domain of each SDN needs to provide a large amount of real traffic data, from which private information may be leaked. Existing multiparty privacy protection schemes often achieve privacy guarantees by sacrificing accuracy or increasing the time cost. Achieving both high accuracy and reasonable time consumption is a challenging task. In this paper, we propose Predis , which is a privacy-preserving cross-domain attack detection scheme for SDNs. Predis combines perturbation encryption and data encryption to protect privacy and employs a computationally simple and efficient algorithm k-Nearest Neighbors (kNN) as its detection algorithm. We also improve kNN to achieve better efficiency. Via theoretical analysis and extensive simulations, we demonstrate that Predis is capable of achieving efficient and accurate attack detection while securing sensitive information of each domain.

Journal ArticleDOI
TL;DR: An ISP level distributed, flexible, automated, and collaborative (D-FACE) defense system which not only distributes the computational and storage complexity to the nearest point of presence routers but also leads to an early detection of DDoS attacks and flash events.

Journal ArticleDOI
24 May 2018-Sensors
TL;DR: An exponentially weighted moving average (EWMA) is deployed to detect anomalous changes in the intensity of a jamming attack event by using the packet inter-arrival feature of the received packets from the sensor nodes.
Abstract: Wireless Sensor Networks (WSNs), in recent times, have become one of the most promising network solutions with a wide variety of applications in the areas of agriculture, environment, healthcare and the military. Notwithstanding these promising applications, sensor nodes in WSNs are vulnerable to different security attacks due to their deployment in hostile and unattended areas and their resource constraints. One such attack is the DoS jamming attack, which interferes with and disrupts the normal functions of sensor nodes in a WSN by emitting radio frequency signals to jam legitimate signals and cause a denial of service. In this work we propose a step-wise approach using a statistical process control technique to detect these attacks. We deploy an exponentially weighted moving average (EWMA) to detect anomalous changes in the intensity of a jamming attack event by using the packet inter-arrival feature of the received packets from the sensor nodes. Results obtained from a trace-driven simulation show that the proposed solution can efficiently and accurately detect jamming attacks in WSNs with little or no overhead.
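Added example, not the paper's own code: an EWMA control chart over packet inter-arrival times, the statistical process control technique the abstract names. A jammer that blanks out legitimate frames shows up at the receiver as inter-arrival gaps of several reporting periods, so the EWMA of the gap drifts above its upper control limit. The reporting period, the jitter pattern, the live trace, and the smoothing weight lam = 0.3 with L = 3 sigma limits are my assumptions.

```python
import math
from statistics import mean, pstdev

# Constructed packet inter-arrival times (seconds) observed from one sensor node.
# Calibration: a 1 s reporting period with small deterministic jitter.
JITTER = (0.0, 0.05, -0.05, 0.02, -0.02)
CALIBRATION = [1.0 + j for j in JITTER] * 10
# Live trace: three normal gaps, then a jammer starts knocking out packets, so
# the receiver sees inter-arrival times of several periods.
LIVE = [1.0, 1.05, 0.95, 3.1, 2.4, 4.0, 3.3]


def ewma_chart(samples, mu0, sigma, lam=0.3, L=3.0):
    """EWMA control chart: z_t = lam*x_t + (1-lam)*z_{t-1}, z_0 = mu0, with the
    time-varying limits mu0 +/- L*sigma*sqrt(lam/(2-lam)*(1-(1-lam)^(2t))).
    Returns one (z, lcl, ucl, out_of_control) tuple per sample."""
    z = mu0
    out = []
    for t, x in enumerate(samples, start=1):
        z = lam * x + (1.0 - lam) * z
        half = L * sigma * math.sqrt(lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * t)))
        lcl, ucl = mu0 - half, mu0 + half
        out.append((z, lcl, ucl, z > ucl or z < lcl))
    return out


def calibrate(samples):
    """In-control mean and standard deviation estimated from a clean trace."""
    return mean(samples), pstdev(samples)


def first_alarm(samples, calibration=CALIBRATION, **kw):
    """Index of the first sample whose EWMA leaves the control limits, else None.
    A sustained excursion above the UCL means packets are being lost to jamming;
    one below the LCL would mean an unexpected burst."""
    mu0, sigma = calibrate(calibration)
    for i, (_, _, _, flag) in enumerate(ewma_chart(samples, mu0, sigma, **kw)):
        if flag:
            return i
    return None


if __name__ == "__main__":
    mu0, sigma = calibrate(CALIBRATION)
    for i, (z, lcl, ucl, flag) in enumerate(ewma_chart(LIVE, mu0, sigma)):
        print(f"{i}: x={LIVE[i]:.2f} z={z:.3f} limits=({lcl:.3f}, {ucl:.3f}) alarm={flag}")
```

The EWMA needs only one running value and a handful of constants per node, which is why it fits the "little or no overhead" claim for sensor-class hardware; the smoothing weight trades detection delay (small lam) against false alarms from ordinary jitter (large lam).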

Journal ArticleDOI
TL;DR: Simulation results show that the proposed network-based Slow HTTP DDoS attack defense method successfully protects Web servers against Slow HTTP DDoS attacks.
Abstract: A Slow HTTP distributed denial of service (DDoS) attack causes a Web server to be unavailable, but it is difficult to detect in a network, because its traffic patterns are similar to those of legitimate clients. In this letter, we propose a network-based Slow HTTP DDoS attack defense method, which is assisted by a software-defined network that can detect and mitigate Slow HTTP DDoS attacks in the network. Simulation results show that the proposed Slow HTTP DDoS attack defense method successfully protects Web servers against Slow HTTP DDoS attacks.

Journal ArticleDOI
TL;DR: The proposed IDS can detect the DoS type attacks at a high detection rate with a simple structure and short computing time and improves the reliability of the network significantly by detecting and removing the malicious nodes in the system.
Abstract: The performance of mobile ad hoc networks (MANETs) is significantly affected by malicious nodes. One of the most common attacks in MANETs is denial of service (DoS), a type of intrusion specifically designed to target service integrity and availability of a certain network node. Hence, it is important to use an efficient intrusion detection system (IDS) that detects and removes the malicious nodes in the network to improve the performance by monitoring the network traffic continuously. The main contribution of this paper is the integration of an IDS into MANETs as a reliable and potent solution. A new approach to intrusion detection is developed based on the support vector machine algorithm. The proposed IDS can detect DoS type attacks at a high detection rate with a simple structure and short computing time. It is shown by extensive computer simulation that the proposed IDS improves the reliability of the network significantly by detecting and removing the malicious nodes in the system. The performance of the suggested approach is independent of the network routing protocol. The detection rate of the system is also not affected by node mobility and network size.

Journal ArticleDOI
TL;DR: This work focuses on some relevant types of malicious threats that affect the platoon safety, i.e. application layer attacks (Spoofing and Message Falsification) and network layer attacks, and proposes a novel collaborative control strategy for enhancing the protection level of autonomous platoons.

Proceedings ArticleDOI
01 Jan 2018
TL;DR: The initial stages of developing Pulse, a novel IDS for the IoT, which employs Machine Learning (ML) methodologies and is capable of successfully identifying network scanning and probing and simple forms of Denial of Service (DoS) attacks.
Abstract: The number of diverse interconnected Internet of Things (IoT) devices keeps increasing exponentially, introducing new security and privacy challenges. These devices tend to become more pervasive than mobile phones and already have access to very sensitive personal information such as usernames, passwords, etc., making them a target for cyber-attacks. Given that smart devices are vulnerable to a variety of attacks, they can be considered to be the weakest link for breaking into a secure infrastructure. For instance, IoT devices have recently been employed as part of botnets, such as Mirai, and have launched several of the largest Distributed Denial of Service (DDoS) and spam attacks in history. As a result, there is a need to develop an Intrusion Detection System (IDS) dedicated to monitoring IoT ecosystems, which will be able to adapt to this heterogeneous environment and detect malicious activity on the network. In this paper, we describe the initial stages of developing Pulse, a novel IDS for the IoT, which employs Machine Learning (ML) methodologies and is capable of successfully identifying network scanning and probing and simple forms of Denial of Service (DoS) attacks.

Journal ArticleDOI
TL;DR: The use of artificial immune systems to mitigate denial of service attacks is proposed, based on building networks of distributed sensors suited to the requirements of the monitored environment, capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings.
Abstract: Denial of service attacks pose a constantly growing threat. This is mainly due to their tendency to gain in sophistication, ease of implementation and obfuscation, and to the recent improvements in concealing their fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies that are more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD'99, CAIDA'07 and CAIDA'08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.

Journal ArticleDOI
TL;DR: A solution, named REATO, for actively and dynamically detecting and facing DoS attacks within a running IoT middleware, and a real prototype has been realized in order to validate the proposed method, by assessing different relevant parameters.

Journal ArticleDOI
TL;DR: A novel supervisory strategy is proposed based on the concept of packet reception rate, which can detect the behavior of a DoS attacker during a given time window and a co-design compensation mechanism is obtained that can guarantee the attacked system is stochastically stable or mean square exponentially ultimately bounded.

Journal ArticleDOI
TL;DR: This paper presents an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period, revealing several interesting findings about today's Internet DDoS attacks.
Abstract: Internet distributed denial of service (DDoS) attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most existing understanding is based on indirect traffic measures (e.g., backscatter) or traffic seen locally. In this paper, we present an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9026 victim IPs belonging to 1074 organizations in 186 countries. Our analysis reveals several interesting findings about today's Internet DDoS attacks. Some highlights include: 1) geolocation analysis shows that the geospatial distribution of the attacking sources follows certain patterns, which enables very accurate source prediction of future attacks for the most active botnet families; 2) from the target perspective, multiple attacks on the same target also exhibit strong patterns in inter-attack time interval, allowing accurate start-time prediction of the next anticipated attacks from certain botnet families; and 3) there is a trend for different botnets to launch DDoS attacks targeting the same victim, simultaneously or in turn. These findings add to the existing literature on the understanding of today's Internet DDoS attacks and offer new insights for designing new defense schemes at different levels.

Posted Content
TL;DR: The attack model for IoT systems is investigated, the IoT security solutions based on machine learning techniques including supervised learning, unsupervised learning and reinforcement learning are reviewed, and the challenges that need to be addressed are discussed.
Abstract: The Internet of things (IoT), which integrates a variety of devices into networks to provide advanced and intelligent services, has to protect user privacy and address attacks such as spoofing attacks, denial of service attacks, jamming and eavesdropping. In this article, we investigate the attack model for IoT systems, and review the IoT security solutions based on machine learning techniques including supervised learning, unsupervised learning and reinforcement learning. We focus on the machine learning based IoT authentication, access control, secure offloading and malware detection schemes to protect data privacy. We also discuss the challenges that need to be addressed to implement these machine learning based security schemes in practical IoT systems.

Journal ArticleDOI
TL;DR: This paper presents a detection system for HTTP DDoS attacks in a Cloud environment based on Information Theoretic Entropy and the Random Forest ensemble learning algorithm, and achieves satisfactory results.
Abstract: Cloud Computing services are often delivered through the HTTP protocol. This facilitates access to services and reduces costs for both providers and end-users. However, it also increases the exposure of Cloud services to HTTP DDoS attacks. HTTP request methods are often used to target web servers' vulnerabilities and create multiple HTTP DDoS attack scenarios, such as Low-and-Slow or Flooding attacks. Existing HTTP DDoS detection systems are challenged by the large volumes of network traffic generated by these attacks, low detection accuracy, and high false positive rates. In this paper, we present a detection system for HTTP DDoS attacks in a Cloud environment based on Information Theoretic Entropy and the Random Forest ensemble learning algorithm. A time-based sliding window algorithm is used to estimate the entropy of the network header features of the incoming network traffic. When the estimated entropy exceeds its normal range, the preprocessing and classification tasks are triggered. To assess the proposed approach, various experiments were performed on the CIDDS-001 public dataset. The proposed approach achieves satisfactory results with an accuracy of 99.54%, a FPR of 0.4%, and a running time of 18.5s.
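The entropy trigger described in that abstract, as an added Python example (not the paper's code, and not run on CIDDS-001): per-window Shannon entropy of a few HTTP header features, a normal range learned from benign windows, and a flag whenever a window leaves that range. The Random Forest stage that the paper runs on flagged windows is not shown. The feature set, the 5 s window, the k*sigma margin with a 0.5-bit floor, and the constructed trace (30 browsing clients, then a single-path GET flood from 200 bot IPs) are all assumptions made for the example.

```python
"""Sliding-window entropy trigger for HTTP DDoS detection (added example)."""
import bisect
import math
import random
import statistics
from collections import Counter

# Header features whose per-window entropy is tracked (assumed choice).
FEATURES = ("src_ip", "method", "path")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_entropies(records, width, step, t0=None):
    """Time-based sliding window over request records with a `ts` field.

    Returns a list of (start, end, count, {feature: entropy}) for each window
    [start, start + width); step < width gives overlapping windows.
    """
    records = sorted(records, key=lambda r: r["ts"])
    times = [r["ts"] for r in records]
    if not times:
        return []
    start = times[0] if t0 is None else t0
    out = []
    while start < times[-1]:
        end = start + width
        chunk = records[bisect.bisect_left(times, start):bisect.bisect_left(times, end)]
        ent = {f: shannon_entropy([r[f] for r in chunk]) for f in FEATURES}
        out.append((start, end, len(chunk), ent))
        start += step
    return out


def learn_baseline(benign_windows, k=4.0, floor=0.5):
    """Per-feature normal range mean +/- max(k*std, floor) bits from benign
    windows. k and floor are assumed tuning constants, not from the paper."""
    base = {}
    for f in FEATURES:
        vals = [w[3][f] for w in benign_windows]
        mu = statistics.fmean(vals)
        margin = max(k * statistics.pstdev(vals), floor)
        base[f] = (mu - margin, mu + margin)
    return base


def flag_windows(windows, baseline):
    """Windows whose entropy leaves the normal range of any feature; these are
    the windows the paper would hand to its classifier."""
    flagged = []
    for start, end, count, ent in windows:
        outside = [f for f in FEATURES if not baseline[f][0] <= ent[f] <= baseline[f][1]]
        if outside:
            flagged.append((start, end, count, outside))
    return flagged


def make_trace(seed=7):
    """Constructed request log (synthetic, not a real dataset): 40 s of benign
    browsing at 10 req/s from 30 client IPs, plus a GET flood of 100 req/s
    from 200 bot IPs against /login during seconds 30-40."""
    rng = random.Random(seed)
    users = [f"198.51.100.{i}" for i in range(1, 31)]
    paths = ["/", "/index.html", "/about", "/products", "/cart", "/login",
             "/search", "/api/items", "/static/app.js", "/static/style.css"]
    recs = [{"ts": i / 10 + rng.random() / 10, "src_ip": rng.choice(users),
             "method": "POST" if rng.random() < 0.2 else "GET",
             "path": rng.choice(paths)} for i in range(40 * 10)]
    bots = [f"203.0.113.{i}" for i in range(1, 201)]
    recs += [{"ts": 30 + i / 100 + rng.random() / 100, "src_ip": rng.choice(bots),
              "method": "GET", "path": "/login"} for i in range(10 * 100)]
    return recs


def run_demo(width=5.0, step=5.0, attack_start=30.0):
    """Learn the baseline on windows that end before the flood, then score all."""
    windows = window_entropies(make_trace(), width, step, t0=0.0)
    baseline = learn_baseline([w for w in windows if w[1] <= attack_start])
    return windows, baseline, flag_windows(windows, baseline)


if __name__ == "__main__":
    windows, baseline, flagged = run_demo()
    for f in FEATURES:
        print(f"{f:7s} normal range {baseline[f][0]:.2f}..{baseline[f][1]:.2f} bits")
    hits = {w[0]: w[3] for w in flagged}
    for start, end, count, ent in windows:
        mark = "FLAG " + ",".join(hits[start]) if start in hits else "ok"
        print(f"[{start:4.0f},{end:4.0f}) n={count:4d} " +
              " ".join(f"{f}={ent[f]:.2f}" for f in FEATURES) + f"  {mark}")
```

During the flood the path entropy collapses toward zero while the source-IP entropy jumps well above the benign range, so both flood windows trip the trigger; a slow-rate attack from a handful of sources would move neither much, which is why the paper pairs the trigger with a trained classifier rather than relying on entropy alone.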