Protecting web applications from DDoS attacks by an active distributed defense system

In the last a few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub-systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.

Distributed defense against distributed denial-of-service attacks

Distributed defense is a promising way to neutralize the distributed Denial-of-Service attacks by detecting and responding the attacking sources widespread around the Internet. Components of the distributed defense system will cooperate with each other to combat the attacks. Compared with the centralized defense systems, distributed defense systems can discover the attacks more timely from both source end and victim end, fight the attacks with more resources and take advantage of more flexible strategies. This paper investigates 7 distributed defense systems which make use of various strategies to mitigate the DDoS attacks. Different architectures are designed in these 7 systems to provide distributed DDoS defense solutions. We evaluate these systems in terms of deployment, detection, response, security, robustness and implementation. For each criteria, we give a recommendation on which technologies are best suitable for a successful distributed defense system based on the analysis result. Finally we propose our idea on the design of an effective distributed defense system.

A distributed active defense system against DDoS attacks

This thesis proposes a novel architecture of Distributed Active Defense System (DADS) against Distibuted Denial of Service (DDoS) attacks. Three sub-systems of DADS were built. For each sub-system corresponding algorithms were developed, prototypes implemented, criteria for evaluation were set up and experiments in both simulation and real network laboratory environments were carried out.

A defense system against DDoS attacks by large-scale IP traceback

In this paper, we present a new approach, called Flexible Deterministic Packet Marking (FDPM), to perform a large-scale IP traceback to defend against Distributed Denial of Service (DDoS) attacks. In a DDoS attack the victim host or network is usually attacked by a large number of spoofed IP packets coming from multiple sources. IP traceback is the ability to trace the IP packets to their sources without relying on the source address field of the IP header. FDPM provides many flexible features to trace the IP packets and can obtain better tracing capability than current IP traceback mechanisms, such as Probabilistic Packet Marking (PPM), and Deterministic Packet Marking (DPM). The flexibilities of FDPM are in two ways, one is that it can adjust the length of marking field according to the network protocols deployed; the other is that it can adjust the marking rate according to the load of participating routers. The implementation and evaluation demonstrates that the FDPM needs moderately only a small number of packets to complete the traceback process; and can successfully perform a large-scale IP traceback, for example, trace up to 110,000 sources in a single incident response. It has a built-in overload prevention mechanism, therefore this scheme can perform a good traceback process even it is heavily loaded.

Multi-core Defense System (MSDS) for protecting computer infrastructure against DDoS attacks

Distributed Denial of Service attacks is one of the most challenging areas to deal with in Security. Not only do security managers have to deal with flood and vulnerability attacks. They also have to consider whether they are from legitimate or malicious attackers. In our previous work we developed a framework called bodyguard, which is to help security software developers from the current serialized paradigm, to a multi-core paradigm. In this paper, we update our research work by moving our bodyguard paradigm, into our new Ubiquitous Multi-Core Framework. From this shift, we show a marked improvement from our previous result of 20% to 110% speedup performance with an average cost of 1.5 ms. We also conducted a second series of experiments, which we trained up Neural Network, and tested it against actual DDoS attack traffic. From these experiments, we were able to achieve an average of 93.36%, of this attack traffic.

Design of a distributed power system stabiliser

A new design method for a distributed power system stabiliser for interconnected power systems is introduced in this paper. The stabiliser is of a low order, dynamic and robust. To generate the required local control signals, each local stabiliser requires information about either the rotor speed or the load angle of the other subsystems. A simple MATLAB based design algorithm is given and used on a three-machine unstable power system. The resulting stabiliser is simulated and sample results are presented.

Design of a distributed power system stabiliser

A new design method for a distributed power system stabiliser for interconnected power systems is introduced in this paper. The stabiliser is of a low order, dynamic and robust. To generate the required local control signals, each local stabiliser requires information about either the rotor speed or the load angle of the other subsystems. A simple MATLAB based design algorithm is given and used on a three-machine unstable power system. The resulting stabiliser is simulated and sample results are presented.

Multi-core security defense system (MSDS)

Today's security program developers are not only facing an uphill battle of developing and implementing. But now have to take into consideration, the emergence of next generation of multi-core system, and its effect on security application design. In our previous work, we developed a framework called bodyguard. The objective of this framework was to help security software developers, shift from their use of serialized paradigm, to a multi-core paradigm. Working within this paradigm, we developed a security bodyguard system called Farmer. This abstract framework placed particular applications into categories, like security or multi-media, which were ran on separate core processors within the multi-core system. With further analysis of the bodyguard paradigm, we found that this paradigm was suitable to be used in other computer science areas, such as spam filtering and multi-media. In this paper, we update our research work within the bodyguard paradigm, and showed a marked improvement of 110% speedup performance with an average cost of 1.5 ms.

Programmer friendly and efficient distributed shared memory integrated into a distributed operating system

Distributed Shared Memory (DSM) provides programmers with a shared memory environment in systems where memory is not physically shared. Clusters of Workstations (COWs), an often untapped source of computing power, are characterised by a very low cost/performance ratio. The combination of Clusters of Workstations (COWs) with DSM provides an environment in which the programmer can use the well known approaches and methods of programming for physically shared memory systems and parallel processing can be carried out to make full use of the computing power and cost advantages of the COW. The aim of this research is to synthesise and develop a distributed shared memory system as an integral part of an operating system in order to provide application programmers with a convenient environment in which the development and execution of parallel applications can be done easily and efficiently, and which does this in a transparent manner. Furthermore, in order to satisfy our challenging design requirements we want to demonstrate that the operating system into which the DSM system is integrated should be a distributed operating system. In this thesis a study into the synthesis of a DSM system within a microkernel and client-server based distributed operating system which uses both strict and weak consistency models, with a write-invalidate and write-update based approach for consistency maintenance is reported. Furthermore a unique automatic initialisation system which allows the programmer to start the parallel execution of a group of processes with a single library call is reported. The number and location of these processes are determined by the operating system based on system load information. The DSM system proposed has a novel approach in that it provides programmers with a complete programming environment in which they are easily able to develop and run their code or indeed run existing shared memory code. A set of demanding DSM system design requirements are presented and the incentives for the placement of the DSM system with a distributed operating system and in particular in the memory management server have been reported. The new DSM system concentrated on an event-driven set of cooperating and distributed entities, and a detailed description of the events and reactions to these events that make up the operation of the DSM system is then presented. This is followed by a pseudocode form of the detailed design of the main modules and activities of the primitives used in the proposed DSM system. Quantitative results of performance tests and qualitative results showing the ease of programming and use of the RHODOS DSM system are reported. A study of five different application is given and the results of tests carried out on these applications together with a discussion of the results are given. A discussion of how RHODOS’ DSM allows programmers to write shared memory code in an easy to use and familiar environment and a comparative evaluation of RHODOS DSM with other DSM systems is presented. In particular, the ease of use and transparency of the DSM system have been demonstrated through the description of the ease with which a moderately inexperienced undergraduate programmer was able to convert, write and run applications for the testing of the DSM system. Furthermore, the description of the tests performed using physically shared memory shows that the latter is indistinguishable from distributed shared memory; this is further evidence that the DSM system is fully transparent. This study clearly demonstrates that the aim of the research has been achieved; it is possible to develop a programmer friendly and efficient DSM system fully integrated within a distributed operating system. It is clear from this research that client-server and microkernel based distributed operating system integrated DSM makes shared memory operations transparent and almost completely removes the involvement of the programmer beyond classical activities needed to deal with shared memory. The conclusion can be drawn that DSM, when implemented within a client-server and microkernel based distributed operating system, is one of the most encouraging approaches to parallel processing since it guarantees performance improvements with minimal programmer involvement.

Information provenance for open distributed collaborative system

In autonomously managed distributed systems for collaboration, provenance can facilitate reuse of information that are interchanged, repetition of successful experiments, or to provide evidence for trust mechanisms that certain information existed at a certain period during collaboration. In this paper, we propose domain independent information provenance architecture for open collaborative distributed systems. The proposed system uses XML for interchanging information and RDF to track information provenance. The use of XML and RDF also ensures that information is universally acceptable even among heterogeneous nodes. Our proposed information provenance model can work on any operating systems or workflows.

Viral RNA silencing suppressors (RSS) : novel strategy of viruses to ablate the host RNA interference (RNAi) defense system

Pathogenic viruses have developed a molecular defense arsenal for their survival by counteracting the host anti-viral system known as RNA interference (RNAi). Cellular RNAi, in addition to regulating gene expression through microRNAs, also serves as a barrier against invasive foreign nucleic acids. RNAi is conserved across the biological species, including plants, animals and invertebrates. Viruses in turn, have evolved mechanisms that can counteract this anti-viral defense of the host. Recent studies of mammalian viruses exhibiting RNA silencing suppressor (RSS) activity have further advanced our understanding of RNAi in terms of host–virus interactions. Viral proteins and non-coding viral RNAs can inhibit the RNAi (miRNA/siRNA) pathway through different mechanisms. Mammalian viruses having dsRNA-binding regions and GW/WG motifs appear to have a high chance of conferring RSS activity. Although, RSSs of plant and invertebrate viruses have been well characterized, mammalian viral RSSs still need in-depth investigations to present the concrete evidences supporting their RNAi ablation characteristics. The information presented in this review together with any perspective research should help to predict and identify the RSS activity-endowed new viral proteins that could be the potential targets for designing novel anti-viral therapeutics.

Experiences gained from building a services-based distributed operating system

The goal of this paper is to present the experiences gained over 15 years of research into the design and development of a services-based distributed operating system. The lessons learnt over this period, we hope, will be of value to researchers involved in the design and development of operating systems that wish to harness the collective resources of ever-expanding distributed systems.

Effects of omega-3 PUFA on the vitamin E and glutathione antioxidant defense system in individuals at ultra-high risk of psychosis

BACKGROUND: Oxidative stress and impaired antioxidant defenses are reported in schizophrenia and are associated with disturbed neurodevelopment, brain structural alterations, glutamatergic imbalance, increased negative symptoms, and cognitive impairment. There is evidence that oxidative stress predates the onset of acute psychotic illness. Here, we investigate the effects of omega-3 PUFA on the vitamin E and glutathione antioxidant defense system (AODS). METHOD: In 64 help-seeking UHR-individuals (13-25 years of age), vitamin E levels and glutathione were investigated before and after 12 weeks of treatment with either 1.2g/d omega-3 (PUFA-E) or saturated fatty acids (SFA-E), with each condition also containing 30.4mg/d alpha-tocopherol to ensure absorption without additional oxidative risk. RESULTS: In multivariate tests, the effects on the AODS (alpha-tocopherol, total glutathione) were not significantly different (p=0.13, p=0.11, respectively) between treatment conditions. According to univariate findings, only PUFA-E caused a significant alpha-tocopherol increase, while PUFA-E and SFA-E caused a significant gamma- and delta-tocopherol decrease. Total glutathione (GSHt) was decreased by PUFA-E supplementation. CONCLUSION: Effects of the PUFA-E condition on the vitamin E and glutathione AODS could be mechanisms underlying its clinical effectiveness. In terms of the vitamin E protection system, PUFA-E seems to directly support the antioxidative defense at membrane level. The effect of PUFA-E on GSHt is not yet fully understood, but could reflect antioxidative effects, resulting in decreased demand for glutathione. It is still necessary to further clarify which type of PUFA/antioxidant combination, and in which dose, is effective at each stage of psychotic illness.

Protect grids from DDoS attacks

Recently a number of highly publicised incidents of Distributed Denial of Service (DDoS) attacks have made people aware of the importance of providing available securely the grids’ data and services to users. This paper introduces the vulnerability of grids to DDoS attacks, and proposes a distributed defense system that has a mixture deployment of sub-systems to protect grids from DDoS attacks. According to the simulation experiments, this system is effective to defend grids against attacks. It can avoid overall network congestion and provide more resources to legitimate grid users.