Keynote : Detection of and defense against distributed denial-of-service (DDoS) attacks

Distributed denial-of-service (DDoS) attacks typically exhaust bandwidth, processing capacity, or memory of a targeted machine, service or network. Despite enormous efforts in combating DDoS attacks in the past decade, DDoS attacks are still a serious threat to the security of cyberspace. In this talk I shall outline the recent efforts of my research group in detection of and defence against DDoS attacks. In particular, this talk will concentrate on the following three critical issues related to DDoS attacks: (1) Traceback of DDoS attacks; (2) Detection of low-rate DDoS attacks; and (3) Discriminating DDoS attacks from flash crowds.

Zero permission android applications - attacks and defenses

Google advertises the Android permission framework as one of the core security features present on its innovative and flexible mobile platform. The permissions are a means to control access to restricted AP/s and system resources. However, there are Android applications which do not request permissions at all.In this paper, we analyze the repercussions of installing an Android application that does not include any permission and the types of sensitive information that can be accessed by such an application. We found that even app/icaaons with no permissions are able to access sensitive information (such the device ID) and transmit it to third-parties.

Resisting web proxy-based HTTP attacks by temporal and spatial locality behavior

A novel server-side defense scheme is proposed to resist the Web proxy-based distributed denial of service attack. The approach utilizes the temporal and spatial locality to extract the behavior features of the proxy-to-server traffic, which makes the scheme independent of the traffic intensity and frequently varying Web contents. A nonlinear mapping function is introduced to protect weak signals from the interference of infrequent large values. Then, a new hidden semi-Markov model parameterized by Gaussian-mixture and Gamma distributions is proposed to describe the time-varying traffic behavior of Web proxies. The new method reduces the number of parameters to be estimated, and can characterize the dynamic evolution of the proxy-to-server traffic rather than the static statistics. Two diagnosis approaches at different scales are introduced to meet the requirement of both fine-grained and coarse-grained detection. Soft control is a novel attack response method proposed in this work. It converts a suspicious traffic into a relatively normal one by behavior reshaping rather than rudely discarding. This measure can protect the quality of services of legitimate users. The experiments confirm the effectiveness of the proposed scheme.

Developing an empirical algorithm for protecting text-based CAPTCHAs against segmentation attacks

In this paper, we aim to provide an effective and efficient method to generate text-based Captchas which are resilient against segmentation attack. Different to the popular industry practice of using very simple color schemes, we advocate to use multiple colors in our Captchas. We adopt the idea of brush and canvas when coloring our Captchas. Furthermore, we choose to use simple accumulating functions to achieve diffusion on painted colors and DES encryption to achieve a good level of confusion on the brush pattern. To facilitate ordinary users and developers, we propose an empirical algorithm with support of Taguchi method to guarantee the quality of the chosen color schemes. Our proposed methodology has at least three advantages — 1) the settings of color schemes can be fully customized by the user or developer; 2) the quality of selected colors have desirable statistical features that are ensured by Taguchi method; 3) the algorithm can be fully automated into computer programs. Moreover, our included examples and experiments prove the practicality and validity of our algorithm.

Attacks on humans by Australian Magpies (Cracticus tibicen): Territoriality, brood-defence or testosterone?

Attacks on humans by Australian Magpies (Cracticus tibicen) are a significant human-wildlife conflict in Australia, especially in suburban environments. Remarkably little is known about the phenomenon. In this study, we explored three common hypotheses - territoriality, brood-defence and testosterone - as potential and non-exclusive explanations for aggression directed at people by Magpies living in suburban areas of Brisbane, south-eastern Queensland. The response of 10 pairs of aggressive Magpies to natural levels of human intrusion was compared with that of 10 non-aggressive pairs. Behavioural observations strongly supported the contention that attacks on humans resemble brood-defence and did not support an association with territoriality. The study also found no support for the suggestion that testosterone levels correlated with aggressiveness towards humans: male testosterone peaked immediately before laying and was significantly lower during the maximum period of attacks directed at people. Moreover, there were no differences in the testosterone levels of aggressive and non-aggressive male Magpies. The pattern of testosterone production over a breeding cycle closely resembled that of many other songbirds and appeared not to influence Magpie attacks on humans. © Royal Australasian Ornithologists Union 2010.

Patchwork-based audio watermarking method robust to de-synchronization attacks

This paper presents a patchwork-based audio watermarking method to resist de-synchronization attacks such as pitch-scaling, time-scaling, and jitter attacks. At the embedding stage, the watermarks are embedded into the host audio signal in the discrete cosine transform (DCT) domain. Then, a set of synchronization bits are implanted into the watermarked signal in the logarithmic DCT (LDCT) domain. At the decoding stage, we analyze the received audio signal in the LDCT domain to find the scaling factor imposed by an attack. Then, we modify the received signal to remove the scaling effect, together with the embedded synchronization bits. After that, watermarks are extracted from the modified signal. Simulation results show that at the embedding rate of 10 bps, the proposed method achieves 98.9% detection rate on average under the considered de-synchronization attacks. At the embedding rate of 16 bps, it can still obtain 94.7% detection rate on average. So, the proposed method is much more robust to de-synchronization attacks than other patchwork watermarking methods. Compared with the audio watermarking methods designed for tackling de-synchronization attacks, our method has much higher embedding capacity.

Defense against packet dropping attacks in opportunistic networks

Opportunistic networks (OppNets) are an interesting topic that are seen to have a promising future. Many protocols have been developed to accommodate the features of OppNets such as frequent partitions, long delays, and no end-to-end path between the source and destination nodes. Embedding security into these protocols is challenging and has taken a lot of attention in research. One of the attacks that OppNets are exposed to is the packet dropping attack, where the malicious node attempts to drop some packets and forwards an incomplete number of packets which results in the distortion of the message. To increase the security levels in OppNets, this paper presents an algorithm developed to detect packet dropping attacks, and finds the malicious node that attempted the attack. The algorithm detects the attack by using an indicative field in the header section of each packet; the indicative field has 3 sub fields - the identification field, the flag field, and the offset field. These 3 fields are used to find if a node receives the complete original number of packets from the previous node. The algorithm will have the advantage of detecting packets dropped by each intermediate node, this helps solve the difficulties of finding malicious nodes by the destination node only.

Detection and defense of application-layer DDoS attacks in backbone web traffic

Web servers are usually located in a well-organized data center where these servers connect with the outside Internet directly through backbones. Meanwhile, the application-layer distributed denials of service (AL-DDoS) attacks are critical threats to the Internet, particularly to those business web servers. Currently, there are some methods designed to handle the AL-DDoS attacks, but most of them cannot be used in heavy backbones. In this paper, we propose a new method to detect AL-DDoS attacks. Our work distinguishes itself from previous methods by considering AL-DDoS attack detection in heavy backbone traffic. Besides, the detection of AL-DDoS attacks is easily misled by flash crowd traffic. In order to overcome this problem, our proposed method constructs a Real-time Frequency Vector (RFV) and real-timely characterizes the traffic as a set of models. By examining the entropy of AL-DDoS attacks and flash crowds, these models can be used to recognize the real AL-DDoS attacks. We integrate the above detection principles into a modularized defense architecture, which consists of a head-end sensor, a detection module and a traffic filter. With a swift AL-DDoS detection speed, the filter is capable of letting the legitimate requests through but the attack traffic is stopped. In the experiment, we adopt certain episodes of real traffic from Sina and Taobao to evaluate our AL-DDoS detection method and architecture. Compared with previous methods, the results show that our approach is very effective in defending AL-DDoS attacks at backbones. © 2013 Elsevier B.V. All rights reserved.

Can we beat DDoS attacks in clouds?

Cloud is becoming a dominant computing platform. Naturally, a question that arises is whether we can beat notorious DDoS attacks in a cloud environment. Researchers have demonstrated that the essential issue of DDoS attack and defense is resource competition between defenders and attackers. A cloud usually possesses profound resources and has full control and dynamic allocation capability of its resources. Therefore, cloud offers us the potential to overcome DDoS attacks. However, individual cloud hosted servers are still vulnerable to DDoS attacks if they still run in the traditional way. In this paper, we propose a dynamic resource allocation strategy to counter DDoS attacks against individual cloud customers. When a DDoS attack occurs, we employ the idle resources of the cloud to clone sufficient intrusion prevention servers for the victim in order to quickly filter out attack packets and guarantee the quality of the service for benign users simultaneously. We establish a mathematical model to approximate the needs of our resource investment based on queueing theory. Through careful system analysis and real-world data set experiments, we conclude that we can defeat DDoS attacks in a cloud environment. © 2013 IEEE.

Cyber attacks against supply chain management systems: A short note

Supply chain management (SCM) is increasingly dependent on electronic systems. At the same time, the vulnerability of these systems to attack from malicious individuals or groups is growing. This paper examines some of the forms such attacks can take, and their relevance to the supply function. Provides examples of attacks. Concludes that companies should consider the security aspects of electronic commerce before developing their systems. © MCB University Press.