Flexible deterministic packet marking: an IP traceback system to find the real source of attacks

Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic. It has a wide array of applications for other security systems.

Defending grid web services from XDoS attacks by SOTA

Grid Web Services are still relevantly a new to business systems, and as more systems are being attached to it, any threat to it could bring collapse and huge harm. Some of these potential threats to Grid Web services come in a new form of a new denial of service attack (DoS), called XML Denial of Service or XDOS attacks. Though, as yet, there have not been any reported attacks from the media, we have observed these attacks are actually far less complex to implement than any previous Denial of Service (DoS), but still just as affective. Current security applications for grid web services (WS-Security for example), based on our observations, and are not up to job of handling the problem. In this paper, we build on our previous work called Service Oriented Traceback Architecture (SOTA), and apply our model to Grid Networks that employ web services. We further introduce a filter defence system, called XDetector, to work in combination with SOTA. Our results show that SOTA in conjunction with XDetector makes for an effective defence against XDoS attacks and upcoming DXDoS.

Distinguishing DDoS attacks from flash crowds using probability metrics

Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic, however Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these mathods can not only distinguish DDoS attacks from Flash crowds clearly, but also can distinguish the anomaly flow being DDoS attacks flow or being Flash crowd flow from Normal network flow effectively. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

Effective DDoS attacks detection using generalized entropy metric

In information theory, entropies make up of the basis for distance and divergence measures among various probability densities. In this paper we propose a novel metric to detect DDoS attacks in networks by using the function of order α of the generalized (Rényi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively. Our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order α=2, and two hops earlier to detect attacks while order α=10.) but also reduce both the false positive rate and the false negative rate clearly compared with the traditional Shannon entropy metric approach.

Beyond the separation of powers : judicial review and the regulatory proscription of terrorist organisations

Administrative law remains the key defence against an over-zealous executive arm of government, but administrative law needs to be understood in an international context. Perhaps nowhere is this more apparent than in relation to legislation designed to counter terrorist activities. The co-ordination of terrorist activities knows no borders, and state-centered executive action designed to address the threat of terrorism necessarily operates in a broader global environment. An important but controversial part of Australia's counter-terrorism legislation suite is the power to proscribe terrorist organisations. The authors contend that the scope of judicial review available in relation to decisions of the Commonwealth executive to proscribe terrorist organisations is inadequate and may jeapordise Australia's compliance with international standards, such as those provided in the International Covenant on Civil and Political Rights. Now is an opportune time to reassess the structure and operation of the power to proscribe organisations in Australia.

A microscopic competition model and its dynamics analysis on network attacks

Modeling network traffic has been a critical task in the development of Internet. Attacks and defense are prevalent in the current Internet. Traditional network models such as Poisson-related models do not consider the competition behaviors between the attack and defense parties. In this paper, we present a microscopic competition model to analyze the dynamics among the nodes, benign or malicious, connected to a router, which compete for the bandwidth. The dynamics analysis demonstrates that the model can well describe the competition behavior among normal users and attackers. Based on this model, an anomaly attack detection method is presented. The method is based on the adaptive resonance theory, which is used to learn the model by normal traffic data. The evaluation shows that it can effectively detect the network attacks.

Traceback of DDoS attacks using entropy variations

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantagesit is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

CALD : surviving various application-layer DDoS attacks that mimic flash crowd

Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when suchattacks mimic or occur during the flash crowd event of a popular Website. In this paper, we present the design and implementation of CALD, an architectural extension to protect Web servers against various DDoS attacks that masquerade as flash crowds. CALD provides real-time detection using mess tests but is different from other systems that use resembling methods. First, CALD uses a front-end sensor to monitor thetraffic that may contain various DDoS attacks or flash crowds. Intense pulse in the traffic means possible existence of anomalies because this is the basic property of DDoS attacks and flash crowds. Once abnormal traffic is identified, the sensor sends ATTENTION signal to activate the attack detection module. Second, CALD dynamically records the average frequency of each source IP and check the total mess extent. Theoretically, the mess extent of DDoS attacks is larger than the one of flash crowds. Thus, with some parameters from the attack detection module, the filter is capable of letting the legitimate requests through but the attack traffic stopped. Third, CALD may divide the security modules away from the Web servers. As a result, it keeps maximum performance on the kernel web services, regardless of the harassment from DDoS. In the experiments, the records from www.sina.com and www.taobao.com have proved the value of CALD.

Echo hiding based stereo audio watermarking against pitch-scaling attacks

In audio watermarking, the robustness against pitch-scaling attack, is one of the most challenging problems. In this paper, we propose an algorithm, based on traditional time-spread(TS) echo hiding based audio watermarking to solve this problem. In TS echo hiding based watermarking, pitch-scaling attack shifts the location of pseudonoise (PN) sequence which appears in the cepstrum domain. Thus, position of the peak, which occurs after correlating with PN-sequence changes by an un-known amount and that causes the error. In the proposed scheme, we replace PN-sequence with unit-sample sequence and modify the decoding algorithm in such a way it will not depend on a particular point in cepstrum domain for extraction of watermark. Moreover proposed algorithm is applied to stereo audio signals to further improve the robustness. Experimental results illustrate the effectiveness of the proposed algorithm against pitch-scaling attacks compared to existing methods. In addition to that proposed algorithm also gives better robustness against other conventional signal processing attacks.

Browsing behavior mimicking attacks on popular web sites for large botnets

With the significant growth of botnets, application layer DDoS attacks are much easier to launch using large botnet, and false negative is always a problem for intrusion detection systems in real practice. In this paper, we propose a novel application layer DDoS attack tool, which mimics human browsing behavior following three statistical distributions, the Zipf-like distribution for web page popularity, the Pareto distribution for page request time interval for an individual browser, and the inverse Gaussian distribution for length of browsing path. A Markov model is established for individual bot to generate attack request traffic. Our experiments indicated that the attack traffic that generated by the proposed tool is pretty similar to the real traffic. As a result, the current statistics based detection algorithms will result high false negative rate in general. In order to counter this kind of attacks, we discussed a few preliminary solutions at the end of this paper.

Defending against large-scale and coordinated attacks in the ubiquitous environments

Ubiquitous computing is an exciting paradigm shift where technology becomes virtually invisible in our lives. In the increasingly interconnected world, threats to our daily lives can come from unexpected sources and universal directions. Criminals and terrorists have recognized the value of leveraging the ubiquitous computing environments to facilitate the commission of crimes. The cyber criminals typically launch different forms of large-scale and coordinated attacks, causing huge financial loss and potential life hazard. In this talk, we report two innovative approaches to defend against large-scale and coordinated attacks in the ubiquitous environments: 1) Inferring the cyber crime's intent through network traffic classification to enable the early warning of potential attacks, and 2) Profiling the large-scale and coordinated cyber attacks through both microscopic and macroscopic modeling to provide better control of such attacks. These approaches are effective in finding weak symptoms caused by the attacks thus can successfully defend against the large-scale and coordinated attacks at their early stages.

Discriminating DDoS attacks from flash crowds using flow correlation coefficient

Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice.

Predicted packet padding for anonymous web browsing against traffic analysis attacks

Anonymous communication has become a hot research topic in order to meet the increasing demand for web privacy protection. However, there are few such systems which can provide high level anonymity for web browsing. The reason is the current dominant dummy packet padding method for anonymization against traffic analysis attacks. This method inherits huge delay and bandwidth waste, which inhibits its use for web browsing. In this paper, we propose a predicted packet padding strategy to replace the dummy packet padding method for anonymous web browsing systems. The proposed strategy mitigates delay and bandwidth waste significantly on average. We formulated the traffic analysis attack and defense problem, and defined a metric, cost coefficient of anonymization (CCA), to measure the performance of anonymization. We thoroughly analyzed the problem with the characteristics of web browsing and concluded that the proposed strategy is better than the current dummy packet padding strategy in theory. We have conducted extensive experiments on two real world data sets, and the results confirmed the advantage of the proposed method.