A distributed active defense system against DDoS attacks

This thesis proposes a novel architecture of Distributed Active Defense System (DADS) against Distibuted Denial of Service (DDoS) attacks. Three sub-systems of DADS were built. For each sub-system corresponding algorithms were developed, prototypes implemented, criteria for evaluation were set up and experiments in both simulation and real network laboratory environments were carried out.

Detection on application layer DDoS using random walk model

Application Layer Distributed Denial of Service (ALDDoS) attacks have been increasing rapidly with the growth of Botnets and Ubiquitous computing. Differentiate to the former DDoS attacks, ALDDoS attacks cannot be efficiently detected, as attackers always adopt legitimate requests with real IP address, and the traffic has high similarity to legitimate traffic. In spite of that, we think, the attackers' browsing behavior will have great disparity from that of the legitimate users'. In this paper, we put forward a novel user behavior-based method to detect the application layer asymmetric DDoS attack. We introduce an extended random walk model to describe user browsing behavior and establish the legitimate pattern of browsing sequences. For each incoming browser, we observe his page request sequence and predict subsequent page request sequence based on random walk model. The similarity between the predicted and the observed page request sequence is used as a criterion to measure the legality of the user, and then attacker would be detected based on it. Evaluation results based on real collected data set has demonstrated that our method is very effective in detecting asymmetric ALDDoS attacks. © 2014 IEEE.

Extensions of the cube attack based on low degree annihilators

At Crypto 2008, Shamir introduced a new algebraic attack called the cube attack, which allows us to solve black-box polynomials if we are able to tweak the inputs by varying an initialization vector. In a stream cipher setting where the filter function is known, we can extend it to the cube attack with annihilators: By applying the cube attack to Boolean functions for which we can find low-degree multiples (equivalently annihilators), the attack complexity can be improved. When the size of the filter function is smaller than the LFSR, we can improve the attack complexity further by considering a sliding window version of the cube attack with annihilators. Finally, we extend the cube attack to vectorial Boolean functions by finding implicit relations with low-degree polynomials.

Security analysis of the non-aggressive challenge response of the DNP3 Protocol using a CPN Model

Distributed Network Protocol Version 3 (DNP3) is the de-facto communication protocol for power grids. Standard-based interoperability among devices has made the protocol useful to other infrastructures such as water, sewage, oil and gas. DNP3 is designed to facilitate interaction between master stations and outstations. In this paper, we apply a formal modelling methodology called Coloured Petri Nets (CPN) to create an executable model representation of DNP3 protocol. The model facilitates the analysis of the protocol to ensure that the protocol will behave as expected. Also, we illustrate how to verify and validate the behaviour of the protocol, using the CPN model and the corresponding state space tool to determine if there are insecure states. With this approach, we were able to identify a Denial of Service (DoS) attack against the DNP3 protocol.

INFO6003: Network Security: DDoS

A run through various aspects of Distributed Denial of Service attacks

Distinguishing DDoS attacks from flash crowds using probability metrics

Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic, however Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these mathods can not only distinguish DDoS attacks from Flash crowds clearly, but also can distinguish the anomaly flow being DDoS attacks flow or being Flash crowd flow from Normal network flow effectively. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

Resisting web proxy-based HTTP attacks by temporal and spatial locality behavior

A novel server-side defense scheme is proposed to resist the Web proxy-based distributed denial of service attack. The approach utilizes the temporal and spatial locality to extract the behavior features of the proxy-to-server traffic, which makes the scheme independent of the traffic intensity and frequently varying Web contents. A nonlinear mapping function is introduced to protect weak signals from the interference of infrequent large values. Then, a new hidden semi-Markov model parameterized by Gaussian-mixture and Gamma distributions is proposed to describe the time-varying traffic behavior of Web proxies. The new method reduces the number of parameters to be estimated, and can characterize the dynamic evolution of the proxy-to-server traffic rather than the static statistics. Two diagnosis approaches at different scales are introduced to meet the requirement of both fine-grained and coarse-grained detection. Soft control is a novel attack response method proposed in this work. It converts a suspicious traffic into a relatively normal one by behavior reshaping rather than rudely discarding. This measure can protect the quality of services of legitimate users. The experiments confirm the effectiveness of the proposed scheme.

An analytical model for optimal spectrum leasing under constraints of quality of service in CRNs

Cognitive radio improves spectrum efficiency and mitigates spectrum scarcity by allowing cognitive users to opportunistically access idle chunks of the spectrum owned by licensed users. In long-term spectrum leasing markets, secondary network operators make a decision about how much spectrum is optimal to fulfill their users' data transmission requirements. We study this optimization problem in multiple channel scenarios. Under the constrains of expected user admission rate and quality of service, we model the secondary network into a dynamic data transportation system. In this system, the spectrum accesses of both primary users and secondary users are in accordance with stochastic processes, respectively. The main metrics of quality of service we are concerned with include user admission rate, average transmission delay and stability of the delay. To quantify the relationship between spectrum provisioning and quality of service, we propose an approximate analytical model. We use the model to estimate the lower and upper bounds of the optimal amount of the spectrum. The distance between the bounds is relatively narrow. In addition, we design a simple algorithm to compute the optimum by using the bounds. We conduct numerical simulations on a slotted multiple channel dynamic spectrum access network model. Simulation results demonstrate the preciseness of the proposed model. Our work sheds light on the design of game and auction based dynamic spectrum sharing mechanisms in cognitive radio networks.

Sicurezza di rete, analisi del traffico e monitoraggio.

Il lavoro è stato suddiviso in tre macro-aree. Una prima riguardante un'analisi teorica di come funzionano le intrusioni, di quali software vengono utilizzati per compierle, e di come proteggersi (usando i dispositivi che in termine generico si possono riconoscere come i firewall). Una seconda macro-area che analizza un'intrusione avvenuta dall'esterno verso dei server sensibili di una rete LAN. Questa analisi viene condotta sui file catturati dalle due interfacce di rete configurate in modalità promiscua su una sonda presente nella LAN. Le interfacce sono due per potersi interfacciare a due segmenti di LAN aventi due maschere di sotto-rete differenti. L'attacco viene analizzato mediante vari software. Si può infatti definire una terza parte del lavoro, la parte dove vengono analizzati i file catturati dalle due interfacce con i software che prima si occupano di analizzare i dati di contenuto completo, come Wireshark, poi dei software che si occupano di analizzare i dati di sessione che sono stati trattati con Argus, e infine i dati di tipo statistico che sono stati trattati con Ntop. Il penultimo capitolo, quello prima delle conclusioni, invece tratta l'installazione di Nagios, e la sua configurazione per il monitoraggio attraverso plugin dello spazio di disco rimanente su una macchina agent remota, e sui servizi MySql e DNS. Ovviamente Nagios può essere configurato per monitorare ogni tipo di servizio offerto sulla rete.

Increased availability and scalability for clustered services via the wait time calculation, trust based filtering and redirection of TCP connection requests

The paper describes two new transport layer (TCP) options and an expanded transport layer queuing strategy that facilitate three functions that are fundamental to the dispatching-based clustered service. A transport layer option has been developed to facilitate. the use of client wait time data within the service request processing of the cluster. A second transport layer option has been developed to facilitate the redirection of service requests by the cluster dispatcher to the cluster processing member. An expanded transport layer service request queuing strategy facilitates the trust based filtering of incoming service requests so that a graceful degradation of service delivery may be achieved during periods of overload - most dramatically evidenced by distributed denial of service attacks against the clustered service. We describe how these new options and queues have been implemented and successfully tested within the transport layer of the Linux kernel.

Detecting Botnets Through Log Correlation

Botnets, which consist of thousands of compromised machines, can cause a significant threat to other systems by launching Distributed Denial of Service attacks, keylogging, and backdoors. In response to this threat, new effective techniques are needed to detect the presence of botnets. In this paper, we have used an interception technique to monitor Windows Application Programming Interface system calls made by communication applications. Existing approaches for botnet detection are based on finding bot traffic patterns. Our approach does not depend on finding patterns but rather monitors the change of behaviour in the system. In addition, we will present our idea of detecting botnet based on log correlations from different hosts.

Intrusion Detection System for Network Security in Synchrophasor Systems

Synchrophasor systems will play a crucial role in next generation Smart Grid monitoring, protection and control. However these systems also introduce a multitude of potential vulnerabilities from malicious and inadvertent attacks, which may render erroneous operation or severe damage. This paper proposes a Synchrophasor Specific Intrusion Detection System (SSIDS) for malicious cyber attack and unintended misuse. The SSIDS comprises a heterogeneous whitelist and behavior-based approach to detect known attack types and unknown and so-called ‘zero-day’ vulnerabilities and attacks. The paper describes reconnaissance, Man-in-the-Middle (MITM) and Denial-of-Service (DoS) attack types executed against a practical synchrophasor system which are used to validate the real-time effectiveness of the proposed SSIDS cyber detection method.

Mutual authentication with malware protection for a RFID system

Radio Frequency Identification (RFID) system is a remote identification technology which is taking the place of barcodes to become electronic tags of an object. However, its radio transmission nature is making it vulnerable in terms of security. Recently, research proposed that an RFID tag can contain malicious code which might spread viruses, worms and other exploits to middleware and back-end systems. This paper is proposing a framework which will provide protection from malware and ensure the data privacy of a tag. The framework will use a sanitization technique with a mutual authentication in the reader level. This will ensure that any malicious code in the tag is identified. If the tag is infected by malicious code it will stop execution of the code in the RFIF system. Here shared unique parameters are used for authentication. It will be capable of protecting an RFID system from denial of service (DOS) attack, forward security and rogue reader better than existing protocols. The framework is introducing a layer concept on a smart reader to reduce coupling between different tasks. Using this framework, the RFID system will be protected from malware and also the privacy of the tag will be ensured.

Cluster scheduling and load balancing via TCP options

This paper describes an experiment in designing, implementing and testing a Transport layer cluster scheduling and dispatching architecture. The motivation for the experiment was the hypothesis that a Transport layer clustering solution may offer advantantages over the existing industry-standard Network layer and Data Link Layer approaches. The critical success factors initially established to guide and evaluate the experiment were reduced dispatcher work load, reduced dispatcher internal state memory requirements, distributed denial of service resilience, and cluster software design simplicity. The functional design stage of the experiment produced a Transport layer strategy for scheduling and load balancing based on the specification of two new TCP options. Implementation required the introduction of the newly specified TCP options into the Linux (2.4) kernel. The implementation produced an extended Linux Socket API to facilitate user-process access to the additional TCP capability. The testing stage of the experiment confirmed the operational efficiency of the solution.