984 results for Piranha attacks





Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic; however, Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these methods can not only distinguish DDoS attacks from Flash crowds clearly, but can also effectively distinguish an anomalous flow, whether a DDoS attack flow or a Flash crowd flow, from Normal network flow. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.





In information theory, entropies make up the basis for distance and divergence measures among various probability densities. In this paper we propose a novel metric to detect DDoS attacks in networks by using the function of order α of the generalized (Rényi) entropy to distinguish DDoS attack traffic from legitimate network traffic effectively. Our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than the Shannon metric when order α=2, and two hops earlier when order α=10) but also clearly reduce both the false positive rate and the false negative rate compared with the traditional Shannon entropy metric approach.





Modeling network traffic has been a critical task in the development of the Internet. Attacks and defense are prevalent in the current Internet. Traditional network models such as Poisson-related models do not consider the competition behaviors between the attack and defense parties. In this paper, we present a microscopic competition model to analyze the dynamics among the nodes, benign or malicious, connected to a router, which compete for the bandwidth. The dynamics analysis demonstrates that the model can well describe the competition behavior among normal users and attackers. Based on this model, an anomaly attack detection method is presented. The method is based on adaptive resonance theory, which is used to learn the model from normal traffic data. The evaluation shows that it can effectively detect network attacks.





Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages: it is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.





Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. In this paper, we present the design and implementation of CALD, an architectural extension to protect Web servers against various DDoS attacks that masquerade as flash crowds. CALD provides real-time detection using mess tests but is different from other systems that use resembling methods. First, CALD uses a front-end sensor to monitor the traffic that may contain various DDoS attacks or flash crowds. An intense pulse in the traffic means possible existence of anomalies because this is the basic property of DDoS attacks and flash crowds. Once abnormal traffic is identified, the sensor sends an ATTENTION signal to activate the attack detection module. Second, CALD dynamically records the average frequency of each source IP and checks the total mess extent. Theoretically, the mess extent of DDoS attacks is larger than that of flash crowds. Thus, with some parameters from the attack detection module, the filter is capable of letting the legitimate requests through while stopping the attack traffic. Third, CALD may divide the security modules away from the Web servers. As a result, it keeps maximum performance on the kernel web services, regardless of the harassment from DDoS. In the experiments, the records from www.sina.com and www.taobao.com have proved the value of CALD.





In audio watermarking, robustness against the pitch-scaling attack is one of the most challenging problems. In this paper, we propose an algorithm, based on traditional time-spread (TS) echo hiding based audio watermarking, to solve this problem. In TS echo hiding based watermarking, the pitch-scaling attack shifts the location of the pseudonoise (PN) sequence which appears in the cepstrum domain. Thus, the position of the peak, which occurs after correlating with the PN-sequence, changes by an unknown amount, and that causes the error. In the proposed scheme, we replace the PN-sequence with a unit-sample sequence and modify the decoding algorithm in such a way that it will not depend on a particular point in the cepstrum domain for extraction of the watermark. Moreover, the proposed algorithm is applied to stereo audio signals to further improve the robustness. Experimental results illustrate the effectiveness of the proposed algorithm against pitch-scaling attacks compared to existing methods. In addition, the proposed algorithm also gives better robustness against other conventional signal processing attacks.





With the significant growth of botnets, application layer DDoS attacks are much easier to launch using a large botnet, and false negatives are always a problem for intrusion detection systems in real practice. In this paper, we propose a novel application layer DDoS attack tool, which mimics human browsing behavior following three statistical distributions: the Zipf-like distribution for web page popularity, the Pareto distribution for page request time interval for an individual browser, and the inverse Gaussian distribution for length of browsing path. A Markov model is established for an individual bot to generate attack request traffic. Our experiments indicated that the attack traffic generated by the proposed tool is pretty similar to the real traffic. As a result, the current statistics based detection algorithms will result in a high false negative rate in general. In order to counter this kind of attack, we discussed a few preliminary solutions at the end of this paper.





Ubiquitous computing is an exciting paradigm shift where technology becomes virtually invisible in our lives. In the increasingly interconnected world, threats to our daily lives can come from unexpected sources and universal directions. Criminals and terrorists have recognized the value of leveraging the ubiquitous computing environments to facilitate the commission of crimes. The cyber criminals typically launch different forms of large-scale and coordinated attacks, causing huge financial loss and potential life hazard. In this talk, we report two innovative approaches to defend against large-scale and coordinated attacks in the ubiquitous environments: 1) Inferring the cyber crime's intent through network traffic classification to enable the early warning of potential attacks, and 2) Profiling the large-scale and coordinated cyber attacks through both microscopic and macroscopic modeling to provide better control of such attacks. These approaches are effective in finding weak symptoms caused by the attacks thus can successfully defend against the large-scale and coordinated attacks at their early stages.





Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice.





Anonymous communication has become a hot research topic in order to meet the increasing demand for web privacy protection. However, there are few such systems which can provide high level anonymity for web browsing. The reason is the current dominant dummy packet padding method for anonymization against traffic analysis attacks. This method inherits huge delay and bandwidth waste, which inhibits its use for web browsing. In this paper, we propose a predicted packet padding strategy to replace the dummy packet padding method for anonymous web browsing systems. The proposed strategy mitigates delay and bandwidth waste significantly on average. We formulated the traffic analysis attack and defense problem, and defined a metric, cost coefficient of anonymization (CCA), to measure the performance of anonymization. We thoroughly analyzed the problem with the characteristics of web browsing and concluded that the proposed strategy is better than the current dummy packet padding strategy in theory. We have conducted extensive experiments on two real world data sets, and the results confirmed the advantage of the proposed method.





Background: Hereditary angioedema (HAE) is a rare, debilitating, potentially life-threatening condition characterized by recurrent acute attacks of edema of the skin, face/upper airway, and gastrointestinal and urogenital tracts. During a laryngeal attack, people with HAE may be at risk of suffocation, while other attacks are often associated with intense pain, disfigurement, disability, and/or vomiting. The intensity of some symptoms is known only to the person experiencing them. Thus, interview studies are needed to explore such experience and patient-reported outcome measures (PROMs) are required for systematic assessment of symptoms in the clinical setting and in clinical trials of treatments for acute HAE attacks.

Objective: The aim of this interview study was to assess the content validity and suitability of four visual analog scale (VAS) instruments for use in clinical studies. The VAS instruments were designed to assess symptoms at abdominal, oro-facial-pharyngeal-laryngeal, peripheral, and urogenital attack locations. This is the first known study to report qualitative data about the patient's experience of the rare disorder, HAE.

Methods: Semi-structured exploratory and cognitive debriefing interviews were conducted with 27 adults with a confirmed clinical/laboratory diagnosis of HAE (baseline plasma level of functional plasma protein C1 esterase inhibitor [C1INH] <50% of normal without evidence for acquired angioedema). There were 17 participants from the US and 10 from Italy, with mean age 42.5 (SD 14.5) years, range 18–72 years, mean HAE duration 21.3 (SD 14.1) years, range 1–45 years, 67% female, and 44% VAS-naïve. Experience of acute angioedema attacks was first explored, noting spontaneous mentions by participants of HAE symptomatology. Cognitive debriefing of the VAS instruments was undertaken to assess the suitability, comprehensibility, and relevance of the VAS items. Asymptomatic participants completed the VAS instruments relevant to their angioedema experience, reporting as if they were experiencing an acute angioedema attack at the time. Interviews were conducted in the clinic setting in the US and Italy over an 8-month period.

Results: Participants mentioned spontaneously almost all aspects of acute angioedema attacks covered by the four VAS instruments, thus providing strong support for inclusion of nearly all VAS items, with no important symptoms missing. Predominant symptoms found to be associated with acute angioedema attacks were edema and pain, and there was evidence of varying degrees of disruption to everyday activities supporting the inclusion of an overall severity item reflecting the disabling effects of HAE symptoms. VAS item wording was understood by participants.

Conclusion: This interview study explored and reported the patient experience of HAE attacks. It demonstrated the content validity of the four anatomical location HAE VAS instruments and their suitability for use in clinical trials of recombinant human C1INH (rhC1INH) treatment for ascertaining trial participants' assessments of the severity of acute angioedema symptoms.





Cyber-Physical Systems allow for the interaction of the cyber and physical worlds using a central service called Cloud Web Services. Cloud Web Services can sit well within three models of Cyber-Physical Systems: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). When any Cyber-Physical System uses Cloud Web Services, it inherits a security problem, the HX-DoS attack. An HX-DoS attack is a combination of HTTP and XML messages that are intentionally sent to flood and destroy the communication channel of the cloud service provider. The relevance of this research is that TCP/IP flood attacks are a common problem and a lot of research to mitigate them has previously been discussed, but the HTTP denial of service and XML denial of service problem has only been addressed in a few papers. In this paper, we get closer to closing this gap with our new defence system called Pre-Decision, Advance Decision, Learning System (ENDER). In our previous experiments using our Cloud Protector, we were successful at detecting and mitigating 91% of HX-DoS attack traffic with a 9% false positive rate. In this paper, ENDER was able to improve upon this result by being trained and tested on the same data, but with a greater result of 99% detection and 1% false positive.