Speak-up as a Resource Based Defence against Application Layer Distributed Denial-of-Service Attacks

Jawad, Dina, Rosell, Felicia

January 2015

Under de senaste åren har antalet DDoS-attacker i Internets applikationsskikt ökat. Detta problem behöver adresseras. Den här rapporten presenterar ett antal existerande metoder för att upptäcka och skydda mot DDoS-attacker i applikationsskiktet. En metod för detta ändamål är att hitta avvikelser av olika typer hos de attackerande klienterna, för att urskilja mellan attackerande och vanliga klienter. Detta är ett brett utforskatförsvarsområde med många positiva resultat, men dessa metoder har ett antal brister, som att de kan resultera i både falska positiva och negativa resultat. En metod som ännu inte har undersökts tillräckligt är resurs-baserat försvar. Det är en metod med mycket potential, eftersom den tydligare kan skilja på goda och onda klienter under en DDoS-attack. Speak-up är en sådan metod och är huvudfokus i denna rapport. För- och nackdelarna med Speak-up har undersökts och resultaten visar på att Speak-up har potential till att bli ett kraftfullt verktyg mot DDoS-attacker. Speak-up har dock sina begränsningar och är därför inte det bästa alternativet under vissa typer av dessa DDoS-attacker. / In recent years, the internet has endured an increase in application layer DDoS attacks. It is a growing problem that needs to be addressed. This paper presents a number of existing detection and protection methods that are used to mitigate application layer DDoS attacks. Anomaly detection is a widely explored area for defence and there have been many findings that show positive results in mitigating attacks. However, anomaly detection possesses a number of flaws, such as causing false positives and negatives. Another method that has yet to become thoroughly examined is resource based defence. This defence method has great potential as it addresses clear differences between legitimate users and attackers during a DDoS attack. One such defence method is called Speak-up and is the center of this paper. The advantages and limitations of Speak-up have been explored and the findings suggest that Speak-up has the potential to become a strong tool in defending against DDoS attacks. However, Speak-up has its limitations and may not be the best alternative during certain types of application layer DDoS attacks.

DDoS

Application Layer

Speak-up

Denial-of-Service

Cyber Attack

Computer Sciences

Datavetenskap (datalogi)

Gestion de la sécurité des réseaux à l'aide d'un service innovant de Cloud Based Firewall / Network Security Management Using a Novel Firewall Cloud-Based Service

Guenane, Fouad Amine

13 October 2014

Le Cloud Computing a évolué au cours de la dernière décennie, passant d’un simple service de stockage à des services plus complexes, en proposant le software comme service (SaaS), les plateformes comme service(PaaS) et très récemment la sécurité comme service (SECaaS).Dans notre travail, nous sommes partis de l'idée simple d'utiliser les ressources offertes par le Cloud avec un faible coût financier pour proposer des nouvelles architectures de service de sécurité. La sécurité des environnements virtuels est un sujet majeur pour le déploiement de l’usage du Cloud. Malheureusement, comme ces environnements sont composés d’un ensemble de technologies déjà existantes, utilisées d'une manière nouvelle, de nombreuses solutions sécuritaires ne sont que des solutions traditionnelles reconditionnées à la problématique Cloud et réseaux virtuels. Le travail effectué dans le cadre de cette thèse vient répondre à la limitation de ressources des équipements physiques de sécurité comme les Firewalls et a pour objectif de proposer de nouveaux services de sécurité composés d’architectures de gestion de la sécurité des réseaux dans le Cloud basé sur le modèle Security as a Service, ainsi que des architectures de management de ces services. Nous avons pris l’initiative de proposer une architecture totalement Cloud-Based. Cette dernière, permet à un Cloud provider de proposer un service de Firewalling à ses clients. Celui-ci leur demande de s’abonner à l’offre en leur garantissant le traitement (analyse) d’une capacité de bande-passante de trafic avec des règles de filtrages fonctionnelles et d’autres proposées par l’abonné. Les résultats obtenus ont démontré les aptitudes de nos architectures à gérer et à faire face à des attaques réseaux de type DDoS et à augmenter la capacité d’analyse en distribuant le trafic sur plusieurs pare-feu virtuels. / Cloud computing has evolved over the last decade from a simple storage service for more complex services, offering the software as a service (SaaS) platforms as a service (PaaS) and most recently the security as a service (SECaaS). In our work, we started with the simple idea to use the resources offered by the Cloud with a low financial cost to propose new architectures of security service. The security of virtual environments is a major issue for the deployment of the use of the Cloud. Unfortunately, these environments are composed of a set of already existing technologies used in a new way, many security solutions are only traditional reconditioned solutions to solve the Cloud and virtual networks security issues. The work done in this thesis is a response to the resource limitations of physical security devices such as firewalls and propose new security architectures consist of management of network security in the cloud-based services following Security as a Service model and propose novel architectures for managing these services. We took the initiative to propose a completely Cloud-Based architecture. The latter allows a cloud provider to provide firewalling service to its customers. It asks them to subscribe to the offer by guaranteeing treatment (analysis) with a capacity of bandwidth traffic with functional filtering rules and other proposed by the subscriber. The results demonstrated the ability of our architecture to manage and cope with network DDoS attacks and to increase analytical capacity by distributing traffic over multiple virtual

Security as a Service

Cloud Computing

Sécurité de réseau

DDoS

Firewall

Cloud computing

Security Management

005.8

Bezpečnostní systém pro eliminaci útoků na webové aplikace / Security System for Web Application Attacks Elimination

Vašek, Dominik

January 2021

Nowadays, botnet attacks that aim to overwhelm the network layer by malformed packets and other means are usually mitigated by hardware intrusion detection systems. Application layer botnet attacks, on the other hand, are still a problem. In case of web applications, these attacks contain legitimate traffic that needs to be processed. If enough bots partake in this attack, it can lead to inaccessibility of services provided and other problems, which in turn can lead to financial loss. In this thesis, we propose a detection and mitigation system that can detect botnet attacks in realtime using statistical approach. This system is divided into several modules that together cooperate on the detection and mitigation. These parts can be further expanded. During the testing phase, the system was able to capture approximately 60% of botnet attacks that often focused on spam, login attacks and also DDoS. The number of false positive addresses is below 5%.

Dopad COVID-19 na bezpečnostní politiku států v oblasti kybernetické bezpečnosti / Impact of COVID-19 on Security Policies of States in the Area of Cyber Security

Rieger, Anastasiya

January 2022

CHARLES UNIVERSITY FACULTY OF SOCIAL SCIENCES Master of International Security Systems Anastasiya Neskoromna/Rieger Impact of COVID 19 on Security Policies of States in the Area of Cyber Security Abstract Prague 2022 Author: Ms. Anastasiya Neskoromna/Rieger Supervisor: prof. David Erkomashvile, Ph.D. Academic Year: 2021/2022 Abstract The SARS-Cov-19 or in different wording the global Covid pandemic outburst have created an unprecedented scenario for various organizations, agencies and structures. The COVID-19 pandemic in 2020 has become an extraordinary and shocking event for the world community and the global economy. On the part of the authorities, the COVID-19 pandemic is accompanied by sometimes harsh and ambiguous decisions, the consequences of which are felt by people in many countries of the world: movement between countries was stopped, businesses and enterprises were closed, the restriction was created, those who were sick or at risk of infection were isolated. There was also no possible assumption regarding how long such a mode of life will last. Many factors as a consequential chain of reactions from the pandemic in the aggregate have created a pleasant environment for altering and modifying the cybercrime landscape. This work aims to analyze the factorial presence of modification in the sphere...

PERFORMANCE EVALUATION OF A TTL-BASED DYNAMIC MARKING SCHEME IN IP TRACEBACK

Devasundaram, Shanmuga Sundaram

January 2006

No description available.

Computer Science

IP traceback

distributed denial-of-service attacks

DDoS

DoS

dynamic packetmarking

traceback

Robust Anomaly Detection in Critical Infrastructure

Abdelaty, Maged Fathy Youssef

14 September 2022

Critical Infrastructures (CIs) such as water treatment plants, power grids and telecommunication networks are critical to the daily activities and well-being of our society. Disruption of such CIs would have catastrophic consequences for public safety and the national economy. Hence, these infrastructures have become major targets in the upsurge of cyberattacks. Defending against such attacks often depends on an arsenal of cyber-defence tools, including Machine Learning (ML)-based Anomaly Detection Systems (ADSs). These detection systems use ML models to learn the profile of the normal behaviour of a CI and classify deviations that go well beyond the normality profile as anomalies. However, ML methods are vulnerable to both adversarial and non-adversarial input perturbations. Adversarial perturbations are imperceptible noises added to the input data by an attacker to evade the classification mechanism. Non-adversarial perturbations can be a normal behaviour evolution as a result of changes in usage patterns or other characteristics and noisy data from normally degrading devices, generating a high rate of false positives. We first study the problem of ML-based ADSs being vulnerable to non-adversarial perturbations, which causes a high rate of false alarms. To address this problem, we propose an ADS called DAICS, based on a wide and deep learning model that is both adaptive to evolving normality and robust to noisy data normally emerging from the system. DAICS adapts the pre-trained model to new normality with a small number of data samples and a few gradient updates based on feedback from the operator on false alarms. The DAICS was evaluated on two datasets collected from real-world Industrial Control System (ICS) testbeds. The results show that the adaptation process is fast and that DAICS has an improved robustness compared to state-of-the-art approaches. We further investigated the problem of false-positive alarms in the ADSs. To address this problem, an extension of DAICS, called the SiFA framework, is proposed. The SiFA collects a buffer of historical false alarms and suppresses every new alarm that is similar to these false alarms. The proposed framework is evaluated using a dataset collected from a real-world ICS testbed. The evaluation results show that the SiFA can decrease the false alarm rate of DAICS by more than 80%. We also investigate the problem of ML-based network ADSs that are vulnerable to adversarial perturbations. In the case of network ADSs, attackers may use their knowledge of anomaly detection logic to generate malicious traffic that remains undetected. One way to solve this issue is to adopt adversarial training in which the training set is augmented with adversarially perturbed samples. This thesis presents an adversarial training approach called GADoT that leverages a Generative Adversarial Network (GAN) to generate adversarial samples for training. GADoT is validated in the scenario of an ADS detecting Distributed Denial of Service (DDoS) attacks, which have been witnessing an increase in volume and complexity. For a practical evaluation, the DDoS network traffic was perturbed to generate two datasets while fully preserving the semantics of the attack. The results show that adversaries can exploit their domain expertise to craft adversarial attacks without requiring knowledge of the underlying detection model. We then demonstrate that adversarial training using GADoT renders ML models more robust to adversarial perturbations. However, the evaluation of adversarial robustness is often susceptible to errors, leading to robustness overestimation. We investigate the problem of robustness overestimation in network ADSs and propose an adversarial attack called UPAS to evaluate the robustness of such ADSs. The UPAS attack perturbs the inter-arrival time between packets by injecting a random time delay before packets from the attacker. The attack is validated by perturbing malicious network traffic in a multi-attack dataset and used to evaluate the robustness of two robust ADSs, which are based on a denoising autoencoder and an adversarially trained ML model. The results demonstrate that the robustness of both ADSs is overestimated and that a standardised evaluation of robustness is needed.

Anomaly Detection

Deep Learning

Robustne

Industrial Control System

Adversarial Training

DDoS Attack

Securing SDN Data Plane:Investigating the effects of IP SpoofingAttacks on SDN Switches and its Mitigation : Simulation of IP spoofing using Mininet

JABBU, SHIVAKUMAR YADAV, MADIRAJU, ANIRUDH SAI

January 2023

Background:Software-Defined Networking (SDN) represents a network architecture that offers a separate control and data layer, facilitating its rapid deployment and utilization for diverse purposes. However, despite its ease of implementation, SDN is susceptible to numerous security attacks, primarily stemming from its centralized nature. Among these threats, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks pose the most substantial risks. In the event of a successful attack on the SDNcontroller, the entire network may suffer significant disruption. Hence, safe guarding the controller becomes crucial to ensure the integrity and availability of the SDN network. Objectives:This thesis focuses on examining the IP spoofing attack and its impact on the Data Plane, particularly concerning the metrics of an SDN switch. The investigation centers around attacks that manipulate flow-rules to amplify the number of rules and deplete the resources of a switch within the Data Plane of an SDN network. To conduct the study, a software-defined network architecture was constructed using Mininet, with a Ryu controller employed for managing network operations. Various experiments were carried out to observe the response of the SDN system when subjected to an IP spoofing attack, aiming to identify potential mitigation strategies against such threats. Method and Results: To simulate the resource exhaustion scenario on the SDN network’s Data Plane,we deliberately triggered an escalation in the number of flow-rules installed in the switch. This was achieved by sending packets with spoofed IP addresses, there by exploiting the switch’s limited resources. Specifically, we focused on monitoring the impact on CPU utilization, storage memory, latency, and throughput within the switch. Detailed findings were presented in the form of tables, accompanied by graphical representations to visually illustrate the effects of increasing flow rules on the switches. Furthermore, we explored potential mitigation measures by developing an application that actively monitors the flow rules on the Ryu controller, aiming to detect and counteract such resource-exhausting effects.

Software Defined Networking

IP Spoofing

Flooding

DDoS Attacks

Data Plane

Mininet

Telecommunications

Telekommunikation

A Prevention Technique for DDoS Attacks in SDN using Ryu Controller Application

Adabala, Yashwanth Venkata Sai Kumar, Devanaboina, Lakshmi Venkata Raghava Sudheer

January 2024

Software Defined Networking (SDN) modernizes network control, offering streamlined management. However, its centralized structure makes it more vulnerable to distributed Denial of Service (DDoS) attacks, posing serious threats to network stability. This thesis explores the development of a DDoS attack prevention technique in SDN environments using the Ryu controller application. The research aims to address the vulnerabilities in SDN, particularly focusing on flooding and Internet Protocol (IP) spoofing attacks, which are a significant threat to network security. The study employs an experimental approach, utilizing tools like Mininet-VM (VirtualMachine), Oracle VM VirtualBox, and hping3 to simulate a virtual SDN environment and conduct DDoS attack scenarios. Key methodologies include packet sniffing and rule-based detection by integrating Snort IDS (Intrusion Detection System), which is critical for identifying and mitigating such attacks. The experiments demonstrate the effectiveness of the proposed prevention technique, highlighting the importance of proper configuration and integration of network security tools in SDN. This work contributes to enhancing the resilience of SDN architectures against DDoS attacks, offering insights into future developments in network security.

Software Defined Networking

SDN

IP Spoofing

Flooding

DDoS Attacks

Mininet

Snort IDS

Network Security

Telecommunications

Telekommunikation

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Sangodoyin, Abimbola O.

January 2019

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks.

Software Defined Networks (SDN)

Network security

Attack detection

Attack mitigation

Controller

Design and Implementation of a Deep Learning based Intrusion Detection System in Software-Defined Networking Environment

Niyaz, Quamar

January 2017

No description available.

Computer Engineering

Computer Science