Intrusion Detection on Distributed Attacks

Cheng, Wei-Cheng

29 July 2003

The number of significant security incidents tends to increase day by day in recent years. The distributed denial of service attacks and worm attacks extensively influence the network and cause serious damages. In the thesis, we analyze these two critical distributed attacks. We propose an intrusion detection approach against this kind of attacks and implement an attack detection system based on the approach. We use anomaly detection of intrusion detecting techniques and observed the anomalous distribution of packet fields to perform the detection. The proposed approach records the characteristics of normal traffic volumes so that to make detections more flexible and more precise. Finally, we evaluated our approach by experiments.

distributed denial of service attack

worm

intrusion detection

Trestněprávní a kriminologické aspekty kyberkriminality se zaměřením na útoky typu odepření služby / Criminal and criminological aspects of cybercrime with a focus on denial of service attacks

Přívozník, Lukáš

January 2019

Criminal and criminological aspects of cybercrime with a focus on denial of service attacks Abstract The aim of this master thesis is to analyze the criminal law assessment of denial of service (DoS) cyber-attacks and related criminological aspects. The author deals with the technical characteristics and typology of this type of attack. He analyzes its individual variants, as the way of performing the attack, that is reflected in its criminal assessment. The thesis also describes the facts concerning the largest series of DoS attacks that occurred in the Czech Republic in 2013. Next, the author deals with the criminological aspects of cybercrime, namely its expansion and latency, the perpetrators and victims of the denial of service attack and related prevention, including techniques and methods of defense against this attack. In the main part of the thesis, the author analyzes the criminal law aspects of this specific type of crime. The thesis deals with the development of law in this area at international level, within the European Union and at national level. It also deals with the analysis of the factual situation of cybercrime provided for in Sections 230 to 232 of the Criminal Code and the criminal law assessment of individual variants of the attack. The thesis deals with related problematic points,...

Distributed Denial of Service : Svenska bankers uppfattning om hotbilden av DDoS-attacker

Macchiavello, Sabrina, Wulkan, Linnea

January 2023

As the financial sector has become increasingly digitized, its vulnerability to cyberattacks has increased. Distributed Denial of Service attacks are one of the biggest threats on the internet today and has been growing steadily for the last few years. The increase applies to both the size and frequency of the attacks. DDoS-attacks have been a threat especially towards banks and therefore it is important to have a well functional cyber security strategy to withstand the attacks. This thesis investigates Swedish banks perception regarding the threat picture of DDoS-attacks against banks. As a result of a qualitative case study, Swedish banks opinion has been investigated through interviews with IT security managers at Swedish banks. The banks are considered to have effective strategies to prevent and manage DDoS-attacks but the threat of cyber attacks continues to increase. The participants mention various factors that show an increase in DDoS-attacks and the media can be an influence. The empirical material is analyzed using the National Cybersecurity Strategy (NCSS) framework developed by the European Union Agency for Cybersecurity (ENISA).

Distributed Denial of Service attack

Denial of Service attack

överbelastningsattack

finansiell sektor

bank

cybersäkerhet

cyberhot

cyberattack

National Cybersecurity Strategy

NCSS

Information Systems

The Research of Network Security in IP Traceback

Tseng, Yu-kuo

29 September 2004

With the dramatic expansion of computers and communication networks, computer crimes, such as threatening letters, fraud, and theft of intellectual property have been growing at a dreadful rate. The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. The problems of protecting data and information on computers and communication networks has become even more critical and challenging, since the widespread adoption of the Internet and the Web. Consequently, it is very urgent to design an integrated network-security architecture so as to make information safer, proactively or reactively defeat any network attack, make attackers accountable, and help the law enforcement system to collect the forensic evidences. Among a variety of attacks on computer servers or communication networks, a prevalent, famous, and serious network-security subject is known as "Denial of Service" (DoS) or "Distributed Denial of Service" (DDoS) attacks. According to an investigation on computer crime conducted by CSI/FBI in 2003, Internet DoS/DDoS have increased in frequency, severity, and sophistication, and have caught international attentions to the vulnerability of the Internet. DoS/DDoS attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult to trace. Therefore, this dissertation will firstly concentrate on how to resolve these troublesome DoS/DDoS problems. This is considered as the first step to overcome generic network security problems, and to achieve the final goal for accomplishing a total solution of network security. Instead of tolerating DoS/DDoS attacks by mitigating their effect, to trace back the attacking source for eliminating the attacker is an aggressive and better approach. However, it is difficult to find out the true attacking origin by utilizing the incorrect source IP address faked by the attacker. Accordingly, this dissertation will aim at conquering this representative network security problem, i.e. DoS/DDoS attacks, with IP traceback, and designing an optimal IP traceback. IP traceback ¡X the ability to trace IP packets to their origins¡Xis a significant step toward identifying, and thus stopping, attackers. A promising solution to the IP traceback is probabilistic packet marking (PPM). This traceback approach can be applied during or after an attack, and it does not require any additional network traffic, router storage, or packet size increase. Therefore, the IP traceback research on countering DoS/DDoS attacks will be based on PPM scheme. In this dissertation, three outstanding improvements among four PPM criteria¡Xthe convergency, the computational overhead, and the incomplete PPM deployment problem¡Xhas been achieved. PPM-NPC is proposed to improve the PPM convergency and computational overhead. With non-preemptively compensation, the probability of each marked packet arrived at the victim equals its original marking probability. Therefore, PPM-NPC will efficiently achieve the optimal convergent situation by simply utilizing a 2-byte integer counter. Another better scheme, CPPM, is also proposed, such that the marked packets can be fully compensated as well while they are remarked. With CPPM, the probability of each marked packet arrived at the victim will also equal its original marking probability. Consequently, CPPM will achieve the optimal convergent situation efficiently as well. Furthermore, RPPM-NPC is presented to advance the accuracy of a reconstructed path in an incomplete PPM deployment environment by correcting and recovering any discontinuous individual transparent router and any segment of consecutive double transparent routers. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. Except for these improved criteria, PPM robustness, some weak assumptions in PPM, and a few unsolved problems for PPM, e.g. reflective DDoS attacks, will also be improved in the future. It is also interesting in combining other network security researches, such as IDS, system access control mechanism, etc., for constructing a more complete network security architecture. Therefore, this research hereby is done in order to completely resolve the troublesome flood-style DoS/DDoS problems, and as the basis for accomplishing a total solution of network security.

IP traceback

probabilitic packet marking

denial of service attack

computer network security

MACHINE LEARNING ALGORITHMS and THEIR APPLICATIONS in CLASSIFYING CYBER-ATTACKS on a SMART GRID NETWORK

Aribisala, Adedayo, Khan, Mohammad S., Husari, Ghaith

01 January 2021

Smart grid architecture and Software-defined Networking (SDN) have evolved into a centrally controlled infrastructure that captures and extracts data in real-time through sensors, smart-meters, and virtual machines. These advances pose a risk and increase the vulnerabilities of these infrastructures to sophisticated cyberattacks like distributed denial of service (DDoS), false data injection attack (FDIA), and Data replay. Integrating machine learning with a network intrusion detection system (NIDS) can improve the system's accuracy and precision when detecting suspicious signatures and network anomalies. Analyzing data in real-time using trained and tested hyperparameters on a network traffic dataset applies to most network infrastructures. The NSL-KDD dataset implemented holds various classes, attack types, protocol suites like TCP, HTTP, and POP, which are critical to packet transmission on a smart grid network. In this paper, we leveraged existing machine learning (ML) algorithms, Support vector machine (SVM), K-nearest neighbor (KNN), Random Forest (RF), Naïve Bayes (NB), and Bagging; to perform a detailed performance comparison of selected classifiers. We propose a multi-level hybrid model of SVM integrated with RF for improved accuracy and precision during network filtering. The hybrid model SVM-RF returned an average accuracy of 94% in 10-fold cross-validation and 92.75%in an 80-20% split during class classification.

denial of service attack

detecting Cyberat-tacks

FDIA

hybrid SVM

NSL-KDD data set

SVM

Computing

Multi-Cloud architecture attacks through Application Programming Interfaces

Lander, Theodore Edward, Jr.

10 May 2024

Multi-cloud applications are becoming a universal way for organizations to build and deploy systems. Multi-cloud systems are deployed across several different service providers, whether this is due to company mergers, budget concerns, or services provided with each provider. With the growing concerns of potential cyber attacks, security of multi-cloud is an important subject, especially within the communications between systems through Application Programming Interfaces (APIs). This thesis presents an in depth analysis of multi-cloud, looking at APIs and security, creates a mock architecture for a multi-cloud system, and executes a cyber attack on this architecture to demonstrate the catastrophic effects that could come of these systems if left unprotected. Finally, some solutions for security are discussed as well as the potential plan for more testing of cyber attacks in this realm

Detecting DDoS Attacks with Machine Learning : A Comparison between PCA and an autoencoder / Att Upptäcka DDoS-attacker med Maskininlärning : En Jämförelse mellan PCA och en autoencoder

Johansson, Sofie

January 2024

Distibuted denial of service (DDoS) attacks are getting more and more common in society as the number of devices connected to the Internet is increasing. To reduce the impact of such attacks it is important to detect them as soon as possible. Many papers have investigated how well different machine learning algorithms can detect DDoS attacks. However, most papers are focusing on supervised learning algorithms which require a lot of labeled data, which is hard to find. This thesis compares two unsupervised learning algorithms, an autoencoder and principal component analysis (PCA), in how well they detect DDoS attacks. The models are implemented in the Python libraries Keras, Tensorflow and scikit-learn. They are then trained and tested with data that has its origin in the CICDDOS2019 dataset. There are normal data and nine different types of DDoS attacks in the used dataset. The models are compared by computing the Receiver Operating Characteristic (ROC) curve and its Area Under the Curve (AUC) score, and the F1 score of the models. For both measures the mean value of the results of all attack types are used. The computations show that the autoencoder perform better than PCA with respect to both the mean AUC score (0.981 compared to 0.967) and the mean F1 score (0.987 compared to 0.978). The thesis goes on to discussing why the autoencoder performs better than PCA and, finally draws conclusions based on the insights of the analysis.

machine learning

distributed denial of service attack

DDoS

autoencoder

pca

Computer Engineering

Datorteknik

Denial-of-service attack : A realistic implementation of a DoS attack / Denial-of-service attack : En realistisk implementering

Skog Andersen, Jonas, Alderhally, Ammar

January 2015

This report describes some of the most well known denial of service attacks (DoS-attacks). This will be done in the first part of the report, the second part describes an implementation of a DoS-attack. The main purpose of its first part is to closer examine common DoS-attacks, the purpose of such attacks, the protection methods that can be deployed to mitigate these attacks and the ways that are used to measure these attacks. The second part describes a implementation of a practical attack implemented using HTTP POST requests to overwhelm a web server, so called HTTP POST attack. The attack was carried out using different number of attack nodes, up to the default maximum limit for Apache web server. The attack succeeded after several attempts with different parameters. As a result of the experiments we learnt that a successful HTTP POST attack needs to take between 15% and 100% of the maximum permitted clients to make an impact on the server’s response time. The server that was attacked had no defence mechanism to protect itself against DoS-attacks. One important thing to note is that this attack is carried out in a protected environment so as not to affect the external environment.

DOS

DDOS

Attack

Denial of Service

Distributed denial of service attack

HTTP POST

HTTP POST attack

Computer Sciences

Datavetenskap (datalogi)

Impact of mobile botnet on long term evolution networks: a distributed denial of service attack perspective

Kitana, Asem

31 March 2021

In recent years, the advent of Long Term Evolution (LTE) technology as a prominent component of 4G networks and future 5G networks, has paved the way for fast and new mobile web access and application services. With these advantages come some security concerns in terms of attacks that can be launched on such networks. This thesis focuses on the impact of the mobile botnet on LTE networks by implementing a mobile botnet architecture that initiates a Distributed Denial of Service (DDoS) attack. First, in the quest of understanding the mobile botnet behavior, a correlation between the mobile botnet impact and different mobile device mobility models, is established, leading to the study of the impact of the random patterns versus the uniform patterns of movements on the mobile botnet’s behavior under a DDoS attack. Second, the impact of two base transceiver station selection mechanisms on a mobile botnet behavior launching a DDoS attack on a LTE network is studied, the goal being to derive the effect of the attack severity of the mobile botnet. Third, an epidemic SMS-based cellular botnet that uses an epidemic command and control mechanism to initiate a short message services (SMS) phishing attack, is proposed and its threat impact is studied and simulated using three random graphs models. The simulation results obtained reveal that (1) in terms of users’ mobility patterns, the impact of the mobile botnet behavior under a DDoS attack on a victim web server is more pronounced when an asymmetric mobility model is considered compared to a symmetric mobility model; (2) in terms of base transceiver station selection mechanisms, the Distance-Based Model mechanism yields a higher threat impact on the victim server compared to the Signal Power Based Model mechanism; and (3) under the Erdos-and-Reyni Topology, the proposed epidemic SMS-based cellular botnet is shown to be resistant and resilient to random and selective cellular device failures. / Graduate

Mobile Botnet

LTE

Long Term Evolution Network

Distributed Denial of Service Attack

DDoS

Cellular Botnet

Botnet

Cybersecurity

Cyber Security

Cyber Attacks

Αναγνώριση επιθέσεων web σε web-servers

Στυλιανού, Γεώργιος

09 July 2013

Οι επιθέσεις στο Διαδίκτυο και ειδικά οι επιθέσεις άρνησης εξυπηρέτησης (Denial of Service, DoS) αποτελούν ένα πολύ σοβαρό πρόβλημα για την ομαλή λειτουργία του Διαδικτύου. Αυτό το είδος επιθέσεων στοχεύει στην διατάραξη της καλής λειτουργίας ενός συστήματος, καταναλώνοντας τους πόρους του ή προκαλώντας υπερφόρτωση στο δίκτυο, καθιστώντας το ανίκανο να παρέχει στους πελάτες του τις υπηρεσίες για τις οποίες προορίζεται. Η αντιμετώπιση των επιθέσεων αυτών έχει απασχολήσει πολλούς ερευνητές τα τελευταία χρόνια και έχουν προταθεί πολλές διαφορετικές μέθοδοι πρόληψης, ανίχνευσης, και απόκρισης. Στα πλαίσια της παρούσας διπλωματικής επιχειρείται αρχικά ο ορισμός και η ταξινόμηση των επιθέσεων DoS και DDoS, με ιδιαίτερη αναφορά στις επιθέσεις DoS στον Παγκόσμιο Ιστό. Στη συνέχεια αναλύονται διάφοροι τρόποι αναγνώρισης επιθέσεων, με κύριους άξονες την αναγνώριση υπογραφής και την ανίχνευση ανωμαλιών. Γίνεται εμβάθυνση στο πεδίο της ανίχνευσης ανωμαλιών και πραγματοποιείται η μελέτη ενός συστήματος που ανιχνεύει ανωμαλίες σε δεδομένα κίνησης δικτύου που περιέχουν επιθέσεις. / Attacks in the Internet, and especially Denial of Service attacks, are a very serious threat to the normal function of the Internet. This kind of attack aims to the disruption of the normal function of a system, by consuming its resources or overloading the network, making it incapable to provide services, that is designed for, to the clients. In recent years many researchers have tried to propose solutions to prevent, detect and respond effectively to attacks. In this thesis, first a definition, and then a classification of DoS and DDoS attacks is proposed, with distinctive reference to attacks in the World Wide Web. Several ways of attack detection are analyzed, with signature detection and anomaly detection being the most significant. Afterwards, the field of anomaly detection is thoroughly analyzed, and a system that detects anomalies to a dataset of network traffic that contains attacks, is examined.

Αναγνώριση επιθέσεων

Ανίχνευση ανωμαλιών

005.8

Internet attacks

Attack detection

Anomaly detection

Security anomalies