Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Sangodoyin, Abimbola O.

January 2019

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks.

Software Defined Networks (SDN)

Network security

Attack detection

Attack mitigation

Controller

Network Anomaly Detection with Incomplete Audit Data

Patcha, Animesh

04 October 2006

With the ever increasing deployment and usage of gigabit networks, traditional network anomaly detection based intrusion detection systems have not scaled accordingly. Most, if not all, systems deployed assume the availability of complete and clean data for the purpose of intrusion detection. We contend that this assumption is not valid. Factors like noise in the audit data, mobility of the nodes, and the large amount of data generated by the network make it difficult to build a normal traffic profile of the network for the purpose of anomaly detection. From this perspective, the leitmotif of the research effort described in this dissertation is the design of a novel intrusion detection system that has the capability to detect intrusions with high accuracy even when complete audit data is not available. In this dissertation, we take a holistic approach to anomaly detection to address the threats posed by network based denial-of-service attacks by proposing improvements in every step of the intrusion detection process. At the data collection phase, we have implemented an adaptive sampling scheme that intelligently samples incoming network data to reduce the volume of traffic sampled, while maintaining the intrinsic characteristics of the network traffic. A Bloom filters based fast flow aggregation scheme is employed at the data pre-processing stage to further reduce the response time of the anomaly detection scheme. Lastly, this dissertation also proposes an expectation-maximization algorithm based anomaly detection scheme that uses the sampled audit data to detect intrusions in the incoming network traffic. / Ph. D.

high speed networks

Anomaly detection

weighted sampling

denial-of-service

expectation-maximization

Multi-Cloud architecture attacks through Application Programming Interfaces

Lander, Theodore Edward, Jr.

10 May 2024

Multi-cloud applications are becoming a universal way for organizations to build and deploy systems. Multi-cloud systems are deployed across several different service providers, whether this is due to company mergers, budget concerns, or services provided with each provider. With the growing concerns of potential cyber attacks, security of multi-cloud is an important subject, especially within the communications between systems through Application Programming Interfaces (APIs). This thesis presents an in depth analysis of multi-cloud, looking at APIs and security, creates a mock architecture for a multi-cloud system, and executes a cyber attack on this architecture to demonstrate the catastrophic effects that could come of these systems if left unprotected. Finally, some solutions for security are discussed as well as the potential plan for more testing of cyber attacks in this realm

Detecting DDoS Attacks with Machine Learning : A Comparison between PCA and an autoencoder / Att Upptäcka DDoS-attacker med Maskininlärning : En Jämförelse mellan PCA och en autoencoder

Johansson, Sofie

January 2024

Distibuted denial of service (DDoS) attacks are getting more and more common in society as the number of devices connected to the Internet is increasing. To reduce the impact of such attacks it is important to detect them as soon as possible. Many papers have investigated how well different machine learning algorithms can detect DDoS attacks. However, most papers are focusing on supervised learning algorithms which require a lot of labeled data, which is hard to find. This thesis compares two unsupervised learning algorithms, an autoencoder and principal component analysis (PCA), in how well they detect DDoS attacks. The models are implemented in the Python libraries Keras, Tensorflow and scikit-learn. They are then trained and tested with data that has its origin in the CICDDOS2019 dataset. There are normal data and nine different types of DDoS attacks in the used dataset. The models are compared by computing the Receiver Operating Characteristic (ROC) curve and its Area Under the Curve (AUC) score, and the F1 score of the models. For both measures the mean value of the results of all attack types are used. The computations show that the autoencoder perform better than PCA with respect to both the mean AUC score (0.981 compared to 0.967) and the mean F1 score (0.987 compared to 0.978). The thesis goes on to discussing why the autoencoder performs better than PCA and, finally draws conclusions based on the insights of the analysis.

machine learning

distributed denial of service attack

DDoS

autoencoder

pca

Computer Engineering

Datorteknik

Resilient Cooperative Control of Cyber-Physical Systems: Enhancing Robustness Against Significant Time Delays and Denial-of-Service Attacks

Babu Venkateswaran, Deepalakshmi

01 January 2024

A cyber-physical control system (CPS) typically consists of a set of physical subsystems, their remote terminal units, a central control center (if applicable), and local communication networks that interconnect all the components to achieve a common goal. Applications include energy systems, autonomous vehicles, and collaborative robots. Ensuring stability, performance, and resilience in CPS requires thorough analysis and control design, utilizing robust algorithms to handle delays, communication failures, and potential cyber-attacks. Time delays are a challenge in CPS, particularly in teleoperation systems, where human operators remotely control robotic systems. These delays cause chattering, oscillations, and instability, making it difficult to achieve smooth and stable remote robot control. Applications like remote surgery, space exploration, and hazardous environment operations are highly susceptible to these disruptions. To address this issue, a novel passivity-shortage framework is proposed, that enables systems to maintain stability and transparency despite time-varying communication delays and environmental disturbances. CPS are prone to attacks, particularly Denial-of-Service (DoS) attacks, which disrupt the normal functioning of a network by overwhelming it with excessive internet traffic, rendering the communication channels unavailable to legitimate users. These attacks threaten the stability and functionality of CPS. To enhance resilience in multi-agent systems, novel distributed algorithms are proposed. These graph theory-based algorithms mitigate network vulnerabilities by incorporating strategically placed additional communication channels, thereby increasing tolerance to attacks in large, dynamic networks. The effectiveness of these proposed approaches is validated through simulations, experiments, and numerical examples. The passivity-shortage teleoperation strategies are tested using Phantom Omni devices and they show reduced chattering and better steady-state error convergence. A case study demonstrates how the proposed distributed algorithms effectively achieve consensus, even when some agents are disconnected from the network due to DoS attacks.

Control Systems Design

Resilient Control

Teleoperation Stability

Time-Delay

Denial of Service Attacks

Multi-Agent Systems

Evaluation of and Mitigation against Malicious Traffic in SIP-based VoIP Applications in a Broadband Internet Environment

Wulff, Tobias

January 2010

Voice Over IP (VoIP) telephony is becoming widespread, and is often integrated into computer networks. Because of his, it is likely that malicious software will threaten VoIP systems the same way traditional computer systems have been attacked by viruses, worms, and other automated agents. While most users have become familiar with email spam and viruses in email attachments, spam and malicious traffic over telephony currently is a relatively unknown threat. VoIP networks are a challenge to secure against such malware as much of the network intelligence is focused on the edge devices and access environment. A novel security architecture is being developed which improves the security of a large VoIP network with many inexperienced users, such as non-IT office workers or telecommunication service customers. The new architecture establishes interaction between the VoIP backend and the end users, thus providing information about ongoing and unknown attacks to all users. An evaluation of the effectiveness and performance of different implementations of this architecture is done using virtual machines and network simulation software to emulate vulnerable clients and servers through providing apparent attack vectors.

Voice over IP (VoIP)

Session Initiation Protocol (SIP)

Denial of Service (DoS)

malware

Intrusion Detection System (IDS)

event correlation

security architecture

Um Sistema de Detecção de Intrusão para Detecção de Ataques de Negação de Serviço na Internet das Coisas. / An Intrusion Detection System for Detection of Attacks Service Denial on the Internet of Things.

SOUSA, Breno Fabrício Lira Melo

21 December 2016

Submitted by Maria Aparecida (cidazen@gmail.com) on 2017-08-01T15:17:20Z No. of bitstreams: 1 Breno Fabricio.pdf: 3022898 bytes, checksum: d3e376b3280034170ef737c756a8bb30 (MD5) / Made available in DSpace on 2017-08-01T15:17:20Z (GMT). No. of bitstreams: 1 Breno Fabricio.pdf: 3022898 bytes, checksum: d3e376b3280034170ef737c756a8bb30 (MD5) Previous issue date: 2016-12-21 / The paradigm of the Internet of Things (in english, Internet of Things - IoT) came to allow intercommunication between different objects via Internet, and thereby facilitate the form of how the end user will interact with a wide variety of devices that surround him in everyday life. The availability of features that these devices have is a factor that deserves great attention because the use of such resources inappropriately can cause serious damage. Therefore, since such devices are connected to the internet, they are vulnerable to various threats, such as, denial-of-service attack (DoS). In order to tackle DoS type threats in IoT, an Intrusion Detection System (IDS) is proposed for IoT, aiming at detecting some types of DoS attacks. / O paradigma da Internet das Coisas (em inglês, Internet of Things - IoT) surgiu para possibilitar a intercomunicação entre os diferentes objetos através da Internet, e, com isso, facilitar a forma de como o usuário final interagirá com a grande variedade de dispositivos que o cerca no dia a dia. A disponibilidade de recursos que estes dispositivos possuem é um fator que merece uma grande atenção, pois o uso de tais recursos de forma não apropriada pode gerar graves danos. Para tanto, uma vez que tais dispositivos estão conectados à Internet, estes estão vulneráveis a diversas ameaças, como, por exemplo, ataque de negação de serviço (DoS). A fim de enfrentar ameaças do tipo DoS em IoT, propõe-se um IDS (Intrusion Detection System) para IoT, objetivando a detecção de alguns ataques do tipo DoS.

Arquitetura de Sistemas de Computação

Prilog razvoju metode za detekciju napada ometanjem usluge na Internetu / A contribution to the method for detection of denial of service attacks inInternet

Petković Miodrag

24 September 2018

<p>U ovoj doktorskoj disertaciji predložen je i analiziran metod koji kombinuje primenu entropije odabranih obeležja mrežnog saobraćaja i Takagi-Sugeno-Kang (TSK) neuro-fazi modela u detekciji DoS napada. Entropija je primenjena jer omogućava detekciju širokog spektra statističkih anomalija uzrokovanih DoS napadima dok TSK neuro-fazi model daje dodatni kvalitet u konačnom određivanju tačaka početka i kraja napada povećavajući odnos ispravno i pogrešno detektovanih napada.</p> / <p>In this thesis a new method for DoS attack detection is proposed. This method<br />combines the use of entropy of some characteristic parameters of network traffic<br />and Takagi-Sugeno-Kang (TSK) neuro-fuzzy model. Entropy has been used because<br />it enables detection of wide spectar of network anomalies caused by DoS attacks,<br />while TSK adds new value to final detection of the start and the end of an attack<br />increasing ratio between true and false detections.</p>

Robust and secure monitoring and attribution of malicious behaviors

Srivastava, Abhinav

08 July 2011

Worldwide computer systems continue to execute malicious software that degrades the systemsâ performance and consumes network capacity by generating high volumes of unwanted traffic. Network-based detectors can effectively identify machines participating in the ongoing attacks by monitoring the traffic to and from the systems. But, network detection alone is not enough; it does not improve the operation of the Internet or the health of other machines connected to the network. We must identify malicious code running on infected systems, participating in global attack networks. This dissertation describes a robust and secure approach that identifies malware present on infected systems based on its undesirable use of network. Our approach, using virtualization, attributes malicious traffic to host-level processes responsible for the traffic. The attribution identifies on-host processes, but malware instances often exhibit parasitic behaviors to subvert the execution of benign processes. We then augment the attribution software with a host-level monitor that detects parasitic behaviors occurring at the user- and kernel-level. User-level parasitic attack detection happens via the system-call interface because it is a non-bypassable interface for user-level processes. Due to the unavailability of one such interface inside the kernel for drivers, we create a new driver monitoring interface inside the kernel to detect parasitic attacks occurring through this interface. Our attribution software relies on a guest kernelâ s data to identify on-host processes. To allow secure attribution, we prevent illegal modifications of critical kernel data from kernel-level malware. Together, our contributions produce a unified research outcome --an improved malicious code identification system for user- and kernel-level malware.

Systems security

Virtualization

Malware detection

Security architecture

Malware (Computer software)

Denial of service attacks

Cyberterrorism

Computer viruses

Kernel functions

Estratégias para tratamento de ataques de negação de serviço na camada de aplicação em redes IP

Dantas, Yuri Gil

14 July 2015

Submitted by Viviane Lima da Cunha (viviane@biblioteca.ufpb.br) on 2016-02-15T12:15:56Z No. of bitstreams: 1 arquivototal.pdf: 3158533 bytes, checksum: 99b0075b0671ec0e3c4fdda3a82a360f (MD5) / Made available in DSpace on 2016-02-15T12:15:56Z (GMT). No. of bitstreams: 1 arquivototal.pdf: 3158533 bytes, checksum: 99b0075b0671ec0e3c4fdda3a82a360f (MD5) Previous issue date: 2015-07-14 / Distributed Denial of Service (DDoS) attacks remain among the most dangerous and noticeable attacks on the Internet. Differently from previous attacks, many recent DDoS attacks have not been carried out over the Transport Layer, but over the Application Layer. The main difference is that in the latter, an attacker can target a particular application of the server, while leaving the others applications still available, thus generating less traffic and being harder to detected. Such attacks are possible by exploiting application layer protocols used by the target application. This work proposes a novel defense, called SeVen, for Application Layer DDoS attacks (ADDoS) based on the Adaptive Selective Verification (ASV) defense used for Transport Layer DDoS attacks. We used two approches to validate the SeVen: 1) Simulation: The entire defense mechanism was formalized in Maude tool and simulated using the statistical model checker (PVeStA). 2) Real scenario experiments: Analysis of efficiency SeVen, implemented in C++, in a real experiment on the network. We investigate the resilience for mitigating three attacks using the HTTP protocol: HTTPPOST, Slowloris, and HTTP-GET. The defence is effective, with high levels of availability, for all three types of attacks, despite having different attack profiles, and even for a relatively large number of attackers. / Ataques de Negação de Serviço Distribuídos (Distributed Denial of Service - DDoS) estão entre os ataques mais perigosos na Internet. As abordagens desses ataques vêm mudando nos últimos anos, ou seja, os ataques DDoS mais recentes não têm sido realizados na camada de transporte e sim na camada de aplicação. A principal diferença é que, nesse último, um atacante pode direcionar o ataque para uma aplicação específica do servidor, gerando menos tráfego na rede e tornando-se mais difícil de detectar. Tais ataques exploram algumas peculiaridades nos protocolos utilizados na camada de aplicação. Este trabalho propõe SeVen, um mecanismo de defesa probabilístico para mitigar ataques DDoS na camada de aplicação, baseada em Adaptive Selective Verification (ASV), um mecanismo de defesa para ataques DDoS na camada de transporte. Foram utilizadas duas abordagens para validar o SeVen: 1) Simulação: Todo o mecanismo de defesa foi formalizado na ferramenta computacional, baseada em lógica de reescrita, chamada Maude e simulado usando um modelo estatístico (PVeStA). 2) Experimentos na rede: Análise da eficiência do SeVen, implementado em C++, em um experimento real na rede. Em particular, foram investigados três ataques direcionados ao Protocolo HTTP: GET FLOOD, Slowloris e o POST. Nesses ataques, apesar de terem perfis diferentes, o SeVen obteve um elevado índice de disponibilidade.

Ataques de negação de serviço

Camada de aplicação

Mecanismo de defesa

Application layer

Defense mechanism

Denial of Service