50 research outputs found

    Catch Me If You Can: A New Low-Rate DDoS Attack Strategy Disguised by Feint

    While collaborative systems provide convenience to our lives, they also face many security threats. One of them is the Low-rate Distributed Denial-of-Service (LDDoS) attack, which is a worthy concern. Unlike volumetric DDoS attacks that continuously send large volumes of traffic, LDDoS attacks are more stealthy and more difficult to detect owing to their low-volume feature. Due to its stealthiness and harmfulness, LDDoS has become one of the most destructive attacks in cloud computing. Although a few LDDoS attack detection and defense methods have been proposed, we observe that sophisticated LDDoS attacks (being more stealthy) can bypass some of the existing LDDoS defense methods. To verify our security observation, we propose a new Feint-based LDDoS (F-LDDoS) attack strategy. In this strategy, we divide a Pulse Interval into a Feinting Interval and an Attack Interval. Unlike previous LDDoS attacks, the bots also send traffic randomly in the Feinting Interval, thus disguising themselves as benign users during the F-LDDoS attack. In this way, although the victim detects that it is under an LDDoS attack, it is difficult to locate the attack sources and apply mitigation solutions. Experimental results show that the F-LDDoS attack can degrade TCP bandwidth 6.7%-14% more than the baseline LDDoS attack. Besides, F-LDDoS also reduces the similarities between bot traffic and aggregated attack traffic, and increases the uncertainty of packet arrival. These results mean that the proposed F-LDDoS is more effective and more stealthy than normal LDDoS attacks. Finally, we discuss countermeasures against F-LDDoS to draw the attention of defenders and improve the defense methods.

    Sampling techniques applied to anomalous events detection

    Integrated master's dissertation in Informatics Engineering. Nowadays, one of the major worries about a network is security. Since the network has become the big platform it is, the number of attacks or attempts to steal information, or simply to harm someone or something, is becoming harder to handle and harder to find. Sampling techniques help to solve these problems, as they are used to reduce the scope of the analysis as well as the resources needed to perform it. By using sampling techniques to search for and find the attacks in the network traffic, it becomes easier to detect attacks and keep the network secure. As will be seen in the following sections, joining sampling and security is not an easy task. Questions such as which techniques are best to use and which methods are best to implement are inevitable when using sampling. However, sampling can bring more advantages than disadvantages. Besides that, depending on the chosen measurement method, sampling technique or algorithm used to analyse the samples, the results can change a lot according to the target of the technique. To obtain results for evaluation, a Network-based Intrusion Detection System (NIDS) will be used to identify anomalous events present in the samples.

    ADVANCED RANDOM TIME QUEUE BLOCKING WITH TRAFFIC PREDICTION FOR DEFENSE OF LOW-RATE DOS ATTACKS AGAINST APPLICATION SERVERS

    Among the many Denial of Service strategies, low-rate denial-of-service (DoS) attacks are the more significant. This strategy denies the services of a network by exploiting vulnerabilities in the performance of the application. In this research, an efficient defence methodology is developed against low-rate DoS attacks on application servers. The Improved Random Time Queue Blocking (IRTQB) technique can eliminate the vulnerabilities in the network and also prevent the attacker from capturing all the server queue positions by defining a spatial similarity metric (SSM). However, differentiating the attack requests from those of legitimate users is not always efficient, since only the source IP addresses and the record timestamp are considered in the SSM. This was improved by the Advanced Random Time Queue Blocking (ARTQB) scheme, which added the attacker's bandwidth utilization to IRTQB in order to detect DoS attacks that normally consume a huge amount of server resources. However, this method becomes ineffective when the attack consumes more network traffic. In this paper, an efficient detection technique called Advanced Random Time Queue Blocking with Traffic Prediction (ARTQB-TP) is proposed, which defines an SSM containing the source IP, the timestamp, the bandwidth between two requests and the difference between the attack traffic and the legitimate traffic. The ARTQB-TP technique is used to reduce the attack efficiency in 18 different server configurations that are more vulnerable to DoS attacks and where the attacks may also have a chance to improve their effectiveness. Experimental results show that the proposed system provides better protection of application servers against LRDoS attacks by addressing their impact on any kind of server architecture and reducing the attack efficiency of all types of attack strategies.

    Improvement of DDoS attack detection and web access anonymity

    The thesis has covered a range of algorithms that help to improve the security of web services. The research focused on the problems of DDoS attacks and traffic analysis attacks against service availability and information privacy respectively. Finally, this research significantly advanced DDoS attack detection and web access anonymity.

    A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

    Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods for monitoring and classifying the network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps in enterprise network security to inspire future research. Comment: Journal paper submitted to Elsevier.

    Introducing the SlowDrop Attack

    In network security, Denial of Service (DoS) attacks target network systems with the aim of making them unreachable. Last-generation threats are particularly dangerous because they can be carried out with very low resource consumption by the attacker. In this paper we propose SlowDrop, an attack characterized by legitimate-like behavior and able to target different protocols and server systems. The proposed attack is the first slow DoS threat targeting Microsoft IIS, which until now has not been affected by other similar attacks. We describe the attack in detail, analyzing its ability to target arbitrary systems in different scenarios, including both wired and wireless connections, and comparing the proposed attack to similar threats. The obtained results show that by executing targeted attacks, SlowDrop is successful both against conventional servers and against Microsoft IIS, which is closed source and required us to perform so-called "network level reverse engineering" activities. Due to its ability to successfully target different servers in different scenarios, the attack should be considered an important achievement in the slow DoS field.

    Development of a data acquisition system using silicon detectors for PET applications

    This work describes the development of part of the electronics built for the design of a Positron Emission Tomography (PET) scanner called Petete. This scanner must identify coincidence events offline and use the Time of Flight (ToF) technique to discard background noise, which helps improve the signal-to-noise ratio (SNR) and therefore the quality of the medical images. The main use of the PET scanner will be in research, for studying and testing different detectors to improve the performance of the PET scanner in terms of spatial resolution, acquisition time (which implies reducing the patient's exposure time to radiation), sensitivity and image quality. The scanner consists of 16 detector modules based on silicon photomultipliers, with a total of 1024 channels. In order to collect the ToF information, the front-end electronics must record the arrival time of the valid detected events with a precision on the order of hundreds of picoseconds. Given the non-negligible number of channels and the limited space available, the front-end electronics must be based on an application-specific integrated circuit (ASIC). Each detector module is located on a board called the hybrid board, which contains at least one ASIC for recording the arrival time. For the present work, two ASICs that suit the needs of the scanner have been identified and worked with: the Vata64hdr16 and the STiC. The electronics developed consists of two parts. On the one hand, the data acquisition system that reads out the silicon detectors has been fully developed, including both the hardware and the necessary firmware. This acquisition board is responsible for controlling the ASICs, carrying out the data acquisition process, managing communication with the computer and performing the data transfer. To cover the complete scanner, a total of four data acquisition boards working in parallel are needed, each covering a total of 256 channels. The system is controlled by a software program designed for this application and installed on a computer. The data acquisition system is designed to be compact, flexible, fast and adaptable to the ASICs mentioned. On the other hand, it is important to note that part of the present work has been devoted to the development of part of the digital electronics of STiC. This work was carried out at the University of Heidelberg (Germany) and made it possible to go deeper into the development of a data acquisition system, in this case from the point of view of ASIC synthesis. The electronics and software implemented in the system fully satisfy the needs of the Petete scanner, constituting a multi-configurable system with fast data transmission over Gigabit Ethernet. The design was carried out so that different configurations can be selected, such as different readout modes, different test options and a separate configuration for each hybrid board. The experimental tests carried out verify the correct functional behaviour of all the sub-systems, such as ADC, DAC, TDC, triggers, control signals, communication and others, as explained in the thesis presented. The system is expected to be used for laboratory research on different silicon sensors and scintillators, since it has been designed to be configurable and easy to adapt to new detectors. Up to now the HDRDAQ board has been tested with two hybrid boards with 64 channels each. In the near future, tests of the complete system with four hybrid boards and four detector modules are planned. Other planned tests are the use of several HDRDAQ boards in parallel working in synchronized mode to cover the number of detector modules of the complete scanner. The structure of the present work is as follows. In the first chapter the characteristics of the detectors are studied, in addition to describing the Petete scanner and defining the requirements of the data acquisition system. Chapter two gives an introduction to silicon photomultipliers and to the characteristics of the ASICs worked with: the Vata64hdr16 and the STiC. In addition, the development of the hybrid boards that form the modules of the PET scanner has also been carried out. Chapter 3 focuses on the STiC chip and on the development of the digital electronics of the ASIC design that was carried out. Chapter 4 describes in detail the acquisition electronics that carries out the process of controlling the chips and communicating with the computer. For the design of the acquisition board, the geometry of the scanner, the number of hybrid boards that must be controlled and the specific requirements of the ASICs have been taken into account. A specific program has been developed to control the scanner and the electronics from the computer. Chapter 5 is devoted to the firmware development carried out, and Chapter 6 briefly describes the software. The last chapter is devoted to the laboratory tests carried out to verify the functionality of the system with its different parts, such as the software, the electronics and the detectors. Finally, the conclusions of the complete work are included.

    Ultrafast X-ray and Optical Spectroscopy of Binuclear Molecular Complexes

    In this thesis we followed the synergetic approach of combining ultrafast optical and X-ray spectroscopies to unravel the electronic and geometric structural dynamics of the solvated binuclear transition metal complex [Pt2(P2O5H2)4]4- (PtPOP). This molecule belongs to a broader class of d8 – d8 compounds that are known for their interesting photophysical properties and rich photochemical and photocatalytic reactivity. Broadband femtosecond fluorescence up-conversion and transient absorption spectroscopy have revealed the ultrafast vibrational-electronic relaxation pathways following excitation into the 1A2u (σ*dz2 → σpz) excited state for different solvents and excitation wavelengths. Both sets of data exhibit clear signatures of vibrational cooling (∼2 ps) and wave packet oscillations of the Pt-Pt stretch vibration in the 1A2u state with a period of 224 fs, which decay on a 1-2 ps time scale, and of intersystem crossing into the 3A2u state within 10-30 ps. The vibrational relaxation and intersystem crossing times exhibit a clear solvent dependence. We also extract from the transient absorption measurements the spectral distribution of the wave packet at given time delays, which reflects the distribution of Pt-Pt bond distances as a function of time, i.e. the structural dynamics of the system. We clearly establish the vibrational relaxation and coherence decay processes and we demonstrate that PtPOP represents a clear example of a harmonic oscillator that does not comply with the optical Bloch description due to very efficient coherence transfer between vibronic levels. We conclude that a direct Pt-solvent energy dissipation channel accounts for the vibrational cooling in the singlet state. Intersystem crossing from the 1A2u to the 3A2u state is induced by spin-vibronic coupling with a higher-lying triplet state and/or (transient) symmetry breaking in the 1A2u excited state. The particular structure, energetics and symmetry of the molecule play a decisive role in determining the relatively slow rate of intersystem crossing, despite the large spin-orbit coupling strength of the Pt atoms. Ultrafast X-ray absorption spectroscopy (XAS) is a powerful tool to observe the electronic and geometric structures of short-lived reaction intermediates. We have measured the photoinduced changes in the Pt LIII X-ray absorption spectrum of PtPOP with picosecond to nanosecond resolution. A rigorous analysis of the time-resolved EXAFS results allowed us to establish the structure of the lowest triplet 3A2u excited state. We found that the Pt atoms contract by as much as 0.31(5) Å due to the formation of a new intermetallic bond. In addition, a significant, though minute, elongation of 0.010(6) Å of the coordination bonds could be derived from the transient X-ray absorption spectrum for the first time. Using state-of-the-art theoretical XAS codes, we were also able to assign photoinduced changes in the XANES spectrum to changes in Pt d-electron density, ligand field splitting and orbital hybridization in the excited state. Spectral changes in the XANES multiple-scattering features were used to derive a semi-quantitative value for the Pt-Pt contraction of ∼0.3 Å, which is in excellent agreement with the time-resolved EXAFS results. Application of ultrafast XAS and the data analysis methods to other chemical and biological systems in liquids offers an exciting perspective; in particular, in view of the recent development of intense free electron laser sources delivering ∼100 fs X-ray pulses, opening new avenues in X-ray science that scientists could hitherto only dream of.