7 research outputs found

    Prediction system for distributed denial of service attacks

    Advisor: Prof. Dr. Michele Nogueira Lima. Master's dissertation - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defended: Curitiba, 23/03/2018. Includes references: p. 50-52. Area of concentration: Computer Science.

    Abstract: Distributed Denial of Service (DDoS) attacks grow significantly in volume, sophistication and impact. Examples are the DDoS attacks against the French company OVN and the name provider DYN, which reached unprecedented volumes of malicious traffic in 2016. In general, these attacks are detected or mitigated only when they are already in advanced stages. So far, studies have presented approaches and techniques focused mainly on the detection and mitigation of these attacks. Recently, research has emerged that focuses on DDoS attack prediction, by means of neural networks that predict the traffic matrix, through statistical tools such as Markov models that predict the steps of an attack, or by evaluating the stability of time series with ARIMA, among others. Such approaches require prior training of the neural networks or of the respective algorithms, and hence demand a history of DDoS attacks in the network flow or attack signatures. The existing approaches are therefore limited to previously known attacks. In general, the overload of a DDoS victim occurs in a very short time interval (milliseconds). Thus, by the time the techniques proposed by previous approaches can identify the approach of an attack in the network, the overload is already in progress and very close, resulting in service unavailability. Unlike other works, this study argues for the early prognosis of DDoS attacks in order to avoid the costs and losses caused by the attack. This work presents STARK, a self-adaptive system for DDoS attack prediction that identifies evidence of an attack in the network before it reaches advanced stages. Based on metastability theory, the STARK system provides unsupervised statistical learning and identifies the imminence of DDoS attacks. This means the system needs no prior knowledge of the network flow characteristics, no DDoS attack signatures and no prior training of algorithms in order to predict the attack. The evaluation of STARK follows a trace-driven approach in which three datasets are used. Features are extracted from these datasets and submitted to the statistical indicators in order to evaluate the behavioral trend of the data. From the observed trend it is possible to identify the approach of a critical transition, in this case the imminence of a DDoS attack. In the evaluations carried out with the different traces, the STARK system demonstrates the capability of predicting the respective DDoS attacks minutes or hours in advance.

    Keywords: Attacks, DDoS, Metastability, Prediction, Network Security.

    Intrusion detection system for IoT networks for detection of DDoS attacks

    PhD thesis. In this thesis, a novel Intrusion Detection System (IDS) based on the hybridization of a Deep Learning (DL) technique and a multi-objective optimization method is proposed for the detection of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks. IoT networks consist of different devices with unique hardware and software configurations communicating over different communication protocols, which produce huge multidimensional data that make IoT networks susceptible to cyber-attacks. The network IDS is a vital tool for protecting networks against threats and malicious attacks. Existing systems face significant challenges due to the continuous emergence of new and more sophisticated cyber threats that they do not recognize, and therefore an advanced IDS is required. This thesis focuses especially on the DDoS attack, one of the cyber-attacks that has affected many IoT networks in recent times and has resulted in substantial losses. A thorough literature review is conducted on DDoS attacks in the context of IoT networks, on IDSs available especially for IoT networks, and on the scope and applicability of DL methodology for the detection of cyber-attacks. This thesis includes three main contributions: 1) developing a feature selection algorithm for an IoT network fulfilling six important objectives, 2) designing four DL models for the detection of DDoS attacks, and 3) proposing a novel IDS for IoT networks. In the proposed work, a Jumping Gene adapted NSGA-II multi-objective optimization algorithm is employed to reduce the dimensionality of massive IoT data, and a Deep Learning model consisting of a Convolutional Neural Network (CNN) combined with Long Short-Term Memory (LSTM) is employed for classification. The experiments are conducted on a High-Performance Computer (HPC) using the latest CISIDS2017 datasets for DDoS attacks and achieve an accuracy of 99.03 % with a 5-fold reduction in training time. The proposed method is compared with machine learning (ML) algorithms and other state-of-the-art methods, which confirms that the proposed method outperforms the other approaches.
    Government of Indi

    BotFetcher: an architecture for DDoS attack prediction and bot detection

    Advisor: Prof. Dr. Michele Nogueira Lima. Master's dissertation - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defended: Curitiba, 15/03/2021. Includes references: p. 80-85.

    Abstract: The growth in the number of users, devices and access bandwidth on the Internet has changed how people and companies interact with each other. This exponential growth has brought many benefits to society, such as easier communication and access to information and entertainment. However, security mechanisms are often relegated to second place, leaving devices vulnerable to attacks. One way of attacking these devices is through botnets, a threat to the security of Internet-connected users and devices. Botnets threaten computer networks because they can disrupt their services through the coordination of a massive number of infected devices (bots). These threats target three pillars of data and systems: confidentiality (private data becomes public), integrity (data becomes unreadable) and availability (data or a system is not available for legitimate access). To avoid the damage caused by botnets, the devices that compose them must be identified. Several techniques have been proposed to identify botnets: analyzing all traffic to identify characteristics known to be attacks; techniques for identifying relevant features; and, with the growth of traffic, inferring the behavior of network nodes without analyzing the traffic content. In response, however, attackers have become more aggressive, improving their communication with compromised devices, the botnet architecture and the bots' evasion techniques. Detecting these botnets is challenging due to the massive amount of data and the processing and memory limitations of the devices on the network. This work presents BotFetcher, an architecture for distributed denial of service (DDoS) attack prediction and bot detection that is able to handle a growing and massive data volume. The theoretical foundation that supports the proposal is presented, showing how botnets operate, how to obtain information to identify them and the techniques used to perform detection. BotFetcher contributes to botnet detection at scale by predicting DDoS attacks in local networks. Once a possible attack is identified, the traffic is aggregated with that of other networks, computing the coordination between nodes that characterizes botnets. For this, BotFetcher uses statistical indicators to predict the attacks. For detection, BotFetcher extracts features from the traffic and selects those that provide the best representation of the data. It then clusters the nodes present in that traffic by their behavior, as indicated by the extracted features. Finally, detection is performed in each cluster based on evidence of causality between devices. The evaluation used the CTU-13 and CAIDA datasets as input. BotFetcher detected the bot(s) present in these datasets with a precision above 99%. The proposal was also compared with machine learning techniques, showing that the results are relevant and compete with the existing literature. The proposed solution is able to operate on a large volume of data, reducing the volume of data analyzed at each stage and providing an effective analysis capable of detecting the bots present in the traffic.

    Keywords: Botnet. Botnet Detection. Security. Computer Networks.

    Predictive Modeling for Fair and Efficient Transaction Inclusion in Proof-of-Work Blockchain Systems

    This dissertation investigates the strategic integration of Proof-of-Work (PoW)-based blockchains and ML models to improve transaction inclusion, and consequently to shape transaction fees, for clients using cryptocurrencies such as Bitcoin. The research begins with an in-depth exploration of the Bitcoin fee market, focusing on the interdependence between users and miners and on the emergence of a fee market in PoW-based blockchains. Our observations are used to formalize a transaction inclusion pattern. To support our research, we developed the Blockchain Analytics System (BAS) to acquire, store, and pre-process a local dataset of the Bitcoin blockchain. BAS employs various methods for data acquisition, including web scraping, web browser APIs, and direct access to the blockchain using the Bitcoin Core software. We use time-series data analysis as a tool for predicting future trends; transactions are sampled on a monthly basis at a fixed interval, incorporating a notion of relative time represented by block-creation epochs. We create a comprehensive model for transaction inclusion in a PoW-based blockchain system, with a focus on the factors of revenue and fairness. Revenue serves as an incentive for miners to participate in the network and validate transactions, while fairness ensures an equal opportunity for all users to have their transactions included upon paying an adequate fee. The ML architecture used for prediction consists of three critical stages: the ingestion engine, the pre-processing stage, and the ML model. The ingestion engine processes and transforms raw data obtained from the blockchain, while the pre-processing phase transforms the data further into a form suitable for analysis, including feature extraction and additional data processing to generate a complete dataset. Our ML model demonstrates its effectiveness in predicting transaction inclusion, with an accuracy of more than 90%. Such a model enables users to save at least 10% on transaction fees while maintaining a likelihood of inclusion above 80%. Furthermore, adopting such a model based on fairness and revenue shows that miners' average loss is never higher than 1.3%. Our research demonstrates the efficacy of a formal transaction inclusion model and an ML prototype in predicting transaction inclusion. The insights gained from our study shed light on the underlying mechanisms governing miners' decisions, improving the overall user experience and enhancing the trust and reliability of cryptocurrencies. Consequently, this enables Bitcoin users to better select suitable fees and predict transaction inclusion with notable precision, contributing to the continued growth and adoption of cryptocurrencies.

    Making a name for Anonymous. Digital culture, anonymous publics and transgressive subjectivities

    Recently, researchers from various domains of the social sciences have been particularly concerned with the social, cultural, and political impacts of digital media. To give an account of the specific processes behind the formation of Anonymous, I develop a microsociological framework for the analysis of disembodied global forms – anchoring such forms in intersubjective reciprocity. In order to move beyond interpretative sociology's emphasis on language as society's integrative function, I privilege the dimensions of temporality, rhythms and patterns. I also focus on how "disembodied" internet collectives are enacted and assembled within computer screens, terminals, and the digital networks that connect them. My analysis takes into account those temporalities, projections and reflections which point to the non-symbolic components of mediated sociality. The dynamic interconnections behind the Anonymous collective are approached through the notions of publics, networks or even swarms.

    Safety and Reliability - Safe Societies in a Changing World

    The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
    - foundations of risk and reliability assessment and management
    - mathematical methods in reliability and safety
    - risk assessment
    - risk management
    - system reliability
    - uncertainty analysis
    - digitalization and big data
    - prognostics and system health management
    - occupational safety
    - accident and incident modeling
    - maintenance modeling and applications
    - simulation for safety and reliability analysis
    - dynamic risk and barrier management
    - organizational factors and safety culture
    - human factors and human reliability
    - resilience engineering
    - structural reliability
    - natural hazards
    - security
    - economic analysis in risk managemen
