
    An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach

    Disruption of service caused by DDoS attacks is an immense threat to the Internet today. These attacks can disrupt the availability of Internet services completely, by eating either computational or communication resources through the sheer volume of packets sent from distributed locations in a coordinated manner, or by gracefully degrading network performance by sending attack traffic at a low rate. In this paper, we describe a novel framework that deals with the detection of a variety of DDoS attacks by monitoring the propagation of abrupt traffic changes inside an ISP domain and then characterizes the flows that carry attack traffic. Two statistical metrics, namely Volume and Flow, are used as parameters to detect DDoS attacks. The effectiveness of an anomaly-based detection and characterization system depends heavily on the accuracy of threshold value settings. Inaccurate threshold values cause a large number of false positives and negatives. Therefore, in our scheme, Six-Sigma and varying tolerance factor methods are used to identify threshold values accurately and dynamically for the various statistical metrics. The NS-2 network simulator on a Linux platform is used as the simulation testbed to validate the effectiveness of the proposed approach. Different attack scenarios are implemented by varying the total number of zombie machines and the attack strength. The comparison with a volume-based approach clearly indicates the supremacy of our proposed system.

    Scalability and Resilience of Software-Defined Networking: An Overview

    Software-Defined Networking (SDN) allows the available network resources to be controlled by an intelligent and centralized authority in order to optimize traffic flows in a flexible manner. However, centralized control may face scalability issues when the network size or the number of traffic flows increases. Also, a centralized controller may form a single point of failure, thereby affecting network resilience. This article provides an overview of SDN that focuses on (1) scalability, concerning the increased control overhead faced by a central controller, and (2) resiliency, in terms of protection against controller failure, network topology failure, and security in terms of malicious attacks.

    Privacy-Preserving DDoS Attack Detection Using Cross-Domain Traffic in Software Defined Networks

    Existing distributed denial-of-service attack detection in software defined networks (SDNs) typically performs detection in a single domain. In reality, abnormal traffic usually affects multiple network domains. Thus, cross-domain attack detection has been proposed to improve detection performance. However, when participating in detection, the domain of each SDN needs to provide a large amount of real traffic data, from which private information may be leaked. Existing multiparty privacy protection schemes often achieve privacy guarantees by sacrificing accuracy or increasing the time cost. Achieving both high accuracy and reasonable time consumption is a challenging task. In this paper, we propose Predis, which is a privacy-preserving cross-domain attack detection scheme for SDNs. Predis combines perturbation encryption and data encryption to protect privacy and employs a computationally simple and efficient algorithm, k-Nearest Neighbors (kNN), as its detection algorithm. We also improve kNN to achieve better efficiency. Via theoretical analysis and extensive simulations, we demonstrate that Predis is capable of achieving efficient and accurate attack detection while securing the sensitive information of each domain.

    RCNF: Real-time Collaborative Network Forensic Scheme for Evidence Analysis

    Network forensic techniques help in tracking different types of cyber attacks by monitoring and inspecting network traffic. However, with the high speed and large sizes of current networks, and the sophisticated philosophy of attackers, in particular mimicking normal behaviour and/or erasing traces to avoid detection, investigating such crimes demands intelligent network forensic techniques. This paper suggests a Real-time Collaborative Network Forensic scheme (RCNF) that can monitor and investigate cyber intrusions. The scheme includes three components: capturing and storing network data, selecting important network features using the chi-square method, and investigating abnormal events using a new technique called correntropy-variation. We provide a case study using the UNSW-NB15 dataset for evaluating the scheme, showing its high performance in terms of accuracy and false alarm rate compared with three recent state-of-the-art mechanisms.

    A highly optimized flow-correlation attack

    Deciding that two network flows are essentially the same is an important problem in intrusion detection and in tracing anonymous connections. A stepping stone or an anonymity network may try to prevent flow correlation by adding chaff traffic, splitting the flow into several subflows, or adding random delays. A well-known attack on these types of systems is active watermarking. However, active watermarking systems can be detected, and an attacker can modify the flow in such a way that the watermark is removed and can no longer be decoded. This leads to the two basic features of our scheme: a highly-optimized algorithm that achieves very good performance, and a passive analysis that is undetectable. We propose a new passive analysis technique where detection is based on the Neyman-Pearson lemma. We correlate the inter-packet delays (IPDs) from both flows. Then, we derive a modification to deal with stronger adversary models that add chaff traffic, split the flows, or add random delays. We empirically validate the detectors with a simulator. Afterwards, we create a watermark-based version of our scheme to study the trade-off between performance and detectability. Then, we compare the results with other state-of-the-art traffic watermarking schemes in several scenarios, concluding that our scheme outperforms the rest. Finally, we present results using an implementation of our method on live networks, showing that the conclusions can be extended to real-world scenarios. Our scheme needs only tens of packets under normal network interference and a few hundred packets when a number of countermeasures are taken.

    Parallel contact-aware simulations of deformable particles in 3D Stokes flow

    We present a parallel-scalable method for simulating non-dilute suspensions of deformable particles immersed in Stokesian fluid in three dimensions. A critical component in these simulations is robust and accurate collision handling. This work complements our previous work [L. Lu, A. Rahimian, and D. Zorin. Contact-aware simulations of particulate Stokesian suspensions. Journal of Computational Physics 347C: 160-182] by extending it to 3D and by introducing new parallel algorithms for collision detection and handling. We use a well-established boundary integral formulation with a spectral Galerkin method to solve the fluid flow. The key idea is to ensure an interference-free particle configuration by introducing explicit contact constraints into the system. While such constraints are typically unnecessary in the formulation, they make it possible to eliminate catastrophic loss of accuracy in the discretized problem by preventing contact explicitly. The incorporation of contact constraints results in a significant increase in stable time-step size for locally-implicit time-stepping and a reduction in the number of discretization points necessary for stability. Our method maintains the accuracy of previous methods at a significantly lower cost for dense suspensions, and the time step size is independent of the volume fraction. Our method permits simulations with high volume fractions; we report results with up to 60% volume fraction. We demonstrated the parallel scaling of the algorithms on up to 16K CPU cores.

    Network Traffic Anomaly Detection

    This paper presents a tutorial for network anomaly detection, focusing on non-signature-based approaches. Network traffic anomalies are unusual and significant changes in the traffic of a network. Networks play an important role in today's social and economic infrastructures. The security of the network becomes crucial, and network traffic anomaly detection constitutes an important part of network security. In this paper, we present three major approaches to non-signature-based network anomaly detection: PCA-based, sketch-based, and signal-analysis-based. In addition, we introduce a framework that subsumes the three approaches and a scheme for network anomaly extraction. We believe network anomaly detection will become more important in the future because of the increasing importance of network security.
    Comment: 26 pages

    HybridTE: Traffic Engineering for Very Low-Cost Software-Defined Data-Center Networks

    The size of modern data centers is constantly increasing. As it is not economical to interconnect all machines in the data center using a full-bisection-bandwidth network, techniques have to be developed to increase the efficiency of data-center networks. The Software-Defined Networking paradigm opened the door for centralized traffic engineering (TE) in such environments. Up to now, there have already been a number of TE proposals for SDN-controlled data centers that all work very well. However, these techniques either use a high number of flow table entries or a high flow installation rate that overwhelms available switching hardware, or they require custom or very expensive end-of-line equipment to be usable in practice. We present HybridTE, a TE technique that uses (uncertain) information about large flows. Using this extra information, our technique has very low hardware requirements while maintaining better performance than existing TE techniques. This enables us to build very low-cost, high-performance data-center networks.

    Multi-Flow Attacks Against Network Flow Watermarks: Analysis and Countermeasures

    In this paper, we analyze several recent schemes for watermarking network flows that are based on splitting the flow into timing intervals. We show that this approach creates time-dependent correlations that enable an attack that combines multiple watermarked flows. Such an attack can easily be mounted in nearly all applications of network flow watermarking, both in anonymous communication and in stepping stone detection. The attack can be used to detect the presence of a watermark, recover the secret parameters, and remove the watermark from a flow. The attack can be effective even if different flows are marked with different values of a watermark. We analyze the efficacy of our attack using a probabilistic model and a Markov-Modulated Poisson Process (MMPP) model of interactive traffic. We also implement our attack and test it using both synthetic and real-world traces, showing that our attack is effective with as few as 10 watermarked flows. Finally, we propose possible countermeasures to defeat the multi-flow attack.

    Tag Spotting at the Interference Range

    In wireless networks, the presence of interference among wireless links introduces dependencies among flows that do not share a single link or node. As a result, when designing a resource allocation scheme, be it a medium access scheduler or a flow rate controller, one needs to consider the interdependence among nodes within interference range of each other. Specifically, control plane information needs to reach nearby nodes which often lie outside the communication range, but within the interference range, of a node of interest. But how can one communicate control plane information well beyond the existing communication range? To address this fundamental need we introduce tag spotting. Tag spotting refers to a communication system which allows reliable control data transmission at SNR values as low as 0 dB. It does this by employing a number of signal encoding techniques, including adding redundancy to multitone modulation, shaping the spectrum to reduce inter-carrier interference, and the use of algebraic coding. Making use of a detection theory-based model, we analyze the performance achievable by our modulation as well as the trade-off between the rate of the information transmitted and the likelihood of error. Using real-world experiments on an OFDM system built with software radios, we show that we can transmit data at the target SNR value of 0 dB with a 6% overhead; that is, 6% of our packet is used for our low-SNR decodable tags (which carry up to a couple of bytes of data in our testbed), while the remaining 94% is used for traditional header and payload data. We also demonstrate via simulations how tag spotting can be used in implementing fair and efficient rate control and scheduling schemes.
    Comment: 30 pages