Detection of Distributed Denial of Service Attacks Carried Out by Botnets in Software-Defined Networks

Recent years witnessed a surge in network traffic due to the emergence of new online services, causing periodic saturation and complexity problems. Additionally, the growing number of IoT devices further compounds the problem. Software Defined Network (SDN) is a new architecture which offers innovative advantages that help to reduce saturation problems. Despite its benefits, SDNs not only can be affected by traditional attacks but also introduce new security challenges. In this context, Distributed Denial of Service (DDoS) is one of the most important attacks that can damage an SDN network's normal operation. Furthermore, if these attacks are executed using botnets, they can use thousands of compromised devices to disrupt critical online services. This paper proposes a framework for detecting DDoS attacks generated by a group of botnets in an SDN network. The framework is implemented using open-source tools such as Mininet and OpenDaylight and tested in a centralized network topology using BYOB and SNORT. The results demonstrate real-time attack identification by implementing an intrusion detection mechanism in the victim client. Our proposed solution offers quick and effective detection of DDoS attacks in SDN networks. The framework can successfully differentiate the type of attack with high accuracy in a short tim

A testbed design for intrusion detection and mitigation in SDN architecture by using DPI

06.03.2018 tarihli ve 30352 sayılı Resmi Gazetede yayımlanan “Yükseköğretim Kanunu İle Bazı Kanun Ve Kanun Hükmünde Kararnamelerde Değişiklik Yapılması Hakkında Kanun” ile 18.06.2018 tarihli “Lisansüstü Tezlerin Elektronik Ortamda Toplanması, Düzenlenmesi ve Erişime Açılmasına İlişkin Yönerge” gereğince tam metin erişime açılmıştır.Son on yılda, ağları tasarlamak ve geliştirmek için kullanılan teknolojiler konusunda köklü değişiklikler yaşanmamıştır. Bu süre zarfında, ağa bağlı cihazlarının sayısı üstel olarak artarak bilgisayar ağlarının toplamı ve boyutunun artmasına yol açtı. Bu ise, veri merkezlerinde ve şirketlerde mevcut ağ yapılarının yönetimini daha da zorlaştırdı. Yazılım Tanımlı Ağ fikri, daha önce aynı cihazda sıkıştırılmış olan veri düzlemi ile denetim düzlemini birbirinden ayırmayı getirir ve böylece tüm ağ yapısının SDN denetleyici adı verilen merkezi bir yerden programlanmasına imkan verir. Bu yapı içerisindeki very düzlemi, kendisine gelen verileri SDN denetleyici tarafından belirlendiği şekilde bir sonraki düğüme ileten aptal cihazlardan oluşur. OpenFlow, SDN denetleyici ile very düzelmi cihazları arasındaki bağlantıyı sağlamak üzere yaygın olarak kullanılan haberleşme protokolüdür. Oluşturulan test düzeneği web uygulaması, anormal durum tespiti alt sistemi, floodlight denetleyiciye sahip SDN yapısı ve sFlow protokolü gibi çok sayıda bileşene sahiptir. Geliştirilen system, akan trafık üzerindeki tehditleri bulabilmek için paketlerin yük kısımlarını incelemektedir. Geliştirilen test düzeneğinin başarımını sorgulamak için DoS saldırısı göz önüne alınımıştır. Elde edilen sonuçlar SDN sistemlerin güvenliğiyle ilgili deneylerin oluşturulan bu test düzeneği ile kolayca gerçekleştirilebileceğini göstermektedir.For the last decade's technologies which is used to design and build networks have remained unchanged. In the meantime, the number of connected networking devices has raised exponentially which lead to that also the total and the size of computer networks has increased. Accordingly, the existing networks in data centers and companies have become much more difficult and harder to administrate. Software Defined Networking (SDN) idea brings the fact to separate the control plane from data plane which was previously tighten together in the same device, and thus allows the network to be programmed from a logically centralized place called SDN controller. The data plane in this structure consists of dump devices which are only capable of forwarding the data as instructed by the SDN controller. OpenFlow is the well-known protocol used to take the communication between the SDN controller and the forwarding devices. In this study, a new testbed has been implemented for anomaly detection in SDN. The testbed formed has several components such as a web based application, an anomaly detection sub-system, an SDN structure with floodlight controller and sFlow protocol. The system developed examines the payload of the packets in order to find any threats in ongoing traffic. In order to investigate the performance of the testbed developed, DoS attack has been considered. The results show that experiments related to security aspects of the SDN systems can be realized by the testbed, easily

Understanding and Advancing the Status Quo of DDoS Defense

Two decades after the first distributed denial-of-service (DDoS) attack, the Internet remains challenged by DDoS attacks as they evolve. Not only is the scale of attacks larger than ever, but they are also harder to detect and mitigate. Nevertheless, the Internet's fundamental design, based on which machines are free to send traffic to any other machines, remains the same. This thesis reinvestigates the prior DDoS defense solutions to find less studied but critical issues in existing defense solutions. It proposes solutions to improve the input, design, and evaluation of DDoS defense. Specifically, we show why DDoS defense systems need a better view of the Internet's traffic at the autonomous system (AS) level. We use a novel attack to expose the inefficiencies in the existing defense systems. Finally, we reason why a defense solution needs a sound empirical evaluation and provide a framework that mimics real-world networks to facilitate DDoS defense evaluation. This dissertation includes published and unpublished co-authored materials

Resilience to DDoS attacks

Tese de mestrado, Segurança Informática, 2022, Universidade de Lisboa, Faculdade de CiênciasDistributed Denial-of-Service (DDoS) is one of the most common cyberattack used by malicious actors. It has been evolving over the years, using more complex techniques to increase its attack power and surpass the current defense mechanisms. Due to the existent number of different DDoS attacks and their constant evolution, companies need to be constantly aware of developments in DDoS solutions Additionally, the existence of multiple solutions, also makes it hard for companies to decide which solution best suits the company needs and must be implemented. In order to help these companies, our work focuses in analyzing the existing DDoS solutions, for companies to implement solutions that can lead to the prevention, detection, mitigation, and tolerance of DDoS attacks, with the objective of improving the robustness and resilience of the companies against DDoS attacks. In our work, it is presented and described different DDoS solutions, some need to be purchased and other are open-source or freeware, however these last solutions require more technical expertise by cybersecurity agents. To understand how cybersecurity agents protect their companies against DDoS attacks, nowadays, it was built a questionnaire and sent to multiple cybersecurity agents from different countries and industries. As a result of the study performed about the different DDoS solutions and the information gathered from the questionnaire, it was possible to create a DDoS framework to guide companies in the decisionmaking process of which DDoS solutions best suits their resources and needs, in order to ensure that companies can develop their robustness and resilience to fight DDoS attacks. The proposed framework it is divided in three phases, in which the first and second phase is to understand the company context and the asset that need to be protected. The last phase is where we choose the DDoS solution based on the information gathered in the previous phases. We analyzed and presented for each DDoS solutions, which DDoS attack types they can prevent, detect and/or mitigate

IntelliFlow : um enfoque proativo para adicionar inteligência de ameaças cibernéticas a redes definidas por software

Orientador: Christian Rodolfo Esteve RothenbergDissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de ComputaçãoResumo: Segurança tem sido uma das principais preocupações enfrentadas pela computação em rede principalmente, com o aumento das ameaças à medida que a Internet comercial e economias afins crescem rapidamente. Tecnologias de virtualização que permitem serviços em nuvem em escala colocam novos desafios para a segurança das infraestruturas computacionais, exigindo novos mecanismos que combinem o best-of-breed para reagir contra as metodologias de ataque emergentes. Nosso trabalho busca explorar os avanços na Cyber Threat Intelligence (CTI) no contexto da arquitetura de redes definidas por software, ou em inglês, Software Defined Networking (SDN). Enquanto a CTI representa uma abordagem recente para o combate de ameaças baseada em fontes confiáveis, a partir do compartihamento de informação e conhecimento sobre atividades criminais virtuais, a SDN é uma tendência recente na arquitetura de redes computacionais baseada em princípios de modulação e programabilidade. Nesta dissertação, nós propomos IntelliFlow, um sistema de detecção de inteligência para SDN que segue a abordagem proativa usando OpenFlow para efetivar contramedidas para as ameaças aprendidas a partir de um plano de inteligência distribuida. Nós mostramos a partir de uma implementação de prova de conceito que o sistema proposto é capaz de trazer uma série de benefícios em termos de efetividade e eficiência, contribuindo no plano geral para a segurança de projetos de computação de rede modernosAbstract: Security is a major concern in computer networking which faces increasing threats as the commercial Internet and related economies continue to grow. Virtualization technologies enabling scalable Cloud services pose further challenges to the security of computer infrastructures, demanding novel mechanisms combining the best-of-breed to counter certain types of attacks. Our work aims to explore advances in Cyber Threat Intelligence (CTI) in the context of Software Defined Networking (SDN) architectures. While CTI represents a recent approach to combat threats based on reliable sources, by sharing information and knowledge about computer criminal activities, SDN is a recent trend in architecting computer networks based on modularization and programmability principles. In this dissertation, we propose IntelliFlow, an intelligent detection system for SDN that follows a proactive approach using OpenFlow to deploy countermeasures to the threats learned through a distributed intelligent plane. We show through a proof of concept implementation that the proposed system is capable of delivering a number of benefits in terms of effectiveness and efficiency, altogether contributing to the security of modern computer network designsMestradoEngenharia de ComputaçãoMestre em Engenharia Elétrica159905/2013-3CNP

An intelligent context-aware threat detection and response model for smart cyber-physical systems

Smart cities, businesses, workplaces, and even residences have all been converged by the Internet of Things (IoT). The types and characteristics of these devices vary depending on the industry 4.0 and have rapidly increased recently, especially in smart homes. These gadgets can expose users to serious cyber dangers because of a variety of computing constraints and vulnerabilities in the security-by-design concept. The smart home network testbed setup presented in this study is used to evaluate and validate the protection of the smart cyber-physical system. The context-aware threat intelligence and response model identifies the states of the aligned smart devices to distinguish between real-world typical and attack scenarios. It then dynamically writes specific rules for protection against potential cyber threats. The context-aware model is trained on IoT Research and Innovation Lab - Smart Home System (IRIL-SHS) testbed dataset. The labeled dataset is utilized to create a random forest model, which is subsequently used to train and test the context-aware threat intelligence SHS model's effectiveness and performance. Finally, the model's logic is used to gain rules to be included in Suricata signatures and the firewall rulesets for the response system. Significant values of the measuring parameters were found in the results. The presented model can be used for the real-time security of smart home cyber-physical systems and develops a vision of security challenges for Industry 4.0

Network Threat Detection Using Machine/Deep Learning in SDN-Based Platforms: A Comprehensive Analysis of State-of-the-Art Solutions, Discussion, Challenges, and Future Research Direction

A revolution in network technology has been ushered in by software defined networking (SDN), which makes it possible to control the network from a central location and provides an overview of the network’s security. Despite this, SDN has a single point of failure that increases the risk of potential threats. Network intrusion detection systems (NIDS) prevent intrusions into a network and preserve the network’s integrity, availability, and confidentiality. Much work has been done on NIDS but there are still improvements needed in reducing false alarms and increasing threat detection accuracy. Recently advanced approaches such as deep learning (DL) and machine learning (ML) have been implemented in SDN-based NIDS to overcome the security issues within a network. In the first part of this survey paper, we offer an introduction to the NIDS theory, as well as recent research that has been conducted on the topic. After that, we conduct a thorough analysis of the most recent ML- and DL-based NIDS approaches to ensure reliable identification of potential security risks. Finally, we focus on the opportunities and difficulties that lie ahead for future research on SDN-based ML and DL for NIDS.publishedVersio

Cybersecurity of Digital Service Chains

This open access book presents the main scientific results from the H2020 GUARD project. The GUARD project aims at filling the current technological gap between software management paradigms and cybersecurity models, the latter still lacking orchestration and agility to effectively address the dynamicity of the former. This book provides a comprehensive review of the main concepts, architectures, algorithms, and non-technical aspects developed during three years of investigation; the description of the Smart Mobility use case developed at the end of the project gives a practical example of how the GUARD platform and related technologies can be deployed in practical scenarios. We expect the book to be interesting for the broad group of researchers, engineers, and professionals daily experiencing the inadequacy of outdated cybersecurity models for modern computing environments and cyber-physical systems

Cybersecurity of Digital Service Chains

This open access book presents the main scientific results from the H2020 GUARD project. The GUARD project aims at filling the current technological gap between software management paradigms and cybersecurity models, the latter still lacking orchestration and agility to effectively address the dynamicity of the former. This book provides a comprehensive review of the main concepts, architectures, algorithms, and non-technical aspects developed during three years of investigation; the description of the Smart Mobility use case developed at the end of the project gives a practical example of how the GUARD platform and related technologies can be deployed in practical scenarios. We expect the book to be interesting for the broad group of researchers, engineers, and professionals daily experiencing the inadequacy of outdated cybersecurity models for modern computing environments and cyber-physical systems