13 research outputs found

    Detection of Variations of Local Irregularity of Traffic under DDOS Flood Attack

    The aim of distributed denial-of-service (DDOS) flood attacks is to overwhelm the attacked site, or to degrade its service performance considerably, by sending flood packets to the target from machines distributed all over the world. This is a kind of local behavior of traffic at the protected site, because the attacked site can be recovered to its normal service state sooner or later even though it is in reality overwhelmed during the attack. From a mathematical point of view, it can be taken as a kind of short-range phenomenon in computer networks. In this paper, we use the Hurst parameter (H) to measure the local irregularity or self-similarity of traffic under DDOS flood attack, provided that fractional Gaussian noise (fGn) is used as the traffic model. As DDOS flood attack packets make the H value of arriving traffic vary significantly away from that of traffic normally arriving at the protected site, we discuss a method to statistically detect signs of DDOS flood attacks with predetermined detection probability and false alarm probability.

    Bound Maxima as a Traffic Feature under DDOS Flood Attacks

    This paper gives a novel traffic feature for identifying abnormal variation of traffic under DDOS flood attacks: the histogram of the maxima of the bounded traffic rate on an interval-by-interval basis. We use it to experiment on the traffic data provided by MIT Lincoln Laboratory under the Defense Advanced Research Projects Agency (DARPA) in 1999. The experimental results add to the evidence that the traffic rate under DDOS attacks is considerably higher, statistically, than that of normal traffic. They show that the pattern of the histogram of the maxima of the bounded rate of attack-containing traffic differs greatly from that of attack-free traffic. Besides, the present traffic feature is simple in mathematics and easy to use in practice.

    Detecting denial of service attacks with Bayesian classifiers and the random neural network

    Denial of Service (DoS) is a prevalent threat in today's networks. While such an attack is not difficult to launch, defending a network resource against it is disproportionately difficult, and despite the extensive research in recent years, DoS attacks continue to cause harm. The first goal of any protection scheme against DoS is the detection of its existence, ideally long before the destructive traffic build-up. In this paper we propose a generic approach which uses multiple Bayesian classifiers, and we present and compare four different implementations of it, combining likelihood estimation and the Random Neural Network (RNN). RNNs are biologically inspired structures which represent the true functioning of a biophysical neural network, where the signals travel as spikes rather than analog signals. We use such an RNN structure to fuse real-time networking statistical data and distinguish between normal and attack traffic during a DoS attack. We present experimental results obtained for different traffic data in a large networking testbed.

    Real time DDoS detection using fuzzy estimators

    We propose a method for DDoS detection by constructing a fuzzy estimator on the mean packet inter-arrival times. We divided the problem into two challenges, the first being the actual detection of the DDoS event taking place and the second being the identification of the offending IP addresses. We have imposed strict real-time constraints for the first challenge and more relaxed constraints for the identification of addresses. Through empirical evaluation we confirmed that the detection can be completed within improved real-time limits and that, by using fuzzy estimators instead of crisp statistical descriptors, we can avoid the shortcomings posed by assumptions on the model distribution of the traffic. In addition we managed to obtain results under a 3 sec detection window. © 2012 Elsevier Ltd. All rights reserved.

    Long Range Dependence Analysis for a Traffic Anomaly Detection System with a Hurst Estimator Using the Periodogram Method

    Traffic anomalies are an internet phenomenon that is currently a hot research topic. Some examples of such traffic anomalies are DDoS attacks and flash crowds. At present the intensity of DDoS attacks keeps increasing; therefore, much research on traffic anomaly detection systems is being carried out today. Many methods are used to detect such anomalous traffic, one of which is a network statistics method, namely Long Range Dependence. In previous studies, most researchers used only a single analysis method, so they could only detect DDoS attacks without any supporting analysis to strengthen the accuracy of attack detection. In this study, analysis methods are combined, namely distribution analysis, windowing, and LRD, so that the method achieves a better level of accuracy. As a result, all three analyses used obtained very good results. The distribution analysis shows that the data rate for DDoS is always higher than that of normal data and flash crowds. The windowing analysis can also detect DDoS based on the residuals obtained, because the residuals of the DDoS dataset are always higher than those of the other datasets. The LRD analysis also performs well; this can be seen from the Hurst exponent values, which agree with the supporting theory: the Hurst exponent estimate gives values between 0.5 and 1 for the normal and flash crowd datasets, while the DDoS dataset has a Hurst value outside that range. Keywords: traffic anomaly, DDoS, Long Range Dependence.

    Security related self-protected networks: autonomous threat detection and response (ATDR)

    Doctor Educationis
    Cybersecurity defense tools, techniques and methodologies are constantly faced with increasing challenges, including the evolution of highly intelligent and powerful new-generation threats. The main challenge posed by these modern digital multi-vector attacks is their ability to adapt with machine learning. Research shows that many existing defense systems fail to provide adequate protection against these latest threats. Hence, there is an ever-growing need for self-learning technologies that can autonomously adjust according to the behaviour and patterns of the offensive actors and systems. The accuracy and effectiveness of existing methods are dependent on decision making and manual input by human experts. This dependence causes 1) administration overhead, 2) variable and potentially limited accuracy and 3) delayed response time. In this thesis, Autonomous Threat Detection and Response (ATDR) is proposed as a general method aimed at contributing toward security-related self-protected networks. Through a combination of unsupervised machine learning and deep learning, ATDR is designed as an intelligent and autonomous decision-making system that uses big data processing and data frame pattern identification layers to learn sequences of patterns and derive real-time data formations. This system enhances threat detection and response capabilities, accuracy and speed. The research provided a solid foundation for the proposed method around the scope of existing methods and the common problem statements and findings of other authors.

    Identification technique of cryptomining behavior based on traffic features

    Recently, the growth of blockchain technology and the economic benefits of cryptocurrencies have led to a proliferation of malicious cryptomining activities on the internet, resulting in significant losses for companies and institutions. Therefore, accurately detecting and identifying these behaviors has become essential. To address the low accuracy of detecting and identifying cryptomining behaviors in encrypted traffic, a technique for identifying cryptomining behavior traffic is proposed. This technique is based on the time series characteristics of network traffic and introduces a long-range dependence feature, so the recognition effect is not easily affected by the encryption algorithm. First, 48-dimensional features are extracted from the network traffic using statistical methods and the rescaled range method, of which 47 dimensions are statistical features and 1 dimension is a long-range dependence feature. Second, because there is much less cryptomining traffic than normal network traffic in the dataset, the dataset is processed using oversampling to balance the two types of traffic data. Finally, a random forest model is used to identify the type of traffic based on its features. Experiments demonstrate that this approach achieves good detection performance and provides an effective solution for identifying encrypted network traffic with malicious cryptomining behavior. The long-range dependence feature, together with the statistical features, describes flow characteristics more comprehensively, and the preprocessing of the dataset improves the performance of the identification model.

    Security related self-protected networks: Autonomous threat detection and response (ATDR)

    Magister Scientiae - MSc
    Cybersecurity defense tools, techniques and methodologies are constantly faced with increasing challenges, including the evolution of highly intelligent and powerful new-generation threats. The main challenge posed by these modern digital multi-vector attacks is their ability to adapt with machine learning. Research shows that many existing defense systems fail to provide adequate protection against these latest threats. Hence, there is an ever-growing need for self-learning technologies that can autonomously adjust according to the behaviour and patterns of the offensive actors and systems. The accuracy and effectiveness of existing methods are dependent on decision making and manual input by human experts. This dependence causes 1) administration overhead, 2) variable and potentially limited accuracy and 3) delayed response time.

    Understanding the Impact of Hacker Innovation upon IS Security Countermeasures

    Hackers external to the organization continue to wreak havoc upon the information systems infrastructure of firms through breaches of security defenses, despite constant development of and continual investment in new IS security countermeasures by security professionals and vendors. These breaches are exceedingly costly and damaging to the affected organizations. The continued success of hackers in the face of massive security investments suggests that the defenders are losing and that the hackers can innovate at a much faster pace. Underground hacker communities have been shown to be an environment where attackers can learn new techniques and share tools pertaining to the defeat of IS security countermeasures. This research sought to understand the manner in which hackers diffuse innovations within these communities. Employing a multi-site, positivist case study approach across four separate hacking communities, the study examined how hackers develop, communicate, and eventually adopt these new techniques and tools, so as to better inform future attempts at mitigating these attacks. The research found that three classes of change agents are influential in the diffusion and adoption of an innovation: the developer/introducer of the innovation to the community, the senior member of a community, and the author of tutorials. Additionally, the research found that three innovation factors are key to successful diffusion and adoption: the compatibility of the innovation with the needs of the community, the complexity of the innovation, and the change in image conferred upon the member by adopting the innovation. The research also described the process by which innovations are adopted within the hacking communities and detailed phases in this process which are unique to these communities.