64 research outputs found

    Development of Internet Protocol Traceback Scheme for Detection of Denial-of-Service Attack

    To mitigate the challenges that Flash Event (FE) poses to IP-Traceback techniques, this paper presents an IP Traceback scheme for detecting the source of a DoS attack based on Shark Smell Optimization Algorithm (SSOA). The developed model uses a discrimination policy with the hop-by-hop search. Random network topologies were generated using the WaxMan model in NS2 for different simulations of DoS attacks. Discrimination policies used by SSOA-DoSTBK for the attack source detection in each case were set up based on the properties of the detected attack packets. SSOA-DoSTBK was compared with a number of IP Traceback schemes for DoS attack source detection in terms of their ability to discriminate FE traffics from attack traffics and the detection of the source of Spoofed IP attack packets. SSOA-DoSTBK IP traceback scheme outperformed ACS-IPTBK that it was benchmarked with by 31.8%, 32.06%, and 28.45% lower FER for DoS only, DoS with FE, and spoofed DoS with FE tests respectively, and 4.76%, 11.6%, and 5.2% higher performance in attack path detection for DoS only, DoS with FE, and Spoofed DoS with FE tests, respectively. However, ACS-IPTBK was faster than SSOA-DoSTBK by 0.4%, 0.78%, and 1.2% for DoS only, DoS with FE, and spoofed DoS with FE tests, respectively. Keywords: DoS Attacks Detection, Denial-of-Service, Internet Protocol, IP Traceback, Flash Event, Optimization Algorithm

    Implementing Flash Event Discrimination in IP Traceback using Shark Smell Optimisation Algorithm

    Denial of service attack and its variants are the largest ravaging network problems. They are used to cause damage to network by disrupting its services in order to harm a business or organization. Flash event is a network phenomenon that causes surge in normal network flow due to sudden increase in number of network users. To curtail the menace of the Denial of service attack it is pertinent to expose the perpetrator and take appropriate action against it. Internet protocol traceback is a network forensic tool that is used to identify source of an Internet protocol packet. Most of presently available Internet protocol traceback tools that are based on bio-inspired algorithm employ flow-based search method for tracing source of a Denial of service attack without facility to differentiate flash event from the attack. Surge in network due to flash event can mislead such a traceback tool that uses flow-based search. This work presents a solution that uses hop-by-hop search with an incorporated discrimination policy implemented by shark smell optimization algorithm to differentiate the attack traffic from other traffics. It was tested on performance and convergence against an existing bio-inspired traceback tool that uses flow-based method and yielded outstanding results in all the test

    Defense and traceback mechanisms in opportunistic wireless networks

    In this thesis, we have identified a novel attack in OppNets, a special type of packet dropping attack where the malicious node(s) drops one or more packets (not all the packets) and then injects new fake packets instead. We name this novel attack as the Catabolism attack and propose a novel attack detection and traceback approach against this attack referred to as the Anabolism defence. As part of the Anabolism defence approach we have proposed three techniques: time-based, Merkle tree based and Hash chain based techniques for attack detection and malicious node(s) traceback. We provide mathematical models that show our novel detection and traceback mechanisms to be very effective and detailed simulation results show our defence mechanisms to achieve a very high accuracy and detection rate

    A Defense Framework Against Denial-of-Service in Computer Networks

    Denial-of-Service (DoS) is a computer security problem that poses a serious challenge to trustworthiness of services deployed over computer networks. The aim of DoS attacks is to make services unavailable to legitimate users, and current network architectures allow easy-to-launch, hard-to-stop DoS attacks. Particularly challenging are the service-level DoS attacks, whereby the victim service is flooded with legitimate-like requests, and the jamming attack, in which wireless communication is blocked by malicious radio interference. These attacks are overwhelming even for massively-resourced services, and effective and efficient defenses are highly needed. This work contributes a novel defense framework, which I call dodging, against service-level DoS and wireless jamming. Dodging has two components: (1) the careful assignment of servers to clients to achieve accurate and quick identification of service-level DoS attackers and (2) the continuous and unpredictable-to-attackers reconfiguration of the client-server assignment and the radio-channel mapping to withstand service-level and jamming DoS attacks. Dodging creates hard-to-evade baits, or traps, and dilutes the attack "fire power". The traps identify the attackers when they violate the mapping function and even when they attack while correctly following the mapping function. Moreover, dodging keeps attackers "in the dark", trying to follow the unpredictably changing mapping. They may hit a few times but lose "precious" time before they are identified and stopped. Three dodging-based DoS defense algorithms are developed in this work. They are more resource-efficient than state-of-the-art DoS detection and mitigation techniques. Honeybees combines channel hopping and error-correcting codes to achieve bandwidth-efficient and energy-efficient mitigation of jamming in multi-radio networks. In roaming honeypots, dodging enables the camouflaging of honeypots, or trap machines, as real servers, making it hard for attackers to locate and avoid the traps. Furthermore, shuffling requests over servers opens up windows of opportunity, during which legitimate requests are serviced. Live baiting efficiently identifies service-level DoS attackers by employing results from the group-testing theory, discovering defective members in a population using the minimum number of tests. The cost and benefit of the dodging algorithms are analyzed theoretically, in simulation, and using prototype experiments

    A Pheromone-Aided Multipath QoS Routing Protocol and its Applications in MANETs

    In this paper, we present an ant-based multipath QoS routing protocol that utilizes a single link metric combining multiple weighted criteria. The metric is applied to the proposed energy efficient multipath algorithm that considers both energy and latency. Energy efficiency is an important issue in mobile ad hoc networks (MANETs) since node energy supplies are stored in batteries. In order to increase the network lifetime it is important to maximize the minimum node energy along a path. As the network topology changes, failures may occur on active routes, resulting in the need for new route discoveries if only single routes per flow are maintained. Frequent new route discovery would, however, increase routing overhead and increase mean and peak packet latency. Using multiple routes simultaneously per flow can be a solution to these problems. Also, a special case of the multipath QoS routing protocol that considers throughput is applied to a security context. A compromised node can obstruct network communication by simply dropping packets that are supposed to be forwarded. In our approach, messages are distributed over multiple paths between source and destination using ant-based QoS routing. In proportion to the throughput of each path, a pheromone-aided routing table is updated and, subsequently, paths that contain malicious nodes are naturally avoided

    An examination of the Asus WL-HDD 2.5 as a nepenthes malware collector

    The Linksys WRT54g has been used as a host for network forensics tools, for instance Snort, for a long period of time. Whilst large corporations are already utilising network forensic tools, this paper demonstrates that it is quite feasible for a non-security specialist to track and capture malicious network traffic. This paper introduces the Asus Wireless Hard disk as a replacement for the popular Linksys WRT54g. Firstly, the Linksys router will be introduced, detailing some of the research that was undertaken on the device over the years amongst the security community. It then briefly discusses malicious software and the impact this may have for a home user. The paper then outlines the trivial steps in setting up Nepenthes 0.1.7 (a malware collector) for the Asus WL-HDD 2.5 according to the Nepenthes and tests the feasibility of running the malware collector on the selected device. The paper then concludes by discussing the limitations of the device when attempting to execute Nepenthes

    Linguistic Abstractions in Children's Very Early Utterances

    How early do children produce multiword utterances? Do children's early utterances reflect abstract syntactic knowledge or are they the result of data-driven learning? We examine this issue through corpus analysis, computational modeling, and adult simulation experiments. Chapter 1 investigates when children start producing multiword utterances; we use corpora to establish the development of multiword utterances and a probabilistic computational model to account for the quantitative change of early multiword utterances. We find that multiword utterances of different lengths appear early in acquisition and increase together, and the length growth pattern can be viewed as a probabilistic and dynamic process. Chapter 2 asks whether very early combinatorial speech reflects abstract syntactic knowledge or simply item-based learning driven by linguistic input. We use different language models (LMs) to track syntactic and lexical development separately. The results show that the syntactic structure behind children's early combinatorial speech may exceed the development of word combinations acquired from the learning input. Chapter 3 investigates whether the ungrammatical utterances produced by children at an early age (such as 'key-open-door') have adult-like syntactic structure despite their incorrect word choices or missing words, or whether those sequences come from data-driven learning of words without syntactic knowledge. We ask a) adult native speakers, b) statistical LMs, and c) deep neural LMs to produce intelligible utterances from scrambled children's multiword utterances (e.g., 'door-key-open'). We found that the statistical LMs involving local statistical learning trained on child-directed speech can account for the production of those early multiword utterances. The predictive fit of a simple statistical model is as good as or even better than human subjects and the neural model which assumes more complex learning mechanisms and was trained on larger size data. Taken together, the three chapters provide a new, systematic account of when and how children's very early combinatorial speech develops

    Tracking Paths in Planar Graphs

    We consider the NP-complete problem of tracking paths in a graph, first introduced by Banik et al. [Banik et al., 2017]. Given an undirected graph with a source s and a destination t, find the smallest subset of vertices whose intersection with any s-t path results in a unique sequence. In this paper, we show that this problem remains NP-complete when the graph is planar and we give a 4-approximation algorithm in this setting. We also show, via Courcelle's theorem, that it can be solved in linear time for graphs of bounded-clique width, when its clique decomposition is given in advance