DDoS Attack Detection Method Based on Network Abnormal Behavior in Big Data Environment
Distributed denial-of-service (DDoS) attacks have become a rapidly growing problem
with the fast development of the Internet. Existing DDoS attack detection
methods suffer from time delay and low detection rates. This paper presents a DDoS
attack detection method based on network abnormal behavior in a big data
environment. Based on the characteristics of flood attack, the method filters
the network flows to leave only the 'many-to-one' network flows to reduce the
interference from normal network flows and improve the detection accuracy. We
define the network abnormal feature value (NAFV) to reflect the state changes
of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS
attack detection method based on NAFV real-time series is built to identify the
abnormal network flow states caused by DDoS attacks. The experiments show that
compared with similar methods, this method has a higher detection rate and lower
false-alarm and miss rates.
Internet Anomaly Detection based on Complex Network Path
Detecting anomalous behaviors such as network failures or intentional attacks
in the large-scale Internet is a vital but challenging task.
While numerous techniques have been developed based on Internet traffic in past
years, anomaly detection on structured datasets via complex-network methods has
only recently come into focus. In this paper, an anomaly detection method for
large-scale Internet topology is proposed by considering the changes caused by
network crashes. In order to quantify the dynamic changes of Internet topology, the
network path changes coefficient (NPCC) is put forward, which highlights the
Internet's abnormal state after it has been attacked continuously. Furthermore, we
propose a decision function, inspired by the Fibonacci sequence, to
determine whether the Internet is abnormal or not: the current Internet
is abnormal if its NPCC lies beyond the normal domain built from the
previous k NPCCs of the Internet topology. Finally, the new Internet anomaly
detection method was tested over the topology data of three Internet anomaly
events. The results show that the detection accuracy for all events is over
97%, and the detection precisions of the three events are 90.24%, 83.33% and 66.67%
when k = 36. According to the experimental values of the index F_1, we found that the
larger k is, the better the detection performance is, and that our method performs
better for anomalous behaviors caused by network failure than for
those caused by intentional attack. Compared with traditional anomaly detection,
our work may be simpler and more powerful for governments or organizations in
terms of detecting large-scale abnormal events.
Comment: 10 pages, 7 figures, pape
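The two abstracts above share a shape: reduce the data to the part that carries the flood signal, turn it into a time series, and call the current value abnormal when it leaves a "normal domain" built from the previous k values. The following Python is an added illustration, not code from either paper: the abstracts do not give the NAFV or NPCC formulas or the Fibonacci-inspired rule, so the feature used here (count of never-before-seen source addresses per many-to-one destination per window) and the decision rule (mean of the last k values plus three standard deviations, with a noise floor) are both assumptions made for the example. The flow records are constructed.

```python
"""Many-to-one flow filtering, a new/old source-address series per
destination, and a k-history decision rule.  Constructed illustration;
the feature and threshold are assumptions, not the papers' definitions."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[float, str, str]  # (timestamp_seconds, src_ip, dst_ip)


def many_to_one(flows: List[Flow], min_sources: int = 3) -> Dict[str, List[Flow]]:
    """Group flows by destination and keep only 'many-to-one' destinations,
    i.e. those contacted by at least min_sources distinct source addresses.
    One-to-one and one-to-many traffic (ordinary client activity) is dropped
    so that it does not dilute the flood signal."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f[2]].append(f)
    return {d: fs for d, fs in by_dst.items()
            if len({f[1] for f in fs}) >= min_sources}


def new_source_series(flows: List[Flow], window: float,
                      min_sources: int = 3) -> Dict[str, List[int]]:
    """Per destination, one value per time window: the number of source IPs
    that contacted it in that window and had never contacted it before
    ('new' addresses). Returning ('old') clients are not counted, so a
    spoofed flood shows up as a spike while steady client traffic stays flat."""
    if not flows:
        return {}
    t0 = min(f[0] for f in flows)
    n_windows = int((max(f[0] for f in flows) - t0) // window) + 1
    windows: List[List[Flow]] = [[] for _ in range(n_windows)]
    for f in flows:
        windows[int((f[0] - t0) // window)].append(f)
    seen: Dict[str, Set[str]] = defaultdict(set)
    series: Dict[str, List[int]] = defaultdict(lambda: [0] * n_windows)
    for w, batch in enumerate(windows):
        for dst, fs in many_to_one(batch, min_sources).items():
            srcs = {f[1] for f in fs}
            series[dst][w] = len(srcs - seen[dst])
            seen[dst] |= srcs
    return dict(series)


def is_abnormal(history: List[float], current: float, k: int,
                floor: float = 1.0) -> bool:
    """Decision rule (assumption): the current value is abnormal if it lies
    above the normal domain built from the previous k values, taken as
    mean + 3*sigma.  sigma is floored so a perfectly flat history does not
    flag every tiny change.  With fewer than k past values, never alert."""
    recent = history[-k:]
    if len(recent) < k:
        return False
    return current > mean(recent) + 3 * max(pstdev(recent), floor)


def detect(flows: List[Flow], window: float = 1.0, k: int = 3,
           min_sources: int = 3) -> List[Tuple[int, str, int]]:
    """Run the series and the decision rule; return (window, dst, value) alerts."""
    alerts = []
    for dst, values in new_source_series(flows, window, min_sources).items():
        for w in range(len(values)):
            if is_abnormal(values[:w], values[w], k):
                alerts.append((w, dst, values[w]))
    return sorted(alerts)


def build_sample() -> List[Flow]:
    """Constructed sample: six one-second windows.  Four regular clients talk
    to 10.0.0.5 every window; one host chats with 10.0.0.9 (one-to-one, so it
    is filtered out); in window 5, 40 spoofed sources flood 10.0.0.5."""
    flows: List[Flow] = []
    clients = [f"10.0.1.{i}" for i in range(1, 5)]
    for w in range(6):
        for i, c in enumerate(clients):
            flows.append((w + 0.1 * i, c, "10.0.0.5"))
        flows.append((w + 0.5, "10.0.2.7", "10.0.0.9"))
    for j in range(40):
        flows.append((5.6 + 0.005 * j, f"198.51.100.{j + 1}", "10.0.0.5"))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print(new_source_series(sample, 1.0))   # {'10.0.0.5': [4, 0, 0, 0, 0, 40]}
    print(detect(sample))                   # [(5, '10.0.0.5', 40)]
```

The first window is itself a burst of "new" addresses (every client is new the first time it is seen), which is why the rule refuses to alert until k full windows of history exist; a deployment would warm up on known-good traffic before arming the detector.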
DDoS Attacks: Tools, Mitigation Approaches, and Probable Impact on Private Cloud Environment
The future of the Internet is predicted to be on the cloud, resulting in more
complex and more intensive computing, but possibly also a more insecure digital
world. The presence of a large amount of resources organized densely is a key
factor in attracting DDoS attacks. Such attacks are arguably more dangerous in
private individual clouds with limited resources. This paper discusses several
prominent approaches introduced to counter DDoS attacks in private clouds. We
also discuss issues and challenges in mitigating DDoS attacks in private clouds.
Adaptive DDoS attack detection method based on multiple-kernel learning
Distributed denial of service (DDoS) attacks have caused huge economic losses
to society. They have become one of the main threats to Internet security. Most
of the current detection methods based on a single feature and fixed model
parameters cannot effectively detect early DDoS attacks in cloud and big data
environment. In this paper, an adaptive DDoS attack detection method (ADADM)
based on multiple kernel learning (MKL) is proposed. Based on the burstiness of
DDoS attack flow, the distribution of addresses and the interactivity of
communication, we define five features to describe the network flow
characteristic. Based on the ensemble learning framework, the weight of each
dimension is adaptively adjusted by increasing the inter-class mean with a
gradient ascent and reducing the intra-class variance with a gradient descent,
and the classifier is established to identify an early DDoS attack by training
simple multiple kernel learning (SMKL) models with two characteristics
including inter-class mean squared difference growth (M-SMKL) and intra-class
variance descent (S-SMKL). The sliding window mechanism is used to coordinate
the S-SMKL and M-SMKL to detect the early DDoS attack. The experimental results
indicate that this method can detect DDoS attacks early and accurately.
Securing Heterogeneous IoT with Intelligent DDoS Attack Behavior Learning
The rapid increase of diverse Internet of things (IoT) services and devices
has raised numerous challenges in terms of connectivity, computation, and
security, which networks must face in order to provide satisfactory support.
This has led to networks evolving into heterogeneous IoT networking
infrastructures characterized by multiple access technologies and mobile edge
computing (MEC) capabilities. The heterogeneity of the networks, devices, and
services introduces serious vulnerabilities to security attacks, especially
distributed denial-of-service (DDoS) attacks, which exploit massive IoT devices
to exhaust both network and victim resources. As such, this study proposes
MECshield, a localized DDoS prevention framework leveraging MEC power to deploy
multiple smart filters at the edge of relevant attack-source/destination
networks. The cooperation among the smart filters is supervised by a central
controller. The central controller localizes each smart filter by feeding
appropriate training parameters into its self-organizing map (SOM) component,
based on the attacking behavior. The performance of the MECshield framework is
verified using three typical IoT traffic scenarios. The numerical results
reveal that MECshield outperforms existing solutions.
Comment: This work has been submitted to the IEEE journal for possible
publication. Copyright may be transferred without notice, after which this
version may no longer be accessibl
Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset
The proliferation of IoT systems has seen them targeted by malicious third
parties. To address this, realistic protection and investigation
countermeasures need to be developed. Such countermeasures include network
intrusion detection and network forensic systems. For that purpose, a
well-structured and representative dataset is paramount for training and
validating the credibility of the systems. Although there are several network
datasets, in most cases not much information is given about the botnet scenarios
that were used. This paper proposes a new dataset, Bot-IoT, which incorporates
legitimate and simulated IoT network traffic, along with various types of
attacks. We also present a realistic testbed environment for addressing the
existing datasets' drawbacks in capturing complete network information, accurate
labeling, and recent and complex attack diversity. Finally, we evaluate
the reliability of the Bot-IoT dataset using different statistical and machine
learning methods for forensics purposes compared with the existing datasets.
This work provides the baseline for allowing botnet identification across
IoT-specific networks. The Bot-IoT dataset can be accessed at [1].
Exploring Information Centrality for Intrusion Detection in Large Networks
Modern networked systems are constantly under threat from systemic attacks.
There has been a massive upsurge in the number of devices connected to a
network as well as the associated traffic volume. This has intensified the need
to better understand all possible attack vectors during system design and
implementation. Further, it has increased the need to mine large data sets,
analyzing which has become a daunting task. It is critical to scale monitoring
infrastructures to match this need, but that is a difficult goal for small and
medium organizations. Hence, there is a need to propose novel approaches that
address the big data problem in security. Information Centrality (IC) labels
network nodes with better vantage points for detecting network-based anomalies
as central nodes and uses them for detecting a category of attacks called
systemic attacks. The main idea is that since these central nodes already see a
lot of information flowing through the network, they are in a good position to
detect anomalies before other nodes. This research first dives into the
importance of using graphs in understanding the topology and information flow.
We then introduce the usage of information centrality, a centrality-based
index, to reduce data collection in existing communication networks. Using
IC-identified central nodes can accelerate outlier detection when armed with a
suitable anomaly detection technique. We also come up with a more efficient way
to compute Information centrality for large networks. Finally, we demonstrate
that central nodes detect anomalous behavior much faster than other non-central
nodes, given the anomalous behavior is systemic in nature.
Comment: 14 pages, 4 figures, 18th Annual Security Conferenc
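To make concrete what "IC-identified central nodes" means, here is an added example (not code from the paper) that computes information centrality in the Stephenson and Zelen sense, one standard definition: with L the graph Laplacian and J the all-ones matrix, C = (L + J)^-1, and I_i = 1 / (c_ii + (T - 2R)/n) where T is the trace of C and R its (constant) row sum. Equivalently I_i is n divided by the total effective resistance from i to every other node, so a node that sits on many low-resistance paths scores highest. The abstract says the authors have a more efficient computation for large networks; that is not reproduced here, this is the plain matrix-inverse form in pure Python. The topology is constructed.

```python
"""Information centrality (Stephenson & Zelen) for an undirected graph,
pure Python.  Added example; the textbook matrix-inverse form, not the
paper's large-network algorithm.  The topology below is constructed."""
from typing import Dict, List, Tuple

Edge = Tuple[str, str]


def laplacian(nodes: List[str], edges: List[Edge]) -> List[List[float]]:
    """Graph Laplacian L = D - A for an undirected, unweighted graph."""
    idx = {v: i for i, v in enumerate(nodes)}
    n = len(nodes)
    L = [[0.0] * n for _ in range(n)]
    for a, b in edges:
        i, j = idx[a], idx[b]
        L[i][i] += 1.0
        L[j][j] += 1.0
        L[i][j] -= 1.0
        L[j][i] -= 1.0
    return L


def invert(m: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting; raises if singular
    (L + J is singular exactly when the graph is disconnected)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular matrix: is the graph connected?")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def information_centrality(nodes: List[str], edges: List[Edge]) -> Dict[str, float]:
    """I_i = 1 / (c_ii + (T - 2R)/n) with C = (L + J)^-1, T = trace(C),
    R = row sum of C.  Every row of C sums to 1/n because (L + J) 1 = n 1,
    so any row gives R."""
    n = len(nodes)
    L = laplacian(nodes, edges)
    C = invert([[L[i][j] + 1.0 for j in range(n)] for i in range(n)])
    T = sum(C[i][i] for i in range(n))
    R = sum(C[0])
    return {v: 1.0 / (C[i][i] + (T - 2.0 * R) / n) for i, v in enumerate(nodes)}


def vantage_points(nodes: List[str], edges: List[Edge], k: int) -> List[str]:
    """The k nodes with the highest information centrality: where a monitor
    sees the most traffic and so catches a systemic anomaly earliest."""
    ic = information_centrality(nodes, edges)
    return sorted(ic, key=lambda v: ic[v], reverse=True)[:k]


def sample_topology() -> Tuple[List[str], List[Edge]]:
    """Constructed network: a core switch, two distribution switches, four
    hosts, and one redundant host-to-host link so that effective resistance
    differs from plain hop count."""
    nodes = ["core", "dist1", "dist2", "h1", "h2", "h3", "h4"]
    edges = [("core", "dist1"), ("core", "dist2"),
             ("dist1", "h1"), ("dist1", "h2"),
             ("dist2", "h3"), ("dist2", "h4"),
             ("h1", "h2")]
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = sample_topology()
    for v, score in sorted(information_centrality(nodes, edges).items(),
                           key=lambda kv: -kv[1]):
        print(f"{v:6s} {score:.3f}")
    print("monitor here first:", vantage_points(nodes, edges, 2))
```

On a three-node path a-b-c the middle node scores 1.5 and the ends 1.0, which matches n divided by the sum of effective resistances (3/2 and 3/3). Note that the O(n^3) inverse is only for illustration on small graphs; the point of the paper is precisely that this needs a cheaper computation at scale.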
ATTENTION: ATTackEr traceback using MAC layer abNormality detecTION
Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks can cause serious
problems in wireless networks due to limited network and host resources.
Attacker traceback is a promising solution to take a proper countermeasure near
the attack origins, to discourage attackers from launching attacks, and for
forensics. However, attacker traceback in Mobile Ad-hoc Networks (MANETs) is a
challenging problem due to the dynamic topology, and limited network resources.
It is especially difficult to trace back attacker(s) when they are moving to
avoid traceback. In this paper, we introduce the ATTENTION protocol framework,
which pays special attention to MAC layer abnormal activity under attack.
ATTENTION consists of three classes, namely, coarse-grained traceback,
fine-grained traceback and spatio-temporal fusion architecture. For
energy-efficient attacker searching in MANETs, we also utilize the small-world
model. Our simulation analysis shows a 79% success rate in DoS attacker
traceback with a coarse-grained attack signature. In addition, with a fine-grained
attack signature, it shows a 97% success rate in DoS attacker traceback and
an 83% success rate in DDoS attacker traceback. We also show that ATTENTION is
robust against node collusion and mobility.
N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders
The proliferation of IoT devices, which can be more easily compromised than
desktop computers, has led to an increase in the occurrence of IoT-based botnet
attacks. In order to mitigate this new threat there is a need to develop new
methods for detecting attacks launched from compromised IoT devices and
differentiating between hour-long and millisecond-long IoT-based attacks. In this paper
we propose and empirically evaluate a novel network-based anomaly detection
method which extracts behavior snapshots of the network and uses deep
autoencoders to detect anomalous network traffic emanating from compromised IoT
devices. To evaluate our method, we infected nine commercial IoT devices in our
lab with two of the most widely known IoT-based botnets, Mirai and BASHLITE.
Our evaluation results demonstrate our proposed method's ability to accurately
and instantly detect the attacks as they were being launched from the
compromised IoT devices which were part of a botnet.
Comment: Accepted for publication in July September issue of IEEE Pervasive
Computin
Online Multivariate Anomaly Detection and Localization for High-dimensional Settings
This paper considers the real-time detection of anomalies in high-dimensional
systems. The goal is to detect anomalies quickly and accurately so that the
appropriate countermeasures could be taken in time, before the system possibly
gets harmed. We propose a sequential and multivariate anomaly detection method
that scales well to high-dimensional datasets. The proposed method follows a
nonparametric, i.e., data-driven, and semi-supervised approach, i.e., trains
only on nominal data. Thus, it is applicable to a wide range of applications
and data types. Thanks to its multivariate nature, it can quickly and
accurately detect challenging anomalies, such as changes in the correlation
structure and stealth low-rate cyberattacks. Its asymptotic optimality and
computational complexity are comprehensively analyzed. In conjunction with the
detection method, an effective technique for localizing the anomalous data
dimensions is also proposed. We further extend the proposed detection and
localization methods to a supervised setup where an additional anomaly dataset
is available, and combine the proposed semi-supervised and supervised
algorithms to obtain an online learning algorithm under the semi-supervised
framework. The practical use of the proposed algorithms is demonstrated in DDoS
attack mitigation, and their performance is evaluated using a real IoT-botnet
dataset and simulations.
Comment: 16 pages, LaTeX; references adde