261 research outputs found
Detection and avoidance technique of anomalous congestion at the network gateways
Active queue management (AQM) techniques are used to control congestion at network routers. Random Early Detection (RED) is the most widely used of the existing AQMs, as it can avoid network congestion at an early stage. The RED technique avoids congestion by prompting users to reduce their window sizes when the average queue length exceeds a predefined threshold. However, the RED technique is unable to identify users who do not respond to these notifications, and therefore RED drops all packets in the queue. This generates false positive alarms, as packets of legitimate users are dropped as well. This paper proposes a technique for monitoring gateways' queues and discarding only the misbehaving traffic. In particular, the proposed technique monitors users' behavior at the network gateways to identify the real sources of the misbehaving traffic that causes the congestion on the network. Congested RED gateways report the packet transfer rate (PTR) of the end-users connected to them to a service level agreement unit (SLA-unit). The SLA-unit then identifies end-users who have exceeded the bandwidth shares predefined in the SLA as the sources of the anomalous congestion on the network. The obtained results show that the proposed technique is promising in detecting and avoiding anomalous congestion without dropping the normal traffic of legitimate end-users.
The Dynamics of Internet Traffic: Self-Similarity, Self-Organization, and Complex Phenomena
The Internet is the most complex system ever created in human history. Therefore, its dynamics and traffic unsurprisingly take on a rich variety of complex dynamics, self-organization, and other phenomena that have been researched for years. This paper is a review of the complex dynamics of Internet traffic. Departing from normal treatises, we will take a view from both the network engineering and physics perspectives, showing the strengths and weaknesses as well as the insights of both. In addition, many less covered phenomena such as traffic oscillations, large-scale effects of worm traffic, and comparisons of the Internet and biological models will be covered.
Comment: 63 pages, 7 figures, 7 tables, submitted to Advances in Complex System
Detecting DDoS Attacks in Stub Domains
DoS attacks have the least impact when mitigated close to the attacks' source. This is more important for Distributed DoS (DDoS) attacks, since they are difficult to mitigate at the victim without affecting service to legitimate flows. This is a challenging task, since DDoS attack traffic may have relatively low flow rates and attack packets are indistinguishable from legitimate packets. Current source-end detection schemes such as MULTOPS and D-WARD are centralized and hence are not easily deployable in multi-gateway stub networks with asymmetric traffic.
We present a scalable, distributed DDoS detection system that can be deployed in single- as well as multi-homed stub networks to detect DDoS attacks using TCP packets. The detection system can detect attacks with very low flow rates, and in multi-gateway networks, even with significantly asymmetric TCP flows. We evaluate the performance of our detection system using extensive packet-level simulations under different attack scenarios. Our results show that, with relatively little node state and processing, in networks with symmetric flows, our system can accurately detect attack flows that are one-third the intensity of an average flow in the network. In the case of multi-gateway networks, the detection system can detect all attacks for all rates of asymmetry when the attack rate is at least five times the average flow rate in the network.
We extend the system to detect attacks aimed at multiple hosts in a subnet instead of a single host. Subnet attacks appear more diffuse to detection schemes designed to detect host attacks; hence, it is harder for these schemes to detect them. Our subnet attack detection scheme can detect attacks that target hosts in large subnets (/21) and in the presence of non-attack traffic to other hosts in the subnet.
Our packet-level simulations show that, in single-gateway networks, our scheme can detect attacks with an aggregate flow intensity equal to an average flow in the network in less than a minute. Using these simulations, we also show that our scheme detects attacks in networks with up to four gateways and when up to 50% of the flows are asymmetric.
Improving network intrusion detection system performance through quality of service configuration and parallel technology
This paper outlines an innovative software development that utilizes Quality of Service (QoS) and parallel technologies in Cisco Catalyst Switches to increase the analytical performance of a Network Intrusion Detection and Protection System (NIDPS) when deployed in high-speed networks. We have designed a real network to present experiments that use a Snort NIDPS. Our experiments demonstrate the weaknesses of NIDPSes, such as the inability to process multiple packets and the propensity to drop packets in heavy traffic and high-speed networks without analysing them. We tested Snort's analysis performance, gauging the number of packets sent, analysed, dropped, filtered, injected, and outstanding. We suggest using QoS configuration technologies in a Cisco Catalyst 3560 Series Switch and parallel Snorts to improve NIDPS performance and to reduce the number of dropped packets. Our results show that our novel configuration improves performance.
Deep Learning Based Anomaly Detection for Fog-Assisted IoVs Network
Internet of vehicles (IoVs) allows millions of vehicles to be connected and share information for various purposes. The main applications of IoVs are traffic management, emergency message delivery, E-health, and traffic and temperature monitoring. On the other hand, IoVs lack location awareness and geographic distribution, which is critical for some IoVs applications such as smart traffic lights and information sharing between vehicles. To support these topographies, fog computing was proposed as an appealing and novel paradigm, which was integrated with IoVs to extend storage, computation, and networking. Unfortunately, it is also challenged by various security and privacy hazards, which are a serious concern for smart cities. Therefore, we can state that Fog-assisted IoVs (Fa-IoVs) are challenged by security threats during information dissemination among mobile nodes. These security threats to Fa-IoVs are considered anomalies, a serious concern that needs to be addressed for smooth Fa-IoVs network communication. Here, smooth communication refers to less risk of important data loss, delay, communication overhead, etc. This research work aims to identify research gaps in the Fa-IoVs network and present a deep learning-based dynamic scheme named CAaDet (Convolutional autoencoder Aided anomaly detection) to detect anomalies. CAaDet exploits convolutional layers with a customized autoencoder for useful feature extraction and anomaly detection. Performance evaluation of the proposed scheme is done using the F1-score metric, where experiments are carried out on a benchmark dataset named NSL-KDD. CAaDet also observes the behavior of fog nodes and hidden neurons and selects the best match to reduce false alarms and improve the F1-score. The proposed scheme achieved significant improvement over existing schemes for anomaly detection. The identified research gaps in Fa-IoVs can give future directions to researchers and attract more attention to this new area.
On Modeling and Mitigating a New Breed of DoS Attacks
Denial of Service (DoS) attacks pose serious threats to the Internet, exerting a tremendous impact on our daily lives, which are heavily dependent on the good health of the Internet. This dissertation aims to achieve two objectives: 1) to model new possibilities of low rate DoS attacks; 2) to develop effective mitigation mechanisms to counter the threat from low rate DoS attacks.
A new stealthy DDoS attack model, referred to as the quiet attack, is proposed in this dissertation. The attack traffic consists of TCP traffic only. Widely used botnets in today's various attacks and newly introduced network feedback control are an integral part of the quiet attack model. The quiet attack shows that short-lived TCP flows used as attack flows can be intentionally misused. This dissertation proposes another attack model, referred to as the perfect storm, which uses a combination of UDP and TCP. Better CAPTCHAs are highlighted as the current defense against botnets to mitigate the quiet attack and the perfect storm.
A novel time domain technique is proposed that relies on the time difference between subsequent packets of each flow to detect the periodicity of the low rate DoS attack flow. An attacker can easily use different IP address spoofing techniques or botnets to launch a low rate DoS attack and fool the detection system. To mitigate such a threat, this dissertation proposes a second detection algorithm that detects a sudden increase in the traffic load of all the expired flows within a short period. In network rate DoS attacks, it is shown that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. A novel filtering scheme is proposed to drop the low rate DoS attack packets. The simulation results confirm attack mitigation using the proposed technique. Future research directions are briefly discussed.