
    Flow-oriented anomaly-based detection of denial of service attacks with flow-control-assisted mitigation

    Flooding-based distributed denial-of-service (DDoS) attacks present a serious and major threat to the targeted enterprises and hosts. Current protection technologies are still largely inadequate in mitigating such attacks, especially if they are large-scale. In this doctoral dissertation, the Computer Network Management and Control System (CNMCS) is proposed and investigated; it consists of the Flow-based Network Intrusion Detection System (FNIDS), the Flow-based Congestion Control (FCC) System, and the Server Bandwidth Management System (SBMS). These components form a composite defense system intended to protect against DDoS flooding attacks. The system as a whole adopts a flow-oriented and anomaly-based approach to the detection of these attacks, as well as a control-theoretic approach that adjusts the flow rate of every link to sustain the high-priority flow rates at their desired level. The results showed that the misclassification rates of FNIDS are low, less than 0.1%, for the investigated DDoS attacks, while the fine-grained service differentiation and resource isolation provided within the FCC comprise a novel and powerful built-in protection mechanism that helps mitigate DDoS attacks.
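    The two ideas in this abstract, a flow-oriented anomaly detector and a control-theoretic rate adjustment that protects high-priority flows, are easy to lose in the acronyms. The following Python is an added illustration, not code from the CNMCS dissertation. It assumes flow records as (src, dst, proto, bytes, packets) tuples per time window, a per-destination EWMA baseline of the number of distinct sources, an oversubscribed link modelled as FIFO (each class gets a share proportional to its offered load, which is what lets a flood starve legitimate traffic), and a proportional controller on the admission cap of low-priority traffic; all traffic below is constructed.

```python
"""Flow-oriented flood detection plus a proportional controller that caps
low-priority traffic so high-priority flows keep their target rate.

Added example, not code from the CNMCS dissertation; thresholds, the FIFO
link model and the sample traffic are assumptions.
"""
from collections import defaultdict

ALPHA = 0.3    # EWMA smoothing factor (assumed)
K_DEV = 3.0    # flag a window this many mean-absolute-deviations above baseline (assumed)
WARMUP = 3     # windows a destination must be observed before it can be flagged (assumed)


class FlowAnomalyDetector:
    """Per-destination EWMA baseline of distinct (src, proto) pairs per window."""

    def __init__(self):
        self.mean, self.dev, self.seen = {}, {}, defaultdict(int)

    def score_window(self, flows):
        """Return {dst: (distinct_sources, deviation_score, anomalous)} for one window."""
        per_dst = defaultdict(set)
        for src, dst, proto, _nbytes, _npkts in flows:
            per_dst[dst].add((src, proto))
        result = {}
        for dst, sources in per_dst.items():
            n = len(sources)
            if self.seen[dst] == 0:
                self.mean[dst], self.dev[dst] = float(n), max(1.0, 0.1 * n)
                score = 0.0
            else:
                score = (n - self.mean[dst]) / max(self.dev[dst], 1.0)
            anomalous = self.seen[dst] >= WARMUP and score > K_DEV
            if not anomalous and self.seen[dst] > 0:
                # learn only from windows judged normal so a flood cannot poison the baseline
                self.mean[dst] = (1 - ALPHA) * self.mean[dst] + ALPHA * n
                self.dev[dst] = (1 - ALPHA) * self.dev[dst] + ALPHA * abs(n - self.mean[dst])
            self.seen[dst] += 1
            result[dst] = (n, score, anomalous)
        return result


def link_share(high_demand, low_admitted, capacity):
    """FIFO link: below capacity everything passes; above it each class gets a share
    proportional to its offered load, so a flood squeezes the high-priority class."""
    total = high_demand + low_admitted
    if total <= capacity:
        return high_demand, low_admitted
    scale = capacity / total
    return high_demand * scale, low_admitted * scale


def run_controller(high_demand, low_demand_series, capacity, target_high, gain=0.8):
    """Proportional controller on the low-priority admission cap: each step measures the
    high-priority rate and shrinks (or relaxes) the cap in proportion to the error.
    Returns a list of (low_cap, high_rate) per step."""
    low_cap, history = float(capacity), []
    for low_demand in low_demand_series:
        low_admitted = min(low_demand, low_cap)
        high_rate, _ = link_share(high_demand, low_admitted, capacity)
        error = target_high - high_rate            # > 0 while high priority is starved
        low_cap = max(0.0, min(float(capacity), low_cap - gain * error))
        history.append((low_cap, high_rate))
    return history


def demo_windows():
    """Constructed traffic: five normal windows (~20 clients), then a 400-source flood."""
    victim = "10.0.0.5"
    windows = [[(f"192.0.2.{k}", victim, "tcp", 1200, 10) for k in range(n)]
               for n in (20, 19, 21, 20, 22)]
    flood = [(f"203.0.113.{k}", victim, "udp", 60, 1) for k in range(200)]
    flood += [(f"198.51.100.{k}", victim, "udp", 60, 1) for k in range(200)]
    return windows + [flood]


def run_demo():
    det = FlowAnomalyDetector()
    verdicts = [det.score_window(w)["10.0.0.5"][2] for w in demo_windows()]
    # once the flood is flagged, cap the low-priority (flood) class on a 100 Mbit/s link
    # whose legitimate high-priority flows need 40 Mbit/s
    ctl = run_controller(high_demand=40.0, low_demand_series=[500.0] * 200,
                         capacity=100.0, target_high=40.0)
    return verdicts, ctl[-1]


if __name__ == "__main__":
    verdicts, (low_cap, high_rate) = run_demo()
    print("per-window anomaly verdicts:", verdicts)
    print(f"after control: low-priority cap {low_cap:.1f}, high-priority rate {high_rate:.1f} Mbit/s")
```

    The baseline is only updated from windows judged normal; without that guard a sustained flood would be learned as the new normal within a few windows. The controller converges on a cap of about 60 Mbit/s for the flood class, the point at which the FIFO link is no longer oversubscribed and the 40 Mbit/s of legitimate traffic is fully served.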

    Enriched Model of Case Based Reasoning and Neutrosophic Intelligent System for DDoS Attack Defence in Software Defined Network based Cloud

    Software-Defined Networking (SDN) in the cloud paradigm is well suited to dynamic functionality and reduces computational complexity. The routers and switches located at the network's boundaries are managed by SDN using open protocols and specialised open programmable interfaces. But security threats often degrade the performance of SDN because of its resource-usage constraints. The components most vulnerable to DDoS attacks are the controller and the control-plane bandwidth. Existing conventional classification algorithms fall short at detecting new or unknown malicious traffic packets, which degrades SDN performance in cloud resources. Hence, in this paper a double-filtering methodology is devised to detect both known and unknown patterns of malicious packets that affect the bandwidth of the control plane and the controller. Case-based reasoning (CBR) is adopted to recognise known incoming traffic patterns before they enter the SDN system; it classifies packets as normal or abnormal based on previously gathered information. Traffic patterns that do not match any previous pattern are treated as indeterminate packets and are described more precisely using the triplet representation of a Neutrosophic Intelligent System (NIS). The grades of belongingness, non-belongingness and indeterminacy are used as the main factors for detecting new patterns of attack packets more effectively. The experimental outcomes show that DDoS attack detection in an SDN-based cloud environment is improved by adopting CBR-NIS compared with the existing classification model.

    Preemptive modelling towards classifying vulnerability of DDoS attack in SDN environment

    Software-Defined Networking (SDN) has become an essential networking concept for scaling up the networking capabilities demanded by the future Internet, which is immensely distributed in nature. As a novel concept in the field of networking, it is still shrouded in security problems, and the Distributed Denial-of-Service (DDoS) attack is one of the prominent problems in the SDN environment. A review of existing research solutions for resisting DDoS attacks in SDN shows that many open issues remain. These issues are identified and addressed in this paper in the form of a preemptive security model. Unlike existing approaches, this model can identify malicious activity that leads to a DDoS attack by correctly classifying the attack strategy using a machine learning approach. The paper also discusses the applicability of the best machine learning classifiers that are effective against DDoS attacks.

    Intelligent Inter and Intra Network Traffic Estimation Technique for DDoS Attack Detection using Fuzzy Rule Sets for QoS Improvement

    The quality of service of any network depends heavily on throughput, latency and service completion strategies. Modern communication systems contain many loopholes that malicious users can exploit to perform network attacks that degrade the performance of the network. Many approaches to the problem of denial-of-service threats have been discussed, but the quality of denial-of-service attack detection still suffers. We propose a service-constrained approach that learns the network traffic in various ways, distinguishing traffic incurred within the network from traffic that comes from external networks. The method uses features such as hop count, hop details, payload, TTL and time, and maintains a rule set with fuzzy values, where each rule specifies the features of a genuine packet. An incoming packet has to match at least one of the rules, with each attribute of the packet lying within the range of values in that rule. The proposed method estimates the inter-network and intra-network traffic along the routes a packet has traversed to judge whether the received packet is genuine. In addition, the method maintains a set of logs in which packet features are stored to compute the legitimate weight of each packet received. Based on the computed inter and intra traffic values, the trustworthiness of the received packet is computed and the packet is allowed or denied. The proposed method increases the accuracy of DDoS attack detection and helps to improve the performance of the network. DOI: 10.17762/ijritcc2321-8169.15085
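    The abstract describes a rule set with fuzzy ranges over packet features, an intra/inter distinction, and a per-source log that feeds an allow/deny decision. The Python below is an added illustration of that shape of filter, not the paper's implementation. It assumes a packet is a dict with src, dst, ttl, hops (hop count inferred from the TTL) and payload size; that 10.0.0.0/8 is the internal network, so a packet is "intra" when both endpoints are internal and "inter" otherwise; and that the rule base, the trapezoidal membership ranges and the sample packets are all constructed.

```python
"""Fuzzy rule set for packet legitimacy with a per-source trust log.

Added example, not the paper's code. The rule base, membership ranges,
internal prefix, trust decay and sample packets are assumptions.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network
TRUST_DECAY = 0.6        # weight of stored per-source trust versus the newest packet (assumed)
ALLOW_THRESHOLD = 0.5


def trapezoid(x, a, b, c, d):
    """Trapezoidal membership: 0 at or below a, 1 on [b, c], 0 at or above d."""
    if b <= x <= c:
        return 1.0
    if x <= a or x >= d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Each rule describes one shape of genuine traffic: a crisp scope plus fuzzy ranges per feature.
RULES = [
    {"name": "lan_host",         "scope": "intra", "ttl": (55, 60, 64, 66),    "hops": (0, 0, 4, 8),   "payload": (0, 40, 1400, 1500)},
    {"name": "internet_unix",    "scope": "inter", "ttl": (30, 40, 64, 65),    "hops": (4, 8, 24, 34), "payload": (0, 40, 1460, 1500)},
    {"name": "internet_windows", "scope": "inter", "ttl": (94, 104, 128, 129), "hops": (4, 8, 24, 34), "payload": (0, 40, 1460, 1500)},
]
FEATURES = ("ttl", "hops", "payload")


def scope_of(pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return "intra" if src in INTERNAL and dst in INTERNAL else "inter"


def legitimacy(pkt):
    """Degree in [0, 1] to which the packet matches some genuine-traffic rule:
    max over rules (OR) of the min over that rule's feature memberships (AND)."""
    scope, best = scope_of(pkt), 0.0
    for rule in RULES:
        if rule["scope"] != scope:
            continue
        degree = min(trapezoid(pkt[f], *rule[f]) for f in FEATURES)
        best = max(best, degree)
    return best


class FuzzyPacketFilter:
    """Keeps a per-source log (EWMA of legitimacy) and decides allow/deny on it."""

    def __init__(self):
        self.trust = {}

    def decide(self, pkt):
        legit = legitimacy(pkt)
        prev = self.trust.get(pkt["src"], 0.5)          # unknown sources start neutral
        trust = TRUST_DECAY * prev + (1 - TRUST_DECAY) * legit
        self.trust[pkt["src"]] = trust
        return legit, trust, trust >= ALLOW_THRESHOLD


def run_demo():
    """Constructed packets: a LAN transfer, a spoofed flood packet (TTL 255, no hops,
    empty payload, external source), and a normal Internet client."""
    flt = FuzzyPacketFilter()
    packets = [
        {"src": "10.1.2.3",     "dst": "10.9.9.9", "ttl": 63,  "hops": 1,  "payload": 512},
        {"src": "203.0.113.7",  "dst": "10.9.9.9", "ttl": 255, "hops": 0,  "payload": 0},
        {"src": "198.51.100.9", "dst": "10.9.9.9", "ttl": 52,  "hops": 12, "payload": 800},
    ]
    return [flt.decide(p) for p in packets]


if __name__ == "__main__":
    for legit, trust, allowed in run_demo():
        print(f"legitimacy={legit:.2f} trust={trust:.2f} {'ALLOW' if allowed else 'DENY'}")
```

    A packet whose TTL falls on a sloped edge of a rule (for example TTL 35 against the internet_unix rule) gets a partial degree of 0.5 rather than a binary verdict; the trust log then decides, which means a single odd packet from a long-trusted source still passes while a burst of them from a new source is dropped.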

    Long Short-Term Memory and Fuzzy Logic for Anomaly Detection and Mitigation in Software-Defined Network Environment

    Computer networks have become complex and dynamic structures, and configuring and managing the whole structure is a challenging activity. Software-Defined Networking (SDN) is a network paradigm that, through an abstraction of network planes, separates the control plane from the data plane and aims to overcome the limitations of network infrastructure configuration. As in the traditional network environment, the SDN environment is also liable to security vulnerabilities. This work presents a system for the detection and mitigation of Distributed Denial of Service (DDoS) attacks and port scan attacks in SDN environments (LSTM-FUZZY). The LSTM-FUZZY system has three distinct phases: characterization, anomaly detection, and mitigation. The system was tested in two scenarios. In the first scenario, we applied IP flows collected from SDN Floodlight controllers through emulation on Mininet. In the second scenario, the CICDDoS 2019 dataset was applied. The results show the efficiency of the system in assisting network management and in detecting and mitigating the occurrence of the attacks.

    This work was supported in part by the National Council for Scientific and Technological Development (CNPq) of Brazil under Project 310668/2019-0, in part by SETI/Fundacao Araucaria through the concession of scholarships, and in part by the Ministerio de Economia y Competitividad through the Programa Estatal de Fomento de la Investigacion Cientifica y Tecnica de Excelencia, Subprograma Estatal de Generacion de Conocimiento, under Grant TIN2017-84802-C2-1-P.

    Novaes, MP.; Carvalho, LF.; Lloret, J.; Lemes Proença, M. (2020). Long Short-Term Memory and Fuzzy Logic for Anomaly Detection and Mitigation in Software-Defined Network Environment. IEEE Access. 8(1):83765-83781. https://doi.org/10.1109/ACCESS.2020.2992044

    Fuzzy Rule Interpolation and SNMP-MIB for Emerging Network Abnormality

    It is difficult to implement an efficient detection approach for Intrusion Detection Systems (IDS), and many factors contribute to this challenge. One such challenge concerns establishing adequate boundaries and finding a proper data source. Typical IDS detection approaches deal with raw traffic, which has to be studied in depth and thoroughly investigated in order to extract the required knowledge base. Another challenge involves implementing the binary decision, because there are no reasonable limits between normal and attack traffic patterns. In this paper, we introduce a novel idea capable of supporting a proper data source while avoiding the issues associated with the binary decision. The paper introduces a detection approach that defines abnormality using Fuzzy Rule Interpolation (FRI) over Simple Network Management Protocol (SNMP) Management Information Base (MIB) parameters. The strength of the proposed detection approach lies in adapting the SNMP-MIB parameters to the FRI. The method eliminates the raw-traffic processing component, which is time consuming and requires extensive computation, and it also eliminates the need for a complete fuzzy-rule-based intrusion definition. The proposed approach was tested and evaluated using an open-source SNMP-MIB dataset and obtained a 93% detection rate. Additionally, when compared with other work that used the same test-bed environment and the same number of parameters, the proposed detection approach outperformed the support vector machine and the neural network. Therefore, combining SNMP-MIB parameters with FRI-based reasoning can be beneficial for detecting intrusions even when the fuzzy-rule-based intrusion definition is incomplete (not fully defined).
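    What distinguishes rule interpolation from ordinary fuzzy rule matching is the case the abstract stresses: an observation that no rule covers. The Python below is an added illustration, not the paper's code or rule base. It assumes per-second deltas of five MIB-II counters (ifInOctets, ipInReceives, tcpInSegs, udpInDatagrams, icmpInMsgs) normalised against an assumed capacity for each, a constructed sparse rule base whose antecedents are reference points in that normalised space, and the simplest KH-style interpolation: linear between the two rules nearest to the observation, used only when the nearest rule does not cover it directly. The two SNMP polls are constructed, with the octet counter placed just below the 32-bit wrap to show that edge case.

```python
"""Fuzzy rule interpolation (FRI) over SNMP-MIB counter deltas.

Added example, not the paper's code. Counter capacities, the rule base,
the coverage radius and the sample polls are assumptions; the interpolation
is a simplified KH-style linear interpolation between the two nearest rules.
"""
import math

PARAMS = ("ifInOctets", "ipInReceives", "tcpInSegs", "udpInDatagrams", "icmpInMsgs")
CAPACITY = {"ifInOctets": 12_500_000, "ipInReceives": 20_000, "tcpInSegs": 20_000,
            "udpInDatagrams": 20_000, "icmpInMsgs": 2_000}          # per second, assumed
COVER_RADIUS = 0.05     # an observation this close to a rule antecedent fires it directly (assumed)

# Sparse constructed rule base: antecedent reference point -> abnormality degree in [0, 1]
RULES = [
    ({"ifInOctets": 0.1, "ipInReceives": 0.1, "tcpInSegs": 0.1,  "udpInDatagrams": 0.05, "icmpInMsgs": 0.01}, 0.0),  # idle
    ({"ifInOctets": 0.5, "ipInReceives": 0.5, "tcpInSegs": 0.5,  "udpInDatagrams": 0.2,  "icmpInMsgs": 0.02}, 0.1),  # busy, normal
    ({"ifInOctets": 0.9, "ipInReceives": 0.9, "tcpInSegs": 0.1,  "udpInDatagrams": 0.9,  "icmpInMsgs": 0.05}, 0.9),  # UDP flood
    ({"ifInOctets": 0.7, "ipInReceives": 0.9, "tcpInSegs": 0.9,  "udpInDatagrams": 0.05, "icmpInMsgs": 0.02}, 0.8),  # SYN flood
    ({"ifInOctets": 0.6, "ipInReceives": 0.9, "tcpInSegs": 0.05, "udpInDatagrams": 0.05, "icmpInMsgs": 0.9},  0.9),  # ICMP flood
]


def counter_delta(old, new, bits=32):
    """Delta of a monotonically increasing SNMP Counter32, handling wrap-around."""
    return new - old if new >= old else new + (1 << bits) - old


def normalise(prev, curr, interval_s):
    """Two MIB polls -> per-second rates scaled to [0, 1] of the assumed capacity."""
    return {p: min(1.0, counter_delta(prev[p], curr[p]) / interval_s / CAPACITY[p]) for p in PARAMS}


def distance(a, b):
    return math.sqrt(sum((a[p] - b[p]) ** 2 for p in PARAMS))


def infer(obs):
    """Abnormality degree for a normalised observation. If the nearest rule covers
    the observation its consequent is used as-is; otherwise the result is interpolated
    linearly between the two nearest rules with lambda = d1 / (d1 + d2)."""
    ranked = sorted(((distance(obs, ant), cons) for ant, cons in RULES), key=lambda t: t[0])
    (d1, c1), (d2, c2) = ranked[0], ranked[1]
    if d1 <= COVER_RADIUS:
        return c1
    lam = d1 / (d1 + d2)
    return c1 + lam * (c2 - c1)


def run_demo():
    """Three constructed 10-second polls: quiet host, then the same host under a UDP flood.
    Returns (quiet_score, flood_score)."""
    t0 = {"ifInOctets": 4_290_000_000, "ipInReceives": 900_000, "tcpInSegs": 500_000,
          "udpInDatagrams": 300_000, "icmpInMsgs": 8_000}
    # ifInOctets advanced by 15_000_000 and wrapped past 2**32 between these polls
    t1 = {"ifInOctets": 10_032_704, "ipInReceives": 924_000, "tcpInSegs": 524_000,
          "udpInDatagrams": 312_000, "icmpInMsgs": 8_200}
    t2 = {"ifInOctets": 110_032_704, "ipInReceives": 1_094_000, "tcpInSegs": 544_000,
          "udpInDatagrams": 452_000, "icmpInMsgs": 9_000}
    quiet = infer(normalise(t0, t1, 10))
    flood = infer(normalise(t1, t2, 10))
    return quiet, flood


if __name__ == "__main__":
    quiet, flood = run_demo()
    print(f"quiet window: abnormality {quiet:.2f}; flood window: abnormality {flood:.2f}")
```

    The flood window (roughly 0.8, 0.85, 0.1, 0.7, 0.04 in normalised space) matches no rule exactly, so it lands between the "UDP flood" and "busy, normal" rules and interpolates to about 0.72 rather than falling through to "no rule fired". That is the point of FRI in this setting: a sparse rule base still yields a graded answer for traffic shapes it was never explicitly given.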