
    DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey

    Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks are typically explicit attempts to exhaust a victim's bandwidth or disrupt legitimate users' access to services. The traditional architecture of the internet is vulnerable to DDoS attacks, and it gives an attacker the opportunity to gain control of a large number of compromised computers by exploiting their vulnerabilities to set up attack networks, or Botnets. Once the attack network or Botnet has been set up, the attacker launches a large-scale, coordinated attack against one or more targets. As a result of the continuous evolution of new attacks and the ever-increasing number of vulnerable hosts on the internet, many DDoS attack Detection, Prevention and Traceback mechanisms have been proposed. In this paper, we survey the different types and techniques of DDoS attacks and their countermeasures. The significance of this paper lies in its coverage of many aspects of countering DDoS attacks, including detection, defence and mitigation, traceback approaches, open issues and research challenges.

    Detection of Denial of Service (DoS) Attacks in Local Area Networks Based on Outgoing Packets

    Denial of Service (DoS) is a security threat which compromises the confidentiality of information stored in Local Area Networks (LANs) due to unauthorized access by spoofed IP addresses. DoS is harmful to LANs as the flooding of packets may delay other users from accessing the server and in severe cases, the server may need to be shut down, wasting valuable resources, especially in critical real-time services such as in e-commerce and the medical field. The objective of this project is to propose a new DoS detection system to protect organizations from unauthenticated access to important information which may jeopardize the confidentiality, privacy and integrity of information in Local Area Networks. The new DoS detection system monitors the traffic flow of packets and filters the packets based on their IP addresses to determine whether they are genuine requests for network services or DoS attacks. Results obtained demonstrate that the detection accuracy of the new DoS detection system was in good agreement with the detection accuracy from the network protocol analyzer, Wireshark. For high-rate DoS attacks, the accuracy was 100% whereas for low-rate DoS attacks, the accuracy was 67%

    Developing an Advanced IPv6 Evasion Attack Detection Framework

    Internet Protocol Version 6 (IPv6) is the most recent generation of the Internet Protocol. The transition from the current Internet Protocol Version 4 (IPv4) to IPv6 has raised new issues, the most crucial being security vulnerabilities. Most vulnerabilities are common to IPv4 and IPv6, e.g. Evasion attacks, Distributed Denial of Service (DDoS) and Fragmentation attacks. According to the IPv6 RFC (Request for Comments) recommendations, there are potential attacks against various Operating Systems. Discrepancies between the behaviour of different Operating Systems can lead to Intrusion Detection System (IDS) evasion, Firewall evasion, Operating System fingerprinting, Network Mapping, DoS/DDoS attacks and Remote code execution attacks. We investigated some of the security issues of IPv6 by reviewing existing solutions and methods and performed tests on two open source Network Intrusion Detection Systems (NIDSs), Snort and Suricata, against some IPv6 evasion and attack methods. The results show that both NIDSs are unable to detect most of the methods used to evade detection. This thesis presents a detection framework developed specifically for IPv6 networks to detect evasion, insertion and DoS attacks that use IPv6 Extension Headers and Fragmentation. We implemented the proposed theoretical solution in a framework for evaluation tests. To develop the framework, the “dpkt” module is employed to capture and decode packets. During the development phase, a bug in the module used to parse/decode packets was found, and a patch was provided so that the module decodes IPv6 packets correctly. The standard unpack function included in the “ip6” section of the “dpkt” package follows extension headers, which means that after parsing one has no access to all the extension headers in their original order. By defining a new field called all_extension_headers and adding each header to it before it is moved along, we have access to all the extension headers while keeping the original parse speed of the framework virtually untouched. The extra memory footprint is also negligible, as it is a linear fraction of the size of the whole set of packets. By decoding the packet, extracting data from it and evaluating the data against user-defined values, the proposed framework is able to detect IPv6 Evasion, Insertion and DoS attacks. The proposed framework consists of four layers. The first layer captures the network traffic and passes it to the second layer for packet decoding, which is the most important part of the detection process: if the NIDS cannot decode and extract the packet content, it cannot pass correct information to the Detection Engine. Once the packet has been decoded, it is sent to the third layer, the brain of the proposed solution, which makes a decision by evaluating the information against the defined values to determine whether the packet is a threat or not. This layer is called the Detection Engine. Once the packet(s) have been examined by the detection processes, the result is sent to the output layer. If the packet matches a type or signature that the system administrator has chosen, it raises an alarm and automatically logs all details of the packet, saving them for the administrator for further investigation. We evaluated the proposed framework and its processes via numerous experiments. The results show that the proposed framework, called the NOPO framework, offers better detection in terms of accuracy, a more accurate packet decoding process, and reduced resource usage compared to both existing NIDSs.

    Sistema de predição de ataques de negação de serviço distribuídos

    Advisor: Prof. Dr. Michele Nogueira Lima. Master's dissertation, Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defended in Curitiba, 23/03/2018. Includes references: pp. 50-52. Area of concentration: Computer Science. Abstract (translated from Portuguese): Distributed Denial of Service (DDoS) attacks are growing significantly in volume, sophistication and impact. Examples are the DDoS attacks against the French company OVN and the name provider DYN, which reached unprecedented volumes of malicious traffic. In general, these attacks are detected or mitigated only when they are already in advanced stages. So far, studies have presented approaches and techniques focused mainly on the detection and mitigation of these attacks. Recently, research has emerged that presents artifacts focused on predicting DDoS attacks by means of neural networks that predict the traffic matrix; or through statistical tools, for example Markov models that predict the stages of an attack, or methods that evaluate the stability of time series by applying ARIMA, among others. Such approaches require prior training of the neural networks or of the respective algorithms, and thus demand a history of DDoS attacks in the network flow or attack signatures. The approaches presented are therefore limited to previously known attacks. In general, the overload of the victim resulting from a DDoS attack occurs in a very short time interval (milliseconds). Thus, by the time the techniques proposed by earlier approaches manage to identify an approaching attack on the network, the overload is already under way and therefore very close, resulting in the unavailability of services. Unlike other works, this study advocates the early prognosis of DDoS attacks in order to avoid the costs and losses caused by the attack. This work presents STARK, a self-adaptive DDoS attack prediction system that identifies signs of an attack on the network before it reaches advanced stages. Based on metastability theory, the STARK system provides unsupervised statistical learning and identifies the imminence of DDoS attacks. This means the system does not need prior knowledge of the characteristics of the network flow, DDoS attack signatures or prior training of algorithms in order to predict the attack. The evaluation of the STARK system follows a trace-driven approach in which three datasets are used. Features are extracted from these datasets and submitted to the statistical indicators in order to evaluate the behavioural trend of the data. From the observed trend it is possible to identify the approach of a critical transition, in this case the imminence of a DDoS attack. In the evaluations carried out with the different traces, the STARK system demonstrates the ability to predict the respective DDoS attacks minutes or hours in advance. Keywords: Attacks, DDoS, Metastability, Prediction, Network security. Abstract: Distributed Denial of Service (DDoS) attacks grow significantly in volume, sophistication and impact. Examples are the DDoS attacks against the French company OVN and the DYN name provider, which reached unprecedented volumes of malicious traffic in 2016. In general, these attacks are detected or mitigated only when they are in advanced stages. So far, studies show approaches and techniques focused mainly on the detection and mitigation of these attacks. Recently, research has emerged that presents artifacts focused on DDoS attack prediction by means of neural networks acting on traffic matrix prediction; or through statistical tools, for example Markov models which predict the steps of an attack, or which evaluate the stability of time series by applying ARIMA, among others. Such approaches require the prior training of neural networks or of the respective algorithms. Hence, they demand DDoS attack history in the network flow or attack signatures. The approaches presented are limited to previously known attacks. In general, the overload of a DDoS attack victim occurs in a very short time interval (milliseconds). Thus, when the techniques proposed by the previous approaches can identify the closeness of an attack in the network, the overload is already in progress and so very close, resulting in service unavailability. Different from other works, this study defends the early prognosis of DDoS attacks in order to avoid costs and losses from the attack. This work presents STARK, a self-adaptable system for DDoS attack prediction, which identifies attack evidence in the network before it reaches advanced stages. Based on metastability theory, the STARK system provides unsupervised statistical learning and identifies DDoS attack imminence. This means the system does not need prior knowledge of the network flow, of DDoS attack signatures or prior training of algorithms to predict the attack. The STARK system evaluation follows a trace-driven approach in which three datasets are used. Features are extracted from these datasets in order to submit them to the statistical indicators and evaluate the data behaviour trends. From the trends in the dataset behaviour it is possible to identify the closeness of a critical transition, in this case DDoS attack imminence. In the evaluations carried out with different traces, the STARK system shows the capability of predicting the respective DDoS attacks minutes or hours in advance. Keywords: Attacks, DDoS, Metastability, Prediction, Network Security

    Mitigating Insider Threat Risks in Cyber-physical Manufacturing Systems

    Cyber-Physical Manufacturing System (CPMS), a next generation manufacturing system, seamlessly integrates digital and physical domains via the internet or computer networks. It will enable drastic improvements in production flexibility, capacity, and cost-efficiency. However, the enlarged connectivity and accessibility that come with this integration can yield unintended security concerns. The major concern arises from cyber-physical attacks, which originate in the digital domain but cause damage in the physical domain. In particular, such attacks can be performed easily, and with more critical consequences, by insiders: Insider Threats. Insiders can be defined as anyone who is or has been affiliated with a system. Insiders have knowledge of, and access credentials for, the system's properties, and can therefore perform more serious attacks than outsiders. Furthermore, it is hard to detect or prevent insider threats in CPMS in a timely manner, since insiders can easily bypass or incapacitate the general defensive mechanisms of the system by exploiting their physical access, security clearance, and knowledge of the system's vulnerabilities. This thesis seeks to address the above issues by developing an insider-threat-tolerant CPMS, enhanced by a service-oriented blockchain augmentation, and by conducting experiments and analysis. The aim of the research is to identify insider threat vulnerabilities and improve the security of CPMS. Blockchain's distributed system approach is adopted to mitigate insider threat risks in CPMS. However, the blockchain limits system performance because of its arbitrary block generation time and block occurrence frequency. The service-oriented blockchain augmentation provides physical and digital entities with the blockchain communication protocol through a service layer. In this way, multiple entities are integrated by the service layer, which delivers the services with less arbitrary delay while retaining the strong security of the blockchain. Also, multiple independent service applications in the service layer can ensure the flexibility and productivity of the CPMS. To study the effectiveness of the blockchain augmentation against insider threats, two example models of the proposed system have been developed: Layer Image Auditing System (LIAS) and Secure Programmable Logic Controller (SPLC). Four case studies are designed and presented based on the two models and evaluated with an Insider Attack Scenario Assessment Framework. The framework investigates the system's security vulnerabilities and practically evaluates the insider attack scenarios. The research contributes to the understanding of insider threats and blockchain implementations in CPMS by addressing key issues identified in the literature. The issues are addressed by the EBIS (Establish, Build, Identify, Simulation) validation process with numerical experiments, whose results are in turn used towards mitigating insider threat risks in CPMS.

    Collaborative Intrusion Detection in Federated Cloud Environments using Dempster-Shafer Theory of Evidence

    Moving services to the Cloud environment is a trend that has been growing in recent years, with a constant increase in the sophistication and complexity of such services. Today, even critical infrastructure operators are considering moving their services and data to the Cloud. As Cloud computing grows in popularity, new models are deployed to extend the associated benefits. Federated Clouds are one such concept, and are an alternative for companies reluctant to move their data out of house to Cloud Service Providers (CSPs) because of security and confidentiality concerns. Lack of collaboration among different components within a Cloud federation, or among CSPs, for the detection or prevention of attacks is an issue. Because Cloud environments and Cloud federations are large scale, any solution for protecting these services and data must scale alongside the environment and adapt to the underlying infrastructure without issues or performance implications. This thesis presents a novel architecture for collaborative intrusion detection specifically for CSPs within a Cloud federation. Our approach offers a proactive model for Cloud intrusion detection based on the distribution of responsibilities, whereby the responsibility for managing the elements of the Cloud is distributed among several monitoring nodes and a broker, utilising our service-based collaborative intrusion detection, or “Security as a Service”, methodology. For collaborative intrusion detection, the Dempster-Shafer (D-S) theory of evidence is applied in a fusion node whose role is to collect and fuse the information provided by the monitoring entities and take the final decision regarding a possible attack. This type of detection and prevention helps increase resilience to attacks in the Cloud. The main novel contribution of this project is that it provides the means by which DDoS attacks are detected within a Cloud federation, so as to enable an early, propagated response to block the attack. This inter-domain cooperation offers holistic security and adds to defence in depth. However, while the use of D-S seems promising, there is an issue with conflicting evidence, which is addressed with an extended two-stage D-S fusion process. The evidence from the research strongly suggests that fusion algorithms can play a key role in autonomous decision-making schemes; however, our experimentation highlights areas in which improvements are needed before they can be fully applied to federated environments.

    The 1st International Conference on Computational Engineering and Intelligent Systems

    Computational engineering, artificial intelligence and smart systems constitute a hot multidisciplinary topic spanning computer science, engineering and applied mathematics that has created a variety of fascinating intelligent systems. Computational engineering encompasses fundamental engineering and science blended with advanced knowledge of mathematics, algorithms and computer languages. It is concerned with the modeling and simulation of complex systems and with data processing methods. Computing and artificial intelligence lead to smart systems, advanced machines designed to fulfill certain specifications. This proceedings book is a collection of papers presented at the first International Conference on Computational Engineering and Intelligent Systems (ICCEIS2021), held online in the period December 10-12, 2021. The collection offers a wide scope of engineering topics, including smart grids, intelligent control, artificial intelligence, optimization, microelectronics and telecommunication systems. The contributions included in this book are of high quality, present details of the topics in a succinct way, and can serve as an excellent reference and support for readers in the field of computational engineering, artificial intelligence and smart systems.

    Cybersecurity of Digital Service Chains

    This open access book presents the main scientific results from the H2020 GUARD project. The GUARD project aims at filling the current technological gap between software management paradigms and cybersecurity models, the latter still lacking orchestration and agility to effectively address the dynamicity of the former. This book provides a comprehensive review of the main concepts, architectures, algorithms, and non-technical aspects developed during three years of investigation; the description of the Smart Mobility use case developed at the end of the project gives a practical example of how the GUARD platform and related technologies can be deployed in practical scenarios. We expect the book to be interesting for the broad group of researchers, engineers, and professionals daily experiencing the inadequacy of outdated cybersecurity models for modern computing environments and cyber-physical systems