83 research outputs found

    Fingerprinting Internet DNS Amplification DDoS Activities

    This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three-month period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing DNS amplification DDoS activities.
    Comment: 5 pages, 2 figures

    A Survey of Intrusion Detection Techniques in Computer Network

    As advances in networking technology help to connect distant corners of the globe and as the Internet continues to expand its influence as a medium for communication, the threat from attackers and criminal enterprises has also grown accordingly. The increasing occurrence of network attacks is a very big issue for network services. So, the Intrusion Detection System has become a necessary component of network security. It is used for the detection of many known and unknown network vulnerabilities in wired networks. While Internet services are used for any purpose, we normally do not know who is attacking the computer network. Those network attacks can cause network services to become slow, temporarily unavailable, or down for a long period of time. The concern of this work is to peruse various methods of network attack detection and compare these methods by considering their pros and cons.

    A Comparison of Generalizability for Anomaly Detection

    In security-related areas there is concern over the novel “zero-day” attack that penetrates system defenses and wreaks havoc. The best methods for countering these threats are recognizing “non-self” as in an Artificial Immune System or recognizing “self” through clustering. For either case, the concern remains that something that looks similar to self could be missed. Given this situation one could logically assume that a tighter fit to self rather than generalizability is important for false positive reduction in this type of learning problem. This article shows that a tight fit, although important, does not supersede having some model generality. This is shown using three systems. The first two use sphere and ellipsoid clusters with a k-means algorithm modified to work on the one-class/blind classification problem. The third is based on wrapping the self points with a multidimensional convex hull (polytope) algorithm capable of learning disjunctive concepts via a thresholding constant. All three of these algorithms are tested on an intrusion detection problem and a steganalysis problem with results exceeding published results using an Artificial Immune System.

    A Predictive Model to Predict Cyberattack Using Self-Normalizing Neural Networks

    Cyberattack is a never-ending war that has greatly threatened secured information systems. The development of automated and intelligent systems provides more computing power to hackers to steal information, destroy data or system resources, and has raised global security issues. Statistical and data mining tools have received continuous research and improvements. These tools have been adopted to create sophisticated intrusion detection systems that help information systems mitigate and defend against cyberattacks. However, the advancement in technology and accessibility of information makes more identifiable elements that can be used to gain unauthorized access to systems and resources. Data mining and classification tools such as K-Nearest Neighbors, Support Vector Machines, and Decision Trees, among others, have been improved over time and used to build models for intrusion detection systems. This enables information systems, internet-connected devices, or devices running on a computer network to gain immunity against cyberattacks. However, these classification models hit some limitations as the sample size of data increases. Neural networks are an artificial intelligence tool that has been in active research over recent years. They have proven to handle big data and understand complex relationships better than the previous classification methods. Recent studies have demonstrated better models, showing better accuracy for intrusion detection systems using neural networks. In this thesis, we use a class of neural networks known as Self-Normalizing Neural Networks, which implements a scaled exponential linear unit activation function (SELU) developed by Klambauer et al. [12], to build a predictive model to detect cyberattacks against normal network traffic or connections using classification, in the KDD CUP 99 dataset from the Third International Knowledge Discovery and Data Mining Tools Competition, that was held in 1999. The accuracy and precision of the self-normalizing neural networks are compared with those of the k-nearest neighbors and support vector machines. The self-normalizing neural network appears to perform better. It is an excellent classifier for denial-of-service attacks, probe attacks, and user-to-root attacks while efficiently predicting normal connections. The result in this thesis is also compared with existing literature, which appears to perform better.

    An approach for detection of DDoS attacks against the control plane of software defined networks

    Security of the infrastructure of Software Defined Networks (SDN) is a challenging problem. SDN introduces new threat vectors in addition to those inherited from legacy networks. Thus, it becomes an attractive target for attackers. SDN separates the control and data planes, and migrates the control functions to a logically centralized entity called the controller, which might be an attractive target for Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. These attacks can be executed easily using open access tools and without requiring specialized or high performance hardware. According to the literature, the protection of the SDN infrastructure, especially against this kind of threat, has not been widely addressed. Thus, we propose an algorithm to detect DDoS attacks against the SDN control plane. Our algorithm considers both the OpenFlow traffic towards the control plane and specific interfaces of OpenFlow switches (local perspective detection) or the whole aggregated OpenFlow traffic on the control channel (global perspective detection). In our evaluation, we achieved a 99.94% accuracy in detecting attacks with 0.04% false positives and 0.07% false negatives.
    Spanish abstract (translated): The security of the infrastructure of Software Defined Networks (SDN) is a difficult problem. SDN introduces new threat vectors in addition to those inherited from traditional networks. SDN thus becomes an attractive target for attackers. SDN separates the control plane and the data plane, so that the control functions are migrated to a logically centralized entity called the controller, which can be an attractive target for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks can be executed easily using freely available tools and without requiring specialized or high-performance hardware. According to the literature, the protection of the SDN infrastructure, especially against this type of threat, has not been widely addressed. We propose an algorithm to detect DDoS attacks against the SDN control plane. Our algorithm considers the traffic passing between the control plane and specific interfaces of the OpenFlow switches (local detection perspective) and all the aggregated OpenFlow traffic on the control channel (global detection perspective). In our evaluation, we achieved 99.94% accuracy in detecting attacks with 0.04% false positives (events that do not correspond to attacks) and 0.07% false negatives (attack events that were ignored).

    Using Relational Schemata in a Computer Immune System to Detect Multiple-Packet Network Intrusions

    Given the increasingly prominent cyber-based threat, there are substantial research and development efforts underway in network and host-based intrusion detection using single-packet traffic analysis. However, there is a noticeable lack of research and development in the intrusion detection realm with regard to attacks that span multiple packets. This leaves a conspicuous gap in intrusion detection capability because not all attacks can be found by examining single packets alone. Some attacks may only be detected by examining multiple network packets collectively, considering how they relate to the big picture, not how they are represented as individual packets. This research demonstrates a multiple-packet relational sensor in the context of a Computer Immune System (CIS) model to search for attacks that might otherwise go unnoticed via single-packet detection methods. Using relational schemata, multiple-packet CIS sensors define self based on equal, less than, and greater than relationships between fields of routine network packet headers. Attacks are then detected by examining how the relationships among attack packets may lie outside of the previously defined self.

    Anomaly-Based Intrusion Detection System

    Anomaly-based network intrusion detection plays a vital role in protecting networks against malicious activities. In recent years, data mining techniques have gained importance in addressing security issues in networks. Intrusion detection systems (IDS) aim to identify intrusions with a low false alarm rate and a high detection rate. Although classification-based data mining techniques are popular, they are not effective at detecting unknown attacks. Unsupervised learning methods have been given a closer look for network IDS, but they are insignificant in detecting dynamic intrusion activities. The recent contributions in the literature focus on machine learning techniques to build anomaly-based intrusion detection systems, which extract the knowledge from the training phase. Though existing intrusion detection techniques address the latest types of attacks like DoS, Probe, U2R, and R2L, reducing the false alarm rate is a challenging issue. Most network IDS depend on the deployed environment. Hence, developing a system which is independent of the deployed environment with a fast and appropriate feature selection method is a challenging issue. The exponential growth of zero-day attacks emphasizes the need for security mechanisms which can accurately detect previously unknown attacks, which is another challenging task. In this work, an attempt is made to develop a generic meta-heuristic scale for both known and unknown attacks with a high detection rate and low false alarm rate by adopting efficient feature optimization techniques.

    Development of a Response Planner Using the UCT Algorithm for Cyber Defense

    A need for a quick response to cyber attacks is a prevalent problem for computer network operators today. There is a small window to respond to a cyber attack when it occurs to prevent significant damage to a computer network. Automated response planners offer one solution to resolve this issue. This work presents the Network Defense Planner System (NDPS), a planner dependent on the effectiveness of the detection of the cyber attack. This research first explores making classification of network attacks faster for real-time detection, the basic function an Intrusion Detection System (IDS) provides. After identifying the type of attack, learning the rewards to use in the NDPS is the second important area of this research. For NDPS to assemble the optimal plan, learning the rewards for resulting network states is critical and often depends on the preferences of the network operator. Using neural networks, the second area of this research demonstrates that capturing the preferences through samples is feasible. After training the neural network, a model can be created to obtain reward estimates. The research performed in these two areas complements the final portion of the research, which is assembling the optimal plan using the Upper Bounds on Confidence for Trees (UCT) algorithm. NDPS is implemented using the UCT algorithm, which allows for quick plan formulation by searching through predicted network states based on available network actions. UCT can effectively create a plan quickly and is guaranteed to provide the optimal plan, according to the rewards used, if enough time is allotted. NDPS is tested against eight random attack scenarios. For each attack scenario, the plan is polled at specific time intervals to test how quickly the optimal plan can be formulated. Results demonstrate the feasibility of NDPS to be used in real world scenarios since the optimal plans for each attack type can be formulated in real-time, allowing for a rapid system response.