FLAD: Adaptive Federated Learning for DDoS Attack Detection
Federated Learning (FL) has recently been receiving increasing consideration
from the cybersecurity community as a way to collaboratively train deep
learning models on distributed profiles of cyberthreats, with no disclosure
of training data. Nevertheless, the adoption of FL in cybersecurity is still in
its infancy, and a range of practical aspects have not yet been properly
addressed. Indeed, the Federated Averaging algorithm at the core of the FL
concept requires the availability of test data to control the FL process.
Although this might be feasible in some domains, test network traffic of newly
discovered attacks cannot always be shared without disclosing sensitive
information. In this paper, we address the convergence of the FL process in
dynamic cybersecurity scenarios, where the trained model must be frequently
updated with recent attack profiles to provide all members of the federation
with the latest detection capabilities. To this aim, we propose FLAD (adaptive
Federated Learning Approach to DDoS attack detection), an FL solution for
cybersecurity applications based on an adaptive mechanism that orchestrates the
FL process by dynamically assigning more computation to those members whose
attack profiles are harder to learn, without the need to share any test data to
monitor the performance of the trained model. Using a recent dataset of DDoS
attacks, we demonstrate that FLAD outperforms the original FL algorithm in
terms of convergence time and accuracy across a range of unbalanced datasets of
heterogeneous DDoS attacks. We also show the robustness of our approach in a
realistic scenario, where we retrain the deep learning model multiple times to
introduce the profiles of new attacks into a pre-trained model.
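The mechanism the abstract describes, assigning more local computation to the members whose data is hardest to fit while sharing no test data, can be illustrated with a toy Federated Averaging loop. The following is an added example, not FLAD's own algorithm or code: each member runs local gradient descent and reports only its training loss, and the server uses those losses to set the next round's local epochs. The two one-dimensional datasets, the logistic model and the allocation rule are all constructed for the illustration.

```python
"""Toy FedAvg with loss-driven allocation of local epochs (illustration, not FLAD)."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def mean_loss(model, data):
    """Mean logistic loss of a (weight, bias) model on [(x, y), ...], computed stably."""
    w, b = model
    total = 0.0
    for x, y in data:
        t = -(w * x + b) if y == 1 else (w * x + b)   # loss = log(1 + e^t)
        total += max(t, 0.0) + math.log1p(math.exp(-abs(t)))
    return total / len(data)


def local_train(model, data, epochs, lr=0.5):
    """Full-batch gradient descent; returns the updated model and its training loss.

    The loss is the only thing a member reports back: no held-out data leaves the member.
    """
    w, b = model
    for _ in range(epochs):
        gw = gb = 0.0
        for x, y in data:
            err = sigmoid(w * x + b) - y
            gw += err * x
            gb += err
        w -= lr * gw / len(data)
        b -= lr * gb / len(data)
    return (w, b), mean_loss((w, b), data)


def allocate_epochs(losses, max_epochs):
    """Hardest member (highest reported loss) gets max_epochs; others proportionally, at least 1.

    Constructed allocation rule: the abstract only states that harder profiles get more computation.
    """
    worst = max(losses.values())
    return {k: max(1, round(max_epochs * l / worst)) for k, l in losses.items()}


def fedavg(models, sizes):
    """Federated Averaging: sample-count weighted mean of the members' models."""
    n = sum(sizes.values())
    w = sum(models[k][0] * sizes[k] for k in models) / n
    b = sum(models[k][1] * sizes[k] for k in models) / n
    return (w, b)


def accuracy(model, data):
    w, b = model
    return sum((w * x + b > 0) == (y == 1) for x, y in data) / len(data)


def run(clients, rounds=10, max_epochs=5):
    """Returns the final global model and, per round, (epochs assigned, losses reported)."""
    model = (0.0, 0.0)
    losses = {k: mean_loss(model, d) for k, d in clients.items()}   # all equal (ln 2) at start
    history = []
    for _ in range(rounds):
        epochs = allocate_epochs(losses, max_epochs)
        local = {}
        for k, d in clients.items():
            local[k], losses[k] = local_train(model, d, epochs[k])
        model = fedavg(local, {k: len(d) for k, d in clients.items()})
        history.append((epochs, dict(losses)))
    return model, history


# Constructed members: same task, but the "hard" member's samples sit close to the boundary,
# so its logistic loss stays high for the same global model.
CLIENTS = {
    "easy": [(-4.0, 0), (-3.0, 0), (-2.0, 0), (2.0, 1), (3.0, 1), (4.0, 1)],
    "hard": [(-0.3, 0), (-0.2, 0), (-0.1, 0), (0.1, 1), (0.2, 1), (0.3, 1)],
}

if __name__ == "__main__":
    final, hist = run(CLIENTS)
    for r, (ep, lo) in enumerate(hist, 1):
        rounded = {k: round(v, 3) for k, v in lo.items()}
        print(f"round {r}: epochs={ep} reported losses={rounded}")
    print("global accuracy:", accuracy(final, CLIENTS["easy"] + CLIENTS["hard"]))
```

From the second round on, the member with the small-margin data is assigned the maximum number of local epochs while the easy member drops to one, purely on the basis of reported training loss; the global model still ends up classifying both members' samples correctly.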
Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4
Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to
modern telecommunications networks: detecting and counteracting them is still a
crucial unresolved challenge for network operators. DDoS attack detection is
usually carried out in one or more central nodes that collect significant
amounts of monitoring data from networking devices, potentially creating issues
related to network overload or delay in detection. The dawn of programmable
data planes in Software-Defined Networks can help mitigate this issue, opening
the door to the detection of DDoS attacks directly in the data plane of the
switches. However, the most widely adopted data plane programming language,
namely P4, lacks support for many arithmetic operations; as a result, some of
the advanced network monitoring functionalities needed for DDoS detection
cannot be straightforwardly implemented in P4. This work overcomes such a
limitation and presents two novel strategies, for flow cardinality and for
normalized network traffic entropy estimation, that only use P4-supported
operations and guarantee a low relative error. Additionally, based on these
contributions, we propose a DDoS detection strategy relying on variations of
the normalized network traffic entropy. Results show that it has comparable or
higher detection accuracy than state-of-the-art solutions, while being simpler
and entirely executed in the data plane.
Comment: Accepted by TDSC on 24/09/202
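The constraint the abstract points to, that P4 offers lookups, adds and shifts but no floating point, no logarithm and generally no division, shapes how entropy can be tracked per packet. The following added example (not the paper's estimator, which is not reproduced on this page) shows the conventional incremental approach in Python: the control plane precomputes a fixed-point table of c*log2(c), the per-packet work is one counter read, one table lookup and one add, and closing the window every 2^k packets turns the division by N into a shift. The final normalization by log2(#destinations) and the comparison of consecutive windows are done with ordinary arithmetic here; how the paper carries those steps out in the data plane is not shown on this page. Traffic windows are constructed.

```python
"""Incremental normalized destination entropy with table lookups, adds and shifts (illustration)."""
import math
from collections import Counter

FRAC = 16                      # fixed-point fractional bits
WINDOW_LOG2 = 6                # window closes after 2**6 = 64 packets, so S / N becomes S >> 6
WINDOW = 1 << WINDOW_LOG2

# Control-plane precomputation; the per-packet path only indexes these tables.
XLOGX = [round(c * math.log2(c) * (1 << FRAC)) if c else 0 for c in range(WINDOW + 1)]
XLOGX_DELTA = [XLOGX[c + 1] - XLOGX[c] for c in range(WINDOW)]       # (c+1)log2(c+1) - c log2 c
LOG2_FIXED = [round(math.log2(d) * (1 << FRAC)) if d else 0 for d in range(WINDOW + 1)]


def window_stats(dst_ips):
    """Per-packet: read destination counter c, add XLOGX_DELTA[c], bump counter.

    Returns H = log2(N) - S/N in fixed point and the number of distinct destinations.
    """
    if len(dst_ips) != WINDOW:
        raise ValueError("window must hold exactly 2**WINDOW_LOG2 packets")
    counters = Counter()
    s_fixed = 0            # running sum of c*log2(c) over destinations, fixed point
    distinct = 0
    for dst in dst_ips:
        c = counters[dst]
        if c == 0:
            distinct += 1
        s_fixed += XLOGX_DELTA[c]
        counters[dst] = c + 1
    h_fixed = (WINDOW_LOG2 << FRAC) - (s_fixed >> WINDOW_LOG2)
    return h_fixed, distinct


def normalized_entropy_fixed(dst_ips):
    """H / log2(D); the division is not a P4 data-plane operation (see lead-in)."""
    h_fixed, distinct = window_stats(dst_ips)
    if distinct < 2:
        return 0.0
    return h_fixed / LOG2_FIXED[distinct]


def normalized_entropy_exact(dst_ips):
    """Floating-point reference for checking the fixed-point estimate."""
    n = len(dst_ips)
    counts = Counter(dst_ips)
    if len(counts) < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))


def detect(windows, drop_threshold=0.3):
    """Alarm on a window whose normalized entropy fell by more than drop_threshold from the previous one."""
    alarms, prev = [], None
    for w in windows:
        cur = normalized_entropy_fixed(w)
        alarms.append(prev is not None and prev - cur > drop_threshold)
        prev = cur
    return alarms


# Constructed traffic: 64 packets spread evenly over 16 destinations (normalized entropy 1.0),
# then 64 packets of which 52 target a single victim.
BENIGN = [f"10.0.0.{i % 16}" for i in range(WINDOW)]
ATTACK = ["10.0.0.99"] * 52 + [f"10.0.1.{i}" for i in range(12)]

if __name__ == "__main__":
    for name, w in (("benign", BENIGN), ("attack", ATTACK)):
        print(name, round(normalized_entropy_fixed(w), 4), round(normalized_entropy_exact(w), 4))
    print(detect([BENIGN, BENIGN, ATTACK]))
```

With 16 fractional bits the per-packet rounding error is at most one table unit, so after the shift the fixed-point estimate agrees with the floating-point value to well under 1%; the attack window drops the normalized entropy from 1.0 to about 0.37.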
Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration
Growing traffic demands and increasing security awareness are driving the
need for secure services. Current solutions require manual configuration and
deployment based on the customer's requirements. In this work, we present an
architecture for an automatic intent-based provisioning of a secure service in
a multilayer - IP, Ethernet, and optical - network while choosing the
appropriate encryption layer using an open-source software-defined networking
(SDN) orchestrator. The approach is experimentally evaluated in a testbed with
commercial equipment. Results indicate that the processing impact of secure
channel creation on a controller is negligible. As the time for setting up
services over WDM varies between technologies, it needs to be taken into
account in the decision-making process.
Comment: Parts of the presented work have received funding from the European
Commission within the H2020 Research and Innovation Programme, under grant
agreement n.645127, project ACIN
Application-Centric Provisioning of Virtual Security Network Functions
Network Function Virtualization (NFV) enables flexible implementation and provisioning of network functions as virtual machines running on commodity servers. Due to the availability of multiple hosting servers, such network functions (also called Virtual Network Functions (VNFs)) can be placed where they are actually needed, and dynamically migrated, duplicated, or deleted according to the current network requirements. However, the placement of VNFs within the physical network is one of the main challenges in the NFV domain, as it has a critical impact on the performance of the network. In this work we focus on the efficient placement of Virtual Security Network Functions (VSNFs), i.e., virtual network functions whose purpose is to prevent or mitigate network security threats. In this regard, we tackle the placement problem not only considering performance optimization aspects, but also trying to find solutions that are consistent from the security viewpoint. Specifically, the main contribution of this paper is the formulation of the placement problem taking into account both the security and the Quality of Service (QoS) requirements of user applications.
Resource-aware Cyber Deception in Cloud-Native Environments
Cyber deception can be a valuable addition to traditional cyber defense
mechanisms, especially for modern cloud-native environments with a fading
security perimeter. However, pre-built decoys used in classical computer
networks are not effective in detecting and mitigating malicious actors due to
their inability to blend with the variety of applications in such environments.
On the other hand, decoys cloning the deployed microservices of an application
can offer a high-fidelity deception mechanism to intercept ongoing attacks
within production environments. To fully benefit from this approach, however,
it is essential to use a limited amount of decoy resources and devise a
suitable cloning strategy to minimize the impact on the performance of
legitimate services. Following this observation, we formulate a non-linear
integer optimization problem that maximizes the number of attack paths
intercepted by the allocated decoys within a fixed resource budget. Attack
paths represent the attacker's movements within the infrastructure as a
sequence of violated microservices. We also design a heuristic decoy placement
algorithm to approximate the optimal solution and overcome the computational
complexity of the proposed formulation. We evaluate the performance of the
optimal and heuristic solutions against other schemes that use local
vulnerability metrics to select which microservices to clone as decoys. Our
results show that the proposed allocation strategy achieves a higher number of
intercepted attack paths compared to these schemes while requiring
approximately the same number of decoys.
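The abstract's core comparison, path-coverage placement versus placement by local vulnerability score, can be made concrete on a small constructed instance. The following added example is not the paper's formulation or heuristic: it treats an attack path as intercepted when any microservice on it has been cloned as a decoy, solves the budgeted coverage problem exactly by enumeration (feasible for six services), approximates it with a cost-aware greedy heuristic, and contrasts both with picking the highest-scored services until the budget runs out. Service names, decoy costs, vulnerability scores and attack paths are all constructed.

```python
"""Decoy placement as budgeted attack-path coverage: exact, greedy, and a vulnerability-score baseline."""
from itertools import combinations

# Constructed microservices: name -> (decoy resource cost, local vulnerability score, e.g. a CVSS-like number)
SERVICES = {
    "gateway": (2, 7.5),
    "auth": (1, 9.8),
    "orders": (2, 5.3),
    "payments": (3, 9.1),
    "db": (3, 4.0),
    "search": (1, 8.2),
}

# Constructed attack paths: each is the sequence of microservices an attacker compromises in turn.
PATHS = [
    ("gateway", "auth", "db"),
    ("gateway", "orders", "payments", "db"),
    ("gateway", "orders", "db"),
    ("search", "orders", "payments"),
    ("search", "db"),
    ("gateway", "payments"),
]


def intercepted(decoys, paths=PATHS):
    """A path is intercepted if the attacker's movement touches at least one cloned service."""
    return sum(1 for p in paths if any(s in decoys for s in p))


def cost(decoys, services=SERVICES):
    return sum(services[s][0] for s in decoys)


def optimal(budget, services=SERVICES, paths=PATHS):
    """Exhaustive search: most paths intercepted within budget, cheapest set on ties."""
    names = sorted(services)
    best, best_key = frozenset(), (0, 0)
    for r in range(len(names) + 1):
        for combo in combinations(names, r):
            c = cost(combo, services)
            if c > budget:
                continue
            key = (intercepted(combo, paths), -c)
            if key > best_key:
                best, best_key = frozenset(combo), key
    return best


def greedy(budget, services=SERVICES, paths=PATHS):
    """Repeatedly clone the affordable service with the best newly-intercepted-paths per unit cost."""
    chosen, remaining = set(), budget
    while True:
        best, best_gain = None, 0.0
        for s in sorted(services):
            c = services[s][0]
            if s in chosen or c > remaining:
                continue
            gain = (intercepted(chosen | {s}, paths) - intercepted(chosen, paths)) / c
            if gain > best_gain:
                best, best_gain = s, gain
        if best is None:
            return chosen
        chosen.add(best)
        remaining -= services[best][0]


def by_vulnerability(budget, services=SERVICES, paths=PATHS):
    """Baseline: clone the most vulnerable services first, regardless of how attackers actually move."""
    chosen, remaining = set(), budget
    for s in sorted(services, key=lambda s: -services[s][1]):
        if services[s][0] <= remaining:
            chosen.add(s)
            remaining -= services[s][0]
    return chosen


if __name__ == "__main__":
    budget = 4
    for name, fn in (("optimal", optimal), ("greedy", greedy), ("by_vulnerability", by_vulnerability)):
        d = fn(budget)
        print(f"{name:17s} decoys={sorted(d)} cost={cost(d)} intercepted={intercepted(d)}/{len(PATHS)}")
```

With a budget of 4 resource units the exact and greedy placements both clone gateway and search (cost 3) and intercept all six paths, while the score-driven baseline spends its budget on auth and payments and intercepts four: the two highest-scored services are not the ones most attack paths pass through.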
In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches
Volumetric distributed Denial-of-Service (DDoS) attacks have become one of
the most significant threats to modern telecommunication networks. However,
most existing defense systems require that detection software operates from a
centralized monitoring collector, leading to increased traffic load and delayed
response. The recent advent of Data Plane Programmability (DPP) enables an
alternative solution: threshold-based volumetric DDoS detection can be
performed directly in programmable switches to skim only potentially hazardous
traffic, to be analyzed in depth at the controller. In this paper, we first
introduce the BACON data structure based on sketches, to estimate
per-destination flow cardinality, and theoretically analyze it. Then we employ
it in a simple in-network DDoS victim identification strategy, INDDoS, to
detect the destination IPs for which the number of incoming connections exceeds
a pre-defined threshold. We describe its hardware implementation on a
Tofino-based programmable switch using the domain-specific P4 language, proving
that some limitations imposed by real hardware to safeguard processing speed
can be overcome to implement relatively complex packet manipulations. Finally,
we present some experimental performance measurements, showing that our
programmable switch is able to keep processing packets at line-rate while
performing volumetric DDoS detection, and also achieves a high F1 score on DDoS
victim identification.
Comment: Accepted by IEEE Transactions on Network and Service Management
Special issue on Latest Developments for Security Management of Networks and
Service
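The detection logic the abstract describes, flagging destinations whose number of distinct incoming sources exceeds a threshold, depends on a compact per-destination cardinality estimator rather than on packet counts. The following added example is not the BACON structure, whose design is not given on this page: it uses a generic array of hashed bitmaps (linear counting, with a minimum over independent rows to dampen destination collisions) to estimate per-destination source cardinality in fixed memory, and checks the threshold on every packet as an in-network implementation would. The traffic mix is constructed and includes a single-source flow that is heavy in packets but small in cardinality, which the estimator correctly leaves alone.

```python
"""Per-destination source-cardinality sketch with threshold-based victim identification (illustration)."""
import math
import zlib

ROWS, COLS, BITS = 3, 64, 1024      # ROWS independent hash rows, COLS cells per row, BITS-wide bitmap per cell


def h(key, seed):
    """Seeded 32-bit hash; zlib.crc32 accepts a starting value, which serves as the seed."""
    return zlib.crc32(key.encode(), seed)


class DstCardinalitySketch:
    def __init__(self):
        self.bitmaps = [[0] * COLS for _ in range(ROWS)]   # each cell holds a BITS-wide bitmap as an int

    def update(self, src, dst):
        """Per packet: pick the destination's cell in each row, set the bit chosen by the source."""
        for r in range(ROWS):
            col = h(dst, r) % COLS
            self.bitmaps[r][col] |= 1 << (h(src, 1000 + r) % BITS)

    def estimate(self, dst):
        """Linear-counting estimate -m ln(z/m) per row; the minimum over rows limits collision inflation."""
        est = float("inf")
        for r in range(ROWS):
            bm = self.bitmaps[r][h(dst, r) % COLS]
            zeros = BITS - bin(bm).count("1")
            n = BITS * math.log(BITS) if zeros == 0 else -BITS * math.log(zeros / BITS)
            est = min(est, n)
        return est


def identify_victims(packets, threshold):
    """Flag a destination as soon as its estimated source cardinality exceeds the threshold."""
    sketch = DstCardinalitySketch()
    victims = set()
    for src, dst in packets:
        sketch.update(src, dst)
        if sketch.estimate(dst) > threshold:
            victims.add(dst)
    return victims, sketch


# Constructed traffic (all addresses made up):
#  - 300 distinct sources each send one packet to VICTIM (volumetric, many sources)
#  - one source sends 500 packets to 10.0.0.8 (heavy, but cardinality 1: must not be flagged)
#  - nine ordinary destinations each receive 3 packets from each of 10 sources
VICTIM = "10.0.0.5"
PACKETS = [(f"198.51.{100 + i // 256}.{i % 256}", VICTIM) for i in range(300)]
PACKETS += [("203.0.113.7", "10.0.0.8")] * 500
PACKETS += [(f"192.0.2.{k}", f"10.0.0.{j}") for j in range(10, 19) for k in range(10) for _ in range(3)]

if __name__ == "__main__":
    victims, sketch = identify_victims(PACKETS, threshold=100)
    print("flagged:", sorted(victims))
    for dst in (VICTIM, "10.0.0.8", "10.0.0.12"):
        print(dst, "estimated distinct sources:", round(sketch.estimate(dst), 1))
```

Memory is fixed at ROWS * COLS * BITS bits regardless of how many destinations or sources appear, which is the property a switch register array needs; the price is estimation error from source-bit collisions (corrected by the linear-counting formula) and from destinations sharing a cell (damped by taking the minimum across rows).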