Detecting Flooding Attacks Using Power Divergence


1 Detecting Flooding Attacks Using Power Divergence Jean Tajer IT Security for the Next Generation European Cup, Prague February, 2012 PAGE 1

2 Agenda
1- Introduction
2- K-ary Sketch
3- Detection Threshold
4- Power Divergence
5- Experimental Results
- Traffic behavior under normal conditions and DDoS Attacks
- SYN traffic under Power Divergence and dynamic Threshold
- Receiver Operating Characteristic (ROC)
6- Conclusion

3 Introduction This paper deals with the detection of flooding attacks, which are the most common type of Denial of Service (DoS) attack. We propose a new framework for the detection of flooding attacks by integrating Power Divergence over a Sketch data structure. The performance of the proposed framework is investigated in terms of detection probability, false alarm ratio and the receiver operating characteristic (ROC). We focus on tuning the parameter of Power Divergence to optimize the performance. We conduct the performance analysis over publicly available real IP traces into which flooding attacks have been injected. Our analysis results prove that the proposed algorithm outperforms the existing solutions.

4 Detection threshold In order to differentiate network anomalies from normal behavior, a detection threshold for Power Divergence is mandatory. Instead of a static threshold, we use a dynamic one, based on Jacobson's fast algorithm for RTT mean and variation. Let PD(n) be the current value of the Power Divergence, and maintain the current and next exponentially smoothed average estimates of the Power Divergence. Let the deviation be the difference between the current measure PD(n) and the average measure; its exponentially smoothed average is maintained as well. The estimated threshold Thre(n + 1) is then given in terms of these quantities, where the smoothing weights are all modifiable parameters that can be adjusted numerically in order to improve the detection precision. "IT Security for the Next Generation", European Cup 17-19 February, 2012
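
The recurrence described above, as an added example (this is not code from the slides): a Jacobson-style exponentially smoothed mean and smoothed deviation of the Power Divergence series, with the threshold placed a fixed multiple of the smoothed deviation above the mean. The weights ALPHA and BETA, the multiplier K, the warm-up length and the sample PD series are constructed for this example; the slides report 0.8 for two of their parameters, but the values below are my assumptions, not theirs. A static threshold is included for the comparison the later slides make.

```python
"""Jacobson-style dynamic threshold for a Power Divergence time series.

Added example, not code from the slides. It applies the RTT estimator the
slides cite (exponentially smoothed mean, exponentially smoothed deviation,
threshold = mean + K * deviation) to per-interval PD(n) values. The weights
ALPHA and BETA, the multiplier K, the warm-up length and the sample series
are all constructed for this example.
"""

ALPHA = 0.8   # weight kept by the running average on each update (assumed)
BETA = 0.8    # weight kept by the running mean deviation (assumed)
K = 4.0       # threshold sits K smoothed deviations above the mean (assumed)


def dynamic_threshold(pd_series, alpha=ALPHA, beta=BETA, k=K,
                      warmup=5, freeze_on_alarm=False):
    """Return (thresholds, alarms) for a sequence of PD(n) values.

    thresholds[n] is Thre(n), the value PD(n) was compared against;
    alarms[n] is True when PD(n) exceeded it. During the first `warmup`
    intervals the estimates are trained but no alarm is raised. With
    freeze_on_alarm=True the estimates are not updated while an alarm is
    active, so a sustained flood cannot pull the threshold up after itself.
    """
    avg = pd_series[0]          # a(n): smoothed average of PD
    dev = 0.0                   # smoothed |PD(n) - a(n)|
    thre = avg + k * dev        # Thre(n)
    thresholds, alarms = [], []
    for n, pd_n in enumerate(pd_series):
        alarm = n >= warmup and pd_n > thre
        thresholds.append(thre)
        alarms.append(alarm)
        if alarm and freeze_on_alarm:
            continue
        err = pd_n - avg
        avg = alpha * avg + (1.0 - alpha) * pd_n
        dev = beta * dev + (1.0 - beta) * abs(err)
        thre = avg + k * dev
    return thresholds, alarms


def static_threshold(pd_series, h):
    """Alarms for a fixed threshold h, for comparison with the dynamic one."""
    return [pd_n > h for pd_n in pd_series]


def alarm_indices(alarms):
    """Indices of the intervals that raised an alarm."""
    return [n for n, a in enumerate(alarms) if a]


# Constructed PD series: ten quiet intervals, a three-interval flood
# (indices 10-12), then ten quiet intervals again.
QUIET = [0.05, 0.06, 0.04, 0.05, 0.07, 0.05, 0.04, 0.06, 0.05, 0.05]
SAMPLE_PD = QUIET + [0.60, 0.65, 0.55] + QUIET

if __name__ == "__main__":
    _, alarms = dynamic_threshold(SAMPLE_PD)
    print("plain Jacobson alarms:", alarm_indices(alarms))
    _, frozen = dynamic_threshold(SAMPLE_PD, freeze_on_alarm=True)
    print("frozen-on-alarm alarms:", alarm_indices(frozen))
    print("static h=0.5 alarms:", alarm_indices(static_threshold(SAMPLE_PD, 0.5)))
    print("static h=0.065 alarms:", alarm_indices(static_threshold(SAMPLE_PD, 0.065)))
```

On the constructed series the plain recurrence flags the first two flood intervals and then, because the flood values have already been averaged into the baseline, the threshold rises above the third flood interval. Freezing the estimator while an alarm is active keeps all three flagged, which is the failure mode a practitioner should check for before deploying any adaptive threshold. The static thresholds show the trade-off the later slides describe: a high fixed value misses nothing here but would miss a weaker flood, a low one (0.065) also fires on the two quiet intervals that reach 0.07.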

5 K-ary Sketch A Sketch generates a fixed number of time series for anomaly detection, and provides finer-grained analysis than aggregating the whole traffic into a single time series. The Sketch data structure is used for dimensionality reduction. It is based on random aggregation of a traffic attribute (e.g. number of packets) in different hash tables. A Sketch S is a 2D array of H × K cells (as shown in the figure below), where K is the size of each hash table and H is the number of mutually independent (universal) hash functions. Each item is identified by a key κn and associated with a reward value νn. For each newly arriving item (κn, νn), the associated value is added to the cell S[i][j], where i is the index of the hash function associated with the ith hash table (0 ≤ i ≤ H − 1) and j = hi(κn) is the hash value of the key under the ith hash function. Data items whose keys hash to the same value are aggregated in the same cell of the hash table, and their values are added to the existing counter. Each hash table (each row) is used to derive a probability distribution as the ratio of the counter in each cell to the sum of all cells in that row. The derived probability distributions (K probability sets, one per line) are used as inputs for the divergence measures.

6 Power Divergence The approach used in this paper to detect DDoS attacks is based on a probabilistic decision measure. The idea is to estimate the subjective prior distribution of the traffic and to use it as a baseline probability. This probability distribution is denoted by q = [q1, …, qn]. In the presence of attacks the probability distribution changes, and one can use this change to detect the attacks. However, with traffic variations this probability distribution also changes in the absence of attacks; these are the false alarms. The objective is therefore to find a method that detects the attacks and removes the false alarms. This motivates the need for a quantitative measure of information or, more generally, a decision-theoretic measure of divergence between the baseline probability q and some other distribution p. For this article we choose Power Divergence, a measure of distance between two probability measures parameterised by an order, in which Ep denotes the expectation with respect to the posterior probability distribution p. This divergence has some interesting special cases: for an order of 0.5 it is proportional to the squared Hellinger distance between p and q, while for an order of 1 it is equal to the Kullback-Leibler (KL) measure. This power divergence therefore subsumes the KL and Hellinger measures and outperforms them.

7 Experimental Results We present performance analysis results of integrating the Power Divergence detection algorithm over Sketch for the detection of SYN flooding attacks. We use the real Internet MAWI trans-Pacific traces from 15/04/ h00 to 18h15, a few hours in the life of the Internet, to test the efficiency of the algorithms used. IP addresses in the traces are scrambled by a modified version of the tcpdpriv tool, but correlations between addresses are preserved. We have analysed these 6h15 of wide-area network traces using the sketch technique, with the destination IP as sketch key (ki = dip) and a reward vi = 1 for SYN requests only, zero otherwise. Afterwards, we inject real DDoS attacks of different intensity into this trace to simulate distributed SYN flooding attacks. In order to proceed with the test, we inject 9 real DDoS TCP SYN flooding attacks with different intensity into the MAWI public traces (tcpdump files). These attacks are inserted every 30 minutes (at times t = 31, 71, 111, etc.) and last for 10 minutes. Fig. 2 illustrates the number of SYN flooding attacks. These attacks, as described before, are generated 9 times, for a duration of 10 minutes every 30 minutes. As we can notice, the intensity of these attacks is not constant: it starts at a higher value and decreases until 2000 attacks.
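
The sketch of slide 5, the divergence of slide 6 and the key/reward choice of slide 7 (key = destination IP, reward 1 for a SYN and 0 otherwise), combined in one added example that is not the slides' own code. The hash family (a per-row SHA-256, standing in for the universal hash family), the sizes H and K, the additive smoothing eps, the max-over-rows aggregation and the constructed traffic are my choices. The slides do not reproduce the divergence formula in this transcription; the Cressie-Read form used below is an assumption chosen because it yields exactly the two special cases the slides state (order 0.5 proportional to the squared Hellinger distance, order 1 equal to KL).

```python
"""K-ary sketch plus Power Divergence for SYN-flood scoring.

Added example, not the slides' code. It follows the slides' setup: the
sketch key is the destination IP, the reward is 1 for a SYN and 0
otherwise, each row of the sketch is normalised to a probability vector,
and the divergence between a baseline interval and the current interval
is the per-interval score. The hash family (SHA-256 per row), the sizes
H and K, the smoothing EPS, the max-over-rows aggregation and the sample
traffic are my choices; the Cressie-Read form of the divergence below is
an assumption that reproduces the two special cases the slides state.
"""
import hashlib
import math

H = 4       # hash functions / rows (assumed)
K = 16      # buckets per row (assumed; tiny so the example stays readable)
EPS = 1e-6  # additive smoothing so every q_j > 0 (assumed)


def row_hash(row, key):
    """Row-specific hash of a key into [0, K): stand-in for a universal hash."""
    digest = hashlib.sha256(f"{row}|{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % K


def build_sketch(records):
    """records: iterable of (dst_ip, is_syn). Adds reward 1 for every SYN
    to cell S[i][h_i(dst_ip)] of each row i; non-SYN records add 0."""
    sketch = [[0] * K for _ in range(H)]
    for dst_ip, is_syn in records:
        reward = 1 if is_syn else 0
        for i in range(H):
            sketch[i][row_hash(i, dst_ip)] += reward
    return sketch


def row_distributions(sketch, eps=EPS):
    """One probability vector per row: counter / row total, smoothed by eps."""
    out = []
    for row in sketch:
        total = sum(row) + eps * K
        out.append([(c + eps) / total for c in row])
    return out


def power_divergence(p, q, alpha):
    """PD_alpha(p, q) = (E_p[(p/q)^(alpha-1)] - 1) / (alpha (alpha-1)).
    alpha = 0.5 gives 2 * squared Hellinger distance; alpha -> 1 is KL."""
    if abs(alpha - 1.0) < 1e-12:
        return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)
    ep = sum(pi * (pi / qi) ** (alpha - 1.0) for pi, qi in zip(p, q) if pi > 0)
    return (ep - 1.0) / (alpha * (alpha - 1.0))


def squared_hellinger(p, q):
    """Sum over buckets of (sqrt(p_j) - sqrt(q_j))^2."""
    return sum((math.sqrt(pi) - math.sqrt(qi)) ** 2 for pi, qi in zip(p, q))


def interval_score(baseline_records, current_records, alpha=1.5):
    """Score one interval against the baseline: PD per row, max over rows."""
    base = row_distributions(build_sketch(baseline_records))
    cur = row_distributions(build_sketch(current_records))
    return max(power_divergence(p, q, alpha) for p, q in zip(cur, base))


def make_interval(syn_counts, non_syn=20):
    """Constructed traffic: {dst_ip: SYN count} plus some non-SYN packets."""
    records = [(ip, True) for ip, n in syn_counts.items() for _ in range(n)]
    return records + [("10.0.0.99", False)] * non_syn


# Constructed intervals: six servers receiving ~10 SYNs each; the flood
# interval adds 300 SYNs towards a seventh destination.
SERVERS = [f"10.0.0.{i}" for i in range(1, 7)]
BASELINE = make_interval({ip: 10 for ip in SERVERS})
QUIET = make_interval(dict(zip(SERVERS, [12, 11, 10, 9, 10, 8])))
FLOOD = make_interval({**{ip: 10 for ip in SERVERS}, "10.0.0.7": 300})

if __name__ == "__main__":
    for alpha in (0.5, 1.5):
        print(f"alpha={alpha}: quiet={interval_score(BASELINE, QUIET, alpha):.4f} "
              f"flood={interval_score(BASELINE, FLOOD, alpha):.4f}")
```

Two points worth noticing when running it. First, the quiet interval scores close to zero even though its per-server counts differ from the baseline, while the flood interval scores far above it at both orders; what changes is the shape of the row distribution, not the volume, which is why the method still works when the total packet count barely moves. Second, a flood towards a destination that the baseline never saw lands in a bucket whose baseline probability is only the smoothing term, so the magnitude of the score there is governed by EPS; compare scores only across intervals that used the same EPS and sketch dimensions.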

8 Traffic behavior under normal conditions and DDoS Attacks Fig. 3 and Fig. 6 show the variation of the total number of packets (TCP, UDP and ICMP) before and after the SYN flooding attacks, and Fig. 4 and Fig. 7 show the variation of the number of TCP packets before and after the attacks. One can notice that the shape of the traffic variation in both figures is similar. This can be explained by the fact that the intensity of the SYN flooding is not large compared to the total number of packets. In such cases, the detection of the attack is very challenging. Fig. 5 and Fig. 8 show the variation of the number of SYN packets before and after the SYN flooding attacks. Here the two figures have different shapes, which can be explained by the high intensity of the SYN flooding attacks in comparison with the total number of SYN packets under normal conditions.

9 SYN traffic under Power Divergence and dynamic Threshold (1) We have conducted analysis tests for several values of the order parameter; due to space limits we provide in this section the results for only two values, 0.5 and 1.5. In fact, we have found that 1.5 is the optimal value. We compare it to the case of 0.5, for which the Power Divergence is similar to the Hellinger Distance used in the literature. For the parameters of the dynamic threshold, the two values we used were both 0.8. 1) Power Divergence comparison between orders 0.5 and 1.5: As described before, applying the value 0.5 to the Power Divergence coincides with the Hellinger Distance (HD). Fig. 9 illustrates the behavior of SYN traffic with the SYN flooding attack under the Power Divergence technique. It is obvious that with this value, Power Divergence is not able to detect all 9 SYN flooding attacks: it only detects the first 7 attacks, but not the last 2 at t = 310 and t = 350. Let us now take the other value, 1.5. Fig. 10 shows the behavior of SYN traffic with the SYN flooding attack under the Power Divergence technique. We can notice that with this value, all 9 attacks have been detected. We conclude that the value 1.5 is better and more adequate than 0.5.

10 SYN traffic under Power Divergence and dynamic Threshold (2) 2) Dynamic threshold and Power Divergence for orders 0.5 and 1.5: In this article we decided to introduce, instead of a static threshold, a dynamic one into our experiments, and we applied it over the SYN traffic with SYN flooding attack under the Power Divergence technique. Whenever the threshold (dashed line) is above the SYN traffic, there is no attack; whenever the threshold is under the SYN traffic, there is an attack. For the order 0.5, the dynamic threshold detects the 7 attacks that have been revealed by Power Divergence, but we can also notice that it raises many false alarms, as shown in Fig. 11. Fig. 12 shows that for order 1.5 the dynamic threshold detects all 9 attacks revealed by Power Divergence and, unlike the case of 0.5, does not raise the false alarms. This justifies the use of a dynamic threshold instead of a static one in our case. If we take for example a constant threshold of h = 0.5 for order 1.5, the last attack at t = 350 is not detected; with h = 0.2, the threshold detects the 9 attacks plus the false alarm at t = 140.

11 Receiver Operating Characteristic (ROC) Fig. 13 and Fig. 14 show the receiver operating characteristic (ROC) curves for the Power Divergence algorithm for varying attack intensity, attack duration and normal traffic load. ROC curves display the trade-off between false alarm rate and detection rate. The performance of Power Divergence varies significantly with the attack intensity. We plot the ROC by varying the value of the threshold. For an order of 0.5, as we can see from Fig. 13, we are able to achieve a detection rate of 67% with a false alarm rate of 0. For an order of 1.5, as we can see from Fig. 14, we are able to achieve a detection rate of 89% with a false alarm rate of 0. The ROC figures show that for an order of 1.5 the detection rate at zero false alarms is better than for 0.5.
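
How the ROC figures above are built, as an added example that is not the slides' code: one divergence score per interval, a label saying whether a flood was injected in that interval, a sweep of the alarm threshold over every observed score, and the resulting (false alarm rate, detection rate) operating points. It also reports the best detection rate reachable at zero false alarms, which is the figure the slides quote for each order. The scores and labels are constructed and illustrative; they are not the slides' measurements.

```python
"""ROC curve for a per-interval anomaly score.

Added example, not the slides' code. Given one divergence score per
interval and a label saying whether a flood was injected in that interval,
it sweeps the alarm threshold over every observed score, records the
(false alarm rate, detection rate) pair for each, and reports the best
detection rate reachable with zero false alarms. The scores and labels
below are constructed for the example.
"""


def roc_points(scores, labels):
    """Return sorted (false_alarm_rate, detection_rate) pairs, one per
    candidate threshold h, where an interval alarms when score > h."""
    attacks = [s for s, lab in zip(scores, labels) if lab]
    normals = [s for s, lab in zip(scores, labels) if not lab]
    thresholds = [float("-inf")] + sorted(set(scores))
    points = []
    for h in thresholds:
        tpr = sum(s > h for s in attacks) / len(attacks)
        fpr = sum(s > h for s in normals) / len(normals)
        points.append((fpr, tpr))
    return sorted(points)


def auc(points):
    """Area under the ROC curve by the trapezoidal rule."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def detection_rate_at_false_alarm(points, max_fpr=0.0):
    """Best detection rate among operating points with FPR <= max_fpr."""
    return max(tpr for fpr, tpr in points if fpr <= max_fpr)


# Constructed per-interval data: 10 quiet intervals and 9 attack intervals
# (the slides inject 9 floods); the scores are illustrative divergence values.
SCORES = [0.02, 0.05, 0.03, 0.04, 0.06, 0.08, 0.05, 0.04, 0.03, 0.05,
          0.90, 0.60, 0.12, 0.07, 0.50, 0.30, 0.25, 0.40, 0.065]
LABELS = [False] * 10 + [True] * 9

if __name__ == "__main__":
    pts = roc_points(SCORES, LABELS)
    print(f"AUC = {auc(pts):.4f}")
    print(f"detection rate at zero false alarms = "
          f"{detection_rate_at_false_alarm(pts):.3f}")
```

With these constructed scores two of the nine attack intervals score below the noisiest quiet interval (0.08), so the zero-false-alarm operating point detects 7 of 9; allowing a 10% false alarm rate recovers all nine. Comparing two divergence orders the way the slides do means running this over the two score series and reading off the detection rate at the false alarm rate the operation can tolerate.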

12 Conclusion DDoS attacks are a real threat in any type of traffic. In this paper, we proposed a new framework based on Sketch and power divergence for anomaly detection over high-speed links. Our experiments prove the efficiency of the proposed approach through implementation and testing on real traces with DoS/DDoS attacks, specifically real traces with distributed SYN flooding attacks. The results of our experiments have shown the capacity to detect even low-intensity DDoS attacks. Via the ROC, the performance evaluation shows that as we increase the value of the order, Power Divergence is able to preserve high detection accuracy even when the attack rate is very low. We concluded that the Power Divergence of order 1.5 is the optimal value that minimises the false alarm ratio and increases the detection efficiency. We have shown that for order 1.5 our algorithm outperforms the Hellinger Distance (which is equivalent to taking order 0.5 in our algorithm). In our future work, we will focus on providing additional information to pinpoint malicious flows, in order to trigger automatic reaction against ongoing attacks. We also intend to provide a method for reducing the amount of monitoring data on high-speed networks, and to analyze the impact of sampling on the precision of these divergence measures.

13 Thank You Jean Tajer IT Security for the Next Generation American Cup, New York February, 2012


The SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA baiba@terena.nl

The SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA baiba@terena.nl The SCAMPI Scaleable Monitoring Platform for the Internet Baiba Kaskina TERENA baiba@terena.nl Agenda Project overview Project objectives Project partners Work packages Technical information SCAMPI architecture

More information

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

More information

An Aggregation Technique for Traffic Monitoring. Kenjiro Cho, Ryo Kaizaki, and Akira Kato {kjc,kaizaki,kato}@wide.ad.jp

An Aggregation Technique for Traffic Monitoring. Kenjiro Cho, Ryo Kaizaki, and Akira Kato {kjc,kaizaki,kato}@wide.ad.jp An Aggregation Technique for Traffic Monitoring Kenjiro Cho, Ryo Kaizaki, and Akira Kato {kjc,kaizaki,kato}@wide.ad.jp motivation for long-term monitoring flow-based monitoring needs predefined rules problems

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

NADA Network Anomaly Detection Algorithm

NADA Network Anomaly Detection Algorithm NADA Network Anomaly Detection Algorithm Sílvia Farraposo 1, Philippe Owezarski 2, Edmundo Monteiro 3 1 School of Technology and Management of Leiria Alto-Vieiro, Morro do Lena, 2411-901 Leiria, Apartado

More information

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks Krishnamoorthy.D 1, Dr.S.Thirunirai Senthil, Ph.D 2 1 PG student of M.Tech Computer Science and Engineering, PRIST University,

More information

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory. : Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty 22 October 2002 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations,

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

More information

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

More information

Conclusions and Future Directions

Conclusions and Future Directions Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME Don t let a DDoS attack bring your online business to a halt we can protect any server in any location DON T GET STUCK ON THE ROAD OF

More information

Introduction about DDoS. Security Functional Requirements

Introduction about DDoS. Security Functional Requirements S W G IT P Security Functional Requirements for Anti-DDoS Products Jun Woo Park (junusee@tta.or.kr) TTA, Korea Global Leader of ICT Standardization & Certification Ⅰ Introduction about DDoS Ⅱ Security

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Analysis of Network Packets. C DAC Bangalore Electronics City

Analysis of Network Packets. C DAC Bangalore Electronics City Analysis of Network Packets C DAC Bangalore Electronics City Agenda TCP/IP Protocol Security concerns related to Protocols Packet Analysis Signature based Analysis Anomaly based Analysis Traffic Analysis

More information

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS) Denial of Service Attacks and Countermeasures Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS) Student Objectives Upon successful completion of this module,

More information

Passive Queue Management

Passive Queue Management , 2013 Performance Evaluation of Computer Networks Objectives Explain the role of active queue management in performance optimization of TCP/IP networks Learn a range of active queue management algorithms

More information

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

Intrusion Forecasting Framework for Early Warning System against Cyber Attack Intrusion Forecasting Framework for Early Warning System against Cyber Attack Sehun Kim KAIST, Korea Honorary President of KIISC Contents 1 Recent Cyber Attacks 2 Early Warning System 3 Intrusion Forecasting

More information

Quality Certificate for Kaspersky DDoS Prevention Software

Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Table of Contents Definitions 3 1. Conditions of software operability 4 2. General

More information

Prevention, Detection, Mitigation

Prevention, Detection, Mitigation Thesis for the Degree of DOCTOR OF PHILOSOPHY Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation Zhang Fu Division of Networks and Systems Department

More information

Evaluation of Machine Learning Method for Intrusion Detection System on Jubatus

Evaluation of Machine Learning Method for Intrusion Detection System on Jubatus International Journal of Machine Learning and Computing, Vol. 5, No. 2, April 2015 Evaluation of Machine Learning Method for Intrusion Detection System on Jubatus Tadashi Ogino technologies. As a preliminary

More information

Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic

Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic Amit Khajuria 1, Roshan Srivastava 2 1 M. Tech Scholar, Computer Science Engineering, Lovely Professional University,

More information

Analysis of Methods Organization of the Modelling of Protection of Systems Client-Server

Analysis of Methods Organization of the Modelling of Protection of Systems Client-Server Available online at www.globalilluminators.org GlobalIlluminators Full Paper Proceeding MI-BEST-2015, Vol. 1, 63-67 FULL PAPER PROCEEDING Multidisciplinary Studies ISBN: 978-969-9948-10-7 MI-BEST 2015

More information

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

More information

Master s Thesis. A Study on Active Queue Management Mechanisms for. Internet Routers: Design, Performance Analysis, and.

Master s Thesis. A Study on Active Queue Management Mechanisms for. Internet Routers: Design, Performance Analysis, and. Master s Thesis Title A Study on Active Queue Management Mechanisms for Internet Routers: Design, Performance Analysis, and Parameter Tuning Supervisor Prof. Masayuki Murata Author Tomoya Eguchi February

More information

Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints

Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints Michael Bauer, Srinivasan Ravichandran University of Wisconsin-Madison Department of Computer Sciences {bauer, srini}@cs.wisc.edu

More information

A Double-Filter Structure Based Scheme for Scalable Port Scan Detection

A Double-Filter Structure Based Scheme for Scalable Port Scan Detection A Double-Filter Structure Based Scheme for Scalable Port Scan Detection Shijin Kong 1, Tao He 2, Xiaoxin Shao 3, Changqing An 4 and Xing Li 5 Department of Electronic Engineering, Tsinghua University,

More information

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module While HTTP Flood and DoS attacks are spreading nowadays, there is a new attack surface reduction

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 12 (2014), pp. 1167-1173 International Research Publications House http://www. irphouse.com Vulnerability

More information

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

More information

Effective Worm Detection for Various Scan Techniques

Effective Worm Detection for Various Scan Techniques Effective Worm Detection for Various Scan Techniques Jianhong Xia, Sarma Vangala, Jiang Wu and Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts at Amherst Amherst,

More information

An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic

An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic Ó The Author 26. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions, please email: journals.permissions@oxfordjournals.org doi:1.193/comjnl/bxl26

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation

An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation An Efficient Way of Denial of Service Attack Detection Based on Triangle Map Generation Shanofer. S Master of Engineering, Department of Computer Science and Engineering, Veerammal Engineering College,

More information

Discriminating DDoS Attack Traffic from Flash Crowd through Packet Arrival Patterns

Discriminating DDoS Attack Traffic from Flash Crowd through Packet Arrival Patterns The First International Workshop on Security in Computers, Networking and Communications Discriminating DDoS Attack Traffic from Flash Crowd through Packet Arrival Patterns Theerasak Thapngam, Shui Yu,

More information

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Whitepaper SHARE THIS WHITEPAPER Table of Contents The Rising Threat of Cyber-Attack Downtime...3 Four Key Considerations

More information