Detecting Distributed Denial of Service Attacks: A Neural Network Approach

Similar documents
Detecting Denial of Service Attacks with Bayesian Classifiers and the Random Neural Network

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

CASCADAS Imperial College. Work part of WP4 related to Autonomic Infrastructure Protection

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service and Anomaly Detection

Keywords - Intrusion Detection System, Intrusion Prevention System, Artificial Neural Network, Multi Layer Perceptron, SYN_FLOOD, PING_FLOOD, JPCap

Distributed Denial of Service (DDoS)

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Intrusion Detection for Mobile Ad Hoc Networks

DDoS Attack Traceback

DDoS Protection Technology White Paper

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Distributed Denial of Service Attacks & Defenses

Padma Charan Das Dept. of E.T.C. Berhampur, Odisha, India

Radware s Behavioral Server Cracking Protection

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

An Efficient Filter for Denial-of-Service Bandwidth Attacks

Security Toolsets for ISP Defense

A HYBRID APPROACH TO COUNTER APPLICATION LAYER DDOS ATTACKS

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Role of Anomaly IDS in Network

DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED METRICS

Survey on DDoS Attack Detection and Prevention in Cloud

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

CS 356 Lecture 16 Denial of Service. Spring 2013

Distributed Defence Against Denial of Service Attacks: A Practical View

Solution of Exercise Sheet 5

IDS / IPS. James E. Thiel S.W.A.T.

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

CHAPTER 1 INTRODUCTION

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Conclusions and Future Directions

Prediction of DDoS Attack Scheme

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Denial of Service Attacks, What They are and How to Combat Them

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Survey on DDoS Attack in Cloud Environment

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

How To Classify A Dnet Attack

Bandwidth based Distributed Denial of Service Attack Detection using Artificial Immune System

Keywords Attack model, DDoS, Host Scan, Port Scan

Firewalls and Intrusion Detection

Efficient Detection of Ddos Attacks by Entropy Variation

DDoS Protecion Total AnnihilationD. DDoS Mitigation Lab

5 Steps to Avoid Network Alert Overload

Denial of Service Attacks

Performance Evaluation of Intrusion Detection Systems

A Novel Technique for Detecting DDoS Attacks at Its Early Stage

Firewalls Netasq. Security Management by NETASQ

D A T A M I N I N G C L A S S I F I C A T I O N

A Neural Network Based System for Intrusion Detection and Classification of Attacks

Large-Scale IP Traceback in High-Speed Internet

Packet-Marking Scheme for DDoS Attack Prevention

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Distributed Denial of Service Attack Tools

Comparison of Supervised and Unsupervised Learning Classifiers for Travel Recommendations

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Abstract. Introduction. Section I. What is Denial of Service Attack?

FLOW BASED MULTI FEATURE INFERENCE MODEL FOR DETECTION OF DDOS ATTACKS IN NETWORK IMMUNE SYSTEM

MANAGING QUEUE STABILITY USING ART2 IN ACTIVE QUEUE MANAGEMENT FOR CONGESTION CONTROL

Intrusion Detection Systems

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

International Journal of Innovative Research in Advanced Engineering (IJIRAE) ISSN: Volume 1 Issue 11 (November 2014)

NETWORK MONITORING AND DECEPTIVE DEFENSES

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

A Brief Discussion of Network Denial of Service Attacks. by Eben Schaeffer SE 4C03 Winter 2004 Last Revised: Thursday, March 31

Thwarting Selective Insider Jamming Attacks in Wireless Network by Delaying Real Time Packet Classification

Company & Solution Profile

RAVEN, Network Security and Health for the Enterprise

co Characterizing and Tracing Packet Floods Using Cisco R

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

DETECTING AND PREVENTING THE PACKET FOR TRACE BACK DDOS ATTACK IN MOBILE AD-HOC NETWORK

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

ATTACKS ON CLOUD COMPUTING. Nadra Waheed

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Testing Network Security Using OPNET

Predicting the Risk of Heart Attacks using Neural Network and Decision Tree

A Novel Packet Marketing Method in DDoS Attack Detection

On-Premises DDoS Mitigation for the Enterprise

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS

A Model-based Methodology for Developing Secure VoIP Systems

Monitoring and analyzing audio, video, and multimedia traffic on the network

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

FlowMonitor a network monitoring framework for the Network Simulator 3 (NS-3)

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Transcription:

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke (g.oke@imperial.ac.uk) Intelligent Systems and Networks Group Dept. of Electrical and Electronic Engineering Imperial College London Multi-Service Networks 07 12-13 July 2007

Contents 1. What is a DoS Attack? 2. Detection of DoS Attacks Using Bayesian Classifiers 3. Secondary Level Decision Taking by RNN 4. Experimental Results 5. Conclusions and Future Research

What is a DoS Attack? An attack with the purpose of preventing legitimate users from using a specific network resource Distributed DoS

1985, R.T. Morris writes: The weakness in the Internet Protocol is that the source host itself fills in the IP source host id, and there is no provision in TCP/IP to discover the true origin of a packet.. IP Spoofing SYN Flood Attack

Why is Detection Necessary? A combination of detection and response mechanisms are used to defend against such attacks. Detection would not be necessary in the ideal case of a response architecture with proactive qualities that would render impossible any DoS attack. However: - No response system is perfect to date. - Denial of Service attacks against one s network do not happen very often and at least resource-wise a proactive protection system is usually too expensive to operate in the absence of an attack. Therefore, a detection mechanism can trigger the response procedure to overcome the weaknesses stated above.

Detection of DoS Attacks 1. Methods Based on Identification of the Source Address 2. Methods Based on Analysis of Traffic A robust DoS detection scheme must satisfy the following: High detection rates Minimal false alarm rates Real-time detection with low memory and CPU-time requirements Invariance in evolutionary trends in DoS attacks

Defence techniques Detection Passive tests - Loyal clients (beyond suspicion) - Hop-count filtering (check the TTL) Active tests - CAPTCHAs - Cryptographic puzzles Classification (signatured- & anomaly-based) Learning techniques Statistical signal analysis Wavelet transform analysis Multiple agents Fuzzy Aspects of Defence Response Proactive server roaming Pushback Secure overlay tunneling Dynamic resource pricing

Detection Using Bayesian Classifiers Select the Input Features Total incoming bit rate Change in total incoming bit rate (acceleration) Entropy Hurst Parameter Delay Delay Rate Gather statistical information on DoS and normal traffic Obtain histograms Evaluate likelihood ratios Set thresholds Real-time decision taking Measure the real-time values of the input features from the actual traffic 1 st level decision (evaluate likelihood ratios) 2 nd level decision (Average Likelihood or RNN)

Compute the histogram f(x H0) of normal traffic Compute the histogram f(x H1) of attack traffic evaluate the likelihood ratios: f ( x H1) l x = f x H ( ) 0 Decision Variables Bit rate Change in bit rate (acc) Entropy Self-similarity (Hurst) Delay Delay Rate l l l Bitrate Entropy Delay, l, l, l Acc, Hurst, DelayRate Averaging likelihood OR RNN

Randomness Entropy S = Self-Similarity n i= 1 f i log 2 f i The Hurst Parameter represents the degree of self-similarity. We have used the R/S statistic to calculate the Hurst parameter s x : incoming bit rate ( R / N S) N N 1 = N n= 1 ( R / S) = N 1 s max 1 n N N N ( x x) min ( x x) = N ( x x) cn H 2 n= 1 1/ 2 1 n N n= 1

Random Neural Network (RNN) RNNs represent better approximation of the true functioning of a biophysical neural network, where the signals travel as spikes rather than analog signals They are computationally efficient structures. They are easy to simulate since each neuron is simply represented by a counter. j w w + + ( p ( i, j) + p ( i, j) ) + d( i) = 1 + ( j, i) = r( i) p ( i, j) 0 ( j, i) = r( i) p ( i, j) 0 The potential for neuron i is: q i = ( i) ( ) N D i + ( i) = q w ( j i) + Λ( i) N, D r j j + + ( i) = r( i) q w ( j, i) λ( i) = + + ( i) w ( i, j) w ( i, j) j j j

Feedforward RNN An input layer of six neurons, a hidden layer with twelve neurons and an output layer with two neurons. Each output neuron stands for a decision; attack or not. The final decision is determined according to the ratio of the two output neurons.

Recurrent RNN It consists of an input layer with twelve neurons and an output layer with two neurons. In the input layer, there are two neurons for each input variable; one for the excitatory signals and one for the inhibitory signals. Each neuron sends excitatory signals to same type of neuron and inhibitory signals to opposite type of neuron. At the output layer, excitatory signals are collected at one neuron and inhibitory signals are summed up at the second neuron.

Experimental Results Topology of the test-bed used in the experiments (Node 20 is the victim)

We have used four data sets: 1) Normal traffic we have designed 2) Attack traffic we have designed 3) Attack traffic extracted from traces downloaded from an online repository of traces (trace1) 4) Attack traffic extracted from traces downloaded from an online repository of traces (trace2)

Our Dataset --- Normal Traffic Averaged Likelihood Feedforward RNN Recurrent RNN

Our Dataset --- Attack Traffic Averaged Likelihood False Alarms: 0 % Correct Detections: 80 % Feedforward RNN False Alarms: 16.7 % Correct Detections: 96 % Recurrent RNN False Alarms: 5.5 % Correct Detections: 96 %

Trace1 --- Attack Traffic Averaged Likelihood False Alarms: 2.8 % Correct Detections: 88 % Feedforward RNN False Alarms: 11 % Correct Detections: 96 % Recurrent RNN False Alarms: 11 % Correct Detections: 96 %

Trace2 --- Attack Traffic Averaged Likelihood False Alarms: 0 % Correct Detections: 76 % Feedforward RNN False Alarms: 8.3 % Correct Detections: 84 % Recurrent RNN False Alarms: 2.8 % Correct Detections: 80 %

Future Research Currently, we are working on the combination of this detection mechanism and previously studied response approaches to build an integrated defence scheme against DoS. The Bayesian detectors will monitor the traffic and compute a likelihood value for the possibility of an ongoing attack. Based on this value the response mechanism will take action by prioritization and rate limiting. We are also planning to design a dynamic defence distribution scheme which allocates nodes to rate-limit or drop packets based on predetermined thresholds.

Thanks Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information