Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1016/j.cose.2022.102844

2022-07-21

Abstract:Attacks exploiting human attentional vulnerability have posed severe threats to cybersecurity. In this work, we identify and formally define a new type of proactive attentional attacks called Informational Denial-of-Service (IDoS) attacks that generate a large volume of feint attacks to overload human operators and hide real attacks among feints. We incorporate human factors (e.g., levels of expertise, stress, and efficiency) and empirical psychological results (e.g., the Yerkes-Dodson law and the sunk cost fallacy) to model the operators' attention dynamics and their decision-making processes along with the real-time alert monitoring and inspection. To assist human operators in dismissing the feints and escalating the real attacks timely and accurately, we develop a Resilient and Adaptive Data-driven alert and Attention Management Strategy (RADAMS) that de-emphasizes alerts selectively based on the abstracted category labels of the alerts. RADAMS uses reinforcement learning to achieve a customized and transferable design for various human operators and evolving IDoS attacks. The integrated modeling and theoretical analysis lead to the Product Principle of Attention (PPoA), fundamental limits, and the tradeoff among crucial human and economic factors. Experimental results corroborate that the proposed strategy outperforms the default strategy and can reduce the IDoS risk by as much as 20%. Besides, the strategy is resilient to large variations of costs, attack frequencies, and human attention capacities. We have recognized interesting phenomena such as attentional risk equivalency, attacker's dilemma, and the half-truth optimal attack strategy.

Cryptography and Security,Artificial Intelligence,Human-Computer Interaction,Machine Learning,Numerical Analysis

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Jorge Maestre Vidal,Ana Lucila Sandoval Orozco,Luis Javier García Villalba

DOI: https://doi.org/10.1016/j.swevo.2017.07.002

2024-02-12

Abstract:Denial of service attacks pose a threat in constant growth. This is mainly due to their tendency to gain in sophistication, ease of implementation, obfuscation and the recent improvements in occultation of fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies, more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper, the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD'99, CAIDA'07 and CAIDA'08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.

Cryptography and Security

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1707.03708

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, distributed denial-of-service (DDoS) attacks overload the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch "physical" denial-of-service attacks (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. In order to model the recruitment of bots, we develop a "Poisson signaling game," a signaling game with an unknown number of receivers, which have varying abilities to detect deception. Then we use a version of this game to analyze two mechanisms (legal and economic) to deter botnet recruitment. Equilibrium results indicate that 1) defenders can bound botnet activity, and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for proactive PDoS defense.

Cryptography and Security

Zhuping Wang,Sheng Gao,Hao Zhang,Huaicheng Yan,Tenghui Li

DOI: https://doi.org/10.1109/tcns.2024.3372134

IF: 4.347

2024-01-01

IEEE Transactions on Control of Network Systems

Abstract:The energy allocation problem of malicious denial-of-service (DoS) attacks for state estimation in cyber-physical systems (CPSs) is investigated in this paper. An optimal energy allocation strategy for DoS attacks in CPSs under multi-sensor network fusion estimation is proposed. To describe the channel packet loss characteristic, a signal-to-interference-plus-noise ratio (SINR) model is introduced. Compared with the existing DoS attack strategies, the increase of the channel packet loss rate with the increase in energy injected by the attacker is considered. Meanwhile, the behavioral tendency of the attacker concerning the sensors with different parameters is taken into account, leveraging the additional sensing accuracy matrix. Moreover, the quantified relationship between the attacker and the remote estimator error covariance is derived and the optimal energy allocation strategy problem is transformed into a convex optimization problem to be solved. Finally, a simulation example is presented to verify the effectiveness of the proposed mechanism.

computer science, information systems,automation & control systems

Yuanjie Li,Hewu Li,Zhizheng Lv,Xingkun Yao,Qianru Li,Jianping Wu

DOI: https://doi.org/10.1145/3460120.3484737

2021-01-01

Abstract:We devise a simple, provably effective, and readily usable deterrence against intelligent, unknown DDoS threats: Demotivate adversaries to launch attacks via multi-hop traffic divergence. This new strategy is motivated by the fact that existing defenses almost always lag behind numerous emerging DDoS threats and evolving intelligent attack strategies. The root cause is if adversaries are smart and adaptive, no single-hop defenses (including optimal ones) can perfectly differentiate unknown DDoS and legitimate traffic. Instead, we formulate intelligent DDoS as a game between attackers and defenders, and prove how multi-hop traffic divergence helps bypass this dilemma by reversing the asymmetry between attackers and defenders. This insight results in EID, an Economical Intelligent DDoS Demotivation protocol. EID combines local weak (yet divergent) filters to provably null attack gains without knowing exploited vulnerabilities or attack strategies. It incentivizes multi-hop defenders to cooperate with boosted local service availability. EID is resilient to traffic dynamics and manipulations. It is readily deployable with random-drop filters in real networks today. Our experiments over a 49.8 TB dataset from a department at the Tsinghua campus network validate EID's viability against rational and irrational DDoS with negligible costs.

Heng Zhang,Peng Cheng,Ling Shi,Jiming Chen

DOI: https://doi.org/10.1109/cdc.2013.6760746

2013-01-01

Abstract:Security of Cyber-Physical System (CPS) has gained increasing attention in recent years. Most existing works mainly investigate the system performance given the attacking patterns. In this paper, we investigate how the attacker should design its DoS attacking policy so that the system performance can be deteriorated as much as possible. Specifically, we consider the scenario where a sensor sends its data to a remote estimator through a wireless channel for state estimation, while an attacker decides whether to jam the channel at each sampling time. For two typical system performance indexes, i.e., the expected average estimation error and the expected terminal estimation error, we construct optimal attack scheduling schemes, respectively. We also propose the optimal attack schedules to avoid the given intruder detection mechanism. Numerical examples are presented to demonstrate the effectiveness of our results.

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1705.00682

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, DDoS attacks work by overflowing the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch a "physical" denial-of-service attack (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. To model the recruitment of bots, we extend a traditional game-theoretic concept and create a "Poisson signaling game." Then we analyze two different mechanisms (legal and economic) to deter botnet recruitment. We find that 1) defenders can bound botnet activity and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for designing proactive defense against PDoS attacks.

Cryptography and Security

Benjamin Tag,Niels van Berkel,Sunny Verma,Benjamin Zi Hao Zhao,Shlomo Berkovsky,Dali Kaafar,Vassilis Kostakos,Olga Ohrimenko

DOI: https://doi.org/10.48550/arXiv.2212.03980

2022-12-08

Abstract:Artificial Intelligence (AI) systems have been increasingly used to make decision-making processes faster, more accurate, and more efficient. However, such systems are also at constant risk of being attacked. While the majority of attacks targeting AI-based applications aim to manipulate classifiers or training data and alter the output of an AI model, recently proposed Sponge Attacks against AI models aim to impede the classifier's execution by consuming substantial resources. In this work, we propose \textit{Dual Denial of Decision (DDoD) attacks against collaborative Human-AI teams}. We discuss how such attacks aim to deplete \textit{both computational and human} resources, and significantly impair decision-making capabilities. We describe DDoD on human and computational resources and present potential risk scenarios in a series of exemplary domains.

Human-Computer Interaction,Artificial Intelligence,Machine Learning

A. Pavlidis,Marinos Dimolianis,B. Maglaris

DOI: https://doi.org/10.1109/ICIN51074.2021.9385540

2021-03-01

Abstract:Distributed Denial of Service (DDoS) attacks are widely used by malicious actors to disrupt network infrastructures/services. A common attack is TCP SYN Flood that attempts to exhaust memory and processing resources. Typical mitigation mechanisms, i.e. SYN cookies require significant processing resources and generate large rates of backscatter traffic to block them. In this paper, we propose a detection and mitigation schema that focuses on generating and optimizing signature-based rules. To that end, network traffic is monitored and appropriate packet-level data are processed to form signatures i.e. unique combinations of packet field values. These are fed to machine learning models that classify them to malicious/benign. Malicious signatures corresponding to specific destinations identify potential victims. TCP traffic to victims is redirected to high-performance programmable XDPenabled firewalls that filter off ending traffic according to signatures classified as malicious. To enhance mitigation performance malicious signatures are subjected to a reduction process, formulated as a multi-objective optimization problem. Minimization objectives are (i) the number of malicious signatures and (ii) collateral damage on benign traffic. We evaluate our approach in terms of detection accuracy and packet filtering performance employing traces from production environments and high rate generated attack traffic. We showcase that our approach achieves high detection accuracy, significantly reduces the number of filtering rules and outperforms the SYN cookies mechanism in high-speed traffic scenarios.

Computer Science,Engineering

Heng Zhang,Peng Cheng,Ling Shi,Jiming Chen

DOI: https://doi.org/10.1109/tac.2015.2409905

IF: 6.549

2015-01-01

IEEE Transactions on Automatic Control

Abstract:Security of Cyber-Physical Systems (CPS) has gained increasing attention in recent years. Most existing works mainly investigate the system performance given some attacking patterns. In this technical note, we investigate how an attacker should schedule its Denial-of-Service (DoS) attacks to degrade the system performance. Specifically, we consider the scenario where a sensor sends its data to a remote estimator through a wireless channel, while an energy-constrained attacker decides whether to jam the channel at each sampling time. We construct optimal attack schedules to maximize the expected average estimation error at the remote estimator. We also provide the optimal attack schedules when a special intrusion detection system (IDS) at the estimator is given. We further discuss the optimal attack schedules when the sensor has energy constraint. Numerical examples are presented to demonstrate the effectiveness of the proposed optimal attack schedules.

Saleh Darzi,Attila A. Yavuz

2024-08-09

Abstract:Given the rise in cyber threats to networked systems, coupled with the proliferation of AI techniques and enhanced processing capabilities, Denial of Service (DoS) attacks are becoming increasingly sophisticated and easily executable. They target system availability, compromising entire systems without breaking underlying security protocols. Consequently, numerous studies have focused on preventing, detecting, and mitigating DoS attacks. However, state-of-the-art systematization efforts have limitations such as isolated DoS countermeasures, shortcomings of AI-based studies, and a lack of DoS integration features like privacy, anonymity, authentication, and transparency. Additionally, the emergence of quantum computers is a game changer for DoS from attack and defense perspectives, yet it has remained largely unexplored. This study aims to address these gaps by examining (counter)-DoS in the AI era while also considering post-quantum (PQ) security when it applies. We highlight the deficiencies in the current literature and provide insights into synergistic techniques to bridge these gaps. We explore AI mechanisms for DoS intrusion detection, evaluate cybersecurity properties in cutting-edge machine learning models, and analyze weaponized AI in the context of DoS. We also investigate collaborative and distributed counter-DoS frameworks via federated learning and blockchains. Finally, we assess proactive approaches such as honeypots, puzzles, and authentication schemes that can be integrated into next-generation network systems for DoS prevention and mitigation.

Cryptography and Security

Pedro Manso,Jose Moura,Carlos Serrao

DOI: https://doi.org/10.3390/info10030106

2021-04-15

Abstract:The current paper addresses relevant network security vulnerabilities introduced by network devices within the emerging paradigm of Internet of Things (IoT) as well as the urgent need to mitigate the negative effects of some types of Distributed Denial of Service (DDoS) attacks that try to explore those security weaknesses. We design and implement a Software-Defined Intrusion Detection System (IDS) that reactively impairs the attacks at its origin, ensuring the normal operation of the network infrastructure. Our proposal includes an IDS that automatically detects several DDoS attacks, and then as an attack is detected, it notifies a Software Defined Networking (SDN) controller. The current proposal also downloads some convenient traffic forwarding decisions from the SDN controller to network devices. The evaluation results suggest that our proposal timely detects several types of cyber-attacks based on DDoS, mitigates their negative impacts on the network performance, and ensures the correct data delivery of normal traffic. Our work sheds light on the programming relevance over an abstracted view of the network infrastructure to timely detect a Botnet exploitation, mitigate malicious traffic at its source, and protect benign traffic.

Cryptography and Security,Networking and Internet Architecture

Wenjie Liu,Lidong Li,Jian Sun,Fang Deng,Gang Wang,Jie Chen

2024-06-06

Abstract:The rise of cyber-security concerns has brought significant attention to the analysis and design of cyber-physical systems (CPSs). Among the various types of cyberattacks, denial-of-service (DoS) attacks and false data injection (FDI) attacks can be easily launched and have become prominent threats. While resilient control against DoS attacks has received substantial research efforts, countermeasures developed against FDI attacks have been relatively limited, particularly when explicit system models are not available. To address this gap, the present paper focuses on the design of data-driven controllers for unknown linear systems subject to FDI attacks on the actuators, utilizing input-state data. To this end, a general FDI attack model is presented, which imposes minimally constraints on the switching frequency of attack channels and the magnitude of attack matrices. A dynamic state feedback control law is designed based on offline and online input-state data, which adapts to the channel switching of FDI attacks. This is achieved by solving two data-based semi-definite programs (SDPs) on-the-fly to yield a tight approximation of the set of subsystems consistent with both offline clean data and online attack-corrupted data. It is shown that under mild conditions on the attack, the proposed SDPs are recursively feasible and controller achieves exponential stability. Numerical examples showcase its effectiveness in mitigating the impact of FDI attacks.

Systems and Control

Sijia Zhan,Dan Tang,Jianping Man,Rui Dai,Xiyin Wang

DOI: https://doi.org/10.3390/s20010189

IF: 3.9

2019-12-29

Sensors

Abstract:Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jiahu Qin,Menglin Li,Jie Wang,Ling Shi,Yu Kang,Wei Xing Zheng

DOI: https://doi.org/10.1016/j.automatica.2020.109090

IF: 6.4

2020-01-01

Automatica

Abstract:We consider a scenario in which a DoS attacker with the limited power resource and the purpose of degrading the system performance, jams a wireless network through which the packet from a sensor is sent to a remote estimator. To degrade the estimation quality most effectively with a given energy budget, the attacker aims to solve the problem of how much power to obstruct the channel each time, which is the recently proposed optimal attack energy management problem. The existing works are built on an ideal network model in which the packet dropout never occurs when the attack is absent. To encompass wireless transmission losses, we introduce the signal-to-interference-plus-noise ratio-based network. First we focus on the case when the attacker employs the constant power level. To maximize the expected terminal estimation error at the remote estimator, we provide some more relaxed sufficient conditions compared with the existing work for the existence of an explicit solution to the optimal static attack energy management problem and the solution is constructed. For the other important index of system performance, the average expected estimation error, the associated sufficient conditions are also derived based on a different analysis approach with the existing work. And a feasible method is presented for both indexes to seek the optimal constant attack power level when the system fails to meet the proposed sufficient conditions. Then when the real-time ACK information can be acquired, a Markov decision process (MDP) based algorithm is designed to solve the optimal dynamic attack energy management problem. We further study the optimal tradeoff between attack energy and system degradation. Specifically, by moving the energy constraint into the objective function to maximize the system index and minimize the energy consumption simultaneously, the other MDP based algorithm is proposed to find the optimal dynamic attack power policy which is further shown to have a monotone structure. The theoretical results are illustrated by simulations.