Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Xun Gong,Negar Kiyavash,Nabíl Schear,Nikita Borisov

DOI: https://doi.org/10.48550/arXiv.1109.0097

2011-09-01

Abstract:Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is even a greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploits a queuing side channel in routers. To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are more noisy than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular web site, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites very low error rates. We also show how such website detection can be used to deanonymize message board users.

Cryptography and Security

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Tieming Chen,Xuebo Qiu,Zhengqiu Weng,Tiantian Zhu,Mingqi Lv,Keda Sun

DOI: https://doi.org/10.1155/2024/6964759

IF: 1.968

2024-11-08

Security and Communication Networks

Abstract:Anomaly detection is essential to ensuring system security and reliability. As one of the basic techniques in the cyberattack, the existing malicious traffic classification method has been facing diverse challenges such as insufficient samples, poor denoising ability, and weak generalization of the classification model. In this paper, we propose a novel method for detecting malicious HTTP traffic based on a framework (HTTPSmell; it refers to the sniffing of some network attacks launched by exploiting the HTTP protocol.)), and XSS dataset obtained from GitHub that automatically applies a deep learning model with high generalization ability even under a small training dataset. With HTTPSmell, we are able to achieve positive results from a semisupervised model that leverages the unsupervised data augmentation (UDA) and the keywords library avoidance (KLA)‐based data augmentation method that holds higher learning generalization, higher scenario coverage rate, and better detection efficiency in the smaller training samples. Finally, we demonstrate through comprehensive experiments in the realistic enterprise environment that HTTPSmell can achieve an accuracy of 96.77% for identifying complex and advanced cyberattacks, while only maintaining a constant 60 MB of memory and sustaining up to 27 k/s throughput.

computer science, information systems,telecommunications

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Pinghui Wang,Peng Jia,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/tkde.2018.2873319

IF: 9.235

2019-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Monitoring user behaviors over high speed links is important for applications such as network anomaly detection. Previous work focuses on monitoring anomalies such as extremely frequent users occurring in a short timeslot such as 1 minute. Little attention has been paid to detect users with stealthy behaviors (e.g., persistent, co-occurrence, anti-co-occurrence, and periodic behaviors) over a long period of time at the timeslot granularity. Due to limited computation and storage resources on routers, it is prohibitive to collect massive network traffic in a long period of time. We develop an end-to-end method for solving challenges in both long-term online traffic collection and offline user behavior analysis. We conduct extensive experiments on a variety of real-world traffic to evaluate the performance of detecting persistent, co-occurrence, anti-co-occurrence, and periodic behaviors, and the results demonstrate that our method significantly outperforms state-of-the-art methods.

Yuqi Yu,Hanbing Yan,Hongchao Guan,Hao Zhou

DOI: https://doi.org/10.48550/arXiv.1810.12751

2018-10-30

Cryptography and Security

Abstract:In the Internet age, cyber-attacks occur frequently with complex types. Traffic generated by access activities can record website status and user request information, which brings a great opportunity for network attack detection. Among diverse network protocols, Hypertext Transfer Protocol (HTTP) is widely used in government, organizations and enterprises. In this work, we propose DeepHTTP, a semantics structure integration model utilizing Bidirectional Long Short-Term Memory (Bi-LSTM) with attention mechanism to model HTTP traffic as a natural language sequence. In addition to extracting traffic content information, we integrate structural information to enhance the generalization capabilities of the model. Moreover, the application of attention mechanism can assist in discovering critical parts of anomalous traffic and further mining attack patterns. Additionally, we demonstrate how to incrementally update the data set and retrain model so that it can be adapted to new anomalous traffic. Extensive experimental evaluations over large traffic data have illustrated that DeepHTTP has outstanding performance in traffic detection and pattern discovery.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

严芬,王佳佳,陈轶群,殷新春,黄皓

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.09.019

2008-01-01

Computer Science

Abstract:An efficient light-weight method for defending against DDoS attacks at the source-end is designed.We use Bloom Filter to pick up the Abstract of packets,and then use change point computation technology to detect abnormity.The method can not only detect the existence of SYN Flooding attacks,but also avoid the false alarm of normal congestion.In experiment environment,DARPA data is replayed and the result shows that our method obtains more accurate detection result with less computation than other similar methods.

Xinhao Deng,Qi Li,Ke Xu

2024-07-01

Abstract:Website Fingerprinting (WF) attacks identify the websites visited by users by performing traffic analysis, compromising user privacy. Particularly, DL-based WF attacks demonstrate impressive attack performance. However, the effectiveness of DL-based WF attacks relies on the collected complete and pure traffic during the page loading, which impacts the practicality of these attacks. The WF performance is rather low under dynamic network conditions and various WF defenses, particularly when the analyzed traffic is only a small part of the complete traffic. In this paper, we propose Holmes, a robust and reliable early-stage WF attack. Holmes utilizes temporal and spatial distribution analysis of website traffic to effectively identify websites in the early stages of page loading. Specifically, Holmes develops adaptive data augmentation based on the temporal distribution of website traffic and utilizes a supervised contrastive learning method to extract the correlations between the early-stage traffic and the pre-collected complete traffic. Holmes accurately identifies traffic in the early stages of page loading by computing the correlation of the traffic with the spatial distribution information, which ensures robust and reliable detection according to early-stage traffic. We extensively evaluate Holmes using six datasets. Compared to nine existing DL-based WF attacks, Holmes improves the F1-score of identifying early-stage traffic by an average of 169.18%. Furthermore, we replay the traffic of visiting real-world dark web websites. Holmes successfully identifies dark web websites when the ratio of page loading on average is only 21.71%, with an average precision improvement of 169.36% over the existing WF attacks.

Cryptography and Security,Artificial Intelligence,Machine Learning

Li Xu,Zhenxin Zhan,Shouhuai Xu,Keyin Ye

DOI: https://doi.org/10.48550/arXiv.1408.1993

2014-08-09

Abstract:Malicious websites are a major cyber attack vector, and effective detection of them is an important cyber defense task. The main defense paradigm in this regard is that the defender uses some kind of machine learning algorithms to train a detection model, which is then used to classify websites in question. Unlike other settings, the following issue is inherent to the problem of malicious websites detection: the attacker essentially has access to the same data that the defender uses to train its detection models. This 'symmetry' can be exploited by the attacker, at least in principle, to evade the defender's detection models. In this paper, we present a framework for characterizing the evasion and counter-evasion interactions between the attacker and the defender, where the attacker attempts to evade the defender's detection models by taking advantage of this symmetry. Within this framework, we show that an adaptive attacker can make malicious websites evade powerful detection models, but proactive training can be an effective counter-evasion defense mechanism. The framework is geared toward the popular detection model of decision tree, but can be adapted to accommodate other classifiers.

Cryptography and Security,Artificial Intelligence

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Qilei Yin,Zhuotao Liu,Qi Li,Tao Wang,Qian Wang,Chao Shen,Yixiao Xu

DOI: https://doi.org/10.1109/tdsc.2021.3104869

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In Website Fingerprinting (WF) attack, a local passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have demonstrated the feasibility and effectiveness of WF attacks under a strong Single Page Assumption: the network flow extracted by the adversary belongs to a single web page. In reality, the assumption may not hold because users tend to open multiple tabs simultaneously (or within a short period of time) so that their network traffic is mixed. In this article, we propose an automated multi-tab Website Fingerprinting attack that is able to accurately classify websites regardless of the number of simultaneously opened pages. Our design is powered by two innovative designs. First, we develop a split point classification method to dynamically identify the split point between the first page and its subsequent pages. As a result, the network traffic before the split point is solely generated for the first page. Then, we propose a new chunk-based WF classifier to infer the websites based on the initial chunk of clean traffic. For both classifiers, we apply automated feature selection to select a concise yet representative feature set. We implement a prototype of our design and perform extensive evaluations using SSH and Tor-based datasets to demonstrate the effectiveness of both our system components individually and the integrated system as a whole.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

Qi-Xian Huang,Min-Yi Chiu,Ying-Feng Chen,Hung-Min Sun

DOI: https://doi.org/10.1155/2022/3121177

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Until the development of HTTP request smuggling in 2005, individual HTTP requests were considered as independent entities and could not be split or merged. This is a security problem caused by inconsistent content length interpretation approach between web servers, or the web server is not fully implemented in accordance with the RFC standard. It is especially dangerous for web services with complex web architectures. It can route the victims to receive malicious responses, amplify the impact of certain low-threat vulnerabilities, steal user credentials, or bypass network devices’ defenses. However, since its concept and implementation are quite difficult to overcome, it is often ignored by many network administrators, making users who browse such websites vulnerable to the HTTP request smuggling attacks. This paper proposes a general solution to deal with various HTTP request smuggling attacks. A reverse proxy implemented by Flask validates and cleans dubious HTTP requests from the client side and ensures that the original requests comply with RFC standards. Therefore, the website administrators no longer need to configure complicated network settings or customize some open-source project codes to resist or minimize the risk of the HTTP request smuggling attacks. A series of experiments demonstrate that this method is effective and practical.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Oliver Rutishauser

DOI: https://doi.org/10.48550/arXiv.1801.08938

2018-01-26

Networking and Internet Architecture

Abstract:The detection of a volumetric attack involves collecting statistics on the network traffic, and identifying suspicious activities. We assume that available statistical information includes the number of packets and the number of bytes passed per flow. We apply methods of machine learning to detect malicious traffic. A prototype project is implemented as a module for the Floodlight controller. The prototype was tested on the Mininet simulation platform. The simulated topology includes a number of edge switches, a connected graph of core switches, and a number of server and user hosts. The server hosts run simple web servers. The user hosts simulate web clients. The controller employs Dijkstra's algorithm to find the best flow in the graph. The controller periodically polls the edge switches and provides current and historical statistics on each active flow. The streaming analytics evaluates the traffic volume and detects volumetric attacks.