Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Yong Feng,Fengling Han,xianchuan yu,Zahir Tari,Lilin Li,Jiankun Hu

DOI: https://doi.org/10.1007/978-3-642-31588-6_64

2012-01-01

Abstract:This paper proposes a high-order terminal sliding-mode observer used for the anomaly detection in TCP/IP networks. It can track the fluid-flow model representing the TCP/IP behaviors in a router level. A smooth control signal of the observer can be generated based on the high-order sliding-mode technique for estimation of the queue length dynamics in the router. The distributed anomaly in the TCP/IP network incurred by an abnormal behavior can be detected using the smooth control signal. The proposed scheme requires only the average queue length in a router for anomaly detection. The simulations are presented to verify the effectiveness of the proposed method. © 2012 Springer-Verlag.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Long Xu,Xinghuo Yu,Yong Feng,Fengling Han,Jiankun Hu,Zahir Tari

DOI: https://doi.org/10.1109/ICIT.2016.7475043

2016-01-01

Abstract:Anomaly detection in TCP/IP networks is very important to protect computer networks from cyber attacks. In recent years, several router-based observation schemes have been proposed for anomaly detection. Their effectiveness needs to be assessed. Furthermore, anomaly detection in TCP/UDP networks has not been fully explored using the observation schemes. In this paper, we conduct comparative studies using NS-2 to evaluate performances of four sliding mode based observation schemes, namely, sliding mode observer (SMO), terminal sliding mode observer (TSMO), super twisting observer (STO) and fast terminal sliding observer (FTSMO), for anomaly detection in TCP/UPD networks. It is shown that the FTSMO scheme performs best.

Yong Feng,Bo Wang,Fengling Han,Xinghuo Yu,Zahir Tari

DOI: https://doi.org/10.1007/978-3-642-35362-8_6

2012-01-01

Abstract:This paper proposes a chattering-free terminal sliding-mode observer used for the network behavior anomaly detection in TCP/IP networks. The proposed observer can track the fluid-flow model representing the TCP/IP behaviors in a router level. Unlike traditional sliding-mode observers, the proposed observer behaves as a full-order dynamics during the sliding-mode motion. The smooth control signal of the observer can be directly utilized to estimate the queue length dynamics representing a distributed anomaly in the TCP/IP network. The simulations are carried out to verify the effectiveness of the proposed method.

Yong Feng,Fengling Han,Xinghuo Yu,Zahir Sibel Goktepe Tari,Lilin Li,Jiankun Hu

DOI: https://doi.org/10.1109/ICCSNT.2011.6182033

2012-01-01

Abstract:This paper proposes a terminal sliding mode observer for detecting the anomaly intrusions in TCP/IP networks. A nonsingular terminal sliding mode manifold and a second-order sliding mode control strategy are designed respectively to make the observer track the fluid-flow model of the TCP/IP behaviors in the router level. The second-order sliding mode technique is utilized to soften the switching control signal, which is used to estimate the queue length dynamics representing a distributed anomaly in the TCP/IP network. The simulations are presented to validate the proposed method.

Long Xu,Wei Xiong,Minghao Zhou,Lei Chen

DOI: https://doi.org/10.3390/sym14010124

2022-01-01

Symmetry

Abstract:Dynamic traffic monitoring is a critical part of industrial communication network cybersecurity, which can be used to analyze traffic behavior and identify anomalies. In this paper, industrial networks are modeled by a dynamic fluid-flow model of TCP behavior. The model can be described as a class of systems with unmeasurable states. In the system, anomalies and normal variants are represented by the queuing dynamics of additional traffic flow (ATF) and can be considered as a disturbance. The novel contributions are described as follows: (1) a novel continuous terminal sliding-mode observer (TSMO) is proposed for such systems to estimate the disturbance for traffic monitoring; (2) in TSMO, a novel output injection strategy is proposed using the finite-time stability theory to speed up convergence of the internal dynamics; and (3) a full-order sliding-mode-based mechanism is developed to generate a smooth output injection signal for real-time estimations, which is directly used for anomaly detection. To verify the effectiveness of the proposed approach, the real traffic profiles from the Center for Applied Internet Data Analysis (CAIDA) DDoS attack datasets are used.

Xiaojie Qiu,Wenchao Meng,Jinming Xu,Qinmin Yang

DOI: https://doi.org/10.1109/TICPS.2024.3372908

2024-01-01

Abstract:This paper concentrates on the resilient control issue in multi-agent systems (MASs) with the time-varying delay subjected to denial of service (DoS) attacks. To eliminate the impact of DoS attacks, a novel resilient control framework is constructed for MASs, where a variable following the Bernoulli distribution process is utilized to denote the behaviors of the attacker. Besides, we design a novel reduced-order (RO) observer with internal time-varying delay to estimate the unknown output of the system and compensate for lost data in the channels. Different from the general observers, the designed observer can ensure both the reduced-order observation errors and the full-order ones can converge to zero. Furthermore, an RO observer-based distributed protocol is devised such that the consensus errors of the closed-loop systems asymptotically converge to zero. Simulation comparisons are provided to validate the efficiency and superiority of our approach.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Ruoyu Yan,Qinghua Zheng,Guolin Niu,Sheng Gao

DOI: https://doi.org/10.1109/ICCS.2008.4737371

2008-01-01

Abstract:Different from other research work focusing on network-wide traffic, the traffic we focus on for analysis is that of a traffic state viewed from a router¿s interior. In this paper, at first, a kind of Port-to-Port traffic in a router is introduced, which we call IF flow. IF flows can amplify the ratio of attack traffic to normal traffic. Then RLS (recursive least square) filter is used to predict IF flows. After that, a statistical method using residual filtered process is proposed to detect anomalies. Finally we respectively apply the method to three types of traffics: IF flows, input links and output links within a router, and compare the anomaly detection results using ROC curves. Results show that IF flows are more powerful than input links and output links in DDoS attacks detection.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Yang Xu,Yong Liu

DOI: https://doi.org/10.1109/infocom.2016.7524500

2016-01-01

Abstract:Software Defined Networking (SDN) has recently emerged as a new network management platform. The centralized control architecture presents many new opportunities. Among the network management tasks, measurement is one of the most important and challenging one. Researchers have proposed many solutions to better utilize SDN for network measurement. Among them, how to detect Distributed Denial-of-Services (DDoS) quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks leveraging on SDN's flow monitoring capability. Our methods utilize measurement resources available in the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations we demonstrate that our methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.

Xiaofei Zhang,Haiping Du,Zhijuan Jia,Chi Cui,Yage Cheng,Yan Yan

DOI: https://doi.org/10.1002/oca.2975

2023-01-17

Optimal Control Applications and Methods

Abstract:Due to the increasing demand for autonomous driving, cyber‐attacks detection nowadays receives significant attention. Among several different types of attacks, Denial‐of‐Service (DoS) attacks can consume resources and cause the system under attack to stop responding, which can be considered a time delay model affecting the response of the attacked system. To detect the possible DoS attacks in Cooperative Adaptive Cruise Control platoon model, an adaptive observer design is proposed in this paper, where the time delay caused by DoS attacks can be fast and accurately estimated. To highlight the performance of the proposed adaptive observer, numerical simulations are applied and the performance is compared against the sliding mode observer in terms of the DoS attack time delay estimation convergence and accuracy.

automation & control systems,operations research & management science,mathematics, applied

Qingkai Meng,Andreas Kasis,Hao Yang,Marios M. Polycarpou

DOI: https://doi.org/10.1016/j.ejcon.2024.101037

IF: 2.649

2024-06-20

European Journal of Control

Abstract:This paper studies the problem of secure state estimation of networked switched systems in the presence of denial-of-service (DoS) attacks, as well as disturbances and measurement noise. Firstly, a state transformation rule is designed to partition the original system into two subsystems, facilitating the design of discrete and continuous state observers. Secondly, by modifying the traditional super-twisting sliding-mode method and taking into account the frequency and duration characteristics of DoS attacks, we employ dynamic differential properties between different modes to design a switching law identification strategy. We show that this strategy can accurately estimate the switching state without imposing any requirement on the switching times and sequences. Thirdly, based on the identified activated mode, a set of mode-dependent continuous state sliding-mode observers is designed, that achieves continuous state estimation in finite time. The practicality and applicability of the developed results are validated through numerical simulations.

automation & control systems

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Tian Yingxin,Li Xiang,Dong Bo,Gao Yabin,Wu Ligang

DOI: https://doi.org/10.1007/s11432-021-3375-5

2022-01-01

Science China Information Sciences

Abstract:This paper deals with the problem of estimator-based sliding mode control against denial-of-service (DoS) attacks and discrete events via a time-delay approach. A networked system is considered an uncertain dynamical system with matched and mismatched perturbations and exogenous disturbance in the network environment. A network-resource-aware event-triggering mechanism is designed with aperiodically releasing system measurements. Furthermore, to describe the DoS attack duration and inter-event time, a time-delay modeling approach considers the DOS attack duration and inter-event time as a “time delay” of the measurements between the sensor and controller over the network is proposed. Consequently, an interval-time-delay system with uncertainties is formulated. A state-observer-based sliding mode controller, by which the ideal sliding mode can be achieved, is proposed against the DoS attacks. The resulting sliding motion is proved to be robust and stable with an ℒ2 gain performance. Finally, the effectiveness and applicability of the present sliding mode control are validated in a simulated pendulum system.