Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

Jun Li,Devkishen Sisodia,Yebo Feng,Lumin Shi,Mingwei Zhang,Christopher Early,Peter Reiher

DOI: https://doi.org/10.1109/CNS59707.2023.10288699

2023-05-23

Abstract:Despite the proliferation of traffic filtering capabilities throughout the Internet, attackers continue to launch distributed denial-of-service (DDoS) attacks to successfully overwhelm the victims with DDoS traffic. In this paper, we introduce a distributed filtering system that leverages nodes distributed along the paths of DDoS traffic to filter the DDoS traffic. In particular, we focus on adaptive distributed filtering, a new direction in filtering DDoS traffic. In our design, a subscriber to the distributed filtering service can act on behalf of a DDoS victim and generate filtering rules that not only adapt to the most suitable and effective filtering granularity (e.g., IP source address and a port number vs. an individual IP address vs. IP prefixes at different lengths), but also adapt to the preferences of the subscriber (e.g., maximum coverage of DDoS traffic vs. minimum collateral damage from dropping legitimate traffic vs. minimum number of rules). We design an efficient algorithm that can generate rules adaptive toward filtering granularities and objectives, which can further help determine where to deploy generated rules for the best efficacy. We evaluated our system through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithm can generate rules that adapt to every distinct filtering objective and achieve optimal results. We studied the success rate and distribution of rule deployment under different Internet-scale rule deployment profiles, and found a small number of autonomous systems can contribute disproportionately to the defense. Our pilot studies also show our adaptive distributed filtering system can effectively defend against real-world DDoS attack traces in real time.

Networking and Internet Architecture,Cryptography and Security

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

P. Dorey,C. Dunning,A. Millican-Slater,R. Tateo

DOI: https://doi.org/10.48550/arXiv.hep-th/0309054

2003-09-04

Abstract:We review some surprising links which have been discovered in the last few years between the theory of certain ordinary differential equations, and particular integrable lattice models and quantum field theories in two dimensions. An application of this correspondence to a problem in non-Hermitian (PT-symmetric) quantum mechanics is also discussed.

High Energy Physics - Theory

Ziming Zhao,Zhaoxuan Li,Zhihao Zhou,Jiongchi Yu,Zhuoxue Song,Xiaofei Xie,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103663

IF: 5.105

2023-12-21

Computers & Security

Abstract:Distributed Denial of Service (DDoS) defense is a profound research problem. In recent years, adversaries tend to complicate their attack strategies by crafting vast DDoS variants. On the one hand, this trend exacerbates both extremes of classification granularity ( i.e. , binary and attack level) in existing machine learning methods. On the other hand, massive attack categories make the filter rule table bulky, as well as cause problems of slow reaction presented in the recent state-of-the-art DDoS mitigation system. Therefore, we propose the concept of a DDoS family to reconcile/cope with these issues. The specific technical roadmap includes traffic pattern characterization, attack fingerprint production, and cross-executed family partition by community detection. Through extensive evaluations, we demonstrate the benefits of the proposal in terms of portraying similarities, guiding model classification/unknown attack detection, optimizing defense strategies, and speeding filtering reactions. For instance, our results show that using only one rule can defend 15 types of attacks due to their homogeneous behavioral representation. Particularly, we find the interesting observation that counting the backward packet is more efficient and robust against some attacks ( e.g. , Tor's Hammer Attack), which is very different from previous solutions.

computer science, information systems

A. Pavlidis,Marinos Dimolianis,B. Maglaris

DOI: https://doi.org/10.1109/ICIN51074.2021.9385540

2021-03-01

Abstract:Distributed Denial of Service (DDoS) attacks are widely used by malicious actors to disrupt network infrastructures/services. A common attack is TCP SYN Flood that attempts to exhaust memory and processing resources. Typical mitigation mechanisms, i.e. SYN cookies require significant processing resources and generate large rates of backscatter traffic to block them. In this paper, we propose a detection and mitigation schema that focuses on generating and optimizing signature-based rules. To that end, network traffic is monitored and appropriate packet-level data are processed to form signatures i.e. unique combinations of packet field values. These are fed to machine learning models that classify them to malicious/benign. Malicious signatures corresponding to specific destinations identify potential victims. TCP traffic to victims is redirected to high-performance programmable XDPenabled firewalls that filter off ending traffic according to signatures classified as malicious. To enhance mitigation performance malicious signatures are subjected to a reduction process, formulated as a multi-objective optimization problem. Minimization objectives are (i) the number of malicious signatures and (ii) collateral damage on benign traffic. We evaluate our approach in terms of detection accuracy and packet filtering performance employing traces from production environments and high rate generated attack traffic. We showcase that our approach achieves high detection accuracy, significantly reduces the number of filtering rules and outperforms the SYN cookies mechanism in high-speed traffic scenarios.

Computer Science,Engineering

Jie Ma,Wei Su,Yikun Li,Yihua Peng

DOI: https://doi.org/10.1016/j.future.2023.12.033

IF: 7.307

2024-01-05

Future Generation Computer Systems

Abstract:The availability of SD-IoT is now under complex and serious cyber threats, especially distributed denial-of-service attacks. However, traditional defense schemes suffer from coarse-grained centralized sampling approaches, low accuracy of detection models, and inefficient mitigation methods. In this paper, a novel DDoS defense scheme is proposed, which consists of a high-accuracy detection mechanism based on a Graph Convolutional Neural Network learning model and a mitigation mechanism based on fast traffic migration. In the detection stage, a fine-grained INT sampling approach is utilized to obtain multidimensional network topology and status information. The Graph Convolutional Neural Network learning model detects switches containing DDoS attack traffic with high accuracy because the detection model not only extracts and utilizes multiple temporal and spatial features of the collected information, but also has a better learning and representation capability. In the mitigation stage, the enhanced whitelist with dynamic threshold-based values is automatically adapted to the real-time state of the network environment for enhanced mitigation flexibility. The fast programmable segment rerouting strategy can block attack traffic in time and ensure the continuity of network services. The results of several comparison experiments show that the proposed scheme can detect DDoS attacks more accurately and mitigate them more effectively than traditional schemes.

computer science, theory & methods

Omer Elsier Tayfour,Muhammad Nadzir Marsono

DOI: https://doi.org/10.1007/s11036-020-01552-0

2020-06-04

Mobile Networks and Applications

Abstract:This paper presents a collaborative technique to detect and mitigate Distributed Denial-of-Service (DDoS) flooding attacks on Software-Defined Network (SDN). This technique integrates sflow-RT application and Snort rules for the detection of DDoS traffic flows in an SDN controller. Redis Simple Message Queue (RSMQ) acts as a mechanism to share DDoS detection and mitigation rules among multiple Ryus SDN controllers. The rule-sharing allows a reduction of the controller's overhead for processing DDoS detection and mitigation. The experimental results show that using the RSMQ mechanism can significantly detect and prevent DDoS attacks detection across multi-controller domains. It also provides early detection and mitigation of DDoS at lower controller overhead.

computer science, information systems,telecommunications, hardware & architecture

Jun Li,HanPing Hu,Qiao Ke,Naixue Xiong

DOI: https://doi.org/10.3390/s17030553

2017-03-09

Abstract:With the rapid development of virtual machine technology and cloud computing, distributed denial of service (DDoS) attacks, or some peak traffic, poses a great threat to the security of the network. In this paper, a novel topology link control technique and mitigation attacks in real-time environments is proposed. Firstly, a non-invasive method of deploying virtual sensors in the nodes is built, which uses the resource manager of each monitored node as a sensor. Secondly, a general topology-controlling approach of resisting the tolerant invasion is proposed. In the proposed approach, a prediction model is constructed by using copula functions for predicting the peak of a resource through another resource. The result of prediction determines whether or not to initiate the active defense. Finally, a minority game with incomplete strategy is employed to suppress attack flows and improve the permeability of the normal flows. The simulation results show that the proposed approach is very effective in protecting nodes.

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Katerina J. Argyraki,David R. Cheriton

DOI: https://doi.org/10.1109/TNET.2008.2007431

2004-05-24

Abstract:A distributed denial-of-service (DDoS) attack can flood a victim site with malicious traffic, causing service disruption or even complete failure. Public-access sites like amazon or ebay are particularly vulnerable to such attacks, because they have no way of a priori blocking unauthorized traffic. We present Active Internet Traffic Filtering (AITF), a mechanism that protects public-access sites from highly distributed attacks by causing undesired traffic to be blocked as close as possible to its sources. We identify filters as a scarce resource and show that AITF protects a significant amount of the victim's bandwidth, while requiring from each participating router a number of filters that can be accommodated by today's routers. AITF is incrementally deployable, because it offers a substantial benefit even to the first sites that deploy it.

Networking and Internet Architecture

Trung V. Phan,Minho Park

DOI: https://doi.org/10.1109/access.2019.2896783

IF: 3.9

2019-01-01

IEEE Access

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet infrastructure to be more programmable, configurable, and manageable. However, critical cyber-threats in the SDN-based cloud environment are rising rapidly, in which distributed denial-of-service (DDoS) attack is one of the most damaging cyber attacks. In this paper, we propose an efficient solution to tackle DDoS attacks in the SDN-based cloud environment. We first introduce a new hybrid machine learning model based on support vector machine and self-organizing map algorithms to improve the traffic classification. Then, we propose an enhanced history-based IP filtering scheme ( $eHIPF$ ) to improve the attack detection rate and speed. Finally, we introduce a novel mechanism that combines both the hybrid machine learning model and the $eHIPF$ scheme to make a DDoS attack defender for the SDN-based cloud environment. The testbed is implemented in an SDN-based cloud with service function chaining. Through practical experiments, the proposed DDoS attack defender is proven to outperform existing mechanisms for DDoS attack classification and detection. The comprehensive experiments conducted with various DDoS attack levels prove that the proposed mechanism is an effective, innovative approach to defend DDoS attacks in the SDN-based cloud.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yi Zhong,Lei Jiao,Ruiting Zhou,Liujing Song

DOI: https://doi.org/10.1109/secon55815.2022.9918591

2022-01-01

Abstract:To mitigate Distributed Denial-of-Service (DDoS) attacks towards enterprise networks, we study the problem of scheduling DDoS traffic through on-premises scrubbing at the local edge and on-demand scrubbing in the remote clouds. We model this problem as a nonlinear mixed-integer program, which is characterized by the inputs of arbitrary dynamics and the trade-offs between staying at suboptimal scrubbing locations and using different best locations with switching overhead. We first design a prediction-oblivious online algorithm which consists of a carefully-designed fractional algorithm to pursue the long-term total cost minimization but avoid excessive switching overhead over time, and a randomized rounding algorithm to derive the flow-based, integral decisions. We next design a prediction-aware online algorithm which leverages the predicted inputs and can make even better scheduling decisions through invoking our prediction-oblivious online algorithm and improving its solutions via re-solving the original problem slice over each prediction window. We further rigorously prove the worst-case, constant competitive performance guarantees of our online algorithms. We finally conduct extensive evaluations and validate the superiority of our approach over multiple existing alternatives.

Ajit Kumar Singh Yadav,R. Radhika,V.R. Balaji,D. Sivaganesan,J Cynthia,M. Thomas Jeyanth

DOI: https://doi.org/10.1142/s1793962324410204

2024-08-24

International Journal of Modeling Simulation and Scientific Computing

Abstract:International Journal of Modeling, Simulation, and Scientific Computing, Ahead of Print. Distributed Denial of Service (DDoS) attacks remain a persistent and formidable threat in the ever-changing world of cyber security. These attacks have the potential to disrupt internet services and cause substantial financial and reputational concerns. The major challenge is developing an adaptable and real-time Intrusion Detection System (IDS) that can detect and neutralize DDoS attacks effectively and quickly, even when attackers use increasingly advanced ways to avoid detection. The problem concerns the development of a dynamic and real-time intrusion detection technique that combines the benefits of logistic regression for anomaly detection with GoogLeNet for deep learning-based network traffic analysis. This paper proposes a unique framework for intrusion detection that blends logistic regression-based anomaly detection with GoogLeNet deep learning capabilities. The combination of these technologies makes it easier to identify and mitigate DDoS attacks, hence improving the security of internet-based systems. The proposed IDS framework utility is proved through experimental evaluations, which highlight its capacity to effectively identify DDoS attacks while minimizing false positives. The use of this technology in real-time during security games demonstrates its potential to improve online service security infrastructure and reduce the impact of DDoS attacks on critical networks and data resources.

mathematics, interdisciplinary applications,multidisciplinary sciences

Saurav Kumar,Ajit kumar Keshri

DOI: https://doi.org/10.1016/j.knosys.2024.112052

IF: 8.139

2024-06-21

Knowledge-Based Systems

Abstract:The Internet of Things enables the creation of transmitted use cases for interconnected devices and complementary channels. The varied structure of it creates additional security needs and problems. In particular, the safeguards used in the IoT should adjust to the changing environment. One of the major dangers to the World Wide Web (WWW) things is Distributed Denial of Service (DDoS). Therefore, in this work, an intelligent Game Theory-based Adaptive security (GT-AS) mathematical model was developed to maximize the effectiveness of DDoS attack mitigation. Moreover, this strategy can strongly derive the five parameters such as energy channel, memory, intruder, and hybrid. These all can achieve a stronger defense posture against DDoS attacks from the newly designed IoT. Consequently, the Recurrent Bat (RB) framework is developed to classify the nodes into two classes such as trusted node and malicious node. In addition, the proposed frameworks analyze how protection effectiveness and energy consumption interact when evaluating adaptive security techniques. To analyze the effectiveness of the suggested paradigm, researchers also give the outcomes of simulation experiments. Researchers demonstrate that, in comparison to existing models, the developed approach has increased the lifespan of the connected objects by 47 %. Also, the developed strategy has attained better accuracy and lower error rates when comparing traditional strategies. Moreover, the packet delivery ratio is 60 KB, energy consumption is 116 KJ, Mean Location Error is 0.078 and resource usage is 148.

computer science, artificial intelligence

Xu Chen,Liang Xiao,Wei Feng,Ning Ge,Xianbin Wang

DOI: https://doi.org/10.1109/jiot.2021.3138094

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The proliferation of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) not only threatens the security of digital devices and infrastructure but also severely degrades IoT system performance due to the overly consumed network resources. With the knowledge of identity information of devices and signaling data, Internet service providers (ISPs) can detect and block DDoS traffic by monitoring the upstream IoT packets, and thereby, improve network efficiency. However, inspecting all data packets online for DDoS detection will significantly increase both the network delay and the computational overhead. Therefore, the packet sampling strategy is crucial for the defenders to detect DDoS attacks. To this end, this article formulates a Stackelberg game model to analyze the collaborative IoT packet sampling against DDoS attacks. Through the equilibrium analysis of the DDoS game, we derive the lower bound of packet sampling rate (PSR) that can effectively deter potential attackers. Unlike traditional offline detection, our proposed packet sampling strategy can support both the online detection and proactive prevention of DDoS traffic. As a use case, a multipoint DDoS defense framework is developed to address the IP spoofing in 5G networks based on the proposed packet sampling strategy, which deters DDoS attacks and reduces the packet sampling cost, and thereby, maximizes the IoT utility, compared with existing methods. In typical reflection attacks (in which no more than five packets of response are triggered by a request packet), our proposed scheme not only reduces more than 70% of the sampling rate but also demonstrates superior robustness against boundary condition variation.

Manish Kumar Rajak,Dr. Ravindra Tiwari

DOI: https://doi.org/10.29070/hc5qzn85

2024-09-03

Journal of Advances and Scholarly Researches in Allied Education

Abstract:Distributed Denial of Service (DDoS) persists in Online Applications as One of those significant threats. Attackers can execute DDoS by the more natural steps. Then with the high productivity to slow the consumer access services down. To detect an attack on DDoS and using machine learning algorithms. The Overseen to detect and mitigate the attack, machine learning algorithms such as Naive Bayes, decision tree, k-nearest neighbours (k-NN) and random forest are used. There are three steps: gathering information, preprocessing and feature Extraction in "Normal or DDoS" classification algorithm for detection Attack use Dataset NSL-KDD. Similar algorithms have different functions Conduct that is dependent on the features selected. DDOS-attack performance Detection is compared, and it indicates the best algorithm. Attempts at Distributed Denial of Service ( DDoS) Were the most powerful attacks of the last period. A Virtual Network. The intrusion detection system (NIDS) should be designed seamlessly to Fight the latest strategies and trends of those attackers NIDS on DDoS. In this paper, we propose an NIDS capable of detecting Current DDoS attacks, as well as new forms. The main characteristic of Our NIDS is the combination of various classifiers using an ensemble Models, with the concept of each classifier being able to target different Aspects/types of intrusions, and more effective in doing so Mechanism for protecting against new intrusions. Additionally, we perform a detailed study of and based on, DDoS attacks check the reduced set of functions [27, 28] to be essential to Enhance accuracy. We are playing with and analyzing NSL-KDD Dataset with a feature set reduced, and our proposed NIDS will Detect 99.1 per cent of active DDoS attacks. Let's compare our Tests with other methods which already exist. Our approach to NIDS has Able to learn to keep up with existing and evolving DDoS Attack trends.