Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Qian Wang,Feng Xiao,Man Zhou,Zhibo Wang,Qi Li,Zhetao Li

2017-01-01

Abstract:Link-flooding attack (LFA) has emerged as a serious threat to Internet which cuts off connections between legitimate hosts and targeted servers by flooding only a few links (e.g., target links). Several mechanisms have been proposed to mitigate LFA, however, they can only mitigate LFA after target links have been compromised by adversaries. Based on the fact that adversaries rely on network linkmap to discover weakness of the network, in this paper, we propose an active LFA mitigation mechanism, called Linkbait, that actively and preventively mitigates LFA by providing a fake linkmap to adversaries. Inspired by Moving Target Defense (MTD), we propose a link obfuscation algorithm in Linkbait that selectively reroutes probing flows to hide target links from adversaries and mislead them to consider some bait links as target links. By providing the faked linkmap to adversaries, Linkbait can actively mitigate LFA even without identifying bots and does not affect flows from legitimate hosts. In order to further reduce the junk traffic generated by adversaries from entering the network, we propose a bot detection algorithm in Linkbait that extracts unique traffic patterns from LFA and leverages Support Vector Machine to accurately distinguish bots from legitimate hosts. Finally, we evaluate the feasibility of implementing Linkbait in real Internet, and evaluate its performance by using both a real-world testbed and large-scale simulations. The analyses and experiments results demonstrate the effectiveness of Linkbait.

Qian Wang,Feng Xiao,Man Zhou,Zhibo Wang,Hongyu Ding

2017-01-01

Abstract:Link-flooding attack (LFA) has emerged as a serious threat to Internet which cuts off connections between legitimate hosts and targeted servers by flooding only a few links (e.g., target links). Several mechanisms have been proposed to mitigate LFA, however, they can only mitigate LFA passively after target links have been compromised by adversaries. Based on the fact that adversaries rely on network linkmap to launch LFA, in this paper, we propose an active LFA mitigation mechanism, called Linkbait, that actively mitigates LFA by providing a fake linkmap to adversaries. Inspired by Moving Target Defense (MTD), we propose a link obfuscation algorithm in Linkbait that selectively reroutes detecting flows to hide target links from adversaries and mislead them to consider some bait links as target links. By providing the faked linkmap to adversaries, Linkbait can actively mitigate LFA even without identifying bots and does not affect flows from legitimate hosts. In order to further reduce the junk traffic generated by adversaries from entering the network, we propose a bot detection algorithm in Linkbait that extracts unique traffic patterns from LFA and leverages Support Vector Machine to accurately distinguish bots from legitimate hosts. Finally, we evaluate the feasibility of implementing Linkbait in real Internet, and evaluate its performance by using both a real-world testbed and large-scale simulations. The analyses and experiments results demonstrate the effectiveness of Linkbait.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Xuyang Ding,Feng Xiao,Man Zhou,Zhibo Wang

DOI: https://doi.org/10.1109/trustcom50675.2020.00040

2020-01-01

Abstract:The DDoS attack is a serious threat to Internet of Things (IoT).As a new class of DDoS attack, Link-flooding attack (LFA) disrupts connectivity between legitimate IoT devices and target servers by flooding only a small number of links.In this paper, we propose an active LFA mitigation mechanism, called Linkbait, that is a proactive and preventive defense to throttle LFA for IoT.We propose a link obfuscation algorithm in Linkbait that selectively reroutes probing flows to hide target links from adversaries and mislead them to identify bait links as target links.To block attack traffic and further reduce the impact in IoT, we propose a compromised IoT devices detection algorithm that extracts unique traffic patterns of LFA for IoT and leverages support vector machine (SVM) to identify attack traffic.We evaluate the performance of Linkbait by using both real-world experiments and large-scale simulations.The experimental results demonstrate the effectiveness of Linkbait.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

DOI: https://doi.org/10.1109/tifs.2018.2815555

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usages since they require modifying routers. In this paper, we propose LinkScope, a novel system that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then correlate the performance data and traceroute data to infer the target links or areas. Although the idea is simple, we tackle a number of challenging issues, such as conducting large-scale Internet measurement through noncooperative measurement, assessing the performance on asymmetric Internet paths, and detecting LFA. We have implemented LinkScope with 7174 lines of C codes and the extensive evaluation in a testbed and the Internet show that LinkScope can quickly detect LFA with high accuracy and low false positive rate.

Xin Wang,Xiaobo Ma,Jiahao Peng,Jianfeng Li,Lei Xue,Wenjun Hu,Li Feng

DOI: https://doi.org/10.1109/access.2021.3131503

IF: 3.9

2021-01-01

IEEE Access

Abstract:The emerging link flooding attacks (LFAs) are one type of attacks that attract significant attention in both academia and industry against the routing infrastructure. The attack traffic flows originating from bots (e.g., compromised IoT devices) are deliberately aggregated at upstream critical links and grow intensified, gradually making a network connected to the critical links disconnected. Although LFAs are far more sophisticated than traditional DDoS attacks, whether such sophistication comes without a downside has never been investigated. In this paper, by modeling link flooding attacks and defenses, we tackle a series of questions concerning the practical issues of LFAs. Specifically, from the perspective of attacks, we advance a novel notion of strike precision, and reveal that LFAs may exhibit attack interference (i.e., unexpectedly interfere the connectivity of innocent networks) which might undermine the stealthiness and persistence of LFAs. From the perspective of defenses, we make the first step to study attack intention, i.e., inversely inferring the target network to disconnect based on the identified links under attack. Furthermore, we consider a strong defender who employs traffic engineering to mitigate LFAs, and formulate the game-theoretic interactions between attackers and defenders. The experiment results show that attack interference is pervasive, and our proposed SPAH flooding strategy can substantially lower attack interference and increase strike precision. Moreover, we demonstrate that LFAs can be effectively mitigated based on traffic engineering from a game-theoretic perspective, wherein the defender can adopt non-cooperative measurement techniques to achieve light-weight and multi-protocol-based robust probe deployment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ziliang Zhu,Guopu Zhu,Yu Zhang,Jiantao Shi,Xiaoxia Huang,Yuguang Fang

DOI: https://doi.org/10.1109/tnse.2024.3501396

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Link flooding attack is a kind of attack based on the topology information of a network. Sophisticated attackers tend to conduct network reconnaissance before they launch effective attacks to infer key information about the whole network. Existing active defense methods against link flooding attacks either focus on protecting the key links within the network or safeguarding the key nodes with the simple degree centrality. This paper proposes a novel network topology obfuscation method called EigenObfu to protect the key nodes. Instead of using the degree centrality in existing defense methods, our eigenvector centrality-based EigenObfu comprehensively utilizes network topology information and better measures the importance of nodes in a network. EigenObfu is designed to output a secure obfuscated topology suitable for networks, regardless of their sizes, by hiding important nodes while maintaining connectivity and ensuring the protection of key nodes. We evaluate EigenObfu through several comparison experiments on nine different topologies. The results confirm the effectiveness of our method.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

2018-01-01

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usage since they require either additional modules to enhance routers or using the software-defined network (SDN) to replace the traditional routers. In this paper, we propose a novel framework that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then locate the target links or areas whenever possible, and develop a prototype of the framework named LinkScope. Although using network measurement to capture network anomaly is not new, we tackle a number of challenging issues, such as conducting large-scale Internet path monitoring via non-cooperative measurement so that users do not need to install LinkScope on every host, profiling the performance of asymmetric Internet paths, and detecting LFA. The extensive evaluation in a testbed and the Internet shows that with limited bandwidth and computational overhead LinkScope can achieve timely detection and diagnosis of LFA with high detection rate and low false positive rate.

Binbin Wang,Zhitang Li,Dong Li,Feng Liu,Hao Chen

DOI: https://doi.org/10.1109/EBISS.2010.5473532

2010-01-01

Abstract:Botnet has become a prevalent platform for malicious attacks, which poses a significant threat to Internet security. Recently, botnets are inclined to utilize HTTP to route their command and control (C&C) communication instead of using the protocol Internet Relay Chat (IRC). And these web-based C&C bots try to blend into normal HTTP traffic, which makes them more difficult to be identified. In this work, we propose an automatic approach to identify web-based C&C bots by modeling the essential network behavior of web-based bots in supervised network. Experimental results show the proposed approach is very efficient and can detect web-base bots with low false positive ratio.

Li Sheng,Liu Zhiming,He Jin,Deng Gaoming,Huang Wen

DOI: https://doi.org/10.1109/IMCCC.2012.36

2012-01-01

Abstract:Bonnet is extremely harmful to computer network security which could cause many network attacks(like spam, DDoS, phishing etc). In this paper, we design a distributed Bonnet detecting approach based on network traffic analysis. A botnet detection framework is proposed, which composed of two sections: Data Collection and Filter, Bonnet Detection and Identify. The first section is deployed in distributed hosts in order to capture network traffic data, filter data and classify data. The second section is deployed in centralized place which collectes all data from distributed hosts and detected the botnet using data amalgamation algorithms and characteristic identified algorithms. The detecting approach works efficiently and can detect botnet in the experiment environment.

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Sun Hancun,Chen Xu,Luo Yantian,Ge Ning

DOI: https://doi.org/10.23919/jcc.fa.2024-0209.202411

2024-12-04

China Communications

Abstract:Link flooding attack (LFA) is a type of covert distributed denial of service (DDoS) attack. The attack mechanism of LFAs is to flood critical links within the network to cut off the target area from the Internet. Recently, the proliferation of Internet of Things (IoT) has increased the quantity of vulnerable devices connected to the network and has intensified the threat of LFAs. In LFAs, attackers typically utilize low-speed flows that do not reach the victims, making the attack difficult to detect. Traditional LFA defense methods mainly reroute the attack traffic around the congested link, which encounters high complexity and high computational overhead due to the aggregation of massive attack traffic. To address these challenges, we present an LFA defense framework which can mitigate the attack flows at the border switches when they are small in scale. This framework is lightweight and can be deployed at border switches of the network in a distributed manner, which ensures the scalability of our defense system. The performance of our framework is assessed in an experimental environment. The simulation results indicate that our method is effective in detecting and mitigating LFAs with low time complexity.

telecommunications

Ruidong Chen,Weina Niu,Xiaosong Zhang,Zhongliu Zhuo,Fengmao Lv

DOI: https://doi.org/10.1155/2017/4934082

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_ RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1145/1533057.1533063

2009-01-01

Abstract:Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1109/tifs.2010.2086445

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Botnets dominate today's attack landscape. In this work, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes." In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer-using purely local observation-information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.