Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Zixuan Chen,Chao Zheng,Zhao Li,Jinqiao Shi,Zeyu Li

DOI: https://doi.org/10.1109/cscwd61410.2024.10580831

2024-01-01

Abstract:Stepping-stones are widely used by attackers to conceal their identities and gain unauthorized access to restricted targets. Numerous strategies have been suggested to identify stepping-stones and counteract evasive behaviors, with flow correlation standing out as the key technique used in many deanonymization methods. Existing attempts to tackle the flow correlation issue rely on long-flow observations and feature-based methods. Yet, these approaches meet substantial limitations in their suitability across diverse scenarios, network noises influence and accuracy, particularly in the stepping-stone environment. In this paper, we introduce an improved flow correlation model, FlowLinker, which aims to resolve these issues. Specifically, we combined multidimensional statistical features and cumulative flow sequences to construct a robust traffic feature. Then, we leveraged the triplet network to produce an optimized representation, amplifying the difference between unrelated representations. Consequently, it significantly reduces the false correlation rate with flows that seem similar but are unrelated. The experiments on real-world datasets from different network environments we collected show that FlowLinker outperforms other state-of-the-art methods with shorter lengths of flow observations.

Ping Yi,Futai Zou,Jianhua Li

2007-01-01

Journal of Computational Information Systems

Abstract:Wireless mesh networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. In this paper, we propose a distributed intrusion detection approach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we construct the timed automata by the way of manually abstracting the correct behaviors of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behavior by timed automata, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.

Zong-Lin Li,Guang-Min Hu,Xingmiao Yao

DOI: https://doi.org/10.1109/icacia.2009.5361117

2009-01-01

Abstract:Distributed anomalous traffic is difficult to detect, since it is simultaneously dispersed in many links and tend to not present any obvious anomalous features in a single link. This paper proposed a multi-scale spatial detection method against distributed stealthy traffic anomaly, it can deploy early-stage detection on key nodes of network. Multi-scale wavelet packet analysis is performed separately on links at which information is available on each node, with the aim of getting abnormal frequency ranges at different time sections and reconstructing signals with anomalous features. Then from a spatial point of view, evaluate deviation degree of high dimension vectors that composed of reconstructions by kernel density estimation as anomaly indicator. Detection results on both real anomalies of American education backbone network and synthetic distributed anomalies shows, our method performs better than existing method.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Wu Liu,Hai-Xin Duan,Jian-Ping Wu,Ping Ren,Li-Hua Lu

DOI: https://doi.org/10.1007/978-3-540-24679-4_146

2004-01-01

Abstract:In this paper we present robust algorithms of transmission and reconstruction of attacking path(s) in IDS for providing traceback information in IP packets without requiring interactive operational support from Internet Service Providers, which is based on IP address compression techniques, polynomial theory and techniques from algebraic coding theory. Our best scheme has improved robustness over previous combinatorial approaches, both for noise elimination and multiple-path re-construction. Another key advantage of our schemes is that they will automatically benefit from any improvement in the underlying mathematical techniques, for which progress has been steady in recent years.

Pinghui Wang,Peng Jia,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/tkde.2018.2873319

IF: 9.235

2019-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Monitoring user behaviors over high speed links is important for applications such as network anomaly detection. Previous work focuses on monitoring anomalies such as extremely frequent users occurring in a short timeslot such as 1 minute. Little attention has been paid to detect users with stealthy behaviors (e.g., persistent, co-occurrence, anti-co-occurrence, and periodic behaviors) over a long period of time at the timeslot granularity. Due to limited computation and storage resources on routers, it is prohibitive to collect massive network traffic in a long period of time. We develop an end-to-end method for solving challenges in both long-term online traffic collection and offline user behavior analysis. We conduct extensive experiments on a variety of real-world traffic to evaluate the performance of detecting persistent, co-occurrence, anti-co-occurrence, and periodic behaviors, and the results demonstrate that our method significantly outperforms state-of-the-art methods.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

W Liu,Hx Duan,Y Feng,Yb Li,P Ren

2004-01-01

Abstract:This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. We first analyze the limitation of Edge Sampling Algorithm (ESA) [1], then present a new scheme IESA for providing traceback information in IP packets, which marking the packet with a dynamic marking probability to ensure that the victim receives all the marked packets with equal probability. This scheme can reduce greatly the possibility that a marked packet farther away from victim is remarked by the router nearer to the victim, hence greatly reduces the number of packets needed to reconstruct the attack path, and therefore greatly reduces the reconstruction time.

XIAO Zheng-hong,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.05.023

2006-01-01

Abstract:At first this paper introduces the development process of intrusion detection, then it describes the detection. Secondly, intrusion detection techniques for statistics analysis based on network traffic are thoroughly discussed in this paper, and it also points the future research aspects. Finally we document some remaining problems and challenges, and give the possible solution.

Jiazhong Lu,Xiaosong Zhang,Wang Junfeng,Ying Lingyun

DOI: https://doi.org/10.1109/ICITBS.2016.87

2016-01-01

Abstract:APT(Advanced persist threat) is an emerging attack on the Internet. Attackers may combine phishing emails, malware, social engineering and botnets to create a series of attacks in one APT attack which makes it quite difficult for detection. In this way, attackers can remotely control the infected host, or steal sensitive information. In this paper, we proposed a time transform features approach for distinguishing APT attacks based on the observation that malicious payload must be transferred to the target hosts in an APT attack. By comparing the normal traffic with the traffic containing a malicious payload, we are able to catch the signal of malicious payload and further infer the existence of APT attacks. Then we use machine learning methods to detect APT attacks in big data. To verify this approach, we placed a device on the gateway of our university for catching the real Internet traffic of the university for one month. Then we mixed the APT traffic with these flows, and see whether our approach can identify the malicious payloads. We found our approach is not only accurate but also efficient for catching APT attacks.

Dehu Li,Haixin Duan,Jian Jiang

DOI: https://doi.org/10.1109/bcgin.2013.253

2013-01-01

Abstract:Research on evasion attack of intrusion detection plays an important role in anti-evasion research and the testing of Intrusion Detection Systems. However, the widely used "fragroute" evasion tool has some significant defects such as: the evasion techniques are quite simple and the semantics of attack can probably be disrupted in evasion test. This paper proposed a signature based overlapping segmentation evasion technique and implemented it. The new technique has the following advantages: the semantics of attack won't be disrupted during evasion test, and the TCP (Transmission Control Protocol) data gram can be segmented accurately at the location of signatures, the segment reassembly policy can also be customized according to the reassembly policy of the target OS (Operating System). At the end of this paper, the popular Snort IDS were used to test the new technique. Our test with Snort shows that the new technique can evade Snort effectively. We also found that Snort's Stream5 preprocessor which aims to reassemble overlapped segments cannot work properly in most situations.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Yan Gao,Yao Zhao,Robert Schweller,Shobha Venkataraman,Yan Chen,Dawn Song,Ming-Yang Kao

DOI: https://doi.org/10.1109/iwqos.2007.376561

2007-01-01

Abstract:We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques fail to detect spreaders such as bot scans in which each scanning host scans only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events show that our scheme is highly accurate and can operate online.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Yujiao Lv,Jianquan Lu,Yang Liu,Lingzhong Zhang

DOI: https://doi.org/10.1016/j.ins.2023.118964

IF: 8.1

2023-05-04

Information Sciences

Abstract:Network attacks always threaten economic operations and personal privacy, which have resulted in severe and irreparable damage. Therefore, the investigation of network attacks is essential for network security. This paper concentrates on designing two stealthy attack strategies for remote state estimation with intermittent observations, where the attackers can select one of the designed stealthy attack strategies depending on their capabilities, available resources, and information. Furthermore, for real-time communication rates, a novel detector is introduced to determine if the system is compromised by attackers at each moment. Then, an algorithm for state estimation is derived under the proposed stealthy attack strategies. Furthermore, the attack parameters in the proposed attack strategies are discussed by applying linear matrix inequalities. Finally, a numerical example illustrates the effects of the detector and attack strategies.

computer science, information systems