skip to main content
10.1145/1966913.1966955acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
research-article

Formal modelling and automatic detection of resource exhaustion attacks

Published: 22 March 2011 Publication History

Abstract

Many common protocols: TCP, IPSec, etc., are vulnerable to denial of service attacks, where adversaries maliciously consume significant resources of honest principals, leading to resource exhaustion. We propose a set of cost-based rules that formalize DoS attacks by resource exhaustion and can automate their detection. Our classification separates excessive but legal protocol use (e.g., flooding) from illegal protocol manipulation that causes participants to waste computation time without reaching the protocol goals. We also distinguish simple intruder intervention leading to wasteful execution from DoS attacks proper, which can be repeatedly initiated. Our rules can highlight attacks that are undetectable by the targeted honest agents, or by all protocol participants. We have successfully tested an implementation of the methodology in a validation platform on relevant protocol examples, in what to the best of our knowledge is the first formal automated analysis of DoS attacks.

References

[1]
W. Aiello, S. M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A. D. Keromytis, and O. Reingold. Just fast keying: Key agreement in a hostile network. ACM Transactions on Information and System Security, 7(2):242--273, 2004.
[2]
A. Armando and L. Compagna. SAT-based model-checking for security protocols analysis. International Journal of Information Security, 7(1):3--32, 2008.
[3]
T. Aura, P. Nikander, and J. Leiwo. DOS-resistant authentication with client puzzles. In 8th International Workshop on Security Protocols (SP'00), LNCS vol. 2133, pages 170--177. Springer, 2001.
[4]
The AVANTSSAR project. http://avantssar.eu/.
[5]
The AVISPA project. http://avispa-project.org/.
[6]
D. A. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. Int'l. J. of Information Security, 4(3):181--208, 2005.
[7]
L. Chen, P. Morrissey, N. Smart, and B. Warinschi. Security notions and generic constructions for client puzzles. In Advances in Cryptology --- ASIACRYPT, LNCS vol. 5912, pages 505--523. Springer, 2009.
[8]
W. Diffie, P. C. van Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2(2):107--125, 1992.
[9]
C. Dwork and M. Naor. Pricing via processing or combatting junk mail. In Advances in Cryptology: CRYPTO, LNCS vol. 740, pages 139--147. Springer, 1993.
[10]
R. Focardi, R. Gorrieri, and F. Martinelli. Secrecy in security protocols as non interference. In DERA/RHUL Workshop on Secure Architectures and Information Flow, 1999.
[11]
L. Gong and P. Syverson. Fail-stop protocols: An approach to designing secure protocols. In Dependable Computing for Critical Applications 5, pages 79--100, 1998.
[12]
A. Juels and J. Brainard. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Network and Distributed Systems Security Symposium, pages 151--165, 1999.
[13]
G. Lowe. Some new attacks upon security protocols. In 9th IEEE Computer Security Foundations Workshop, pages 162--169, 1996.
[14]
G. Lowe. A hierarchy of authentication specifications. In 10th IEEE Computer Security Foundations Workshop, pages 31--44, 1997.
[15]
W. Mao and K. G. Paterson. On the plausible deniability feature of Internet protocols. Published online, 2002.
[16]
K. Matsuura and H. Imai. Protection of authenticated key-agreement protocol against a denial-of-service attack. In International Symposium on Information Theory and Its Applications (ISITA), pages 466--470, 1998.
[17]
K. Matsuura and H. Imai. Modification of internet key exchange resistant against denial-of-service. In Pre-Proceedings of Internet Workshop (IWS 2000), pages 167--174, 2000.
[18]
C. Meadows. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security, 9(1/2):143--164, 2001.
[19]
A. Perrig, R. Canetti, D. Song, and J. D. Tygar. Efficient and secure source authentication for multicast. In Network and Distributed System Security Symposium (NDSS), pages 35--46, 2001.
[20]
A. Perrig, R. Canetti, J. D. Tygar, and D. Song. Efficient authentication and signing of multicast streams over lossy channels. In IEEE Symposium on Security and Privacy, pages 56--73, 2000.
[21]
V. Ramachandran. Analyzing DoS-resistance of protocols using a cost-based framework. Technical Report DCS/TR-1239, Yale University, 2002.
[22]
J. Smith, J. M. González Nieto, and C. Boyd. Modelling denial of service attacks on JFK with Meadows's cost-based framework. In 4th Australasian Information Security Workshop, pages 125--134, 2006.
[23]
D. Stebila and B. Ustaoglu. Towards denial-of-service-resilient key agreement protocols. In 14th Australasian Conference on Information Security and Privacy, LNCS vol. 5594, pages 389--406. Springer, 2009.
[24]
Y.-M. Tseng. Efficient authenticated key agreement protocols resistant to a denial-of-service attack. International Journal of Network Management, 15(3):193--202, 2005.
[25]
M. Turuani. The CL-Atse protocol analyser. In 17th Int'l. Conference on Term Rewriting and Applications, LNCS vol. 4098, pages 277--286. Springer, 2006.

Cited By

View all
  • (2024)A Survey on Energy-Aware Security Mechanisms for the Internet of ThingsFuture Internet10.3390/fi1604012816:4(128)Online publication date: 8-Apr-2024
  • (2023)Detecting Anomalies Through Sequential Performance Analysis in Virtualized EnvironmentsIEEE Access10.1109/ACCESS.2023.329364311(70716-70740)Online publication date: 2023
  • (2022)N-Tube: Formally Verified Secure Bandwidth Reservation in Path-Aware Internet Architectures2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919646(147-162)Online publication date: Aug-2022
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
March 2011
527 pages
ISBN:9781450305648
DOI:10.1145/1966913
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 March 2011

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. automated verification
  2. denial of service
  3. formal modeling

Qualifiers

  • Research-article

Funding Sources

Conference

ASIA CCS '11
Sponsor:

Acceptance Rates

ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)16
  • Downloads (Last 6 weeks)1
Reflects downloads up to 16 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)A Survey on Energy-Aware Security Mechanisms for the Internet of ThingsFuture Internet10.3390/fi1604012816:4(128)Online publication date: 8-Apr-2024
  • (2023)Detecting Anomalies Through Sequential Performance Analysis in Virtualized EnvironmentsIEEE Access10.1109/ACCESS.2023.329364311(70716-70740)Online publication date: 2023
  • (2022)N-Tube: Formally Verified Secure Bandwidth Reservation in Path-Aware Internet Architectures2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919646(147-162)Online publication date: Aug-2022
  • (2022)CVFuzzFuture Generation Computer Systems10.1016/j.future.2021.09.006127:C(384-395)Online publication date: 1-Feb-2022
  • (2019)An Authentication Scheme to Defend Against UDP DrDoS Attacks in 5G NetworksIEEE Access10.1109/ACCESS.2019.29575657(175970-175979)Online publication date: 2019
  • (2018)PerfFuzz: automatically generating pathological inputsProceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3213846.3213874(254-265)Online publication date: 12-Jul-2018
  • (2017)Mitigating DoS attacks in publish-subscribe IoT networks2017 9th International Conference on Electronics, Computers and Artificial Intelligence (ECAI)10.1109/ECAI.2017.8166463(1-6)Online publication date: Jun-2017
  • (2017)Practical and Accurate Runtime Application Protection Against DoS AttacksResearch in Attacks, Intrusions, and Defenses10.1007/978-3-319-66332-6_20(450-471)Online publication date: 12-Oct-2017
  • (2016)Why Software DoS Is Hard to Fix: Denying Access in Embedded Android PlatformsApplied Cryptography and Network Security10.1007/978-3-319-39555-5_11(193-211)Online publication date: 9-Jun-2016
  • (2015)RadminProceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 940410.1007/978-3-319-26362-5_24(515-537)Online publication date: 2-Nov-2015
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media