Mohammad Hashem Haghighat
ABSTRACT
Dozens of signature and anomaly based solutions have been proposed to detect malicious activities in computer networks. However, the number of successful attacks are increasing every day. In this paper, we developed a novel entropy based technique, called Edmund, to detect and mitigate Network attacks. While analyzing full payload network traffic was not recommended due to users' privacy, Edmund used netflow data to detect abnormal behavior.
The experimental results showed that Edmund was able to highly accurate detect (around 95%) different application, transport, and network layers attacks. It could identify more than 100K malicious flows raised by 1168 different attackers in our campus. Identifying the attackers, is a great feature, which enables the network administrators to mitigate DDoS effects during the attack time.
- Akamai. 2017. Akamai's Quarterly Reports on State of the Internet Security. (2017). https://www.akamai.com/us/en/our-thinking/state-of-theinternet-report/global-state-of-the-internet-security-ddosattack-reports.jspGoogle Scholar
- A. Bakshi and Y. B. Dujodwala. 2010. Securing cloud from DDoS attacks using intrusion detection system in virtual machine. In Communication Software and Networks, 2010. ICCSN'10. Second International Conference on. IEEE, 260--264. Google ScholarDigital Library
- CTU. 2011. CTU-13 Botnet Traffic dataset. (2011). https://mcfp.weebly.com/the-ctu-13-dataset-a-labeleddataset-with-botnet-normal-and-background-traffic.htmlGoogle Scholar
- J. David and C. Thomas. 2015. DDoS attack detection using fast entropy approach on flow-based network traffic. Procedia Computer Science 50 (2015), 30--36.Google ScholarCross Ref
- C. Douligeris and A. Mitrokotsa. 2004. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks 44, 5 (2004), 643--666. Google ScholarDigital Library
- K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris. 2014. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Computer Networks 62 (2014), 122--136. Google ScholarDigital Library
- J. Ioannidis and S. M. Bellovin. 2002. Implementing Pushback: Router-Based Defense Against DDoS Attacks.. In NDSS.Google Scholar
- J.-H. Jun, C.-W. Ahn, and S.-H. Kim. 2014. DDoS attack detection by using packet sampling and flow features. In proceedings of the 29th annual ACM symposium on applied computing. ACM, 711--712. Google ScholarDigital Library
- Kaspersky-Labs. 2014. GLOBAL IT SECURITY RISKS SURVEY 2014 DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS. (2014). http://media.kaspersky.com/en/B2B-International-2014- Survey-DDoS-Summary-Report.pdfGoogle Scholar
- D. Linthicum. 2013. As cloud use grows so will rate of DDoS attacks. InfoWorld. February 5th (2013).Google Scholar
- A. M. Lonea, D. E. Popescu, and H. Tianfield. 2013. Detecting DDoS attacks in cloud computing environment. International Journal of Computers Communications & Control 8, 1 (2013), 70--78.Google ScholarCross Ref
- X. Ma and Y. Chen. 2014. DDoS detection method based on chaos analysis of network traffic entropy. IEEE Communications Letters 18, 1 (2014), 114--117.Google ScholarCross Ref
- S. A. Mehdi, J. Khalid, and S. A. Khayam. 2011. Revisiting traffic anomaly detection using software defined networking. In International workshop on recent advances in intrusion detection. Springer, 161--180. Google ScholarDigital Library
- C. E. Shannon. 1948. A mathematical theory of communication. Bell system technical journal 27, 3 (1948), 379--423. Google ScholarDigital Library
- SPAMfighter-News. 2015. Survey - With DDoS Attacks Companies Lose around 100k/Hr. (2015). http://www.spamfighter.com/News-19554-Survey-WithDDoS-Attacks-Companies-Lose-around-100kHr.htmGoogle Scholar
- D. S. Terzi, R. Terzi, and S. Sagiroglu. 2017. Big data analytics for network anomaly detection from netflow data. In Computer Science and Engineering (UBMK), 2017 International Conference on. IEEE, 592--597.Google Scholar
- V. Vaidya. 2001. Dynamic signature inspection-based network intrusion detection. (Aug. 21 2001). US Patent 6,279,113.Google Scholar
- J. M. Vidal, A. L. S. Orozco, and L. J. G. Villalba. 2018. Adaptive artificial immune networks for mitigating DoS flooding attacks. Swarm and Evolutionary Computation 38 (2018), 94--108.Google ScholarCross Ref
- J. Wang, X. Yang, and K. Long. 2010. A new relative entropy based app-DDoS detection method. In Computers and Communications (ISCC), 2010 IEEE Symposium on. IEEE, 966--968. Google ScholarDigital Library
- R. Wang, Z. Jia, and L. Ju. 2015. An entropy-based distributed DDoS detection mechanism in software-defined networking. In Trustcom/BigDataSE/ISPA, 2015 IEEE, Vol. 1. IEEE, 310--317. Google ScholarDigital Library
- Z. Xiao and Y. Xiao. 2013. Security and privacy in cloud computing. IEEE Communications Surveys & Tutorials 15, 2 (2013), 843--859.Google ScholarCross Ref
- J. Zhang, Z. Qin, L. Ou, P. Jiang, J. Liu, and A. X. Liu. 2010. An advanced entropybased DDOS detection scheme. In Information Networking and Automation (ICINA), 2010 International Conference on, Vol. 2. IEEE, V2--67.Google Scholar
Index Terms
- Edmund: Entropy based attack Detection and Mitigation engine Using Netflow Data
Recommendations
SFTO-Guard: Real-time detection and mitigation system for slow-rate flow table overflow attacks
AbstractThe simplified data plane of Software-Defined Network (SDN) should be able to process packets from the entire network. However, the flow table size constrains the data plane forwarding capacity and may cause malicious attacks. In this ...
Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks
DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce dual-level attack detection D-LAD scheme for defending against the DDoS attacks. At higher and coarse level, the macroscopic level detectors MaLAD attempt to ...
On scalable attack detection in the network
Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, even today, many IDS systems we know of keep per-connection or per-flow ...
Comments