Day 13: How can we improve DDoS/DoS detection rate?

Hey guys! Today, lets explore some ideas to make our architecture detect DDoS better. Currently, we are using entropy based algorithm to set the threshold for decide how to handle the packet. To make this architecture handle the detection more dynamically we need to make it learn the patterns of network flows. To make the architecture robust, we need to make it more accurate in drawing the fine line between anomalous and normal behavior.

How?? .... *Machine Learning* it is! Lets explore the buzz word more deeply, and do some literature survey. Each day let's cover a more recent paper than the previous day.

First on the list is  An Impact Analysis: Real Time DDoS Attack Detection and Mitigation using Machine Learning

Proposed architecture of the online monitoring system.
 This paper consists of an online monitoring system(OMS), spoofed traffic detection followed by interface based rate limiting at the network layer.

  • The OMS employs passive monitoring so that normal functioning of the network is not being disturbed avoiding additional overheads. 
  • The major objective of spoofed IP classifier is to detect spoofed traffic by constructing legitimate records with IP and the relevant hop count to the victim in non-attack mode.
    • Hop count inspection algorithm : Modern operating system uses set of default values as the initial TTL value which is treated as stored Hop count. Hop-count of the incoming packet is calculated by subtracting the obtained TTL (Tfi) from initial TTL(Tin). When calculated value (Hco) equals stored value (Hst), then the source is considered as legitimate, else it is considered as spoofed.
    • HCF - SVM : After training the SVM model for a few weeks, a normal behavior user profile is built.

Based on the assumption that, attackers try to overwhelm the victim by denying service to legitimate users, it becomes very essential to rate limit the attack traffic. The attackers causing high traffic aggregates are subjected to traffic limit at the network layer using Interface based Rate Limiting (IBRL) algorithm

The test bed architecture includes :
  • Four attacking nodes to generate DDoS attack against the victim node with TFN(Tribe Flood Network) tool that involve flooding (TCP SYN, SMURF, UDP and ICMP). 
  • The incoming packets from these nodes are collected using tshark
  • Labeled training dataset had a 3:2 attack:normal instance ratio.
  • The features considered were IP address and TTL values.
The results obtained showed that the proposed model had a better True positive rate and lesser misclassification rate than Decision tree and Random Forest. 

Tomorrow lets explore a more recent paper(2018) that used SVM to detect DDoS.
Happy learning! :)

Comments

  1. Ram P RustagiFebruary 2, 2019 at 1:33 AM

    Please consider that each DOS attack packet might come with a different src IP and thus any ML technique should not depend too much on it.

    ReplyDelete

Post a Comment

Popular posts from this blog

Day 12: Master Slave SDN Controller Architecture

In the previous post, I was struggling to figure out why all controllers can install flows in all switches irrespective of the code. Well, today the mystery is getting resolved. I found this book that explains beautifully the various roles that a controller can play. The three roles are: Equal : this happens by default all the equal controllers in a network that are connected to the switch can add and delete flows from it Slave: it has a read-only limitation to the switch openflow tables Master: very similar to the switch, but only 1 master can be connected to the switch at that point of time, and no other flows can intercept the communication between switch and master. I highly recommend you go through the above link to get a better picture. Since the default role of any controller is "Equal", we couldn't really differentiate between the three controller flows yesterday. But one good news from this is that we don't really need extensive coding to assi...
Read more

Day 1: Understanding Ransomware and how to detect them?

Image
To start this journey, let’s begin at the basics and learn about what ransomwares are, what is the meaning of a ransomware attack, how have other people detected it so far? By learning the above, we will be in a position to analyze any ransomware attack and devise methods to detect, mitigate and prevent them. Definition: Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. To continue understanding and addressing the threats posed by ransomware, let us dig a little deeper. As the definition specifies, ransomware is a type of malicious software. Now, what is a malicious software? Definition: Malware (= Malicious + Software) is a software which is specifically designed to disrupt, damage, or gain authorized access to a computer system. These malwares (or simply dangerous content that can corrupt your system), can enter your system from various s...
Read more

Day 50: Tcpreplay and tcpliveplay approach

Today we shall be exploring how to copy and redirect the OpenFlow packets to more than one controller from the load balancer. The load balancer is anyway sending the OpenFlow packets to one of the slave controllers - c1 or c2. The packets sent to these two controllers needs to be sent to master controller so the master controller can update the new flows added by c1 or c2 on the switches. This ensures synchronization between controllers. There are two implementation methods to achieve the same: Copy all packets generated from the load balancer to the controller side. Only the packets having destination IP address of c1 and c2 can be redirected to the master controller. Thus we can prevent the packets which already are reaching the master controller to be sent as duplicates Copy and redirect packets from the slave controllers - c1 and c2. We need not take care of duplicate packets reaching master controller. This will reduce the time taken to redirect packets. Since the second a...
Read more