Early detection of Crossfire attacks using deep learning

Saurabh Misra, Mengxuan Tan, Mostafa Rezazad, Ngai-Man Cheung
Singapore University of Technology and Design

Content (Page 1)
The Crossfire Attack: a brief introduction
Detection approach
Network data: simulation of data
Methods for detection: baseline method, deep autoencoder, convolutional neural network (CNN), long short-term memory network (LSTM)

Traditional DDoS Attack (Page 2)
In a Distributed Denial of Service (DDoS) attack the attacker targets the victims (e.g., web servers) directly: bots overwhelm the victim with network traffic, and the intended users are unable to reach the servers.
(Figure: attacker controlling bots that flood the target.)

The Crossfire Attack: Introduction (Page 3)
A sophisticated DDoS attack that disconnects an entire area from the Internet by targeting a link, or a set of links, instead of the end hosts.
The attack is distributed at both the source and the destination level: a botnet generates traffic destined to many public servers (decoy servers) that share the same network link, so the individual flows aggregate on that link and flood it.
(Figure: bots sending flows across the Internet to decoy servers behind the target links.)
It is hard to detect: the traffic looks like normal web traffic, each flow is very small in size, and the attack can be very dynamic, changing sources, destinations and target links.
Source: Min Suk Kang, Soo Bum Lee, Virgil D. Gligor, The Crossfire Attack, 2013 IEEE Symposium on Security and Privacy.

The Crossfire Attack: Early Detection in the Warm-up Period (Page 4)
Warm-up period: the time between the moment the first bot flow of the attack reaches the target link and the moment the target link goes down (is flooded).
(Figure: decoy server reached through an intermediate link and the target link; the target link is flooded.)
Objective: early detection of the attack during the warm-up period.

The Crossfire Attack: Stages of the Attack (Page 5)
Stage 1: Link map construction
Stage 2: Target link selection
Stage 3: Bot coordination
(Figure: bots, the Internet and the target links.)
Source: Min Suk Kang, Soo Bum Lee, Virgil D. Gligor, The Crossfire Attack, 2013 IEEE Symposium on Security and Privacy.

Our Research Contribution (Page 6)
Detection approach: we analyse the pros and cons of monitoring network traffic at different locations and propose, with justification, the location at which to monitor.
Methods of detection: we analyse the performance of three deep-learning models in detecting the attack at the proposed location.

The Crossfire Attack: Detection Approach (Page 7)
(Figure: the attack topology with four candidate monitoring locations, numbered 1 to 4 on the following slides.)

Detection Approach, Location 1: at the attack sources (Page 8)
Advantages: the fastest way to stop an attack.
Disadvantages: the location of the bots is unknown.

Detection Approach, Location 2: inside the target area (Page 9)
Advantages: target areas are usually equipped for self-defence.
Disadvantages: if no decoy servers are inside the target area, early detection is impossible (the attack traffic is addressed to the decoys, not to the target area).

Detection Approach, Location 3: at the target links (Page 10)
Advantages: a simple threshold-based detection system could detect the trend of the incoming traffic.
Disadvantages: the locations of the target links are unknown, and the attacker may switch target links during an attack.

Detection Approach, Location 4: at the decoy servers (Page 11)
Advantages: allows defenders to examine the correlation of the attack traffic across the servers, and defenders can actively respond to the attack.
Disadvantages: one must assume that the decoy servers are not far from the target area.

Detection Approach: Difficulty of Detection at the Decoy Servers (Page 12)
(Figure: decoy server behind the intermediate link and the target link.)
The attack traffic is almost indistinguishable from the background traffic.

Network Data: Data Simulation (Page 13)
Features: the data is the link utilization of the 80 decoy servers.
Distribution: background traffic is modelled by a Gaussian distribution. When an attack happens, the link utilization slowly increases as the new attack traffic arrives; this is the warm-up phase of the attack, and it is during this period that we attempt to detect the attack.
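To make the simulated data concrete, the following is an added Python example (my code, not the authors' simulator; the background mean and standard deviation, the linear shape of the warm-up ramp, the time-step counts and the option of making only some of the 80 servers decoys are assumptions chosen for illustration). It generates the per-time-step link utilization of the 80 decoy servers with Gaussian background traffic, starts a slow ramp on the decoy subset at a chosen step, flattens sliding windows into the 80-per-step feature vectors that the later models consume (width 1 for the random forest, 5 for the autoencoder, 15 for the CNN, 64 for the LSTM), and runs a plain aggregate-threshold detector to show that the warm-up is visible in the mean across servers long before any single server leaves its normal range.

```python
import random
import statistics

N_SERVERS = 80          # decoy servers monitored (from the slides)


def simulate_utilization(n_steps=300, attack_start=200, warmup_len=100,
                         n_decoys=N_SERVERS, mean=0.30, sd=0.02,
                         ramp=0.20, seed=0):
    """Return (rows, labels).

    rows[t] is a list of N_SERVERS link-utilization values (fraction of
    capacity) at time step t; labels[t] is 1 once the attack has started.
    Background traffic is Gaussian(mean, sd) per server (assumption: the
    slides give the family but not the parameters).  From attack_start on,
    the servers chosen as decoys receive extra traffic that grows linearly
    from 0 to `ramp` over `warmup_len` steps: the warm-up phase.
    """
    rng = random.Random(seed)
    decoys = set(rng.sample(range(N_SERVERS), n_decoys))
    rows, labels = [], []
    for t in range(n_steps):
        row = []
        for s in range(N_SERVERS):
            u = rng.gauss(mean, sd)
            if t >= attack_start and s in decoys:
                u += ramp * min(1.0, (t - attack_start) / warmup_len)
            row.append(min(max(u, 0.0), 1.0))   # utilization stays in [0, 1]
        rows.append(row)
        labels.append(1 if t >= attack_start else 0)
    return rows, labels


def make_windows(rows, labels, width):
    """Flatten sliding windows of `width` time steps into one feature vector
    each (width * N_SERVERS values), labelled by the window's last step."""
    xs, ys = [], []
    for end in range(width, len(rows) + 1):
        window = rows[end - width:end]
        xs.append([v for row in window for v in row])
        ys.append(labels[end - 1])
    return xs, ys


def first_detection(rows, baseline_end, k=4.0, consecutive=3):
    """Aggregate-threshold detector: alarm at the first time step after
    `consecutive` steps in a row where the mean utilization across all
    servers exceeds baseline mean + k * baseline standard deviation.
    Averaging over 80 servers shrinks the noise by sqrt(80), so the
    common ramp becomes visible while each server is still within about
    one standard deviation of its normal level.  Returns the alarm step,
    or None if no alarm is raised."""
    means = [statistics.fmean(r) for r in rows]
    base = means[:baseline_end]
    mu, sigma = statistics.fmean(base), statistics.pstdev(base)
    hits = 0
    for t, m in enumerate(means):
        hits = hits + 1 if m > mu + k * sigma else 0
        if hits >= consecutive:
            return t
    return None


if __name__ == "__main__":
    rows, labels = simulate_utilization()
    xs, ys = make_windows(rows, labels, width=5)
    print(len(xs), "windows of", len(xs[0]), "features")
    print("alarm at step", first_detection(rows, baseline_end=100),
          "(attack starts at step 200; the ramp completes at step 300)")
```

Calling simulate_utilization(n_decoys=70) reproduces the "70 of 80 servers are decoys" condition from the backup slides: the ten non-decoy servers then stay at their background level throughout, which is what makes the aggregate signal weaker and the per-server correlation harder to learn.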

Detection Methods (Page 14)
Random Forest (baseline)
Deep autoencoder
Convolutional Neural Network (CNN)
Long Short-Term Memory (LSTM)

Detection Method: Random Forest, Data (Page 15)
Each sample consists of 80 variables, the network traffic value at each of the 80 decoy servers at one time step; the time steps t_1, t_2, ..., t_N give one sample each.

Detection Method: Baseline Performance (Page 16)
Method          Threshold  Precision  Recall  F1
RF (baseline)   0.38       0.81       0.66    0.73

Detection Method: Deep Autoencoder (Page 17)
The autoencoder extracts intrinsic features from the data and exploits its spatio-temporal information; it is used for data pre-processing, and a random forest then classifies the extracted features.

Detection Method: Deep Autoencoder, Data (Page 18)
Spatio-temporal data: sliding windows of 5 time steps over the 80 servers, i.e. 400 values per sample (t_1..t_5, t_2..t_6, ..., up to the window ending at t_N).

Detection Method: Deep Autoencoder, Structure (Page 19)
Layer sizes 400-390-350-100-350-390-400: the 400-value window is compressed to a 100-value code and reconstructed.

Detection Method: Deep Autoencoder, Performance (Page 20)
Method          Threshold  Precision  Recall  F1
RF (baseline)   0.38       0.81       0.66    0.73
Autoencoder     0.35       0.71       0.63    0.66

Detection Method: CNN Intuition (Page 21)
Temporal filter: learns the pattern of the attack along the time axis only, independently of the servers.
Spatial filter: discovers the correlation between the different servers, since they are under attack at the same time.
Fully connected layer: binary output, attack or not.
(Figure: the decoy servers behind the target links, shown as the spatial dimension.)

Detection Method: CNN Structure (Page 22)
(Figure: network diagram.)

Detection Method: 1st Convolution Step (Pages 23-24)
Input data: windows of 15 time steps x 80 decoy servers.
Temporal filters: 16 filters of size 9x1 (9 time steps, 1 server).

Detection Method: Output of the 1st Convolution Step (Page 25)
16 feature maps of size 7 x 80 (15 - 9 + 1 = 7 time positions for each of the 80 servers).

Detection Method: 2nd Convolution Step (Pages 26-27)
Input data: the 16 feature maps.
Spatial filters: 20 filters of size 6x80x16 (6 time steps, all 80 servers, 16 channels).
(Figure: the 20 spatial filters applied to the stack of feature maps.)

Detection Method: Last Convolution Step (Page 28)
The 20 spatial filters produce 40 values in total, which feed the fully connected layer with the two outputs: non-attack or attack.
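The filter sizes on the preceding slides fix every shape in the network, but the slides only sketch them. The following added Python example (my code, not the authors' model; it uses untrained random weights, since the trained filters are not on the page, and plain ReLU activations, which the slides do not specify) implements the two convolution steps in pure Python: a valid 9x1 temporal convolution applied to each server column independently, then a 6x80x16 spatial convolution whose filters span all servers and all channels. Running it shows how a 15x80 window becomes 16 feature maps of 7x80 and finally 20 filters x 2 positions = 40 values for the fully connected layer.

```python
import random

T_STEPS, N_SERVERS = 15, 80          # input window (slide: 15 x 80)
N_TEMPORAL, K_TEMPORAL = 16, 9       # 16 temporal filters of size 9x1
N_SPATIAL, K_SPATIAL = 20, 6         # 20 spatial filters of size 6x80x16


def relu(x):
    return x if x > 0.0 else 0.0


def temporal_conv(window, filters):
    """Valid 1-D convolution along the time axis, applied to every server
    column independently.  window: T x N values; filters: F lists of K
    weights.  Returns F feature maps of shape (T-K+1) x N."""
    t_len, n = len(window), len(window[0])
    maps = []
    for w in filters:
        k = len(w)
        fmap = [[relu(sum(w[i] * window[t + i][s] for i in range(k)))
                 for s in range(n)]
                for t in range(t_len - k + 1)]
        maps.append(fmap)
    return maps


def spatial_conv(maps, filters):
    """Valid convolution whose filters span all servers and all input
    channels.  maps: F maps of T' x N; filters: G filters of K2 x N x F.
    The server axis collapses to width 1, so each filter yields
    (T'-K2+1) values."""
    f, t_len, n = len(maps), len(maps[0]), len(maps[0][0])
    out = []
    for w in filters:
        k2 = len(w)
        resp = []
        for t in range(t_len - k2 + 1):
            acc = 0.0
            for i in range(k2):
                for s in range(n):
                    for c in range(f):
                        acc += w[i][s][c] * maps[c][t + i][s]
            resp.append(relu(acc))
        out.append(resp)
    return out


def feature_vector(window, temporal_filters, spatial_filters):
    """Run both convolution steps and flatten for the dense layer."""
    maps = temporal_conv(window, temporal_filters)
    resp = spatial_conv(maps, spatial_filters)
    return [v for r in resp for v in r]


def random_filters(seed=0):
    """Untrained random weights (assumption), only to exercise the shapes."""
    rng = random.Random(seed)
    temporal = [[rng.gauss(0, 0.1) for _ in range(K_TEMPORAL)]
                for _ in range(N_TEMPORAL)]
    spatial = [[[[rng.gauss(0, 0.01) for _ in range(N_TEMPORAL)]
                 for _ in range(N_SERVERS)]
                for _ in range(K_SPATIAL)]
               for _ in range(N_SPATIAL)]
    return temporal, spatial


if __name__ == "__main__":
    rng = random.Random(1)
    window = [[rng.gauss(0.3, 0.02) for _ in range(N_SERVERS)]
              for _ in range(T_STEPS)]          # constructed 15 x 80 input
    tf, sf = random_filters()
    maps = temporal_conv(window, tf)
    print(len(maps), "feature maps of", len(maps[0]), "x", len(maps[0][0]))
    print(len(feature_vector(window, tf, sf)), "values enter the dense layer")
```

The design point the shapes make explicit: the first step never mixes servers (a 9x1 filter sees one column), so it can only learn the shape of the ramp in time, while the second step sees every server and every temporal response at once, which is where the "all decoys rise together" correlation is learned.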

Detection Method: CNN Performance (Page 29)
Method          Threshold  Precision  Recall  F1
RF (baseline)   0.38       0.81       0.66    0.73
Autoencoder     0.35       0.71       0.63    0.66
CNN             0.50       0.74       0.97    0.84

Detection Method: LSTM Intuition (Page 30)
Two stacked LSTMs learn the time-series data.
A fully connected layer performs the binary classification.
A circular buffer over the outputs reduces false positives.

Detection Method: LSTM Input (Pages 31-32)
Input data: windows of 64 time steps x 80 decoy servers, fed through the two stacked LSTM layers.

Detection Method: LSTM Output (Page 33)
(Figure: the stacked LSTM layers, annotated with the number of hidden units.)
For each time step the network outputs non-attack or attack; a circular buffer of size 7 over these per-step outputs answers the question: is there an attack in the window?

Detection Method: LSTM Performance (Page 34)
Method          Threshold  Precision  Recall  F1
RF (baseline)   0.38       0.81       0.66    0.73
Autoencoder     0.35       0.71       0.63    0.66
CNN             0.50       0.74       0.97    0.84
LSTM            0.50       1.00       0.998   0.999
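The circular buffer of the LSTM slides and the threshold, precision, recall and F1 columns of the tables, as an added worked example (my code, not the authors' implementation; the buffer size 7 is from the slide, while the majority-vote rule, the score sequence and the labels are constructed assumptions): per-step scores are thresholded, each decision is then replaced by the majority of the last seven decisions, and the metrics are recomputed. The constructed sequence has one spurious positive in the background and one momentary dip during the attack, so the smoothing removes the false positive and the single miss but adds three steps of detection delay, which is the trade-off a practitioner has to accept when tuning the buffer against the warm-up length.

```python
from collections import deque


def binarize(scores, threshold):
    """Per-time-step decision of the classifier: 1 = attack."""
    return [1 if s >= threshold else 0 for s in scores]


def circular_buffer_vote(preds, size=7):
    """Smooth per-step decisions with a circular buffer: the last `size`
    raw decisions are kept and the smoothed decision is their majority
    vote (assumed rule).  An isolated positive never wins a vote, so
    one-off false positives vanish; the price is that a real attack is
    only reported once more than half the buffer agrees."""
    buf = deque(maxlen=size)
    out = []
    for p in preds:
        buf.append(p)
        out.append(1 if 2 * sum(buf) > len(buf) else 0)
    return out


def confusion(preds, labels):
    """Counts plus precision, recall and F1, as in the slide tables."""
    tp = sum(1 for p, y in zip(preds, labels) if p == 1 and y == 1)
    fp = sum(1 for p, y in zip(preds, labels) if p == 1 and y == 0)
    fn = sum(1 for p, y in zip(preds, labels) if p == 0 and y == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "f1": f1}


def detection_delay(preds, labels):
    """Steps between the true attack start and the first alarm at or
    after it (None if the attack is never reported)."""
    start = labels.index(1)
    for t in range(start, len(preds)):
        if preds[t] == 1:
            return t - start
    return None


# Constructed example: 20 background steps, then 20 attack steps.  The
# raw classifier scores contain one spurious spike at step 5 and one
# momentary dip at step 25 (assumed values, not measured data).
LABELS = [0] * 20 + [1] * 20
SCORES = [0.1] * 20 + [0.8] * 20
SCORES[5] = 0.9
SCORES[25] = 0.2

if __name__ == "__main__":
    raw = binarize(SCORES, 0.5)
    smoothed = circular_buffer_vote(raw, size=7)
    print("raw     ", confusion(raw, LABELS),
          "delay", detection_delay(raw, LABELS))
    print("smoothed", confusion(smoothed, LABELS),
          "delay", detection_delay(smoothed, LABELS))
```

A buffer of size 7 with a strict majority means the earliest possible alarm is the fourth positive step, so the smoothing is only acceptable where the warm-up period is long compared with four time steps; otherwise the false-positive reduction is paid for with an alarm that arrives after the link is already flooded.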

Conclusion (Page 35)
Research focus: proposing a location for detection and developing deep-learning models for attack detection.
Performance of the models: the Long Short-Term Memory network (LSTM) has the best performance.
Future work: simulate an actual Crossfire attack on testbeds and test the models on it.

Detection Method: Simulating a More Realistic Attack Condition (backup slides)
Current assumption: all 80 servers are decoy servers.
Simulating the actual attack scenario: only 70 of the 80 servers are decoy servers.

Detection Method: Performance under the New Attack Condition (backup slide)
Convolutional Neural Network (CNN)
Servers under attack  Threshold  Precision  Recall  F1
80/80                 0.50       0.74       0.97    0.84
70/80                 0.50       0.759      0.78    0.773

Long Short-Term Memory Network (LSTM)
Servers under attack  Threshold  Precision  Recall  F1
80/80                 0.50       1.00       0.998   0.999
70/80                 0.50       0.995      0.964   0.979

The Crossfire Attack: Stages of the Attack in Detail (backup slides)
Stage 1: Link map construction. The attacker determines the topology of the network and creates a link map.
Stage 2: Target link selection. The attacker selects the set of target links after evaluating their stability and utilization.
Stage 3: Bot coordination. The attacker coordinates the bots to generate low-rate traffic to the decoy servers; these flows aggregate at the target links.
Source: Min Suk Kang, Soo Bum Lee, Virgil D. Gligor, The Crossfire Attack, 2013 IEEE Symposium on Security and Privacy.
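The three stages above, carried through on a toy topology as an added Python example (my code, not the authors' or Kang et al.'s; the topology, link capacities, background loads, bot count and per-flow rate are constructed assumptions, and the target-link selection is simplified to "most decoy paths, then highest utilization", leaving out the stability scoring the paper performs). It shows the property that motivates monitoring at the decoys: after the bots are coordinated, the shared core link is over capacity while every individual flow is tiny and every decoy's own access link stays far below saturation.

```python
from collections import defaultdict

# Constructed toy topology (assumption, not from the paper): every decoy
# server is reached from the Internet through one core link and its own
# access link.  ROUTES is the attacker's link map (stage 1).
ROUTES = {
    "decoy-A": ("core-1", "access-A"),
    "decoy-B": ("core-1", "access-B"),
    "decoy-C": ("core-1", "access-C"),
    "decoy-D": ("core-2", "access-D"),
}
CAPACITY_MBPS = {"core-1": 1000.0, "core-2": 1000.0, "access-A": 400.0,
                 "access-B": 400.0, "access-C": 400.0, "access-D": 400.0}
BACKGROUND_MBPS = {"core-1": 600.0, "core-2": 400.0, "access-A": 30.0,
                   "access-B": 30.0, "access-C": 30.0, "access-D": 30.0}


def select_target_link(routes, background, capacity):
    """Stage 2 (simplified): prefer the link crossed by the most decoy
    paths, then the one with the highest utilization, so the least extra
    traffic is needed to flood it.  Stability scoring is omitted."""
    decoys_via = defaultdict(int)
    for path in routes.values():
        for link in path:
            decoys_via[link] += 1
    return max(decoys_via,
               key=lambda l: (decoys_via[l], background[l] / capacity[l]))


def plan_bot_flows(routes, target, n_bots, per_flow_mbps):
    """Stage 3: each bot opens one low-rate flow to a decoy server whose
    path crosses the target link; bots are spread evenly over those decoys
    so no single decoy sees a conspicuous load."""
    decoys = sorted(d for d, path in routes.items() if target in path)
    return [(decoys[i % len(decoys)], per_flow_mbps) for i in range(n_bots)]


def link_loads(routes, background, flows):
    """Add every flow's rate to each link on its path."""
    loads = dict(background)
    for decoy, rate in flows:
        for link in routes[decoy]:
            loads[link] += rate
    return loads


def saturated_links(loads, capacity):
    return sorted(l for l, load in loads.items() if load > capacity[l])


def utilization(loads, capacity):
    return {l: loads[l] / capacity[l] for l in loads}


if __name__ == "__main__":
    target = select_target_link(ROUTES, BACKGROUND_MBPS, CAPACITY_MBPS)
    flows = plan_bot_flows(ROUTES, target, n_bots=5000, per_flow_mbps=0.1)
    loads = link_loads(ROUTES, BACKGROUND_MBPS, flows)
    print("target link:", target)
    print("flooded:", saturated_links(loads, CAPACITY_MBPS))
    for link, u in sorted(utilization(loads, CAPACITY_MBPS).items()):
        print(f"  {link:9s} {u:5.2f}")
```

With 5000 bots at 0.1 Mbps each, core-1 carries 1100 Mbps against a 1000 Mbps capacity, yet each decoy's access link sits below 50 % and no flow exceeds a rate any per-flow rate limiter would notice; the only place the attack is visible as a trend is the correlated, simultaneous rise at decoy-A, decoy-B and decoy-C, which is exactly what the detection approach on the slides exploits.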