DDoS attack is a distributed source but coordinated Internet security threat that attackers either degrade or disrupt a shared service to legitimate users. It uses various methods to inflict damages on limited resources. It can be broadly classified as: flood and semantic (logic) attacks. DDoS attacking mechanisms vary from time to time and simple but powerful attacking tools are freely available on the Internet. There have been many trials on defending victims from DDoS attacks. However, many of the previous attack prevention systems lack effective handling of various attacking mechanisms and protecting legitimate users from collateral damages during detection and protection. In this paper, we proposed a distributed but synchronized DDoS defense architecture by using multiple agents, which are autonomous systems that perform their assigned mission in other networks on behalf of the victim. The major assignments of defense agents are IP spoofing verification, high traffic rate limitation, anomaly packet detection, and attack source detection.These tasks are distributed through four agents that are deployed on different domain networks. The proposed solution was tested through simulation with sample attack scenarios on the model Internet topology. The experiments showed encouraging results. A more comprehensive attack protection and legitimate users prevention from collateral damages makes this system more effective than other previous works.
Among different online attacks obstructing IT security,
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
are the most devastating attack. It also put the security experts under
enormous pressure recently in finding efficient defiance methods.
DoS attack can be performed variously with diverse codes and tools
and can be launched form different OSI model layers. This paper
describes in details DoS and DDoS attack, and explains how different
types of attacks can be implemented and launched from different OSI
model layers. It provides a better understanding of these increasing
occurrences in order to improve
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Detection of the botnets’ low-rate DDoS attacks based on self-similarity IJECEIAES
An article presents the approach for the botnets’ low-rate a DDoS-attacks detection based on the botnet’s behavior in the network. Detection process involves the analysis of the network traffic, generated by the botnets’ low-rate DDoS attack. Proposed technique is the part of botnets detection system–BotGRABBER system. The novelty of the paper is that the low-rate DDoS-attacks detection involves not only the network features, inherent to the botnets, but also network traffic self-similarity analysis, which is defined with the use of Hurst coefficient. Detection process consists of the knowledge formation based on the features that may indicate low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and making conclusion about possible DDoS attack in the network; and the appliance of the security scenario for the corporate area network’s infrastructure in the situation of low-rate attacks.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying level of computational and memory overheads for
their execution. While the approximate modules are fast in detection and involve less overhead, they provide lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution. However, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSIJCNCJournal
Sniffing is one of the most prominent causes for most of the attacks in the digitized computing environment. Through various packet analyzers or sniffers available free of cost, the network packets can be captured and analyzed. The sensitive information of the victim like user credentials, passwords, a PIN which is of more considerable interest to the assailants’ can be stolen through sniffers. This is the primary reason for most of the variations of DDoS attacks in the network from a variety of its catalog of attacks. An effective and trusted framework for detecting and preventing these sniffing has greater significance in today’s computing. A counter hack method to avoid data theft is to encrypt sensitive information. This paper provides an analysis of the most prominent sniffing attacks. Moreover, this is one of the most important strides to guarantee system security. Also, a Lattice structure has been derived to prove that sniffing is the prominent activity for DoS or DDoS attacks.
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A Survey: DDOS Attack on Internet of ThingsIJERD Editor
Internet of Things refer as interconnection of smart object, included from small coffee machine to
big car, communicate with each other without human interactions also called as Device to Device
communications. In current emerging world, all of the devices become smarter and can communicate with other
devices as well. With this rapid development of Internet of Things in different area like smart home, smart
hospital etc. it also have to face some difficulty to securing overall privacy due to heterogeneity nature. There
are so many types of vulnerability but here in this paper we put concentration on Distributed Denial of Service
attack (DDoS). DoS is attack which can block the usage for authentic user and make network resource
unavailable, consume bandwidth; if similar attack is penetrated from different sources its call DDoS. To prevent
from such attack it need mechanism that can detect and prevent it from attack, but due to small devices it has
limited power capacity. So that mechanism must be implemented at network entrance. In this paper we discuss
different DDoS attack and its effect on IoT.
DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED ME...cscpconf
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. Recently,
there are an increasing number of DDoS attacks against online services and Web applications.
These attacks are targeting the application level. Detecting application layer DDOS attack is
not an easy task. A more sophisticated mechanism is required to distinguish the malicious flow
from the legitimate ones. This paper proposes a detection scheme based on the information
theory based metrics. The proposed scheme has two phases: Behaviour monitoring and
Detection. In the first phase, the Web user browsing behaviour (HTTP request rate, page
viewing time and sequence of the requested objects) is captured from the system log during nonattack
cases. Based on the observation, Entropy of requests per session and the trust score for
each user is calculated. In the detection phase, the suspicious requests are identified based on
the variation in entropy and a rate limiter is introduced to downgrade services to malicious
users. In addition, a scheduler is included to schedule the session based on the trust score of the
user and the system workload.
Among different online attacks obstructing IT security,
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
are the most devastating attack. It also put the security experts under
enormous pressure recently in finding efficient defiance methods.
DoS attack can be performed variously with diverse codes and tools
and can be launched form different OSI model layers. This paper
describes in details DoS and DDoS attack, and explains how different
types of attacks can be implemented and launched from different OSI
model layers. It provides a better understanding of these increasing
occurrences in order to improve
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Detection of the botnets’ low-rate DDoS attacks based on self-similarity IJECEIAES
An article presents the approach for the botnets’ low-rate a DDoS-attacks detection based on the botnet’s behavior in the network. Detection process involves the analysis of the network traffic, generated by the botnets’ low-rate DDoS attack. Proposed technique is the part of botnets detection system–BotGRABBER system. The novelty of the paper is that the low-rate DDoS-attacks detection involves not only the network features, inherent to the botnets, but also network traffic self-similarity analysis, which is defined with the use of Hurst coefficient. Detection process consists of the knowledge formation based on the features that may indicate low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and making conclusion about possible DDoS attack in the network; and the appliance of the security scenario for the corporate area network’s infrastructure in the situation of low-rate attacks.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying level of computational and memory overheads for
their execution. While the approximate modules are fast in detection and involve less overhead, they provide lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution. However, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.
LATTICE STRUCTURAL ANALYSIS ON SNIFFING TO DENIAL OF SERVICE ATTACKSIJCNCJournal
Sniffing is one of the most prominent causes for most of the attacks in the digitized computing environment. Through various packet analyzers or sniffers available free of cost, the network packets can be captured and analyzed. The sensitive information of the victim like user credentials, passwords, a PIN which is of more considerable interest to the assailants’ can be stolen through sniffers. This is the primary reason for most of the variations of DDoS attacks in the network from a variety of its catalog of attacks. An effective and trusted framework for detecting and preventing these sniffing has greater significance in today’s computing. A counter hack method to avoid data theft is to encrypt sensitive information. This paper provides an analysis of the most prominent sniffing attacks. Moreover, this is one of the most important strides to guarantee system security. Also, a Lattice structure has been derived to prove that sniffing is the prominent activity for DoS or DDoS attacks.
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A Survey: DDOS Attack on Internet of ThingsIJERD Editor
Internet of Things refer as interconnection of smart object, included from small coffee machine to
big car, communicate with each other without human interactions also called as Device to Device
communications. In current emerging world, all of the devices become smarter and can communicate with other
devices as well. With this rapid development of Internet of Things in different area like smart home, smart
hospital etc. it also have to face some difficulty to securing overall privacy due to heterogeneity nature. There
are so many types of vulnerability but here in this paper we put concentration on Distributed Denial of Service
attack (DDoS). DoS is attack which can block the usage for authentic user and make network resource
unavailable, consume bandwidth; if similar attack is penetrated from different sources its call DDoS. To prevent
from such attack it need mechanism that can detect and prevent it from attack, but due to small devices it has
limited power capacity. So that mechanism must be implemented at network entrance. In this paper we discuss
different DDoS attack and its effect on IoT.
DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED ME...cscpconf
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. Recently,
there are an increasing number of DDoS attacks against online services and Web applications.
These attacks are targeting the application level. Detecting application layer DDOS attack is
not an easy task. A more sophisticated mechanism is required to distinguish the malicious flow
from the legitimate ones. This paper proposes a detection scheme based on the information
theory based metrics. The proposed scheme has two phases: Behaviour monitoring and
Detection. In the first phase, the Web user browsing behaviour (HTTP request rate, page
viewing time and sequence of the requested objects) is captured from the system log during nonattack
cases. Based on the observation, Entropy of requests per session and the trust score for
each user is calculated. In the detection phase, the suspicious requests are identified based on
the variation in entropy and a rate limiter is introduced to downgrade services to malicious
users. In addition, a scheduler is included to schedule the session based on the trust score of the
user and the system workload.
This document summarizes research analyzing the impact of distributed denial of service (DDoS) attacks on file transfer protocol (FTP) services. The researchers created a test network topology in the DETER cybersecurity testbed to simulate FTP traffic between clients and a server. They launched various DDoS attack types against the FTP server to measure the impact on network performance metrics like throughput, link utilization, and packet survival ratio. The attacks were found to degrade these metrics and disrupt the FTP services. The study provides insights into how DDoS attacks negatively impact network services like FTP.
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISijcsit
Malicious use and exploitation of Dynamic Domain Name Services (DDNS) capabilities poses a serious threat to the information security of organisations and businesses. In recent times, many malware writers have relied on DDNS to maintain their Command and Control (C&C) network infrastructure to ensure a persistence presence on a compromised host. Amongst the various DDNS techniques, Domain Generation
Algorithm (DGA) is often perceived as the most elusive and difficult to detect using traditional methods. This paper presents an approach for detecting DGA using frequency analysis of the character distribution and the weighted scores of the domain names. The approach’s feasibility is demonstrated using a range of legitimate domains and a number of malicious algorithmically-generated domain names. When a weighted
score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IJNSA Journal
The Internet Threat Monitoring (ITM) is an efficient monitoring system used globally to measure, detect, characterize and track threats such as denial of service (DoS) and distributed Denial of Service (DDoS) attacks and worms. . To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address the flooding attack of DDoS against ITM monitors to exhaust the network resources, such as bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. One possible way to counter DDoS attacks is to trace the attack sources and punish the perpetrators. we propose a novel traceback method for DDoS using Honeypots. IP tracing through honeypot is a single packet tracing method and is more efficient than commonly used packet marking techniques.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of
nodes that interrelate with each other for switch over the information. This information is necessary for
that node is reserved confidentially. Attacker in the system may capture this private information and
distorted. So security is the major issue. There are several security attacks in network. One of the major
intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends
services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two
different behaviors they may happen obviously or it may due to some attackers .Various schemes are
developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
Augmented split –protocol; an ultimate d do s defenderijcsa
Distributed Denials of Service (DDoS) attacks have become the daunting problem for businesses, state
administrator and computer system users. Prevention and detection of a DDoS attack is a major research
topic for researchers throughout the world. As new remedies are developed to prevent or mitigate DDoS
attacks, invaders are continually evolving new methods to circumvent these new procedures. In this paper,
we describe various DDoS attack mechanisms, categories, scope of DDoS attacks and their existing
countermeasures. In response, we propose to introduce DDoS resistant Augmented Split-protocol (ASp).
The migratory nature and role changeover ability of servers in Split-protocol architecture will avoid
bottleneck at the server side. It also offers the unique ability to avoid server saturation and compromise
from DDoS attacks. The goal of this paper is to present the concept and performance of (ASp) as a
defensive tool against DDoS attacks.
XDOSER, A BENCHMARKING TOOL FOR SYSTEM LOAD MEASUREMENT USING DENIAL OF SERVI...IJNSA Journal
The document describes a tool called XDoser that was developed to test system load capacity using denial of service features. XDoser uses HTTP flood attacks by continuously sending HTTP POST requests to a server, overloading it with processing-intensive requests. Testing showed XDoser was more effective at overwhelming a test server than other DoS tools, with the server failing over 80% of XDoser requests within a set time frame. However, XDoser's effectiveness decreased with longer testing durations and it had issues maintaining connections.
This document proposes a machine learning approach using the Naive Bayes algorithm to detect distributed denial of service (DDoS) attacks through network intrusion detection. It first discusses the issues with existing intrusion detection systems, including long training times and low accuracy. It then summarizes research on applying various machine learning techniques like neural networks, decision trees, and Naive Bayes to intrusion detection. The proposed system would build a classifier using Naive Bayes, which provides faster training than other methods, to distinguish normal and attack traffic. This approach aims to improve upon the training time and detection accuracy of existing intrusion detection systems.
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
This document discusses flash crowd attacks on online retail applications. It begins by introducing denial of service (DoS) and distributed denial of service (DDoS) attacks. It then explains that flash crowd attacks are a type of DDoS attack that aims to overwhelm servers with legitimate-looking requests. The document outlines the network model used to simulate flash crowd attacks and presents results analyzing the impact on server energy levels. It finds that as the number of requests increases, servers experience decreased energy and lifetime. The study aims to minimize these attacks by having servers identify real clients to prioritize sending responses.
Implementation of user authentication as a service for cloud networkSalam Shah
There are so many security risks for the users of cloud computing, but still the organizations are switching towards the cloud. The cloud provides data protection and a huge amount of memory usage remotely or virtually. The organization has not adopted the cloud computing completely due to some security issues. The research in cloud computing has more focus on privacy and security in the new categorization attack surface. User authentication is the additional overhead for the companies besides the management of availability of cloud services. This paper is based on the proposed model to provide central authentication technique so that secured access of resources can be provided to users instead of adopting some unordered user authentication techniques. The model is also implemented as a prototype.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve in the flooding attack. During the
DDOS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS Attack in host’s computer. Through many
security measures have been taken in order to stop DDOS Attack to be protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attack using
Splunk. We propose two methods for prevention of DDoS attack. One is using
Randomly generated Captchas and other one is using Linux bash script to prevent
DDoS attack by automatically blocking IP of the client, who is sending multiple
request at a time.
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology.
This document proposes a new framework to prevent DDoS attacks using multilevel filtering of distributed firewalls. At the primary level, distributed firewalls filter IP addresses from both the internet and intranet. At the secondary level, hop count and TTL based filtering provide additional secure filtration. The framework reduces limitations of previous techniques by combining benefits of distributed firewalls and dual filtering approaches. Distributed firewalls are installed throughout the network and centrally controlled. They filter traffic based on centralized security policies. Additional hop count and TTL filtering of packets further strengthens prevention of spoofed IP addresses and DDoS attacks.
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
Mitigating Various Attacks in Mobile Ad-hoc Networks Using Trust Based ApproachIJLT EMAS
A Mobile ad hoc network (MANET) is self-organizing,
decentralized and infrastructure-less wireless network. The
successful transmission of the data packet depends on the
complete cooperation of each node in the network. These types of
network don’t have permanent base station, so each node in the
network acts as a router. Due to openness, decentralized, selforganizing
nature of MANET, it is vulnerable to various attacks.
So security is the main concern in MANET.
In this project, we have considered 2 attacks; Vampire
attack and DDoS attacks. Vampire attack drains the energy of
the nodes. DDoS attack exhausts the resources available to a
network, such that the node cannot provide any services. Here,
we discuss methods 2 methods as a solution to our problem; one
is to prevent the attack from happening and other to detect and
recover from the attacks.
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
Abstract Today, Internet is the primary medium for communication which is used by number of users across the Network. At the same time, its commercial nature is causing increase vulnerability to enhance cyber crimes and there has been an enormous increase in the number of DDOS (distributed denial of service attack) attacks on the internet over the past decade. Whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Network resources such as network bandwidth, web servers and network switches are mostly the victims of DDoS attacks. In this paper different types of DDoS attacks has been studied, a dumb-bell topology have been created and effect of UDP flooding attacks has been analyzed on web service by using attack tools available in DETER testbed. Throughput of web server is analyzed with and without DDoS attacks.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO
LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH
ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN
DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY
CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER
WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of nodes that interrelate with each other for switch over the information. This information is necessary for that node is reserved confidentially. Attacker in the system may capture this private information and distorted. So security is the major issue. There are several security attacks in network. One of the major intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two different behaviors they may happen obviously or it may due to some attackers .Various schemes are developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
This document discusses distributed denial of service (DDoS) attacks. It begins by defining DDoS attacks as using numerous compromised systems, or "zombie machines", to launch a coordinated attack against a target system to overwhelm its bandwidth and resources. The document then discusses how early DDoS attacks worked and how routers have evolved defenses. It describes how modern DDoS attacks are more sophisticated, using botnets of infected systems controlled remotely by attackers to amplify the scale and impact of the attacks.
This document summarizes a survey of distributed denial-of-service (DDoS) attacks based on vulnerabilities in the TCP/IP protocol stack. It begins by introducing DDoS attacks and their architecture, then classifies DDoS attacks according to the TCP/IP layer they target - application layer, transport layer, or internet layer. Specific attack types are described for each layer, including HTTP flooding, SYN flooding, Smurf attacks, and more. The document aims to provide understanding of existing DDoS attack tools, methods, and defense mechanisms.
This document summarizes research analyzing the impact of distributed denial of service (DDoS) attacks on file transfer protocol (FTP) services. The researchers created a test network topology in the DETER cybersecurity testbed to simulate FTP traffic between clients and a server. They launched various DDoS attack types against the FTP server to measure the impact on network performance metrics like throughput, link utilization, and packet survival ratio. The attacks were found to degrade these metrics and disrupt the FTP services. The study provides insights into how DDoS attacks negatively impact network services like FTP.
DETECTION OF ALGORITHMICALLYGENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSISijcsit
Malicious use and exploitation of Dynamic Domain Name Services (DDNS) capabilities poses a serious threat to the information security of organisations and businesses. In recent times, many malware writers have relied on DDNS to maintain their Command and Control (C&C) network infrastructure to ensure a persistence presence on a compromised host. Amongst the various DDNS techniques, Domain Generation
Algorithm (DGA) is often perceived as the most elusive and difficult to detect using traditional methods. This paper presents an approach for detecting DGA using frequency analysis of the character distribution and the weighted scores of the domain names. The approach’s feasibility is demonstrated using a range of legitimate domains and a number of malicious algorithmically-generated domain names. When a weighted
score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IJNSA Journal
The Internet Threat Monitoring (ITM) is an efficient monitoring system used globally to measure, detect, characterize and track threats such as denial of service (DoS) and distributed Denial of Service (DDoS) attacks and worms. . To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address the flooding attack of DDoS against ITM monitors to exhaust the network resources, such as bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. One possible way to counter DDoS attacks is to trace the attack sources and punish the perpetrators. we propose a novel traceback method for DDoS using Honeypots. IP tracing through honeypot is a single packet tracing method and is more efficient than commonly used packet marking techniques.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of
nodes that interrelate with each other for switch over the information. This information is necessary for
that node is reserved confidentially. Attacker in the system may capture this private information and
distorted. So security is the major issue. There are several security attacks in network. One of the major
intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends
services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two
different behaviors they may happen obviously or it may due to some attackers .Various schemes are
developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
Augmented split –protocol; an ultimate d do s defenderijcsa
Distributed Denials of Service (DDoS) attacks have become the daunting problem for businesses, state
administrator and computer system users. Prevention and detection of a DDoS attack is a major research
topic for researchers throughout the world. As new remedies are developed to prevent or mitigate DDoS
attacks, invaders are continually evolving new methods to circumvent these new procedures. In this paper,
we describe various DDoS attack mechanisms, categories, scope of DDoS attacks and their existing
countermeasures. In response, we propose to introduce DDoS resistant Augmented Split-protocol (ASp).
The migratory nature and role changeover ability of servers in Split-protocol architecture will avoid
bottleneck at the server side. It also offers the unique ability to avoid server saturation and compromise
from DDoS attacks. The goal of this paper is to present the concept and performance of (ASp) as a
defensive tool against DDoS attacks.
XDOSER, A BENCHMARKING TOOL FOR SYSTEM LOAD MEASUREMENT USING DENIAL OF SERVI...IJNSA Journal
The document describes a tool called XDoser that was developed to test system load capacity using denial of service features. XDoser uses HTTP flood attacks by continuously sending HTTP POST requests to a server, overloading it with processing-intensive requests. Testing showed XDoser was more effective at overwhelming a test server than other DoS tools, with the server failing over 80% of XDoser requests within a set time frame. However, XDoser's effectiveness decreased with longer testing durations and it had issues maintaining connections.
This document proposes a machine learning approach using the Naive Bayes algorithm to detect distributed denial of service (DDoS) attacks through network intrusion detection. It first discusses the issues with existing intrusion detection systems, including long training times and low accuracy. It then summarizes research on applying various machine learning techniques like neural networks, decision trees, and Naive Bayes to intrusion detection. The proposed system would build a classifier using Naive Bayes, which provides faster training than other methods, to distinguish normal and attack traffic. This approach aims to improve upon the training time and detection accuracy of existing intrusion detection systems.
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
This document discusses flash crowd attacks on online retail applications. It begins by introducing denial of service (DoS) and distributed denial of service (DDoS) attacks. It then explains that flash crowd attacks are a type of DDoS attack that aims to overwhelm servers with legitimate-looking requests. The document outlines the network model used to simulate flash crowd attacks and presents results analyzing the impact on server energy levels. It finds that as the number of requests increases, servers experience decreased energy and lifetime. The study aims to minimize these attacks by having servers identify real clients to prioritize sending responses.
Implementation of user authentication as a service for cloud networkSalam Shah
There are so many security risks for the users of cloud computing, but still the organizations are switching towards the cloud. The cloud provides data protection and a huge amount of memory usage remotely or virtually. The organization has not adopted the cloud computing completely due to some security issues. The research in cloud computing has more focus on privacy and security in the new categorization attack surface. User authentication is the additional overhead for the companies besides the management of availability of cloud services. This paper is based on the proposed model to provide central authentication technique so that secured access of resources can be provided to users instead of adopting some unordered user authentication techniques. The model is also implemented as a prototype.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve in the flooding attack. During the
DDOS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS Attack in host’s computer. Through many
security measures have been taken in order to stop DDOS Attack to be protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attack using
Splunk. We propose two methods for prevention of DDoS attack. One is using
Randomly generated Captchas and other one is using Linux bash script to prevent
DDoS attack by automatically blocking IP of the client, who is sending multiple
request at a time.
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology.
This document proposes a new framework to prevent DDoS attacks using multilevel filtering of distributed firewalls. At the primary level, distributed firewalls filter IP addresses from both the internet and intranet. At the secondary level, hop count and TTL based filtering provide additional secure filtration. The framework reduces limitations of previous techniques by combining benefits of distributed firewalls and dual filtering approaches. Distributed firewalls are installed throughout the network and centrally controlled. They filter traffic based on centralized security policies. Additional hop count and TTL filtering of packets further strengthens prevention of spoofed IP addresses and DDoS attacks.
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
Mitigating Various Attacks in Mobile Ad-hoc Networks Using Trust Based ApproachIJLT EMAS
A Mobile ad hoc network (MANET) is self-organizing,
decentralized and infrastructure-less wireless network. The
successful transmission of the data packet depends on the
complete cooperation of each node in the network. These types of
network don’t have permanent base station, so each node in the
network acts as a router. Due to openness, decentralized, selforganizing
nature of MANET, it is vulnerable to various attacks.
So security is the main concern in MANET.
In this project, we have considered 2 attacks; Vampire
attack and DDoS attacks. Vampire attack drains the energy of
the nodes. DDoS attack exhausts the resources available to a
network, such that the node cannot provide any services. Here,
we discuss methods 2 methods as a solution to our problem; one
is to prevent the attack from happening and other to detect and
recover from the attacks.
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
Abstract Today, Internet is the primary medium for communication which is used by number of users across the Network. At the same time, its commercial nature is causing increase vulnerability to enhance cyber crimes and there has been an enormous increase in the number of DDOS (distributed denial of service attack) attacks on the internet over the past decade. Whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Network resources such as network bandwidth, web servers and network switches are mostly the victims of DDoS attacks. In this paper different types of DDoS attacks has been studied, a dumb-bell topology have been created and effect of UDP flooding attacks has been analyzed on web service by using attack tools available in DETER testbed. Throughput of web server is analyzed with and without DDoS attacks.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO
LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH
ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN
DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY
CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER
WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of nodes that interrelate with each other for switch over the information. This information is necessary for that node is reserved confidentially. Attacker in the system may capture this private information and distorted. So security is the major issue. There are several security attacks in network. One of the major intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two different behaviors they may happen obviously or it may due to some attackers .Various schemes are developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
This document discusses distributed denial of service (DDoS) attacks. It begins by defining DDoS attacks as using numerous compromised systems, or "zombie machines", to launch a coordinated attack against a target system to overwhelm its bandwidth and resources. The document then discusses how early DDoS attacks worked and how routers have evolved defenses. It describes how modern DDoS attacks are more sophisticated, using botnets of infected systems controlled remotely by attackers to amplify the scale and impact of the attacks.
This document summarizes a survey of distributed denial-of-service (DDoS) attacks based on vulnerabilities in the TCP/IP protocol stack. It begins by introducing DDoS attacks and their architecture, then classifies DDoS attacks according to the TCP/IP layer they target - application layer, transport layer, or internet layer. Specific attack types are described for each layer, including HTTP flooding, SYN flooding, Smurf attacks, and more. The document aims to provide understanding of existing DDoS attack tools, methods, and defense mechanisms.
This document proposes using a linear prediction model to detect a wide range of flooding distributed denial of service (DDoS) attacks. It models the entropy of incoming network traffic over time using a linear prediction technique commonly applied to financial time series. The model is tested on simulated network data containing normal traffic and introduced attacks of varying rates. Results show the linear prediction model can successfully detect attacks with low rates and delays by identifying anomalies in the modeled entropy time series compared to normal traffic patterns. This approach aims to provide a fast and effective method for detecting different types of flooding DDoS attacks.
Distributed reflection denial of service attack: A critical review IJECEIAES
As the world becomes increasingly connected and the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. A denial-of-service (DoS) attack is accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as distributed reflection denial-of-service attack (DRDoS). This type of attack is considered to be a more severe variant of the DoS attack and can be conducted in transmission control protocol (TCP) and user datagram protocol (UDP). However, this attack is not effective in the TCP protocol due to the three-way handshake approach that prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS attacks.
Encountering distributed denial of service attack utilizing federated softwar...IJECEIAES
This research defines the distributed denial of service (DDoS) problem in software-defined-networks (SDN) environments. The proposes solution uses Software defined networks capabilities to reduce risk, introduces a collaborative, distributed defense mechanism rather than server-side filtration. Our proposed network detection and prevention agent (NDPA) algorithm negotiates the maximum amount of traffic allowed to be passed to server by reconfiguring network switches and routers to reduce the ports' throughput of the network devices by the specified limit ratio. When the passed traffic is back to normal, NDPA starts network recovery to normal throughput levels, increasing ports' throughput by adding back the limit ratio gradually each time cycle. The simulation results showed that the proposed algorithms successfully detected and prevented a DDoS attack from overwhelming the targeted server. The server was able to coordinate its operations with the SDN controllers through a communication mechanism created specifically for this purpose. The system was also able to determine when the attack was over and utilize traffic engineering to improve the quality of service (QoS). The solution was designed with a sophisticated way and high level of separation of duties between components so it would not be affected by the design aspect of the network architecture.
Our world today relies heavily on informatics and the internet, as computers and communications networks have increased day by day. In fact, the increase is not limited to portable devices such as smartphones and tablets, but also to home appliances such as: televisions, refrigerators, and controllers. It has made them more vulnerable to electronic attacks. The denial of service (DoS) attack is one of the most common attacks that affect the provision of services and commercial sites over the internet. As a result, we decided in this paper to create a smart model that depends on the swarm algorithms to detect the attack of denial of service in internet networks, because the intelligence algorithms have flexibility, elegance and adaptation to different situations. The particle swarm algorithm and the bee colony algorithm were used to detect the packets that had been exposed to the DoS attack, and a comparison was made between the two algorithms to see which of them can accurately characterize the DoS attack.
This paper proposes a system called FireCol for detecting and preventing distributed denial-of-service (DDoS) attacks. FireCol uses a distributed architecture of multiple intrusion prevention systems (IPS) forming protective rings around subscribed users. The IPS devices collaborate by exchanging traffic information to calculate scores for potential attacks. If a high score indicates a potential DDoS attack, the protective rings use parallel communication to verify the attack near the source before it reaches the victim. Simulation results show FireCol can effectively detect DDoS attacks while imposing low overhead and supporting scalability.
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISMijcseit
Pushback is a mechanism for defending against Distributed Denial-of-Service (DDoS) attacks. DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers. Functionality is added to each router to detect and preferentially drop packets that probably belong to an attack. Upstream routers are also notified to drop such packets in order that the router’s resources be used to route legitimate traffic hence term pushback. Client puzzles have been advocated as a
promising countermeasure to DoS attacks in the recent years. In order to identify the attackers, the victim server issues a puzzle to the client that sent the traffic. When the client is able to solve the puzzle, it is assumed to be authentic and the traffic from it is allowed into the server. If the victim suspects that the
puzzles are solved by most of the clients, it increases the complexity of the puzzles. This puzzle solving technique allows the traversal of the attack traffic throughout the intermediate routers before reaching the destination. In order to attain the advantages of both pushback and puzzle solving techniques, a hybrid scheme called Router based Pushback technique, which involves both the techniques to solve the problem of DDoS attacks is proposed. In this proposal, the puzzle solving mechanism is pushed back to the core routers rather than having at the victim. The router based client puzzle mechanism checks the host system whether it is legitimate or not by providing a puzzle to be solved by the suspected host.
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM ijcseit
Pushback is a mechanism for defending against Distributed Denial-of-Service (DDoS) attacks. DDoS
attacks are treated as a congestion-control problem, but because most such congestion is caused by
malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the
routers. Functionality is added to each router to detect and preferentially drop packets that probably
belong to an attack. Upstream routers are also notified to drop such packets in order that the router’s
resources be used to route legitimate traffic hence term pushback. Client puzzles have been advocated as a
promising countermeasure to DoS attacks in the recent years. In order to identify the attackers, the victim
server issues a puzzle to the client that sent the traffic. When the client is able to solve the puzzle, it is
assumed to be authentic and the traffic from it is allowed into the server. If the victim suspects that the
puzzles are solved by most of the clients, it increases the complexity of the puzzles. This puzzle solving
technique allows the traversal of the attack traffic throughout the intermediate routers before reaching the
destination. In order to attain the advantages of both pushback and puzzle solving techniques, a hybrid
scheme called Router based Pushback technique, which involves both the techniques to solve the problem
of DDoS attacks is proposed. In this proposal, the puzzle solving mechanism is pushed back to the core
routers rather than having at the victim. The router based client puzzle mechanism checks the host system
whether it is legitimate or not by providing a puzzle to be solved by the suspected host.
Design & Implementation of Secure AODV In Multicast Routing To Detect DDOS At...IJNSA Journal
The wireless ad hoc network is particularly vulnerable to DOS attacks due to its features of open medium, dynamic changing topology, cooperative algorithms, decentralization of the protocols, and lack of a clear line of defense is a growing problem in networks today. In Mobile Ad hoc Networks (MANET), various types of Denial of Service Attacks (DOS) are possible because of the inherent limitations of its routing protocols. In this paper we will secure the MANET from the DDOS attack. DDOS attacks are similar to DOS attacks but there is a difference between them and that is DDOS attacks involve breaking in to hundreds or thousands of machines, so for this reason, this attack called Distributed. Very often, systems that use for attack is a part of the networks and users of these systems don’t know about that, their systems used for attack to another systems. This kind of attack, consume more bandwidth and uses more sources in network. . In this work, we study the effect of one of the important attacks that called DDOS in MANET on most vulnerability protocol that named AODV. The product of this study is detection of DDOS attack by
using AODV (adhoc on demand distance vector) protocol. Proposed scheme is distributed in nature it has the capability to prevent Distributed DOS (DDOS) as well..
This document summarizes methods for protecting against distributed denial of service (DDoS) attacks. It discusses traditional DDoS attack methods like ICMP floods and SYN floods. It also describes more advanced distributed techniques used by botsnets, including Trinoo, Tribe Flood Network, Stacheldraht, Shaft, and TFN2K. The document recommends ways to safeguard a network, such as using load balancing across multiple servers, increasing bandwidth capacity, and securing the DNS server. Protecting the network requires understanding various DDoS attack types and deployment of appropriate defenses.
IRJET- EEDE- Extenuating EDOS for DDOS and Eluding HTTP Web based Attacks in ...IRJET Journal
This document proposes a method to detect HTTP GET flooding DDoS attacks in cloud computing environments using MapReduce processing. It involves integrating abnormal HTTP request detection rules analyzed through statistical analysis and thresholds into MapReduce. Suspected IP addresses are sent challenge values, and IP addresses that provide normal responses are initially allowed while abnormal responses are filtered for a period of time. MapReduce is used to analyze packet data and detect abnormal GET requests based on factors like the IP, port, and URI to identify malicious traffic patterns characteristic of DDoS attacks. The goal is to ensure availability of target systems and reliable detection of HTTP GET flooding attacks in cloud services.
International Journal of Computational Science and Information Technology (I...ijcsity
Denial of Service (DoS) or Distributed-Denial of Service (DDoS) is major threat to network security.Network is collection of nodes that interconnect with each other for exchange the Information. This information is required for that node is kept confidentially. Attacker in network computer captures this information that is confidential and misuse the network. Hence security is one of the major issues. There are one or many attacks in network. One of the major threats to internet service is DDoS (Distributed denial of services) attack. DDoS attack is a malicious attempt to suspending or interrupting services to target node. DDoS or DoS is an attempt to make network resource or the machine is unavailable to its intended user. Many ideas are developed for avoiding the DDoS or DoS. DDoS happen in two ways
naturally or it may due to some botnets .Various schemes are developed defense against to this attack.Main idea of this paper is present basis of DDoS attack. DDoS attack types, DDoS attack components,survey on different mechanism to prevent DDoS.
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Editor IJCATR
Among the various forms of malware attacks such as Denial of service, Sniffer, Buffer overflows are the most dreaded threats to computer networks. These attacks are known as botnet attacks and self-propagating in nature and act as an agent or user interface to control the computers which they attack. In the process of controlling a malware, Bot header(s) use a program to control remote systems through internet with the help of zombie systems. Botnets are collection of compromised computers (Bots) which are remotely controlled by its originator (Bot-Master) under a common Command-and-Control (C&C) structure. A server commands to the bot and botnet and receives the reports from the bot. The bots use Trojan horses and subsequently communicate with a central server using IRC. Botnet employs different techniques like Honeypot, communication protocols (e.g. HTTP and DNS) to intrude in new systems in different stages of their lifecycle. Therefore, identifying the botnets has become very challenging; because the botnets are upgrading their methods periodically for affecting the networks. Here, the focus on addressing the botnet detection problem in an Enterprise Network
This research introduces novel Solution to mitigate the malicious activities of Botnet attacks through the Principle of component analysis of each traffic data, measurement and countermeasure selection mechanism called Malware Hunter. This system is built on attack graph-based analytical models based on classification process and reconfigurable through update solutions to virtual network-based countermeasures.
Deep learning approach to DDoS attack with imbalanced data at the application...TELKOMNIKA JOURNAL
A distributed denial of service (DDoS) attack is where one or more computers attack or target a server computer, by flooding internet traffic to the server. As a result, the server cannot be accessed by legitimate users. A result of this attack causes enormous losses for a company because it can reduce the level of user trust, and reduce the company’s reputation to lose customers due to downtime. One of the services at the application layer that can be accessed by users is a web-based lightweight directory access protocol (LDAP) service that can provide safe and easy services to access directory applications. We used a deep learning approach to detect DDoS attacks on the CICDDoS 2019 dataset on a complex computer network at the application layer to get fast and accurate results for dealing with unbalanced data. Based on the results obtained, it is observed that DDoS attack detection using a deep learning approach on imbalanced data performs better when implemented using synthetic minority oversampling technique (SMOTE) method for binary classes. On the other hand, the proposed deep learning approach performs better for detecting DDoS attacks in multiclass when implemented using the adaptive synthetic (ADASYN) method.
Similar to A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM (20)
ANALYSIS OF LAND SURFACE DEFORMATION GRADIENT BY DINSAR cscpconf
The progressive development of Synthetic Aperture Radar (SAR) systems diversify the exploitation of the generated images by these systems in different applications of geoscience. Detection and monitoring surface deformations, procreated by various phenomena had benefited from this evolution and had been realized by interferometry (InSAR) and differential interferometry (DInSAR) techniques. Nevertheless, spatial and temporal decorrelations of the interferometric couples used, limit strongly the precision of analysis results by these techniques. In this context, we propose, in this work, a methodological approach of surface deformation detection and analysis by differential interferograms to show the limits of this technique according to noise quality and level. The detectability model is generated from the deformation signatures, by simulating a linear fault merged to the images couples of ERS1 / ERS2 sensors acquired in a region of the Algerian south.
4D AUTOMATIC LIP-READING FOR SPEAKER'S FACE IDENTIFCATIONcscpconf
A novel based a trajectory-guided, concatenating approach for synthesizing high-quality image real sample renders video is proposed . The lips reading automated is seeking for modeled the closest real image sample sequence preserve in the library under the data video to the HMM predicted trajectory. The object trajectory is modeled obtained by projecting the face patterns into an KDA feature space is estimated. The approach for speaker's face identification by using synthesise the identity surface of a subject face from a small sample of patterns which sparsely each the view sphere. An KDA algorithm use to the Lip-reading image is discrimination, after that work consisted of in the low dimensional for the fundamental lip features vector is reduced by using the 2D-DCT.The mouth of the set area dimensionality is ordered by a normally reduction base on the PCA to obtain the Eigen lips approach, their proposed approach by[33]. The subjective performance results of the cost function under the automatic lips reading modeled , which wasn’t illustrate the superior performance of the
method.
MOVING FROM WATERFALL TO AGILE PROCESS IN SOFTWARE ENGINEERING CAPSTONE PROJE...cscpconf
Universities offer software engineering capstone course to simulate a real world-working environment in which students can work in a team for a fixed period to deliver a quality product. The objective of the paper is to report on our experience in moving from Waterfall process to Agile process in conducting the software engineering capstone project. We present the capstone course designs for both Waterfall driven and Agile driven methodologies that highlight the structure, deliverables and assessment plans.To evaluate the improvement, we conducted a survey for two different sections taught by two different instructors to evaluate students’ experience in moving from traditional Waterfall model to Agile like process. Twentyeight students filled the survey. The survey consisted of eight multiple-choice questions and an open-ended question to collect feedback from students. The survey results show that students were able to attain hands one experience, which simulate a real world-working environment. The results also show that the Agile approach helped students to have overall better design and avoid mistakes they have made in the initial design completed in of the first phase of the capstone project. In addition, they were able to decide on their team capabilities, training needs and thus learn the required technologies earlier which is reflected on the final product quality
PROMOTING STUDENT ENGAGEMENT USING SOCIAL MEDIA TECHNOLOGIEScscpconf
This document discusses using social media technologies to promote student engagement in a software project management course. It describes the course and objectives of enhancing communication. It discusses using Facebook for 4 years, then switching to WhatsApp based on student feedback, and finally introducing Slack to enable personalized team communication. Surveys found students engaged and satisfied with all three tools, though less familiar with Slack. The conclusion is that social media promotes engagement but familiarity with the tool also impacts satisfaction.
A SURVEY ON QUESTION ANSWERING SYSTEMS: THE ADVANCES OF FUZZY LOGICcscpconf
In real world computing environment with using a computer to answer questions has been a human dream since the beginning of the digital era, Question-answering systems are referred to as intelligent systems, that can be used to provide responses for the questions being asked by the user based on certain facts or rules stored in the knowledge base it can generate answers of questions asked in natural , and the first main idea of fuzzy logic was to working on the problem of computer understanding of natural language, so this survey paper provides an overview on what Question-Answering is and its system architecture and the possible relationship and
different with fuzzy logic, as well as the previous related research with respect to approaches that were followed. At the end, the survey provides an analytical discussion of the proposed QA models, along or combined with fuzzy logic and their main contributions and limitations.
DYNAMIC PHONE WARPING – A METHOD TO MEASURE THE DISTANCE BETWEEN PRONUNCIATIONS cscpconf
Human beings generate different speech waveforms while speaking the same word at different times. Also, different human beings have different accents and generate significantly varying speech waveforms for the same word. There is a need to measure the distances between various words which facilitate preparation of pronunciation dictionaries. A new algorithm called Dynamic Phone Warping (DPW) is presented in this paper. It uses dynamic programming technique for global alignment and shortest distance measurements. The DPW algorithm can be used to enhance the pronunciation dictionaries of the well-known languages like English or to build pronunciation dictionaries to the less known sparse languages. The precision measurement experiments show 88.9% accuracy.
INTELLIGENT ELECTRONIC ASSESSMENT FOR SUBJECTIVE EXAMS cscpconf
In education, the use of electronic (E) examination systems is not a novel idea, as Eexamination systems have been used to conduct objective assessments for the last few years. This research deals with randomly designed E-examinations and proposes an E-assessment system that can be used for subjective questions. This system assesses answers to subjective questions by finding a matching ratio for the keywords in instructor and student answers. The matching ratio is achieved based on semantic and document similarity. The assessment system is composed of four modules: preprocessing, keyword expansion, matching, and grading. A survey and case study were used in the research design to validate the proposed system. The examination assessment system will help instructors to save time, costs, and resources, while increasing efficiency and improving the productivity of exam setting and assessments.
TWO DISCRETE BINARY VERSIONS OF AFRICAN BUFFALO OPTIMIZATION METAHEURISTICcscpconf
African Buffalo Optimization (ABO) is one of the most recent swarms intelligence based metaheuristics. ABO algorithm is inspired by the buffalo’s behavior and lifestyle. Unfortunately, the standard ABO algorithm is proposed only for continuous optimization problems. In this paper, the authors propose two discrete binary ABO algorithms to deal with binary optimization problems. In the first version (called SBABO) they use the sigmoid function and probability model to generate binary solutions. In the second version (called LBABO) they use some logical operator to operate the binary solutions. Computational results on two knapsack problems (KP and MKP) instances show the effectiveness of the proposed algorithm and their ability to achieve good and promising solutions.
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAINcscpconf
In recent years, many malware writers have relied on Dynamic Domain Name Services (DDNS) to maintain their Command and Control (C&C) network infrastructure to ensure a persistence presence on a compromised host. Amongst the various DDNS techniques, Domain Generation Algorithm (DGA) is often perceived as the most difficult to detect using traditional methods. This paper presents an approach for detecting DGA using frequency analysis of the character distribution and the weighted scores of the domain names. The approach’s feasibility is demonstrated using a range of legitimate domains and a number of malicious algorithmicallygenerated domain names. Findings from this study show that domain names made up of English characters “a-z” achieving a weighted score of < 45 are often associated with DGA. When a weighted score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
GLOBAL MUSIC ASSET ASSURANCE DIGITAL CURRENCY: A DRM SOLUTION FOR STREAMING C...cscpconf
The document proposes a blockchain-based digital currency and streaming platform called GoMAA to address issues of piracy in the online music streaming industry. Key points:
- GoMAA would use a digital token on the iMediaStreams blockchain to enable secure dissemination and tracking of streamed content. Content owners could control access and track consumption of released content.
- Original media files would be converted to a Secure Portable Streaming (SPS) format, embedding watermarks and smart contract data to indicate ownership and enable validation on the blockchain.
- A browser plugin would provide wallets for fans to collect GoMAA tokens as rewards for consuming content, incentivizing participation and addressing royalty discrepancies by recording
IMPORTANCE OF VERB SUFFIX MAPPING IN DISCOURSE TRANSLATION SYSTEMcscpconf
This document discusses the importance of verb suffix mapping in discourse translation from English to Telugu. It explains that after anaphora resolution, the verbs must be changed to agree with the gender, number, and person features of the subject or anaphoric pronoun. Verbs in Telugu inflect based on these features, while verbs in English only inflect based on number and person. Several examples are provided that demonstrate how the Telugu verb changes based on whether the subject or pronoun is masculine, feminine, neuter, singular or plural. Proper verb suffix mapping is essential for generating natural and coherent translations while preserving the context and meaning of the original discourse.
EXACT SOLUTIONS OF A FAMILY OF HIGHER-DIMENSIONAL SPACE-TIME FRACTIONAL KDV-T...cscpconf
In this paper, based on the definition of conformable fractional derivative, the functional
variable method (FVM) is proposed to seek the exact traveling wave solutions of two higherdimensional
space-time fractional KdV-type equations in mathematical physics, namely the
(3+1)-dimensional space–time fractional Zakharov-Kuznetsov (ZK) equation and the (2+1)-
dimensional space–time fractional Generalized Zakharov-Kuznetsov-Benjamin-Bona-Mahony
(GZK-BBM) equation. Some new solutions are procured and depicted. These solutions, which
contain kink-shaped, singular kink, bell-shaped soliton, singular soliton and periodic wave
solutions, have many potential applications in mathematical physics and engineering. The
simplicity and reliability of the proposed method is verified.
AUTOMATED PENETRATION TESTING: AN OVERVIEWcscpconf
The document discusses automated penetration testing and provides an overview. It compares manual and automated penetration testing, noting that automated testing allows for faster, more standardized and repeatable tests but has limitations in developing new exploits. It also reviews some current automated penetration testing methodologies and tools, including those using HTTP/TCP/IP attacks, linking common scanning tools, a Python-based tool targeting databases, and one using POMDPs for multi-step penetration test planning under uncertainty. The document concludes that automated testing is more efficient than manual for known vulnerabilities but cannot replace manual testing for discovering new exploits.
CLASSIFICATION OF ALZHEIMER USING fMRI DATA AND BRAIN NETWORKcscpconf
Since the mid of 1990s, functional connectivity study using fMRI (fcMRI) has drawn increasing
attention of neuroscientists and computer scientists, since it opens a new window to explore
functional network of human brain with relatively high resolution. BOLD technique provides
almost accurate state of brain. Past researches prove that neuro diseases damage the brain
network interaction, protein- protein interaction and gene-gene interaction. A number of
neurological research paper also analyse the relationship among damaged part. By
computational method especially machine learning technique we can show such classifications.
In this paper we used OASIS fMRI dataset affected with Alzheimer’s disease and normal
patient’s dataset. After proper processing the fMRI data we use the processed data to form
classifier models using SVM (Support Vector Machine), KNN (K- nearest neighbour) & Naïve
Bayes. We also compare the accuracy of our proposed method with existing methods. In future,
we will other combinations of methods for better accuracy.
VALIDATION METHOD OF FUZZY ASSOCIATION RULES BASED ON FUZZY FORMAL CONCEPT AN...cscpconf
The document proposes a new validation method for fuzzy association rules based on three steps: (1) applying the EFAR-PN algorithm to extract a generic base of non-redundant fuzzy association rules using fuzzy formal concept analysis, (2) categorizing the extracted rules into groups, and (3) evaluating the relevance of the rules using structural equation modeling, specifically partial least squares. The method aims to address issues with existing fuzzy association rule extraction algorithms such as large numbers of extracted rules, redundancy, and difficulties with manual validation.
PROBABILITY BASED CLUSTER EXPANSION OVERSAMPLING TECHNIQUE FOR IMBALANCED DATAcscpconf
In many applications of data mining, class imbalance is noticed when examples in one class are
overrepresented. Traditional classifiers result in poor accuracy of the minority class due to the
class imbalance. Further, the presence of within class imbalance where classes are composed of
multiple sub-concepts with different number of examples also affect the performance of
classifier. In this paper, we propose an oversampling technique that handles between class and
within class imbalance simultaneously and also takes into consideration the generalization
ability in data space. The proposed method is based on two steps- performing Model Based
Clustering with respect to classes to identify the sub-concepts; and then computing the
separating hyperplane based on equal posterior probability between the classes. The proposed
method is tested on 10 publicly available data sets and the result shows that the proposed
method is statistically superior to other existing oversampling methods.
CHARACTER AND IMAGE RECOGNITION FOR DATA CATALOGING IN ECOLOGICAL RESEARCHcscpconf
Data collection is an essential, but manpower intensive procedure in ecological research. An
algorithm was developed by the author which incorporated two important computer vision
techniques to automate data cataloging for butterfly measurements. Optical Character
Recognition is used for character recognition and Contour Detection is used for imageprocessing.
Proper pre-processing is first done on the images to improve accuracy. Although
there are limitations to Tesseract’s detection of certain fonts, overall, it can successfully identify
words of basic fonts. Contour detection is an advanced technique that can be utilized to
measure an image. Shapes and mathematical calculations are crucial in determining the precise
location of the points on which to draw the body and forewing lines of the butterfly. Overall,
92% accuracy were achieved by the program for the set of butterflies measured.
SOCIAL MEDIA ANALYTICS FOR SENTIMENT ANALYSIS AND EVENT DETECTION IN SMART CI...cscpconf
Smart cities utilize Internet of Things (IoT) devices and sensors to enhance the quality of the city
services including energy, transportation, health, and much more. They generate massive
volumes of structured and unstructured data on a daily basis. Also, social networks, such as
Twitter, Facebook, and Google+, are becoming a new source of real-time information in smart
cities. Social network users are acting as social sensors. These datasets so large and complex
are difficult to manage with conventional data management tools and methods. To become
valuable, this massive amount of data, known as 'big data,' needs to be processed and
comprehended to hold the promise of supporting a broad range of urban and smart cities
functions, including among others transportation, water, and energy consumption, pollution
surveillance, and smart city governance. In this work, we investigate how social media analytics
help to analyze smart city data collected from various social media sources, such as Twitter and
Facebook, to detect various events taking place in a smart city and identify the importance of
events and concerns of citizens regarding some events. A case scenario analyses the opinions of
users concerning the traffic in three largest cities in the UAE
SOCIAL NETWORK HATE SPEECH DETECTION FOR AMHARIC LANGUAGEcscpconf
The anonymity of social networks makes it attractive for hate speech to mask their criminal
activities online posing a challenge to the world and in particular Ethiopia. With this everincreasing
volume of social media data, hate speech identification becomes a challenge in
aggravating conflict between citizens of nations. The high rate of production, has become
difficult to collect, store and analyze such big data using traditional detection methods. This
paper proposed the application of apache spark in hate speech detection to reduce the
challenges. Authors developed an apache spark based model to classify Amharic Facebook
posts and comments into hate and not hate. Authors employed Random forest and Naïve Bayes
for learning and Word2Vec and TF-IDF for feature selection. Tested by 10-fold crossvalidation,
the model based on word2vec embedding performed best with 79.83%accuracy. The
proposed method achieve a promising result with unique feature of spark for big data.
GENERAL REGRESSION NEURAL NETWORK BASED POS TAGGING FOR NEPALI TEXTcscpconf
This article presents Part of Speech tagging for Nepali text using General Regression Neural
Network (GRNN). The corpus is divided into two parts viz. training and testing. The network is
trained and validated on both training and testing data. It is observed that 96.13% words are
correctly being tagged on training set whereas 74.38% words are tagged correctly on testing
data set using GRNN. The result is compared with the traditional Viterbi algorithm based on
Hidden Markov Model. Viterbi algorithm yields 97.2% and 40% classification accuracies on
training and testing data sets respectively. GRNN based POS Tagger is more consistent than the
traditional Viterbi decoding technique.
हिंदी वर्णमाला पीपीटी, hindi alphabet PPT presentation, hindi varnamala PPT, Hindi Varnamala pdf, हिंदी स्वर, हिंदी व्यंजन, sikhiye hindi varnmala, dr. mulla adam ali, hindi language and literature, hindi alphabet with drawing, hindi alphabet pdf, hindi varnamala for childrens, hindi language, hindi varnamala practice for kids, https://www.drmullaadamali.com
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
A review of the growth of the Israel Genealogy Research Association Database Collection for the last 12 months. Our collection is now passed the 3 million mark and still growing. See which archives have contributed the most. See the different types of records we have, and which years have had records added. You can also see what we have for the future.
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
How to Manage Your Lost Opportunities in Odoo 17 CRMCeline George
Odoo 17 CRM allows us to track why we lose sales opportunities with "Lost Reasons." This helps analyze our sales process and identify areas for improvement. Here's how to configure lost reasons in Odoo 17 CRM
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
2. 10 Computer Science & Information Technology (CS & IT)
sites, etc. For instance, large organizations like Microsoft, Amazon, eBay, CNN, and Yahoo have
experienced DDoS attacks in the year 2000 [2, 14, 20].
The losses caused by DDoS attacks are tremendous, especially to E-Commerce sites.
Unacceptable download times often caused by DDoS attacks are estimated to have caused losses
of up to $4.35 billion in the US. E-Commerce sales and worldwide businesses experienced about
3.3% of unplanned downtime in 1999, translating to $1.6 trillion in lost revenue [5]. According
to a survey done by FBI [21] collected from 251 organizations, DoS attacks were the second
most expensive computer crime, with a cost of more than 65 million dollars in the year 2003. In
another survey, DoS attacks had caused losses for almost 3 billion dollars and have been in the
top five attacks indexed by economic loses of the previous 3 years [15, 18]. According to a study
by Arbor Networks [22], in 2007, the largest DDoS bandwidth attack was recorded as 40
Gigabits per second on Internet Service Providers (ISPs) but this size nearly doubled in 2008
from the previous year.
DDoS attacks range from small to large scale versions launched from thousands of bots, affecting
not only the target victim, but also the infrastructure of the service provider [3]. In October 2002,
an attacker flooded the root Domain Name Service (DNS) servers with traffic in an effort to deny
the Internet of the DNS name lookup service which would have paralyzed the majority of
Internet applications. Only five out of thirteen root servers were able to withstand the attack.
Thus, accessing Internet services was degraded in the globe till the problem was solved [15, 22].
As some studies showed [14], regardless of the diligence, effort, and resources spent securing
against intrusion, Internet connected systems face a consistent and real threat from DDoS attacks
because of different reasons.
2. DENIAL OF SERVICE ATTACKS
DoS attacks cause either disruption or degradation on victims’ shared resources, preventing
legitimate users from using their access right on those resources. DoS attacks may target a
specific component of a computer, the entire computer system, certain networking infrastructure,
or even the entire Internet infrastructure. Attacks can be either by exploiting the natural weakness
of a system, which is known as Logic attack or overloading the victim with high volume of
traffic, which is called Flood attack [11].
A distributed form of DoS attack, called DDoS attack, is generated by many compromised
machines to coordinately attack a victim [19]. DDoS attacks consist of at least four core
elements: attack source, control master(s), agents, and victim. Attack source or control masters
may use valid or spoofed IP addresses during the attack based on the attacking strategies they
follow. By spoofing, the actual attacker can hide its identity and reduce the chance of being
claimed by the victim.
DDoS attacks can be performed by using powerful attacking tools such as Trin00, TFN, TFN2K,
Stacheldracht, and Shaft, which are easily available on the Internet. Ease of availability of
various powerful DDoS attacking tools and variant natures of DDoS attacking strategies makes
DDoS attack defense a challenging problem [4, 10].
3. RELATED WORK
Based on their deployment location, we present related works as: Source Network, Intermediate
Network, Victim Network, or Cooperative Defense solutions.
3. Computer Science & Information Technology (CS & IT) 11
Mirkovi´c et al. in [6] proposed a source side DDoS defense system which is a self-regulating
reverse-feedback system. It consists of observation and throttling components that can be part of
the source router itself, or can belong to a separate unit that interacts with the source router to
obtain traffic statistics and install rate-limiting rules. The observation component monitors all
packets passing through the source router and gathers statistics on two-way communication
between the police address set and the rest of the Internet. This monitoring can be performed by
sniffing the traffic at the source router interfaces. Periodically, statistics are compared to models
of normal traffic and results are passed to the throttling component which adjusts and transfers
the new rate limit rules into the source router. The imposed rate limits modify associated traffic
flows and thus affect future observations, closing the feedback loop.
Shu and Dasgupta [7] proposed a router based DDoS prevention system, called denying Denial-
of-Service Attacks. Accordingly, the routers are modified to provide encryption, digital
signatures, and authentication, enabling the tracing of a packet back to its origin and thus
stopping further traffic at the closest intelligent router point. Every group of collaborating routers
is called a “hardened network”. The hardened routers should be implemented at the border and
access point of an Autonomous System. When arriving at the first hardened router, the packet’s
payload is encrypted together with one byte of its IP address and the last hardened router before
the host will decrypt it. This way the packet can be traced back to the first hardened router, and
an attack can be stopped at that point.
Ioannidis and Bellovin [9] proposed a network-based solution, Pushback, which tries to solve the
problem of DDoS attacks from within the network using the congestion level between different
routers. When a link’s congestion level reaches a certain threshold, the sending router starts
dropping packets and tries to identify illegitimate traffic by counting the number of times packets
are dropped for a certain destination IP address, since the attacker constantly changes the source
IP address. The router then sends a pushback message to the routers connecting it to other
congested links, asking them to limit the traffic arriving to this destination.
Jin et al. [8] proposed Hop-count filtering (HCF), which is a victim based solution relying on the
fact that the number of hops between source and destination is indirectly indicated by the time-
to-live (TTL) field in an IP packet. Linking the source IP with the statistical number of hops to
reach the destination is used as a reference to assess the authenticity of the claimed IP source. A
hop-count based filtering scheme that detects and discards spoofed IP packets to conserve system
resources is used. Their proposed scheme inspects the hop-count of each incoming packet to
validate the legitimacy of the packet. Using moderate amount of storage, HCF constructs an
accurate IP to Hop Count mapping table via IP address aggregation and hop-count clustering. A
pollution-proof mechanism initializes and updates entries in the mapping table. By default, HCF
stays in alert state, monitoring abnormal IP to Hop Count mapping behaviors without discarding
any packet. Once spoofed DDoS traffic is detected, HCF switches to action state and discards
most of the spoofed packets.
Because of the nature of DDoS attacks, it is not sufficient to prevent DDoS attacks with single
point defense strategy [12]. Thus, current works focus on cooperative defense strategies. The
following works show how distributed and coordinated defense techniques are intended to work
for DDoS attacks prevention.
Cooperative Defense against DDoS Attacks which was proposed by Zhang and Parashar [13] is a
global DDoS defense infrastructure built as an overlay network on top of the Internet. The
scheme consists of two stages. In the first stage, each defense node detects traffic anomalies
locally using a variety of existing intrusion detection system tools. According to its local defense
4. 12 Computer Science & Information Technology (CS & IT)
policy, each local defense node sets a rate limit to the traffic identified as attack traffic. In the
second stage, gossip based communication mechanism is used to share information among the
defense nodes that is expected to enhance the accuracy of the defense mechanism. A gossip-
based scheme is used to get global information about DDoS attacks by information sharing. The
proposed system continuously monitors the network. When an attack begins, individual defense
nodes drop attack traffic identified according to the local information and mitigate load to the
target victim. However, as local detection has a high false alarm rate, legitimate traffic will also
be dropped. By correlating the attack information of each individual node, the scheme can get
more information about the network attack and thus can defend against DDoS attacks more
effectively.
In [1, 23] another collaborative DDoS defence system is proposed by Oikonomou et al. and Xuan
et al. in which routers act as gateways, detecting DDoS attacks locally and identifying and
dropping packets from misbehaving flows. Gateways are installed and communicate only within
the source and the victim domains, thus providing cooperative defense of a limited scope.
Similarly, Papadopoulos et al. [24] proposed a multicast group of defense nodes which are
deployed at source and victim networks. Each defense node can autonomously detect the attack
and issue an attack alert to the group. Sources involved in the attack cooperate with the victim to
suppress it. Since intermediate networks do not participate in the defense, the solutions proposed
in [23] and [24] cannot control attack traffic from networks that do not deploy the proposed
defense.
From the review we derived that, there should be at least these three critical defense
functionalities that any DDoS defense approach need to achieve: accurate attack detection, rate
limiting of traffic to free critical resources, and traffic differentiation to separate the legitimate
from the attack traffic to minimize collateral damage. Thus any defense effectiveness should be
evaluated based on these functionalities.
Besides, based on the deployment location, the defense mechanisms will have the following
advantages and limitations.
Defense mechanisms deployed near the victim can identify DDoS attacks easily and accurately
because it can view the aggregate attack traffic, but tracing back the source of the attack is hard
and the amount of traffic to analyze is large. Moreover, large amount of flood may not give a
chance to detect and react to the attack.
Intermediate network solutions, deployed at the core network infrastructure, have the advantage
to rate limit large floods that would overwhelm the victim’s access links as early as possible
before aggregating and congesting the victim. However, accurate detection of illegitimate traffic
and the willingness of service providers for deployment are somehow challenging.
A source-end solution, deployed at the edges of the Internet, has the advantage of easily tracing
back to attack sources since the amount of traffic and address diversity to analyze is minimal.
However, it suffers from the deployment issue as it is a pure source-end solution and it doesn’t
handle legitimate congestion problems.
4. PROPOSED SOLUTION
To counteract the diverse nature of DDoS attacks and protecting legitimate traffic from collateral
damage, it is not sufficient to use simple message exchange among nodes about the attacks and
reacting with a single point of defense location [13]. There must be a distributed defense system
for effective handling of the problem. Thus, we designed a distributed and coordinated multi-
5. Computer Science & Information Technology (CS & IT) 13
agent DDoS attack with the central coordinator defense that realizes the strengths of various
deployment locations. These agents will monitor the network and will trace the incoming and
outgoing packets which are addressed to a specified destination and will have the ability to read
and take appropriate actions on them based on a given mission within their working boundary.
Here, agents are autonomous systems that work on behalf of targeted victims within the given
and others’ domain networks. They are algorithm implementers and information exchangers. The
algorithms they implement include: IP spoofing verifier, packet filter (classification and packet
marking), rate limiter, anomaly detector, and attack source tracer.
Figure 1 presents a complete flowchart of the packet screening process of the proposed DDoS
attack defense mechanism.
Figure 1: Flow of packet screening processes by an agent
As it is shown in Figure 1, the entire screening process can be performed by an independent
agent. However, to minimize the work load and to maximize the effectiveness of the problem
solving capacity of an agent, the processes among various agents that will be deployed at
different locations are distributed. Each component is described in the sequel.
IP spoofing verifier: checks the validity of the source IP address of packets before they come-out
through source stub borders or come-in to destination stub borders. The verifier at stub borders
ensures that a packet leaving its domain has a source address from inside the domain, and a
packet entering has one from outside. It checks packets’ IP address field values for source
address spoofing. It also identifies attack source identity during an actual attack source
investigation process. A source side verifier evaluates each outgoing packet’s source IP address
6. 14 Computer Science & Information Technology (CS & IT)
based on pre-established active domain members address list, which may be stored in a hash
table or a database.
However, as figure 2 shows destination side verifier evaluates source address spoofing by using
other methods such as hop-count filter (HCF). HCF is a light weight victim side IP spoofing
validation algorithm. It is computed based on the packet time-to-live (TTL) value. TTL value is
primarily used for determining a life time of a packet staying in transit. TTL value will be
reduced by one when that packet passes through a hop. Thus, indirectly, this value can indicate
how much route a packet travels to reach its destiny by deducing initial TTL value from final
TTL value i.e., hop-count (HC = initial TTL – final TTL). Ideally, packets that are generated
from one source will have same hop-count value unless they are spoofed.
Packet filter: focuses on classifying traffic type as TCP, ICMP, and UDP flows, evaluates their
behaviour, and marking them as “good”, ”unknown”, or “bad” according to their behaviour.
Then, forwards “unknown” packets to the next component for rate limiting and “good” packets
for service priority. However, “bad” packets will be dropped and recorded in a blacklist table.
Figure 3 shows the process of flow classification and counting independent flow rates of
incoming and outgoing traffic.
Figure 2: Source IP spoof inspection algorithm
Figure 3: Packet classifier and packets counter processes
Traffic behaviour is evaluated based on to-fro (out-in) ratio for TCP packets, request-reply ratio
for ICMP packets, and flow rate (number of packets per time interval) for UDP packets, and
packet size (min-max range) for ICMP ping packet communication.
To detect TCP-based attacks, we adopt the concept of disproportionate TCP packet rates to and
from peers. This idea is first proposed in [16]. TCP is a reliable communication protocol that
7. Computer Science & Information Technology (CS & IT) 15
guarantees the delivery of packets by exchanging acknowledgment between peers. According to
[16], for normal TCP-based communication, the number of packets sent to and received from a
host should be constant and the ratio is suggested as not more than 3. Thus, non-proportional
communication is good indication of DDOS attacks. During attack, there is large number of
packets sent but a few or no reply from the other side will be received by the sources since the
attacker usually forges its source address to redirect the reply of the receiver, or repeatedly resets
the connection to make a destination machine busy with unnecessary processes. This assumption
also works for ICMP request/reply communication.
UDP and ICMP packets are mainly used by bandwidth consumption attacks. As these traffic
types generally utilize small amounts of bandwidth, a sudden change in the transferred ICMP or
UDP bytes per second or individual packet’s payload size are good indications of attacks.
During attack detection, the current sampled flow ratio or flow rate value will be compared with
a benchmarked threshold value in a given time interval. Then, the flow is classified as “bad”
(attack) flow if its packet ratio or rate is above the threshold; “unknown” if its rate or ratio is
suspicious range; otherwise, it is considered a “good” flow. Figure 4 shows the process of
evaluating flow behaviour.
Figure 4: Packet filtering and rate limitation process
After classifying flows, there will be a process of packet marking according to their behaviour
with a unique signature that can be interpreted by subsequent components. This signature can be
behaviour in the option field of the packet header.
“Unknown” flow is determined by an agent based on the local knowledge of that agent about that
flow. So, “unknown” flow can either be “bad” or “good” when it is detected by other agents. In
addition, an agent can attach the degree of confidence value about “unknown” flow based on its
information. This confidence value is further used as an input by the rate limiter to assign the
degree of rate limit on that particular flow. The degree of confidence about a flow can range
between 0 and 1, where 0 means certainly bad flow and 1 is certainly good flow. As the
fractional value increases, the certainty of a flow being good will increase. As a result, a good
flow could get its maximum bandwidth while a bad flow could be penalized by the rate limiter
based on the confidence level. Therefore, unknown flow is attached with additional information
such as flow identity (fid), degree of confidence I, and its destination (d) before it is forwarded to
the rate limiter.
Rate limiter: focuses on protecting victims from over flooded packets during communication. It
works based on the aggressiveness of flows with respect to the serving capacity of a given node
(host or router) in a given time frame. Traffic will be rate-limited if its behaviour is assumed as
congestion causing to the next destiny. Traffic behaviour is evaluated based on flow rate (packets
Benchmarked flow
ratio, rate, or packet
8. 16 Computer Science & Information Technology (CS & IT)
per second) for UDP packets, to-fro ratio for TCP packets, request-replay ratio for ICMP packets,
packet size (min-max range) for ICMP ping packet communication.
The rate limiter receives an “unknown” flow with unique flow id (fid), in-flow rate (rate-in),
confidence value I, and forwarded destination address (d). Then it sends limited rate flow by
computing rate-out according to the confidence value.
Anomaly detector: focuses on protecting victims from semantic (logic) attacks before causing
confusion and freezing normal service. In semantic attack, the attacker generates invalid packet
content that causes an application to freeze or crash. Thus, the anomaly detector works based on
the predefined signature for known attack types and learning through time from the requests for
new types of attacks. The signature can be set according to local network security policy. These
signatures can be stored in a database, similar to virus definition in an antivirus engine.
Attack source tracer: focuses on identifying the origin and stopping further attack originating
from that source. It includes investigating detailed attacking strategies and collecting and
analyzing post attack reports from remote agents.
Generally, these algorithms are used as a means of knowledge of agents to perform the entire
packet screening process during DDoS attacks.
To realize the above algorithms, we identified four defense agents that can accomplish their
assigned mission based on a given situation by implementing one or more of the previously
discussed algorithms. These agents include Source Agent (S-Agent), Intermediate Agent (I-
Agent), Destination Agent (D-Agent), and Master Agent (Magent). Though their structure and
components look similar, their functionality defers and is determined by their location and the
information they have about the network traffic.
As it is shown in Figure 5, each agent has four core components that communicate with each
other to accomplish its assigned tasks. These components include sensor, sampler, detector, and
filter. However, some particular agents like M-Agent may have other components such as
investigator. An agent is designed to detect and react for various DDoS attacks by changing its
assigned mission according to its working location and a given situation. The components of an
agent are described in the sequel.
Figure 5: Structure and components of a basic defense agent
Sensor: is an initial information processing component that gathers statistical data by sniffing the
traffic while it passes through a given node interface. Moreover, it calculates the amount of
traffic (bits per second, number of packets per second, ratio of two-way communication flow in a
certain period, etc.), determines the addresses of hosts that make the largest traffic, and
Detector
9. Computer Science & Information Technology (CS & IT) 17
determines the validity of a source address by implementing different IP spoofing verifier
methods based on the location it is deployed.
Sampler: is a secondary information processing component that works in two modes: learning
and normal mode. In learning mode, it processes the network packets and constructs a benchmark
of normal flows of a given network. Then, in normal mode, it analyses and compares current
traffic with the benchmarked normal traffic. It picks the addresses of hosts that do not correspond
to the benchmark and sends them to the detector.
Detector: its general goal is to make a decision about the beginning of attack on the basis of
sensor and sampler results. A detector sends the list of attack addresses received from the sensor
and the sampler to the filter.
Filter: categorizes flows as good, unknown, or bad on the basis of detector results. It takes
appropriate actions such as dropping accurately detected bad packets, marking unknown
(suspicious) packets for rate limitation or further detection, and prioritizing good packets.
Investigator: is a special component of an M-Agent, which is not shown in the basic agent
structure of Figure 5. Its general goal is to trace the attack source and attack slaves. After
receiving a message from the detector, it examines the obtained IP addresses for the presence of
attack agents.
We divided the overall DDoS defense requirements and assigned them to each of our specialized
agents as follows:
S-Agent: is a source end autonomous system that has the ability to read and modify each packet
which passes through border routers of source stub network.
I-Agent: is an intermediate (core) node traffic monitoring system which has the ability to
measure the impact of aggregate traffic which are generated by different source stubs towards a
specified destination.
D-Agent: is a destination stub system which monitors and reacts on flows that are destined to
victim networks.
M-Agent: is a master agent that coordinates the overall defense activities and manages
investigation of actual attack source during back trace. It is the place where logical (semantic)
attacks will be detected by tracing each packet’s content & analyzing packet’s intention
according to local services. This agent may perform the tasks of an S-Agent and an I-Agent if
packets are originated from the local network and not observed by previous agents. It also
prioritizes packets based on their behaviour, keeps records of each agent’s activities, and
communicates with others for further tracing of attack source and attack slaves.
These agents are expected to work as a team with a common goal of defending the victim from
various DDoS attacks. Messaging is the means of communication among agents. It can be
through one-way communication where only either of two parties sends the message or two-way
communication where two parties exchange with each other. Thus, during packet screening,
agents communicate with each other about their status using secured messaging. Figure 6 shows
the coordination and communication of the four agents during DDoS attack defense.
As it is shown in Figure 6, packets will be verified for not forging their original source address
by using S-Agents at the border router of source domain network. Note that, as there are
10. 18 Computer Science & Information Technology (CS & IT)
thousands of source stub domain networks in the Internet, it is not possible to fully deploy S-
Agents. Thus, the second layer I-Agents will receive screened packets from sources which have
deployed S-Agents or unscreened packets from sources which have not deployed S-Agents, then
do their job and forward them to their next destination. At the destination stub domain network, a
D-Agent will receive screened packets from an intermediate node which uses I-Agents or
unscreened packets from local domain network, then perform their mission and forward them to
their final destination.
Finally, an M-Agent at the destination network does the final screening process and delivers
normal packets to access the available services.
Figure 6: Coordination and communication of Multi-agent DDoS defense system
5. EXPERIMENTATION OF THE PROPOSED SOLUTION
To evaluate the performance of the proposed solution, we conducted a simulation experiment by
established sample data sets and attacking scenarios. Our simulation experiment setup and
scenarios specify the following four important features that are assumed as influential variables
for the defense’s effectiveness. These are network topology, legitimate traffic, event scheduling,
and attack traffic. We use these variables to establish realizable simulation setup according to
actual DDoS attack behaviours and some theoretical background of Internet services.
The goals of this simulation experiments are: illustrating the effectiveness of the proposed
solution, evaluating the performance of legitimate users during attacks in the presence and
absence of the defense system, and measuring collateral damages of the defense system during
attack detection and prevention.
Scenario 1: Evaluating the performance of legitimate traffic (a) in the absence of both attack &
defense mechanisms, (b) in the presence of flood attack but in the absence of defense system, and
(c) in the presence of both flood attack & defense mechanisms.
In this first set of experiments, we switched 5% of the potential traffic generating nodes (which
are around 90 of the 1800) from legitimate to attack users. They are randomly distributed
throughout the different source stub domains. These nodes are attached with TCP traffic (agent)
by a modified UDP agent such that it sends packets marked as TCP but it does not respond to
S-Detector
I-Detector M-Detector
D-Detector
11. Computer Science & Information Technology (CS & IT) 19
congestion. The victim side uses Ns2 FullTcp receiver agents to generate acknowledgments as it
would be on real machines.
The bottleneck link is assumed to be 50Mbps, has a delay of 0.5s and a queue of size 1000
packets. All other input links that join have bandwidth of 50 Mbps and a delay of 0.5s. Each
attack node sends out 100 Kbps modified UDP traffic with an average 0.22 second interval
between packets to the victim. A good user makes request with traffic rates chosen randomly and
uniformly in the range [1Kbps, 15Kbps]. If a request arrives at the server successfully, the server
will return the result within a certain delay of processing time. The attack starts at 30 seconds
after the start of legitimate traffic and ends at 90 seconds. Finally, we measured the packet rate of
a selected client at the FTP server and evaluate its performance during the simulation period,
which is a total of 120 seconds. Figure 7 shows the result of the simulation experiment. The X
axis represents time intervals in seconds and the Y axis represents the rate of packets in bytes
received at the server of a selected legitimate client in different situations.
Figure 7: Simulation experiment result of scenario-1
Result Analysis: as it is shown in Figure 7a, more than 14000 bytes successfully arrived at the
FTP server in a normal use of the network. However, in the presence of attack and in the absence
of defense (Figure 7b), packet rate dramatically dropped down starting from 30 seconds till 90
seconds. The graph shows some progress after 90 seconds since the attack traffic lasts at 90
seconds in the simulation time. Finally, the legitimate packet rate shows significant improvement
in the presence of both attacks and defense mechanism (Figure 7c).
Scenario 2: Evaluating the IP spoofing verification performance of full deployment of S-Agents
and D-Agents.
In these set of experiments, we performed test runs in the simulated topology by deliberately
modifying the original source address of packets, which are generated from 900 (50% of the
1800) source nodes. These nodes are randomly selected from 60 source stub domains. Each of
them generates spoofed packet flows with normal rate in the range [1Kbps, 15Kbps] to the victim
during the simulation time. We used a random IP spoofing mechanism to assign a forged IP to
generated packets. We set queue monitor objects at edge nodes of source and victim nodes to
monitor and analyze the packets departure and arrival rate from selected compromised and non-
compromised source nodes. We deployed S-agents at edge nodes of source stubs, which have the
address list of members’ nodes in an array variable. A D-Agent is deployed at the edge node of
the victim server, which has the maximum HC threshold (in our case, HC= 3 since it passes only
3 nodes from source to destination). In this experiment, we separately evaluated the performance
of S-Agents and D-Agents under full and partial deployment conditions. Figure 8 presents the
simulation result of scenario 2.
Result Analysis: Figure 8 shows the effect of full deployment of S-Agents and D-Agents. Figure
8a shows the successful arrival rate of packets at the destination node which originated from
selected non-compromised source nodes. It indicates that the IP spoof verification process of
12. 20 Computer Science & Information Technology (CS & IT)
defense agents will not affect the performance of legitimate users. Most of the packets generated
from selected legitimate users successfully arrived at the destination node.
Figure 8: Simulation results scenario-2
Figure 8b shows the successful arrival rate of spoofed packets which are generated from selected
compromised nodes and filtered by D-Agents. This result indicates that our D-Agent IP spoof
verification mechanism is not detecting the spoofed source packets in the simulation. This is
because we set a fixed maximum HC threshold value (i.e., HC=3), and all legitimate and
compromised source nodes are located on the same distance, which is 3 nodes away from the
target in the simulated network topology. Thus, HC value is 3 for all traffic generating nodes in
this simulated network. As a result, D-Agents will not differentiate between valid and spoofed
source packets. Note that D-Agents verify forged source packets based on HC difference.
Figure 8c shows arrived packet rates generated by selected compromised nodes and screened by
S-Agents. The result shows that our S-Agents successfully screened and dropped spoofed source
packets at source stub edge before they forwarded them to the destination. Some of the
successfully arrived packets might be the result of random address generation mechanism, since
there is a possibility of some of the randomly generated addresses being subset of the domain
member’s address list which is stored in an array variable.
Scenario 3: Evaluating the performance of defense agents on protecting the victim from
overflowing.
To test this scenario, we constructed a simplified transit-stub network topology with 100 traffic
generating (source) nodes and each source node is directly connected to a corresponding edge
node where the traffic is marked according to the parameters that will be specified. The edge
nodes are connected to a single core node, and then through another edge node, to a destination
node. Each traffic generating node sends legitimate TCP requests but in different rates. Our aim
is evaluating the performance of defense agents on congestion causing traffic. The bandwidth
and delay of links are assigned based on the random distribution of the proposed ranges as shown
in Table 1. The bottleneck link between a destination edge node and a destination node is
assigned 50 Mbps. The average traffic transfer rate is 10 Kbps and has a Pareto distribution with
shape parameter 1.25. Traffic sent arrives at the bottleneck link according to a Poisson process.
Several sessions can simultaneously be activated by the same source node. Queue is built-up at
the bottleneck link which has 100 packets size. We chose three parameters for three priority
levels (red, yellow, and green). These parameters are chosen and assigned only for simulation
purpose. In actual implementation, these are assumed to be automatically determined based on
agents’ sampler and sensor data. For each category of flow (red, yellow, and green), the average
queue size is monitored (this is done using the standard exponential averaging with parameter wq
= 0.01). Packets of a given color start to be dropped when the average number of queued packets
exceeds the minimum weight (minw); we choose minw = 15 packets; this drop probability
increases linearly with the average queue size until it reaches the maximum value maxw=45,
where the drop probability is taken to be maxp=0.5. When this value exceeds, the drop
13. Computer Science & Information Technology (CS & IT) 21
probability is 1. The differentiation is then done by using the RIO-D approach, in which the
rejection probability of each type of color depends on the average number of packets of that type.
Thus to have green packets dropped less than yellow, and yellow packets dropped less than red
ones, we properly chose three committed information rate (CIR) values which are used to
determine the fraction of packets that will be marked green, yellow, or red. The simulation takes
120 seconds. Table 1 shows the simulation result.
Table 1: Performance of defense agents on Congestion causing traffic
Key:
Code point 10 – is for green packets (good rated packets),
Code point 11 - is for yellow (unknown rated) packets, and
Code point 12 – is for red (over rated) packets.
Result Analysis: As it is shown in Table 1, the defense agent filters and totally drops high rated
traffic; it rate limits unknown traffic flow, and forwards good rated traffic.
6. CONCLUSION AND FUTURE WORK
DDoS attack is a serious security issue of the Internet community since it is becoming a major
cause of economic loss for many countries. It is the malicious act of attackers to disrupt or
degrade network resources of legitimate users.
There have been many attempts of protecting DDoS attacks through various ways and still many
scholars spend much of their time on proposing comprehensive defense systems. However, many
of these attempts lack some of the critical features (functionalities) of DDoS defense such as
accurate attack detection, collateral damage prevention, or comprehensive attack protection. In
this paper, we proposed a distributed but synchronized DDoS prevention architecture using
multiple defense agents which work in others’ networks on behalf of the victim. These agents are
given various missions to autonomously perform their tasks within their working boundaries and
communicate with each other about their actions during defense.
We evaluated the performance of our system by implementing the functionalities of the defense
schemes as queue objects in Ns-2 simulation tool. We performed intensive simulation
experiments by defining sample attacking scenarios on predefined experimentation setup. We
developed four scenarios which allow us to evaluate the effectiveness of the proposed solution
with regards to protecting legitimate users from collateral damage, accurate congestion causing
packets detection, spoof sourced packets verification functionalities and partial & full defense
deployment. The experiments showed encouraging results.
As future work, we will focus on the following issues:
14. 22 Computer Science & Information Technology (CS & IT)
1. In this work, defense agents were deployed on selected fixed place (border nodes of
different domain networks). In the future, defense agents shall be mobile and self
determinant for efficient working locations to maximize their effectiveness.
2. Securing the defense agents from being compromised by attackers during communication
shall be the other consideration since attackers can possibly target our own defense
agents for their malicious actions.
3. During implementation and experimentation, due to time limitation, we didn’t give much
attention on anomaly detection and attack source tracing functionalities; we were
focusing on IP spoof validation and high traffic rate limitation. Thus, we will deal in
detail on these issues to make this work more comprehensive and effective.
4. Finally, we have to deal with some legal and technical issues and limitations as we send
our remote agents to others’ network to work on behalf of victim a network.
REFERENCES
[1] G. Oikonomou, J. Mirkovic, P. Reiher, and M. Robinson. 2006. A Framework for Collaborative DDoS
Defense. In Proceedings of ACSAC, December 2006.
[2] Cruce Schneider, 2005. Attack Trends: Beyond the Numbers. Counterpane Internet Security, Inc.
January-October, 2005
[3] Juniper Network. 2006. Combating Bots and Mitigating DDoS Attacks (Solution brief). Juniper
Networks, Inc.
[4] Kevin J. Houle, CERT/CC, George M. Weaver, CERT/CC, In collaboration with: Neil Long, Rob
Thomas. 2001. Trends in Denial of Service Attack Technology. Carnegie Mellon University, 2001.
[5] Suhail Mohiuddin, shlomo Hershkop, Rahul Bhan, & Sal Stolfo. 2002. Defending Against large scale
Denial of Service attacks. In proceedings of the 2002 IEEE workshop on information Assurance &
Security, west point, NY.
[6] J. Mirkovic. 2003. D-WARD: source-end defense against distributed denial-of-service attacks. PhD
thesis, UCLA.
[7] Z. Shu and P. Dasgupta. 2003. Denying Denial-of-Service Attacks: A Router Based Solution. In
International Conference on Internet Computing, pages 301–307.
[8] Jin, G., Wang, H., and Shin, K. G. 2003. Hop-count filtering: an effective defense against spoofed
DDoS traffic. In Proceedings of the 10th ACM conference on Computer and communication security,
Washington D.C.
[9] J. Ioannidis and S. M. Bellovin. 2002. Implementing Pushback: Router Based Defense against DDoS
Attacks. In ISOC Symposium on Network and Distributed System Security, February 2002.
[10] Distributed Denial of Service Attack Tools. 2002. Internet Security Systems (ISS), Atlanta, GA.
[11] Jelena Mirkovic, Peter Reiher.2004. Taxonomy of DDoS Attack and DDoS Defense Mechanisms.
2004. DOI= http://www.eecis.udel.edu/~sunshine/publications/ccr.pdf
[12] Shibiao Lin, Tzi-cker Chiueh. A Survey on Solutions to Distributed Denial of Service Attacks. DOI=
http://www.ecsl.cs.sunysb.edu/tr/TR201.pdf.
[13] Guangsen Zhang and Manish Parashar. 2006. Cooperative Defense against DDoS Attacks. Journal of
Research and Practice in Information Technology, Vol. 38, No. 1, February 2006.
[14] Robert Richardson. 2009. Computer Crime and Security Survey.DOI=
http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml. Visited on January 2009.
[15] D. McGuire and B. Krebs. Attack on internet called largest ever. Oct. 2002. DOI=
http://www.washingtonpost.com/wpdyn/articles/A828-2002Oct22.html. Visited on January 14, 2009.
15. Computer Science & Information Technology (CS & IT) 23
[16] T. M. and Poleto, M. 2001. Multops: a data-structure for bandwidth attack detection. In Proceedings
of 10th Usenix Security Symposium, Washington, D.C., USA, 23–28.
[17] WatchGuard Technologies,Inc,. Distributed Denial of Service. WatchGuard Designing peace of Mind,
Seattle,WA., February 2000. DOI= www.watchguard com
[18] Abraham Yaar, Adrian Perrig, Dawn Song. Pi: A Path Identification Mechanism to Defend against
DoS Attacks. Carnegie Mellon University
[19] Felix Lau, Stuart H. Rubin, Michael H. Smith, Lj ilj ana Traj koviC. 2000. Distributed Denial of
Service Attacks. Proceedings in IEEE. June 2000.
[20] Williams, M.. EBay, Amazon, Buy.com hit by attacks. 2000.
http://www.nwfusion.com/news/2000/0209attack.html. Visited on August 2008
[21] CSI/FBI. Cyber Attacks Continue, but Financial Losses are Down. 2003, DOI=
http://www.gocsi.com/press/20030528.jhtml?_requestid=335314. Visited on August 2008.
[22] Robert Vamosi. 2008. Study: DDoS attacks threaten ISP infrastructure. Visited: December 04, 2008
10:20 AM PST http://news.cnet.com/8300-1009_3-83.html Posted: November 11, 2008
[23] Xuan, D., Bettati, R. and Zhao, W. 2001. A gateway-based defense system for distributed dos attacks in
high-speed networks. In Proceedings of 2001 IEEE Workshop on Information Assurance and Security.
[24] Padopoulos, C., Lindell, R., Mehringer, J., Hussain, A. and Govindan, R. 2003. Cossack: Coordinated
suppression of simultaneous attacks. In DARPA Information Survivability Conference and Exposition,
Washington, DC, 1: 2–13.
Authors
Metasebia Kassa received his B.Sc. in Information System and M. Sc. in
Computer Science from Addis Ababa University. He is currently working as
senior technical Engineer (Technical Trainer) at ZTE (H.K.) Limited
Ethiopian Branch (ZTE University). He has also been working as part-time
Lecturer in the Department of Computer Science of Addis Ababa University.
Metasebia has a broad research interest on Future Internet, Cloud Computing,
Mobile Computing, and Security related topics.
Dr. Mulugeta Libsie received his B. Sc. in Statistics and Mathematics from
Addis Ababa University, an M. Sc. in Computer Science from the University
of Essex in England and a PhD in Computer Science from the University of
Klagenfurt in Austria. Dr. Mulugeta is the author and co-author of several
journal papers, conference proceedings and textbooks. He is currently an
Assistant Professor in Computer Science at Addis Ababa University and
Chairperson of the Doctoral Program Research Committee (DPRC). His
research interest is in the area of distributed information systems.