A flooding attack is a network attack that sends a large amount of traffic to the victim networks or services to cause denial-of-service. In a Software-Defined Networking (SDN) environment, this attack might not only breach the hosts and services but also the SDN controller. Besides, it will also cause a disconnection of links between the controller and the switches. Thus, an effective detection and mitigation technique for flooding attacks is required. Statistical analysis techniques are widely used for the detection and mitigation of flooding attacks. However, the effectiveness of these techniques strongly depends on the defined threshold. Defining a static threshold is a tedious job and most of the time produces high false positive alarms. In this paper, we propose a dynamic threshold which is calculated using a modified adaptive threshold algorithm (MATA). The original ATA is based on the Exponential Weighted Moving Average (EWMA) formula, which produces a high number of false alarms. To reduce the false alarms, the alarm signal will only be generated after a minimum number of consecutive violations of the threshold. This, however, has increased the false negative rate when the network is under attack. In order to reduce this false negative rate, MATA adapted the baseline traffic info of the network infrastructure. The comparative analysis of MATA and ATA is performed through the measurement of false negative rate and accuracy of detection rate. Our experimental results show that MATA is able to reduce false negative rates up to 17.74% and increase the detection accuracy by 16.11% over the various types of flooding attacks at the transport layer.
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IJNSA Journal
The Internet Threat Monitoring (ITM) is an efficient monitoring system used globally to measure, detect, characterize and track threats such as denial of service (DoS) and distributed Denial of Service (DDoS) attacks and worms. To block the monitoring system in the internet, the attackers target the ITM system. In this paper we address the flooding attack of DDoS against ITM monitors to exhaust the network resources, such as bandwidth, computing power, or operating system data structures, by sending the malicious traffic. We propose an information-theoretic framework that models the flooding attacks using Botnet on ITM. One possible way to counter DDoS attacks is to trace the attack sources and punish the perpetrators. We propose a novel traceback method for DDoS using Honeypots. IP tracing through honeypot is a single packet tracing method and is more efficient than commonly used packet marking techniques.
A REVIEW ON DDOS PREVENTION AND DETECTION METHODOLOGYijasa
Denial of Service (DoS) or Distributed Denial of Service (DDoS) is a major threat to network security.
A network is a collection of nodes that interconnect with each other to exchange information. This
information is required for that node is kept confidentially. An attacker in a network computer captures this
information that is confidential and misuses the network. Hence security is one of the major issues. There
are one or many attacks in a network. One of the major threats to internet service is the DDoS (Distributed
denial of service) attack. A DDoS attack is a malicious attempt to suspend or interrupt services to a
target node. DDoS or DoS is an attempt to make a network resource or machine unavailable to its
intended user. Many ideas have been developed for avoiding DDoS or DoS. DDoS happens in two ways:
naturally, or it may be due to some botnets. Various schemes have been developed to defend against this attack.
The main idea of this paper is to present the basis of DDoS attacks: DDoS attack types, DDoS attack components,
and a survey of different mechanisms to prevent DDoS.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate state of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying levels of computational and memory overheads for their execution. While the approximate modules are fast in detection and involve less overhead, they provide a lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution. However, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate the effectiveness of the proposed defense mechanism against DDoS attacks.
Secure Data Aggregation Technique for Wireless Sensor Networks in the Presenc...1crore projects
Consensus Routing And Environmental Discrete Trust Based Secure AODV in MANETsIJCNCJournal
The Mobile Adhoc Network (MANET) is a wireless network model for infrastructure-less communication, and it provides numerous applications in different areas. The MANET is vulnerable to a Black-hole attack, and it affects routing functionality by dropping all the incoming packets purposefully. The Black-hole attackers pretend that they always have the best path to the destination node to mislead the source nodes. Trust is the critical factor for detecting and isolating the Black-hole attackers from the network. However, the harsh channel conditions make it difficult to differentiate the Black-hole routing activities and accurate trust measurement. Hence, incorporating the consensus-based trust evidence collection from the neighbouring nodes improves the accuracy of trust. For improving the accuracy of trust, this work suggests Consensus Routing and Environmental DIscrete Trust (CREDIT) Based Secure AODV. The CREDIT incorporates Discrete and Consensus trust information. The Discrete parameters represent the specific characteristics of the Black-hole attacks, such as routing behaviour, hop count deviation, and sequence number deviation. The direct trust accurately differentiates the Black-hole attackers using Discrete parameters, only when the nodes perform sufficient communication between the nodes. To solve such issues, the CREDIT includes the Consensus-based trust information. However, secure routing against the Black-hole attack is challenging due to incomplete preferences. The in-degree centrality and Importance degree measurement on the collected consensus-based trust from decision makers solve the incomplete preference issue as well as improve the accuracy of trust. The performance of the proposed scheme is evaluated using Network Simulator-2 (NS2). From the simulation results, it is proved that the detection accuracy and throughput of the proposed CREDIT are substantially high and the proposed CREDIT scheme outperforms the existing work.
PDS- A Profile based Detection Scheme for flooding attack in AODV based MANETijsptm
One of the main challenges in MANET is to design a robust security solution that can protect MANET
from various routing attacks. A flooding attack launched at the network layer is a serious routing attack which
can consume more resources like bandwidth, battery power, etc. It is a more concealed form of Denial of
service attack and resource consumption attack. The route discovery scheme in reactive routing protocols
like Adhoc On Demand Distance Vector (AODV) and Dynamic Source Routing (DSR) used in MANET
makes it easier for malicious nodes to launch connection request floods by flooding the route request
packets (RREQ) on the network. A novel detection technique based on dynamic profile with traffic pattern
analysis (PDS) is proposed. Its effectiveness in detecting and isolating the malicious node that floods the
route request packets is evaluated using the Java simulator JiST/SWANS.
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM ijcseit
Pushback is a mechanism for defending against Distributed Denial-of-Service (DDoS) attacks. DDoS
attacks are treated as a congestion-control problem, but because most such congestion is caused by
malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the
routers. Functionality is added to each router to detect and preferentially drop packets that probably
belong to an attack. Upstream routers are also notified to drop such packets in order that the router's
resources be used to route legitimate traffic, hence the term pushback. Client puzzles have been advocated as a
promising countermeasure to DoS attacks in the recent years. In order to identify the attackers, the victim
server issues a puzzle to the client that sent the traffic. When the client is able to solve the puzzle, it is
assumed to be authentic and the traffic from it is allowed into the server. If the victim suspects that the
puzzles are solved by most of the clients, it increases the complexity of the puzzles. This puzzle solving
technique allows the traversal of the attack traffic throughout the intermediate routers before reaching the
destination. In order to attain the advantages of both pushback and puzzle solving techniques, a hybrid
scheme called Router based Pushback technique, which involves both the techniques to solve the problem
of DDoS attacks is proposed. In this proposal, the puzzle solving mechanism is pushed back to the core
routers rather than having at the victim. The router based client puzzle mechanism checks the host system
whether it is legitimate or not by providing a puzzle to be solved by the suspected host.
A System for Denial of Service Attack Detection Based On Multivariate Corelat...IJCERT
In the computing world, a denial-of-service (DoS) is a process to make a machine or network resource unavailable to its regular users. A DoS attack minimizes the efficiency of the server; in order to increase the efficiency of the server it is necessary to identify the DoS attacks, hence MULTIVARIATE CORRELATION ANALYSIS (MCA) is used. This approach employs triangle area for obtaining the correlation information between the IP addresses. Based on the extracted data the denial-of-service attack is discovered and the response to the particular user is blocked; this maximizes the efficiency. Our proposed system is examined using the KDD Cup 99 data set, and the influence of data on the performance of the proposed system is examined.
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEEMEMTECHSTUDENTPROJECTS
Attacks Prevention and Detection Techniques In MANET: A SurveyIJERA Editor
A wireless sensor network is a set of distributed sensor nodes which are randomly deployed in a geographical area
to capture climatic changes like temperature, humidity and pressure. In wireless networks, MANET is a Mobile
Ad-Hoc Network, which is a self-configurable network. A MANET is a collection of wireless mobile nodes
which dynamically move from one location to another location. Both active as well as passive
attacks are in MANET. It doesn't have a static structure. Security for wireless networks is much more difficult as
compared to wired networks. In the last few years, many security and attack issues have been faced by many researchers in
MANET. Attacks like packet dropping attacks, Black-Hole attacks, Denial of Service attacks, wormhole attacks
and packet modification attacks are found in MANET. At the time of data communication, all the above-mentioned
attacks access data easily without permission. To solve the problem of attacks in MANET and secure data
communication, use an Intrusion Detection System. This paper proposes a survey of different kinds of attacks
on MANET and wireless sensor networks. This paper helps young researchers to implement new hybrid
algorithms for secure intrusion detection in MANET.
DDoS Attack and Defense Scheme in Wireless Ad hoc NetworksIJNSA Journal
The wireless ad hoc networks are highly vulnerable to distributed denial of service (DDoS) attacks because of their unique characteristics such as open network architecture, shared wireless medium and stringent resource constraints. These attacks throttle the TCP throughput heavily and reduce the quality of service (QoS) to end systems gradually rather than refusing the clients from the services completely. In this paper, we discuss the DDoS attacks and propose a defense scheme to improve the performance of the ad hoc networks. Our proposed defense mechanism uses the medium access control (MAC) layer information to detect the attackers. The status values from the MAC layer that can be used for detection are the frequency of receiving RTS/CTS packets, the frequency of sensing a busy channel and the number of RTS/DATA retransmissions. Once the attackers are identified, all the packets from those nodes will be blocked. The network resources are made available to the legitimate users. We perform the simulation with Network Simulator NS2 and we proved that our proposed system improves the network performance.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve them in the flooding attack. During the
DDoS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS attack on the host's computer. Though many
security measures have been taken in order to stop DDoS attacks to protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend against all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attacks using
Splunk. We propose two methods for prevention of DDoS attacks. One is using
randomly generated Captchas and the other one is using a Linux bash script to prevent
DDoS attacks by automatically blocking the IP of the client who is sending multiple
requests at a time.
Limiting Self-Propagating Malware Based on Connection Failure Behavior csandit
Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to
infect servers and then use them to scan the Internet for more vulnerable servers. While the
mechanisms of worm infection and their propagation models are well understood, defense
against worms remains an open problem. One branch of defense research investigates the
behavioral difference between worm-infected hosts and normal hosts to set them apart. One
particular observation is that a worm-infected host, which scans the Internet with randomly
selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit
algorithms have been proposed to control the spread of worms by traffic shaping based on
connection failure rate. However, these rate-limit algorithms can work properly only if it is
possible to measure failure rates of individual hosts efficiently and accurately. This paper points
out a serious problem in the prior method and proposes a new solution based on a highly
efficient double-bitmap data structure, which places only a small memory footprint on the
routers, while providing good measurement of connection failure rates whose accuracy can be
tuned by system parameters.
Optimal remote access trojans detection based on network behaviorIJECEIAES
RAT is one of the most infected malware in the hyper-connected world. Data is being leaked or disclosed every day because new remote access Trojans are emerging and they are used to steal confidential data from target hosts. Network behavior-based detection has been used to provide an effective detection model for Remote Access Trojans. However, there are still shortcomings: to detect as early as possible, some False Negative Rate and accuracy that may vary depending on the ratio of normal and malicious RAT sessions. As a typical network contains a large amount of normal traffic and a small amount of malicious traffic, the detection model was built based on the different ratio of normal and malicious sessions in previous works. At that time the false negative rate is less than 2%, and it varies depending on the different ratio of normal and malicious instances. An unbalanced dataset will bias the prediction model towards the more common class. In this paper, each RAT is run many times in order to capture variant behavior of a Remote Access Trojan in the early stage, and balanced instances of normal applications and Remote Access Trojans are used for the detection model. Our approach achieves 99% accuracy and 0.3% False Negative Rate by Random Forest Algorithm.
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY IN SOFTWARE-DEFINED NETWORK PRACT...IJCNCJournal
Software-Defined Network (SDN) is an innovative network architecture with the goal of providing the
flexibility and simplicity in network operation and management through a centralized controller. These
features help SDN to easily adapt to the expansion of network requirements, but it is also a weakness when
it comes to security. With centralized architecture, SDN is vulnerable to cyber-attacks, especially
Distributed Denial of Service (DDoS) attack. DDoS is a popular attack type which consumes all network
resources and causes congestion in the entire network. In this research, we will introduce a DDoS
detection model based on the statistical method with a dynamic threshold value that changes over time.
Along with the simulation result, we build a practical SDN model to apply our method, the results show
that our method can detect DDoS attacks rapidly with high accuracy.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysisijceronline
Q-learning based distributed denial of service detectionIJECEIAES
Distributed denial of service (DDoS) attacks the target service providers by sending a huge amount of traffic to prevent legitimate users from getting the service. These attacks become more challenging in the software-defined network paradigm, due to the separation of the control plane from the data plane. Centralized software defined networks are more vulnerable to DDoS attacks that may cause the failure of all networks. In this work, a new approach is proposed based on q-learning to enhance the detection of DDoS attacks and reduce false positives and false negatives. The results of this work are compared with entropy detection in terms of the number of received packets to detect the attack and also the continuity of service for legitimate users. Moreover, these results indicate that the proposed system detects the DDoS attack from flash crowds and redirects the traffic to the edge of the data center. A second controller is used to redirect traffic to a honeypot server that works as a mirror server. This guarantees the continuity of service for both normal and suspected traffic until further analysis is done. The results indicate an increase of up to 50% in the throughput compared to other approaches.
Secure Data Aggregation Technique for Wireless Sensor Networks in the Presenc...1crore projects
ย
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
Consensus Routing And Environmental Discrete Trust Based Secure AODV in MANETsIJCNCJournal
ย
The Mobile Adhoc Network (MANET) is a wireless network model for infrastructure-less communication, and it provides numerous applications in different areas. The MANET is vulnerable to a Black-hole attack, and it affects routing functionality by dropping all the incoming packets purposefully. The Black-hole attackers pretend that it always has the best path to the destination node to mislead the source nodes. Trust is the critical factor for detecting and isolating the Black-hole attackers from the network. However, the harsh channel conditions make it difficult to differentiate the Black-hole routing activities and accurate trust measurement. Hence, incorporating the consensus-based trust evidence collection from the neighbouring nodes improves the accuracy of trust. For improving the accuracy of trust, this work suggests Consensus Routing and Environmental DIscrete Trust (CREDIT) Based Secure AODV. The CREDIT incorporates Discrete and Consensus trust information. The Discrete parameters represent the specific characteristics of the Black-hole attacks, such as routing behaviour, hop count deviation, and sequence number deviation. The direct trust accurately differentiates the Black-hole attackers using Discrete parameters, only when the nodes perform sufficient communication between the nodes. To solve such issues, the CREDIT includes the Consensus-based trust information. However, secure routing against the Black-hole attack is challenging due to incomplete preferences. The in-degree centrality and Importance degree measurement on the collected consensus-based trust from decisionmakers solve the incomplete preference issue as well as improves the accuracy of trust. The performance of the proposed scheme is evaluated using Network Simulator-2 (NS2). From the simulation results, it is proved that the detection accuracy and throughput of the proposed CREDIT are substantially high and the proposed CREDIT scheme outperforms the existing work.
PDS- A Profile based Detection Scheme for flooding attack in AODV based MANET ijsptm
One of the main challenges in MANET is to design a robust security solution that can protect MANET
from various routing attacks. A flooding attack launched at the network layer is a serious routing attack which
can consume more resources like bandwidth, battery power, etc. It is a more concealed form of Denial of
service attack and resource consumption attack. The route discovery scheme in reactive routing protocols
like Adhoc On Demand Distance Vector (AODV) and Dynamic Source Routing (DSR) used in MANET
makes it easier for malicious nodes to launch connection request floods by flooding the route request
packets (RREQ) on the network. A novel detection technique based on dynamic profile with traffic pattern
analysis (PDS) is proposed. Its effectiveness in detecting and isolating the malicious node that floods the
route request packets is evaluated using the Java simulator JiST/SWANS.
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM ijcseit
Pushback is a mechanism for defending against Distributed Denial-of-Service (DDoS) attacks. DDoS
attacks are treated as a congestion-control problem, but because most such congestion is caused by
malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the
routers. Functionality is added to each router to detect and preferentially drop packets that probably
belong to an attack. Upstream routers are also notified to drop such packets in order that the router's
resources be used to route legitimate traffic, hence the term pushback. Client puzzles have been advocated as a
promising countermeasure to DoS attacks in the recent years. In order to identify the attackers, the victim
server issues a puzzle to the client that sent the traffic. When the client is able to solve the puzzle, it is
assumed to be authentic and the traffic from it is allowed into the server. If the victim suspects that the
puzzles are solved by most of the clients, it increases the complexity of the puzzles. This puzzle solving
technique allows the traversal of the attack traffic throughout the intermediate routers before reaching the
destination. In order to attain the advantages of both pushback and puzzle solving techniques, a hybrid
scheme called Router based Pushback technique, which involves both the techniques to solve the problem
of DDoS attacks is proposed. In this proposal, the puzzle solving mechanism is pushed back to the core
routers rather than having at the victim. The router based client puzzle mechanism checks the host system
whether it is legitimate or not by providing a puzzle to be solved by the suspected host.
A System for Denial of Service Attack Detection Based On Multivariate Corelat... IJCERT
In the computing world, a denial-of-service (DoS) is a process to make a machine or network resource unavailable to its regular users. A DoS attack minimizes the efficiency of the server; in order to increase the efficiency of the server it is necessary to identify the DoS attacks, hence Multivariate Correlation Analysis (MCA) is used. This approach employs triangle area for obtaining the correlation information between the IP addresses. Based on the extracted data the denial-of-service attack is discovered and the response to the particular user is blocked; this maximizes the efficiency. Our proposed system is examined using the KDD Cup 99 data set, and the influence of data on the performance of the proposed system is examined.
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service... IEEEMEMTECHSTUDENTPROJECTS
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Attacks Prevention and Detection Techniques In MANET: A Survey IJERA Editor
A wireless sensor network is a set of distributed sensor nodes which are randomly deployed in a geographical area
to capture climatic changes like temperature, humidity and pressure. In wireless networks, a MANET is a Mobile
Ad-Hoc Network, which is a self-configurable network. A MANET is a collection of wireless mobile nodes
which dynamically move from one location to another. Both active and passive
attacks occur in MANET. It doesn't have a static structure. Security for wireless networks is much more difficult
compared to wired networks. In the last few years many security and attack issues have been faced by many researchers in
MANET. Attacks like the packet dropping attack, Black-Hole attack, Denial of Service attack, wormhole attacks
and packet modification attacks are found in MANET. At the time of data communication all the above mentioned
attacks access data easily without permission. To solve the problem of attacks in MANET and secure data
communication, an Intrusion Detection System is used. This paper proposes a survey of different kinds of attacks
on MANET and wireless sensor networks. This paper helps young researchers to implement a new hybrid
algorithm for secure intrusion detection in MANET.
DDoS Attack and Defense Scheme in Wireless Ad hoc Networks IJNSA Journal
The wireless ad hoc networks are highly vulnerable to distributed denial of service (DDoS) attacks because of their unique characteristics such as open network architecture, shared wireless medium and stringent resource constraints. These attacks throttle the TCP throughput heavily and reduce the quality of service (QoS) to end systems gradually rather than refusing the clients from the services completely. In this paper, we discussed the DDoS attacks and proposed a defense scheme to improve the performance of the ad hoc networks. Our proposed defense mechanism uses the medium access control (MAC) layer information to detect the attackers. The status values from the MAC layer that can be used for detection are the frequency of receiving RTS/CTS packets, the frequency of sensing a busy channel and the number of RTS/DATA retransmissions. Once the attackers are identified, all the packets from those nodes will be blocked. The network resources are made available to the legitimate users. We perform the simulation with Network Simulator NS2 and we proved that our proposed system improves the network performance.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve them in the flooding attack. During the
DDoS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS attack on the host's computer. Though many
security measures have been taken in order to stop DDoS attacks and protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend against all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attacks using
Splunk. We propose two methods for prevention of DDoS attacks. One is using
randomly generated Captchas and the other one is using a Linux bash script to prevent
DDoS attacks by automatically blocking the IP of the client who is sending multiple
requests at a time.
Limiting Self-Propagating Malware Based on Connection Failure Behavior csandit
Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to
infect servers and then use them to scan the Internet for more vulnerable servers. While the
mechanisms of worm infection and their propagation models are well understood, defense
against worms remains an open problem. One branch of defense research investigates the
behavioral difference between worm-infected hosts and normal hosts to set them apart. One
particular observation is that a worm-infected host, which scans the Internet with randomly
selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit
algorithms have been proposed to control the spread of worms by traffic shaping based on
connection failure rate. However, these rate-limit algorithms can work properly only if it is
possible to measure failure rates of individual hosts efficiently and accurately. This paper points
out a serious problem in the prior method and proposes a new solution based on a highly
efficient double-bitmap data structure, which places only a small memory footprint on the
routers, while providing good measurement of connection failure rates whose accuracy can be
tuned by system parameters.
Optimal remote access trojans detection based on network behavior IJECEIAES
RAT is one of the most infected malware in the hyper-connected world. Data is being leaked or disclosed every day because new remote access Trojans are emerging and they are used to steal confidential data from target hosts. Network behavior-based detection has been used to provide an effective detection model for Remote Access Trojans. However, there are still shortcomings: to detect as early as possible, some False Negative Rate and accuracy that may vary depending on the ratio of normal and malicious RAT sessions. As a typical network contains a large amount of normal traffic and a small amount of malicious traffic, the detection model was built based on the different ratio of normal and malicious sessions in previous works. At that time the false negative rate is less than 2%, and it varies depending on the different ratio of normal and malicious instances. An unbalanced dataset will bias the prediction model towards the more common class. In this paper, each RAT is run many times in order to capture variant behavior of a Remote Access Trojan in the early stage, and balanced instances of normal applications and Remote Access Trojans are used for the detection model. Our approach achieves 99% accuracy and 0.3% False Negative Rate by Random Forest Algorithm.
DDOS ATTACKS DETECTION USING DYNAMIC ENTROPY IN SOFTWARE-DEFINED NETWORK PRACT... IJCNCJournal
Software-Defined Network (SDN) is an innovative network architecture with the goal of providing the
flexibility and simplicity in network operation and management through a centralized controller. These
features help SDN to easily adapt to the expansion of network requirements, but it is also a weakness when
it comes to security. With centralized architecture, SDN is vulnerable to cyber-attacks, especially
Distributed Denial of Service (DDoS) attack. DDoS is a popular attack type which consumes all network
resources and causes congestion in the entire network. In this research, we will introduce a DDoS
detection model based on the statistical method with a dynamic threshold value that changes over time.
Along with the simulation result, we build a practical SDN model to apply our method, the results show
that our method can detect DDoS attacks rapidly with high accuracy.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysis ijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
Q-learning based distributed denial of service detection IJECEIAES
Distributed denial of service (DDoS) attacks the target service providers by sending a huge amount of traffic to prevent legitimate users from getting the service. These attacks become more challenging in the software-defined network paradigm, due to the separation of the control plane from the data plane. Centralized software defined networks are more vulnerable to DDoS attacks that may cause the failure of all networks. In this work, a new approach is proposed based on q-learning to enhance the detection of DDoS attacks and reduce false positives and false negatives. The results of this work are compared with entropy detection in terms of the number of received packets to detect the attack and also the continuity of service for legitimate users. Moreover, these results indicate that the proposed system detects the DDoS attack from flash crowds and redirects the traffic to the edge of the data center. A second controller is used to redirect traffic to a honeypot server that works as a mirror server. This guarantees the continuity of service for both normal and suspected traffic until further analysis is done. The results indicate an increase of up to 50% in the throughput compared to other approaches.
USING A DEEP UNDERSTANDING OF NETWORK ACTIVITIES FOR SECURITY EVENT MANAGEMENT IJNSA Journal
With the growing deployment of host-based and network-based intrusion detection systems in increasingly
large and complex communication networks, managing low-level alerts from these systems becomes
critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or
intrusion prevention systems (IPSs) are collected throughout a monitored network such that large series of
alerts (alert streams) need to be fused. An alert indicates an abnormal behavior, which could potentially be
a sign for an ongoing cyber attack. Unfortunately, in a real data communication network, administrators
cannot manage the large number of alerts occurring per second, in particular since most alerts are false
positives. Hence, an emerging track of security research has focused on alert correlation to better identify
true positive and false positive. To achieve this goal we introduce Mission Oriented Network Analysis
(MONA). This method builds on data correlation to derive network dependencies and manage security
events by linking incoming alerts to network dependencies.
FLOODING ATTACKS DETECTION OF MOBILE AGENTS IN IP NETWORKS csandit
This paper deals with detection of flooding attacks which are the most common type of Denial of Service (DoS) attacks in a Mobile Agent World. We propose a new framework for the detection of flooding attacks by integrating Divergence measures over Sketch data structure. The performance of the proposed framework is investigated in terms of detection probability and false alarm ratio. We focus on tuning the parameter of Divergence Measures to optimize the performance. We conduct performance analysis over publicly available real IP traces, in Mobile Agent Network, integrated with flooding attacks. Our analysis results prove that our proposed algorithm outperforms the existing solutions.
Design and Implementation of Artificial Immune System for Detecting Flooding ... Kent State University
Academic Paper: N. B. I. Al-Dabagh and I. A. Ali, "Design and implementation of artificial immune system for detecting flooding attacks," in High Performance Computing and Simulation (HPCS), 2011 International Conference on, 2011, pp. 381-390.
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE IJNSA Journal
When a service system is under DDoS attack, it is important to detect the anomaly signature at the starting time of the attack for timely applying prevention solutions. However, early DDoS detection is a difficult task because the velocity of DDoS attacks is very high. This paper proposes a DDoS attack detection method by modeling the service system as an M/G/R PS queue and calculating monitoring parameters based on the model in order to detect symptoms of DDoS attacks early. The proposed method is validated by an experimental system and it gives good results.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
An intelligent system to detect slow denial of service attacks in software-de... IJECEIAES
Slow denial of service attack (DoS) is a tricky issue in software-defined network (SDN) as it uses less bandwidth to attack a server. In this paper, a slow-rate DoS attack called Slowloris is detected and mitigated on Apache2 and Nginx servers using a methodology called an intelligent system for slow DoS detection using machine learning (ISSDM) in SDN. Data generation module of ISSDM generates dataset with response time, the number of connections, timeout, and pattern match as features. Data are generated in a real environment using Apache2, Nginx server, Zodiac FX OpenFlow switch and Ryu controller. Monte Carlo simulation is used to estimate threshold values for attack classification. Further, ISSDM performs header inspection using regular expressions to mark flows as legitimate or attacked during data generation. The proposed feature selection module of ISSDM, called blended statistical and information gain (BSIG), selects those features that contribute best to classification. These features are used for classification by various machine learning and deep learning models. Results are compared with feature selection methods like Chi-square, T-test, and information gain.
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. A distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The proposed system suggests a mechanism based on entropy variations between normal and DDoS attack traffic. Entropy is an information theoretic concept, which is a measure of randomness. The proposed method employs entropy variation to measure changes of randomness of flows. The implementation of the proposed method brings no modifications on current routing software.
Secure intrusion detection and countermeasure selection in virtual system usi... eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Vehicle Ad Hoc Networks (VANETs) have become a viable technology to improve traffic flow and safety on the roads. Due to its effectiveness and scalability, the Wingsuit Search-based Optimised Link State Routing Protocol (WS-OLSR) is frequently used for data distribution in VANETs. However, the selection of MultiPoint Relays (MPRs) plays a pivotal role in WS-OLSR's performance. This paper presents an improved MPR selection algorithm tailored to WS-OLSR, designed to enhance the overall routing efficiency and reduce overhead. The analysis found that the current OLSR protocol has problems such as redundancy of HELLO and TC message packets or failure to update routing information in time, so a WS-OLSR routing protocol based on improved-MPR selection algorithm was proposed. Firstly, factors such as node mobility and link changes are comprehensively considered to reflect network topology changes, and the broadcast cycle of node HELLO messages is controlled through topology changes. Secondly, a new MPR selection algorithm is proposed, considering link stability issues and nodes. Finally, evaluate its effectiveness in terms of packet delivery ratio, end-to-end delay, and control message overhead. Simulation results demonstrate the superior performance of our improved MR selection algorithm when compared to traditional approaches.
A Novel Medium Access Control Strategy for Heterogeneous Traffic in Wireless ... IJCNCJournal
So far, Wireless Body Area Networks (WBANs) have played a pivotal role in driving the development of intelligent healthcare systems with broad applicability across various domains. Each WBAN consists of one or more types of sensors that can be embedded in clothing, attached directly to the body, or even implanted beneath an individual's skin. These sensors typically serve a single application. However, the traffic generated by each sensor may have distinct requirements. This diversity necessitates a dual approach: tailored treatment based on the specific needs of each traffic type and the fulfillment of application requirements, such as reliability and timeliness. Nevertheless, the presence of energy constraints and the unreliable nature of wireless communications make QoS provisioning under such networks a non-trivial task. In this context, the current paper introduces a novel Medium Access Control (MAC) strategy for the regular traffic applications of WBANs, designed to significantly enhance efficiency when compared to the established MAC protocols IEEE 802.15.4 and IEEE 802.15.6, with a particular focus on improving reliability, timeliness, and energy efficiency.
May_2024 Top 10 Read Articles in Computer Networks & Communications.pdf IJCNCJournal
The International Journal of Computer Networks & Communications (IJCNC) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
A Topology Control Algorithm Taking into Account Energy and Quality of Transm... IJCNCJournal
The efficient use of energy in wireless sensor networks is critical for extending node lifetime. The network topology is one of the factors that have a significant impact on the energy usage at the nodes and the quality of transmission (QoT) in the network. We propose a topology control algorithm for software-defined wireless sensor networks (SDWSNs) in this paper. Our method is to formulate topology control algorithm as a nonlinear programming (NP) problem with the objective to optimizing two metrics, maximum communication range, and desired degree. This NP problem is solved at the SDWSN controller by employing the genetic algorithm (GA) to determine the best topology. The simulation results show that the proposed algorithm outperforms the MaxPower algorithm in terms of average node degree and energy expansion ratio.
Multi-Server user Authentication Scheme for Privacy Preservation with Fuzzy C... IJCNCJournal
The integration of artificial intelligence technology with a scalable Internet of Things (IoT) platform facilitates diverse smart communication services, allowing remote users to access services from anywhere at any time. The multi-server environment within IoT introduces a flexible security service model, enabling users to interact with any server through a single registration. To ensure secure and privacy preservation services for resources, an authentication scheme is essential. Zhao et al. recently introduced a user authentication scheme for the multi-server environment, utilizing passwords and smart cards, claiming resilience against well-known attacks. This paper conducts cryptanalysis on Zhao et al.'s scheme, focusing on denial of service and privacy attacks, revealing a lack of user-friendliness. Subsequently, we propose a new multi-server user authentication scheme for privacy preservation with fuzzy commitment over the IoT environment, addressing the shortcomings of Zhao et al.'s scheme. Formal security verification of the proposed scheme is conducted using the ProVerif simulation tool. Through both formal and informal security analyses, we demonstrate that the proposed scheme is resilient against various known attacks and those identified in Zhao et al.'s scheme.
Advanced Privacy Scheme to Improve Road Safety in Smart Transportation Systems IJCNCJournal
In a Vehicle Ad-Hoc Network (VANET), vehicles continuously transmit and receive spatiotemporal data with neighboring vehicles, thereby establishing a comprehensive 360-degree traffic awareness system. Vehicular Network safety applications facilitate the transmission of messages between vehicles that are near each other, at regular intervals, enhancing drivers' contextual understanding of the driving environment and significantly improving traffic safety. Privacy schemes in VANETs are vital to safeguard vehicles' identities and their associated owners or drivers. Privacy schemes prevent unauthorized parties from linking the vehicle's communications to a specific real-world identity by employing techniques such as pseudonyms, randomization, or cryptographic protocols. Nevertheless, these communications frequently contain important vehicle information that malevolent groups could use to monitor the vehicle over a long period. The acquisition of this shared data has the potential to facilitate the reconstruction of vehicle trajectories, thereby posing a potential risk to the privacy of the driver. Addressing the critical challenge of developing effective and scalable privacy-preserving protocols for communication in vehicle networks is of the highest priority. These protocols aim to reduce the transmission of confidential data while ensuring the required level of communication. This paper aims to propose an Advanced Privacy Vehicle Scheme (APV) that periodically changes pseudonyms to protect vehicle identities and improve privacy. The APV scheme utilizes a concept called the silent period, which involves changing the pseudonym of a vehicle periodically based on the tracking of neighboring vehicles. The pseudonym is a temporary identifier that vehicles use to communicate with each other in a VANET. By changing the pseudonym regularly, the APV scheme makes it difficult for unauthorized entities to link a vehicle's communications to its real-world identity.
The proposed APV is compared to the SLOW, RSP, CAPS, and CPN techniques. The data indicates that the efficiency of APV is a better improvement in privacy metrics. It is evident that the APV offers enhanced safety for vehicles during transportation in the smart city.
April 2024 - Top 10 Read Articles in Computer Networks & Communications IJCNCJournal
The International Journal of Computer Networks & Communications (IJCNC) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
DEF: Deep Ensemble Neural Network Classifier for Android Malware Detection IJCNCJournal
Malware is one of the threats to the security of computer networks and information systems. Since malware instances are sufficiently available, there is increased interest among researchers in the usage of Artificial Intelligence (AI). Of late, AI-enabled methods such as machine learning (ML) and deep learning have paved the way for solving many real-world problems. As it is a learning-based approach, accumulated training samples help in improving the quality of training and thus leveraging malware detection accuracy. Existing deep learning methods are focusing on learning-based malware detection systems. However, there is a need for improving the state of the art through an ensemble approach. Towards this end, in this paper we proposed a framework known as Deep Ensemble Framework (DEF) for automatic malware detection. The framework obtains features from training samples. From a given malware instance a grayscale image is generated. There is another process to extract the opcode sequences. Convolutional Neural Network (CNN) and Long Short Term Memory (LSTM) techniques are used to obtain the grayscale image and opcode sequence respectively. Afterwards, a stacking ensemble is employed in order to achieve efficient malware detection and classification. Malware samples collected from the Internet sources and Microsoft are used for the empirical study. An algorithm known as Ensemble Learning for Automatic Malware Detection (EL-AML) is proposed to realize our framework. Another algorithm named Pre-Process is proposed to assist the EL-AML algorithm for obtaining intermediate features required by CNN and LSTM. The empirical study reveals that our framework outperforms many existing methods in terms of speed-up and accuracy.
High Performance NMF Based Intrusion Detection System for Big Data IOT TrafficIJCNCJournal
ย
With the emergence of smart devices and the Internet of Things (IoT), millions of users connected to the network produce massive network traffic datasets. These vast datasets of network traffic, Big Data are challenging to store, deal with and analyse using a single computer. In this paper we developed parallel implementation using a High Performance Computer (HPC) for the Non-Negative Matrix Factorization technique as an engine for an Intrusion Detection System (HPC-NMF-IDS). The large IoT traffic datasets of order of millions samples are distributed evenly on all the computing cores for both storage and speedup purpose. The distribution of computing tasks involved in the Matrix Factorization takes into account the reduction of the communication cost between the computing cores. The experiments we conducted on the proposed HPC-IDS-NMF give better results than the traditional ML-based intrusion detection systems. We could train the HPC model with datasets of one million samples in only 31 seconds instead of the 40 minutes using one processor), that is a speed up of 87 times. Moreover, we have got an excellent detection accuracy rate of 98% for KDD dataset.
A Novel Medium Access Control Strategy for Heterogeneous Traffic in Wireless ...IJCNCJournal
ย
So far, Wireless Body Area Networks (WBANs) have played a pivotal role in driving the development of intelligent healthcare systems with broad applicability across various domains. Each WBAN consists of one or more types of sensors that can be embedded in clothing, attached directly to the body, or even implanted beneath an individual's skin. These sensors typically serve asingle application. However, the traffic generated by each sensor may have distinct requirements. This diversity necessitates a dual approach: tailored treatment based on the specific needs of each traffic typeand the fulfillment of application requirements, such asreliability and timeliness. Never the less, the presence of energy constraints and the unreliable nature of wireless communications make QoS provisioning under such networks a non-trivial task. In this context, the current paper introduces a novel Medium AccessControl (MAC) strategy for the regular traffic applications of WBANs, designed to significantly enhance efficiency when compared to the established MAC protocols IEEE 802.15.4 and IEEE 802.15.6, with a particular focus on improving reliability, timeliness, and energy efficiency.
A Topology Control Algorithm Taking into Account Energy and Quality of Transm...IJCNCJournal
ย
The efficient use of energy in wireless sensor networks is critical for extending node lifetime. The network topology is one of the factors that have a significant impact on the energy usage at the nodes and the quality of transmission (QoT) in the network. We propose a topology control algorithm for software-defined wireless sensor networks (SDWSNs) in this paper. Our method is to formulate topology control algorithm as a nonlinear programming (NP) problem with the objective to optimizing two metrics, maximum communication range, and desired degree. This NP problem is solved at the SDWSN controller by employing the genetic algorithm (GA) to determine the best topology. The simulation results show that the proposed algorithm outperforms the MaxPower algorithm in terms of average node degree and energy expansion ratio.
Multi-Server user Authentication Scheme for Privacy Preservation with Fuzzy C...IJCNCJournal
ย
The integration of artificial intelligence technology with a scalable Internet of Things (IoT) platform facilitates diverse smart communication services, allowing remote users to access services from anywhere at any time. The multi-server environment within IoT introduces a flexible security service model, enabling users to interact with any server through a single registration. To ensure secure and privacy preservation services for resources, an authentication scheme is essential. Zhao et al. recently introduced a user authentication scheme for the multi-server environment, utilizing passwords and smart cards, claiming resilience against well-known attacks. This paper conducts cryptanalysis on Zhao et al.'s scheme, focusing on denial of service and privacy attacks, revealing a lack of user-friendliness. Subsequently, we propose a new multi-server user authentication scheme for privacy preservation with fuzzy commitment over the IoT environment, addressing the shortcomings of Zhao et al.'s scheme. Formal security verification of the proposed scheme is conducted using the ProVerif simulation tool. Through both formal and informal security analyses, we demonstrate that the proposed scheme is resilient against various known attacks and those identified in Zhao et al.'s scheme.
Advanced Privacy Scheme to Improve Road Safety in Smart Transportation SystemsIJCNCJournal
ย
In -Vehicle Ad-Hoc Network (VANET), vehicles continuously transmit and receive spatiotemporal data with neighboring vehicles, thereby establishing a comprehensive 360-degree traffic awareness system. Vehicular Network safety applications facilitate the transmission of messages between vehicles that are near each other, at regular intervals, enhancing drivers' contextual understanding of the driving environment and significantly improving traffic safety. Privacy schemes in VANETs are vital to safeguard vehiclesโ identities and their associated owners or drivers. Privacy schemes prevent unauthorized parties from linking the vehicle's communications to a specific real-world identity by employing techniques such as pseudonyms, randomization, or cryptographic protocols. Nevertheless, these communications frequently contain important vehicle information that malevolent groups could use to Monitor the vehicle over a long period. The acquisition of this shared data has the potential to facilitate the reconstruction of vehicle trajectories, thereby posing a potential risk to the privacy of the driver. Addressing the critical challenge of developing effective and scalable privacy-preserving protocols for communication in vehicle networks is of the highest priority. These protocols aim to reduce the transmission of confidential data while ensuring the required level of communication. This paper aims to propose an Advanced Privacy Vehicle Scheme (APV) that periodically changes pseudonyms to protect vehicle identities and improve privacy. The APV scheme utilizes a concept called the silent period, which involves changing the pseudonym of a vehicle periodically based on the tracking of neighboring vehicles. The pseudonym is a temporary identifier that vehicles use to communicate with each other in a VANET. By changing the pseudonym regularly, the APV scheme makes it difficult for unauthorized entities to link a vehicle's communications to its real-world identity. 
The proposed APV is compared to the SLOW, RSP, CAPS, and CPN techniques. The data indicates that the efficiency of APV is a better improvement in privacy metrics. It is evident that the AVP offers enhanced safety for vehicles during transportation in the smart city.
DEF: Deep Ensemble Neural Network Classifier for Android Malware DetectionIJCNCJournal
ย
Malware is one of the threats to security of computer networks and information systems. Since malware instances are available sufficiently, there is increased interest among researchers on usage of Artificial Intelligence (AI). Of late AI-enabled methods such as machine learning (ML) and deep learning paved way for solving many real-world problems. As it is a learning-based approach, accumulated training samples help in improving thequality of training and thus leveraging malware detection accuracy. Existing deep learning methods are focusing on learning-based malware detection systems. However, there is need for improving the state of the art through ensemble approach. Towards this end, in this paper we proposed a framework known as Deep Ensemble Framework (DEF) for automatic malware detection. The framework obtains features from training samples. From given malware instance a grayscale image is generated. There is another process to extract the opcode sequences. Convolutional Neural Network (CNN) and Long Short Term Memory (LSTM) techniques are used to obtain grayscale image and opcode sequence respectively. Afterwards, a stacking ensemble is employed in order to achieve efficient malware detection and classification. Malware samples collected fromthe Internet sources and Microsoft are used for theempirical study. An algorithm known as Ensemble Learning for Automatic Malware Detection (EL-AML) is proposed to realize our framework. Another algorithm named Pre-Process is proposed to assist the EL-AML algorithm for obtaining intermediate features required by CNN and LSTM.Empirical study reveals that our framework outperforms many existing methods in terms of speed-up and accuracy.
High Performance NMF based Intrusion Detection System for Big Data IoT TrafficIJCNCJournal
ย
With the emergence of smart devices and the Internet of Things (IoT), millions of users connected to the network produce massive network traffic datasets. These vast datasets of network traffic, Big Data are challenging to store, deal with and analyse using a single computer. In this paper we developed parallel implementation using a High Performance Computer (HPC) for the Non-Negative Matrix Factorization technique as an engine for an Intrusion Detection System (HPC-NMF-IDS). The large IoT traffic datasets of order of millions samples are distributed evenly on all the computing cores for both storage and speedup purpose. The distribution of computing tasks involved in the Matrix Factorization takes into account the reduction of the communication cost between the computing cores. The experiments we conducted on the proposed HPC-IDS-NMF give better results than the traditional ML-based intrusion detection systems. We could train the HPC model with datasets of one million samples in only 31 seconds instead of the 40 minutes using one processor), that is a speed up of 87 times. Moreover, we have got an excellent detection accuracy rate of 98% for KDD dataset.
IoT Guardian: A Novel Feature Discovery and Cooperative Game Theory Empowered...IJCNCJournal
ย
Cyber intrusion attacks increasingly target the Internet of Things (IoT) ecosystem, exploiting vulnerable devices and networks. Malicious activities must be identified early to minimize damage and mitigate threats. Using actual benign and attack traffic from the CICIoT2023 dataset, this WORK aims to evaluate and benchmark machine-learning techniques for IoT intrusion detection. There are four main phases to the system. First, the CICIoT2023 dataset is refined to remove irrelevant features and clean up missing and duplicate data. The second phase employs statistical models and artificial intelligence to discover novel features. The most significant features are then selected in the third phase based on cooperative game theory. Using the original CICIoT2023 dataset and a dataset containing only novel features, we train and evaluate a variety of machine learning classifiers. On the original dataset, Random Forest achieved the highest accuracy of 99%. Still, with novel features, Random Forest's performance dropped only slightly (96%) while other models achieved significantly lower accuracy. As a whole, the work contributes substantial contributions to tailored feature engineering, feature selection, and rigorous benchmarking of IoT intrusion detection techniques. IoT networks and devices face continuously evolving threats, making it necessary to develop robust intrusion detection systems.
Enhancing Traffic Routing Inside a Network through IoT Technology & Network C...IJCNCJournal
ย
IoT networking uses real items as stationary or mobile nodes. Mobile nodes complicate networking. Internet of Things (IoT) networks have a lot of control overhead messages because devices are mobile. These signals are generated by the constant flow of control data as such device identity, geographical positioning, node mobility, device configuration, and others. Network clustering is a popular overhead communication management method. Many cluster-based routing methods have been developed to address system restrictions. Node clustering based on the Internet of Things (IoT) protocol, may be used to cluster all network nodes according to predefined criteria. Each cluster will have a Smart Designated Node. SDN cluster management is efficient. Many intelligent nodes remain in the network. The network design spreads these signals. This paper presents an intelligent and responsive routing approach for clustered nodes in IoT networks. An existing method builds a new sub-area clustered topology. The Nodes Clustering Based on the Internet of Things (NCIoT) method improves message transmission between any two nodes. This will facilitate the secure and reliable interchange of healthcare data between professionals and patients. NCIoT is a system that organizes nodes in the Internet of Things (IoT) by grouping them together based on their proximity. It also picks SDN routes for these nodes. This approach involves selecting one option from a range of choices and preparing for likely outcomes problem addressing limitations on activities is a primary focus during the review process. Predictive inquiry employs the process of analyzing data to forecast and anticipate future events. This document provides an explanation of compact units. The Predictive Inquiry Small Packets (PISP) improved its backup system and partnered with SDN to establish a routing information table for each intelligent node, resulting in higher routing performance. 
Both principal and secondary roads are available for use. The simulation findings indicate that NCIoT algorithms outperform CBR protocols. Enhancements lead to a substantial 78% boost in network performance. In addition, the end-to-end latency dropped by 12.5%. The PISP methodology produces 5.9% more inquiry packets compared to alternative approaches. The algorithms are constructed and evaluated against academic ones.
IoT Guardian: A Novel Feature Discovery and Cooperative Game Theory Empowered...IJCNCJournal
ย
Cyber intrusion attacks increasingly target the Internet of Things (IoT) ecosystem, exploiting vulnerable devices and networks. Malicious activities must be identified early to minimize damage and mitigate threats. Using actual benign and attack traffic from the CICIoT2023 dataset, this WORK aims to evaluate and benchmark machine-learning techniques for IoT intrusion detection. There are four main phases to the system. First, the CICIoT2023 dataset is refined to remove irrelevant features and clean up missing and duplicate data. The second phase employs statistical models and artificial intelligence to discover novel features. The most significant features are then selected in the third phase based on cooperative game theory. Using the original CICIoT2023 dataset and a dataset containing only novel features, we train and evaluate a variety of machine learning classifiers. On the original dataset, Random Forest achieved the highest accuracy of 99%. Still, with novel features, Random Forest's performance dropped only slightly (96%) while other models achieved significantly lower accuracy. As a whole, the work contributes substantial contributions to tailored feature engineering, feature selection, and rigorous benchmarking of IoT intrusion detection techniques. IoT networks and devices face continuously evolving threats, making it necessary to develop robust intrusion detection systems.
** Connect, Collaborate, And Innovate: IJCNC - Where Networking Futures Take ...IJCNCJournal
ย
The International Journal of Computer Networks & Communications (IJCNC) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of Computer Networks & Communications. The journal focuses on all technical and practical aspects of Computer Networks & data Communications. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on advanced networking concepts and establishing new collaborations in these areas.
Enhancing Traffic Routing Inside a Network through IoT Technology & Network C...IJCNCJournal
ย
IoT networking uses real items as stationary or mobile nodes. Mobile nodes complicate networking. Internet of Things (IoT) networks have a lot of control overhead messages because devices are mobile. These signals are generated by the constant flow of control data as such device identity, geographical positioning, node mobility, device configuration, and others. Network clustering is a popular overhead communication management method. Many cluster-based routing methods have been developed to address system restrictions. Node clustering based on the Internet of Things (IoT) protocol, may be used to cluster all network nodes according to predefined criteria. Each cluster will have a Smart Designated Node. SDN cluster management is efficient. Many intelligent nodes remain in the network. The network design spreads these signals. This paper presents an intelligent and responsive routing approach for clustered nodes in IoT networks. An existing method builds a new sub-area clustered topology. The Nodes Clustering Based on the Internet of Things (NCIoT) method improves message transmission between any two nodes. This will facilitate the secure and reliable interchange of healthcare data between professionals and patients. NCIoT is a system that organizes nodes in the Internet of Things (IoT) by grouping them together based on their proximity. It also picks SDN routes for these nodes. This approach involves selecting one option from a range of choices and preparing for likely outcomes problem addressing limitations on activities is a primary focus during the review process. Predictive inquiry employs the process of analyzing data to forecast and anticipate future events. This document provides an explanation of compact units. The Predictive Inquiry Small Packets (PISP) improved its backup system and partnered with SDN to establish a routing information table for each intelligent node, resulting in higher routing performance. 
Both principal and secondary roads are available for use. The simulation findings indicate that NCIoT algorithms outperform CBR protocols. Enhancements lead to a substantial 78% boost in network performance. In addition, the end-to-end latency dropped by 12.5%. The PISP methodology produces 5.9% more inquiry packets compared to alternative approaches. The algorithms are constructed and evaluated against academic ones.
FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESHOLD ALGORITHM
International Journal of Computer Networks & Communications (IJCNC) Vol.12, No.3, May 2020
DOI: 10.5121/ijcnc.2020.12305
Nan Haymarn Oo¹, Aris Cahyadi Risdianto², Teck Chaw Ling³ and Aung Htein Maw⁴
¹University of Computer Studies, Yangon, Myanmar
²Gwangju Institute of Science and Technology, Korea
³University of Malaya, Malaysia
⁴University of Information Technology, Myanmar
ABSTRACT
A flooding attack is a network attack that sends a large amount of traffic to the victim networks or services
to cause denial-of-service. In a Software-Defined Networking (SDN) environment, this attack might not only
breach the hosts and services but also the SDN controller. It can also cause a disconnection of
links between the controller and the switches. Thus, an effective detection and mitigation technique for
flooding attacks is required. Statistical analysis techniques are widely used for the detection and mitigation
of flooding attacks. However, the effectiveness of these techniques strongly depends on the defined
threshold. Defining a static threshold is a tedious job and most of the time produces a high number of false
positive alarms. In this paper, we propose a dynamic threshold which is calculated using the modified adaptive
threshold algorithm (MATA). The original ATA is based on the Exponential Weighted Moving Average
(EWMA) formula, which produces a high number of false alarms. To reduce the false alarms, the alarm
signal is only generated after a minimum number of consecutive violations of the threshold. This,
however, increases the false negative rate when the network is under attack. In order to reduce this
false negative rate, MATA takes into account the baseline traffic information of the network infrastructure.
The comparative analysis of MATA and ATA is performed by measuring the false negative rate and the
detection accuracy. Our experimental results show that MATA is able to reduce false negative rates by up to
17.74% and increase the detection accuracy by 16.11% over the various types of flooding attacks at the
transport layer.
KEYWORDS
Adaptive Threshold, Flooding attack, Software-Defined Networking
1. INTRODUCTION
A flooding attack sends an extremely large amount of network traffic to overwhelm the targeted
network, or a particular victim server, preventing normal connection requests from
benign users. It is thus a common type of Distributed Denial of Service (DDoS) attack. The
impact of a flooding attack can bring down the target victim within a very short time. The
target can be a network or servers running either traditional networking or the more advanced technique,
software-defined networking (SDN) [1,2].
The main feature of SDN is decoupling the network control plane from the data forwarding plane
and centrally controlling the network by using the controller [3]. This centralized control
feature can be an advantage for monitoring, detecting, and mitigating attacks. On the
other hand, it can also be the weak point of the network. Attackers may launch a flooding
attack targeting the controller, aiming to crash the entire network through a single point of failure
[4]. Furthermore, the data forwarding switches, the links between the controller and the switches,
and the SDN hosts running a particular service can also be the targets.
There are two different types of flooding attacks: protocol exploited attacks, and amplification or
reflection attacks. The common protocol exploited attacks are SYN flooding, UDP flooding, and
ICMP flooding. DNS amplification and NTP amplification attacks belong to the
group of amplification or reflection attacks [5]. This research focuses on the detection and
mitigation of SYN flooding and UDP flooding, which exploit the TCP and UDP protocols,
respectively.
In the SYN flooding attack, the attackers exploit TCP's three-way handshake mechanism
in the connection establishment process and send a large number of SYN packets continuously. As a
result, the server's memory is filled with connection requests and the server eventually rejects normal
connection requests from legitimate users [6-8]. In the UDP flooding attack, the
attackers send a large stream of UDP packets with specific or random port numbers to the
target server using a spoofed source IP address. The victim server responds with ICMP packets for
the ports on which no service is listening. As a result, the attack consumes all the network bandwidth and
overloads the server, disturbing normal operations [9].
The detection and mitigation of SDN-based DDoS attacks have been proposed using
various mechanisms such as statistical analysis (change point detection, and entropy), machine
learning, traffic pattern analysis, connection rate analysis, and integration of traffic monitoring
tools and OpenFlow [5]. Although each technique has its pros and cons, the most widely used
technique among them is statistical analysis. The technique compares the
amount of incoming traffic with the threshold and classifies the traffic as attack traffic when the threshold
is violated by the incoming traffic.
The value of the threshold can be defined statically or dynamically. However, the weakness of
the static threshold is that it raises a high number of false alarms and results in tedious work for the
network administrators. Thus, the dynamic threshold is commonly used in statistical analysis
techniques. The dynamic threshold for the flooding attack can be simply calculated by using the
Adaptive Threshold Algorithm (ATA) [10]. This algorithm produces a high detection rate but it
also raises a high number of false alarms. In order to reduce the false alarms, the alarm signal
will only be generated after a minimum number of consecutive violations of the threshold.
However, this will increase the false negative rate when the network is under attack. Thus, this
algorithm is modified by taking into account the baseline of the network traffic. The main
objective of the Modified Adaptive Threshold Algorithm (MATA) is to produce the dynamic
threshold value that is adaptable over the incoming traffic based on the baseline.
The rest of the paper is organized as follows. Section 2 describes the related works. Section 3
presents the algorithms for calculating the dynamic threshold. Section 4 describes the processes
of the detection and mitigation of flooding attacks. Section 5 presents the experimental testbed.
Section 6 describes the detailed implementation of the experiment. Section 7 demonstrates the
evaluation results of this system. The final section 8 concludes this paper.
2. RELATED WORK
As various types of DDoS attack have targeted well-known organizations' networks based on
either the traditional techniques or the advanced network technologies such as SDN, many
different mechanisms for attack detection and mitigation have been implemented. The
authors of [11-13] detected DDoS attacks with entropy. Although entropy has been
successfully used in measuring the randomness of the network traffic within a given period of
time, it can't consider many different values when calculating the probability of a feature.
Moreover, the various types of machine learning techniques including Support Vector Machine
(SVM), self-organizing map (SOM), artificial neural networks and fuzzy logic principles and
concepts are used in [1][14-19]. These techniques can be effectively used to detect the malicious
activities based on the abnormal behavior of the network. However, the performance of these
techniques relies on the training dataset.
Change point detection techniques can be effectively used for the detection of the flooding
attacks. These techniques are based on the Exponential Weighted Moving Average (EWMA)
formula. The commonly used techniques are the Adaptive Threshold Algorithm (ATA) and the
Cumulative Sum (CUSUM) algorithm. Conti et al. [20] detected the DDoS attack with the
dynamic threshold calculated by using the non-parameter CUSUM with the adaptive threshold
algorithm. Moreover, they also proposed the detection of network reconnaissance attacks by the
EWMA control chart in [21]. However, their proposed systems have a little overhead for the
collection and manipulation of traffic statistics in the SDN controller. Modified EWMA formula
has been used to detect and mitigate the application-specific DDoS attacks in [5].
ATA and CUSUM algorithms have been investigated over the SYN flooding attack in [10]. ATA
is not only simple and easy to implement but also detects the flooding attack effectively.
However, this algorithm produces a high number of false alarms. Thus, it treats a suspicious
event as a real attack only after a minimum number of consecutive threshold violations, in order to avoid
false alarms. As a consequence, the false alarm avoidance method of this algorithm
raises the false negative rate when the network is under a real attack. In order to reduce the false
negative rate, the existing ATA algorithm is modified by adding a static parameter to the
comparison of the current traffic and the average number of previous traffic. The parameter is
taken from the measurement of the baseline traffic of the network infrastructure. Moreover, the
sFlow-RT analyzer is used for the collection and manipulation of traffic statistics for reducing
the overhead of the SDN controller.
Arins A. proposed firewall as a service in SDN for solving the two main problems of DDoS:
distinguishing good packets from bad packets, and dropping bad packets at the closest point to
the attacker networks [22]. The authors in [23] also drop the detected malicious packets as their
mitigation mechanism for protecting against IoT-based DDoS attacks in SDN. Lu et al. focused on the
source-based defense mechanism against botnet-based DDoS flooding attacks through the
combination of the power of SDN and sFlow technology [24]. Conti et al. [21] also mitigated the
flooding-based DoS attack by installing temporary drop flow rules. The authors of [12]
discussed anomaly mitigation with the consideration of the centralized control feature of the
SDN network for tracing back the source of the attackers and doing the source filtering at the
source switch. All their proposed mitigation systems discard the detected attack by
installing a simple drop flow rule, taking advantage of the centralized control
feature of SDN. In this system, in order to mitigate the flooding attack effectively, drop flow
rules are installed with two options at the ingress switch of the attack. Temporary drop flow
rules are installed for the attacks that come for the first time. Permanent drop flow rules are
installed when the same attacks come again after their respective temporary drop flow rule
expires.
3. ALGORITHMS FOR DYNAMIC THRESHOLD CALCULATION
One of the effective algorithms for calculating the dynamic threshold is ATA. In this section,
both algorithms (i.e. original ATA and modified ATA) are described with their respective false
alarm avoiding method.
EWMA is commonly used in finding the dynamic threshold for the network traffic. The
calculated threshold value provides not only a high detection rate but also a high false positive
rate. Thus, ATA uses twice the EWMA result or more as its threshold value. However, it
still raises some false alarms in some cases. In order to reduce false alarms, this algorithm only
raises the alarm signal after a minimum number of consecutive violations of the threshold.
3.1. Adaptive Threshold Algorithm (ATA)
Let $CF_t$ be the current number of incoming frames at time $t$, $PF_{t-1}$ the average number of
frames estimated from the measurement prior to $t$, and $p$ the percentage parameter, $p > 0$.
If $CF_t \ge (p + 1)\,PF_{t-1}$ then the alarm is signalled at time $t$. (1)
The percentage parameter is used to indicate the anomalous behaviour when the defined
percentage of the previous average number of frames is exceeded by the current number of
incoming frames.
EWMA formula is used to pre-calculate the average number of incoming frames that will be
used in the comparison for the next second as shown in equation (2):
$PF_t = \alpha\,PF_{t-1} + (1 - \alpha)\,CF_t$ (2)
$\alpha$ is the factor parameter that decides how much weight the average number of previous
frames and the current number of frames each receive when calculating the average number of
previous frames to be used in the next calculation.
Applying the algorithm directly would yield a high number of false alarms. Thus, a simple
modification is made to signal an alarm after a minimum number of consecutive violations of the
threshold as shown in equation (3):
If $\sum_{i=n-k+1}^{n} 1_{\{CF_i \ge (\alpha+1)\,PF_{i-1}\}} \ge k$ then the alarm is signalled at time $t$. (3)
In this equation, $k$ is the parameter that indicates the number of consecutive intervals in which the
threshold must be violated for an alarm to be raised, $k > 1$.
3.2. Modified Adaptive Threshold Algorithm (MATA)
To reduce the false negative rate while avoiding false alarms, MATA takes the
baseline traffic, $b$, into account in the traffic comparison. Thus, the value of the baseline traffic
needs to be defined at the initial state.
The baseline of a network can be identified by analysing the monitoring result of the network for
a period of time. In this system, the sFlow analyzer is used as the monitoring tool and the
monitoring result (i.e. the event information) is analysed for defining the value of the baseline.
The process of defining baseline can be divided into four steps:
Step 1: Collect all event information from the various types of service produced by the analyzer.
Step 2: Categorize the collected information according to their type of service (i.e. Web, FTP,
Mail, NTP, DHCP and DNS).
Step 3: Find the maximum number of frames per second for each type of service from the
collected event information.
Step 4: Define the maximum number of frames per second as the value of the baseline.
According to steps 3 and 4, the baseline traffic for the Web service is defined as the maximum
number of SYN frames per second from the Web event information produced by the
sFlow analyzer as shown in equation (4).
$b_{web} = \max(\text{number of SYN frames per second for web service})$ (4)
As with the Web service, the baseline traffic of the other TCP services such as FTP and mail is
identified. For the UDP services, the baseline traffic for the DNS service is identified as the
maximum number of frames per second from the DNS event information as shown in equation
(5).
$b_{DNS} = \max(\text{number of frames per second for DNS service})$ (5)
The baseline traffic of the NTP and DHCP services is identified in the same way as the baseline
of the DNS service.
Thus, in general, the baseline of a particular service, $b_{SV}$, is identified as the maximum number of
frames per second for the service, $\max(f_{SV})$, as shown in equation (6).
$b_{SV} = \max(f_{SV})$ (6)
In equation (6), $b$ is the baseline traffic parameter, $SV$ stands for a particular service, and
$f$ is the number of frames per second contained in the event information. The calculation of
baseline traffic over an emulated SDN network environment is described in detail in section
6.1.2.
After getting the baseline value, equation (1) of ATA is modified by adding the baseline
traffic parameter, $b_{SV}$, so that anomalous behaviour is indicated when the current number of
incoming frames exceeds the sum of the defined percentage of the average number of previous
frames and the number of frames of the baseline traffic. The modified equation is
shown in equation (7):
If $CF_t \ge (p + 1)\,PF_{t-1} + b_{SV}$ then the alarm is signalled at time $t$. (7)
As in the original ATA, the average number of incoming frames for the next second is pre-
calculated by using the EWMA formula as shown in equation (2) of section 3.1.
4. FLOODING ATTACK DETECTION AND MITIGATION SYSTEM
The overall architecture of flooding attack detection and mitigation system is composed of two
main phases: flooding attack detection, and mitigation of the detected attacks as shown in Figure
1. In the detection phase, the various types of frames from the SDN hosts incoming into the Open
vSwitch are collected and detected by sFlow-RT analyzer [25] in order to differentiate the
normal frames and the malicious frames of the flooding attack. If the malicious flooding frames
are incoming into the switches, then the analyzer produces abnormal event information. The
mitigation application running in ONOS controller [26] instantaneously discards the frames
when it receives the event information from the analyzer.
Figure 1. Overall architecture of flooding attack detection and mitigation
4.1. Detection Phase
Flooding attack detection phase is implemented by using sFlow-RT analyzer in order to reduce
the load of traffic statistic in the SDN controller. It is composed of three parts: flow definition,
flow handling, and event handling.
4.1.1. Flow definition
The analyzer collects the incoming flow of each service according to the predefined polling
interval. As this system is detecting the flooding attack at the transport layer, it has two types of
flow definitions for TCP and UDP protocols. Moreover, for the TCP protocol this system detects only
the SYN flooding attack. Thus, the analyzer only collects SYN frames from the
incoming TCP traffic of the Web, FTP, and MAIL servers by using the flow keys (i.e. source MAC,
destination MAC, source IP, destination IP, and destination port) and filtering on the TCP SYN
flag and destination port of those frames. For the UDP protocol, the analyzer collects all frames from
each type of incoming UDP traffic such as the DNS, DHCP, and NTP services with the same flow
keys as TCP and only one filtering key (i.e. destination port).
4.1.2. Flow handling
The analyzer handles the various types of incoming flows every second. It also controls the
handling time for each service so that the flows incoming from the various types of
service are handled in turn. The process of the flow handling function for each service can be sub-divided
into two parts: frame comparing, and new threshold calculation.
Frame comparing: The sFlow analyzer compares the number of incoming frames with the
respective dynamic and adaptive threshold value calculated in the previous second. In the
beginning of the frame comparing (i.e. t = 0s), the analyzer compares the number of frames with
the predefined initial threshold. For ATA, the initial value of threshold and the average number
of previous frame is 0. For MATA, the two values are initialized by the baseline traffic.
New threshold calculation: The number of incoming SYN frames collected from the flow
definition is counted by the analyzer for each TCP service. Similarly, the analyzer counts the
number of all incoming frames from the respective UDP flow definition for each UDP service.
After counting the number of frames, the average number of previous frames for the next second
is calculated by using equation (2) of the ATA, the EWMA formula, described in section 3.1. Then
the new threshold value is calculated by combining twice the EWMA result
and the baseline.
4.1.3. Event handling
According to the frame comparing function, once the threshold is violated by the number of
incoming frames, the sFlow analyzer produces the alert messages for indicating that the
abnormal event is occurring in the network.
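The frame comparing and threshold calculation loop of sections 3 and 4.1.2, as an added example (it is not the authors' sFlow-RT script). The traffic series and event values are constructed; the consecutive-violation rule of equation (3) is applied to the threshold of equation (1), and the function and variable names are assumptions of this sketch.

```python
# Added example: ATA (equations 1-3) and MATA (equation 7) run second by second
# over constructed frames-per-second series. Names here are illustrative only.

ALPHA = 0.5  # EWMA factor parameter (value used in section 6.1)
P = 1.0      # percentage parameter: threshold is twice the EWMA result


def baseline_from_events(events):
    """Steps 1-4 of section 3.2 / equation (6): per-service maximum frames/s."""
    baseline = {}
    for service, frames_per_second in events:
        baseline[service] = max(baseline.get(service, 0.0), frames_per_second)
    return baseline


def detect(series, baseline=0.0, k=1, alpha=ALPHA, p=P):
    """Return the seconds (1-based) at which an alarm is signalled.

    baseline == 0 -> ATA: average and initial threshold start at 0.
    baseline  > 0 -> MATA: both start at the baseline (section 4.1.2).
    k             -> consecutive violations required before alarming (eq. 3).
    """
    avg = baseline        # average number of previous frames
    threshold = baseline  # threshold used for the first comparison
    run = 0               # length of the current run of violations
    alarms = []
    for t, cf in enumerate(series, start=1):
        run = run + 1 if cf >= threshold else 0
        if run >= k:
            alarms.append(t)
        avg = alpha * avg + (1 - alpha) * cf  # equation (2)
        threshold = (p + 1) * avg + baseline  # eq. (1) if baseline is 0, else eq. (7)
    return alarms


# Constructed monitoring events observed under normal load: (service, frames/s).
NORMAL_EVENTS = [("dns", 5.0), ("dns", 8.0), ("web", 3.0), ("dns", 6.5)]

# Constructed DNS traffic: 8 s normal, 4 s of flooding, then normal again.
VARYING_ATTACK = [5, 4, 3, 8, 4, 4, 5, 3, 400, 420, 410, 405, 5, 4, 9, 4]
CONSTANT_ATTACK = [5, 4, 3, 8, 4, 4, 5, 3, 400, 400, 400, 400, 5, 4]


def compare(series):
    """Alarm times for plain ATA, ATA with k=2, and MATA on one series."""
    b = baseline_from_events(NORMAL_EVENTS)["dns"]
    return {
        "ata_k1": detect(series),         # alarms on start-up and on a benign burst
        "ata_k2": detect(series, k=2),    # false alarms gone, attack seen late or not at all
        "mata": detect(series, baseline=b),
    }


if __name__ == "__main__":
    for name, series in (("varying", VARYING_ATTACK), ("constant", CONSTANT_ATTACK)):
        print(name, compare(series))
```

On the constant-rate series the EWMA absorbs the attack after one second, so the consecutive-violation rule never fires, which is the false negative that the baseline term is meant to remove.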
4.2. Mitigation Phase
The DDoS Mitigation application running in ONOS controller periodically takes the abnormal
event information from the sFlow analyzer via REST API in every second. In this mitigation
phase, MATA and ATA operate in a different way over the event information from the sFlow
analyzer because the analyzer produced the different abnormal event information in the detection
phase.
4.2.1. MATA-based mitigation
As soon as the DDoS Mitigation application receives the information, it first extracts the
source and destination IP addresses from the information, and finds the source switch connected
to the attacker host by using the source IP address. Then, the application installs a temporary drop
flow rule for 60 seconds into the source switch of the attack to discard the flooding packets
at the nearest point to the attacker host. If the application receives the previous event
information again after the flow rule has expired, it installs permanent drop flow rules for such
event information.
4.2.2. ATA-based mitigation
The ATA-based DDoS Mitigation application does not discard any frames as soon as it receives
the event information from the analyzer. It first confirms whether the received event
information really signals an attack or not, because some information might be false
alarms. In order to identify the event information that is not a false alarm, the algorithm predefines
the number of consecutive threshold violations within a period of time for each service according
to equation (3) of ATA. Thus, the DDoS Mitigation application monitors and counts the
number of consecutive event information within a predefined time and compares that number
with the predefined value. If the predefined value is exceeded by the number of
received information, then it finds the source switch connected to the attacker host. Finally, the
application installs a drop flow rule into the source switch of the attack.
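The two mitigation decisions of sections 4.2.1 and 4.2.2, as an added example that models the ingress switch's rules in memory (it does not use the ONOS API and is not the authors' application). The event tuples are constructed, the per-service counts are those of Table 2, and reusing the temporary/permanent rule table for the ATA path is an assumption of this sketch.

```python
# Added example: MATA-based escalation (temporary, then permanent drop rule)
# and ATA-based confirmation (count events inside a time window first).
from collections import defaultdict, deque

TEMP_RULE_SECONDS = 60  # lifetime of the temporary drop flow rule (section 4.2.1)

# Table 2: an alarm is real when more than n events arrive within `window` s.
ATA_CONFIRM = {"web": (1, 2), "ftp": (1, 2), "mail": (1, 2),
               "dns": (6, 2), "ntp": (3, 2)}


class DropRuleTable:
    """In-memory stand-in for the drop rules on the attacker's ingress switch."""

    def __init__(self):
        self.expiry = {}  # (src_ip, dst_ip) -> expiry time, None = permanent

    def install(self, flow, now):
        """Install or escalate a rule; return the action taken, or None."""
        if flow in self.expiry:
            expires = self.expiry[flow]
            if expires is None or now < expires:
                return None              # a rule is already dropping this flow
            self.expiry[flow] = None     # same attack after expiry: permanent
            return "permanent"
        self.expiry[flow] = now + TEMP_RULE_SECONDS
        return "temporary"


def mata_mitigate(events):
    """Act on every event at once; events are (time, service, src, dst)."""
    table, actions = DropRuleTable(), []
    for now, _service, src, dst in events:
        action = table.install((src, dst), now)
        if action:
            actions.append((now, src, action))
    return actions


def ata_mitigate(events):
    """Act only when the Table 2 count is exceeded inside the time window."""
    table, actions = DropRuleTable(), []
    recent = defaultdict(deque)  # (service, src, dst) -> recent event times
    for now, service, src, dst in events:
        min_events, window = ATA_CONFIRM[service]
        stamps = recent[(service, src, dst)]
        stamps.append(now)
        while now - stamps[0] >= window:  # forget events older than the window
            stamps.popleft()
        if len(stamps) > min_events:
            action = table.install((src, dst), now)
            if action:
                actions.append((now, src, action))
    return actions


# Constructed events. h18 (10.0.0.18) floods the DNS server h3, stops being
# reported while the temporary rule is active, and is reported again later.
MATA_EVENTS = [(60.0, "dns", "10.0.0.18", "10.0.0.3"),
               (61.0, "dns", "10.0.0.18", "10.0.0.3"),
               (125.0, "dns", "10.0.0.18", "10.0.0.3"),
               (130.0, "dns", "10.0.0.18", "10.0.0.3")]

# Three NTP false alarms from a benign client within two seconds, then a
# sustained run of events caused by the attacker.
ATA_EVENTS = [(10.0, "ntp", "10.0.0.7", "10.0.0.1"),
              (10.5, "ntp", "10.0.0.7", "10.0.0.1"),
              (11.0, "ntp", "10.0.0.7", "10.0.0.1"),
              (60.0, "ntp", "10.0.0.18", "10.0.0.1"),
              (60.3, "ntp", "10.0.0.18", "10.0.0.1"),
              (60.6, "ntp", "10.0.0.18", "10.0.0.1"),
              (60.9, "ntp", "10.0.0.18", "10.0.0.1"),
              (61.2, "ntp", "10.0.0.18", "10.0.0.1")]

if __name__ == "__main__":
    print("MATA:", mata_mitigate(MATA_EVENTS))
    print("ATA: ", ata_mitigate(ATA_EVENTS))
```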
5. EXPERIMENTAL TESTBED
The testbed for testing the flooding attack detection and mitigation system is composed of four
OpenFlow switches, one controller, six servers, and twelve clients as shown in Figure 2. One
switch is connected to all servers and the others are connected to the clients. One of the
client hosts is treated as an attacker and the remaining clients are benign users. Each server is the
target victim in turn.
The links connected between the switch and the servers and those among the switches are
configured with 1000 Mbps and those connections between the switch and the clients are
configured with 100 Mbps. The network topology is constructed by using mininet [27] emulator.
Two laptop PCs are used in setting up this system. The ONOS controller and sFlow-RT analyzer are
running in one virtual machine on a Dell Laptop PC with Intel(R) Core(TM) i7-4500U CPU @
1.80GHz, 64 bits and 8GiB memory, and the mininet network is running on another Dell
Laptop PC with Intel® Core™ i5-4790 CPU @3.60GHz, 64 bits, and 4GiB memory. The two
PCs are connected by an Ethernet cable. Since the two PCs for mininet and analyzer are directly
connected, the sampling rate and polling interval in the sFlow analyzer are defined as 1.
Table 1. Testbed information
| Type | Host name | IP address |
|---|---|---|
| Servers | h1 – h6 | 10.0.0.1 – 10.0.0.6 |
| Clients | h7 – h17 | 10.0.0.7 – 10.0.0.17 |
| Attacker | h18 | 10.0.0.18 |
| Switches | s1 – s4 | - |
Figure 2. Network topology for the experimental testbed
6. EXPERIMENTAL IMPLEMENTATION
The detection and mitigation of flooding attack is implemented with detection phase and
mitigation phase based on the original ATA and modified ATA algorithm alternatively in order
to evaluate this system. Moreover, an attack scenario is used to test and evaluate this system.
6.1. Detection Phase
The sFlow analyzer is mainly used in the detection phase of this system. According to the
workflow of the analyzer, this system collects the incoming frames, compares the number of
incoming frames with the dynamic and adaptive threshold, raises alert when the threshold is
violated, and calculates the average number of previous frames and the new threshold value for
the next second with EWMA formula as described in section 4.1.
In order to give equal weight to the current incoming frames and the average
number of previous frames when calculating the average number of frames for the next time, the
factor parameter $\alpha$ of the EWMA formula is set to 0.5. Moreover, the percentage parameter $p$
in equation (1) is defined as 1 for doubling or taking twice the previous number of frames (i.e.
the EWMA result), which is to be used as a threshold in the process of frame comparing. As both
dynamic calculation methods (i.e. ATA and MATA) are based on the EWMA formula, they raise
a high number of false alarms and must avoid them.
6.1.1. False alarms avoidance in ATA-based detection
The ATA raises the alarm signal after a minimum number of consecutive threshold violations for
avoiding false alarms. According to the result from the analysis of sFlow event information, the
real abnormal event information and false alarms are differentiated by defining the number of
same event information occurring continuously within a period of time.
As shown in Figure 3, the sFlow analyzer continuously produced the same three NTP service
abnormal event information within two seconds. Actually, these event information are false
alarms occurring in normal conditions. Thus, more than three of the same event information
occurring within two seconds is defined as the real abnormal event information for the NTP
service. Similarly, the number of event information and its duration are analysed and predefined
for each service as shown in Table 2.
Figure 3. Event information from sFlow analyzer
Table 2. Number of consecutive threshold violation
| Type of service | No. of event information (n) | Time (second) |
|---|---|---|
| Web | n > 1 | 2 |
| FTP | n > 1 | 2 |
| Mail | n > 1 | 2 |
| DNS | n > 6 | 2 |
| NTP | n > 3 | 2 |
6.1.2. False alarms avoidance in MATA-based detection
As this algorithm takes into account the baseline traffic of the network for avoiding false
alarms, the sFlow analyzer produces a dynamic threshold which is adaptable to the baseline, and it
can reduce the false alarms significantly.
In order to define the value of baseline traffic for the current network topology, we observed the
network for one minute while all normal users are accessing all available network services
concurrently. As we are doing the experiment in the virtual mininet network environment, in
order to get the baseline similar to the actual baseline traffic of the real network environment, we
used D-ITG (Distributed Internet Traffic Generator) tool [28] for generating the network
traffic in the virtual network. This tool generates the traffic with Inter Departure Time (IDT) and
Packet Size (PS) using stochastic models such as uniform, constant, exponential, pareto, cauchy,
normal, poisson, gamma, and weibull distribution. It can also generate the transport layer traffic
(i.e. TCP, UDP) and application layer traffic (i.e. DNS, Telnet, VoIP).
The traffic generation model [29] described that poisson distribution can be used to generate the
traffic with the number of incoming packets or calls per time unit (i.e. IDT). Moreover, the traffic
including the length of each phone call (i.e. PS) can be generated by the exponential distribution.
Theoretical traffic model [30] can be summarized as shown in Table 3. The IDT for the telnet
traffic and new network transfer protocol (NNTP) traffic can be generated by using poisson
distribution and weibull distribution respectively. Moreover, both IDT and PS of VoIP traffic are
generated by using the exponential distribution. The PS of NNTP, SMTP, and FTP traffic during
the whole session are generated by using log2-normal distribution. In addition, pareto distribution
is used to produce the PS of Web and FTP traffic during a burst session.
Table 3. Theoretical traffic model for generating IDT and PS for each service
| Service | IDT | PS |
|---|---|---|
| Telnet | Poisson distribution | - |
| New Network Transfer Protocol (NNTP) | Weibull distribution | Log2-normal distribution |
| SMTP | - | Log2-normal distribution |
| FTP | - | Log2-normal distribution during the whole session; Pareto distribution during a burst session |
| Web | - | Pareto distribution |
| VoIP | Exponential distribution | Exponential distribution |
We referenced the combination of the traffic generation model and theoretical traffic model for
generating the various types of virtual network traffic similar to the real network traffic as shown
in Table 4. The IDT of all traffic is generated by using poisson distribution. Log2 normal
distribution is used for the generation of PS for SMTP and FTP traffic. Moreover, the PS of Web
traffic is generated by the pareto distribution. According to the description of the theoretical
traffic model, we generate each type of traffic with different percentages of the packet as shown
in Table 5.
Table 4. Assumption for generating IDT and PS for each service
| Service | IDT | PS |
|---|---|---|
| NTP, DHCP, DNS | Poisson distribution | - |
| SMTP | Poisson distribution | Log2-normal distribution |
| FTP | Poisson distribution | Log2-normal distribution |
| Web | Poisson distribution | Pareto distribution |
After defining the traffic generation format, we first set up the NTP, DHCP, DNS, SMTP, FTP,
and Web servers on the mininet hosts h1, h2, h3, h4, h5, and h6, respectively. Then, all client hosts
except the attacker host h18 access the server concurrently according to the traffic generation
format including specific IDT and PS for each service as shown in Table 4 and the packet
generation rate as shown in Table 5.
Table 5. Assumption for packet generation rate
| Protocol | Service | Percentage of the packet (%) |
|---|---|---|
| TCP | Web | 70 |
| TCP | FTP | 10 |
| TCP | SMTP | 5 |
| UDP | NTP | 5 |
| UDP | DNS | 5 |
| UDP | DHCP | 5 |
Table 6. List of baseline for each service
| Service | Baseline |
|---|---|
| NTP | 64.60285 |
| DHCP | 76.64288 |
| DNS | 8.8075 |
| SMTP | 4.761905 |
| FTP | 4.761905 |
| Web | 4.761905 |
In order to get all possible event information from the sFlow analyzer, the initial baseline and
threshold value are defined as zero and the DDoS Mitigation application is not activated in the
ONOS controller. The final value for the baseline traffic of each service is defined according to
the process and equation previously described in section 3.2. By applying equation (6), the
value for the baseline traffic of the NTP service, $b_{NTP}$, is 64.60285, which is the maximum number
of frames per second of the service. The baseline values for the other services are
defined in the same way as for the NTP service, and these values are listed in Table 6.
6.2. Mitigation Phase
The mitigation phase is implemented in the DDoS Mitigation application in the ONOS
controller. The application has two main functions: regularly retrieving event information from the
sFlow analyzer, and installing a drop flow rule according to the contents of the event
information. The MATA-based application installs a drop flow rule as soon as it receives event
information. However, the ATA-based application installs a drop flow rule according to the
predefined number of events within a period of time as described in Table 2.
6.3. Scenario
To evaluate this system with various types of experimental results, a scenario is used for testing
the virtualized SDN network with flooding attacks and captures the monitoring results of it. The
duration for testing and evaluation time is three minutes. During this time, all client hosts are
accessing all available servers in the network concurrently and one attacker host launches the
flooding attack for one minute. This scenario includes four steps:
Step 1: We set up NTP, DHCP, DNS, SMTP, FTP, and Web server on the host h1, h2, h3, h4,
h5, and h6, respectively.
Step 2: After setting up the servers, all clients (from host h7 to h17) access all the servers
concurrently for three minutes (18000 seconds). At the same time, we monitor the victim server
by capturing all of its incoming and outgoing traffic with a packet capturing tool (i.e. tcpdump)
[31].
Step 3: After one minute from the start of monitoring, attacker host h18 launches the flooding
attack to a particular victim server for one minute by using hping3 tool [32].
Step 4: After the one-minute attack, we check the number of flooding packets that this system was
able to filter. Since this flooding attack detection and mitigation system installs the flow rule
in the ingress switch s4 of the attacker host h18, we check the number of packets in the drop flow
rule at the switch s4.
6.4. Performance Parameter
The value of each performance parameter for network security is defined according to the result
from the scenario.
- True positive (TP): The number of packets passing through the drop flow rule is defined
as the value of TP.
- False Negative (FN): The number of packets from the filtered traffic (i.e. from the
attacker host h18 to the victim server host) included in the results of the packet capturing tool is
considered as the value of FN.
- True Negative (TN): The number of packets obtained by subtracting the value of FN from the
number of packets of all captured traffic in the captured result.
- False Positive (FP): The value of FP is zero because this system is implemented with the
false alarm avoidance mechanism.
After defining the value of each performance parameter, the false negative rate (FNR),
detection rate (DR), and accuracy (ACC) are calculated by using the formulas shown in
equations (8), (9), and (10), respectively.
$FNR(\%) = \frac{FN}{FN + TP} \times 100$ (8)
$DR(\%) = \frac{TP}{TP + FN} \times 100$ (9)
$ACC(\%) = \frac{TP + TN}{TP + TN + FP + FN} \times 100$ (10)
7. EXPERIMENTAL RESULT
Since this system is implemented with the detection phase and mitigation phase, the experimental
results for these two phases are separately described in two sub-sections: detection results and
mitigation results.
7.1. Detection Results
The detection results consist of three parts. The first part presents the dynamic threshold values
adaptable with the incoming traffic produced by each algorithm. The second part shows the
comparative results of various performance parameters (i.e. detection rate, false negative rate,
and accuracy) over MATA and ATA algorithms to prove why the modified algorithm is chosen
to use in detecting the flooding attacks. The evaluation results of the MATA with various rates of
the attack are described in the third part of this section for indicating how the MATA can detect
the various types of attacks.
7.1.1. Comparative results of adaptive threshold over incoming traffic
Figures 4 and 5 show the DNS traffic's adaptive threshold dynamically produced by the sFlow
analyzer based on the ATA and MATA, respectively. The main difference between the results of
the two algorithms is that false alarms can be seen at the initial state and normal state of the
result produced by ATA while the MATA does not produce any of them. The reason is that the
MATA reduces the occurrence of false alarms in the detection phase by using its modified
technique. However, ATA raises some false alarms in the detection phase and avoids them in the
mitigation phase. Each comparative result is divided into three states: initial state (before 10s),
attack state (60s - 120s), and normal state ((11s - 59s) and (121s – 180s)).
Figure 4. Adaptive threshold produced by ATA
Figure 5. Adaptive threshold produced by MATA
Initial state: In the ATA result, the threshold value is initialized as zero because there is no traffic at
the beginning. Thus, as soon as traffic comes into the network, the threshold is violated
by the incoming traffic as shown in the initial state of Figure 4. In the MATA result, the initial
threshold value is defined as the value of the baseline. As a result, there is no false alarm at the
initial state as shown in the initial state of Figure 5.
Attack state: According to the result of the attack state of each figure, both algorithms could
detect the flooding packets immediately when the attack is launched by the attacker.
Normal state: In the ATA result, false alarms might be raised when the current rate of the
incoming frames is slightly higher than the previous rate, as shown in the normal state of Figure
4. In the MATA result, there is no false alarm in this state because the minimum threshold value
itself is the same as the baseline traffic, and the threshold values then adapt to the
incoming frames.
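The three states described above can be reproduced with a small simulation. This is an added example, not the paper's code: it assumes the usual EWMA form of an adaptive threshold, and the traffic trace, `alpha`, `beta`, `k` and the baseline value of 8 are constructed for illustration.

```python
# Added illustration; not the paper's implementation.
# Constructed per-second packet counts: idle start, normal traffic,
# then a flooding burst during seconds 10..12.
TRAFFIC = [0, 0, 4, 5, 4, 5, 4, 7, 4, 5, 100, 100, 100, 5, 4, 5]
ATTACK_SECONDS = {10, 11, 12}
BASELINE = 8  # assumed normal-traffic ceiling, taken here as a given input


def alarm_seconds(samples, baseline=0.0, alpha=0.5, beta=0.8, k=1):
    """Return the seconds at which an alarm fires.

    threshold_n = max(baseline, (1 + alpha) * mu_{n-1}), where mu is the
    EWMA of the samples seen so far. baseline=0 gives the plain EWMA
    threshold (ATA-style, starting at zero); a positive baseline acts as
    both the initial and the minimum threshold (the modification this
    section describes). An alarm needs k consecutive violations.
    """
    mu, run, alarms = 0.0, 0, []
    for t, x in enumerate(samples):
        threshold = max(baseline, (1 + alpha) * mu)
        run = run + 1 if x > threshold else 0
        if run >= k:
            alarms.append(t)
        # The average keeps adapting to incoming traffic, attack or not.
        mu = beta * mu + (1 - beta) * x
    return alarms


def score(alarms, attack=ATTACK_SECONDS):
    """Split alarms into false alarms and missed attack seconds."""
    fired = set(alarms)
    return {
        "false_alarms": sorted(fired - attack),
        "missed": sorted(attack - fired),
    }


if __name__ == "__main__":
    cases = [
        ("EWMA threshold, k=1", {}),
        ("EWMA threshold, k=2", {"k": 2}),
        ("baseline-floored threshold, k=1", {"baseline": BASELINE}),
    ]
    for label, kwargs in cases:
        alarms = alarm_seconds(TRAFFIC, **kwargs)
        print(f"{label:32s} alarms={alarms} {score(alarms)}")
```

With `k=2` the plain threshold drops some false alarms but also misses the first second of the burst, which is the false-negative trade-off that the baseline floor avoids in this trace.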
7.1.2. Comparative results of performance parameters
In general, the performance parameters used in the evaluation of the network security include
detection rate, false positive rate, false negative rate, and accuracy. Thus, this system also
evaluates its performance by using general performance parameters. However, it does not
describe the false positive rate because this system reduces them in its implementation (i.e. the
false positive rate is zero). The results are produced by calculating the performance parameters as
described in section 6.4. Moreover, the average percentage of each performance parameter is
obtained by calculating the average value of ten runs.
Figure 6. Comparisons of detection rate over various types of services
The comparison of the detection rate produced by MATA and ATA over various types of services is
shown in Figure 6. The detection rate of MATA is slightly higher than that of ATA. The
rates of the two algorithms do not differ greatly because this system modified the original
ATA mainly to reduce the false negative rate while avoiding false alarms.
Figure 7. Comparisons of false negative rate over various types of services
The comparative result of the false negative rate for each service is shown in Figure 7. ATA
produces different false negative rates for the services because it distinguishes normal and
malicious packets by considering the number of continuous incoming packets within a time window,
and the incoming rate of continuous packets differs depending on the type of service.
In this figure, ATA produces a high FNR for the DNS service because the normal incoming
DNS packet rate is higher than that of the other services, and the number of continuous incoming packets
during two seconds is about 6. Thus, ATA classifies incoming packets as abnormal
when the number of continuous incoming packets within two seconds is more than 6
packets, as listed in Table 2. As a result, the number of attack packets that reach the victim DNS server
is high when the network is under attack. In contrast, the number of continuous incoming SYN
packets within two seconds is 1 for the Web service. Since the normal incoming packet rate itself
is very low, the attack can be detected as soon as the number of packets is greater than 1.
However, MATA produces similar false negative rates for all services because it uses the same
definition, based on their baseline, to differentiate normal and malicious packets.
Figure 8. Comparisons of accuracy over various types of services
Similarly, ATA produces a different percentage of accuracy for each service because the
calculation of accuracy also depends on its false negative rate. It provides about 97.4% as its
maximum percentage, which can be seen in the Web service. The minimum percentage provided by
ATA is around 83.2%. However, MATA produces an accuracy above 99% for each service, as
shown in Figure 8.
Reviewing the average percentages of detection rate, false negative
rate and accuracy produced by MATA and ATA, MATA is an appropriate algorithm for the
detection and mitigation of flooding attacks because it provides a higher percentage of
detection rate and accuracy, and a lower percentage of false negative rate, for all services than
ATA.
7.1.3. Comparisons of performance over the various attack rates
The percentages of the detection rate and false negative rate differ depending on the rate of the
attack. Because this system is implemented for flooding attacks at the transport layer, the
performance comparison of attack rates is described separately for the TCP and UDP protocols. Web
and DNS services are used to represent the TCP and UDP protocols, respectively. Five different
rates of attack (i.e. 10 packets per second, 100 packets per second, 1000 packets per second,
10000 packets per second, and 100000 packets per second) are used to test the performance of the
system. For testing each rate of attack, the hping3 command is used with u100000, u10000, u1000,
u100, u10 and u1 to send the attack packets at 10 packets per second, 100 packets per second,
1,000 packets per second, 10,000 packets per second, and 100,000 packets per second,
respectively. These results are produced by averaging the results of ten runs.
Figure 9. Performance comparisons of various attack rates over Web service
Figure 10. Performance comparisons of various attack rates over DNS service
According to the detection rate and false negative rate results shown in Figures 9 and 10,
the detection rate of the MATA algorithm increases with the attack rate: the higher the attack rate, the
higher the detection rate. In contrast, the higher the
attack rate, the lower the false negative rate. Although the detection mechanism using this
algorithm can detect all attack rates for Web traffic, it cannot detect the lowest rate of
attack (i.e. 10 packets per second) for DNS traffic because the rate of normal packets of the
UDP protocol itself is high. However, it starts to detect the attack at a rate of 100
packets per second.
7.2. Mitigation Results
The mitigation results consist of two parts: filtering results and network performance. The
filtering results are produced from two types of comparison: the comparison of network traffic
with and without filtering by the DDoS Mitigation application, and the comparison of the
percentage of attack packets that reach the victim servers. Moreover, the performance of the
network during attack filtering is measured to show that the source-based defense mechanism is
more effective than the destination-based one.
7.2.1. Filtering results
The DDoS Mitigation application drops the abnormal traffic depending on the alert information
obtained from the sFlow analyzer. The application takes the information from the analyzer via
REST API every second. Thus, the maximum delay time between the detection and mitigation is
one second.
Figure 11. Comparison of network traffic with and without filtering
When the network is filtered with the DDoS Mitigation application, normal users can access a
particular service without interruption even when the server is under attack. In contrast,
when the network is not filtered with the application, the server can go down as soon as it is under
attack, and the service will no longer be available to normal users. The comparative result of
filtering the network with and without the DDoS Mitigation application is shown in Figure 11. These
results are produced from the I/O graphs of the captured results of the network for one minute.
Figure 12. Comparison of attack packets reaching the victim servers
Moreover, Figure 12 shows the percentage of attack packets that reach the victim server
while the network is filtered with the DDoS Mitigation application implemented with two
different defense mechanisms (i.e. the source-based defense mechanism and the destination-based
mechanism). To show what percentage of attack packets each mechanism can
remove, the figure also shows the percentage of attack packets that reach the victim
server when the network is not filtered with the DDoS Mitigation application.
Table 7. Reduction of attack packets reaching the victim servers (%)
Mechanism                  Web   Mail  FTP   DNS   NTP
Source-based defense       76.6  84.2  93.8  78.8  94.6
Destination-based defense  73.5  63.6  81.3  28.9  31.4
Reviewing the percentage of attack packets that reach the victim server, the
source-based defense mechanism reduces the attack packets by up to 94.6%, while the
destination-based mechanism reduces them by only 31.4%, for the NTP service, as listed in Table 7.
Thus, the source-based defense mechanism is more effective than the destination-based defense
mechanism for flooding attacks with non-spoofed IP addresses.
7.2.2. Network performance
Figure 13 shows the comparative results of average network performance while the network is
under attack and filtered with the source-based and destination-based defense mechanisms. The
performance is measured by pinging with ten packets from client host h8 to h17. The average
performance is also calculated by monitoring the average time to live (i.e. ttl) from
pinging ten times and averaging the results.
Since the former mechanism is dropping the attack packets nearest to the source of the attack, the
network will not be congested with those attack packets. Thus, the source-based defense
mechanism maintains higher performance than the destination-based defense mechanism. As
shown in Figure 13, the latency of the source-based defense mechanism for each service is about
doubling the latency of the destination-based defense mechanism.
However, the source-based defense mechanism can only protect against direct attacks because it must
know the exact location of the attacker so that it can install a drop flow rule in the ingress switch of
the attack host. If it does not know the location of the attacker, the destination-based mechanism is
preferred. Although this method can protect against attacks with spoofed IP addresses, the network
might be congested because of the attack traffic.
Figure 13. Comparative results for network performance while the network is under attack
8. CONCLUSIONS
A flooding attack might bring down the whole SDN network or its services within a short period of time. Our
proposed flooding attack detection and mitigation using the MATA algorithm could detect and
mitigate the attack effectively by modifying the original ATA with consideration of the
baseline info of the network infrastructure.
By using the MATA algorithm, the false negative rate is reduced up to 0.7% and the accuracy is
increased to around 99% for all network services. Although this method has a little overhead for
finding the baseline traffic info of the network infrastructure, it considerably reduces the false
alarms by producing a dynamic and adaptive threshold based on the baseline. Consequently,
the false negative rate is significantly reduced because the attack traffic can be discarded as soon as
the DDoS Mitigation application receives the abnormal event information. Moreover, since the
application takes the event information from the sFlow analyzer every second, the
maximum delay time between detection and mitigation is one second. Therefore, we can
conclude that MATA is an effective algorithm for the detection and mitigation of various types
of flooding attacks.
REFERENCES
[1] Braga, R., de Souza Mota, E. and Passito, A., (2010, October). โLightweight DDoS flooding attack
detection using NOX/OpenFlowโ. In LCN, Vol. 10, pp408-415.
[2] Hu, D., Hong, P., & Chen, Y. (2017, December). โFADM: DDoS flooding attack detection and
mitigation system in software-defined networkingโ. In GLOBECOM 2017-2017 IEEE Global
Communications Conference pp1-7.
[3] ONF, (2012) โSoftware-defined networking: The new norm for networks,โ ONF White Paper, vol. 2,
pp2โ6.
[4] Dharma, N.G., Muthohar, M.F., Prayuda, J.A., Priagung, K. and Choi, D., (2015, August). โTime-
based DDoS detection and mitigation for SDN controllerโ. In 2015 17th Asia-Pacific Network
Operations and Management Symposium (APNOMS), pp550-553. IEEE.
[5] Bawany, N. Z., Shamsi, J. A., & Salah, K. (2017). โDDoS attack detection and mitigation using
SDN: methods, practices, and solutionsโ. Arabian Journal for Science and Engineering, 42(2),
pp425-441.
[6] Kumar, P., Tripathi, M., Nehra, A., Conti, M., & Lal, C. (2018) โSAFETY: Early detection and
mitigation of TCP SYN flood utilizing entropy in SDNโ. IEEE Transactions on Network and Service
Management, 15(4), pp1545-1559.
[7] Ubale, T., & Jain, A. K. (2018, March). โSRL: An TCP SYNFLOOD DDoS Mitigation Approach in
Software-Defined Networksโ. In 2018 Second International Conference on Electronics,
Communication and Aerospace Technology (ICECA), pp956-962. IEEE.
[8] Mohammadi, R., Javidan, R., & Conti, M. (2017). โSlicots: An sdn-based lightweight
countermeasure for tcpsyn flooding attacksโ. IEEE Transactions on Network and Service
Management, 14(2), pp487-497.
[9] Wei, H. C., Tung, Y. H., & Yu, C. M. (2016, June). โCounteracting UDP flooding attacks in SDNโ.
In 2016 IEEE NetSoft Conference and Workshops (NetSoft) pp367-371. IEEE.
[10] Siris, V. A., &Papagalou, F. (2004, November). โApplication of anomaly detection algorithms for
detecting SYN flooding attacksโ. In IEEE Global Telecommunications Conference, 2004.
GLOBECOM'04, Vol. 4, pp2050-2054. IEEE.
[11] Giotis, K., Argyropoulos, C., Androulidakis, G., Kalogeras, D., &Maglaris, V. (2014). โCombining
OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on
SDN environmentsโ. Computer Networks, 62, pp122-136.
[12] Wang, R., Jia, Z., & Ju, L. (2015, August). โAn entropy-based distributed DDoS detection
mechanism in software-defined networkingโ. In 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1,
pp310-317. IEEE.
20. International Journal of Computer Networks & Communications (IJCNC) Vol.12, No.3, May 2020
94
[13] Mehdi, S. A., Khalid, J., &Khayam, S. A. (2011, September). โRevisiting traffic anomaly detection
using software-defined networkingโ. In International workshop on recent advances in intrusion
detection, pp161-180. Springer, Berlin, Heidelberg.
[14] Dotcenko, S., Vladyko, A., &Letenko, I. (2014, February). โA fuzzy logic-based information security
management for software-defined networksโ. In 16th International Conference on Advanced
Communication Technology, pp167-171. IEEE.
[15] Priyadarshini, R., & Barik, R. K. (2019). โA deep learning based intelligent framework to mitigate
DDoS attack in fog environmentโ, Journal of King Saud University-Computer and Information
Sciences.
[16] Phan, T. V., Van Toan, T., Van Tuyen, D., Huong, T. T., & Thanh, N. H. (2016, July).
โOpenflowsia: An optimized protection scheme for software-defined networks from flooding
attacksโ. In 2016 IEEE Sixth International Conference on Communications and Electronics (ICCE)
pp13-18. IEEE.
[17] Nam, T. M., Phong, P. H., Khoa, T. D., Huong, T. T., Nam, P. N., Thanh, N. H., ... &Loi, V. D.
(2018, January). โSelf-organizing map-based approaches in DDoS flooding detection using SDNโ. In
2018 International Conference on Information Networking (ICOIN) pp249-254. IEEE.
[18] Kalliola, A., Lee, K., Lee, H., & Aura, T. (2015, October). โFlooding DDoS mitigation and traffic
management with software-defined networkingโ. In 2015 IEEE 4th International Conference on
Cloud Networking (CloudNet), pp248-254. IEEE.
[19] Latah, M., &Toker, L. (2018). โA novel intelligent approach for detecting DoS flooding attacks in
software-defined networksโ. International Journal of Advances in Intelligent Informatics, 4(1), pp11-
20.
[20] Conti, M., Gangwal, A., & Gaur, M. S. (2017, October). โA comprehensive and effective mechanism
for DDoS detection in SDNโ. In 2017 IEEE 13th International Conference on Wireless and Mobile
Computing, Networking and Communications (WiMob), pp1-8. IEEE.
[21] Conti, M., &Gangwal, A. (2017, November). โBlocking intrusions at border using software defined-
internet exchange point (sd-ixp)โ.In 2017 IEEE Conference on Network Function Virtualization and
Software-Defined Networks (NFV-SDN), pp1-6. IEEE.
[22] Arins, A. (2015, November). โFirewall as a service in SDN OpenFlow networkโ, In 2015 IEEE 3rd
Workshop on Advances in Information, Electronic and Electrical Engineering (AIEEE) pp1-5. IEEE.
[23] รzรงelik, M., Chalabianloo, N., &Gรผr, G. (2017, August). โSoftware-defined edge defense against
IoT-based DDoSโ.In 2017 IEEE International Conference on Computer and Information Technology
(CIT), pp308-313. IEEE.
[24] Lu, Y., & Wang, M, (2016, June)โAn easy defense mechanism against botnet-based DDoS flooding
attack originated in SDN environment using sFlowโ. In Proceedings of the 11th International
Conference on Future Internet Technologies, pp14-20. ACM.
[25] sFlow-RT, May 2014 [Online]. Available from: https://www.inmon.com.
[26] ONOS [Online]. Available from: https://onosproject.org.
[27] Mininet [Online]. Available from: http://mininet.org.
[28] D-ITG Tool [Online]. Available from: http://www.grid.unina.it/software/ITG/
[29] Traffic generation model, https://en.wikipedia.org/wiki/Traffic_generation_model
[30] Avallone, S., Emma, D., Pescapรฉ, A., &Ventre, G. (2005). โPerformance evaluation of an open
distributed platform for realistic traffic generationโ, Performance Evaluation, 60(1-4), pp359-392.
[31] Tcpdump [online]. Available from: https://www.tcpdump.org/manpages/tcpdump.1.html.
[32] Hping3 Security Tool [online]. Available from: http://www.hping.org/hping3.html.