Kavita Chada & Viji Avali CSCE 790


Presentation Transcript


  1. Framework For Classifying Denial of Service Attacks
     Alefiya Hussain, John Heidemann, Christos Papadopoulos
     Presented by Kavita Chada & Viji Avali, CSCE 790

  2. Introduction
     • What is a Denial-of-Service attack (DoS)?
       An adversary A can send a huge number of messages to y in order to block message m from arriving at y.
       [Diagram: A, m, x, y]

  3. Introduction
     • A DoS attack can be:
       - Single-source attack: only one host
       - Multi-source attack (DDoS): multiple hosts
     • Launching an attack is trivial, but detection and response are not.

  4. Previous techniques used
     • Anomaly detection: detects ongoing attacks from the large, disproportionate difference between packet rates flowing to and from the victim or attacker.
     • Traceback techniques: assist in tracking down attackers post-mortem.
     • Signature-scan techniques: try to detect attackers by monitoring the network links over which the attackers' traffic transits.
     • Backscatter technique: allows detection of attacks that uniformly spoof source addresses across the complete IP address space.

  5. Attack taxonomy
     • Software exploits
     • Flooding attacks
     • Single-source attacks
     • Multi-source attacks
     • Reflector attacks

  6. Attack Taxonomy

  7. Attack Taxonomy

  8. Attack Taxonomy

  9. Attack classification
     • Header content
     • Transient ramp-up behavior
     • Spectral characteristics

  10. Attack classification
      • Header content
        - Using the ID field: many operating systems sequentially increment the IP ID field for each successive packet.
        - Using the TTL value: the TTL value remains constant for the same source-destination pair.

  11. Attack Classification
      • Using header contents
        Pseudo code to identify the number of attackers based on header content.
      • Let P = {attack packets}, Pi ⊂ P, P =
        If ∀ p ∈ P the ID value increases monotonically and the TTL value remains constant
          then Single-source
        elseif ∀ p ∈ Pi the ID value increases monotonically and the TTL value remains constant
          then Multi-source with n attackers
        else Unclassified
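The header-content test above, as an added Python example that is not code from the paper or the presentation: packets are (IP ID, TTL) pairs in arrival order, each distinct TTL is treated as one candidate source stream, and MAX_STEP (the largest forward ID jump still counted as "sequential", with 16-bit wraparound allowed) is an assumed threshold, not a value from the paper.

```python
from collections import defaultdict

ID_SPACE = 1 << 16   # the IPv4 identification field is 16 bits wide
MAX_STEP = 4096      # assumed threshold: largest forward ID jump still treated as sequential


def ids_increase_monotonically(ids):
    """True if every successive IP ID moves forward (mod 2^16) by a small step."""
    for prev, cur in zip(ids, ids[1:]):
        step = (cur - prev) % ID_SPACE
        if step == 0 or step > MAX_STEP:
            return False
    return True


def classify_by_headers(packets):
    """
    packets: list of (ip_id, ttl) tuples in arrival order.
    Returns ("single-source", 1), ("multi-source", n) or ("unclassified", 0),
    following the slide's rule: constant TTL plus monotonically increasing ID
    identifies one sender; the same property per TTL-separated subset
    identifies n senders; anything else is unclassified.
    """
    ids = [pid for pid, _ in packets]
    ttls = {ttl for _, ttl in packets}
    # Whole trace shares one TTL and one increasing ID sequence: a single sender.
    if len(ttls) == 1 and ids_increase_monotonically(ids):
        return ("single-source", 1)
    # Otherwise split into streams by TTL (constant per source-destination path)
    # and require each stream to carry its own increasing ID sequence.
    # Caveat: two attackers behind the same hop count share a TTL and would be
    # merged into one stream, so n is a lower bound on the number of sources.
    streams = defaultdict(list)
    for pid, ttl in packets:
        streams[ttl].append(pid)
    if len(streams) > 1 and all(ids_increase_monotonically(s) for s in streams.values()):
        return ("multi-source", len(streams))
    return ("unclassified", 0)


# Constructed sample traces (not captured data).
SINGLE = [(100 + i, 52) for i in range(20)]
WRAPPED = [(65534, 52), (65535, 52), (0, 52), (1, 52)]      # ID wraps past 2^16
MULTI = [(5000, 52), (700, 61), (5001, 52), (702, 61), (5002, 52), (704, 61)]
SPOOFED = [(10, 40), (5, 41), (2, 40), (9, 41)]              # randomised IDs, no order

if __name__ == "__main__":
    for name, trace in [("SINGLE", SINGLE), ("WRAPPED", WRAPPED),
                        ("MULTI", MULTI), ("SPOOFED", SPOOFED)]:
        print(name, classify_by_headers(trace))
```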

  12. Attack Classification
      • Using ramp-up behavior
        - Single-source attacks do not exhibit ramp-up behavior.
        - Multi-source attacks do exhibit ramp-up.
        - Cannot robustly identify single-source attacks.

  13. Attack Classification

  14. Attack Classification
      • Using spectral analysis
        - Single-source attacks have a linear cumulative spectrum because the dominant frequencies are spread across the spectrum.
        - Multi-source attacks shift the spectrum to lower frequencies.

  15. Attack Classification

  16. Attack classification

  17. Attack Classification

  18. Attack Classification

  19. Evaluation
      • Attack detection
      • Packet header analysis
      • Arrival rate analysis
      • Ramp-up behavior analysis
      • Spectral content analysis

  20. Evaluation

  21. Evaluation

  22. Evaluation

  23. Evaluation

  24. Evaluation

  25. Evaluation

  26. Evaluation

  27. Validation
      • Observations from an alternate site
      • Experimental confirmation
        - Clustered topology
        - Distributed topology
      • Understanding multi-source effects

  28. Validation

  29. Validation

  30. Validation: Understanding Multi-Source Effects
      1. Aggregation of multiple sources at either slightly or very different rates.
      2. Bunching of traffic due to queuing behavior.
      3. Aggregation of multiple sources, each at a different phase.

  31. Validation

  32. Validation

  33. Applications
      • Automating attack detection will be useful in selecting the appropriate response mechanism.
      • Modeling attacks will help in attack detection and response.
      • Inferring DoS activity in the Internet will be useful for approximating attack prevalence if the size and duration of the monitored region can be increased.

  34. Conclusion
      • This paper presented a framework to classify DoS attacks into single-source and multi-source attacks.
      • If an attacker alters the spectral characteristics of the attack traffic, the paper does not give a method to classify such DoS attacks as single- or multi-source.
