Packet Score: Statistics-based Overload Control against Distributed Denial-of-service Attacks. Authors: Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao. Presenter: Yatin Manjrekar.

Presentation Transcript
  1. Packet Score: Statistics-based Overload Control against Distributed Denial-of-service Attacks
  Authors: Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao
  Presenter: Yatin Manjrekar

  2. Agenda
  • Introduction
  • Overview of the PacketScore approach
  • PacketScore methodologies
  • Performance evaluation
  • Conclusion

  3. Introduction
  • A denial-of-service attack overloads the server in order to bring it down
  • Distributed denial-of-service attacks come in two forms: end-point attacks and infrastructure attacks
  • Limitations of manual detection and filtering

  4. Introduction cont.
  • The D-WARD approach: statistical traffic profiling at the edge of the network
  • Aims at stopping the attack near its source
  • Its viability hinges on the cooperation of the ingress network's administrators
  • Deployment issue: what about the backbone network?
  • Available commercial products do not fully automate packet differentiation and filter enforcement

  5. Overview of the PacketScore approach
  • Three phases, carried out by the 3D-R (Detecting-Differentiating-Discarding Router):
  • Detect the onset of an attack
  • Differentiate between legitimate and attack packets using the Conditional Legitimate Probability (CLP)
  • Discard packets selectively
  • What is PacketScore? A score-based filtering approach: every suspicious packet gets a score, and the lowest-scoring packets are dropped first

  6. PacketScore methodologies
  • Packet differentiation via fine-grained comparison of traffic profiles (the current profile against the nominal one)
  • Assumption: some traffic characteristics are stable during normal operation
  • A sudden increase in the frequency of an attribute value indicates that packets carrying that value are attack packets
  • Can one guess the distribution of an attribute in advance?

  7. Attribute value distribution (figure only)

  8. Attribute value distribution cont. (figure only)

  9. Attribute value distribution cont. (figure only)

  10. Conditional Legitimate Probability (CLP)
  • The likelihood that a suspicious packet is legitimate, conditioned on the attribute values it carries
  • Each packet carries a set of discrete-valued attributes
  • A joint distribution is kept for strongly correlated attributes
  • Marginal distributions are kept for the other attributes

  11. Conditional Legitimate Probability (CLP) (formula slide; not in the transcript)

  12. CLP cont. (formula slide; not in the transcript)

  13. Variation of nominal profiles
  • The nominal traffic profile is a function of time
  • The traffic profile changes with the day of the week and the time of day
  • These profile changes can be handled by periodic recalibration
  • A 95th-percentile cutoff is used to save storage

  14. Managing nominal traffic profiles
  • Iceberg-style histograms
  • The traffic profile of each target is stored as a set of normalized histograms
  • An iceberg histogram includes only the most frequent entries
  • Missing entries are assumed to have the relative upper-bound frequency (no omitted entry can be more frequent than the least frequent entry kept)
  • The per-target profile is kept to a manageable size, saving storage

  15. Real-time profiling
  • The packet attribute distributions are updated as packets arrive
  • Updating is decoupled from computing the CLP; the two run in parallel on different time scales
  • The CLP is computed from a recent snapshot of the measured histograms
  • The snapshot is turned into a set of scorebooks, each mapping a specific combination of attribute values to a score

  16. Real Time traffic profiling

  17. Selective packet discarding
  • On arrival of a suspicious packet:
  • The CLP is the differentiating metric
  • The aggregate arrival rate is adjusted, which in turn drives the load-shedding algorithm
  • The packet's attributes are used to update the traffic profile
  • The CLP-based score is computed from the frozen (snapshot) scorebooks
  • The packet is discarded if its score is below the threshold
  • Immunity rules can exempt packets that have a minimum throughput requirement
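Putting slides 10, 14, 15 and 17 together, the following is an added example (mine, not the presentation's or the paper's code) of the whole scoring pipeline: iceberg-histogram profiles, a scorebook frozen from a snapshot of the measured histograms, a CLP-style score per packet, a load-shedding threshold and threshold discarding with an immunity hook. It assumes the score is log(ρ_nominal/ρ_measured) plus the sum over attributes of log(P_nominal(value)/P_measured(value)), which is how the original PacketScore paper defines the CLP (the slides do not reproduce the formula); the attribute set, the EPS floor, the quantile-based threshold and all packets are constructed for the demo.

```python
"""Score-based filtering in the style of PacketScore.  Added example, not code
from the slides or the paper.  Assumptions: attribute values are strings; the
score is log(rho_nominal/rho_measured) + sum_a log(P_nominal(a)/P_measured(a))
(the CLP of the original paper, my rendering); EPS, the attribute set, the
quantile threshold and all traffic below are invented for the demo."""
import math
from collections import Counter

ATTRIBUTES = ("proto", "dst_port", "ttl", "pkt_len")  # hypothetical attribute set
EPS = 1e-6  # assumption: floor for a value never seen when no iceberg bound exists


def iceberg_histogram(packets, attr, keep):
    """Normalized histogram of `attr` keeping only the `keep` most frequent
    values, plus the relative upper bound on any omitted value's frequency
    (no omitted value occurs more often than the rarest value kept)."""
    counts = Counter(p[attr] for p in packets)
    total = sum(counts.values())
    top = counts.most_common(keep)
    hist = {value: n / total for value, n in top}
    bound = top[-1][1] / total if len(counts) > keep else 0.0
    return hist, bound


def build_profile(packets, keep=2):
    """Per-target profile: one iceberg histogram per attribute."""
    return {a: iceberg_histogram(packets, a, keep) for a in ATTRIBUTES}


def make_scorebook(nominal, measured):
    """Freeze partial scores log(P_nominal / P_measured) per attribute value.
    A value absent from a histogram takes that histogram's iceberg bound."""
    book = {}
    for a in ATTRIBUTES:
        n_hist, n_bound = nominal[a]
        m_hist, m_bound = measured[a]
        entries = {}
        for value in set(n_hist) | set(m_hist):
            pn = max(n_hist.get(value, n_bound), EPS)
            pm = max(m_hist.get(value, m_bound), EPS)
            entries[value] = math.log(pn / pm)
        default = math.log(max(n_bound, EPS) / max(m_bound, EPS))
        book[a] = (entries, default)
    return book


def packet_score(packet, scorebook, rate_term):
    """CLP-style score: rate term plus frozen partial scores (higher = more legitimate)."""
    total = rate_term
    for a in ATTRIBUTES:
        entries, default = scorebook[a]
        total += entries.get(packet[a], default)
    return total


def shed_threshold(scores, nominal_rate, measured_rate):
    """Load shedding: drop just enough of the lowest scores to bring the measured
    rate down to the nominal rate (assumption: a quantile of recent scores)."""
    if measured_rate <= nominal_rate:
        return -math.inf
    ordered = sorted(scores)
    n_drop = round((1.0 - nominal_rate / measured_rate) * len(ordered))
    return ordered[n_drop] if n_drop < len(ordered) else math.inf


def filter_packets(packets, scorebook, rate_term, threshold, immune=lambda p: False):
    """Discard a packet scoring below the threshold unless an immunity rule exempts it."""
    kept, dropped = [], []
    for p in packets:
        if immune(p) or packet_score(p, scorebook, rate_term) >= threshold:
            kept.append(p)
        else:
            dropped.append(p)
    return kept, dropped


def mk(proto, dst_port, ttl, pkt_len):
    return {"proto": proto, "dst_port": dst_port, "ttl": ttl, "pkt_len": pkt_len}


# Constructed traffic (not real captures): 10 nominal packets/s, then the same
# mix plus a 20 packet/s SYN flood whose TTL and length never occur nominally.
NOMINAL = ([mk("tcp", "80", "64", "1500")] * 5 + [mk("tcp", "443", "64", "1500")] * 3
           + [mk("udp", "53", "64", "80")] * 2)
ATTACK = [mk("tcp", "80", "255", "40")] * 20


def run_demo():
    nominal_rate, measured_rate = float(len(NOMINAL)), float(len(NOMINAL) + len(ATTACK))
    window = NOMINAL + ATTACK  # snapshot of the measured histograms
    scorebook = make_scorebook(build_profile(NOMINAL), build_profile(window))
    rate_term = math.log(nominal_rate / measured_rate)
    scores = [packet_score(p, scorebook, rate_term) for p in window]
    threshold = shed_threshold(scores, nominal_rate, measured_rate)
    kept, dropped = filter_packets(window, scorebook, rate_term, threshold)
    return {"threshold": threshold,
            "legit_web": packet_score(NOMINAL[0], scorebook, rate_term),
            "syn_flood": packet_score(ATTACK[0], scorebook, rate_term),
            "kept": len(kept), "dropped": len(dropped)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the demo the flood packets score far below every nominal packet because their TTL and length are absent from the nominal profile, and the load-shedding threshold lands exactly on the lowest legitimate score, so all 20 attack packets are dropped and all 10 legitimate ones pass. Note the design choice behind the iceberg bound: an attribute value that was too rare to be kept in the nominal histogram is treated as legitimate-as-possible, which is conservative towards false positives but also what makes the profile small.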

  18. Performance Evaluation

  19. Performance criteria
  • The criterion is the separation between the score distributions of attack packets (RA) and legitimate packets (RL)
  • Both score distributions have long, thin tails with outliers
  • So MinL is taken as the 1st percentile of the legitimate scores and MaxA as the 99th percentile of the attack scores, rather than the true minimum and maximum
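The MinL/MaxA check from this slide, as an added example (mine, not from the presentation). The score samples are constructed, not measured; the nearest-rank percentile and the midpoint threshold are my choices. It shows why the percentiles are used: one rare legitimate packet type and one attack packet that happens to look legitimate make the raw minimum and maximum overlap, while the 1st/99th percentiles still leave a usable gap.

```python
"""MinL/MaxA separation check for PacketScore-style score distributions.
Added example; score samples are constructed, percentile method is nearest-rank."""
import math


def percentile(values, pct):
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n) in sorted order."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def evaluate(legit_scores, attack_scores):
    """MinL = 1st percentile of legitimate scores, MaxA = 99th percentile of
    attack scores.  A positive gap means a single threshold drops ~99% of the
    attack traffic while keeping ~99% of the legitimate traffic, even when
    outliers make the raw min/max overlap (negative naive_gap)."""
    min_l = percentile(legit_scores, 1)
    max_a = percentile(attack_scores, 99)
    threshold = (min_l + max_a) / 2.0  # any value in (max_a, min_l) works when gap > 0
    return {
        "min_l": min_l,
        "max_a": max_a,
        "gap": min_l - max_a,
        "naive_gap": min(legit_scores) - max(attack_scores),
        "threshold": threshold,
        "legit_dropped": sum(s < threshold for s in legit_scores) / len(legit_scores),
        "attack_passed": sum(s >= threshold for s in attack_scores) / len(attack_scores),
    }


# Constructed samples: 200 legitimate scores spread over 1.5..3.5 plus one rare
# legitimate packet type scoring -30; 200 attack scores spread over -25..-21 plus
# one attack packet that happens to look legitimate and scores 5.
LEGIT = [-30.0] + [1.5 + 0.01 * i for i in range(199)]
ATTACK = [5.0] + [-25.0 + 0.02 * i for i in range(199)]

if __name__ == "__main__":
    for key, value in evaluate(LEGIT, ATTACK).items():
        print(f"{key}: {value}")
```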

  20. Evaluated attack types
  • Generic attack
  • TCP-SYN flood attack
  • SQL Slammer worm attack
  • Nominal attack
  • Mixed attack
  • Changing attack

  21. Effect of increasing Attack intensity

  22. Nominal Profile sensitivity

  23. Different options of scoring Strategies

  24. Scoring strategy

  25. Setting thresholds

  26. Conclusion
  • The collaboration of the 3D-Rs (Detecting-Differentiating-Discarding Routers) and the DCS (DDoS Control Server) defends against DDoS attacks
  • The proposed scheme leverages hardware implementations of data stream processing techniques
  • The performance and design trade-offs of the proposed packet scoring scheme were studied
  • It can tackle never-seen-before DDoS attacks (presenter's note: a weak claim? too many parameters?)

  27. Q & A. Comments?
