Graduate Exam Abstract

Negar Mosharraf Ghahfarokhi

Ph.D. Preliminary

May 15, 2014, 2:00-4:00 p.m.

Mechanical Engineering Conference Room

Cooperative Defense Mechanisms for Detection, Identification and Filtering of DDoS Attacks

Abstract: A distributed, responsive defense model for DDoS attacks is proposed, based on identifying attack traffic in a distributed manner. The goal of this work is to present and evaluate responsive defense approaches that discriminate between legitimate and malicious packets during an attack and respond by dropping traffic perceived as malicious at network routers closer to the attackers. To respond successfully, the approach must detect the attack accurately, respond with minimum damage to legitimate traffic, drop traffic as close to the source as possible, and minimize the cost of the response points across the network. The responsive defense model contains three main components: an attack detection and identification mechanism, a cooperative mechanism among selected nodes, and a filtering mechanism.

Attack detection and identification direct all further actions and therefore determine the overall performance of the defense mechanism; it is crucial to identify attacks without misclassifying traffic. In general, attack traffic originates from many different sources, some of which are themselves compromised victims, and overwhelms the target in a short time. A key problem in continuing service under a DDoS attack is developing a model that discriminates between legitimate and attack traffic. First, we will investigate features of specific attacks and of normal traffic to develop an identification model for attack traffic. We examine multiple features of DDoS attacks and of normal traffic to extract characteristics that indicate the occurrence of a DDoS attack. These features are used to develop a normal traffic signature that categorizes normal and attack traffic more accurately. The second component, once the identification model is determined, is a set of mechanisms that use the detection model effectively.

A complete DDoS defense is distributed in terms of where the victim node performs detection and where the response points are located. Generally, the victim is a good point at which to discriminate DDoS traffic from legitimate traffic; however, it is not a good point at which to filter attack packets, and filtering there does little to reduce the network traffic caused by a flooding attack. Routers closer to the source of the attack and far from the victim are efficient points at which to block attack traffic. Therefore, a distributed responsive mechanism that assigns different tasks to different points is required for proper defense; this is the second component of our proposed model. Our scheme is a hybrid of detection points and response points, distributed so that the defense can be carried out efficiently against DDoS attacks. Third, we will use a filtering mechanism to minimize the impact of the attack traffic on the victim and on the network. During the attack, the filters have to be propagated to the routers, and these routers must check each packet to determine whether it is legitimate. Processing every packet destined for the victim is a costly task for routers, so finding an efficient model that passes good traffic while removing attack traffic is a significant contribution. We will investigate novel data structures to reduce the communication and computation costs, the storage requirements at routers, and the overall overhead of removing malicious traffic. Real network traffic and DDoS attack datasets from sources such as DARPA, CAIDA, and Auckland University, as well as the ISCX intrusion detection dataset, are used to evaluate the developed techniques. In addition, OPNET can be employed as a network simulation tool to analyze our model.
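The following is an added illustration of the three components described above (detection at the victim, propagation of a compact filter to upstream routers, and per-packet filtering there); it is not code from the abstract or from the papers listed below. It assumes, for simplicity, that the "normal traffic signature" is a standard Bloom filter over source addresses learned during a quiet period (the thesis uses richer features), that detection is a plain packets-per-window threshold, and that the traffic, the address ranges, and the class and function names are all constructed for the example.

```python
import hashlib
import math
import random

VICTIM_IP = "198.51.100.10"  # constructed: the server under attack


class BloomFilter:
    """Bit array probed at k salted SHA-256 positions. Never yields a false
    negative, so a learned legitimate source is never dropped; the price is
    a tunable false-positive rate that lets a few attack packets through."""

    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray(math.ceil(m_bits / 8))

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

    def to_bytes(self):
        return bytes(self.bits)  # the whole message a router has to receive

    @classmethod
    def from_bytes(cls, data, m_bits, k_hashes):
        bf = cls(m_bits, k_hashes)
        bf.bits = bytearray(data)
        return bf


def expected_false_positive_rate(m_bits, k_hashes, n_items):
    """Textbook estimate (1 - e^{-kn/m})^k of the attack leakage to expect."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


class Victim:
    """Detection point: learns the normal signature and raises the alarm."""

    def __init__(self, m_bits=4096, k_hashes=3, packets_per_window=300):
        self.m, self.k = m_bits, k_hashes
        self.threshold = packets_per_window  # assumed volume threshold
        self.signature = BloomFilter(m_bits, k_hashes)

    def learn_normal(self, window):
        for src, _dst in window:  # assumption: signature = sources seen when quiet
            self.signature.add(src)

    def detect(self, window):
        return len(window) > self.threshold


class UpstreamRouter:
    """Response point: drops packets whose source is not in the signature."""

    def __init__(self, name):
        self.name, self.whitelist, self.dropped = name, None, 0

    def install_filter(self, data, m_bits, k_hashes):
        self.whitelist = BloomFilter.from_bytes(data, m_bits, k_hashes)

    def forward(self, packets):
        if self.whitelist is None:  # no alarm received: forward everything
            return list(packets)
        passed = []
        for pkt in packets:
            if pkt[0] in self.whitelist:
                passed.append(pkt)
            else:
                self.dropped += 1
        return passed


def run_scenario(seed=7):
    """Constructed traffic: 50 legitimate sources, then a spoofed flood."""
    rng = random.Random(seed)
    legit_sources = [f"10.0.0.{i}" for i in range(1, 51)]
    victim = Victim()
    routers = [UpstreamRouter("R1"), UpstreamRouter("R2")]

    # Phase 1: quiet period, four packets from each legitimate source.
    normal = [(src, VICTIM_IP) for src in legit_sources for _ in range(4)]
    victim.learn_normal(normal)
    quiet_alarm = victim.detect(normal)

    # Phase 2: 2000 packets from spoofed 203.x.x.x sources plus 100 legitimate.
    attack = [(f"203.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
               VICTIM_IP) for _ in range(2000)]
    attack += [(rng.choice(legit_sources), VICTIM_IP) for _ in range(100)]
    rng.shuffle(attack)

    attack_alarm = victim.detect(attack)
    if attack_alarm:  # cooperative step: push the compact filter upstream
        for r in routers:
            r.install_filter(victim.signature.to_bytes(), victim.m, victim.k)

    delivered = []
    for idx, r in enumerate(routers):  # alternate packets across R1 and R2
        delivered += r.forward(attack[idx::2])

    legit_passed = sum(1 for src, _ in delivered if src.startswith("10.0.0."))
    attack_passed = len(delivered) - legit_passed
    return {
        "quiet_alarm": quiet_alarm,
        "attack_alarm": attack_alarm,
        "filter_bytes": len(victim.signature.to_bytes()),
        "legit_passed": legit_passed,
        "legit_dropped": 100 - legit_passed,
        "attack_passed": attack_passed,
        "attack_dropped": 2000 - attack_passed,
        "expected_fp_rate": expected_false_positive_rate(victim.m, victim.k,
                                                         len(legit_sources)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two properties of the example are worth noting. No legitimate packet is ever dropped, because a Bloom filter has no false negatives; the collateral damage the abstract warns about shows up instead as attack packets that slip through, at roughly the rate `expected_false_positive_rate` predicts. And the message pushed to each router is a fixed 512 bytes regardless of how many sources are whitelisted; for only 50 sources a plain address list would be smaller, but the filter's size does not grow with the whitelist, which is the communication- and storage-cost trade-off the third component is about.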

Adviser: Anura Jayasumana
Co-Adviser: Indrakshi Ray
Non-ECE Member: Yashwant Malaiya, CS
Member 3: Ali Pezeshki, ECE
Additional Members: N/A

N. Mosharraf, A. P. Jayasumana, I. Ray, "A Responsive Defense Mechanism against DDoS attacks" (under review)

N. Mosharraf, A. P. Jayasumana, "A Model for Path Signatures based on Packet-Pair Dispersion in Multihop Networks" (under review)

N. Mosharraf, A. P. Jayasumana, I. Ray, "Compacted Bloom Filter" (in preparation)

Program of Study: