Graduate Exam Abstract
Negar Mosharraf Ghahfarokhi
Ph.D. Preliminary
May 15, 2014, 2:00-4:00 p.m.
Mechanical Engineering Conference Room
Cooperative Defense Mechanisms for Detection, Identification and Filtering of DDoS Attacks
Abstract: A distributed responsive defense model for DDoS
attacks is proposed based on identification of
attack traffic in a distributed manner. The goal
of this work is to present and evaluate responsive
defense approaches that discriminates between
legitimate and malicious packets during the attack
and responds to it by dropping traffic perceived
as malicious at network routers closer to the
attackers. To successfully respond, the approach
must accurately detect the attack and effectively
respond with minimum damage to legitimate traffic,
drop traffic as close to the source as possible,
and minimize the cost of response points through
the network.
The responsive defense model contains three main
components: an attack detection and
identification mechanism, a cooperative mechanism
among selected nodes, and a filtering mechanism.
Attack detection and identification mechanisms are
important procedures to direct any further
actions, and they affect the overall performance
of defense mechanism. It is a crucial step to
identify attacks without misclassifying traffic.
In general attack traffic originates from many
different sources, some of which are victims
themselves, to send attack traffic and overwhelm
the victim in a short time. A key problem when
trying to continue service under the DDoS attack
is developing a model to discriminate between
legitimate and attack traffic.
First, we will investigate specific attacks and
normal traffic features to develop an
identification model for attack traffic. We look
into multiple features of DDoS attacks and normal
traffic to extract characteristics that give
information about the occurrence of the DDoS
attacks. These features are used to develop a
normal traffic signature that can be used to
categorize normal and attack traffic more
accurately.
The second component after determining
identification model is to develop mechanisms that
utilize the detection model in an effective way. A
complete DDoS attack solution is distributed in
terms of where the victim node preforms the
detection and response points are located.
Generally, the victim point is good point to
discriminate DDoS traffic from legitimate traffic;
however, it is not a good point to filter the
attack packets and is not a useful reaction to
reduce network traffic due to flooding attacks.
Routers closer to the source of the attack and far
from the victim node are efficient points to block
attack traffic. Therefore, we require a
distributed responsive mechanism to consider
different points for different tasks for proper
defense, where the second component is developed
in our proposed model. Our scheme is a hybrid
mechanism between defense points and responsive
points as the distributed points that can be
performed efficiently against DDoS attacks.
Third, we will use a filtering mechanism to
minimize the impact of the attack traffic on the
victim and on the network. During the attack, the
filters have to be propagated to the routers.
Moreover, these routers must check each packet to
determine whether it is legitimate or not. In
particular, it is a costly task for routers to
process all packets toward the victim nodes.
Therefore, finding an efficient model to filter
good traffic is a significant contribution. We
will investigate novel data structures to reduce
the communication and computation costs and the
storage requirements at routers and the overall
overhead to remove for malicious traffic.
Real network traffic and DDoS attack dataset from
sources such as DARPA, CAIDA, and Auckland
University as well as ISCX intrusion detection
dataset are used to evaluate the developed
techniques. In addition, OPNET as a network
simulation tool can be employed to analyze our
model.
Adviser: Anura Jayasumana
Co-Adviser: Indrakshi Ray
Non-ECE Member: Yashwant Malaiya, CS
Member 3: Ali Pezeshki, ECE
Addional Members: N/A
Publications:
N. Mosharraf, A. P. Jayasumana, I. Ray, "A Responsive Defense Mechanism against DDoS attacks" (under review)
N. Mosharraf, A. P. Jayasumana, "A Model for Path Signatures based on Packet-Pair Dispersion in Multihop Networks" (under review)
N. Mosharraf, A. P. Jayasumana, I. Ray, "Compacted Bloom Filter" (in preparation)
Program of Study:
ECE658
CS556
CS560
CS656
CS533
ECE799
CS799
N/A
