Graduate Exam Abstract

Negar Mosharraf Ghahfarokhi

Ph.D. Final

May 31, 2016, 1:00 pm - 3:00 pm

B4 Engineering

Cooperative Defense Mechanisms for Detection, Identification and Filtering of DDoS Attacks

Abstract: Distributed Denial of Service (DDoS) attacks, which are intended to make services unavailable to legitimate users, originate in a highly distributed manner and give the illusion of legitimate traffic. The number of attacks and the volume of traffic associated with them continue to increase dramatically. At these traffic intensities the network infrastructure upstream from the intended victim also becomes severely affected, so attack traffic must be filtered as close as possible to the attack sources. However, it is difficult to anticipate and identify such nodes, as the attacks originate at widely distributed nodes and spread through various routes. To respond successfully by dropping traffic, the mitigating approach must identify routers on traffic paths carrying significant attack traffic and respond with minimum effect on legitimate traffic. We develop a suite of solutions to address this problem. Cooperative Defense Mechanism (CDM), a distributed responsive defense mechanism for DDoS attacks, is presented. CDM allows the identification of network routers closer to the attack sources and provides these routers with a profile that facilitates discrimination between legitimate and malicious packets during the attack, thus enabling them to drop traffic perceived as malicious in a distributed manner. The cooperative defense model consists of three main components: (1) an attack traffic identification mechanism, (2) a filtering mechanism, and (3) a cooperative mechanism to identify the most effective points for filtering.

First, we investigate the features of attack and normal traffic to develop an identification model for the attack traffic. The main challenge is to detect attack traffic without misclassifying legitimate traffic, thus avoiding the disruption of normal services. Parameters such as source/destination IP address, port number and packet size are employed to establish the identification model and to develop a scoring mechanism that provides the basis for a history-based profile. The effectiveness of this approach lies in blocking attack traffic while allowing legitimate traffic through at upstream routers. Experimental results, based on a recent traffic trace from Colorado State University, indicate that the filtering model is able to protect the victim node on average from ~95% of attack traffic while preserving ~75% of the normal legitimate traffic.

The second component, the filtering mechanism, is aimed at dropping attack traffic closer to the sources while minimizing the impact on legitimate traffic. The filters are propagated to selected upstream routers during the attack, keeping the associated communication and memory overhead low. A Bloom filter based mechanism is proposed to efficiently implement and disseminate the proposed history-based profile. Moreover, we introduce a novel data structure, which we refer to as the Compacted Bloom Filter (CmBF), that further improves performance, uses less storage, reduces the communication and computation costs, and provides the same functionality as a standard Bloom filter. However, unlike the standard Bloom filter, CmBF limits false positives significantly at the expense of false negatives in membership queries. Our work is motivated by a class of applications that must transmit Bloom filters over a network, and by endpoint machines with limited memory that must still meet a specific false positive probability. We derive expressions for the false positive and false negative rates. Simulation results are used to validate the derived expressions and explore the tradeoffs when using the CmBF.

The third component identifies the most effective points where the Bloom filter based mechanism can be placed to mitigate the attacks. We do this by monitoring the network traffic during the attack period. The approach tries to minimize the modifications required to the routers and the current protocols to combat DDoS attacks. Such modifications will have low complexity and will be scalable. Our solution benefits from a recently developed technology, typically implemented as Small Formfactor Probes (SFP) using FPGAs, which helps gather, distribute, and analyze information from a distributed Ethernet network. SFProbes can plug into any SFP-compatible element, such as a router, in a way that does not interfere with the traffic flow. Our approach uses a subset of probes to identify the nodes that carry attack traffic. Extensive simulation in OPNET with the CAIDA attack dataset shows that our solution is able to place all the filtering routers in the vicinity of the attacker nodes (within the first three routers) and stops 95% of attack traffic while allowing 77% of the legitimate traffic to reach the victim node when the percentage of participating SFProbes in the network is 80%. Results also demonstrate the effectiveness of the mechanism in preserving valuable network resources and link utilizations for other end-users during the attack, thereby preserving service availability and minimizing the attack impact.

An analytical model for the packet-pair dispersion signature in multi-hop networks is presented in the last part of our investigation. A path signature is an essential tool for numerous applications that need to distinguish between different network paths, diagnose problems, test protocols under realistic network conditions, and determine whether two paths share common links. Our approach is a passive technique that relies on existing network traffic and hence does not consume network resources for measurements. The relationship between the input and output gaps of packet-pairs and the corresponding distribution of end-to-end packet-pair dispersion are derived. This derivation is then used to determine the signature characterizing the path; path signatures can also provide other properties of a path, such as an available bandwidth estimate, utilization, and the bottleneck capacity of the path, to monitor and diagnose network problems. The analytical model was verified using OPNET simulations and was used to evaluate the impact of factors such as the number of hops, initial dispersion, link capacities, and cross traffic on the shape of the signature.

The proposed solutions are evaluated on either real-world or realistic data to establish performance and accuracy. Real network traffic and DDoS attack datasets from sources such as Colorado State University (FRGP Continuous Flow Data), DARPA, CAIDA 2007, and the Auckland University dataset were used to evaluate the performance of the developed techniques.
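The history-based profile and upstream filtering described in the abstract, as an added illustration that is not code from the dissertation: a standard Bloom filter (not the Compacted Bloom Filter, whose construction the abstract does not give) stores keys built from the source IP, destination port and packet-size bucket observed in a normal period, and during the attack a router passes only packets whose key is in the profile. The feature tuple, the 64-byte size bucket, the filter parameters and the traffic samples are assumptions constructed for this example.

```python
import hashlib
import math

class BloomFilter:
    """Standard Bloom filter: m bits, k positions per key by double hashing SHA-256."""
    def __init__(self, m_bits, k_hashes):
        self.m, self.k, self.n = m_bits, k_hashes, 0  # n = keys inserted so far
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key):
        h = hashlib.sha256(key.encode()).digest()
        h1, h2 = int.from_bytes(h[:8], "big"), int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, key):  # no false negatives: every inserted key answers True
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))

    def false_positive_rate(self):
        # Classic estimate (1 - e^{-kn/m})^k: share of unseen keys that would leak through.
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k

def profile_key(src_ip, dst_port, pkt_len):
    # Assumed feature tuple; length is bucketed into 64-byte classes to tolerate jitter.
    return f"{src_ip}|{dst_port}|{pkt_len // 64}"

def build_profile(normal_packets, m_bits=4096, k_hashes=4):
    # Learn the history-based profile from packets seen during a normal period.
    bf = BloomFilter(m_bits, k_hashes)
    for pkt in normal_packets:
        bf.add(profile_key(*pkt))
    return bf

def filter_packets(bf, packets):
    # Upstream-router decision: packets whose key is in the profile pass, the rest drop.
    passed = [p for p in packets if profile_key(*p) in bf]
    return passed, [p for p in packets if profile_key(*p) not in bf]

# Constructed sample traffic as (src_ip, dst_port, pkt_len); not from the CSU or CAIDA data.
NORMAL = [(f"10.0.0.{i}", 443, size) for i in range(1, 51) for size in (80, 1200)]
ATTACK = [(f"192.0.2.{i}", 80, 60) for i in range(1, 201)]  # spoofed flood toward port 80

def run_demo():
    bf = build_profile(NORMAL)
    legit_kept, _ = filter_packets(bf, NORMAL)
    leaked, dropped = filter_packets(bf, ATTACK)
    return {"legit_kept": len(legit_kept), "attack_dropped": len(dropped),
            "attack_leaked": len(leaked), "fp_estimate": bf.false_positive_rate()}
```

Because a standard Bloom filter has no false negatives, every profiled legitimate packet passes; the attack packets that leak are governed only by the false positive estimate the block computes, which is the rate the CmBF is designed to push down at the cost of some false negatives.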

Adviser: Anura P. Jayasumana
Co-Adviser: Indrakshi Ray
Non-ECE Member: Yashwant Malaiya, Computer Science
Member 3: Ali Pezeshki, Electrical & Computer Engineering
Additional Members: N/A

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘A Responsive Defense Mechanism Against DDoS Attacks,’ Foundations and Practice of Security, F. Cuppens et al. (Eds.), LNCS 8930, Springer, pp. 347–355, 2015.

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘A Responsive Defense Mechanism against DDoS Attacks,’ Proc. 7th International Symposium on Foundations and Practice of Security (FPS 2014), Montreal, Canada, Nov. 3-5, 2014.

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘Compacted Bloom Filter,’ Journal paper (Under review).

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘A Distributed Mechanism to Protect against DDoS Attacks,’ Conference paper (Under review).

N. Mosharraf and A. P. Jayasumana, ‘Packet-Pair Dispersion Signatures in Multihop Networks,’ Conference paper (Under review).

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘An Identification History-Based Profile Model to Protect against DDoS Attacks,’ Journal paper (To be submitted).

Program of Study:
ECE 658 - Internet Engineering
CS 556 - Computer Security
CS 656 - Advanced Topics in Computer Security - Mo
CS 560 - Foundations of Fine-Grain Parallelism
CS 533 - Database Management Systems
ECE 799 - Dissertation
CS 799 - Dissertation