Walter Scott, Jr. College of Engineering

Graduate Exam Abstract

Negar Mosharraf Ghahfarokhi
Ph.D. Final
May 31, 2016, 1:00 pm - 3:00 pm
B4 Engineering
Cooperative Defense Mechanisms for Detection, Identification and Filtering of DDoS Attacks
Abstract: Distributed Denial of Service (DDoS) attacks, which are
intended to make services unavailable for legitimate users,
originate in a highly
distributed manner providing the illusion of legitimate traffic. The
number of attacks and the volume of traffic associated with attacks
continue to increase dramatically. At these traffic intensities the
network infrastructure upstream from the intended victim also becomes
severely affected, necessitating that attack traffic be filtered as
close as possible to the attack sources. However, it is difficult to
anticipate and identify such nodes as the attacks originate at widely
distributed nodes and spread through various routes. To
successfully respond by dropping traffic, the mitigating approach must
identify routers on traffic paths with significant attack traffic and
respond with minimum effect on legitimate traffic. We develop a suite
of solutions to address this problem.

Cooperative Defense
Mechanism (CDM), a distributed responsive defense mechanism for DDoS
attacks, is presented. CDM allows the identification of
network routers closer to the attack sources and provides these
routers a profile that facilitates discrimination between legitimate
and malicious packets during the attack and thus enables them to drop
traffic perceived as malicious in a distributed manner.
The cooperative defense model consists of three main components: (1)
an attack traffic identification mechanism, (2) a filtering
mechanism, and (3) a cooperative mechanism to identify the most
effective points for filtering.

First, we investigate the features of attack and normal traffic to
develop an identification model for the attack traffic. The main
challenge is to detect attack traffic without misclassifying legitimate traffic,
thus avoiding the disruption of normal services. Parameters such
as source/destination IP address, port number, and packet size are
employed to establish the identification model and develop a scoring
mechanism that provides the basis to create a history-based profile.
The effectiveness of this approach is in blocking attack traffic and
allowing the legitimate traffic at upstream routers. Experimental
results, based on a recent traffic trace from Colorado State
University, indicate that the filtering model is able to protect the victim node
on average from ~95% of attack traffic while preserving ~75% of the
normal legitimate traffic.

The second component, the filtering mechanism, is aimed at dropping attack
traffic closer to the sources while minimizing the impact on
legitimate traffic. The filters are propagated to selected upstream
routers during the attack, keeping the associated communication and memory
overhead low. A Bloom filter based mechanism is proposed to
efficiently implement and disseminate the proposed history-based
profile. Moreover, we introduce a novel data structure, which we
refer to as the Compacted Bloom Filter (CmBF) that further
improves performance, uses less storage, reduces the communication and
computation costs, and provides the same functionality as a
standard Bloom filter. However, unlike the standard Bloom filter, CmBF
limits false positives significantly at the expense of false
negatives in membership queries. Our work is motivated by a class of
applications that must transmit Bloom filters over a network, and by
endpoint machines that have limited memory available to meet a
specific false positive probability. We derive expressions for the
false positive and false negative rates. Simulation results are used
to validate the derived expressions and explore the tradeoffs when
using the CmBF.

The third component identifies the most effective points where the
Bloom filter based mechanism can be placed to mitigate the attacks.
We do this by monitoring the network traffic during the attack period.
The approach tries to minimize the modifications required to the
routers and the current protocols to combat DDoS attacks. Such
modifications will have a low complexity and will be scalable. Our
solution benefits by using a recently developed technology, typically
implemented as Small Formfactor Probes (SFP) using FPGAs,
which helps gather, distribute, and analyze information from a
distributed Ethernet network. SFProbes can plug into any SFP
compatible elements such as routers in a way that does not interfere with the
traffic flow. Our approach uses a subset of probes to identify the
nodes that carry attack traffic. Extensive simulation in OPNET? with
CAIDA attack dataset shows that our solution is able to place all the
filtering routers in the vicinity of the attacker nodes (within the
first three routers) and stops 95% of attack traffic while allowing
77% of the legitimate traffic to reach the victim node when the percentage of
participating SFProbes in the network is 80%. Results also
demonstrate the effectiveness of the mechanism in preserving valuable
network resources and link utilizations for other end-users during
the attack time, thereby preserving the service availability and
minimizing the attack impact.

An analytical model for packet-pair dispersion signature in multi-hop
networks is presented in the last part of our investigation. Path
signature is an essential tool for numerous applications that need to
distinguish between different network paths, diagnose problems,
test protocols for realistic network conditions, and determine if two
paths share common links. Our approach is a passive technique that
relies on existing network traffic and hence does not consume network
resources for measurements. The relationship between the input
and the output gaps of packet-pairs and the corresponding distribution
of end-to-end packet-pair dispersion are derived. This
derivation is then used to determine the signature characterizing the
path where the path signatures can provide other properties of a
path, such as an available bandwidth estimate, utilization, and
bottleneck capacity of the path to monitor and diagnose network
problems. The analytical model was verified using OPNET simulations
and was used to evaluate the impact of factors such as the
number of hops, initial dispersion, link capacities, and cross traffic
that affect the shape of the signature.

The proposed solutions are evaluated based on either real world or realistic
data to establish performance and accuracy. Real network traffic and
DDoS attack datasets from sources such as Colorado State University
(FRGP Continuous Flow Data), DARPA, CAIDA 2007 as well as
Auckland University dataset were used to evaluate the performance of the developed

Adviser: Anura P. Jayasumana
Co-Adviser: Indrakshi Ray
Non-ECE Member: Yashwant Malaiya, Computer Science
Member 3: Ali Pezeshki, Electrical & Computer Engineering
Additional Members: N/A
N. Mosharraf, A. P. Jayasumana and I. Ray, ‘A Responsive Defense Mechanism Against DDoS Attacks,’ Foundations and Practice of Security, F. Cuppens et al. (Eds.), LNCS 8930, Springer, pp. 347–355, 2015.

N. Mosharraf, A. P. Jayasumana and I. Ray, ‘A Responsive Defense Mechanism against DDoS Attacks,’ Proc. 7th International Symposium on Foundations and Practice of Security (FPS 2014), Montreal, Canada, Nov. 3-5, 2014.

N. Mosharraf, A. P. Jayasumana, I. Ray, ‘Compacted Bloom Filter,’ Journal paper (Under review).

N. Mosharraf, A. P. Jayasumana, I. Ray, ‘A Distributed Mechanism to Protect against DDoS Attacks,’ Conference paper (Under review).

N. Mosharraf, A. P. Jayasumana, ‘Packet-Pair Dispersion Signatures in Multihop Networks,’ Conference paper (Under review).

N. Mosharraf, A. P. Jayasumana, I. Ray, ‘An Identification History-Based Profile Model to Protect against DDoS Attacks,’ Journal paper (To be submitted).
Program of Study:
ECE 658 - Internet Engineering
CS 556 - Computer Security
CS 656 - Advanced Topics in Computer Security - Mo
CS 560 - Foundations of Fine-Grain Parallelism
CS 533 - Database Management Systems
ECE 799 - Dissertation
CS 799 - Dissertation