• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.7
• /
• pp.2512-2531
• /
• 2014

We propose a new Distributed Denial of Service (DDoS) defense mechanism that protects http web servers from application-level DDoS attacks based on the two methodologies: whitelist-based admission control and busy period-based attack flow detection. The attack flow detection mechanism detects attach flows based on the symptom or stress at the server, since it is getting more difficult to identify bad flows only based on the incoming traffic patterns. The stress is measured by the time interval during which a given client makes the server busy, referred to as a client-induced server busy period (CSBP). We also need to protect the servers from a sudden surge of attack flows even before the malicious flows are identified by the attack flow detection mechanism. Thus, we use whitelist-based admission control mechanism additionally to control the load on the servers. We evaluate the performance of the proposed scheme via simulation and experiment. The simulation results show that our defense system can mitigate DDoS attacks effectively even under a large number of attack flows, on the order of thousands, and the experiment results show that our defense system deployed on a linux machine is sufficiently lightweight to handle packets arriving at a rate close to the link rate.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.31 no.2C
• /
• pp.208-218
• /
• 2006

In this paper, we introduce the creation methods of attack detection model using data mining technologies that can classify the latest attack types, and can detect the modification of existing attacks as well as the novel attacks. Also, we evaluate comparatively these attack detection models in the view of detection accuracy and detection time. As the important factors for creating detection models, there are data, attribute, and detection algorithm. Thus, we used NetFlow data gathered at the real network, and KDD Cup 1999 data for the experiment in large quantities. And for attribute selection, we used a heuristic method and a theoretical method using decision tree algorithm. We evaluate comparatively detection models using a single supervised/unsupervised data mining approach and a combined supervised data mining approach. As a result, although a combined supervised data mining approach required more modeling time, it had better detection rate. All models using data mining techniques could detect the attacks within 1 second, thus these approaches could prove the real-time detection. Also, our experimental results for anomaly detection showed that our approaches provided the detection possibility for novel attack, and especially SOM model provided the additional information about existing attack that is similar to novel attack.

• Journal of the Korea Society of Computer and Information
• /
• v.21 no.7
• /
• pp.1-8
• /
• 2016

Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically because our daily lifes tightly depends on web services such as on-line banking, e-mail, and e-commerce. One of DDoS attacks to web servers is called HTTP-GET flood attack which is becoming more serious. Most existing techniques are running on the application layer because these attack packets use legitimate network protocols and HTTP payloads; that is, network-level intrusion detection systems cannot distinguish legitimate HTTP-GET requests and malicious requests. In this paper, we propose a practical detection technique against HTTP-GET flood attacks, based on the access behavior of inline objects in a webpage using NetFlow data. In particular, our proposed scheme is working on the network layer without any application-specific deep packet inspections. We implement the proposed detection technique and evaluate the ability of attack detection on a simple test environment using NetBot attacker. Moreover, we also show that our approach must be applicable to real field by showing the test profile captured on a well-known e-commerce site. The results show that our technique can detect the HTTP-GET flood attack effectively.

• Smart Media Journal
• /
• v.4 no.4
• /
• pp.24-32
• /
• 2015

Recently, SDN is actively used as datacenter networks and gradually increase its applied areas. Along with this change of networking environment, research of deploying network security systems on SDN becomes highlighted. Especially, systems for detecting network flooding attacks by monitoring every packets through ports of OpenFlow switches have been proposed. However, because of the centralized management of a SDN controller which manage multiple switches, it may be substantial overhead that the attack detection system continuously monitors all the flows. In this paper, a sampling based network flooding attack detection and prevention system is proposed to reduce the overhead of monitoring packets and to achieve reasonable functionality of attack detection and prevention. The proposed system periodically takes sample packets of network flows with the given sampling conditions, analyzes the sampled packets to detect network flooding attacks, and block the attack flows actively by managing the flow entries in OpenFlow switches. As network traffic sampler, sFlow agent is used, and snort, an opensource IDS, is used to detect network flooding attack from the sampled packets. For active prevention of the detected attacks, an OpenDaylight application is developed and applied. The proposed system is evaluated on the local testbed composed with multiple OVSes (Open Virtual Switch), and the performance and overhead of the proposed system under various sampling condition is analyzed.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.14 no.1
• /
• pp.203-209
• /
• 2014

Today, Distributed denial of service (DDoS) attack present a very serious threat to the stability of the internet. The DDoS attack, which is consuming all of the computing or communication resources necessary for the service, is known very difficult to protect. The DDoS attack usually transmits heavy traffic data to networks or servers and they cannot handle the normal service requests because of running out of resources. It is very hard to prevent the DDoS attack. Therefore, an intrusion detection system on large network is need to efficient real-time detection. In this paper, we propose the detection mechanism using analysis of flow information against DDoS attacks in order to guarantee the transmission of normal traffic and prevent the flood of abnormal traffic. The OPNET simulation results show that our ideas can provide enough services in DDoS attack.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.7
• /
• pp.3671-3689
• /
• 2019

Software defined networking brings unique security risks such as control plane saturation attack while enhancing the performance of wireless sensor networks. The attack is a new type of distributed denial of service (DDoS) attack, which is easy to launch. However, it is difficult to detect and hard to defend. In response to this, the attack threat model is discussed firstly, and then a DDoS attack prevention extension, called FuzzyGuard, is proposed. In FuzzyGuard, a control network with both the protection of data flow and the convergence of attack flow is constructed in the data plane by using the idea of independent routing control flow. Then, the attack detection is implemented by fuzzy inference method to output the current security state of the network. Different probabilistic suppression modes are adopted subsequently to deal with the attack flow to cost-effectively reduce the impact of the attack on the network. The prototype is implemented on SDN-WISE and the simulation experiment is carried out. The evaluation results show that FuzzyGuard could effectively protect the normal forwarding of data flow in the attacked state and has a good defensive effect on the control plane saturation attack with lower resource requirements.

• The KIPS Transactions:PartC
• /
• v.13C no.4 s.107
• /
• pp.397-404
• /
• 2006

Successful software attacks require both injecting malicious code into a program's address space and altering the program's flow control to the injected code. Code section can not be changed at program's runtime, so malicious code must be injected into data section. Detoured flow control into data section is a signal of software attack. We propose a new software attack detection method which verify the target address of CALL, JMP, RET instructions, which alter program's flow control, and detect a software attack when the address is not in code section. Proposed method can detect all change of flow control related data, not only program's return address but also function pointer, buffer of longjmp() function and old base pointer, so it can detect the more attacks.

• Journal of KIISE:Information Networking
• /
• v.32 no.3
• /
• pp.279-290
• /
• 2005

Recently, as the serious damage caused by DDoS attacks increases, the rapid detection and the proper response mechanisms are urgent. However, existing security mechanisms do not effectively defend against these attacks, or the defense capability of some mechanisms is only limited to specific DDoS attacks. In this paper, we propose a detection architecture against DDoS attack using data mining technology that can classify the latest types of DDoS attack, and can detect the modification of existing attacks as well as the novel attacks. This architecture consists of a Misuse Detection Module modeling to classify the existing attacks, and an Anomaly Detection Module modeling to detect the novel attacks. And it utilizes the off-line generated models in order to detect the DDoS attack using the real-time traffic. We gathered the NetFlow data generated at an access router of our network in order to model the real network traffic and test it. The NetFlow provides the useful flow-based statistical information without tremendous preprocessing. Also, we mounted the well-known DDoS attack tools to gather the attack traffic. And then, our experimental results show that our approach can provide the outstanding performance against existing attacks, and provide the possibility of detection against the novel attack.

• ETRI Journal
• /
• v.41 no.5
• /
• pp.560-573
• /
• 2019

Two supervised learning algorithms, a basic neural network and a long short-term memory recurrent neural network, are applied to traffic including DDoS attacks. The joint effects of preprocessing methods and hyperparameters for machine learning on performance are investigated. Values representing attack characteristics are extracted from datasets and preprocessed by two methods. Binary classification and two optimizers are used. Some hyperparameters are obtained exhaustively for fast and accurate detection, while others are fixed with constants to account for performance and data characteristics. An experiment is performed via TensorFlow on three traffic datasets. Three scenarios are considered to investigate the effects of learning former traffic on sequential traffic analysis and the effects of learning one dataset on application to another dataset, and determine whether the algorithms can be used for recent attack traffic. Experimental results show that the used preprocessing methods, neural network architectures and hyperparameters, and the optimizers are appropriate for DDoS attack detection. The obtained results provide a criterion for the detection accuracy of attacks.

• Journal of KIISE:Computing Practices and Letters
• /
• v.14 no.9
• /
• pp.901-905
• /
• 2008

In this paper, we propose a detection scheme for sinkhole attacks in wireless sensor networks. Sinkhole attack makes packets that flow network pass through attacker. So, Sinkhole attack can be extended to various kind of attacks. We analyze sinkhole attack methods in the networks that use LQI based routing. For the purpose of response to each attack method, we propose methods to detect attacks. Our scheme can work for those sensor networks which use LQI based dynamic routing protocol. And we show the detection of sinkhole attack can be achieved by using a few detector nodes.