Publication


Featured research published by Christos Siaterlis.


ACM Symposium on Applied Computing | 2004

Towards multisensor data fusion for DoS detection

Christos Siaterlis; Basil S. Maglaris

In our present work we introduce the use of data fusion in the field of DoS anomaly detection. We present Dempster-Shafer's Theory of Evidence (D-S) as the mathematical foundation for the development of a novel DoS detection engine. Based on a data fusion paradigm, we combine multiple evidence generated from simple heuristics to feed our D-S inference engine and attempt to detect flooding attacks. Our approach has as its main advantages the modeling power of Theory of Evidence in expressing beliefs in some hypotheses, the ability to add the notions of uncertainty and ignorance in the system and the quantitative measurement of the belief and plausibility in our detection results. We evaluate our detection engine prototype through a set of experiments that were conducted with real network traffic and with the use of common DDoS tools. We conclude that data fusion is a promising approach that could increase the DoS detection rate and decrease the false alarm rate.


International Symposium on Computers and Communications | 2005

Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics

Christos Siaterlis; Vasilis Maglaris

Detection of distributed denial of service attacks should ideally take place near their sources, at edge networks, where countermeasures are most effective. DDoS detection by monitoring an over-provisioned backbone link either near the source or the victim is challenging because congestion isn't the identifying anomaly signature. Most research efforts try to identify a single detection metric that can reliably detect DDoS attacks. On the contrary, we use multiple metrics to successfully detect flooding attacks at the edge and classify them as incoming or outgoing attacks with an artificial neural network (ANN). We explore the DDoS detection ability of multi-layer perceptrons (MLP) as classifiers we can teach by example. The inputs of the MLP are metrics coming from different types of passive measurements that are available today to network administrators. We use these metrics to feed our MLP, train it and evaluate its performance in terms of false positive and true positive rates in the face of new data. Our analysis is based on data from several experiments that were conducted with the use of common DDoS tools in the production network of a university. We show that the MLP is capable of classifying the state of the monitored edge network as DDoS source, DDoS victim or normal. This way an edge network can use a single mechanism to protect itself from incoming DDoS attacks and at the same time protect the rest of the network from outgoing attacks.


International Conference on Critical Infrastructure Protection | 2011

Analyzing Cyber-Physical Attacks on Networked Industrial Control Systems

Béla Genge; Igor Nai Fovino; Christos Siaterlis; Marcelo Masera

Considerable research has focused on securing SCADA systems and protocols, but an efficient approach for conducting experiments that measure the impact of attacks on the cyber and physical components of the critical infrastructure is not yet available. This paper attempts to address the issue by presenting an innovative experimental framework that incorporates cyber and physical systems. An emulation testbed based on Emulab is used to model cyber components while a soft real-time simulator based on Simulink is used to model physical processes. The feasibility and performance of the prototype is evaluated through a series of experiments. The prototype supports experimentation with networked industrial control systems and helps understand and measure the consequences of cyber attacks on physical processes.


ACM Symposium on Applied Computing | 2005

One step ahead to multisensor data fusion for DDoS detection

Christos Siaterlis; Vasilis Maglaris

This work introduces the use of data fusion in the field of DDoS anomaly detection. We present Dempster-Shafer Theory of Evidence (D-S), the mathematical foundation for the development of a novel DDoS detection engine. Based on a data fusion paradigm, we combine evidence generated from multiple simple metrics to feed our D-S inference engine and detect attacks on a single network element (high bandwidth link). The main advantages of our approach are the modeling power of the Theory of Evidence in expressing beliefs in some hypotheses, its flexibility to handle uncertainty and ignorance and its ability to provide quantitative measurement of the belief and plausibility in our detection results. Furthermore we propose a system that can be trained (supervised learning) with minimum human effort, using in parallel expert knowledge about each metric's detection ability. We evaluate our detection engine prototype through an extensive set of experiments on an operational network using real network traffic, with the use of a popular DDoS attack generator. Based on these results we discuss the performance of our D-S scheme in contrast to simple thresholds on single metrics, as well as against an alternative data fusion technique based on an Artificial Neural Network. We conclude that our data fusion is a promising approach that significantly increases the DDoS detection rate (true positives) while keeping the false positive alarm rate low.


Communications of the ACM | 2014

Cyber-physical testbeds

Christos Siaterlis; Béla Genge

EPIC helps assess cyberthreats against the cyber and physical dimensions of networked critical infrastructures.


International Symposium on Computers and Communications | 2004

Detecting DDoS attacks with passive measurement based heuristics

Christos Siaterlis; Basil S. Maglaris

Network traffic anomalies such as distributed denial of service attacks or the propagation of a new worm are hard to detect on noncongested ISP backbone links. The research community hasn't managed to offer reliable detection metrics that can be implemented with the current technology constraints to network administrators yet. In this work we explore and evaluate the effectiveness of several potential heuristics in detecting flooding attacks. Our observations are based on a daily network traffic analysis for a period longer than 3 months and on more than 40 experiments that were conducted with the use of common DDoS tools in the production network of an academic ISP. The data analyzed are based on different types of passive measurements that are available today to ISPs. We identify multiple effective detection metrics that could give network administrators insight into malicious activities passing through their networks.


Mobile Lightweight Wireless Systems | 2010

A Preliminary Study of a Wireless Process Control Network Using Emulation Testbeds

Michele Guglielmi; Igor Nai; Andres Perez-Garcia; Christos Siaterlis

The increasing dependence of Critical Infrastructures (CI) on Information and Communication Technologies might encompass significant risks to our society. Experimentation with CI before introducing a new technology has always been difficult, mainly because of the architecture complexity, the inability to conduct experiments within a mission critical environment as well as the lack of specialized tools for recreating a CI. In this paper we present the first results of a study that was conducted in a specialized environment for experimenting with CI. We propose the use of an emulation testbed (Emulab driven) along with SCADA-aware components in order to recreate a typical Process Control Network (PCN). We present here experimental results of the risks that operators might face while installing Wi-Fi access technologies within a PCN. This work is indicative of the approach that operators could follow to measure, understand and minimize undesirable consequences to the resilience of a CI.


International Conference on Advances in System Simulation | 2009

A Review of Available Software for the Creation of Testbeds for Internet Security Research

Christos Siaterlis; Marcelo Masera

The increasing use of experimental platforms for networking research is due to their ability to support experimentation with complex systems, like the Internet, that simplistic simulators and small scale testbeds fail to reproduce. Therefore many projects and research initiatives have been spawned, mainly in the field of Future Internet architectures. Although numerous publications can be found, most of them refer to prototypes and work in progress rather than to publicly available software that is ready to be widely used for the creation of testbeds. The first contribution is the development of a framework for comparing the available software based on their features. The second contribution is a literature review of state-of-the-art tools and their comparison under common criteria. This systematic analysis allows other researchers to make informed decisions about the usability of already available tools and decrease the initial cost of developing a new testbed, leading to an even wider use of such platforms. Our work provides the reader with a useful reference list of readily available software to choose from while designing or upgrading a research infrastructure, laboratory or experimentation facility.


Broadband Communications, Networks and Systems | 2010

Designing repeatable experiments on an Emulab testbed

Andres Perez-Garcia; Christos Siaterlis; Marcelo Masera

Emulation testbeds are increasingly used in an effort to promote repeatable experiments in the area of distributed systems and networking. In this paper we are studying how different design choices, e.g. use of specific tools, can affect the repeatability of experiments of an emulation testbed (e.g. based on the Emulab software).


2016 4th International Symposium on Digital Forensic and Security (ISDFS) | 2016

Generating high quality data for the protection of modern critical infrastructures

Béla Genge; István Kiss; Piroska Haller; Christos Siaterlis

This paper discusses the main issues regarding the procedures for generating High Quality Data (HQD) as support for conducting realistic cyber security studies on Modern Critical Infrastructures (CI). It identifies the most important requirements of what constitutes HQD: accuracy/realism, representation, and completeness. Based on these requirements, it discusses two strategies to achieve them: the data collection strategy and the data generation strategy. While in the traditional Information and Communication Technologies (ICT) sector we find a variety of freely available datasets, in CI research data sources are scarce and of limited size. On the other hand, the data generation strategy has given birth to a new body of research built on the development of simulation software and of research testbeds. The paper describes two frameworks aimed at facilitating the generation of HQD for CI security research. Experimental results including the Tennessee-Eastman chemical process and the IEEE 14-bus electricity grid demonstrate the effectiveness of the developed frameworks.

Collaboration

Top co-authors of Christos Siaterlis:

Basil S. Maglaris, National Technical University of Athens
Vasilis Maglaris, National Technical University of Athens
Panagiotis Roris, National Technical University of Athens
István Kiss, Technical University of Cluj-Napoca
Piroska Haller, Technical University of Cluj-Napoca