
Publication


Featured research published by Ejaz Ahmed.


network and parallel computing | 2008

A Novel Sliding Window Based Change Detection Algorithm for Asymmetric Traffic

Ejaz Ahmed; Andrew J. Clark; George M. Mohay

The effects of network attacks may result in abrupt changes in network traffic parameters. The speedy identification of these changes is critical for smooth network operation. This paper illustrates a sequential analysis technique for detecting these unknown abrupt changes in asymmetric network traffic. A novel sliding window based adaptive cumulative sum (CUSUM) algorithm is used to detect the cause of such variations in network traffic. The significance of the proposed algorithm is two-fold: (1) automatic adjustment of the change detection threshold while minimising the false alarm rate, and (2) timely detection of an end to the anomalous traffic. The validity of the proposed technique is investigated by experimentation on simulated data and on 18 months of real network traces collected from a class C darknet. Comparative analysis of the proposed technique with a traditional CUSUM method demonstrates its superior performance with high detection accuracy and low false alarm rate.


availability, reliability and security | 2011

Parametric Differences between a Real-world Distributed Denial-of-Service Attack and a Flash Event

Sajal Bhatia; George M. Mohay; Alan Tickle; Ejaz Ahmed

Distributed Denial-of-Service (DDoS) attacks continue to be one of the most pernicious threats to the delivery of services over the Internet. Not only are DDoS attacks present in many guises, they are also continuously evolving as new vulnerabilities are exploited. Hence accurate detection of these attacks still remains a challenging problem and a necessity for ensuring high-end network security. An intrinsic challenge in addressing this problem is to effectively distinguish these Denial-of-Service attacks from similar looking Flash Events (FEs) created by legitimate clients. A considerable overlap between the general characteristics of FEs and DDoS attacks makes it difficult to precisely separate these two classes of Internet activity. In this paper we propose parameters which can be used to explicitly distinguish FEs from DDoS attacks and analyse two real-world publicly available datasets to validate our proposal. Our analysis shows that even though FEs appear very similar to DDoS attacks, there are several subtle dissimilarities which can be exploited to separate these two classes of events.


international conference on emerging technologies | 2012

Spectrum-aware dynamic channel assignment in cognitive radio networks

Yasir Saleem; Adnan Bashir; Ejaz Ahmed; Junaid Qadir; Adeel Baig

During the past few years, cognitive radio networks (CRNs) have emerged as a solution for the problems created due to fixed spectrum allocation such as inefficient usage of licensed spectrum. CRNs aim at solving this problem by exploiting the spectrum holes (the spectrum not being used by primary radio nodes at a particular time) and allocating the spectrum dynamically. In this paper, we address the problem of dynamic channel assignment for cognitive radio users in multi-radio multichannel cognitive radio networks (MRMC-CRNs). We propose an efficient spectrum-aware dynamic channel assignment (SA-DCA) strategy for such networks. SA-DCA utilizes available channels and assigns them to multiple radio interfaces of cognitive radio nodes based on primary radio unoccupancy, minimum interference to primary radio nodes, maximum connectivity and minimum interference between cognitive radio nodes. We perform simulations in NS-2 and compare the performance of SA-DCA with two related strategies. Simulation results show that SA-DCA assigns channels efficiently and results in significantly reduced interference to primary radio nodes and increased packet delivery ratio in MRMC-CRNs.


international conference on internet monitoring and protection | 2009

Effective Change Detection in Large Repositories of Unsolicited Traffic

Ejaz Ahmed; Andrew J. Clark; George M. Mohay

When monitoring unsolicited network traffic, automated detection and characterization of abrupt changes in the traffic's statistical properties is important. These abrupt changes can either be due to a single or multiple anomalous activities taking place at the same time. The start of a new anomalous activity while another anomalous activity is in operation will result in a new change nested within the previous change. Although detection of abrupt changes to identify malicious activities has received considerable attention in the past, automated detection of nested changes has not been addressed. In this paper a dynamic sliding window cumulative sum (CUSUM) algorithm is proposed to automatically identify these nested changes. The novelty of the proposed technique lies in its ability to automatically detect nested changes, without which interesting activities may go undetected, and its effectiveness in identifying both the start and the end of the individual changes. Using an analysis of real network traces, we show that the identified nested changes were indeed due to distinct malicious behaviours taking place in parallel.


information security conference | 2010

Use of IP Addresses for High Rate Flooding Attack Detection

Ejaz Ahmed; George M. Mohay; Alan Tickle; Sajal Bhatia

High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a “white list” filter in a firewall as part of the mitigation strategy.


local computer networks | 2012

Unified channel assignment for unicast and broadcast traffic in Cognitive Radio Networks

Adil Kamal Mir; Ahmed Akram; Ejaz Ahmed; Junaid Qadir; Adeel Baig

The rising density of wireless devices, combined with the availability of a plethora of wireless web applications, has overcrowded the radio frequency spectrum. The majority of the present wireless radio spectrum is already licensed; however, studies have shown that the licensed spectrum is significantly underutilized. Cognitive Radio Networks (CRNs) are envisioned to utilize the radio spectrum more efficiently. CRNs may be required to handle both unicast and broadcast traffic, which makes the task of channel assignment in CRNs more challenging, as the communication mode required for each type of traffic is different. Unicast traffic may suffer due to interference if the same channel is assigned to and used by neighboring nodes; on the other hand, for broadcast traffic, if a larger set of neighbors share a common channel, any particular node may exploit the wireless broadcast advantage to communicate with a maximum number of neighbors in a single transmission. Existing channel assignment schemes favor either unicast or broadcast traffic only. In this paper a Unified Channel Assignment (UCA) algorithm is proposed which assigns channels according to their respective interference and connectivity parameters depending on the proportions of unicast and broadcast traffic in the network.


advanced information networking and applications | 2013

Quantifying the Multiple Cognitive Radio Interfaces Advantage

Muhammad Hassan; Ejaz Ahmed; Junaid Qadir; Adeel Baig

In recent times, wireless communications has established itself as a popular access technology due to the user preference for the flexibility of untethered communication. The single biggest problem that still impedes broader uptake of wireless technology is scarceness of wireless capacity. The lack of wireless capacity scaling is primarily due to two factors: firstly, wireless interference that limits a wireless channel to only possible transmission at any given time, and secondly, the current radio spectrum management scheme based on licensing frequency spectrum, which is known to be very inefficient. Two well-known techniques that address parts of our considered problem space in wireless networks include: 1) cognitive radio networks (CR) or dynamic-spectrum-access (DSA) networks that utilize programmable software defined radios to address the wireless standards interoperability problem, and 2) multi-radio multi-channel (MRMC) technology, which addresses the wireless scalability problem, in which each node is equipped with multiple radio interfaces (that can tune to any one of the available orthogonal channels) to allow multiple overlapping transmissions. In this work, we aim to investigate the benefits of a hybrid of these approaches: an approach that we call C-MRMC technology. In C-MRMC wireless networks, each node is equipped with multiple cognitive radio interfaces. We investigate in our work the potential improvement in performance (which we gauge in metrics such as throughput and packet delivery ratio) gained by such an approach through extensive simulations. Our results demonstrate that having such an approach is viable and can lead to significant performance gains.


Faculty of Science and Technology; Information Security Institute | 2010

A Distributed Denial of Service Testbed

Desmond Allan Schmidt; Suriadi Suriadi; Alan Tickle; Andrew J. Clark; George M. Mohay; Ejaz Ahmed; James Mackie

The Denial of Service Testing Framework (dosTF) being developed as part of the joint India-Australia research project for 'Protecting Critical Infrastructure from Denial of Service Attacks' allows for the construction, monitoring and management of emulated Distributed Denial of Service attacks using modest hardware resources. The purpose of the testbed is to study the effectiveness of different DDoS mitigation strategies and to allow for the testing of defense appliances. Experiments are saved and edited in XML as abstract descriptions of an attack/defense strategy that is only mapped to real resources at run-time. It also provides a web-application portal interface that can start, stop and monitor an attack remotely. Rather than monitoring a service under attack indirectly, by observing traffic and general system parameters, monitoring of the target application is performed directly in real time via a customised SNMP agent.


Security and Communication Networks | 2012

Mitigating On-Off attacks in reputation-based secure data aggregation for wireless sensor networks

Hani Alzaid; Ernest Foo; Juan Manuel González Nieto; Ejaz Ahmed

In-network aggregation is considered an efficient way to reduce the energy consumption in wireless sensor networks (WSNs). However, it opens doors for a compromised node to distort the integrity of the aggregated data by altering the data and disrupting transmission of the aggregation results. Thus, several secure data aggregation protocols were designed to mitigate the effect of the node compromise attack and ensure data integrity. Most protocols can detect the manipulation of the aggregation results and then reject them at the base station, which gives a single node compromise the opportunity to disrupt the limited resources in the network. Reputation-based secure data aggregation protocols take a step further in helping to identify compromised nodes as early as possible. However, reputation-based protocols are prone to On-Off attacks (OOs) in which a compromised node is able to affect the aggregation results without being detected. The compromised node behaves maliciously now and then to ensure that its reputation value is within the trustable level. A solution to defeat this attack is proposed in this paper. The significance of the proposal is twofold: (i) it extends Alzaid et al.'s protocol and mitigates the effect of the OO on the aggregation results, and (ii) it considers non-homogeneous environments, which requires distinguishing between abrupt and incipient changes. A comparative analysis of our proposal with Alzaid et al.'s protocol, plain estimate, and reputation-based estimate shows its superior performance in mitigating the effect of the attack.


Archive | 2011

Detection and Mitigation of High-Rate Flooding Attacks

George M. Mohay; Ejaz Ahmed; Sajal Bhatia; Anitha Nadarajan; Balaraman Ravindran; Alan Tickle; R. Vijayasarathy

Because high-rate flooding attacks constitute such a potent threat to the delivery of Internet-based services, the early and reliable detection of the onset of such an attack together with the formulation and implementation of an effective mitigation strategy are key security goals. However, the continuously evolving nature of such attacks means that they remain an area of active research and investigation. This chapter focuses largely on our research into attack detection, with some discussion of mitigation through IP address filtering. The chapter outlines leading-edge work on developing detection techniques that have the potential to identify a high-rate flooding attack reliably and in real time or, at least, in near real time. In addition, it formulates an architecture for a DoS Mitigation Module (DMM) to provide a vehicle for integrating the elements of the solution.

Collaboration

Top Co-Authors

George M. Mohay, Queensland University of Technology
Alan Tickle, Queensland University of Technology
Andrew J. Clark, Queensland University of Technology
Sajal Bhatia, Queensland University of Technology
Suriadi Suriadi, Queensland University of Technology
Kashan Samad, National University of Sciences and Technology
Ernest Foo, Queensland University of Technology
Kashif Sharif, National University of Sciences and Technology
Jason Smith, Queensland University of Technology
Nishchal Kush, Queensland University of Technology