
Publication


Featured research published by Hakem Beitollahi.


Computer Communications | 2012

Review: Analyzing well-known countermeasures against distributed denial of service attacks

Hakem Beitollahi; Geert Deconinck

This paper reviews and analyzes well-known countermeasures against distributed denial of service (DDoS) attacks. This paper provides an in-depth analysis of each countermeasure and enumerates strengths and challenges of each technique. If it is possible, the paper designs a countermeasure against each defense mechanism from the attacker's point of view. We believe that this survey is the most complete survey that analyzes the most cited DDoS defense techniques in detail. We expect that this survey will assist the potential victims to choose suitable countermeasures against DDoS attacks based on the analysis presented here as well as the capabilities that they have to implement the techniques. The analysis done in this paper provides a great opportunity for both academic and industrial researchers to improve the state-of-the-art countermeasures against DDoS attacks.


Procedia Computer Science | 2012

Tackling Application-layer DDoS Attacks

Hakem Beitollahi; Geert Deconinck

In application-layer distributed denial of service (DDoS) attacks, zombie machines attack the victim server through legitimate packets such that packets have legitimate format and are sent through normal TCP connections. Consequently, neither intrusion detection systems (IDS) nor the victim server can detect malicious packets. This paper proposes a novel scheme which is called ConnectionScore to resist against such DDoS attacks. During the attack time, any connection is scored based on history and statistical analysis which has been done during the normal condition. The bottleneck resources are retaken from those connections which take lower scores. Our analysis shows that connections established by the adversary give low scores. In fact, ConnectionScore technique can estimate legitimacy of connections with high probability. To evaluate performance of the scheme, we perform experiments on Emulab environment using real traceroute data of ClarkNet WWW server.


international conference on critical infrastructure | 2010

Communication overlays and agents for dependable smart power grids

Geert Deconinck; Wouter Labeeuw; Stijn Vandael; Hakem Beitollahi; Klaas De Craemer; Rui Duan; Zhifeng Qui; Parvathy Chittur Ramaswamy; Bert Vande Meerssche; Isabelle Vervenne; Ronnie Belmans

Smart grids rely on a dependable information infrastructure for the monitoring and control applications. Two elements can enhance the suitability of the communication and control infrastructure for such smart grid applications. Overlay networks allow to resiliently deal with nodes that appear and disappear, as well as with the dynamic nature of the power values these nodes represent in a smart grid. Agents-based modelling allows to simulate the smart grid applications in a scalable and flexible way before deployment. The paper discusses how both approaches can be combined for simulating a more dependable smart grid.


dependable systems and networks | 2009

ICT resilience of power control systems: experimental results from the CRUTIAL testbeds

Giovanna Dondossola; G Garrone; J. Szanto; Geert Deconinck; Tom Loix; Hakem Beitollahi

Distributed intelligence and secure interconnected communication networks constitute recognized key factors for the economic operation of electricity infrastructures in competitive power markets. Hence, electric power utilities need to extend risk management frameworks with adequate tools for assessing consequences of ICT (Information and Communication Technologies) threats on their critical business. This requires realistic probability estimates to cyber threat occurrences and consequent failure modes. Due to data sensitivity and rapid discovery of new vulnerability exploits, historical data series of ICT failures affecting power control infrastructures are not sufficient for a timely risk treatment. Such lack of data can partially be overcome by setting up testbeds to run controlled experiments and collect otherwise unavailable data related to cyber misbehaviours in power system operation. Within the project CRUTIAL (CRitical UTility InfrastructurAL resilience) two testbed platforms have been set up for experimentally evaluating malicious threats on macro and micro grid control scenarios. Results from experimental campaigns are analyzed in the paper by means of an evaluation framework.


ambient intelligence | 2014

ConnectionScore: a statistical technique to resist application-layer DDoS attacks

Hakem Beitollahi; Geert Deconinck

In an application-layer distributed denial of service (DDoS) attack, zombie machines send a large number of legitimate requests to the victim server. Since these requests have legitimate formats and are sent through normal TCP connections, intrusion detection systems cannot detect them. In these attacks, an adversary does not saturate the bandwidth of the victim server through inbound traffic, but through outbound traffic. The next aim of the adversary is to consume and exhaust computational resources (e.g., CPU cycles), memory resources, TCP/IP stack, resources of input/output devices, etc. This paper proposes a novel scheme which is called ConnectionScore to resist such DDoS attacks. During the attack time, any connection is scored based on history and statistical analysis which has been done during the normal condition. The bottleneck resources are retaken from those connections which take lower scores. Our analysis shows that connections established by the adversary give low scores. In fact, the ConnectionScore technique can estimate legitimacy of connections with high probability. The rate of suspicious connections being dropped is adjusted based on the current level of overload of the server and a threshold-level of free resources. To evaluate the performance of the scheme, we perform experiments in the Emulab environment using real traceroute data of the ClarkNet WWW server (http://ita.ee.lbl.gov/html/contrib/ClarkNet-HTTP.html).


network computing and applications | 2008

FOSeL: Filtering by Helping an Overlay Security Layer to Mitigate DoS Attacks

Hakem Beitollahi; Geert Deconinck

Denial of service (DoS) attacks are a major threat against availability in the Internet. A large number of countermeasure techniques try to detect attacks and then filter out DoS attack packets. Unfortunately these techniques that filter DoS traffic by looking at known attack patterns or statistical anomalies in the traffic patterns can be defeated by changing the attack patterns and masking the anomalies that are sought by the filter. Hence, detecting DoS traffic is one of the main challenges for filtering techniques. Furthermore techniques that drop any malicious packet need to process the packet and processing is time-consuming. This paper addresses how an efficient and good filter can be designed by helping an overlay network layer to mitigate DoS attacks. Fosel (filtering by helping an overlay security layer) filter is independent from DoS attack types, so we do not worry about the changing attack patterns. Furthermore it reduces processing time noticeably. Through simulation this paper shows by employing Fosel filter, DoS attacks have a negligible chance to saturate the target by malicious packets. Our simulation demonstrates that Fosel architecture reduces the probability of successful attack to minuscule levels. Furthermore Fosel is between 10% and 50% faster than SOS (secure overlay services) (Keromytis et al., 2002) architecture to drop malicious packets based on attack rate.


pacific rim international symposium on dependable computing | 2006

Fault-Tolerant Partitioning Scheduling Algorithms in Real-Time Multiprocessor Systems

Hakem Beitollahi; Geert Deconinck

This paper presents the performance analysis of several well-known partitioning scheduling algorithms in real-time and fault-tolerant multiprocessor systems. Both static and dynamic scheduling algorithms are analyzed. Partitioning scheduling algorithms, which are studied, are heuristic algorithms that are formed by combining any of the bin-packing algorithms with any of the schedulability conditions for the rate-monotonic (RM) and earliest-deadline-first (EDF) policies. A tool is developed which enables to experimentally evaluate the performance of the algorithms from the graph of tasks. The results show that among several partitioning algorithms evaluated, the RM-small-task (RMST) algorithm is the best static algorithm and the EDF-best-fit (EDF-BF) is the best dynamic algorithm, for non fault-tolerant systems. For fault-tolerant systems which require about 49% more processors, the results show that the RM-first-fit decreasing utilization (RM-FFDU) is the best static algorithm and the EDF-BF is the best dynamic algorithm. To decrease the number of processors in fault-tolerant systems, the RMST is modified. The results show that the modified RMST decreases the number of required processors between 7% and 78% in comparison with the original RMST, the RM-FFDU and other well-known static partitioning scheduling algorithms


international parallel and distributed processing symposium | 2007

Fault-Tolerant Earliest-Deadline-First Scheduling Algorithm

Hakem Beitollahi; Seyed Ghassem Miremadi; Geert Deconinck

The general approach to fault tolerance in uniprocessor systems is to maintain enough time redundancy in the schedule so that any task instance can be re-executed in presence of faults during the execution. In this paper a scheme is presented to add enough and efficient time redundancy to the earliest-deadline-first (EDF) scheduling policy for periodic real-time tasks. This scheme can be used to tolerate transient faults during the execution of tasks. We describe a recovery scheme which can be used to re-execute tasks in the event of transient faults and discuss conditions that must be met by any such recovery scheme. For performance evaluation of this idea a tool is developed.


Architecting Dependable Systems V | 2008

A Robust Semantic Overlay Network for Microgrid Control Applications

Geert Deconinck; Koen Vanthournout; Hakem Beitollahi; Zhifeng Qui; Rui Duan; Bart Nauwelaers; Emmanuel Van Lil; Johan Driesen; Ronnie Belmans

In an electric power converting apparatus comprising a plurality of branches each including a plurality of serially connected semiconductor switching elements, a non-linear resistor is connected in parallel with each semiconductor switching element, and a voltage division element including serially connected capacitor and a resistor is connected in parallel with each semiconductor switching element. A reactor is connected in series with each one of the branches and an arrestor is connected in parallel with a serially connected reactor and an associated branch.


international parallel and distributed processing symposium | 2008

An overlay protection layer against Denial-of-Service attacks

Hakem Beitollahi; Geert Deconinck

Today the Internet is becoming an emerging technology for remote control of industrial applications, where one site needs to control another site remotely (e.g. power plants controllers). Denial-of-Service (DoS) attacks may cause significant disruptions to the Internet which will threaten the operation of such network based control systems. Overlay networks have been proposed to protect Internet application sites by location-hiding technique. This paper analyzes a large domain of previous approaches against this problem. This paper addresses how an interface to an overlay network can be designed such that communication services among geographically distributed application sites are secured against DoS attacks. This paper presents a novel architecture called overlay protection layer (OPL) that proactively protects application sites from DoS attacks. Through simulation this paper shows DoS attacks have a negligible chance to disrupt communications services via the OPL architecture. Even if attackers attack 50% of overlay nodes via a Distributed DoS attack still 75% of communication channels are available.

Collaboration

Top Co-Authors

Geert Deconinck, Katholieke Universiteit Leuven

Ronnie Belmans, Katholieke Universiteit Leuven

Rui Duan, Katholieke Universiteit Leuven

Bart Nauwelaers, Katholieke Universiteit Leuven

Emmanuel Van Lil, Katholieke Universiteit Leuven

Johan Driesen, Katholieke Universiteit Leuven

Zhifeng Qui, Katholieke Universiteit Leuven

Koen Vanthournout, Katholieke Universiteit Leuven

Bert Vande Meerssche, Katholieke Universiteit Leuven

Isabelle Vervenne, Katholieke Universiteit Leuven