Publication


Featured research published by Sunny Behal.


Computer Networks | 2017

Detection of DDoS attacks and flash events using novel information theory metrics

Sunny Behal; Krishan Kumar

Distributed Denial of Service (DDoS) is an austere menace to network security. The in-time detection of DDoS attacks poses a stiff challenge to network security professionals. In this paper, the authors propose a novel set of information theory metrics, called -Entropy and -Divergence metrics, for detecting DDoS attacks and flash events (FEs). The proposed metrics are highly sensitive to subtle variations in network traffic and yield a larger information distance between legitimate and attack traffic flows than the predominantly used Generalized Entropy (GE) and Generalized Information Divergence (GID) metrics. As part of this work, a generalized detection algorithm is proposed that uses the entropy difference between traffic flows to detect different types of DDoS attacks and FEs. The proposed detection algorithm has been validated on various publicly available datasets (MIT Lincoln, CAIDA, FIFA) and the synthetically generated DDoSTB dataset in terms of various detection system evaluation parameters.


International Conference on Computer and Communication Technology | 2011

An experimental analysis for malware detection using extrusions

Sunny Behal; Krishan Kumar

Today, comprehensive protection of a computer network from malware is extremely important. The increasing use of interactive Internet applications in areas such as stock trading, medicine, weather forecasting, banking, business, education, defense and research has raised both the risk and the possibilities of misuse of computer networks. Over the last decade, malicious software (malware) in the form of viruses, worms, Trojan horses and botnets has become a primary source of the threats used for scanning, distributed denial-of-service (DDoS) activity and direct attacks across the Internet. A number of solutions have been proposed in the literature to defend against such malware threats, and the majority of them rely on analysis of inbound traffic for detection. The main goal of this paper is to work out a pragmatic solution for protecting the network from malware by exploring the feasibility of analyzing only outbound (extrusion) traffic instead of intrusion traffic. Four different types of malware have been analyzed to check the validity of the proposed approach.


Computer Communications | 2017

Detection of DDoS attacks and flash events using information theory metrics: An empirical investigation

Sunny Behal; Krishan Kumar

Highlights:
Investigates the preeminence of GE and GID metrics in detecting DDoS attacks.
Proposes the use of GE and GID metrics to discriminate HR-DDoS attacks from FEs.
The GID metric is shown to compare favorably with popular information distance measures.
The proposed methodology is generalized, and hence can detect future attacks and FE events.

Graphical abstract (image omitted): Preeminence of Generalized Entropy (GE) and Generalized Information Distance (GID) detection metrics as compared to extensively used Shannon Entropy, KL Divergence, and other popular detection metrics in detecting DDoS attacks and Flash Events.

A Distributed Denial of Service (DDoS) attack is an austere menace to extensively used Internet-based services. The in-time detection of DDoS attacks poses a tough challenge to network security. Revealing a low-rate DDoS (LR-DDoS) attack is comparatively more difficult in modern high-speed networks, since it can easily conceal itself due to its similarity with legitimate traffic, thereby eluding current anomaly-based detection methods. This paper investigates the aptness and impetus of the information theory-based generalized entropy (GE) and generalized information distance (GID) metrics in detecting different types of DDoS attacks. The results of the GE and GID metrics are compared with Shannon entropy and other popular information divergence measures. In addition, the feasibility of using these metrics to discriminate a high-rate DDoS (HR-DDoS) attack from a similar-looking legitimate flash event (FE) is also verified. We used real and synthetically generated datasets to elucidate the efficiency and effectiveness of the proposed detection scheme in detecting different types of DDoS attacks and FEs. The results clearly show that the GE and GID metrics perform well in comparison with other metrics and have a reduced false positive rate (FPR).


Journal of Network and Computer Applications | 2018

D-FACE: An anomaly based distributed approach for early detection of DDoS attacks and flash events

Sunny Behal; Krishan Kumar; Monika Sachdeva

In the present computer era, although Internet-based applications are the driving force of social evolution, the Internet's architectural vulnerabilities give attackers ample opportunity to mount a wide variety of attacks on its services. Distributed Denial of Service (DDoS) is one such prominent attack; it constitutes a lethal threat to the Internet domain by consuming its computing and communication resources. Despite the presence of numerous defense solutions, ensuring the security and availability of data, resources, and services to end users remains an ongoing research challenge. In addition, the increase in legitimate traffic rates and the flow similarity between attack traffic and legitimate traffic have made the DDoS problem even more critical. Current research has deployed DDoS defense solutions primarily at the victim end because of the inherent advantages of easy deployment and availability of complete attack information. However, the huge traffic volume generated by DDoS attacks and the lack of sufficient computational resources at the victim end make the defense solution itself vulnerable to these attacks. This paper proposes an ISP-level distributed, flexible, automated, and collaborative (D-FACE) defense system which not only distributes the computational and storage complexity to the nearest point-of-presence (PoP) routers but also leads to early detection of DDoS attacks and flash events (FEs). The results show that the D-FACE defense system outperforms existing entropy-based systems on various defense system evaluation metrics.


Archive | 2018

Distributed Denial of Service Attacks and Defense Mechanisms: Current Landscape and Future Directions

Sajal Bhatia; Sunny Behal; Irfan Ahmed

Societal dependence on Information and Communication Technology (ICT) over the past two decades has brought with it an increased vulnerability to a large variety of cyber-attacks. One such attack is a Distributed Denial-of-Service (DDoS) attack, which harnesses the power of a large number of compromised and geographically distributed computers and other networked machines to attack information-providing services, often resulting in significant downtime and thereby causing a denial of service to legitimate clients. The size, frequency, and sophistication of such attacks have risen exponentially over the past decade. In order to develop a better understanding of these attacks and of defense systems against this ever-growing threat, it is essential to understand their modus operandi, latest trends and other most widely used tactics. Consequently, the study of DDoS attacks and of techniques to accurately and reliably detect and mitigate their impact is an important area of research. This chapter largely focuses on the current landscape of DDoS attack detection and defense mechanisms, provides detailed information about the latest modus operandi of various network- and application-layer DDoS attacks, and presents an extended taxonomy to accommodate the novel attack types. In addition, it provides directions for future research in DDoS attack detection and mitigation.


Procedia Computer Science | 2016

Trends in Validation of DDoS Research

Sunny Behal; Krishan Kumar


International Journal of Network Security | 2017

Characterization and Comparison of DDoS Attack Tools and Traffic Generators: A Review.

Sunny Behal; Krishan Kumar


Procedia Computer Science | 2016

Face Recognition System Using Genetic Algorithm

Pratibha Sukhija; Sunny Behal; Pritpal Singh


International Journal of Network Security | 2017

Discriminating Flash Events from DDoS Attacks: A Comprehensive Review.

Sunny Behal; Krishan Kumar; Monika Sachdeva


International Conference on Green Computing | 2015

Characterization and comparison of Distributed Denial of Service attack tools

Harjeet Kaur; Sunny Behal; Krishan Kumar

Collaboration


Sunny Behal's collaborations.

Top Co-Authors

Krishan Kumar, Shaheed Bhagat Singh State Technical Campus

Monika Sachdeva, Shaheed Bhagat Singh State Technical Campus

Shipra Bharti, Shaheed Bhagat Singh State Technical Campus

Vishal Sharma, Shaheed Bhagat Singh State Technical Campus

Irfan Ahmed, University of New Orleans

Sajal Bhatia, Sacred Heart University