
Are DDoS attacks about to die? – 3 top projects that might make you think twice.


Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are on the rise.  Many of the world's companies have been forced to treat DoS and DDoS attacks as a potential threat.  Zetter (2016) defines a DoS attack as “an attack that overwhelms a system with data—most commonly a flood of simultaneous requests sent to a website to view its pages, causing the web server to crash or simply become inoperable as it struggles to respond to more requests than it can handle.”  Since those first attacks a distributed variant has emerged: the DDoS attack, in which many computers attack one or more targets.  These computers are usually part of a larger botnet whose members are spread all over the world.  DDoS attacks are harder to deal with because the malicious traffic comes from many sources, so it is more difficult to identify and simply block a single IP address.  The end result of both DoS and DDoS attacks is the same: legitimate users are not able to use the computer systems for their intended purpose.  New methods and techniques to deal with these DDoS attacks are on the rise.

Anomaly Based detection system with Multivariate Correlation Analysis

One of the more promising solutions to DDoS attacks is the Multivariate Correlation Analysis system, or MCA.  This research paper identifies multiple mitigation techniques in the detection process.  The overall solution is built for speed of detection, which is a very powerful element in thwarting DDoS attacks.  The paper distinguishes older misuse-based detection systems from newer anomaly-based systems such as MCA itself.  Misuse-based detection systems identify malicious network traffic based on previously known attacks. The problem with this is the inability to identify new DDoS attacks or variations of old attacks.  There is also the trouble of keeping a valid signature database updated, which becomes very labour intensive.  Because of this, the cybersecurity industry was on the lookout for a better detection system.  Anomaly-based solutions were then sought out heavily: since the DDoS attacks themselves are hard to identify, it is a lot easier to characterise the normal traffic on a network and then compare the current traffic against it.

Anomaly based detection system

Anomaly-based detection systems have the ability to establish a baseline of a company's traffic during its normal usage and then sift out whatever remains as malicious traffic.  Unfortunately, anomaly-based systems are prone to false positives and false negatives due to a lack of training and the simplistic models being used.  This new system, the multivariate correlation analysis system, has proved promising in solving this issue. The solution's framework can be broken up into three distinct levels:

  1. Create a normalized model record from the internet traffic arriving at the internal network. This level takes the incoming traffic data and passes it to level 2.
  2. Multivariate correlation analysis is applied, with triangle area map generation. In this step the normalized model records from level 1 are compared to find correlations.
  3. Decision making is the final level, which separates the legitimate record set from the DDoS attack (illegitimate) records.
    1. The training phase builds the normal profile of traffic.
    2. The test phase builds profiles of the individual observed traffic records.

Triangle area map mitigation technique

The triangle area map technique was used to help speed up the MCA process.  The triangle area map approach allows two triangle area map records to be compared quickly.  If one pictures a triangle area map record as an image, any difference between two records shows up where the two triangles' sides are not identical, and because the map is symmetric this difference is already fully reflected in the bottom (lower) part of the triangle.  The system can therefore focus its inspection on the bottom part of the triangle, which decreases the amount of data that needs to be analysed and queried.  The resulting speed is roughly two thirds faster than running the normal MCA process.


Mahalanobis Distance mitigation technique

The Mahalanobis distance mitigation technique, or MD, allows the solution to be more accurate when identifying variations.  This model can be explained with a conceptual analogy to the spices in a baking recipe.  If you plot the volumes of all the different spices in the recipe on an x and y axis, changing the overall volume would not change the flavour profile of the recipe.  However, if you add more of one ingredient, say salt or butter, you would definitely taste the difference in the recipe.   The Mahalanobis distance technique works in the same way: it lets the variation of the critical indicators be judged not predominantly by volume but by their distinct "flavour", based on how strongly the different ingredients contribute.

While the triangle area map is used to identify similarities between record sets faster, MD is used to identify the dissimilarity between traffic records.  Tan, Jamdagni, He, Nanda, and Liu (2011, p. xx) say: “This is because MD has been successfully and widely used in cluster analysis, classification and multivariate outlier detection techniques.”
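To make the three levels, the triangle area map and the Mahalanobis distance concrete, here is an added example in Python; it is not code from the papers cited above or from this post. It assumes three hypothetical per-record traffic features (packets per second, average packet size, SYN ratio), builds the lower triangle of the TAM as the areas |f_i·f_j|/2 of the triangle spanned by the origin, (f_i, 0) and (0, f_j) for every feature pair, learns a normal profile (mean TAM, covariance, and a threshold of the mean MD plus three standard deviations) from constructed normal traffic, and then classifies new records by their Mahalanobis distance to that profile. The feature names, the constructed traffic and the threshold rule are my assumptions, not the papers' parameters.

```python
import random
from math import sqrt

# Hypothetical per-record traffic features (assumed for this example).
FEATURES = ["pkts_per_sec", "avg_pkt_bytes", "syn_ratio"]


def triangle_area_map(record):
    """Lower triangle of the Triangle Area Map (TAM) for one traffic record.

    For every feature pair (i, j), i < j, the triangle has vertices at the origin,
    (f_i, 0) and (0, f_j); its area is |f_i * f_j| / 2.  The full TAM is symmetric
    with a zero diagonal, so only the lower triangle is kept (level 2 of the framework).
    """
    m = len(record)
    return [abs(record[i] * record[j]) / 2.0 for i in range(m) for j in range(i + 1, m)]


def mean_vector(rows):
    n, d = len(rows), len(rows[0])
    return [sum(r[k] for r in rows) / n for k in range(d)]


def covariance(rows, mu, ridge=1e-6):
    """Sample covariance of the TAM vectors; a tiny ridge keeps the matrix invertible."""
    n, d = len(rows), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        diff = [r[k] - mu[k] for k in range(d)]
        for a in range(d):
            for b in range(d):
                cov[a][b] += diff[a] * diff[b]
    for a in range(d):
        for b in range(d):
            cov[a][b] /= (n - 1)
        cov[a][a] += ridge
    return cov


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting; fine for a handful of features."""
    d = len(matrix)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def mahalanobis(x, mu, inv_cov):
    """MD(x) = sqrt((x - mu)^T * Sigma^-1 * (x - mu))."""
    d = len(mu)
    diff = [x[k] - mu[k] for k in range(d)]
    tmp = [sum(inv_cov[a][b] * diff[b] for b in range(d)) for a in range(d)]
    return sqrt(max(sum(diff[a] * tmp[a] for a in range(d)), 0.0))


class NormalProfile:
    """Training phase: mean TAM, covariance and an MD threshold learned from normal traffic."""

    def __init__(self, normal_records, k=3.0):
        tams = [triangle_area_map(r) for r in normal_records]
        self.mu = mean_vector(tams)
        self.inv_cov = invert(covariance(tams, self.mu))
        dists = [mahalanobis(t, self.mu, self.inv_cov) for t in tams]
        d_mean = sum(dists) / len(dists)
        d_std = sqrt(sum((x - d_mean) ** 2 for x in dists) / len(dists))
        self.threshold = d_mean + k * d_std  # assumed rule: k sigma above the normal MD spread

    def distance(self, record):
        return mahalanobis(triangle_area_map(record), self.mu, self.inv_cov)

    def is_attack(self, record):
        """Test phase / decision making: a record is legitimate iff its MD is within the threshold."""
        return self.distance(record) > self.threshold


def constructed_normal_records(n=200, seed=1):
    """Constructed sample traffic, not captured data: web-like traffic at ~100 pkt/s."""
    rng = random.Random(seed)
    return [[rng.gauss(100, 10), rng.gauss(800, 50), rng.gauss(0.10, 0.02)] for _ in range(n)]


PROFILE = NormalProfile(constructed_normal_records())
NORMAL_RECORD = [104.0, 790.0, 0.11]   # constructed: looks like the training traffic
FLOOD_RECORD = [5000.0, 60.0, 0.95]    # constructed: many tiny packets, almost all SYN

if __name__ == "__main__":
    for name, rec in (("normal", NORMAL_RECORD), ("flood", FLOOD_RECORD)):
        print(f"{name}: MD={PROFILE.distance(rec):.2f} "
              f"threshold={PROFILE.threshold:.2f} attack={PROFILE.is_attack(rec)}")
```

The point the analogy above makes is visible in `mahalanobis`: because the distance is weighted by the inverse covariance, a record whose features all scale together stays close to the profile, while a record that changes the relationship between features (here the ratio of SYN packets to packet size) lands far away even when the raw volumes alone would be ambiguous.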


Tracemax DDoS System

The Tracemax system is another project that shows potential, and it takes a slightly different approach to detecting DDoS attacks.  Tracemax is software installed on downstream devices throughout the internet, for instance at an ISP.  The Tracemax system can be installed at the customer level; however, at the ISP level it would allow the ISP to blacklist attackers or bots, identify botnets within the ISP's network, or verify malicious ISPs (Hillmann, Tietze, & Rodosek, 2015, p. xx).   This research was selected because it clearly addresses a very important problem in cyber security at the moment, which is attribution.  Identifying the likely initiator of an attack allows law enforcement, government and state officials to take further action.

The devices running the Tracemax software label each packet and trace its exact path based on a generated abstract ID. This ID is stored in the options header of the packet. This allows Tracemax to deal with a larger number of hops than any other tracing tool known to the general public to date.  See table 1.  The benefits of using the Tracemax software are as follows:

  1. Single-packet traceback, which allows users to detect sophisticated attackers.
  2. Detecting and differentiating multiple attackers.
  3. Fast path reconstruction, even during an attack, with a short attack detection time and fast preventive actions.
  4. Minimal additional network load and performance impact.
  5. Ability to trace hops or locations over paths of more than 50 hops.


Tracemax preventive system

As a preventive measure Tracemax is installed on all devices the packets would travel through.  Tracemax allows the system to detect DDoS attacks on small networks and alert the ISP to malicious packets entering its networks, so that the ISP can take the necessary steps to deny the malicious packets and the malicious outside nodes.  This approach could prevent new DDoS attacks from spawning on other internet nodes.  It would also allow an ISP to identify DDoS attacks coming from its own networks.


Tracemax mitigation technique

Tracemax creates its own labelling system, which is its mitigation technique.  DDoS attacks are for the most part launched from spoofed IP addresses, and the packets reach the target over varying paths. Tracemax does not rely on these dynamic paths or on the spoofed source addresses.  Instead it looks in the options field for the abstract IDs that were added as the packet travelled from device to device.  With this method it is very simple to reconstruct a malicious packet's full path at the end.


Tracemax alternate mitigation technique

A slightly different mitigation technique is that if a traced IP packet were to fall into the wrong hands and be reverse engineered, the packet would not give up the ISP's network topology, because of the abstract ID system Tracemax uses. This is a big concern, as many packets can be reverse engineered at some point.  However, because Tracemax not only labels each packet with an abstract ID but can also change its entire abstraction method, a user without the software would find the packet useless for determining where the trace is coming from.
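The labelling, the path reconstruction from the options field and the point about opaque abstract IDs, as an added simulation in Python that is not the Tracemax software or code from the Hillmann et al. paper: each simulated device appends its abstract ID to a packet's options list as it forwards the packet, and an ISP-side resolver that holds the ID-to-device mapping reconstructs the path from those labels without ever consulting the (spoofable) source address. How Tracemax actually derives its abstract IDs is not described on this page; the keyed-hash construction below, which lets the ISP change all labels at once by rotating a key, is my assumption, as are the device names, addresses and keys.

```python
import hashlib
import hmac


def make_abstract_id(device_name, epoch_key):
    """Assumed construction (not from the Tracemax paper): a keyed hash of the device
    name truncated to 8 hex characters.  Anyone without the ISP's key and mapping sees
    only opaque labels, and rotating the key re-labels every device at once."""
    return hmac.new(epoch_key, device_name.encode(), hashlib.sha256).hexdigest()[:8]


class Packet:
    """Minimal IP-like packet.  The source address may be spoofed by the sender;
    the options list stands in for the IP options field that carries the labels."""

    def __init__(self, src, dst, payload=b""):
        self.src, self.dst, self.payload = src, dst, payload
        self.options = []


class TracemaxDevice:
    """A router running Tracemax: appends its abstract ID to every packet it forwards."""

    def __init__(self, name, epoch_key):
        self.name = name
        self.abstract_id = make_abstract_id(name, epoch_key)

    def forward(self, packet):
        packet.options.append(self.abstract_id)
        return packet


class TracemaxResolver:
    """ISP-side mapping from abstract IDs back to devices: this is what lets the ISP
    reconstruct a path while the labels themselves reveal no topology."""

    def __init__(self, devices):
        self.id_to_name = {d.abstract_id: d.name for d in devices}

    def reconstruct_path(self, packet):
        """Single-packet traceback: the path is read from the labels, never from packet.src."""
        return [self.id_to_name.get(aid, "unknown") for aid in packet.options]

    def ingress_device(self, packet):
        """The first labelled hop is where the packet entered the monitored network."""
        path = self.reconstruct_path(packet)
        return path[0] if path else None


def send_through(packet, path):
    for device in path:
        device.forward(packet)
    return packet


def build_isp(epoch_key):
    """Constructed ISP with one customer-facing path; names and key are made up."""
    names = ("cust-edge-7", "core-1", "core-2", "peer-edge-3")
    devices = [TracemaxDevice(n, epoch_key) for n in names]
    return devices, TracemaxResolver(devices)


if __name__ == "__main__":
    path, resolver = build_isp(b"constructed-epoch-key-1")
    # Two flood packets with different spoofed sources still map to the same ingress device.
    for spoofed_src in ("203.0.113.5", "198.51.100.9"):
        pkt = send_through(Packet(spoofed_src, "192.0.2.10"), path)
        print(spoofed_src, pkt.options, "->", resolver.reconstruct_path(pkt))
    # After the ISP rotates its abstraction key, old labels no longer resolve.
    _, rotated = build_isp(b"constructed-epoch-key-2")
    print("after rotation:", rotated.reconstruct_path(pkt))
```

Running it shows the two properties the post attributes to Tracemax: packets with different spoofed sources resolve to the same ingress device because only the labels are used, and a resolver built under a different key maps every old label to "unknown", which is what makes a captured packet useless to anyone who lacks the ISP's current mapping.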


Hybrid Intrusion Detection System for DDoS Attacks

The solution to DDoS attacks is proving to be extremely difficult.  The previous projects focused predominantly on DDoS and DoS attacks on general networks, but it is not practical to leave wireless networks unmentioned.  This next research project takes a best-of-both-worlds approach.  As the name suggests, the Hybrid Intrusion Detection System (H-IDS) uses the misuse database, or signature-based, approach and combines it with the anomaly-based approach.  The joining, controlling, centralised node is referred to as the hybrid detection engine (HDE). See figure 1. The benefit of this system is that it combines the low frequency of false positives in signature-based IDS systems with the flexibility of pattern recognition, which increases speed and improves efficiency.  The HDE is defined by the following tasks:

  1. Collecting the outputs of the anomaly-based detector and the signature-based detector
  2. Calculating the attack probability
  3. Controlling the security levels of the detectors
  4. Updating the anomaly detector's normal network model
  5. Updating the signature-based detector's rule set


Detection method with SNORT

The HDE uses SNORT as its signature-based detection system.  SNORT is widely used in the industry and can be run in three modes: sniffer, packet logger and network IDS.  For the implementation of H-IDS the periodically updated rule set can be used.  The HDE uses SNORT as it is; however, the HDE controls SNORT's sensitivity levels.


Anomaly Mitigation Expectation Maximization Algorithm

The key mitigation strategy which differentiates the HDE from other mixed-model systems is that it uses an algorithm for maximum likelihood estimation problems, which are huge problems in mixed-model systems.  The algorithm used is the Expectation Maximization algorithm, or EM.  The strategy is to use EM over other approaches such as gradient ascent or Newton's method.  The EM algorithm enables the HDE to estimate the parameters of a probabilistic model from incomplete data, and it is very efficient when working with such data.  This is of high importance when taking in models from both signature-based and anomaly-based detection systems.


OR Mitigation Method

In most multi-detector systems there is the possibility of one detector detecting an intrusion while the other does not.  To alleviate this problem the HDE uses an OR relation, meaning it will report an intrusion as present whenever one or the other finds an intrusion, whether through pattern recognition or through SNORT's signature-based detection.   This ultimately gives a best-of-both-worlds approach to the DDoS attack scenario.
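The HDE tasks listed above, the EM-based attack probability and the OR decision, as an added example in Python that is not code from the Cepheli et al. paper and does not use the real SNORT: a small rule list with a sensitivity level stands in for the signature detector, a two-component Gaussian mixture fitted by EM over per-source request rates stands in for the anomaly detector (the hidden normal/attack label of each observation is the "incomplete data" EM fills in), and the engine raises an alert when either detector fires. The rules, the feature (requests per second per source), the training rates and the flows are constructed for the example; the real system's features and rule syntax are not described on this page.

```python
import math
import random

# Constructed rule list standing in for SNORT signatures (not Snort rule syntax).
# "priority" models the sensitivity level the HDE controls: priority-1 rules are
# always active, priority-2 rules only fire when the HDE raises the sensitivity.
SIGNATURES = [
    {"name": "flood tool banner", "dst_port": 80, "priority": 1,
     "payload": b"User-Agent: constructed-flood-bot"},
    {"name": "bare GET burst", "dst_port": 80, "priority": 2,
     "payload": b"GET / HTTP/1.1\r\n\r\n"},
]


def signature_detect(flow, sensitivity):
    """Names of the rules matching this flow at the current sensitivity level."""
    return [r["name"] for r in SIGNATURES
            if r["priority"] <= sensitivity
            and flow["dst_port"] == r["dst_port"]
            and r["payload"] in flow["payload"]]


def gauss_pdf(x, mu, var):
    return math.exp(-(x - mu) ** 2 / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)


def em_two_gaussians(xs, iters=100):
    """EM for a two-component 1-D Gaussian mixture over per-source request rates.

    The incomplete data is the hidden label of each observation (normal or attack):
    the E-step fills in the responsibilities, the M-step re-estimates the parameters.
    Components start at the smallest and largest observation with a shared variance.
    """
    n = len(xs)
    mean = sum(xs) / n
    overall_var = sum((x - mean) ** 2 for x in xs) / n
    mu, var, pi = [min(xs), max(xs)], [overall_var, overall_var], [0.5, 0.5]
    for _ in range(iters):
        resp = []
        for x in xs:  # E-step
            p = [pi[k] * gauss_pdf(x, mu[k], var[k]) for k in range(2)]
            s = sum(p) or 1e-300
            resp.append([pk / s for pk in p])
        for k in range(2):  # M-step
            nk = sum(r[k] for r in resp) or 1e-12
            pi[k] = nk / n
            mu[k] = sum(r[k] * x for r, x in zip(resp, xs)) / nk
            var[k] = max(sum(r[k] * (x - mu[k]) ** 2 for r, x in zip(resp, xs)) / nk, 1e-6)
    return pi, mu, var


class HybridDetectionEngine:
    """HDE: collects both detectors' outputs, computes an attack probability from the
    EM-fitted model, controls the signature detector's sensitivity and alerts under OR."""

    def __init__(self, training_rates, sensitivity=1, p_threshold=0.5):
        self.sensitivity, self.p_threshold = sensitivity, p_threshold
        self.update_normal_model(training_rates)

    def update_normal_model(self, rates):
        self.pi, self.mu, self.var = em_two_gaussians(rates)
        self.attack_comp = 1 if self.mu[1] > self.mu[0] else 0

    def attack_probability(self, rate):
        """Posterior probability that this source's rate belongs to the attack component."""
        p = [self.pi[k] * gauss_pdf(rate, self.mu[k], self.var[k]) for k in range(2)]
        total = sum(p)
        return p[self.attack_comp] / total if total > 0 else 1.0  # far outside both: treat as attack

    def evaluate(self, flow):
        hits = signature_detect(flow, self.sensitivity)
        p_attack = self.attack_probability(flow["rate"])
        anomaly = p_attack > self.p_threshold
        # OR relation: either detector alone is enough to raise the alert.
        return {"alert": bool(hits) or anomaly, "signatures": hits,
                "anomaly": anomaly, "attack_probability": p_attack}


def constructed_training_rates(seed=7):
    """Constructed requests-per-second per source: mostly normal clients plus a few flood sources."""
    rng = random.Random(seed)
    return [rng.gauss(50, 8) for _ in range(150)] + [rng.gauss(900, 100) for _ in range(20)]


# Constructed flows; "rate" is the source's requests per second.
FLOWS = {
    "normal": {"dst_port": 80, "rate": 48.0,
               "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    "known_tool": {"dst_port": 80, "rate": 55.0,      # normal rate, but a known signature
                   "payload": b"GET / HTTP/1.1\r\nUser-Agent: constructed-flood-bot\r\n\r\n"},
    "unknown_flood": {"dst_port": 443, "rate": 950.0,  # no rule matches, rate is anomalous
                      "payload": b"\x16\x03\x01\x00\x05"},
    "bare_get": {"dst_port": 80, "rate": 50.0,         # only caught at higher sensitivity
                 "payload": b"GET / HTTP/1.1\r\n\r\n"},
}

if __name__ == "__main__":
    hde = HybridDetectionEngine(constructed_training_rates())
    for name, flow in FLOWS.items():
        print(name, hde.evaluate(flow))
```

The "known_tool" and "unknown_flood" flows are the two halves of the OR relation: the first is caught only by the signature detector (its rate is normal), the second only by the anomaly detector (no rule matches a TLS handshake), and both raise an alert. The "bare_get" flow shows the sensitivity control: it is silent at the default level and fires once the engine raises the signature detector's sensitivity to 2.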


Conclusion

With the three different approaches covered for detecting, preventing and mitigating DDoS and DoS attacks, it is extremely easy to be excited about all three.  Tracemax as a concept is very bold in going after attribution in cyber security, but the concept falls apart when it comes to a realistic implementation of the software: the approach would need to be adopted globally for it to work.  For this reason we can see that we are very far from Tracemax becoming a reality.  The most feasible are the MCA anomaly-based detection system and the hybrid intrusion detection system, H-IDS, as the H-IDS system in theory brings the best of both worlds together.  The speed of detecting a DDoS attack is a critical part of the detection equation, and for this reason we would need to compare the H-IDS system against the MCA anomaly system, as both target improving the speed of detection.  Within the H-IDS research paper the researchers tested against a standard anomaly-based detection system; with the MCA component added to a normal anomaly system, it would be interesting to see the results.  We can only conclude that the speed would be better in the MCA anomaly-based detection system and that the accuracy is only slightly better in the H-IDS system. Brox (2002) writes: “Anomaly testing requires trained and skilled personnel, but then so does signature-based IDS. And, anomaly testing methods can be guaranteed to provide far more effective protection against hacker incidents.”  Ultimately one would have to believe that speed is not the only factor, and the decision has to be based on a company's line of business and size.  Both solutions would catch the DDoS attack and be able to identify how to block access, but how much maintenance is required due to false positives?  This is the deciding question that needs to be addressed, and it can only be answered on a company-by-company basis when adopting one of the methods covered.


[Image: tracemax_table] Table 1. Tracemax compared to other trace programs.

[Image: hybriddetectorids] Figure 1. Model of the hybrid IDS system.

References

Grace, C. J. C., Karthika, P., & Gomathi, S. (2016). A system for distributed denial-of-service attacks detection based on multivariate correlation analysis.

American Psychological Association. (2010). Publication manual of the American Psychological Association (6th ed.). Washington, DC: Author.

Hillmann, P., Tietze, F., & Rodosek, G. D. (2015). Strategies for Tracking Individual IP Packets Towards DDoS. PIK – Praxis Der Informationsverarbeitung Und Kommunikation, 38(1/2), 15-21. doi:10.1515/pik-2015-0010

Somani, G., Gaur, M. S., Sanghi, D., Conti, M., & Buyya, R. (2015). DDoS attacks in cloud computing: Issues, taxonomy, and future directions.

Cepheli, Ö., Büyükçorak, S., & Karabulut Kurt, G. (2016). Hybrid intrusion detection system for DDoS attacks. Journal of Electrical and Computer Engineering, 2016, 1-8. doi:10.1155/2016/1075648

Brox, A. (2002, May 1). Signature-based or anomaly-based intrusion detection: the practice and pitfalls. Retrieved from http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice-and-pitfalls/article/30471/

Arbor Networks secures patents for DDoS detection. (2015). Computer Security Update, 16(7), 4-6.

Zetter, K. (2016, January 16). Hacker lexicon: What are DoS and DDoS attacks? Wired. Retrieved from https://www.wired.com/2016/01/hacker-lexicon-what-are-dos-and-ddos-attacks/

Manohar, R. P., & Baburaj, E. (2016). Detection of stealthy denial of service (S-DoS) attacks in wireless sensor networks. International Journal of Computer Science and Information Security, 14(3), 343-348.