Similar literature
20 similar documents found (search time 15 ms)
1.
TCP and UDP are considered the most popular and well-known transport layer protocols to facilitate end-to-end communication between two nodes in the network. TCP is used as the transport layer protocol in packet-delivery- and error-sensitive applications, where packet loss cannot be tolerated. However, low-rate TCP-targeted Denial of Service (DoS) attacks exploit the retransmission timeout and congestion control features of the TCP protocol. These low-rate TCP-targeted DoS attacks are also called JellyFish (JF) attacks. These attacks perform their malicious activities either by delaying, periodically dropping or mis-ordering the data packets on the route from source to destination node in the network, and cause severe degradation in end-to-end throughput in the network. The JellyFish attack is further classified as JF-Delay Variance Attack, JF-Periodic Drop Attack and JF-Reorder Attack based on the type of malicious activity being performed. The JellyFish attack conforms to all existing routing and packet forwarding protocol specifications, and therefore it becomes very difficult to detect its presence in the network. In this paper, a Friendship Based JellyFish Attack Detection Algorithm (FJADA) is presented for Mobile Ad Hoc Networks, where the basic concept of a friendship mechanism is added to the existing Direct Trust-based Detection (DTD) algorithm to save the valuable resources of a node in monitoring the activities of its one-hop neighbours through promiscuous mode. FJADA also minimizes the possibility of overestimating the malicious behaviour of innocent nodes due to radio transmission errors, network congestion or packet collisions. The results obtained throughout the simulation experiments clearly show the feasibility and effectiveness of the proposed detection algorithm.

2.
Congestion control for multimedia services (total citations: 1; self-citations: 0; citations by others: 1)
The problem of congestion control in high-speed networks for multimedia traffic, such as voice and video, is considered. It is shown that the performance requirements of high-speed networks involve delay, delay-jitter, and packet loss. A framing congestion control strategy based on a packet admission policy at the edges of the network and on a service discipline called stop-and-go queuing at the switching nodes is described. This strategy provides bounded end-to-end delay and a small and controllable delay-jitter. The strategy is applicable to packet switching networks in general, including fixed-cell-length asynchronous transfer mode (ATM), as well as networks with variable-size packets.

3.
A Mobile Ad hoc Network (MANET) has emerged as an autonomous, multi-hop, wireless and temporary type of network which works within constraints like bandwidth, power and energy. A MANET can be observed as an open type of network where nodes become part of any network at any time, which is why it is susceptible to different types of attacks. The wormhole attack is the most threatening security attack in ad hoc networks, where an attacker node receives packets at one location and replays them at another location that is remotely located far away. In this paper, we study and compare the performance of AODV, DSR and ZRP under the impact of multiple wormhole attacker nodes. Diverse scenarios are characterized, such as the average of 50 runs and mobility. By statistical placement of multiple wormhole nodes across the network, we evaluate the performance in terms of throughput, packet delivery ratio, packet loss, average end-to-end delay and jitter. Finally, based on the simulation, we identify the most affected routing protocol in terms of network metrics.

4.
Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable to high-speed hardware implementation.

5.
Software-defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial-of-service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two-Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K-nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on a VMware Ubuntu, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two-Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.


7.
A DoS attack defence mechanism for Gnutella-based P2P networks (total citations: 2; self-citations: 0; citations by others: 2)
The characteristics of DoS attacks against Gnutella-based P2P computing networks are analysed in detail. By setting an attack tolerance and a defence starting point, a simple feature-based DoS attack defence strategy is proposed, which uses a Bayesian-inference-based anomaly detection method to discover attacks, so that the system can adaptively adjust its defence mechanism according to the strength of the DoS attack and maintain the network's service performance. Simulation results show that the proposed defence strategy can effectively defend against DoS attacks launched on the network by malicious nodes: network service availability reaches 98%, the average probability of a normal request packet being dropped is 1.83%, and the average time overhead of the prevention mechanism accounts for only 6.5% of the total network overhead.

8.
A secured self-organizing network is an approach to computer network architecture that seeks to address the technical issues in heterogeneous networks that may lack continuous network connectivity. In a delay tolerant network, packet storage exists when there is any link breakage between the nodes in the network, so delay is tolerable in this type of network during data transmission. But this delay is not tolerable in a wireless network for voice packet transmission. This evokes the use of wireless networks. In a network, different wireless network topologies interoperate with each other, so the communication across the network is called an overlay network. This network is vulnerable to attacks due to the mobile behaviour of nodes and frequent changes in the topology of the network. The attacks analysed in this paper are the wormhole attack and the blackhole attack. They are critical threats to normal operation in wireless networks and result in the degradation of network performance. The proposed recovery algorithm for the wormhole and the isolation of the blackhole will increase the performance of the network. The performance metrics such as throughput, packet delivery ratio, end-to-end delay and routing overhead of the network are evaluated.

9.
Conventional block-based broadcast authentication protocols overlook the heterogeneity of receivers in mobile computing by letting the sender choose the block size, divide a broadcast stream into blocks, associate each block with a signature, and spread the effect of the signature across all the packets in the block through hash or coding algorithms. They suffer from some drawbacks. First, they require that the entire block with its signature be collected before authenticating every packet in the block. This authentication latency can lead to the jitter effect on real-time applications at receivers. Second, the block-based approach is vulnerable to packet loss in mobile computing in the sense that the loss of some packets makes the other packets unable to be authenticated, especially when the block signature is lost. Third, they are also vulnerable to DoS attacks caused by the injection of forged packets. In this article we propose a novel broadcast authentication protocol based on an efficient cryptographic primitive called a batch signature. Our protocol supports the verification of the authenticity of any number of packets simultaneously and avoids the shortcomings of the block-based approach.

10.
Software-defined networking (SDN) creates a platform to dynamically configure networks for on-demand services. SDN can easily control the data plane and the control plane by implementing the decoupling concept. The SDN controller regulates the traffic flow and creates new flow labels based on the packet dump received from the OpenFlow virtual switches. SDN governs both data information and control information toward the destination based on the flow label, but it does not contain security measures to restrict malicious traffic. Malicious denial-of-service (DoS) attack traffic generated inside the SDN environment leads to service unavailability. This paper is mainly focused on the detection of DoS attacks and also mitigates the malicious traffic by dynamically configuring the firewall. The SDN with dynamic access control list properties is emulated in Mininet, and the experimental results exemplify the service-unavailability gap between the acceptance and rejection ratios of the packets.

11.
Wireless mesh networks (WMNs) are considered cost effective, easily deployable and capable of extending Internet connectivity. However, one of the major challenges in deploying reliable WMNs is preventing their nodes from malicious attacks, which is of particular concern as attacks can severely degrade network performance. When a DoS attack is targeted over an entire communication path, it is called a path-based DoS attack. We study the performance impact of path-based DoS attacks by considering attack intensity, medium errors, physical diversity, collusion and hop count. We set up a wireless mesh testbed and configure a set of experiments to gather realistic measurements, and assess the effects of different factors. We find that medium errors have a significant impact on the performance of WMNs when a path-based DoS attack is carried out, and the impact is exacerbated by MAC layer retransmissions. We show that due to physical diversity, a far attacker can lead to a greater performance degradation than a close-by attacker. Additionally, we demonstrate that the joint impact of two colluding attackers is not as severe as the joint result of individual attacks. We also discuss a strategy to counter path-based DoS attacks which can potentially alleviate the impact of the attack significantly.

12.
Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on the Bro traffic analyzer and on the global network view of software-defined networks (SDN) provided by OpenFlow. BroFlow's main contributions are (i) dynamic and elastic resource provisioning of traffic-analyzing machines on demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close to their sources; and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multiple tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing by up to 90% the maximal network delay caused by the attack. BroFlow reaches a 50% bandwidth gain when compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the number of sensors while keeping full coverage of network flows.

13.
Quality of service concerns in IP-based control systems (total citations: 1; self-citations: 0; citations by others: 1)
The popularity of network-based control systems (NBCS) is continuously growing. One of the most intriguing aspects is the transportation of control network data over IP-based networks using accepted standards such as EIA-852. To a large extent the actual quality of control (QoC) in such systems depends on the network timing such as delay and delay jitter. This paper presents a classification of relevant quality of service parameters and identifies application classes. Subsequently, the paper focuses on the effect of delay jitter at a fixed mean delay on the QoC. Two sources of delay jitter are identified in IP-based control systems: 1) network traffic induced and 2) protocol induced. As an example of a simple control loop implemented over an EIA-852-based system we investigate how the induced jitter affects the QoC using a time-discrete simulation model. Conclusions are drawn as to how the findings in the EIA-852 system can be interpreted and extended to a generalized NBCS.

14.
张云, 江勇, 郑靖, 庞春辉, 李琦. 《电子学报》 (Acta Electronica Sinica), 2019, 47(5): 1146-1151
Software-defined networking (SDN) separates the control plane from the data plane, bringing flexibility, openness and programmability to the network. However, this separation introduces new security problems. We find that by constructing specific rules a cross-layer loop attack can be built, causing packets to be forwarded in an endless cycle between the controller and the switches. A cross-layer loop causes controller congestion and prevents the controller from working normally. Existing policy-consistency checking schemes cannot detect cross-layer loop attacks. To address this, this paper proposes a method for real-time detection of and defence against cross-layer loops. By constructing a Packet-out-based forwarding graph and analysing rule paths, loops can be detected and defended against quickly. We implemented the proposed loop detection and defence scheme on the open-source controller Floodlight and evaluated its performance on the Mininet emulator; the results show that the scheme can detect and effectively defend against cross-layer loop attacks in real time.

15.
Network support for IP traceback (total citations: 5; self-citations: 0; citations by others: 5)
This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back toward their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed," source addresses. We describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet service providers (ISPs). Moreover, this traceback can be performed "post mortem", after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backward compatible, and can be efficiently implemented using conventional technology.

16.
To support real-time multimedia services in the UMTS all-IP network, Third-Generation Partnership Project TR 25.936 proposed two approaches to support real-time serving radio network controller (SRNC) switching, which require packet duplication during SRNC relocation. These approaches significantly consume extra system resources. This paper proposes the fast SRNC relocation (FSR) approach that does not duplicate packets. In FSR, a packet buffering mechanism is implemented to avoid packet loss at the target RNC. We propose an analytic model to investigate the performance of FSR. The numerical results show that packet loss at the source RNC can be ignored. Furthermore, the expected number of packets buffered at the target RNC is small, which does not prolong packet delay.

17.
Multimedia services (real-time and non-real-time) have different demands, including the need for high bandwidth and low delay, jitter and loss. TCP is a dominant protocol on the Internet. In order to have the best performance in TCP, the congestion window size must be set according to some parameters, since the TCP source is not aware of the window size. TCP emphasizes reliability more than timeliness, so TCP is not suitable for real-time traffic. In this paper an active Queue management support TCP (QTCP) model is presented. The source rate is regulated based on the feedback received from intermediate routers. Furthermore, in order to satisfy the requirements of multimedia applications, a new Optimization Based active Queue management (OBQ) mechanism has been developed. OBQ calculates packet loss probabilities based on the queue length, packet priority and delay in routers, and the results are sent to the source, which can then regulate its sending rate. Simulation results indicate that QTCP reduces packet loss and buffer size in intermediate nodes, improves network throughput and reduces delay.

18.
Real-time DDoS attack detection based on deep learning (total citations: 1; self-citations: 1; citations by others: 0)
A distributed denial-of-service (DDoS) attack is a distributed, coordinated, large-scale network attack. This paper proposes a deep-learning-based DDoS attack detection method consisting of two stages, feature processing and model detection. The feature processing stage performs feature extraction, format conversion and dimension reconstruction on the input packets; the model detection stage feeds the processed features into a deep learning network model to determine whether the input packets are DDoS attack packets. The model is trained on the ISCX2012 dataset and validated against real-time DDoS attacks. The results show that the deep-learning-based DDoS attack detection method offers high detection accuracy, little dependence on hardware and software, and a deep learning network model that is easy to update.

19.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) are two of the most severe attacks against computer networks, especially the Internet. Despite its destructive effect, planning these attacks is a feasible task. Given that most attackers usually spoof the source address in packet headers, countermeasures can be based on two steps. First of all, some information from the attack space of the offender must be gathered. Fortunately, packets that reach a victim carry important data that can be acquired by means of a data collection process. One possibility is to use the probabilistic packet marking (PPM) approach for data acquisition. Once this is achieved, the next step consists of reconstructing the attack path, which can be carried out by several methods available in the literature. However, none of them provides a precise solution. In this paper, a new theoretical tracking model for the identification of DoS attackers is presented. The model unites the PPM approach and the concept of winding number, derived from the well-known Cauchy's integral theorem. The winding number is a hydraulic analogy of the amount of attacking packets growing from a router. A suitable transformation allows seeing the packet traffic, in the attack environment, as a fluid flux in the space of complex variables. The method of solving the tracking problem and identifying the sources of attack presents an additional motivation: the use of continuous techniques when approaching a problem that occurs in a discrete environment. Such association will contribute to the development of further solutions possibly more robust than the one dealt with here. This paper shows that the new model can correctly identify the IP address of the router from which the attack comes by using an integral equation derived from the winding number expression. Copyright © 2008 John Wiley & Sons, Ltd.

20.
To address the lack of a secure and efficient data-origin verification mechanism in software-defined networking (SDN), this paper proposes a packet forwarding verification mechanism based on cryptographic identifiers. First, a packet forwarding verification model based on cryptographic identifiers is established, in which the cryptographic identifier serves as a pass for IP packets entering and leaving the network. Second, an SDN batch anonymous authentication protocol is designed that delegates the verification function of the SDN controller to the SDN switches: the switches perform user identity verification and cryptographic identifier verification, quickly filtering forged, tampered and other illegitimate packets, improving the efficiency of unified authentication and management at the SDN controller, and providing users with conditional privacy protection. A cryptographic-identifier-based packet sampling verification scheme for arbitrary nodes is proposed, in which no attacker can bypass packet inspection by inferring the sampling, ensuring packet authenticity while reducing processing delay. Finally, a security analysis and performance evaluation are carried out. The results show that the mechanism can quickly detect packet forgery and tampering and resist ID analysis attacks, while introducing roughly 9.6% forwarding delay and less than 10% communication overhead.
