DDoS Attack Detection under SDN Context

DDoS Attack Detection under SDN Context
Authors: Yang Xu and Yong Liu
Presented by: Haozhou Yu

Denial-of-Service Attack

Distributed Denial-of-Service Attack (figure; legend: DDoS attack traffic, normal traffic)

Distributed Denial-of-Service Attack

DoS attack taxonomy
- Flood attacks: TCP SYN flood, Smurf IP attack, UDP flood, ICMP flood
- Logic / software attacks: Ping of Death, Teardrop, Land, Echo/Chargen

Defense of DDoS attack
1. Detect: covariance analysis, cluster analysis, wavelets, ...
2. Filter

Detect?

Traditional Network (figure: a basic enterprise LAN architecture, from http://www.excitingip.net/27/a-basic-enterprise-lan-network-architecture-block-diagram-and-components/)

Traditional Network Protocols (figure from "The Future of Networking, and the Past of Protocols", Scott Shenker with Martin Casado, Teemu Koponen, Nick McKeown)

Software Defined Networking (figure from the same Shenker talk)
- Control programs
- Global network view
- Network operating system
- Control via forwarding interface

OpenFlow usage (figure from the same Shenker talk). How the actual protocol works: a controller PC holds Alice's rule and Alice's code; the OpenFlow switches ask the controller for a forwarding decision over the OpenFlow protocol. OpenFlow offloads control intelligence to remote software.

DoS on traditional network
- Internet management is distributed: each network is run according to local policies
- No way to enforce global deployment of a particular security mechanism or security policy
- Often impossible to investigate cross-network traffic behavior

Software Defined Networking
- Separates the control plane from the data plane
- Provides new network management methods, including network measurement: the SDN central controller can quickly install and adapt measurement rules on all switches in a coordinated fashion

Utilize SDN to detect DDoS attacks. In this paper:
- Target: large-volume DDoS attacks
- Detection feature: traffic rate deviation/asymmetry (flood traffic toward a victim is not matched by return traffic)
- Constraint: the TCAM (Ternary Content-Addressable Memory) that holds flow rules on each SDN-enabled switch is very limited

Challenges:
- How to capture both the traffic rate feature and the traffic rate deviation/asymmetry feature to achieve high detection precision?
- How to collaboratively utilize the limited TCAM available on all switches to monitor the whole network?

System Overview
Two steps: victim detection, then post-detection (attacker identification)
Two methods: Sequential Method, Concurrent Method

Sequential Method

Concurrent Method

Victim Detection
Initial rule placement: monitor all IPs in the system by separate IP ranges; measure the flow rate asymmetry of each range.
Rule management: dedicate one measurement rule solely to one potential victim IP range; each rule monitors the range both as source and as destination, so the two directions can be compared.
(Figure: ranges A and B refined into A1, A2, B1, B2.)

Initial Rule Placement

Rule Placement Feasibility Check
Ford-Fulkerson algorithm: as long as there is a path from the source node to the sink node with available (residual) capacity on every edge of the path, send flow along one such path; stop when no augmenting path remains, which gives the maximum flow.
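As an added example (not the paper's own code), the feasibility check modelled as a flow network the way the slide suggests: source -> one node per IP range (capacity 1, since each range needs one measurement rule), range -> every switch whose traffic includes that range (capacity 1), switch -> sink (capacity = free TCAM entries). This graph shape, the rule that placement is feasible exactly when the maximum flow equals the number of ranges, and the four-range / three-switch topology are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

def max_flow(cap, source, sink):
    """Ford-Fulkerson with BFS-chosen augmenting paths (Edmonds-Karp).
    cap[u][v] is residual capacity and is updated in place, so afterwards
    cap[u][v] == 0 on a unit edge means that edge carries flow."""
    total = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return total                         # no augmenting path left: flow is maximal
        path, v = [], sink
        while v != source:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] = cap[v].get(u, 0) + bottleneck   # reverse edge lets a later path undo this choice
        total += bottleneck

def place_rules(ranges, free_tcam):
    """ranges: {ip_range: [switches whose traffic includes that range]}
    free_tcam: {switch: free TCAM entries}
    Each range needs one measurement rule on some switch it traverses; a switch hosts
    at most free_tcam[switch] rules. Returns (feasible, {ip_range: switch}); ranges
    that could not be placed are absent from the dict."""
    SRC, SINK = ("source",), ("sink",)           # tuple keys cannot collide with range/switch names
    cap = defaultdict(dict)
    for rng, switches in ranges.items():
        cap[SRC][rng] = 1                        # one rule per range
        for sw in switches:
            cap[rng][sw] = 1
    for sw, free in free_tcam.items():
        cap[sw][SINK] = free                     # the switch's TCAM budget
    placed = max_flow(cap, SRC, SINK)
    assignment = {rng: sw for rng, switches in ranges.items()
                  for sw in switches if cap[rng][sw] == 0}
    return placed == len(ranges), assignment

# Constructed topology (illustration only): four candidate victim ranges, three switches.
RANGES = {
    "10.1.0.0/16": ["s1"],
    "10.2.0.0/16": ["s1", "s2"],
    "10.3.0.0/16": ["s2"],
    "10.4.0.0/16": ["s2", "s3"],
}
FREE_TCAM = {"s1": 1, "s2": 2, "s3": 1}

if __name__ == "__main__":
    print(place_rules(RANGES, FREE_TCAM))                 # feasible: every range gets a switch
    print(place_rules(RANGES, {**FREE_TCAM, "s3": 0}))    # s3 full: one range stays unplaced
```

With s3 full the maximum flow is 3 for 4 ranges, so the check fails and the controller knows it must coarsen the ranges (fewer rules) or drop a candidate before installing anything.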

Detection Rule Adaptation
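The slide carries only a figure, so the following is an illustrative reconstruction of the sequential method's granularity adaptation, added here and not the authors' code: a range flagged by the classifier is split into its two halves while spare TCAM rules remain, and clean ranges are merged back with their siblings to free rules. The victim address, the flood size, the background traffic, the threshold and the budgets are constructed; the asymmetry measurement is a stand-in for the two per-range OpenFlow counters (destination in range, source in range), read as an inbound/outbound ratio. It also shows the dilution effect behind the later claim that finer granularity improves detection: the same flood raises per-destination asymmetry from about 4 on a /18 to about 50,000 on a /32.

```python
import ipaddress

# Constructed scenario (not from the paper): one victim inside 10.0.0.0/16, a flood of
# 5,000,000 packets toward it, symmetric background traffic of 100 packets per host.
VICTIM = ipaddress.ip_address("10.0.77.5")
ATTACK_PKTS = 5_000_000
BG_PKTS_PER_HOST = 100
INITIAL_RULES = [ipaddress.ip_network(f"10.0.{o}.0/18") for o in (0, 64, 128, 192)]

def measure(net):
    """Stand-in for a range's two counters (packets to the range, packets from the range).
    Returns the per-destination packet-count asymmetry PA = in/out; note the flood is
    diluted over every address in the range, so coarse ranges show a weaker signal."""
    background = BG_PKTS_PER_HOST * net.num_addresses
    pkts_in = background + (ATTACK_PKTS if VICTIM in net else 0)
    return {"PA": pkts_in / background}

def suspicious(features):
    """Classifier stand-in: symmetric traffic gives PA close to 1."""
    return features["PA"] > 2.0

def adapt_round(monitored, measure, suspicious, tcam_budget):
    """One adaptation round: split each suspicious range into its two halves while the
    TCAM budget allows; merge clean sibling ranges back to coarser prefixes to free rules."""
    flagged = [net for net in monitored if suspicious(measure(net))]
    clean = list(ipaddress.collapse_addresses(n for n in monitored if n not in flagged))
    rules = list(clean)
    spare = tcam_budget - len(clean) - len(flagged)   # every flagged range keeps at least one rule
    for net in flagged:
        if net.prefixlen < 32 and spare > 0:
            rules.extend(net.subnets(prefixlen_diff=1))   # a split costs one extra rule
            spare -= 1
        else:
            rules.append(net)                             # no room, or already a single host
    return rules, flagged

def locate_victim(initial, measure, suspicious, tcam_budget, max_rounds=64):
    """Run rounds until the rule set stops changing; returns (flagged ranges, final rules)."""
    rules, flagged = list(initial), []
    for _ in range(max_rounds):
        new_rules, flagged = adapt_round(rules, measure, suspicious, tcam_budget)
        if set(new_rules) == set(rules):
            break
        rules = new_rules
    return flagged, rules

def flagged_prefixes(tcam_budget):
    """Which ranges are still flagged when adaptation stops under the given budget."""
    flagged, rules = locate_victim(INITIAL_RULES, measure, suspicious, tcam_budget)
    assert len(rules) <= tcam_budget                      # never exceed the switch's TCAM
    return [str(net) for net in flagged]

if __name__ == "__main__":
    print("budget 40:", flagged_prefixes(40))   # zooms all the way to the victim host
    print("budget 6:", flagged_prefixes(6))     # runs out of rules at a /21
    print("PA on a /18 vs the victim /32:", round(measure(INITIAL_RULES[1])["PA"], 2),
          measure(ipaddress.ip_network("10.0.77.5/32"))["PA"])
```

With 40 rules the loop narrows the four initial /18 ranges down to 10.0.77.5/32; with 6 rules it stalls at 10.0.72.0/21, which is the "finer victim ranges given limited TCAM" trade-off the experiment section discusses.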

Attacker Detection Procedure

Concurrent Method

Pros & Cons
Sequential Method: finer victim observation IP ranges; the attacker cannot be found at the same time as the victim.
Concurrent Method: finds the attacker at the same time as the victim; uses more TCAM space.

Choose between two methods

Classification Method Feature Selection Victim Identification Features Attacker Identification Features Classifiers

Victim Identification Features (per potential victim IP range)
- Packet Count per Destination (P): average number of packets to each destination IP in the range.
- Byte Count per Destination (B): average number of bytes to each destination IP in the range.
- Packet Count Asymmetry per Destination (PA): average packet count asymmetry (packets in versus packets out) for each destination IP in the range.
- Byte Count Asymmetry per Destination (BA): average byte count asymmetry for each destination IP in the range.

Attacker Identification Features (per source IP range i and victim IP range j)
- Packet Count per Source (P): average number of packets from a host in IP range i to a host in victim IP range j.
- Byte Count per Source (B): average number of bytes from a host in IP range i to a host in victim IP range j.
- Packet Count Asymmetry from Source (PA): average packet count asymmetry from range i toward the victim IP range.
- Byte Count Asymmetry from Source (BA): average byte count asymmetry from range i toward the victim IP range.

Classifiers: Self-Organizing Map (SOM)
1. Randomize the weight vector of every node in the map space.
2. Choose one input vector I from the data space.
3. Calculate the Euclidean distance between the input vector and every node's weight vector.
4. The node with the smallest distance is the winner node.
5. Update the nodes in the neighborhood of the winner so that the Euclidean distance between each of their weight vectors and the input vector becomes smaller.
6. Repeat steps 2-5 until the weight vectors show no significant change.

Experiment: traffic classes
- Attack Transmission (A): flows from 10,000 randomly picked source IPs to the victim IP; each source's sending rate is randomly distributed within (30 kbps, 70 kbps) and its receiving rate within (1 kbps, 4 kbps).
- Normal Large Volume Transmission (N1): one source IP to one destination IP; sending rate within (300 Mbps, 700 Mbps), receiving rate within (300 Mbps, 700 Mbps).
- Normal Small Asymmetry Transmission (N2): one source IP to one destination IP; sending rate within (30 kbps, 70 kbps), receiving rate within (1 kbps, 4 kbps); no more than 100 sources send to the same destination.
- Normal Small Symmetry Transmission (N3): one source IP to one destination IP; sending rate within (30 kbps, 70 kbps), receiving rate within (30 kbps, 70 kbps); no more than 100 sources send to the same destination.
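An added example (not from the paper or the presenter) that ties the feature definitions, the SOM procedure and the experiment's four traffic classes together: it samples per-destination P, B, PA and BA from the rate ranges listed above, trains a 4x4 SOM implemented from the six steps, labels each node by majority vote of the training vectors it wins, and classifies fresh samples by their nearest labelled node. The per-class packet sizes, the one-second window, the map size and the reading of "asymmetry" as the inbound/outbound count ratio are all constructed assumptions. centroid_gap shows why the asymmetry features matter: class A and class N1 nearly coincide on volume alone.

```python
import functools, math, random

# Constructed assumptions (not from the paper): per-class packet sizes that turn the
# experiment's bit rates into packet counts, over a one-second measurement window.
PKT_BYTES = {"A": 64, "N1": 1000, "N2": 500, "N3": 1000}
CLASSES = ["A", "N1", "N2", "N3"]

def sample_features(cls, rng):
    """One destination IP's (P, B, PA, BA) for a traffic class of the experiment.
    Asymmetry is read as the inbound/outbound count ratio."""
    if cls == "N1":                                  # one heavy, symmetric flow
        bits_in, bits_out = rng.uniform(300e6, 700e6), rng.uniform(300e6, 700e6)
    else:                                            # many sources at 30-70 kbps each
        n = 10_000 if cls == "A" else rng.randint(10, 100)
        out_lo, out_hi = (30e3, 70e3) if cls == "N3" else (1e3, 4e3)
        bits_in = sum(rng.uniform(30e3, 70e3) for _ in range(n))
        bits_out = sum(rng.uniform(out_lo, out_hi) for _ in range(n))
    pkt_bits = PKT_BYTES[cls] * 8
    p_in, p_out = bits_in / pkt_bits, bits_out / pkt_bits
    return [p_in, bits_in / 8, p_in / p_out, bits_in / bits_out]   # P, B (bytes), PA, BA

@functools.lru_cache(maxsize=None)
def build_dataset(n_per_class, seed):
    """log10-scaled feature vectors with labels (cached: class A sums 10,000 sources per sample)."""
    rng, X, y = random.Random(seed), [], []
    for cls in CLASSES:
        for _ in range(n_per_class):
            X.append([math.log10(v) for v in sample_features(cls, rng)])
            y.append(cls)
    return X, y

def fit_minmax(vecs):
    """Per-feature min-max scaler fitted on the training set so Euclidean distances are comparable."""
    lo, hi = [min(c) for c in zip(*vecs)], [max(c) for c in zip(*vecs)]
    return lambda x: [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi)]

def euclid(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.grid = [(r, c) for r in range(rows) for c in range(cols)]
        self.w = [[rng.random() for _ in range(dim)] for _ in self.grid]  # step 1: random weights
        self.labels = {}                                                  # node index -> class

    def bmu(self, x):
        """Steps 3-4: the node whose weight vector is closest to x (the winner)."""
        return min(range(len(self.w)), key=lambda i: euclid(self.w[i], x))

    def train(self, data, iters=4000, lr0=0.5, lr1=0.02, sigma0=2.0, sigma1=0.3, seed=1):
        rng = random.Random(seed)
        for t in range(iters):
            frac = t / iters
            lr = lr0 * (lr1 / lr0) ** frac              # learning rate decays geometrically
            sigma = sigma0 * (sigma1 / sigma0) ** frac  # neighbourhood radius shrinks
            x = rng.choice(data)                         # step 2: pick an input vector
            br, bc = self.grid[self.bmu(x)]
            for i, (r, c) in enumerate(self.grid):       # step 5: pull winner and neighbours toward x
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma ** 2))
                if h > 1e-3:
                    self.w[i] = [wi + lr * h * (xi - wi) for wi, xi in zip(self.w[i], x)]

    def label_nodes(self, data, labels):
        """Majority vote of the training vectors each node wins; nodes that never win stay unlabelled."""
        votes = {}
        for x, y in zip(data, labels):
            b = self.bmu(x)
            votes.setdefault(b, {})
            votes[b][y] = votes[b].get(y, 0) + 1
        self.labels = {i: max(v, key=v.get) for i, v in votes.items()}

    def classify(self, x):
        """Class of the nearest labelled node."""
        return self.labels[min(self.labels, key=lambda i: euclid(self.w[i], x))]

def train_detector(seed=0):
    X, y = build_dataset(30, seed)
    scale = fit_minmax(X)
    som = SOM(4, 4, 4, seed)
    som.train([scale(x) for x in X])
    som.label_nodes([scale(x) for x in X], y)
    return som, scale

def accuracy(som, scale, seed=99, n_per_class=10):
    """Fraction of fresh samples (drawn with a different seed) classified correctly."""
    X, y = build_dataset(n_per_class, seed)
    return sum(som.classify(scale(x)) == c for x, c in zip(X, y)) / len(y)

def centroid_gap(cls_a, cls_b, dims, seed=0):
    """Distance between two class centroids using only the feature indexes in dims
    (0=P, 1=B, 2=PA, 3=BA). Volume-only (0, 1) barely separates A from N1."""
    X, y = build_dataset(30, seed)
    scale = fit_minmax(X)
    Xs = [scale(x) for x in X]
    def centroid(cls):
        pts = [x for x, c in zip(Xs, y) if c == cls]
        return [sum(p[d] for p in pts) / len(pts) for d in dims]
    return euclid(centroid(cls_a), centroid(cls_b))
```

Usage: `som, scale = train_detector(); accuracy(som, scale)` reports the held-out accuracy, and comparing `centroid_gap("A", "N1", [0, 1])` with `centroid_gap("A", "N1", [2, 3])` makes the "Importance of Asymmetry Feature" point numerically: a 500 Mbps flood and a 500 Mbps legitimate transfer have the same volume, and only the missing return traffic tells them apart.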

Importance of Asymmetry Feature

Performance of Two Detection Methods

Experiment results
- Simulation results demonstrate that capturing the asymmetry feature is important for high detection accuracy.
- With suitable features, the SOM classifier achieves very accurate detection.
- Features obtained at finer granularity make detection more accurate.
- If the priority of DDoS detection is to find victims, the Sequential Method is preferable: given limited TCAM sizes it can detect finer potential victim IP ranges.
- If the objective is to find both victims and attackers and TCAM is abundant, the Concurrent Method is preferable, as it finds victims and attackers more quickly.

Conclusion
- Use SDN for DDoS attack detection.
- Capture the flow volume feature as well as the flow rate asymmetry feature.
- Propose the Sequential Method and the Concurrent Method, which adaptively change the flow monitoring granularity on all switches to quickly locate potential victims and suspicious attackers.

Future work
- Refine the detection method.
- Evaluate the methods with packet traces collected from real DDoS attacks.
- Implement the methods on the OpenFlow platform.

Q & A