Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identification of Repeated Denial of Service Attacks

Published byJonathan Thibodeau Modified over 5 years ago

Similar presentations

Presentation on theme: "Identification of Repeated Denial of Service Attacks"— Presentation transcript:

1 Identification of Repeated Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos 16 November 2018

2 Why detect repeated attacks?
DoS used as a weapon for extortion, vandalism, and ideological attacks Attribution – ability to quantify and associate repeated attacks on a victim to the same attackers Assist in criminal and civil prosecution Copyright 2004, USC/ISI All rights reserved.

3 Repeated Attack Scenarios
M monitors series of attacks Converts each attack packet trace ti to fingerprint F(ti) Each fingerprint uniquely identifies an attack scenario Attack scenario – combination of attack troops and attack tool F(t1) similar to F(t2) F(t1) not similar to F(t3) V1 M V2 Copyright 2004, USC/ISI All rights reserved.

4 Our Approach Goal: Test is attack scenario has occurred earlier
Build on our previous work (SIGCOMM 2003) F(Y) C F(Z) Step I: Create a fingerprint Step II: Compare F(Z) to C Copyright 2004, USC/ISI All rights reserved.

5 Defining fingerprint Step Ia: Feature Extraction
Power spectral density of attack trace Dominant frequencies in attack spectra Step Ib: Estimate fingerprint Mean vector and Covariance matrix of dominant frequencies Copyright 2004, USC/ISI All rights reserved.

6 Step I: Create fingerprint for Z
Segment attack trace in K section xk(t) of packets Estimate psd for each xk(t) Extract dominant frequencies from each psd to form matrix Xk Estimate distribution parameters: Mean vector Covariance matrix Copyright 2004, USC/ISI All rights reserved.

7 Step II: Comparing Attacks
Pattern recognition techniques Divergence between the probability distributions - Maximum-likelihood classifier Similar attack scenarios have small divergence Using cdf of divergence test if attack have small divergence lowCZ rangeCZ Copyright 2004, USC/ISI All rights reserved.

8 Step II: Compare C to F(Z)
Segment attack trace into L sections of xl(t) packets Estimate psd for each xl(t) Extract dominant frequencies to form matrix Xl Compute divergence Copyright 2004, USC/ISI All rights reserved.

9 Interpreting Match Data
Are the comparisons accurate? Does attack C match well with F(Z)? Are the comparisons precise? Does attack C have a small divergence with F(Z)? Summarize set LCZ highCZ as 95% quantile of LCZ lowCZ as 5% quantile of LCZ rangeCZ as difference between highCZ and lowCZ Accurate match -> small lowCZ value Precise match -> small rangeCZ value C and F(Z) match iff both accurate and precise Copyright 2004, USC/ISI All rights reserved.

10 Results Database of 18 attacks captured at Los Nettos
Attack duration > 400s to create fingerprint Real world attacks Emulate similar attack scenarios by comparing the head and tail of the same attack Tests different attack scenarios Experimental evaluation for factors affecting the fingerprint Copyright 2004, USC/ISI All rights reserved.

11 Detect repeated Scenario
Example: comparing head & tail of same attack comparing different attacks Detected seven repeated attack scenarios over a period of five months lowFF=172, rangeFF=57 lowFJ =223, rangeFJ=768333 Copyright 2004, USC/ISI All rights reserved.

12 Robustness of Fingerprints
What factors affect the fingerprint? OS CPU speed Attack tool LM1 LM2 LM3 FM1 FM2 FM3 Victim M Attack Scenario = Troop + Tool Do not affect fingerprint Host Load Less than 60% cross-traffic Copyright 2004, USC/ISI All rights reserved.

13 Future Work Alternate feature definitions Clustering Algorithms
Wavelet Energy vectors Clustering Algorithms K-means and hierarchical clustering Temporal Stability Portability Copyright 2004, USC/ISI All rights reserved.

14 Technical report located at
Thank You Technical report located at Copyright 2004, USC/ISI All rights reserved.

Download ppt "Identification of Repeated Denial of Service Attacks"

Similar presentations

WATERSENSE: WATER FLOW DISAGGREGATION USING MOTION SENSORS Vijay Srinivasan, John Stankovic, Kamin Whitehouse Department of Computer Science University.

WATERSENSE: WATER FLOW DISAGGREGATION USING MOTION SENSORS Vijay Srinivasan, John Stankovic, Kamin Whitehouse Department of Computer Science University.
Face Recognition and Biometric Systems Elastic Bunch Graph Matching.

Face Recognition and Biometric Systems Elastic Bunch Graph Matching.
12-5-2015 Challenge the future Delft University of Technology Blade Load Estimations by a Load Database for an Implementation in SCADA Systems Master Thesis.

Challenge the future Delft University of Technology Blade Load Estimations by a Load Database for an Implementation in SCADA Systems Master Thesis.
Multiple People Detection and Tracking with Occlusion Presenter: Feifei Huo Supervisor: Dr. Emile A. Hendriks Dr. A. H. J. Stijn Oomes Information and.

Multiple People Detection and Tracking with Occlusion Presenter: Feifei Huo Supervisor: Dr. Emile A. Hendriks Dr. A. H. J. Stijn Oomes Information and.
Clustering (1) Clustering Similarity measure Hierarchical clustering Model-based clustering Figures from the book Data Clustering by Gan et al.

Clustering (1) Clustering Similarity measure Hierarchical clustering Model-based clustering Figures from the book Data Clustering by Gan et al.
Copyright ©2013 by SJTU, IWCT. Dongchuan Road #800, Minhang, Shanghai,200240 All rights reserved. Indoor Localization with a Crowdsourcing based Fingerprints.

Copyright ©2013 by SJTU, IWCT. Dongchuan Road #800, Minhang, Shanghai, All rights reserved. Indoor Localization with a Crowdsourcing based Fingerprints.
Uncertainty Representation. Gaussian Distribution variance Standard deviation.

Uncertainty Representation. Gaussian Distribution variance Standard deviation.
Face Recognition & Biometric Systems, 2005/2006 Face recognition process.

Face Recognition & Biometric Systems, 2005/2006 Face recognition process.
Signal coding Definitions Types of coding schemes Inferring sender and receiver coding Signal function and coding.

Signal coding Definitions Types of coding schemes Inferring sender and receiver coding Signal function and coding.
ICIP 2000, Vancouver, Canada IVML, ECE, NTUA Face Detection: Is it only for Face Recognition?  A few years earlier  Face Detection Face Recognition 

ICIP 2000, Vancouver, Canada IVML, ECE, NTUA Face Detection: Is it only for Face Recognition?  A few years earlier  Face Detection Face Recognition 
Civil and Environmental Engineering Carnegie Mellon University Sensors & Knowledge Discovery (a.k.a. Data Mining) H. Scott Matthews April 14, 2003.

Civil and Environmental Engineering Carnegie Mellon University Sensors & Knowledge Discovery (a.k.a. Data Mining) H. Scott Matthews April 14, 2003.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
LYU0103 Speech Recognition Techniques for Digital Video Library Supervisor : Prof Michael R. Lyu Students: Gao Zheng Hong Lei Mo.

LYU0103 Speech Recognition Techniques for Digital Video Library Supervisor : Prof Michael R. Lyu Students: Gao Zheng Hong Lei Mo.
Multiple Human Objects Tracking in Crowded Scenes Yao-Te Tsai, Huang-Chia Shih, and Chung-Lin Huang Dept. of EE, NTHU International Conference on Pattern.

Multiple Human Objects Tracking in Crowded Scenes Yao-Te Tsai, Huang-Chia Shih, and Chung-Lin Huang Dept. of EE, NTHU International Conference on Pattern.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
Object Class Recognition Using Discriminative Local Features Gyuri Dorko and Cordelia Schmid.

Object Class Recognition Using Discriminative Local Features Gyuri Dorko and Cordelia Schmid.
AdvAIR Supervised by Prof. Michael R. Lyu Prepared by Alex Fok, Shirley Ng 2002 Fall An Advanced Audio Information Retrieval System.

AdvAIR Supervised by Prof. Michael R. Lyu Prepared by Alex Fok, Shirley Ng 2002 Fall An Advanced Audio Information Retrieval System.
Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.

Pattern Recognition. Introduction. Definitions.. Recognition process. Recognition process relates input signal to the stored concepts about the object.
10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.

10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google