DDoS Attack Detection under SDN Context

Presentation on theme: "DDoS Attack Detection under SDN Context"— Presentation transcript:

1 DDoS Attack Detection under SDN Context
Authors: Yang Xu and Yong Liu. Presented by: Haozhou Yu

2 Denial-of-Service Attack

3 Distributed Denial-of-Service Attack
(Figure: DDoS attack traffic contrasted with normal traffic.)

4 Distributed Denial-of-Service Attack

5 DoS Attack
Flood Attacks: TCP SYN Flood Attack; Smurf IP Attack; UDP Flood Attack; ICMP Flood Attack
Logic / Software Attacks: Ping of Death; Teardrop; Land; Echo/Chargen

6 Defense of DDoS attack
1. Detect: Covariance analysis, Cluster analysis, Wavelets
2. Filter

7 Detect?

8

9 Traditional Network

10 Traditional Network Protocols
The Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown

11 Software Defined Networking
(Figure: Control Programs sit on top of a Global Network View; a Network Operating System provides that view and controls the switches via the forwarding interface.)
The Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown

12 OpenFlow usage
(Figure: a controller PC holding Alice's rule and Alice's code, connected over the OpenFlow protocol to three OpenFlow switches; a switch sends a "Decision?" query to the controller.)
How the actual protocol works: OpenFlow offloads control intelligence to remote software.
The Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown

13 DoS on traditional network
Internet management is distributed: each network is run according to local policies;
there is no way to enforce global deployment of a particular security mechanism or security policy;
it is often impossible to investigate cross-network traffic behavior.

14 Software Defined Networking
Separates the control plane from the data plane; provides new network management methods.
Network measurement: the SDN central controller can quickly install and adapt measurement rules on all switches in a coordinated fashion.

15 Utilize SDN to detect DDoS attacks
In this paper: large-volume DDoS attacks; traffic rate deviation/asymmetry; the TCAM (Ternary Content-Addressable Memory) size of each SDN-enabled switch is very limited.

16 Utilize SDN to detect DDoS attacks
Challenges:
How to capture the traffic rate feature as well as the traffic rate deviation/asymmetry feature to achieve high detection precision?
How to collaboratively utilize the limited TCAM available on all switches to monitor the whole network?

17 System Overview
Two Steps: Victim Detection; Post-detection
Two Methods: Sequential Method; Concurrent Method

18 Sequential Method

19 Concurrent Method

20 Victim Detection
Initial Rule Placement: monitor all IPs in the system by separate IP ranges; measure the flow rate asymmetry.
Rule management: dedicate one measurement rule solely to one potential victim IP range; each rule is used to monitor both the source victim IP range and the destination victim IP range.
(Figure: IP ranges A and B are split into finer ranges A1, A2 and B1, B2.)

21 Initial Rule Placement

22 Rule Placement Feasibility Check
Ford-Fulkerson algorithm: as long as there is a path from the source node to the sink node with available (residual) capacity on every edge of the path, send flow along that path; when no such path remains, the flow is maximum.
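The feasibility check on this slide is not written out in code on the page, so here is an added example (not the authors' implementation). It assumes a simple model: every monitored IP range needs one measurement rule, the rule can only go on a switch whose paths carry that range's traffic, and each switch has a fixed number of free TCAM entries. That is a bipartite flow problem (source to rule, rule to candidate switch, switch to sink with capacity equal to free TCAM), so the placement is feasible exactly when the maximum flow equals the number of rules. The `max_flow` function is the Ford-Fulkerson method with BFS path selection (Edmonds-Karp); the topology and TCAM sizes are constructed sample data.

```python
from collections import defaultdict, deque


def max_flow(edges, source, sink):
    """Ford-Fulkerson method: while some source->sink path has spare capacity on
    every edge, push the path's bottleneck along it. Paths are found by BFS
    (Edmonds-Karp), so the loop terminates even on non-integral capacities.
    edges: iterable of (u, v, capacity). Returns (value, net_flow[u][v])."""
    residual = defaultdict(lambda: defaultdict(int))
    for u, v, cap in edges:
        residual[u][v] += cap
        residual[v][u] += 0          # reverse edge lets a later path undo a choice
    net = defaultdict(lambda: defaultdict(int))
    value = 0
    while True:
        parent, queue = {source: None}, deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, spare in residual[u].items():
                if spare > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:       # no augmenting path left: flow is maximum
            return value, net
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(residual[u][v] for u, v in path)
        for u, v in path:
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
            net[u][v] += bottleneck
            net[v][u] -= bottleneck
        value += bottleneck


def check_rule_placement(rules, free_tcam):
    """Feasibility of placing one measurement rule per IP range (assumed model).
    rules: {ip_range: [switches whose paths carry that range's traffic]}
    free_tcam: {switch: free TCAM entries}
    Feasible iff the max flow equals the number of rules; also returns the placement."""
    edges = []
    for r, candidates in rules.items():
        edges.append(("source", ("rule", r), 1))            # each rule is placed once
        for sw in candidates:
            edges.append((("rule", r), ("switch", sw), 1))
    for sw, free in free_tcam.items():
        edges.append((("switch", sw), "sink", free))        # TCAM budget per switch
    value, net = max_flow(edges, "source", "sink")
    placement = {r: sw for r, cands in rules.items() for sw in cands
                 if net[("rule", r)][("switch", sw)] > 0}
    return value == len(rules), placement


# Constructed topology: four monitored /24 ranges and three switches; a range
# can only be measured on the switches its traffic actually traverses.
RULES = {
    "10.0.0.0/24": ["s1", "s2"],
    "10.0.1.0/24": ["s1"],
    "10.0.2.0/24": ["s2", "s3"],
    "10.0.3.0/24": ["s3"],
}

if __name__ == "__main__":
    print(check_rule_placement(RULES, {"s1": 1, "s2": 1, "s3": 1}))  # one rule short
    print(check_rule_placement(RULES, {"s1": 1, "s2": 2, "s3": 1}))  # everything fits
```

With one free entry per switch the flow value is 3, so the fourth range has nowhere to go; giving s2 a second entry makes the flow 4 and the returned placement shows which switch takes each rule. The same check can be re-run whenever the detection step splits a range into finer ranges and the rule count grows.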

23 Detection Rule Adaptation

24 Attacker Detection Procedure

25 Concurrent Method

26 Pros & Cons
Sequential Method: finer victim observation IP ranges; cannot find the victim and the attacker at the same time.
Concurrent Method: finds the attacker at the same time as the victim; uses more TCAM space.

27 Choose between two methods

28 Classification Method
Feature Selection Victim Identification Features Attacker Identification Features Classifiers

29 Victim Identification Features
Packet Count per Destination (P): the average number of packets to each destination IP in that range;
Byte Count per Destination (B): the average number of bytes to each destination IP in that range;
Packet Count Asymmetry per Destination (PA): the average packet count asymmetry for each destination IP in that range;
Byte Count Asymmetry per Destination (BA): the average byte count asymmetry for each destination IP in that range.

30 Attacker Identification Features
Packet Count per Source (P): the average number of packets from a host in IP range i to a host in victim IP range j;
Byte Count per Source (B): the average number of bytes from a host in IP range i to a host in victim IP range j;
Packet Count Asymmetry from Source (PA): the average packet count asymmetry towards the victim IP range;
Byte Count Asymmetry from Source (BA): the average byte count asymmetry towards the victim IP range.
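Slides 29 and 30 name the features but not how they are computed from switch counters, so the following is an added example (not the paper's code) that derives both the victim-side and the attacker-side P, B, PA and BA from per-flow packet and byte counters. The `FlowStats` schema and the asymmetry definition (forward count divided by reverse count per host) are assumptions of this example; the flow records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStats:
    """One flow's counters over a measurement interval (assumed schema)."""
    src: str
    dst: str
    packets: int
    bytes_: int


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_range(ip, cidr):
    """True if the dotted-quad ip falls inside the cidr block (IPv4 only)."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


def _averages(fwd, rev):
    """Average P/B over the hosts seen in fwd; PA/BA as forward-to-reverse ratios."""
    hosts = set(fwd)
    if not hosts:
        return None
    n = len(hosts)
    return {
        "P": sum(fwd[h][0] for h in hosts) / n,
        "B": sum(fwd[h][1] for h in hosts) / n,
        # +1 keeps the ratio finite for hosts that never get a single reply
        "PA": sum(fwd[h][0] / (rev[h][0] + 1) for h in hosts) / n,
        "BA": sum(fwd[h][1] / (rev[h][1] + 1) for h in hosts) / n,
    }


def victim_features(flows, dst_range):
    """Slide 29: per-destination P, B, PA, BA for one monitored IP range."""
    inbound = defaultdict(lambda: [0, 0])   # host in range -> [pkts, bytes] received
    outbound = defaultdict(lambda: [0, 0])  # host in range -> [pkts, bytes] sent
    for f in flows:
        if in_range(f.dst, dst_range):
            inbound[f.dst][0] += f.packets
            inbound[f.dst][1] += f.bytes_
        if in_range(f.src, dst_range):
            outbound[f.src][0] += f.packets
            outbound[f.src][1] += f.bytes_
    return _averages(inbound, outbound)


def attacker_features(flows, src_range, victim_range):
    """Slide 30: per-source P, B, PA, BA for traffic from range i to victim range j."""
    to_victim = defaultdict(lambda: [0, 0])    # source host -> [pkts, bytes] sent to j
    from_victim = defaultdict(lambda: [0, 0])  # source host -> [pkts, bytes] back from j
    for f in flows:
        if in_range(f.src, src_range) and in_range(f.dst, victim_range):
            to_victim[f.src][0] += f.packets
            to_victim[f.src][1] += f.bytes_
        elif in_range(f.dst, src_range) and in_range(f.src, victim_range):
            from_victim[f.dst][0] += f.packets
            from_victim[f.dst][1] += f.bytes_
    return _averages(to_victim, from_victim)


# Constructed sample: one server 10.0.0.5, one normal client, and four flooding
# sources in 172.16.0.0/16 of which only two receive any reply traffic.
SAMPLE_FLOWS = [
    FlowStats("192.168.1.10", "10.0.0.5", 100, 6000),
    FlowStats("10.0.0.5", "192.168.1.10", 90, 50000),
    FlowStats("172.16.0.1", "10.0.0.5", 1000, 60000),
    FlowStats("172.16.0.2", "10.0.0.5", 1000, 60000),
    FlowStats("172.16.0.3", "10.0.0.5", 1000, 60000),
    FlowStats("172.16.0.4", "10.0.0.5", 1000, 60000),
    FlowStats("10.0.0.5", "172.16.0.1", 10, 400),
    FlowStats("10.0.0.5", "172.16.0.2", 10, 400),
]

if __name__ == "__main__":
    print("victim 10.0.0.0/24  :", victim_features(SAMPLE_FLOWS, "10.0.0.0/24"))
    print("victim 192.168.1.0/24:", victim_features(SAMPLE_FLOWS, "192.168.1.0/24"))
    print("172.16/16 -> 10.0.0/24:", attacker_features(SAMPLE_FLOWS, "172.16.0.0/16", "10.0.0.0/24"))
    print("192.168.1/24 -> 10.0.0/24:", attacker_features(SAMPLE_FLOWS, "192.168.1.0/24", "10.0.0.0/24"))
```

On the sample the flooded server range shows a packet asymmetry near 37 while the client range sits below 1, and the attacking source range shows a per-source asymmetry in the hundreds against about 1.1 for the legitimate client; the volume features alone (P, B) would not separate a busy server from a flooded one nearly as cleanly.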

31 Classifiers--Self Organizing Mapping (SOM)
1. Randomize the weights of the nodes in the map space.
2. Choose one input vector I from the data space.
3. Calculate the Euclidean distance between the input vector and every map node's weight vector.
4. Find the node with the smallest distance and label it the winner node.
5. Update the nodes in the neighborhood of the winner node so that the Euclidean distance between their individual weight vectors and the input vector becomes smaller.
6. Repeat the procedure until the weight vectors show no significant change.

32 Experiment
Attack Transmission (A): flows from 10,000 randomly picked source IPs to the victim IP, with the sending rate from each source IP randomly distributed within (30 kbps, 70 kbps) and the receiving rate of each source IP randomly distributed within (1 kbps, 4 kbps);
Normal Large Volume Transmission (N1): from one source IP to another destination IP, with sending rate within (300 Mbps, 700 Mbps) and receiving rate randomly within (300 Mbps, 700 Mbps);
Normal Small Asymmetry Transmission (N2): from one source IP to another destination IP, with sending rate randomly distributed within (30 kbps, 70 kbps) and receiving rate randomly distributed within (1 kbps, 4 kbps); the number of sources sending traffic to the same destination is no more than 100;
Normal Small Symmetry Transmission (N3): from one source IP to another destination IP, with sending rate randomly distributed within (30 kbps, 70 kbps) and receiving rate randomly distributed within (30 kbps, 70 kbps); the number of sources sending traffic to the same destination is no more than 100.

33 Importance of Asymmetry Feature
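Slides 31 to 33 describe the SOM training steps, the four traffic classes of the experiment and the claim that the asymmetry feature matters, without showing code. The block below is an added example, not the authors' simulator: it builds a small self-organizing map following the six steps on slide 31, draws synthetic per-destination samples from the rate ranges on slide 32 (rates in kbps stand in for the packet/byte counters, an assumption of this example), and trains the map once with the volume and asymmetry features and once with volume alone. Feature scaling, the 4x4 map size, the learning-rate and neighborhood schedules, and the nearest-labelled-node classification rule are all choices of this example.

```python
import math
import random


def make_sample(kind, rng):
    """(inbound, outbound) rate in kbps for one destination IP over one interval,
    following the four traffic classes of slide 32 (assumed mapping to counters)."""
    if kind == "A":           # attack: 10,000 sources, 30-70 kbps in, 1-4 kbps back
        n = 10_000
        return (sum(rng.uniform(30, 70) for _ in range(n)),
                sum(rng.uniform(1, 4) for _ in range(n)))
    if kind == "N1":          # one large symmetric flow, 300-700 Mbps each way
        return rng.uniform(300_000, 700_000), rng.uniform(300_000, 700_000)
    n = rng.randint(1, 100)   # N2/N3: at most 100 sources per destination
    if kind == "N2":          # small and asymmetric (same per-source rates as A)
        return (sum(rng.uniform(30, 70) for _ in range(n)),
                sum(rng.uniform(1, 4) for _ in range(n)))
    if kind == "N3":          # small and symmetric
        return (sum(rng.uniform(30, 70) for _ in range(n)),
                sum(rng.uniform(30, 70) for _ in range(n)))
    raise ValueError(kind)


def features(inbound, outbound, use_asymmetry=True):
    """Volume feature (B) and optionally the asymmetry feature (BA), on a log
    scale because the volumes span about five orders of magnitude."""
    f = [math.log10(inbound)]
    if use_asymmetry:
        f.append(math.log10(inbound / outbound))
    return f


def fit_scaler(vectors):
    """Min-max scaling fitted on the training vectors so no feature dominates."""
    dim = len(vectors[0])
    lo = [min(v[k] for v in vectors) for k in range(dim)]
    hi = [max(v[k] for v in vectors) for k in range(dim)]
    return lambda v: [(v[k] - lo[k]) / ((hi[k] - lo[k]) or 1.0) for k in range(dim)]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


class SOM:
    """Self-organizing map following the six steps listed on slide 31."""

    def __init__(self, rows, cols, dim, seed=1):
        self.rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        # step 1: randomize the node weights in the map space
        self.w = [[self.rng.random() for _ in range(dim)] for _ in range(rows * cols)]
        self.labels = {}

    def bmu(self, x):
        # steps 3-4: Euclidean distance to every node, winner = smallest distance
        return min(range(len(self.w)), key=lambda i: dist2(self.w[i], x))

    def train(self, data, iters=3000, tol=1e-6):
        r0 = max(self.rows, self.cols) / 2.0
        for t in range(iters):
            frac = t / iters
            lr, radius = 0.5 * (1 - frac), r0 * (1 - frac) + 0.3
            x = self.rng.choice(data)                       # step 2: pick an input
            br, bc = divmod(self.bmu(x), self.cols)
            biggest = 0.0
            for i, w in enumerate(self.w):                  # step 5: pull neighbourhood
                r, c = divmod(i, self.cols)
                h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * radius * radius))
                for k in range(len(w)):
                    delta = lr * h * (x[k] - w[k])
                    w[k] += delta
                    biggest = max(biggest, abs(delta))
            if t > iters // 2 and biggest < tol:            # step 6: no significant change
                break

    def label(self, data, labels):
        """Give each node the majority class of the training vectors it wins."""
        votes = {}
        for x, y in zip(data, labels):
            node = votes.setdefault(self.bmu(x), {})
            node[y] = node.get(y, 0) + 1
        self.labels = {i: max(v, key=v.get) for i, v in votes.items()}

    def classify(self, x):
        """Class of the nearest labelled node (nodes that won nothing carry no label)."""
        return self.labels[min(self.labels, key=lambda i: dist2(self.w[i], x))]


def run_experiment(use_asymmetry=True, seed=7):
    """Train on 25 samples per class; return accuracy on 10 fresh samples per class."""
    rng = random.Random(seed)
    kinds = ["A", "N1", "N2", "N3"]
    train = [(k, make_sample(k, rng)) for k in kinds for _ in range(25)]
    test = [(k, make_sample(k, rng)) for k in kinds for _ in range(10)]
    vec = lambda s: features(*s, use_asymmetry=use_asymmetry)
    scale = fit_scaler([vec(s) for _, s in train])
    xs = [scale(vec(s)) for _, s in train]
    som = SOM(4, 4, dim=len(xs[0]))
    som.train(xs)
    som.label(xs, [k for k, _ in train])
    correct = sum(som.classify(scale(vec(s))) == k for k, s in test)
    return correct / len(test)


if __name__ == "__main__":
    print("accuracy with volume and asymmetry:", run_experiment(True))
    print("accuracy with volume only:         ", run_experiment(False))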

34 Performance of Two Detection Methods

35 Performance of Two Detection Methods

36 Performance of Two Detection Methods

37 Experiment
Simulation results demonstrate that capturing the asymmetry feature is important to achieve high detection accuracy. Using suitable features, the SOM classifier can achieve very accurate detection performance. Features obtained at finer granularity make the detection more accurate. Experiment results show that if the priority of DDoS detection is to find victims, the Sequential Method is preferable, as it can detect finer potential victim IP ranges given limited TCAM sizes. If the objective of DDoS detection is to find victims as well as attackers, the Concurrent Method is preferable when TCAM sizes are abundant, as it finds victims and attackers more quickly.

38 Conclusion
Use SDN for DDoS attack detection.
Capture the flow volume feature as well as the flow rate asymmetry feature.
Propose the Sequential Method and the Concurrent Method to adaptively change the flow monitoring granularities on all switches and quickly locate the potential victims and suspicious attackers.

39 Future work
Refine the detection method.
Evaluate the methods with packet traces collected from real DDoS attacks.
Implement the methods on the OpenFlow platform.

40 Q & A

