Streaming Algorithms for Robust, Real-Time Detection of DDoS Attacks S. Ganguly M. Garofalakis R. Rastogi K.Sabnani Indian Inst. Of Tech. India Yahoo!

1 Streaming Algorithms for Robust, Real-Time Detection of DDoS Attacks
S. Ganguly (Indian Inst. of Tech., India), M. Garofalakis (Yahoo! Research, USA), R. Rastogi (Bell Labs, India), K. Sabnani (Bell Labs, USA)
ICDCS’07: 27th International Conference on Distributed Computing Systems

2 Introduction
Distributed Denial-of-Service (DDoS): a DDoS attack directs hundreds or even thousands of “zombie” hosts against a single victim

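3 Introduction (cont.)
TCP-SYN flooding attack
[Figure: three-way handshake (1. SYN, 2. SYN-Ack, 3. Ack, with a × mark); a table with columns IP, time, TTL and a sample row (1.2.3.4, 10); labels: Fake IP, Out of Memory, Crash!]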

4 Problem Formulation
A stream of flow updates: (source, dest, ±1)
Bad guy: Occur(u, v, +1) > Occur(u, v, -1)
[Figure: handshake 1. SYN, 2. SYN-Ack, 3. Ack, annotated +1]
Distinct source frequency $f_v$ = # of bad guys to v
Continuously track the top-k distinct source frequency destinations over the stream of flow updates

5 Main idea of the solution: Sampling
Directly sample from the stream?
– For estimating the counts of an item: OK
– For counting the number of distinct items: NO
Construct the synopsis for the stream and then sample from the synopsis
a, a, a, a, a, a, a, a, a, a, b → (a, 10), (b, 1)

6 Distinct-Count Sketch: structure
Domain of IP: $[m] = \{0, \dots, m-1\}$
(source, dest) pairs: $[m^2]$
First level hash function $h: [m^2] \to \{0, \dots, \Theta(\log m)\}$ with $\Pr[h(x) = l] = 1/2^{l+1}$
– ½ of the distinct values in $[m^2]$ mapping to bucket 0
– ¼ of the distinct values in $[m^2]$ mapping to bucket 1
– 1/8 of the distinct values in $[m^2]$ mapping to bucket 2
Second level hash function $g_i: [m^2] \to [s]$ uniformly

7 Distinct-Count Sketch: structure (cont.)
[Figure: first-level buckets 0 … $\Theta(\log m)$, selected by $h(u, v) = b$; each holds r hash tables of s second-level buckets, indexed by $g_1(u, v), g_2(u, v), \dots, g_r(u, v)$; each second-level bucket holds a count signature with locations 0, 1, …, $2\log m$ (total element count, then bit location counts), shown next to the binary representation of (u, v)]
Total element count: the total number of the tuples hashed into the bucket
Bit location counts: the total number of the tuples hashed into the bucket with $\mathrm{BIT}_j(u, v) = 1$
$\chi[i, j, k, l]$: the i-th first level bucket, the j-th hash table, the k-th second level bucket, the l-th count-signature location

8 Distinct-Count Sketch: maintenance
For each incoming update/tuple (u, v, ±1), update its corresponding count-signatures
For all j = 1 to r
– $\chi[h(u, v), j, g_j(u, v), 0] = \chi[h(u, v), j, g_j(u, v), 0] \pm 1$
– For each l = 1 to $2\log m$, if $\mathrm{BIT}_l(u, v) = 1$:
  $\chi[h(u, v), j, g_j(u, v), l] = \chi[h(u, v), j, g_j(u, v), l] \pm 1$

9 Top-k Frequency Estimation
Generate distinct sample from the distinct-count sketch
Scan the first level hash table until |dSample| < (1+ ε)s/16 or b ≥ 0
Check the count-signatures
– For all l = 1 to $2\log m$: either $\chi[b, j, k, l] = \chi[b, j, k, 0]$ or $\chi[b, j, k, l] = 0$
Add the (u, v) to dSample
[Figure: the sketch structure with example count signatures (total count followed by bit 1, bit 2, … counts); one signature is decoded to a single pair, (u, v) = 1010; another is marked Collision]

10 Top-k Frequency Estimation (cont.)
After obtaining the dSample
– (a, v), (u, v), (m, v), (a, w), (b, w), (c, w), (d, w), …
– $f_w$ in dS = 4, $f_v$ in dS = 3, …
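The maintenance, singleton check and top-k steps of slides 8 to 10, as an added Python example (not code from the presentation or the paper). The salted SHA-256 hashes, the toy sizes (8-bit addresses, r = 3, s = 128), the scan from the sparsest level downward with a stop once the sample holds at least (1+ε)s/16 pairs, and the constructed flow stream are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

LOGM, R, S = 8, 3, 128        # assumed toy sizes: 8-bit addresses, r tables, s buckets
NBITS = 2 * LOGM              # a (u, v) pair packs into 2*log(m) bits

def _hash(x, salt):           # stand-in hash family: salted SHA-256 (assumption)
    return int.from_bytes(hashlib.sha256(f"{salt}:{x}".encode()).digest()[:8], "big")

def level(x):                 # first-level h: Pr[h(x) = l] = 1/2^(l+1)
    v = _hash(x, "h") | (1 << NBITS)
    return (v & -v).bit_length() - 1      # number of trailing zero bits

class DistinctCountSketch:
    def __init__(self):       # X[b, j, k] -> [total count, bit 1 count, ..., bit 2logm count]
        self.X = defaultdict(lambda: [0] * (NBITS + 1))
    def update(self, u, v, delta):        # delta is +1 (SYN) or -1 (matching Ack)
        x = (u << LOGM) | v
        for j in range(R):
            sig = self.X[level(x), j, _hash(x, j) % S]
            sig[0] += delta
            for l in range(1, NBITS + 1):
                if (x >> (l - 1)) & 1:
                    sig[l] += delta
    def singletons(self, b):  # buckets at level b that hold exactly one distinct pair
        found = set()
        for (lvl, _, _), sig in self.X.items():
            if lvl == b and sig[0] > 0 and all(c in (0, sig[0]) for c in sig[1:]):
                x = sum(1 << (l - 1) for l in range(1, NBITS + 1) if sig[l])
                found.add((x >> LOGM, x % (1 << LOGM)))
        return found

def top_k(sketch, k, eps=0.5):
    sample, target = set(), (1 + eps) * S / 16
    for b in range(NBITS, -1, -1):        # assumed order: sparsest level first
        sample |= sketch.singletons(b)
        if len(sample) >= target:
            break
    return Counter(v for _, v in sample).most_common(k), sample

def demo():                   # constructed stream: 200 is flooded, 10 is legitimate
    sk = DistinctCountSketch()
    for u in range(60):
        sk.update(u, 200, +1)             # SYN to 200, never Acked
        sk.update(u, 10, +1)              # SYN to 10 ...
        sk.update(u, 10, -1)              # ... Acked, so the pair cancels out
    for u in range(3):
        sk.update(u, 20, +1)              # a few half-open flows to 20
    return top_k(sk, 1)
```

Completed handshakes return their count signatures to zero, so destination 10 never enters the sample even though it received as many SYNs as the victim.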

11 Error guarantee
Input: flow-update stream, k, error ε, and confidence δ
Output: continuously track a list L of k destination IP addresses, with the guarantee that, with probability at least 1-δ:
– 1. Any destination address v in L has frequency $f_v \ge (1-\varepsilon) f_{v_k}$
– 2. For any destination address v in L,
n = the upper bound on the number of update tuples in the streams

12 Conclusion
Seems to combine the FM sketch and the Count-Min sketch to reduce collisions, and then uses bit operations to identify the destination addresses

