Visible to the public Biblio

Found 103 results

Filters: Keyword is transport protocols  [Clear All Filters]
2015-04-30
Badis, H., Doyen, G., Khatoun, R..  2014.  Understanding botclouds from a system perspective: A principal component analysis. Network Operations and Management Symposium (NOMS), 2014 IEEE. :1-9.

Cloud computing is gaining ground and becoming one of the fast growing segments of the IT industry. However, if its numerous advantages are mainly used to support a legitimate activity, it is now exploited for a use it was not meant for: malicious users leverage its power and fast provisioning to turn it into an attack support. Botnets supporting DDoS attacks are among the greatest beneficiaries of this malicious use since they can be setup on demand and at very large scale without requiring a long dissemination phase nor an expensive deployment costs. For cloud service providers, preventing their infrastructure from being turned into an Attack as a Service delivery model is very challenging since it requires detecting threats at the source, in a highly dynamic and heterogeneous environment. In this paper, we present the result of an experiment campaign we performed in order to understand the operational behavior of a botcloud used for a DDoS attack. The originality of our work resides in the consideration of system metrics that, while never considered for state-of-the-art botnets detection, can be leveraged in the context of a cloud to enable a source based detection. Our study considers both attacks based on TCP-flood and UDP-storm and for each of them, we provide statistical results based on a principal component analysis, that highlight the recognizable behavior of a botcloud as compared to other legitimate workloads.

Hammi, B., Khatoun, R., Doyen, G..  2014.  A Factorial Space for a System-Based Detection of Botcloud Activity. New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on. :1-5.

Today, beyond a legitimate usage, the numerous advantages of cloud computing are exploited by attackers, and Botnets supporting DDoS attacks are among the greatest beneficiaries of this malicious use. Such a phenomena is a major issue since it strongly increases the power of distributed massive attacks while involving the responsibility of cloud service providers that do not own appropriate solutions. In this paper, we present an original approach that enables a source-based de- tection of UDP-flood DDoS attacks based on a distributed system behavior analysis. Based on a principal component analysis, our contribution consists in: (1) defining the involvement of system metrics in a botcoud's behavior, (2) showing the invariability of the factorial space that defines a botcloud activity and (3) among several legitimate activities, using this factorial space to enable a botcloud detection.

Jingtang Luo, Xiaolong Yang, Jin Wang, Jie Xu, Jian Sun, Keping Long.  2014.  On a Mathematical Model for Low-Rate Shrew DDoS. Information Forensics and Security, IEEE Transactions on. 9:1069-1083.

The shrew distributed denial of service (DDoS) attack is very detrimental for many applications, since it can throttle TCP flows to a small fraction of their ideal rate at very low attack cost. Earlier works mainly focused on empirical studies of defending against the shrew DDoS, and very few of them provided analytic results about the attack itself. In this paper, we propose a mathematical model for estimating attack effect of this stealthy type of DDoS. By originally capturing the adjustment behaviors of victim TCPs congestion window, our model can comprehensively evaluate the combined impact of attack pattern (i.e., how the attack is configured) and network environment on attack effect (the existing models failed to consider the impact of network environment). Henceforth, our model has higher accuracy over a wider range of network environments. The relative error of our model remains around 10% for most attack patterns and network environments, whereas the relative error of the benchmark model in previous works has a mean value of 69.57%, and it could be more than 180% in some cases. More importantly, our model reveals some novel properties of the shrew attack from the interaction between attack pattern and network environment, such as the minimum cost formula to launch a successful attack, and the maximum effect formula of a shrew attack. With them, we are able to find out how to adaptively tune the attack parameters (e.g., the DoS burst length) to improve its attack effect in a given network environment, and how to reconfigure the network resource (e.g., the bottleneck buffer size) to mitigate the shrew DDoS with a given attack pattern. Finally, based on our theoretical results, we put forward a simple strategy to defend the shrew attack. The simulation results indicate that this strategy can remarkably increase TCP throughput by nearly half of the bottleneck bandwidth (and can be higher) for general attack patterns.