RISS Academic Research Information Service

      • A Survey on Defense Mechanism against Distributed Denial of Service (DDoS) Attacks in Control System

        Kwon, YooJin Korea Electric Power Corporation 2015 KEPCO Journal on electric power and energy Vol.1 No.1

        A Denial of Service (DoS) attack interferes with normal users' use of information technology services. With rapid technology improvements in the computer and internet environment, small-sized DoS attacks targeting server or network infrastructure have been disabled. Thus, Distributed Denial of Service (DDoS) attacks that utilize from tens to several thousands of distributed computers as zombie PCs appear to be one of the most challenging threats. In this paper, we categorize the DDoS attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS attacks. Then we propose a comprehensive defense mechanism against DDoS attacks in Control System to detect attacks efficiently.

      • KCI listed

        A Study on Machine Learning-Based Detection of DoS and DRDoS on IoT Networks

        여승연,조소영,김지연 한국컴퓨터정보학회 2022 韓國컴퓨터情報學會論文誌 Vol.27 No.7

        We propose an intrusion detection model that detects denial-of-service (DoS) and distributed reflection denial-of-service (DRDoS) attacks, based on the empirical data of each internet of things (IoT) device by training system and network metrics that can be commonly collected from various IoT devices. First, we collect 37 system and network metrics from each IoT device considering IoT attack scenarios; further, we train them using six types of machine learning models to identify the most effective machine learning models as well as important metrics in detecting and distinguishing IoT attacks. Our experimental results show that the Random Forest model has the best performance with accuracy of over 96%, followed by the K-Nearest Neighbor model and Decision Tree model. Of the 37 metrics, we identified five types of CPU, memory, and network metrics that best imply the characteristics of the attacks in all the experimental scenarios. Furthermore, we found that packets with higher transmission speeds than larger size packets represent the characteristics of DoS and DRDoS attacks more clearly in IoT networks.

      • KCI listed

        Distributed Security Control for Complex Cyber-physical Systems Against Denial-of-service Attacks

        Xiaojie Huang,Da-Wei Ding,Zhiqiang Li,Cuijuan An 제어·로봇·시스템학회 2022 International Journal of Control, Automation, and Vol.20 No.2

        This paper investigates the problem of distributed security control for complex cyber-physical systems against denial-of-service (DoS) attacks. A distributed security controller with interconnected control nodes is proposed on the basis of piecewise Lyapunov functions. The bounds of attack frequency and attack duration are explicitly calculated to achieve security synchronization. Meanwhile, an event-based data update strategy is proposed to resist the negative influence of DoS attacks on data transmission. Finally, a simulation example is given to verify the effectiveness of the proposed method.

      • KCI listed

        Detecting Signs of Distributed Denial-of-Service Attacks in the Internet AS-Level Topology

        강구홍(Koohong Kang),이희만(Heeman Lee),김익균(Ikkyun Kim),오진태(Jintae Oh),장종수(Jong Soo Jang) 한국정보과학회 2010 정보과학회논문지 : 정보통신 Vol.37 No.5

        Despite many efforts to obtain an accurate picture of structure at the level of individual ASes, there are few application works using the AS-level Internet topology. In this paper, we show that the power-law fits the number of down-stream customer ASes very well and also present the distributions of AS links with the “public view” from UCLA IRL laboratory. Moreover, we obtain the distributions of source-destination pairs of routing hops for two sites in Korea and the United States, and then we propose a new method to decide the randomness of Internet traffic using the obtained distributions and the BGP valley-free routing policy. The randomness of traffic must be a portent of outbreak of the distributed denial-of-service attacks.

      • A Secured OpenFlow-Based Software Defined Networking Using Dynamic Bayesian Network

        Natnaree Sophakan,Chanboon Sathitwiriyawong 제어로봇시스템학회 2019 제어로봇시스템학회 국제학술대회 논문집 Vol.2019 No.10

        OpenFlow has been the main standard protocol of software defined networking (SDN) since the launch of this new networking paradigm. It is a programmable network protocol that controls traffic flows among switches and routers regardless of their platforms. Its security relies on the optional implementation of Transport Layer Security (TLS) which has been proven vulnerable. The aim of this research was to develop a secured OpenFlow, so-called Secured-OF. A stateful firewall was used to store state information for further analysis. Dynamic Bayesian Network (DBN) was used to learn denial-of-service attack and distributed denial-of-service attack. It analyzes packet states to determine the nature of an attack and adds that piece of information to the flow table entry. The proposed Secured-OF model in Ryu controller was evaluated with several performance metrics. The analytical evaluation of the proposed Secured-OF scheme was performed on an emulated network. The results showed that the proposed Secured-OF scheme offers a high attack detection accuracy at 99.5%. In conclusion, it was able to improve the security of the OpenFlow controller dramatically with trivial performance degradation compared to an SDN with no security implementation.

      • Distributed-SOM: A novel performance bottleneck handler for large-sized software-defined networks under flooding attacks

        Phan, T.V.,Bao, N.K.,Park, M. Academic Press 2017 JOURNAL OF NETWORK AND COMPUTER APPLICATIONS - Vol.91 No.-

        Software-Defined Networking (SDN) is a new programmable networking model that features the detachment of control and data planes. In this network, the network brain is an SDN controller that is used to centrally monitor and control the data plane based on the OpenFlow protocol and applications located in the application layer. In recent years, a vast number of issues relating to security have been seriously debated for this networking paradigm, especially the large-scale model. In particular, flooding attacks have been on the rise, providing great challenges for the SDN architecture to cope with. In this paper, we present a novel mechanism using the Self Organizing Map (SOM) application to solve the performance bottleneck and overload problems for the upper layers in a large-sized SDN in case of flooding attacks. Our proposed approach integrates a Distributed Self Organizing Map (DSOM) system to OpenFlow Switches instead of using a standalone SOM. By exploiting SDN advantages, such as flexibility and overhead reduction, we implement and test both a DSOM system and a single SOM system on multi-criteria to compare the performance of our introduced system. Our experimental results show that the DSOM solution can effectively detect abnormal traffic, solve bottleneck problems and increase the system reaction speed to attack traffic, while presenting a smaller overhead to the network system.

      • KCI listed

        A Study on an Effective Feature Generation Method for Distributed Denial-of-Service Attack Detection Using Entropy

        김태훈(Tae-hun Kim),서기택(Ki-taek Seo),이영훈(Young-hoon Lee),임종인(Jong-in Lim),문종섭(Jong-sub Moon) 한국정보보호학회 2010 정보보호학회논문지 Vol.20 No.4

        Recently, malicious bot programs, the source of distributed denial-of-service attacks, have been widely distributed, and the number of PCs with malicious bots installed is growing exponentially through PCs whose security is not maintained. Distributed denial-of-service attacks through these bots occur continually, and cases of demands for money have recently been found. Research on responding to distributed denial-of-service attacks is therefore necessary, and in this paper we propose an effective feature generation method for distributed denial-of-service attack detection that uses entropy, a measure of uncertainty, over the attributes of network packet headers. We apply the proposed technique, which uses an improved entropy formula, an efficient entropy calculation technique, and a variety of entropy feature values, to the DARPA 2000 dataset and to a distributed denial-of-service attack dataset constructed through our own experiments, and verify whether the proposed method is effective by classifying with a Bayesian network classifier. Malicious bot programs, the source of distributed denial of service attacks, are widespread and the number of PCs which were infected by malicious bot programs is increasing geometrically these days. Continuous distributed denial of service attacks happen constantly through these bot PCs and some financial incident cases have been found lately. Therefore research to respond to distributed denial of service attacks is necessary, so we propose an effective feature generation method for distributed denial of service attack detection using entropy. In this paper, we apply our method to both the DARPA 2000 datasets and also the distributed denial of service attack datasets that we composed and generated ourselves in a general university. And then we evaluate how useful the proposed method is through classification using a Bayesian network classifier.

      • Impact Evaluation of Distributed Denial of Service Attacks using NS2

        Raghav Vadehra,Nitika Chowdhary,Jyoteesh Malhotra 보안공학연구지원센터 2015 International Journal of Security and Its Applicat Vol.9 No.8

        Distributed Denial of Service (DDoS) attacks have been a prominent threat to the Internet community. The attack effect is recognized by a large client base due to the dependency of the majority of users on the World Wide Web. In such an attack, the attacker targets a machine or a server to thwart its services to the intended users. These attacks are majorly motivated by the presence of multiple groups of hackers present on the Internet. As the research has progressed in this field, researchers have encountered many ways through which attacks have been successfully launched. In the early years of its birth, the Internet was not designed keeping in mind various possible security aspects; thus it lacks this immunity in the present day. This paper covers the advent of the DDoS attacks along with their types. We have also designed certain simulation scenarios based on flooding-based DDoS attacks to measure their impact on legitimate users. A discussion on the present solutions to combat such attack situations concludes our work.

      • Comprehensive Study of Various Techniques for Detecting DDoS Attacks in Cloud Environment

        Navdeep Singh,Abhinav Hans,Kapil Kumar,Mohit Pal Singh Birdi 보안공학연구지원센터 2015 International Journal of Grid and Distributed Comp Vol.8 No.3

        Cloud computing is the most dynamic field of the IT industry. It is becoming very famous due to its lower resource consumption and higher output. Though cloud computing is a very vast and useful technology, it has not remained untouched by attackers or hackers. The most common attack notified on the cloud environment is the DDoS attack. DDoS attacks, i.e. Distributed Denial of Service attacks, happen on a cloud environment in such a way that two or more attackers send multiple SOAP requests to the same cloud server and consume all the legitimate resources. From the study it has been concluded that no system has been developed so far to prevent DDoS attacks completely, because even the detection of DDoS attacks is a major issue and prevention is a very big thing to achieve after detection and mitigation. This paper focuses on an introduction to DDoS attacks, and the next part of the paper is followed by a comparative analysis of the different techniques and algorithms used in detecting DDoS attacks in the cloud environment.

      • KCI listed

        Reliable DDoS Detection using Multiphase Approach in Distributed Sensor Network

        정성모,최이정 보안공학연구지원센터 2013 보안공학연구논문지 Vol.10 No.3

        Recently, the trend in network security is the growing number of malicious attacks which result in abnormal network data traffic as well as direct damage to the system. Specifically, Distributed Denial of Service (DDoS) attacks use bandwidth flooding of intended victims where the bandwidth consumption of these attacks influences the entire network performance. These attacks aggregate at a target's access router, which implies that attacks are most readily detectable at access routers. The accuracy of detection dictates data traffic monitoring, but performing such monitoring for the numerous devices in a distributed sensor network presents serious scalability issues. This paper describes the design space for distributed sensor network DDoS detection and proposes a multiphase distributed approach that detects DDoS attacks to provide reliability and scalability.
