SlideShare a Scribd company logo

Entropy and denial of service attacks

Download as PPTX, PDF
chris zlatis
chris zlatis

Denial of Service attacks – Definitions, related surveys Traceback of DDoS Attacks – Proposed method, advantages, future work Detection methods with Shannon and Renyi cross entropy – Previous works, proposed method, dataset and results The added value of entropy detection methods References

TechnologyNews & Politics
1 of 15
Master in Web Science Mathematics Department Aristotle University of Thessaloniki “Entropy and Denial of Service Attacks” Zlatis Chris
Contents • Denial of Service attacks – Definitions, related surveys • Traceback of DDoS Attacks – Proposed method, advantages, future work • Detection methods with Shannon and Renyi cross entropy – Previous works, proposed method, dataset and results • The added value of entropy detection methods • References
Definitions • Distributed Denial of Service Attacks (DDoS Attacks) are defined as [4] “attempts to make a computer resource unavailable to its intended users”. – The attacker gains control of a huge number of independently owned and geographically distributed computers, called “zombies”, almost always without any knowledge of their owners. • Ping flood is a type of DDoS attack directing a huge number of “ping” requests to the target victim. It exploits the “Internet Control Message Protocol” (ICMP). [4] – Huge number of ping ‘echo requests’ from a very large number of “zombies”  unable to conduct any network activity other than answering the ping ‘echo requests’  overloaded and standstill.
Recent surveys • It has been a major threat to the Internet since year 2000, and a recent survey on the largest 70 Internet operators in the world [4] demonstrated that: 1. DDoS attacks are increasing dramatically, and individual attacks are more strong and sophisticated 2. The network security community does not have effective and efficient traceback methods to locate attackers as it is easy for attackers to disguise themselves 3. The Mafiaboy attacks of February 2000 against Amazon, eBay caused millions of dollars damage  There is a need to detect DDoS attacks as early as possible so that proper countermeasures can be applied and damage can be minimized.
Traceback of DDoS attacks • IP traceback means the capability of identifying the actual source of any packet sent across the Internet  successful if they can identify the zombies from which the DDoS attack packets entered the Internet. There are two major methods for IP traceback: [6] 1. The probabilistic packet marking (PPM) and 2. The deterministic packet marking (DPM). • The PPM strategy can only operate in a local range of the Internet (ISP network)  we cannot traceback to the attack sources located out of the ISP network. The DPM strategy requires all the Internet routers to be updated for packet marking. • Both of these strategies require routers to inject marks into individual packets  vulnerable to hacking, referred to as “packet pollution”.
IP Traceback using entropy variations • IP traceback using information theoretical parameters [6]  there is no packet marking in the proposed strategy  avoid the inherited shortcomings of the packet marking mechanisms. • The packets that are passing through a router are categorized into flows [6], which are defined by the upstream router where a packet came from, and the destination address of the packet. – During non attack periods, routers are required to observe and record entropy variations of local flows. – Once a DDoS attack has been identified, the victim initiates a pushback process to identify the locations of zombies…
IP Traceback using entropy variations • The pushback process: [6] 1. The victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then 2. submits requests to the related immediate upstream routers. 3. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. 4. Once the immediate upstream routers have identified the attack flows, 5. they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources further.  This procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s).
Advantages of traceback mechanism The proposed traceback mechanism possesses the following advantages: [6] • It overcomes the inherited drawbacks of packet marking methods, such as limited scalability, huge demands on storage space, and vulnerability to packet pollutions. • It brings no modifications on current routing software  work independently as an additional module on routers for monitoring and recording flow information. • It will be effective for future packet flooding DDoS attacks because it is independent of traffic patterns.  It can archive real-time traceback to attackers. Once the short- term flow information is in place at routers, and the victim notices that it is under attack, it will start the traceback procedure.
Future work on Traceback methods Future work could be carried out in the following promising directions: [6] • 1. The metric for DDoS attack flows could be further explored. The proposed method deals with the packet flooding type of attacks perfectly.  The attacks with small number attack packet rates, e.g., if the attack strength is less than seven times of the strength of non attack flows, the current metric cannot discriminate it. Therefore, a metric of finer granularity is required to deal with such situations. • 2. Location estimation of attackers with partial information. When the attack strength is less than seven times of the normal flow packet rate, the proposed method cannot succeed at the moment.  The attack can be detected with the information that we have accumulated so far using traditional methods or recently developed tools.
Detection methods with Shannon and Renyl cross entropy An entropy-based method [1] is proposed to detect network attack: • The Shannon entropy is used to analyze the distribution characteristics of alert with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length that reflect the regularity of network status – When the monitored network runs in normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features would change. • Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks.
Previous works on entropy detection methods • Gina investigated the extent of false alerts problem in Snort using the 1999 DARPA IDS evaluation data. – They found that 69% of total generated alerts are considered to be false alerts. [1] These problems make it a frustrating task for security officers to detect network attack quickly and accurately. • Gu proposed an approach to detect anomalies in the network traffic using Maximum Entropy estimation. – The packet distribution of the benign traffic was estimated using Maximum Entropy framework and used as a baseline to detect the anomalies. • Qin used Renyi cross entropy to detect dynamic changes in network traffic of large enterprises. Three traffic features were proposed to capture dynamic changes of traffic. • A. Wagner and B Plattner applied entropy to detect worm and anomaly in fast IP networks. The entropy contents of IP addresses were used to indicate a massive network event.
Dataset and results • Methodology: [1] Use of Snort to monitor 32 C-class subnets in the campus network for two weeks, which include more than 3,000 end users. – Alerts in Mar. 2nd as the experimental data: 1,147,906 alerts in this day with 79 signatures, 32,409 source IP addresses, 12,642 destination IP addresses  two alerts sets collected from different time period in Mar. 2nd as training and test data. The statistical results of alerts suggest several interesting results: 1. More alerts were generated in daytime than that in night due to people’s living habit. There were two peaks of alerts: 12:00 to 14:00 and 21:00 to 23:30  the end users are campus students. 2. The destination IP addresses change abruptly from 0:00 to 4:00, 6:00 to 10:00, 12:00 to 16:00 and 18:00 to 22:00. By analyzing the alerts, they found many host scan attacks at these time periods.
The added value of Entropy methods • The Shannon entropy is used to analyze the alerts to measure the regularity of current network status. – They are relative smooth when no attack occurs; otherwise, one or some of the values would change abruptly. • The Renyi cross entropy is employed to detect network attack. – The Renyi cross entropy value is near 0 when the network runs in normal, otherwise the value will change abruptly when attack occurs. • However, although the Shannon entropies reflect the regularity of network status, it is difficult to detect attack directly by using five fixed thresholds [1], because the Shannon entropy value varies with the activities of end users even the network runs in normal way.
References [1] Zhiwen Wang, Qin Xia, “An Approach on Detecting Network Attack Based on Entropy”, Xi’an Jiaotong University, China [2] Hoa Dinh Nguyen, Sandeep Gutta, Qi Cheng, “An Active Distributed Approach for Cyber Attack Detection”, Oklahoma State University [3] Tsern-Huei Lee - Jyun-De He, “Entropy-Based Profiling of Network Traffic for Detection of Security Attack”, National Chiao Tung University, Taiwan [4] Anna T. Lawniczak, Bruno N. Di Stefano, Hao Wu, “Detection & Study of DDoS Attacks Via Entropy in Data Network Models”, CISDA, 2009 [5] Stephen Schwab, Brett Wilson, Roshan Thomas, “Methodologies and Metrics for the Testing and Analysis of Distributed Denial of Service Attacks and Defenses”, SPARTA Inc. [6] Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, “Traceback of DDoS Attacks Using Entropy Variations”, IEEE, March 2011
Thank you.

Recommended

Cs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT VCs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT V
pkaviya
 
introduction for web connectivity (IoT)
introduction for web connectivity (IoT)introduction for web connectivity (IoT)
introduction for web connectivity (IoT)
FabMinds
 
WebSocket MicroService vs. REST Microservice
WebSocket MicroService vs. REST MicroserviceWebSocket MicroService vs. REST Microservice
WebSocket MicroService vs. REST Microservice
Rick Hightower
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
rjain51
 
Network layer
Network layerNetwork layer
Network layer
Hasib Shaikh
 
Module: Welcome to Web 3.0
Module: Welcome to Web 3.0Module: Welcome to Web 3.0
Module: Welcome to Web 3.0
Ioannis Psaras
 

Recommended

Cs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT VCs8591 Computer Networks - UNIT V
Cs8591 Computer Networks - UNIT V
pkaviya
 
introduction for web connectivity (IoT)
introduction for web connectivity (IoT)introduction for web connectivity (IoT)
introduction for web connectivity (IoT)
FabMinds
 
WebSocket MicroService vs. REST Microservice
WebSocket MicroService vs. REST MicroserviceWebSocket MicroService vs. REST Microservice
WebSocket MicroService vs. REST Microservice
Rick Hightower
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
Shyama Bhuvanendran
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
rjain51
 
Network layer
Network layerNetwork layer
Network layer
Hasib Shaikh
 
Module: Welcome to Web 3.0
Module: Welcome to Web 3.0Module: Welcome to Web 3.0
Module: Welcome to Web 3.0
Ioannis Psaras
 
Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
AlgoSec
 
Security of RPL in IoT
Security of RPL in IoTSecurity of RPL in IoT
Security of RPL in IoT
Abhishek858
 
Internet connectivity
Internet connectivityInternet connectivity
Internet connectivity
FabMinds
 
Nat presentation
Nat presentationNat presentation
Nat presentation
hassoon3
 
Wireless network security
Wireless network security Wireless network security
Wireless network security
Aurobindo Nayak
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
Joel W. King
 
Routing Algorithm
Routing AlgorithmRouting Algorithm
Routing Algorithm
Kamal Acharya
 
Layered Architecture
Layered ArchitectureLayered Architecture
Layered Architecture
Dr Anjan Krishnamurthy
 
Adoptive flowcontrol in TCP
Adoptive flowcontrol in TCPAdoptive flowcontrol in TCP
Adoptive flowcontrol in TCP
selvakumar_b1985
 
Dynamic routing
Dynamic routingDynamic routing
Dynamic routing
Najmul Hossain Nayan
 
Vanet Presentation
Vanet PresentationVanet Presentation
Vanet Presentation
Sayed_Hossain
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes Everything
Lori MacVittie
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
Information Technology
 
Quality of service
Quality of serviceQuality of service
Quality of service
Yasser El Harbili
 
WebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIWebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDI
Rajkattamuri
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
Mahendra Pratap Singh
 
Wireshark
WiresharkWireshark
Wireshark
Sourav Roy
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark Tutorial
Coursenvy.com
 
Social network analysis basics
Social network analysis basicsSocial network analysis basics
Social network analysis basics
Pradeep Kumar
 
HTTP
HTTPHTTP
HTTP
bhavanatmithun
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
Stacy Watts
 

More Related Content

What's hot

Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
Information Technology
 
Social network analysis basics
Social network analysis basicsSocial network analysis basics
Social network analysis basics
Pradeep Kumar
 

What's hot (20)

Key Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation FirewallsKey Policy Considerations When Implementing Next-Generation Firewalls
Key Policy Considerations When Implementing Next-Generation Firewalls
 
Security of RPL in IoT
Security of RPL in IoTSecurity of RPL in IoT
Security of RPL in IoT
 
Internet connectivity
Internet connectivityInternet connectivity
Internet connectivity
 
Nat presentation
Nat presentationNat presentation
Nat presentation
 
Wireless network security
Wireless network security Wireless network security
Wireless network security
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
 
Routing Algorithm
Routing AlgorithmRouting Algorithm
Routing Algorithm
 
Layered Architecture
Layered ArchitectureLayered Architecture
Layered Architecture
 
Adoptive flowcontrol in TCP
Adoptive flowcontrol in TCPAdoptive flowcontrol in TCP
Adoptive flowcontrol in TCP
 
Dynamic routing
Dynamic routingDynamic routing
Dynamic routing
 
Vanet Presentation
Vanet PresentationVanet Presentation
Vanet Presentation
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes Everything
 
Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and AnalysisInternet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis
 
Quality of service
Quality of serviceQuality of service
Quality of service
 
WebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDIWebServices SOAP WSDL and UDDI
WebServices SOAP WSDL and UDDI
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
Wireshark
WiresharkWireshark
Wireshark
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark Tutorial
 
Social network analysis basics
Social network analysis basicsSocial network analysis basics
Social network analysis basics
 
HTTP
HTTPHTTP
HTTP
 

Viewers also liked

kevin's powerpoint chapt 6
kevin's powerpoint chapt 6kevin's powerpoint chapt 6
kevin's powerpoint chapt 6
kkajairo
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
Ponraj
 

Viewers also liked (12)

DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
kevin's powerpoint chapt 6
kevin's powerpoint chapt 6kevin's powerpoint chapt 6
kevin's powerpoint chapt 6
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostom
 
Super Effective Denial of Service Attacks
Super Effective Denial of Service AttacksSuper Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
IDS Survey on Entropy
IDS Survey on Entropy IDS Survey on Entropy
IDS Survey on Entropy
 
Denial Of Service Attack
Denial Of Service AttackDenial Of Service Attack
Denial Of Service Attack
 

Similar to Entropy and denial of service attacks

ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
IJNSA Journal
 
Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
An effective architecture and algorithm for detecting worms with various scan...
An effective architecture and algorithm for detecting worms with various scan...An effective architecture and algorithm for detecting worms with various scan...
An effective architecture and algorithm for detecting worms with various scan...
UltraUploader
 
Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptx
talkaton
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdf
talkaton
 
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppteabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
raosg
 

Similar to Entropy and denial of service attacks (20)

Black hole attack
Black hole attackBlack hole attack
Black hole attack
 
Internet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining TechniquesInternet Worm Classification and Detection using Data Mining Techniques
Internet Worm Classification and Detection using Data Mining Techniques
 
L017317681
L017317681L017317681
L017317681
 
G0421040042
G0421040042G0421040042
G0421040042
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
 
Ip traceback seminar full report
Ip traceback seminar full reportIp traceback seminar full report
Ip traceback seminar full report
 
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCAN
 
Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
An improved ip traceback mechanism for network
An improved ip traceback mechanism for networkAn improved ip traceback mechanism for network
An improved ip traceback mechanism for network
 
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
Machine Learning Techniques Used for the Detection and Analysis of Modern Typ...
 
Introduction to cyber forensics
Introduction to cyber forensicsIntroduction to cyber forensics
Introduction to cyber forensics
 
An effective architecture and algorithm for detecting worms with various scan...
An effective architecture and algorithm for detecting worms with various scan...An effective architecture and algorithm for detecting worms with various scan...
An effective architecture and algorithm for detecting worms with various scan...
 
Network Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptxNetwork Analysis Mini Project 2.pptx
Network Analysis Mini Project 2.pptx
 
Network Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdfNetwork Analysis Mini Project 2.pdf
Network Analysis Mini Project 2.pdf
 
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppteabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
eabcdefghiaasjsdfasdfasdfasdfasdfas1.ppt
 
Network sniffers & injection tools
Network sniffers & injection toolsNetwork sniffers & injection tools
Network sniffers & injection tools
 
Wormhole attack
Wormhole attackWormhole attack
Wormhole attack
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
DDoS attacks
DDoS attacksDDoS attacks
DDoS attacks
 

More from chris zlatis

CAP Gemini IAF Project
CAP Gemini IAF Project CAP Gemini IAF Project
CAP Gemini IAF Project
chris zlatis
 

More from chris zlatis (11)

Project Management: Ανάπτυξη εφαρμογής για iPhone.
Project Management: Ανάπτυξη εφαρμογής για iPhone.Project Management: Ανάπτυξη εφαρμογής για iPhone.
Project Management: Ανάπτυξη εφαρμογής για iPhone.
 
Elections 2008 | Web 2.0 & Social Media
Elections 2008 | Web 2.0 & Social Media Elections 2008 | Web 2.0 & Social Media
Elections 2008 | Web 2.0 & Social Media
 
Mobile Advertising And Showroom
Mobile Advertising And ShowroomMobile Advertising And Showroom
Mobile Advertising And Showroom
 
Dorabak.gr | Web 2.0 & E-Government
Dorabak.gr | Web 2.0 & E-GovernmentDorabak.gr | Web 2.0 & E-Government
Dorabak.gr | Web 2.0 & E-Government
 
Wireless Mesh Networks
Wireless Mesh NetworksWireless Mesh Networks
Wireless Mesh Networks
 
Zappos & Customer Care
Zappos & Customer CareZappos & Customer Care
Zappos & Customer Care
 
Business & Social Media
Business & Social MediaBusiness & Social Media
Business & Social Media
 
Innovator Consulting Services project for HRM
Innovator Consulting Services project for HRMInnovator Consulting Services project for HRM
Innovator Consulting Services project for HRM
 
Dunkin Donuts - a new franchising concept
Dunkin Donuts - a new franchising conceptDunkin Donuts - a new franchising concept
Dunkin Donuts - a new franchising concept
 
wi-fi technology
wi-fi technology wi-fi technology
wi-fi technology
 
CAP Gemini IAF Project
CAP Gemini IAF Project CAP Gemini IAF Project
CAP Gemini IAF Project
 

Recently uploaded

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Entropy and denial of service attacks

  • 1. Master in Web Science Mathematics Department Aristotle University of Thessaloniki “Entropy and Denial of Service Attacks” Zlatis Chris
  • 2. Contents • Denial of Service attacks – Definitions, related surveys • Traceback of DDoS Attacks – Proposed method, advantages, future work • Detection methods with Shannon and Renyi cross entropy – Previous works, proposed method, dataset and results • The added value of entropy detection methods • References
  • 3. Definitions • Distributed Denial of Service Attacks (DDoS Attacks) are defined as [4] “attempts to make a computer resource unavailable to its intended users”. – The attacker gains control of a huge number of independently owned and geographically distributed computers, called “zombies”, almost always without any knowledge of their owners. • Ping flood is a type of DDoS attack directing a huge number of “ping” requests to the target victim. It exploits the “Internet Control Message Protocol” (ICMP). [4] – Huge number of ping ‘echo requests’ from a very large number of “zombies”  unable to conduct any network activity other than answering the ping ‘echo requests’  overloaded and standstill.
  • 4. Recent surveys • It has been a major threat to the Internet since year 2000, and a recent survey on the largest 70 Internet operators in the world [4] demonstrated that: 1. DDoS attacks are increasing dramatically, and individual attacks are more strong and sophisticated 2. The network security community does not have effective and efficient traceback methods to locate attackers as it is easy for attackers to disguise themselves 3. The Mafiaboy attacks of February 2000 against Amazon, eBay caused millions of dollars damage  There is a need to detect DDoS attacks as early as possible so that proper countermeasures can be applied and damage can be minimized.
  • 5. Traceback of DDoS attacks • IP traceback means the capability of identifying the actual source of any packet sent across the Internet  successful if they can identify the zombies from which the DDoS attack packets entered the Internet. There are two major methods for IP traceback: [6] 1. The probabilistic packet marking (PPM) and 2. The deterministic packet marking (DPM). • The PPM strategy can only operate in a local range of the Internet (ISP network)  we cannot traceback to the attack sources located out of the ISP network. The DPM strategy requires all the Internet routers to be updated for packet marking. • Both of these strategies require routers to inject marks into individual packets  vulnerable to hacking, referred to as “packet pollution”.
  • 6. IP Traceback using entropy variations • IP traceback using information theoretical parameters [6]  there is no packet marking in the proposed strategy  avoid the inherited shortcomings of the packet marking mechanisms. • The packets that are passing through a router are categorized into flows [6], which are defined by the upstream router where a packet came from, and the destination address of the packet. – During non attack periods, routers are required to observe and record entropy variations of local flows. – Once a DDoS attack has been identified, the victim initiates a pushback process to identify the locations of zombies…
  • 7. IP Traceback using entropy variations • The pushback process: [6] 1. The victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then 2. submits requests to the related immediate upstream routers. 3. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. 4. Once the immediate upstream routers have identified the attack flows, 5. they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources further.  This procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s).
  • 8. Advantages of traceback mechanism The proposed traceback mechanism possesses the following advantages: [6] • It overcomes the inherited drawbacks of packet marking methods, such as limited scalability, huge demands on storage space, and vulnerability to packet pollutions. • It brings no modifications on current routing software  work independently as an additional module on routers for monitoring and recording flow information. • It will be effective for future packet flooding DDoS attacks because it is independent of traffic patterns.  It can archive real-time traceback to attackers. Once the short- term flow information is in place at routers, and the victim notices that it is under attack, it will start the traceback procedure.
  • 9. Future work on Traceback methods Future work could be carried out in the following promising directions: [6] • 1. The metric for DDoS attack flows could be further explored. The proposed method deals with the packet flooding type of attacks perfectly.  The attacks with small number attack packet rates, e.g., if the attack strength is less than seven times of the strength of non attack flows, the current metric cannot discriminate it. Therefore, a metric of finer granularity is required to deal with such situations. • 2. Location estimation of attackers with partial information. When the attack strength is less than seven times of the normal flow packet rate, the proposed method cannot succeed at the moment.  The attack can be detected with the information that we have accumulated so far using traditional methods or recently developed tools.
  • 10. Detection methods with Shannon and Renyl cross entropy An entropy-based method [1] is proposed to detect network attack: • The Shannon entropy is used to analyze the distribution characteristics of alert with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length that reflect the regularity of network status – When the monitored network runs in normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features would change. • Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks.
  • 11. Previous works on entropy detection methods • Gina investigated the extent of false alerts problem in Snort using the 1999 DARPA IDS evaluation data. – They found that 69% of total generated alerts are considered to be false alerts. [1] These problems make it a frustrating task for security officers to detect network attack quickly and accurately. • Gu proposed an approach to detect anomalies in the network traffic using Maximum Entropy estimation. – The packet distribution of the benign traffic was estimated using Maximum Entropy framework and used as a baseline to detect the anomalies. • Qin used Renyi cross entropy to detect dynamic changes in network traffic of large enterprises. Three traffic features were proposed to capture dynamic changes of traffic. • A. Wagner and B Plattner applied entropy to detect worm and anomaly in fast IP networks. The entropy contents of IP addresses were used to indicate a massive network event.
  • 12. Dataset and results • Methodology: [1] Use of Snort to monitor 32 C-class subnets in the campus network for two weeks, which include more than 3,000 end users. – Alerts in Mar. 2nd as the experimental data: 1,147,906 alerts in this day with 79 signatures, 32,409 source IP addresses, 12,642 destination IP addresses  two alerts sets collected from different time period in Mar. 2nd as training and test data. The statistical results of alerts suggest several interesting results: 1. More alerts were generated in daytime than that in night due to people’s living habit. There were two peaks of alerts: 12:00 to 14:00 and 21:00 to 23:30  the end users are campus students. 2. The destination IP addresses change abruptly from 0:00 to 4:00, 6:00 to 10:00, 12:00 to 16:00 and 18:00 to 22:00. By analyzing the alerts, they found many host scan attacks at these time periods.
  • 13. The added value of Entropy methods • The Shannon entropy is used to analyze the alerts to measure the regularity of current network status. – They are relative smooth when no attack occurs; otherwise, one or some of the values would change abruptly. • The Renyi cross entropy is employed to detect network attack. – The Renyi cross entropy value is near 0 when the network runs in normal, otherwise the value will change abruptly when attack occurs. • However, although the Shannon entropies reflect the regularity of network status, it is difficult to detect attack directly by using five fixed thresholds [1], because the Shannon entropy value varies with the activities of end users even the network runs in normal way.
  • 14. References [1] Zhiwen Wang, Qin Xia, “An Approach on Detecting Network Attack Based on Entropy”, Xi’an Jiaotong University, China [2] Hoa Dinh Nguyen, Sandeep Gutta, Qi Cheng, “An Active Distributed Approach for Cyber Attack Detection”, Oklahoma State University [3] Tsern-Huei Lee - Jyun-De He, “Entropy-Based Profiling of Network Traffic for Detection of Security Attack”, National Chiao Tung University, Taiwan [4] Anna T. Lawniczak, Bruno N. Di Stefano, Hao Wu, “Detection & Study of DDoS Attacks Via Entropy in Data Network Models”, CISDA, 2009 [5] Stephen Schwab, Brett Wilson, Roshan Thomas, “Methodologies and Metrics for the Testing and Analysis of Distributed Denial of Service Attacks and Defenses”, SPARTA Inc. [6] Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, “Traceback of DDoS Attacks Using Entropy Variations”, IEEE, March 2011