Web Server Protection against Application Layer DDoS Attacks using Machine Learning and Traffic Authentication
Jema David Nidbwile*, Kazuya Okada**, Youki Kadobayashi**, and A. Govardhan*

Presentation transcript:

Web Server Protection against Application Layer DDoS Attacks using Machine Learning and Traffic Authentication
Jema David Nidbwile*, Kazuya Okada**, Youki Kadobayashi**, and A. Govardhan*
*Jawaharlal Nehru Technological University
**Nara Institute of Science and Technology
mail: jemablue86@gmail.com

Speaker notes: Good afternoon everybody. I am Jema David, a Tanzanian national and an M.Tech CNIS finalist at JNTUH. Today I am here to present our paper, which is entitled "Web Server Protection against Application Layer DDoS Attacks using Machine Learning and Traffic Authentication". This work was done by our former intern. I will present this paper in his place.

7/3/2018 IEEE COMPSACW Annual International Conference & Workshop NETSAP2015

Outline
- Background
- Related Work
- Proposal
- Experimental Results
- Limitations and Future Works
- Summary
- Conclusion

Key Terms
- False Positives
- Mimicry Malicious Traffic
- Application Layer DDoS Attacks
- Decoy Web Server
- Bait Web Server

DDoS Attacks
- Distributed Denial of Service attacks: classic, but still a major issue on the Internet
- Types of DDoS:
  - Volume-based attacks: saturate the bandwidth on the victim side, e.g. UDP flood
  - Application layer attacks: abuse application-server memory and performance limits, e.g. HTTP GET flood

Speaker notes: First, I give our research background and objectives. Our research target is application layer DDoS attacks.

Application Layer DDoS Attacks
- Low rate: attackers send low-rate TCP traffic to the victim and waste server resources (CPU / memory)
- Hard to tell attack from legitimate traffic: mimicry malicious traffic looks similar to legitimate traffic, which leads to misclassification and a higher false positive rate

Application Layer DDoS Problem
[Figure: an attacker sends mimicry traffic that passes the IDS/IPS and reaches the web server alongside normal user traffic]

Source Authentication
- CAPTCHA is the most popular authentication method, but:
  - it annoys users
  - some CAPTCHA images are not readable
  - smart AI bots can solve the puzzles
  - it is a barrier for people with dyslexia

Keep Obliviousness
- Mitigation should be oblivious to the attacker
- Attackers easily identify simple mitigations (e.g. simple traffic filtering), and once they do they change attack strategy (e.g. change the attack sources)

Proposal
- Machine learning-based traffic classification generates redirection rules on the NIPS
- The NIPS redirects malicious traffic to decoy servers
- Decoy web servers hold the same contents as the original servers, so the attacker finds it hard to tell the decoy from the original
- Active user authentication reduces false positives on the decoy server

Our Mitigation Architecture
[Figure: incoming traffic from the Internet passes a custom Snort NIPS. Normal traffic goes to the bait web server; false-positive packets plus malicious traffic are redirected to the decoy web server. A Random Tree machine learning algorithm generates the redirection rules, deployed as decision rules on Snort IDS with iptables+fwsnort. The JavaScript authenticator on the decoy forwards authenticated false-positive traffic to the real web server as regular authenticated traffic; un-authenticated traffic stays on the decoy.]

JavaScript Authenticator
[Figure: on loading index.html the client runs the JavaScript check. A positive action (the script runs and answers) marks the traffic as authenticated false positive and it is forwarded to the real web server; a negative action (no answer) keeps it on the decoy web server as malicious traffic.]

Advantages
- The JS authenticator retains false positive packets (misclassified legitimate clients are not lost)
- Reduces server load
- Mitigates mimicry traffic in front of the servers

System Validations
- Machine learning-based classification: how accurately do machine learning methods classify the traffic?
- Mitigation performance: how much does the architecture reduce the original servers' load?

Experiment Setup
- Machine learning algorithm: Random Tree
- Traffic datasets: MAWI, NETRESEC
- Learning tool: WEKA
MAWILab - http://mawi.wide.ad.jp/
NETRESEC - http://www.netresec.com/

Classification Result
- Fine-grained classification, over-fitting to the datasets
- On live traffic, misclassification will occur

Instances                Training   Cross-Validation   Testing
Correctly Classified     100%       97.5542%           99.022%
Incorrectly Classified   0%         2.4458%            0.978%
False Positive Rate      0.000      0.027              0.011

Mitigation Performance
- Purpose: to determine how well the custom IPS and the authentication method protect the web server
- Metrics:
  - Response time, measured with the "curl" command
  - CPU usage, measured with the "dstat" command

Experiment Topology Without NIPS
[Figure: a legitimate client (tools: Mozilla browser) sends requests and an attacker launches attacks (tools: TCP Replay, SlowLoris, R.U.D.Y, LOIC) directly against the bait web server, with no NIPS in the path; the real web server and the decoy web server keep the same contents.]

Response Time: without IPS
- The bait server's response time is long under attack traffic
[Figure: response time (sec) vs. experiment time (sec)]

CPU Utilization
[Figure: CPU utilization without IPS]

Experiment Topology With NIPS
[Figure: same setup, with the NIPS in front of the servers. A legitimate client (tools: Mozilla browser) sends requests and an attacker launches attacks (tools: TCP Replay, SlowLoris, R.U.D.Y, LOIC); legitimate traffic reaches the bait web server and malicious traffic is sent to the decoy web server. The real, bait and decoy web servers keep the same contents.]

Response Time: with IPS
- The bait web server's response time is improved
- Attack traffic is redirected in front of the server
[Figure: response time (sec) vs. experiment time (sec)]

CPU Utilization
[Figure: CPU utilization with IPS]

Default vs. Customized Snort IPS
[Figure: comparison of the default and the customized Snort IPS on the real web server]

Summary of the Validations
- Machine learning-based classification: fine-grained classification
- Mitigation performance: the custom NIPS reduces the load on the web servers

Limitations and Future Works
- JavaScript engines are required on clients
- UI for visually impaired users: audio authentication
- Evaluate with actual traffic and DDoS tools

Conclusion
- Application layer DDoS attacks: hard to tell attack traffic from legitimate traffic
- Machine learning + JavaScript authenticator: redirect false positive traffic from the decoy servers back to the original servers
- Validated the architecture with basic scenarios: it improves the real web server's performance

Acknowledgement
This research has been supported by the Strategic International Collaborative R&D Promotion Project of the Ministry of Internal Affairs and Communication in Japan (MIC) and by the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement No. 608533 (NECOMA).

Thanks for your attention. Questions and discussion are welcome.