Published by Corey Carroll. Modified over 6 years ago.
1
Web Server Protection against Application Layer DDoS Attacks using Machine Learning and Traffic Authentication
Jema David Ndibwile*, Kazuya Okada**, Youki Kadobayashi**, and A. Govardhan*
*Jawaharlal Nehru Technological University
**Nara Institute of Science and Technology
mail :

Good afternoon everybody. I am Jema David, Tanzanian national, MTech CNIS finalist at JNTUH. Today, I am here to present our paper, which is entitled “Web Server Protection against Application Layer DDoS attacks using Machine Learning and Traffic Authentication”. This work is done by our former intern. I will present this paper in place of him.

7/3/2018 IEEE COMPSACW Annual International Conference & Workshop NETSAP2015
2
- Background
- Related Work
- Proposal
- Experimental Results
- Limitations and Future Works
- Summary
- Conclusion
3
Key Terms
- False Positives
- Mimicry
- Malicious Traffic
- Application Layer DDoS attacks
- Decoy Web Server
- Bait Web Server
4
DDoS Attacks
- Distributed Denial of Service Attacks
  - Classic, but still a major issue on the Internet
- Types of DDoS
  - Volume-based attacks
    - saturate the bandwidth of the victim side
    - e.g. UDP Flood
  - Application-layer attacks
    - abuse application-server memory and performance limitations
    - e.g. HTTP GET Flood

First, I give our research background and objectives. Our research target is Application Layer DDoS attacks.
6
Application Layer DDoS Attacks
- Low rate
  - attackers send low-rate TCP packets to victims
  - wastes server resources: CPU / memory
- Hard to identify as attack or not
  - mimicry: malicious traffic similar to legitimate traffic
  - → leads to misclassification and increases the false positive rate
7
Application Layer DDoS problem
[Figure; surviving labels: Attacker, Mimicry traffic, Web Server, IDS/IPS, User]
8
Source Authentication
- CAPTCHA
  - the most popular authentication method
  - annoys users
  - some CAPTCHA images are unreadable
  - smart AI bots can solve the puzzles
  - a barrier for users with dyslexia
9
Keep Obliviousness
- Mitigation should be oblivious
  - attackers easily identify simple mitigations, e.g. simple traffic filtering
  - once they do, they change attack strategies, e.g. change attack sources
10
Proposal
- Machine learning-based traffic classification
  - generates redirection rules on the NIPS
  - the NIPS redirects malicious traffic to decoy servers
- Decoy Web servers
  - hold the same contents as the original servers
  - hard for an attacker to tell the decoy from the original
- Active user authentication
  - reduces false positives on the decoy server
11
Our Mitigation Architecture
[Architecture diagram; surviving labels: Internet, Incoming Traffic, Custom Snort NIPS, Random Tree Machine Learning Algorithm, generate redirection rules, Decision Rules on Snort IDS: with iptables+fwsnort, Normal Traffic, Bait Web Server, FP Packets + Malicious traffic, Decoy Web Server, JavaScript authenticator, Authenticated FP traffic, Un-authenticated traffic, Regular authenticated traffic, Real Web Server]
12
JavaScript Authenticator
[Diagram; surviving labels: On loading index.html, JS +ve action, Authenticated FP traffic, Real Web Server, JS -ve action, Malicious Traffic, Decoy Web Server]
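The slides do not say what the "JS +ve action" consists of. The following is an added sketch, not code from the presentation or the paper, of one way a decoy server could tell script-executing clients (false positives) from clients that never run the page script. It assumes the positive action is the page script posting back an HMAC-signed challenge; the `/auth` path, `REAL_SERVER`, and all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Assumptions for this sketch: key, URL and lifetime are placeholders.
const SECRET = crypto.randomBytes(32);
const REAL_SERVER = 'https://real.example.test/';
const MAX_AGE_MS = 30000;

function sign(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

// Decoy side: mint a challenge bound to the client address and issue time.
function issueChallenge(clientIp, now = Date.now()) {
  const nonce = crypto.randomBytes(8).toString('hex');
  return { nonce, ts: now, mac: sign(`${clientIp}|${nonce}|${now}`) };
}

// Decoy index.html: same content as the original plus the script that
// performs the "positive action" (posting the challenge back on load).
function decoyPage(challenge) {
  const payload = JSON.stringify(challenge); // hex strings and a number only
  return '<html><body><!-- mirrored site content --><script>' +
    `fetch("/auth",{method:"POST",body:JSON.stringify(${payload})})` +
    '.then(r=>r.json()).then(v=>{if(v.redirect)location.replace(v.redirect)});' +
    '</script></body></html>';
}

// Decoy side: decide whether the posted answer is a valid positive action.
function verifyAnswer(clientIp, answer, now = Date.now()) {
  const denied = { authenticated: false }; // negative action: stay on decoy
  if (!answer || typeof answer.mac !== 'string') return denied;
  const expected = Buffer.from(
    sign(`${clientIp}|${answer.nonce}|${answer.ts}`), 'hex');
  const given = Buffer.from(answer.mac, 'hex');
  if (given.length !== expected.length) return denied;
  if (!crypto.timingSafeEqual(given, expected)) return denied;
  const age = now - Number(answer.ts);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return denied;
  return { authenticated: true, redirect: REAL_SERVER };
}
```

A client that never executes the script never produces a valid answer and keeps being served by the decoy, which matches the limitation the slides state later: a JavaScript engine is required on the client.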
13
Advantages
- JS authenticator
  - retains false positive packets
- Reduces server loads
- Mitigates mimicry traffic in front of servers
14
System Validations
- Machine Learning-based Classification
  - How accurately do machine learning methods classify traffic?
- Mitigation Performance
  - How much does the architecture reduce the original servers’ loads?
15
Experiment Setup
- Machine Learning Algorithm
  - Random Tree
- Traffic Datasets
  - MAWI
  - NETRESEC
- Learning Tool
  - WEKA

MAWILab -
NETRESEC -
16
Classification Result
- Fine-grained classification
  - overfitting to the datasets
  - for live traffic, misclassification will occur

Instances                 Training   Cross-Validation   Testing
Correctly Classified      100%       %                  99.022%
Incorrectly Classified    0%         %                  0.978%
False Positive Rate       0.000      0.027              0.011
17
Mitigation Performance
- Purpose
  - To determine how well the custom IPS and authentication method protect the Web server
- Metrics
  - Response Time: “curl” command
  - CPU Usage: “Dstat” command
18
Experiment Topology: Without NIPS
[Topology diagram; surviving labels: Client (Tools: Mozilla Browser; Send Requests; Legitimate), Attacker (Launch Attacks; Tools: TCP Replay, SlowLoris, R.U.D.Y, LOIC; Malicious), NIPS, Real Web Server, Bait Web Server, Decoy Web Server, Keep same contents]
19
Response Time : without IPS
- Bait Server response time is long under attack traffic

[Plot: Response Time (sec) vs. Experiment Time (sec)]
20
CPU Utilization
21
Experiment Topology: With NIPS
[Topology diagram; surviving labels: Client (Tools: Mozilla Browser; Send Requests; Legitimate), Attacker (Launch Attacks; Tools: TCP Replay, SlowLoris, R.U.D.Y, LOIC; Malicious), NIPS, Real Web Server, Bait Web Server, Decoy Web Server, Keep same contents]
22
Response Time : with IPS
- Improved Bait Web server response
  - attack traffic is redirected in front of the server

[Plot: Response Time (sec) vs. Experiment Time (sec)]
23
CPU Utilization
24
Default vs. Customized Snort IPS
[Figure; surviving label: Real]
25
Summary of the Validations
- Machine Learning-based Classification
  - fine-grained classification
- Mitigation Performance
  - custom NIPS reduces the load on the web servers
26
Limitations and Future Works
- JavaScript engines are required on clients
- UI for visually impaired users
  - audio authentication
- Evaluate with actual traffic and DDoS tools
27
Conclusion
- Application layer DDoS attacks
  - hard to distinguish attack traffic from legitimate traffic
- Machine Learning + JavaScript authenticator
  - redirects false positive traffic from decoy servers to original servers
- Validated the architecture with basic scenarios
  - improves the real Web server’s performance
28
Acknowledgement
This research has been supported by the Strategic International Collaborative R&D Promotion Project of the Ministry of Internal Affairs and Communication in Japan (MIC) and by the European Union Seventh Framework Programme (FP7/ ) under grant agreement No (NECOMA).
30
Thanks for your attention. Questions and discussion are welcome.