Towards Proactive Distributed Denial of Service Attacks Defenses

1 Towards Proactive Distributed Denial of Service Attacks Defenses
Aziz Mohaisen, University of Central Florida. Nov 30, 2017. Joint work with Songqing Chen (GMU).

2 Motivation: Prevalent Problem
Distributed Denial of Service (DDoS) attacks are prevalent:
- Attacks on the rise: 245% Q/Q and 140% Y/Y (2016 Q4)
- Effective and easy to launch ("dark DDoS")
- Not limited to sophisticated machines: attacks using dryers, refrigerators and other IoT devices; attacks using smartphones are on the rise
- Victims are not limited to the typical suspects: targets include all verticals of critical infrastructure (finance, energy, manufacturing, health industry, etc.)

3 Key Ideas

4 Goals, Challenges and Approach
Goal: proactive defenses that optimize resources
Challenge: how, where, and when to defend?
Approach: model attackers as a first step towards defenses (capabilities, protocols, strategies, ...):
- Characterize source and target of DDoS attacks
- Discover target preference in time and space
- Identify botnet collaborative behaviors
- Utilize predictive models for effective defenses

5 Aggregated Statistics (Source/Target)
Summary of Attackers
  Bots (#)            310950
  Botnet (gen.)       674
  Botnet families     23
  Source countries    186
  Source cities       2897
  Organizations       3498
  Traffic types       7
  DDoS (#)            50704

Summary of Victims
  Targets             9026
  Countries           84
  Cities              616
  Organizations       1074

[Plots: # attacks by botnet family (Aldibot, BlackEnergy, Colddeath, Darkshell, DDoSer, DirtJumper, Nitol, Optima, Pandora); # attacks by attack mechanism]

6 Overview of DDoS Attacks Data
Timestamp   DDoS ID
T1          036C810D-FDAE-37EF-8D2F CFDA9E
T2          ACF7C2A4-643A-360C-91AE-7E53E9F94C0E
T3          D403C30C-F4CD-384A-B B8167DE9
T4          0DAFE95D-C1C7-34A7-BA53-77DCCCF7AFB2
......
Each DDoS attack is uniquely identified; each attack is associated with a timestamp; multiple attacks are ordered by timestamp.

7 General Attack Distributions
How many attacks over time? Any patterns? Average of 243 attacks a day; peak on 08/30/2012

8 Attack Intervals: inter-arrival time of attacks
[Plot of inter-arrival times; annotations: 85%, 15%, 59 days]
More than 50% of the attacks are concurrent (zero inter-arrival time).
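Slides 7 and 8 report aggregates over the timestamped attack records (attacks per day, the peak day, inter-arrival times and the share of concurrent attacks). The following is an added example of how those aggregates are computed; it is not code from the talk, and the records it runs on are constructed for illustration rather than taken from the real dataset.

```python
"""Attack timeline statistics (added example, not code from the talk).

Computes the aggregates that slides 7 and 8 report from timestamped attack
records: attacks per calendar day, the peak day, and the inter-arrival time
between consecutive attacks, where a zero gap marks concurrent attacks.
The records below are constructed for illustration, not the real dataset.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: "timestamp,attack id". Two pairs share a timestamp.
SAMPLE_RECORDS = """\
2012-08-29T10:00:00Z,ATTACK-0001
2012-08-29T10:00:00Z,ATTACK-0002
2012-08-29T13:30:00Z,ATTACK-0003
2012-08-30T01:00:00Z,ATTACK-0004
2012-08-30T01:00:00Z,ATTACK-0005
2012-08-30T02:00:00Z,ATTACK-0006
2012-08-30T09:15:00Z,ATTACK-0007
2012-09-02T00:00:00Z,ATTACK-0008
"""


def parse_records(text):
    """Return [(datetime, attack_id), ...] sorted by timestamp (stable on ties)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, attack_id = line.split(",", 1)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), attack_id.strip()))
    rows.sort(key=lambda row: row[0])
    return rows


def attacks_per_day(rows):
    """Counter: calendar day -> number of attacks with a timestamp on that day."""
    return Counter(ts.date() for ts, _ in rows)


def daily_summary(rows):
    """Mean attacks per day over the observed span (first to last day, inclusive)
    and the busiest day, in the style of slide 7."""
    per_day = attacks_per_day(rows)
    span_days = (rows[-1][0].date() - rows[0][0].date()).days + 1
    peak_day, peak_count = max(per_day.items(), key=lambda kv: kv[1])
    return {"mean_per_day": len(rows) / span_days,
            "peak_day": peak_day.isoformat(),
            "peak_count": peak_count}


def inter_arrival_seconds(rows):
    """Gaps between consecutive attacks in seconds (0 = concurrent, slide 8)."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]


def interval_summary(rows):
    """Share of consecutive attack pairs that are concurrent and the longest gap in days."""
    gaps = inter_arrival_seconds(rows)
    concurrent = sum(1 for g in gaps if g == 0)
    return {"concurrent_fraction": concurrent / len(gaps),
            "max_gap_days": max(gaps) / 86400}


if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    print(daily_summary(rows))
    print(interval_summary(rows))
```

The mean is taken over the calendar span rather than only over days with at least one attack, so quiet days pull the average down; whichever convention is used should be stated alongside a figure like the 243 attacks per day on slide 7.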

9 Source Analysis: Preprocessing
Timestamp   Creation Time   Bot IPs
T1          1h              ...
T2          1h              ..., ...
T3          1h              ..., ..., ...
T4                          ..., ..., ..., ...
......
Each attack is represented by a series of bots.

10 Source Analysis: Visualization
Characterize and predict the source distribution:
- Find the geo-center of the bots over time
- Find the distance between each bot and the center as a representation of attack spread
[Map of bot locations; marker at latitude 46.53, longitude 6.67]

11 Source Analysis: Visualization
[Plot: average distance between bots over time, in km]

12 Source Analysis: Prediction
Split the distance series into training and testing sets (50% each); fit an ARIMA model on the training half and use it to forecast the testing half.

13 Source Analysis: Prediction, cont.
Family       Group          Mean     Standard Deviation   Cosine Similarity
BlackEnergy  Prediction                                   0.96
             Ground Truth
Pandora      Prediction     562.62                        0.95
             Ground Truth   569.21
DirtJumper   Prediction     925.84                        0.85
             Ground Truth
Optima       Prediction                                   0.94
             Ground Truth
Colddeath    Prediction     356.47   753.24               0.81
             Ground Truth   341.61   933.82
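Slides 10 through 13 describe a pipeline: per attack, compute the geo-center of the bots, measure each bot's distance from it as the attack's spread, split the resulting series 50/50, fit a forecaster on the first half and score the forecast against the second half by mean, standard deviation and cosine similarity. The block below is an added example of that pipeline; it is not the talk's code. Where the talk uses ARIMA, a first-order autoregressive model, AR(1), fitted by ordinary least squares stands in so the example runs without statsmodels; the bot coordinates, the function names and the spread definition (mean distance from the geo-center) are assumptions for illustration.

```python
"""Source-spread forecasting (added example, not code from the talk).

Pipeline from slides 10-13: bots per attack -> geo-center -> spread (km)
-> 50/50 split -> fit -> forecast -> mean/std/cosine against ground truth.
AR(1) via ordinary least squares replaces the talk's ARIMA so this runs
with the standard library only. Coordinates below are constructed.
"""
import math

EARTH_RADIUS_KM = 6371.0

# Constructed sample: one list of (lat, lon) bot locations per attack.
SAMPLE_ATTACKS = [
    [(48.86, 2.35), (52.52, 13.40), (41.90, 12.50)],
    [(48.86, 2.35), (51.51, -0.13), (52.37, 4.90)],
    [(40.71, -74.01), (41.88, -87.63), (34.05, -118.24)],
    [(40.71, -74.01), (34.05, -118.24)],
    [(35.68, 139.69), (37.57, 126.98), (31.23, 121.47)],
    [(55.75, 37.62), (59.93, 30.34), (50.45, 30.52)],
    [(48.86, 2.35), (40.42, -3.70), (52.52, 13.40), (59.33, 18.07)],
    [(1.35, 103.82), (13.76, 100.50), (-6.21, 106.85)],
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_center(points):
    """Centroid of lat/lon points via 3-D unit vectors (no 180th-meridian wrap bug)."""
    x = y = z = 0.0
    for lat, lon in points:
        phi, lmb = math.radians(lat), math.radians(lon)
        x += math.cos(phi) * math.cos(lmb)
        y += math.cos(phi) * math.sin(lmb)
        z += math.sin(phi)
    n = len(points)
    x, y, z = x / n, y / n, z / n
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))


def spread_km(points):
    """Attack spread: mean distance of each bot from the attack's geo-center (slide 10)."""
    clat, clon = geo_center(points)
    return sum(haversine_km(lat, lon, clat, clon) for lat, lon in points) / len(points)


def fit_ar1(series):
    """OLS fit of x[t] = c + phi * x[t-1]; returns (c, phi)."""
    if len(series) < 2:
        raise ValueError("need at least two observations")
    xs, ys = series[:-1], series[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    sxx = sum((a - mx) ** 2 for a in xs)
    phi = sxy / sxx if sxx else 0.0
    return my - phi * mx, phi


def forecast_ar1(model, last_value, steps):
    """Iterate the fitted recurrence forward from the last training value."""
    c, phi = model
    out, x = [], last_value
    for _ in range(steps):
        x = c + phi * x
        out.append(x)
    return out


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def mean_std(values):
    m = sum(values) / len(values)
    return m, math.sqrt(sum((v - m) ** 2 for v in values) / len(values))


def evaluate_spread_forecast(attacks):
    """Slides 12-13: spread series -> 50/50 split -> fit on train -> score on test."""
    series = [spread_km(bots) for bots in attacks]
    half = len(series) // 2
    train, test = series[:half], series[half:]
    pred = forecast_ar1(fit_ar1(train), train[-1], len(test))
    return {"prediction": mean_std(pred), "ground_truth": mean_std(test),
            "cosine": cosine_similarity(pred, test)}


if __name__ == "__main__":
    print(evaluate_spread_forecast(SAMPLE_ATTACKS))
```

Cosine similarity only compares the shape of the predicted and observed series, which is why the table above reports mean and standard deviation alongside it: a forecast can track the trend (cosine near 1) while being off in level or in variability, and the Colddeath row shows exactly that kind of gap in the standard deviation.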

14 Predicting Other Variables
Other attack variables:
- Volume of attacks
- Turnaround time
- Activity level of bots
- Activity level of botnet family
- Source distribution of bots
- Botnet state (active/inactive)
- Target affinity

Spatial: exact source distribution prediction
Family       RMSE     Mean   STD
DirtJumper   0.0008
Pandora      0.0041

Temporal: number of bots over time
Family       MSE      Cosine
DirtJumper   5756     0.97
Pandora      89.20    0.99

15 Collaborative Attacks
Attack collaborations are a new phenomenon:
- Underlying ecosystem
- Possible evolution in defenses
Learning such patterns improves defenses:
- Provisioning: anticipating correlated attacks
- Attribution: understanding malicious actors
- Understanding the underlying ecosystem
- Understanding the evolution of botnet families
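The slide states that botnet collaborations exist and that learning them helps provisioning and attribution, but leaves the notion informal. The following is an added example, not the talk's code, of one operational definition that can be run over attack records: two attacks are candidate collaborators when bots of different botnet families hit the same target with overlapping active windows. The definition, the record layout and the sample records are assumptions made for illustration.

```python
"""Candidate collaborative attacks (added example, not code from the talk).

Working definition assumed here: two attacks collaborate when they come
from different botnet families, hit the same target, and their active
windows overlap. Records below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed data: (attack id, botnet family, target, start, end).
SAMPLE_ATTACKS = [
    ("A1", "DirtJumper",  "target-7", "2012-08-30T01:00:00", "2012-08-30T03:00:00"),
    ("A2", "Pandora",     "target-7", "2012-08-30T02:30:00", "2012-08-30T04:00:00"),
    ("A3", "Optima",      "target-7", "2012-08-30T05:00:00", "2012-08-30T06:00:00"),
    ("A4", "DirtJumper",  "target-7", "2012-08-30T02:45:00", "2012-08-30T03:30:00"),
    ("A5", "BlackEnergy", "target-9", "2012-08-30T01:00:00", "2012-08-30T02:00:00"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def overlapping_pairs(attacks):
    """Return (target, id_a, family_a, id_b, family_b) for every same-target,
    cross-family pair of attacks whose windows overlap. Attacks on a target are
    sorted by start time, so the inner loop can stop at the first attack that
    begins after the current one has ended."""
    by_target = defaultdict(list)
    for aid, fam, tgt, start, end in attacks:
        by_target[tgt].append((aid, fam, _parse(start), _parse(end)))
    pairs = []
    for tgt, rows in by_target.items():
        rows.sort(key=lambda r: r[2])
        for i, (a_id, a_fam, _a_start, a_end) in enumerate(rows):
            for b_id, b_fam, b_start, _b_end in rows[i + 1:]:
                if b_start >= a_end:
                    break
                if a_fam != b_fam:
                    pairs.append((tgt, a_id, a_fam, b_id, b_fam))
    return pairs


def family_cooccurrence(attacks):
    """How often each unordered pair of families appears together in overlapping
    attacks; a high count is the provisioning/attribution signal slide 15 alludes to."""
    return Counter(frozenset((a_fam, b_fam))
                   for _, _, a_fam, _, b_fam in overlapping_pairs(attacks))


if __name__ == "__main__":
    for pair in overlapping_pairs(SAMPLE_ATTACKS):
        print(pair)
    print(family_cooccurrence(SAMPLE_ATTACKS))
```

Two same-family attacks that overlap (A1 and A4 above) are deliberately not counted: they are more plausibly one campaign observed twice than a collaboration, and counting them would inflate the co-occurrence statistics a defender uses to anticipate correlated attacks.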

