Published by Caroline Poulin. Modified over 5 years ago.
1
Analyzing the Secure Overlay Services Architecture under Intelligent DDoS Attacks
Dong Xuan*, Sriram Chellappan*, Xun Wang* and Shengquan Wang+
*Dept. of Computer and Information Science, The Ohio State University
+Dept. of Computer Science, Texas A&M University
8/20/2019 The Ohio State University
2
Outline
Motivation
The SOS Architectures
Intelligent DDoS Attacks
Analysis
Related Work
Final Remarks
3
Motivation
Analyze the impacts of design features of the Secure Overlay Services (SOS) architecture on system performance under intelligent DDoS attacks.
4
The Secure Overlay Service Architecture
It is an intermediate forwarding overlay system.
Layering: each node only knows the next layer nodes.
Access to the target is controlled by a set of filters.
The target is known only to the filters.
5
Design Features
The number of layers: 3 layers of hierarchy between sources and a target.
Mapping degree: number of next layer neighbors.
Node density: number of nodes per layer.
Under random congestion attacks, path availabilities are high.
6
The Generalized SOS Architecture
Design features are flexible.
7
Intelligent DDoS Attacks
Combination of congestion-based attacks and break-in based attacks.
Congestion attacks result in a node being non-functional for the duration of the attack.
Successful break-in attacks result in disclosure of next layer neighbors.
8
Combination of Congestion-based and Break-in based Attacks
One-burst attack model
  The attacker attempts to break into nodes all at once, depending on attack resources.
  The attacker congests the disclosed nodes, and possibly more or fewer, depending on resources.
Successive attack model
  The attacker attempts to break into nodes depending on resources, in multiple rounds (R).
Other attack models are possible too.
9
The SOS Working Scenario under Intelligent DDoS Attacks
Some nodes will be compromised (broken-in or congested).
Forwarding: nodes will select an alive node in the next layer to do forwarding.
Repair: no repair and repair.
10
System Performance
Probability that a client can find a path to communicate with the target, denoted by Ps.
System performance is affected by the set of compromised nodes.
11
Analysis Methodology
A baseline approach
  Exhaustion: listing all possible combinations of compromised nodes across layers, calculating Ps for each combination, and summarizing them to get the overall Ps.
  For a system with n nodes across L layers, we have combinations.
  It is unscalable.
12
Analysis Methodology
We employ an average case approach to derive Ps.
We calculate the average number of compromised nodes in each layer to obtain Ps.
The key task is to estimate the set of compromised nodes in each layer.
13
PS Computation Formula
We need to estimate individual probabilities (Pi) of finding a path between each layer.
We need to determine the set of compromised nodes across each layer. It is not easy.
The main challenge is to discount overlaps among the sets of compromised nodes, e.g., overlaps among disclosed nodes, overlaps among broken-in and disclosed nodes, etc.
si = ci + bi, where ci and bi are the sets of congested and broken-in nodes respectively.
14
System Parameters
System model
  N overlay nodes, of which n are in the SOS system.
  The system consists of L layers.
  Number of nodes in each layer is ni.
  Mapping degree is mi.
  Probability that a first layer node is known to the attacker prior to attacks is Pe.
  Probability of a node being broken into is Pb.
  Probability that a node in layer i has a neighbor in layer i+1 is Pi.
Attacker resources
  Nt break-in resources.
  Nc congestion resources.
15
PS Computation under the One-burst Attack Model
Total number of broken into nodes in layer i are given by
Total number of congested nodes in layer i are given by
When Nc ≥ Nd
When Nc < Nd
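The closed-form expressions for this slide are not present in the text, so the following is an added Monte Carlo sketch of the one-burst model, not the authors' analysis: it estimates Ps by sampling overlays and attacks and checking whether a path of alive nodes survives. Assumed here (not stated on the slides): break-in attempts are spread blindly over all N overlay nodes, leftover congestion resources are spent on random overlay nodes, neighbors are chosen uniformly, and a client knows m[0] first-layer nodes.

```python
import random

def simulate_ps(n, m, N, Nt, Nc, Pb, Pe, trials=1000, seed=1):
    """Estimate Ps by simulation under an assumed one-burst attack.
    n[i]: nodes in layer i (0-indexed); m[0]: first-layer nodes a client knows;
    m[i+1]: neighbours each layer-i node has in layer i+1."""
    rng = random.Random(seed)
    off = [sum(n[:i]) for i in range(len(n) + 1)]   # SOS node ids: 0 .. off[-1]-1
    def layer(i):
        return range(off[i], off[i + 1])
    found = 0
    for _ in range(trials):
        links = {v: rng.sample(layer(i + 1), m[i + 1])
                 for i in range(len(n) - 1) for v in layer(i)}
        # Break-in: Nt attempts spread blindly over all N overlay nodes (assumed).
        broken = {v for v in rng.sample(range(N), Nt)
                  if v < off[-1] and rng.random() < Pb}
        # Disclosed: first-layer nodes known a priori, plus neighbours of broken nodes.
        disclosed = {v for v in layer(0) if rng.random() < Pe}
        for v in broken:
            disclosed.update(links.get(v, ()))
        disclosed -= broken
        taken = disclosed | broken
        if Nc < len(disclosed):                      # Nc < Nd: congest a subset
            congested = set(rng.sample(sorted(disclosed), Nc))
        else:                                        # Nc >= Nd: spend the rest at random
            rest = [v for v in range(off[-1]) if v not in taken]
            pool = N - len(taken)
            hits = rng.sample(range(pool), min(Nc - len(disclosed), pool))
            congested = disclosed | {rest[h] for h in hits if h < len(rest)}
        dead = broken | congested                    # s_i = c_i + b_i, all layers
        # Forwarding: the client and every node pick only alive next-hop nodes.
        reach = set(rng.sample(layer(0), m[0])) - dead
        for _ in range(len(n) - 1):
            reach = {w for v in reach for w in links[v]} - dead
        found += bool(reach)
    return found / trials

if __name__ == "__main__":
    # Parameters from the sensitivity slides; equal layer sizes and m = 2 are assumed.
    print(simulate_ps([25] * 4, [2] * 4, N=10_000, Nt=200, Nc=2000, Pb=0.5, Pe=0.2))
```

Varying `n` and `m` while holding the attacker resources fixed gives a simulation-based cross-check of design choices such as layer count and mapping degree.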
16
PS Computation under the Successive Attack Model
Total number of broken into nodes in layer i are given by
Total number of congested nodes in layer i are given by
When Nc < Nd
17
Sensitivity of Ps to Layer, Mapping Degree and Node Distribution
N = 10,000, n = 100, Nc = 2000, Nt = 200, R = 3, Pb = 0.5, Pe = 0.2.
L = 4 is best.
mi = 1 to 2 seems best.
Increasing node distribution performs best.
18
Sensitivity of Ps to Break-in Attack Intensity
N = 10,000, n = 100, Nc = 2000, R = 3, Pb = 0.5, Pe = 0.2, L = 4.
Ps is more sensitive to mi with increasing Nt.
Stable portion due to advantages offered by layering.
19
Summary of Observations
L = 3 is not the best choice.
Mapping degree and number of layers have opposite effects on resilience to break-in and congestion attacks.
  Fewer layers offer more protection against congestion-based attacks, but are not good under break-in attacks.
  A larger mapping degree offers more protection against congestion-based attacks, but is not good under break-in attacks.
Increasing node distribution performs best in general.
20
Our On-Going Work
We are investigating the system performance under dynamic repair.
Dynamic repair can be classified as:
  Reactive repair
  Proactive repair
21
Reactive Repair
Reactive approaches can work if the system responds very quickly.
22
Proactive Repair
N = 5000, n = 40, mi = 1 to 5, Nt = 1000, Nc = 2000.
Proactive approaches work more effectively than reactive approaches.
We plan to study a combination of proactive and reactive approaches.
23
Related Work
SOS focuses on system structure and dynamics under random congestion attacks.
  The layer number in SOS is fixed as 3.
  SOS does not consider break-in attacks.
MAYDAY generalizes work in terms of providing solutions to security threats in the overlay.
  It does not discuss design features.
UCSD work attempts to analyze intermediate forwarding systems under a simple break-in attack like model.
  They do not consider congestion-based attacks or their combinations.
24
Final Remarks
Contributions
  We generalize the SOS architecture, making the design flexible.
  We define two novel and ‘intelligent’ DDoS attack models and an analysis approach that can be applied to analyze other similar systems.
  Our work provides strong guidelines to designers of such systems to enhance their resilience.
Open Issues
  More sophisticated attack models.
  Timely delivery.
  Dynamic repair (in progress).
  Underlying network attack model (in progress).
  Self healing systems under attacks.