Presentation is loading. Please wait.

Presentation is loading. Please wait.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research."— Presentation transcript:

1 Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research

2 All Rights Reserved © Alcatel-Lucent 2007 2 | Presentation Title | May 2007 Agenda  TCP-SYN-flooding attack detection problem  Distinct samples  Distinct-Count sketches  Experimental results  Summary

3 All Rights Reserved © Alcatel-Lucent 2007 3 | Presentation Title | May 2007 TCP-SYN-flooding attack Attackers Victim Packets with spoofed source IP addresses SYN SYN-ACK ACK  Large number of half-open connections  Victim runs out of resources & crashes attacker victim

4 All Rights Reserved © Alcatel-Lucent 2007 4 | Presentation Title | May 2007 TCP-SYN-flooding attack: Salient characteristics TCP-SYN-flooding attacks are different from flash crowds  Tracking top-k destinations with the highest traffic volume to detect attack victims won’t work  Attack traffic may not be high  Right metric for robust attack detection: Top-k destinations wrt number of distinct sources with half-open connections TCP-SYN-floodsFlash crowds Traffic volumelowhigh # of half-open connections highlow # of distinct connecting sources high

5 All Rights Reserved © Alcatel-Lucent 2007 5 | Presentation Title | May 2007 System model Continuous stream of (src IP, dst IP, ±1) flow updates  +1 for SYN packet from src to dst (insert)  -1 for ACK packet from src to dst (delete) Assumptions  32-bit IP addresses; 64-bit (src, dst) pairs  Number of distinct (src, dst) pairs: U Constraints  Single pass over update stream  Small space (logarithmic in U)  Solutions that store state for U (src, dst) pairs won’t work  Small processing time per update  Continuous tracking of attack metric (top-k destinations) Attack Detector Flow update streams Top-k dst

6 All Rights Reserved © Alcatel-Lucent 2007 6 | Presentation Title | May 2007 Problem formulation Distinct frequency f v for dst v = number of distinct src’s with unacknowledged SYN pkts (half-open connections) to v Key observation: Attack victims will have high f v values  To detect attack, track top-k f v frequency values (f v1,…., f vk )  Exact tracking of f v values requires  (U) space, and is thus impractical Approximate top-k dst tracking problem: Track top-k frequencies with a small (   relative error; if f v is the estimate for top-k frequency value f v then

7 All Rights Reserved © Alcatel-Lucent 2007 7 | Presentation Title | May 2007 Distinct-Count Sketch structure  Enables tracking of top-k distinct frequencies with guaranteed accuracy  Is resilient to deletes (necessary to ignore legitimate TCP connections)  Low storage space overhead  Low update processing time Our contribution

8 All Rights Reserved © Alcatel-Lucent 2007 8 | Presentation Title | May 2007 Related work  Estan and Varghese [SIGCOMM 02] − Use samples and hash-based filtering to identify large flows − A half-opened TCP flow is not large because no packets are exchanged  Kompella et al. [IMC 04], Gao et al. [ICDCS 04] − Maintain multiple hash tables, dst that hashes into buckets with large counters in all hash tables is potential attack victim − No provable guarantees  Gibbons [VLDB 01], Cormode and Muthukrishnan [PODS 05] − Distinct samples, cascaded summaries for (distinct) frequency estimation − Cannot handle deletions in update stream  Venkataraman et al.[NDSS 05] − For threshold k, k-superspreaders identify src’s that connect to >k dst − Determining threshold k may be difficult in practice

9 All Rights Reserved © Alcatel-Lucent 2007 9 | Presentation Title | May 2007 Revisiting the basics: Distinct samples [Gibbons, VLDB 01]  Good for distinct frequency estimation, but cannot handle deletes  Stream of (src, dst, +1) flow updates (inserts) (s,d) (u,v) h(u,v) U/2 (src, dst) pairs hash into bucket 0, U/4 into bucket 1, … Hash function h maps (src, dst) pairs to buckets with exponentially decreasing probabilities Distinct sample 0 64 b (src, dst) pairs that hash into buckets b yield distinct sample of size U/2 b

10 All Rights Reserved © Alcatel-Lucent 2007 10 | Presentation Title | May 2007 Top-k frequency estimation procedure Let v 1,..., v k be dst with highest frequencies (say f v1, …, f vk ) in distinct sample from buckets b Return (v 1, f v1 = 2 b f v1 ), …, (v k, f vk = 2 b f vk ) Key result: If distinct sample size, then for each top-k distinct frequency f v whp s s s s

11 All Rights Reserved © Alcatel-Lucent 2007 11 | Presentation Title | May 2007 Distinct-Count Sketch Distinct-Count Sketches produce distinct samples in the presence of deletions h(u,v) first level hash buckets (as before) r second level hash tables g r (u,v) g 1 (u,v) count0 1 count0 i count0 64 count1 1 count1 i count1 64 1 bit counts 0 bit counts rs second level hash buckets 1 1 s s Hash function g j randomly maps (src, dst) pairs to one of the s buckets of hash table j Number of (src, dst) pairs in bucket with i th bit 0/1  Counts help to extract (src, dst) pair in bucket when there are deletions count0 1 count0 i count0 64 count1 1 count1 i count1 64 0 64

12 All Rights Reserved © Alcatel-Lucent 2007 12 | Presentation Title | May 2007 Maintenance procedure for incoming stream update (u, v,  Example (updating counts): h(u,v) g r (u,v) g 1 (u,v) If i th bit of (u, v) is 0/1 then adjust count0/1 i by  Consider first-level hash bucket h(u,v) For j = 1 to r Update counts in second-level bucket g j (u,v) 2 0 0 2 0 2 2 0 0 bit 1 bit 3 0 0 3 0 3 3 0 No collision (u,v) = 0110,  2 0 0 2 0 2 2 0 0 bit 1 bit 2 1 0 3 1 2 3 0 Collision (u,v) = 1010,  count0 1 count0 i count0 64 count1 1 count1 i count1 64 count0 1 count0 i count0 64 count1 1 count1 i count1 64

13 All Rights Reserved © Alcatel-Lucent 2007 13 | Presentation Title | May 2007 Extracting (src, dst) pair from second-level bucket If for all i=1 to 64, exactly one of count0 i or count1 i is non-zero /* no collision */ Then (src, dst) = sequence of bit values with non-zero counts Return (src, dst) Else /* collision */ Return “empty (src, dst)” Example (extracting (src, dst) pair): 0 bit 1 bit 3 0 0 3 0 3 3 0 no collision 0 bit 1 bit 2 1 0 3 1 2 3 0 collision (src, dst) = 0110 empty (src, dst)

14 All Rights Reserved © Alcatel-Lucent 2007 14 | Presentation Title | May 2007 Top-k frequency estimation procedure Let DS l be (src, dst) pairs from (second-level buckets of) first-level buckets l Let b be the largest first-level bucket such that size of distinct sample DS b >  (s) Let v 1,..., v k be dst with highest frequencies (say f v1, …, f vk ) in distinct sample DS b Return (v 1,f v1 = 2 b f v1 ), …, (v k, f vk = 2 b f vk ) s s s s First-level bucket b r second-level hash tables Distinct sample size >  (s) Extract (src, dst) pairs from second-level buckets 0 64 1 s 1 s count0 1 count0 i count0 64 count1 1 count1 i count1 64 count0 1 count0 i count0 64 count1 1 count1 i count1 64

15 All Rights Reserved © Alcatel-Lucent 2007 15 | Presentation Title | May 2007 Distinct-Count Sketch: Key result Intuition: Consider first-level bucket with  (s) (src, dst) pairs  With r =  (log streamsize) second-level hash tables with s buckets each, every pair occurs without collisions in some second-level bucket whp  Thus, possible to obtain a distinct sample of size Key result: If, then for each top-k distinct frequency f v whp

16 All Rights Reserved © Alcatel-Lucent 2007 16 | Presentation Title | May 2007 Experimental results Synthetic data generator used to produce stream of (src, dst) pair updates  Number of distinct (src, dst) pairs (U): 8 million  Number of distinct dst: 50K  Dst IP addresses follow Zipf distribution − Zipf parameter varied between 1 and 2.5 to control skew Distinct-Count Sketch  r=3 second-level hash tables with s=5 buckets each  Size = 4.5 MB  over an order of magnitude space savings  Space to maintain counts for 8 million (src, dst) pairs = 96 MB  Processing time per stream update = 40-60 microsec on 1GHz Pentium-III

17 All Rights Reserved © Alcatel-Lucent 2007 17 | Presentation Title | May 2007 Top-k recall  Recall for top-5 dst is almost always 100% (for all skew values z)  For z 86% and >73% for top-10 and top-15 dst, respectively

18 All Rights Reserved © Alcatel-Lucent 2007 18 | Presentation Title | May 2007 Estimate relative errors  Relative error is < 17% for top-5 dst (for all skew values z)  For z<2, relative error is < 25% and < 35% for top-10 and top-15 dst, respectively

19 All Rights Reserved © Alcatel-Lucent 2007 19 | Presentation Title | May 2007 Robust, real-time TCP-SYN-flooding attack detection requires the ability to track top-k destinations wrt  Number of distinct connecting sources (as opposed to traffic volumes)  Number of half-open connections (to distinguish from flash crowds) Our proposed Distinct-Count Sketch  Enables tracking of top-k distinct frequencies with guaranteed accuracy  Is resilient to deletes (necessary to ignore legitimate TCP connections) Experimental results indicate that Distinct-Count Sketches can accurately track top-k frequent destinations  Low storage space overhead  Low update processing time  Low errors Summary

Download ppt "Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research."

Similar presentations

An Optimal Algorithm for the Distinct Elements Problem

An Optimal Algorithm for the Distinct Elements Problem
Size-estimation framework with applications to transitive closure and reachability Presented by Maxim Kalaev Edith Cohen AT&T Bell Labs 1996.

Size-estimation framework with applications to transitive closure and reachability Presented by Maxim Kalaev Edith Cohen AT&T Bell Labs 1996.
Counting Distinct Objects over Sliding Windows Presented by: Muhammad Aamir Cheema Joint work with Wenjie Zhang, Ying Zhang and Xuemin Lin University of.

Counting Distinct Objects over Sliding Windows Presented by: Muhammad Aamir Cheema Joint work with Wenjie Zhang, Ying Zhang and Xuemin Lin University of.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.

Fine-Grained Latency and Loss Measurements in the Presence of Reordering Myungjin Lee, Sharon Goldberg, Ramana Rao Kompella, George Varghese.
Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.

Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.
NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,
Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.

Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
New Sampling-Based Summary Statistics for Improving Approximate Query Answers P. B. Gibbons and Y. Matias (ACM SIGMOD 1998) Rongfang Li Feb 2007.

New Sampling-Based Summary Statistics for Improving Approximate Query Answers P. B. Gibbons and Y. Matias (ACM SIGMOD 1998) Rongfang Li Feb 2007.
SIGMOD 2006University of Alberta1 Approximately Detecting Duplicates for Streaming Data using Stable Bloom Filters Presented by Fan Deng Joint work with.

SIGMOD 2006University of Alberta1 Approximately Detecting Duplicates for Streaming Data using Stable Bloom Filters Presented by Fan Deng Joint work with.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.

Polytechnic University,ECE Department1 Detection of “Hot Spots” Paper Title : Joint Data Streaming and Sampling Techniques for Detection of Super Sources.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Ph.D. DefenceUniversity of Alberta1 Approximation Algorithms for Frequency Related Query Processing on Streaming Data Presented by Fan Deng Supervisor:

Ph.D. DefenceUniversity of Alberta1 Approximation Algorithms for Frequency Related Query Processing on Streaming Data Presented by Fan Deng Supervisor:
1 Distributed Streams Algorithms for Sliding Windows Phillip B. Gibbons, Srikanta Tirthapura.

1 Distributed Streams Algorithms for Sliding Windows Phillip B. Gibbons, Srikanta Tirthapura.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Ph.D. SeminarUniversity of Alberta1 Approximation Algorithms for Frequency Related Query Processing on Streaming Data Presented by Fan Deng Supervisor:

Ph.D. SeminarUniversity of Alberta1 Approximation Algorithms for Frequency Related Query Processing on Streaming Data Presented by Fan Deng Supervisor:
Beyond Bloom Filters: From Approximate Membership Checks to Approximate State Machines By F. Bonomi et al. Presented by Kenny Cheng, Tonny Mak Yui Kuen.

Beyond Bloom Filters: From Approximate Membership Checks to Approximate State Machines By F. Bonomi et al. Presented by Kenny Cheng, Tonny Mak Yui Kuen.

Similar presentations

Ads by Google