Detecção de ataques DDoS usando correlação espaço-temporal bayesiana (DDoS attack detection using Bayesian spatio-temporal correlation)

  • Gabriel Mendonça UFRJ
  • Gustavo H. A. Santos UFRJ
  • Edmundo de Souza e Silva UFRJ
  • Rosa M. M. Leão UFRJ

Abstract

DDoS attacks have caused considerable damage over the years. To mitigate their impact, detection should preferably occur close to the attack origin. We propose in this work a lightweight DDoS detection system that uses only byte and packet counts from off-the-shelf home routers. To detect attacks with such limited information, our key insight is to employ two detection layers: (1) a classifier trained with real home user data; (2) a Bayesian hierarchical model that correlates alarms from multiple homes, across homes and over time. We use real IoT malware source code to collect DDoS attack data, generating attack traffic from the homes of a selected group of volunteers for 31 days. The field experiments show that the system has excellent detection performance.
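The two-layer design described above, as an added, self-contained illustration that is not the paper's own code: the paper's classifier and its Bayesian hierarchical model are not specified on this page, so layer 1 is a hypothetical threshold rule on packet rate and mean packet size, and layer 2 is a two-state hidden Markov model with binomial emissions (a coordinated attack is either under way or not; the number of homes raising an alarm in a window is Binomial in the number of homes, with a different alarm probability in each state). The per-home false-alarm rate is estimated with a Beta prior from a clean training period. All traffic counts, baselines and rates (`NORMAL`, `BURST`, `FLOOD`, `p1`, the transition probabilities) are constructed assumptions.

```python
"""Two-layer DDoS alarm correlation: per-home counts -> alarms -> posterior.

Illustrative example only; the thresholds, the HMM and all sample data are
assumptions, not the published model.
"""
import math
from typing import Dict, List, Tuple

# ---- Layer 1: per-home alarm from byte and packet counts (hypothetical) ----
def layer1_alarm(byte_count: int, pkt_count: int, baseline_pps: float,
                 baseline_bpp: float, window_s: int = 10) -> bool:
    """Stand-in for a trained classifier.

    Flags a window when the outbound packet rate is far above the home's
    baseline, or when it is elevated while the mean packet size collapses
    (small-packet floods look like this even though total bytes stay low).
    """
    pps = pkt_count / window_s
    bpp = byte_count / pkt_count if pkt_count else baseline_bpp
    return pps > 5 * baseline_pps or (pps > 2 * baseline_pps and bpp < 0.5 * baseline_bpp)

# ---- Layer 2: Bayesian correlation across homes (space) and windows (time) ----
def binom_logpmf(k: int, n: int, p: float) -> float:
    """log Binomial(k; n, p) via lgamma, stable for small p."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))

def estimate_false_alarm_rate(false_alarms: int, clean_home_windows: int,
                              a: float = 1.0, b: float = 49.0) -> float:
    """Posterior mean of the per-home false-alarm rate under a Beta(a, b) prior,
    updated with layer-1 alarms observed during a known-clean period."""
    return (a + false_alarms) / (a + b + clean_home_windows)

def filter_attack_posterior(alarm_counts: List[int], n_homes: int, p0: float, p1: float,
                            p_start: float = 0.01, p_stay: float = 0.9,
                            prior: float = 0.01) -> List[float]:
    """Forward filter of a two-state HMM.

    State A_t = 1: coordinated attack under way; each home alarms w.p. p1.
    State A_t = 0: no attack; each home alarms (falsely) w.p. p0.
    Temporal correlation enters through the transition probabilities:
    P(A_t=1 | A_{t-1}=0) = p_start and P(A_t=1 | A_{t-1}=1) = p_stay.
    Returns P(A_t = 1 | alarm counts up to t) for every window.
    """
    post = prior
    out = []
    for k in alarm_counts:
        pred1 = post * p_stay + (1.0 - post) * p_start   # predict step
        pred0 = 1.0 - pred1
        like1 = math.exp(binom_logpmf(k, n_homes, p1))  # spatial evidence
        like0 = math.exp(binom_logpmf(k, n_homes, p0))
        post = pred1 * like1 / (pred1 * like1 + pred0 * like0)  # update step
        out.append(post)
    return out

# ---- Constructed sample: (bytes_out, pkts_out) per home per 10 s window ----
NORMAL = (160_000, 200)        # 20 pps, 800 B/packet
BURST = (1_760_000, 2_200)     # 220 pps, normal packet size: benign upload burst
FLOOD = (180_000, 3_000)       # 300 pps, 60 B/packet: small-packet flood
SAMPLE: Dict[int, List[Tuple[int, int]]] = {
    0: [NORMAL, NORMAL, NORMAL, FLOOD, FLOOD, FLOOD],
    1: [NORMAL, NORMAL, NORMAL, FLOOD, FLOOD, FLOOD],
    2: [NORMAL, BURST, NORMAL, NORMAL, NORMAL, NORMAL],
    3: [NORMAL, NORMAL, NORMAL, FLOOD, FLOOD, FLOOD],
    4: [NORMAL, NORMAL, NORMAL, FLOOD, FLOOD, FLOOD],
    5: [NORMAL, NORMAL, NORMAL, NORMAL, NORMAL, NORMAL],
}
BASELINE = {h: (20.0, 800.0) for h in SAMPLE}   # (pps, bytes per packet) per home

def alarms_per_window(sample: Dict[int, List[Tuple[int, int]]],
                      baseline: Dict[int, Tuple[float, float]]) -> List[int]:
    """Run layer 1 for every home and count alarms in each window."""
    n_windows = len(next(iter(sample.values())))
    return [sum(layer1_alarm(*sample[h][t], *baseline[h]) for h in sample)
            for t in range(n_windows)]

def run_demo() -> List[float]:
    counts = alarms_per_window(SAMPLE, BASELINE)          # [0, 1, 0, 4, 4, 4]
    # Assumed clean period: 3 false alarms over 6 homes x 50 windows.
    p0 = estimate_false_alarm_rate(false_alarms=3, clean_home_windows=300)
    p1 = 0.6   # assumed fraction of homes alarming during a coordinated attack
    return filter_attack_posterior(counts, n_homes=len(SAMPLE), p0=p0, p1=p1)

if __name__ == "__main__":
    for t, p in enumerate(run_demo()):
        print(f"window {t}: P(attack) = {p:.4f}")
```

The point of the second layer shows in the numbers: the single benign burst in window 1 is a layer-1 alarm but leaves the attack posterior near zero, while four simultaneous alarms in window 3 push it above 0.99 immediately, and the `p_stay` transition keeps it there while the flood persists. In practice `p0` should be estimated per home (the hierarchical part) and `p1` chosen from observed infection rates, both of which this example only assumes.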

Published
2022-05-23
MENDONÇA, Gabriel; SANTOS, Gustavo H. A.; SOUZA E SILVA, Edmundo de; LEÃO, Rosa M. M. Detecção de ataques DDoS usando correlação espaço-temporal bayesiana. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 40., 2022, Fortaleza. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022. p. 224-237. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2022.222296.
