DDoS attack detection using Bayesian spatio-temporal correlation

  • Gabriel Mendonça UFRJ
  • Gustavo H. A. Santos UFRJ
  • Edmundo de Souza e Silva UFRJ
  • Rosa M. M. Leão UFRJ

Abstract

DDoS attacks have caused considerable losses over the years. To mitigate their impact, detection should preferably take place close to the source. In this work we propose a lightweight DDoS detection system that uses only byte and packet counters from home routers. To detect attacks with such limited information, we employ two layers: (1) a classifier trained on real data from home users; (2) a hierarchical Bayesian model that correlates alarms from several households. We used source code from real malware to generate DDoS attack traffic in the homes of a group of volunteers over 31 days. The field experiments showed that our system achieves excellent performance.

Published
23/05/2022
MENDONÇA, Gabriel; SANTOS, Gustavo H. A.; SOUZA E SILVA, Edmundo de; LEÃO, Rosa M. M. Detecção de ataques DDoS usando correlação espaço-temporal bayesiana. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 40., 2022, Fortaleza. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022. p. 224-237. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2022.222296.
