An Approach for DDoS Detection at Home Gateways
Abstract
DDoS attacks are prevalent. To mitigate their impact, detection should preferably occur as close as possible to the attack origin, at the network edge, e.g., at home routers. However, these devices typically have limited resources, and approaches that rely on packet inspection are poorly suited to them. We propose an extremely lightweight approach for DDoS detection that uses only network interface byte counts. To detect attacks with such a limited amount of information, our key insight is to train classifiers on real workload data from nearly one thousand home users, augmented with attacks generated in a controlled environment. We show that our classifiers are very efficient in detecting attacks with different vectors.
