A lightweight approach to DDoS detection from home routers

  • Gabriel Mendonça (UFRJ)
  • Gustavo H. A. Santos (UFRJ)
  • Edmundo de Souza e Silva (UFRJ)
  • Rosa M. M. Leão (UFRJ)
  • Daniel S. Menasché (UFRJ)

Abstract

DDoS attacks are prevalent. Their detection should preferably take place at the edge of the network, close to the attack source, specifically in home routers. However, these devices typically have limited resources, which makes approaches based on packet inspection or flow analysis unsuitable. We propose an extremely lightweight DDoS detection method that uses only the byte counters of network interfaces. To detect attacks with so little information, we train Machine Learning models on real traffic data from hundreds of home users, together with attack traffic generated in a controlled environment. We show that our classifiers are highly effective at detecting attacks with different vectors.
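The pipeline the abstract describes has three parts: read the interface byte counters, turn a window of counter samples into a handful of features, and hand those features to a trained classifier. The following Python sketch is an added example and is not code from the paper; everything in it is a stated assumption: counters are taken from a Linux `/proc/net/dev` dump sampled once per second, the three features (upload volume, upload burstiness, upload/download asymmetry) and the logistic-regression model are illustrative choices rather than the authors' features or models, and the benign and attack windows are synthetic draws, not the real traces the paper trains on.

```python
"""Lightweight DDoS indicator built only from interface byte counters.

Added example, not code from the paper.  Hypothetical assumptions: counters come
from /proc/net/dev sampled once per second, features are per-window statistics
of the per-second tx/rx byte deltas, and the model is a tiny logistic regression
trained by gradient descent.  The paper's own features, models and traffic
traces are not reproduced here.
"""
import math
import random
import statistics

# Constructed /proc/net/dev snapshot in the real Linux layout; numbers are made up.
SNAPSHOT = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 8000000     6000    0    0    0     0          0         0  1500000     4000    0    0    0     0       0          0
"""

def parse_proc_net_dev(text, iface):
    """Cumulative (rx_bytes, tx_bytes) of `iface` from a /proc/net/dev dump."""
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[8])   # rx bytes, tx bytes
    raise KeyError(iface)

def window_features(rx_counters, tx_counters):
    """Three per-window features from counters sampled once per second."""
    rx = [b - a for a, b in zip(rx_counters, rx_counters[1:])]
    tx = [b - a for a, b in zip(tx_counters, tx_counters[1:])]
    mean_tx = statistics.fmean(tx)
    return [math.log10(mean_tx + 1.0),                        # upload volume
            statistics.pstdev(tx) / (mean_tx + 1.0),          # upload burstiness
            math.log10((sum(tx) + 1.0) / (sum(rx) + 1.0))]    # up/down asymmetry

def synthetic_window(rng, attack, seconds=30):
    """Constructed cumulative counters for one window; not measured traffic."""
    rx_c, tx_c = [0], [0]
    for _ in range(seconds):
        if attack:  # sustained outbound flood, almost nothing inbound
            tx, rx = rng.gauss(3_000_000, 150_000), rng.lognormvariate(9.0, 0.8)
        else:       # bursty small uploads, downloads dominate
            tx, rx = rng.lognormvariate(9.0, 1.2), rng.lognormvariate(12.0, 1.5)
        rx_c.append(rx_c[-1] + int(rx))
        tx_c.append(tx_c[-1] + int(max(tx, 0.0)))
    return rx_c, tx_c

class LogisticDetector:
    """Logistic regression on standardized features: a few multiply-adds per window."""

    def __init__(self, n_features):
        self.w = [0.0] * (n_features + 1)   # last weight is the bias
        self.mu = self.sigma = None

    @staticmethod
    def _sigmoid(z):
        z = max(-40.0, min(40.0, z))        # clamp to avoid exp() overflow
        return 1.0 / (1.0 + math.exp(-z))

    def _row(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sigma)] + [1.0]

    def fit(self, X, y, lr=0.5, epochs=300):
        cols = list(zip(*X))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sigma = [statistics.pstdev(c) or 1.0 for c in cols]
        rows = [self._row(x) for x in X]
        for _ in range(epochs):                      # full-batch gradient descent
            grad = [0.0] * len(self.w)
            for r, t in zip(rows, y):
                err = self._sigmoid(sum(wi * xi for wi, xi in zip(self.w, r))) - t
                for i, xi in enumerate(r):
                    grad[i] += err * xi
            self.w = [wi - lr * g / len(rows) for wi, g in zip(self.w, grad)]
        return self

    def score(self, x):
        """Probability that the window belongs to an attack."""
        return self._sigmoid(sum(wi * xi for wi, xi in zip(self.w, self._row(x))))

def build_dataset(seed=7, n_per_class=40):
    """Synthetic labelled windows: first n_per_class benign, then n_per_class attack."""
    rng = random.Random(seed)
    X, y = [], []
    for attack in (False, True):
        for _ in range(n_per_class):
            X.append(window_features(*synthetic_window(rng, attack)))
            y.append(1.0 if attack else 0.0)
    return X, y

def evaluate(seed=7, threshold=0.5):
    """Train on one synthetic draw and return accuracy on an independent draw."""
    X, y = build_dataset(seed)
    X_test, y_test = build_dataset(seed + 1)
    det = LogisticDetector(len(X[0])).fit(X, y)
    hits = sum((det.score(x) >= threshold) == bool(t) for x, t in zip(X_test, y_test))
    return hits / len(X_test)
```

Reading two integers per interface per second is all the data-plane cost this design imposes on the router; the model itself is a handful of multiply-adds per window. The synthetic draw above is deliberately easy, so the held-out accuracy says nothing about real traffic: a deployment has to set the threshold against legitimate sustained uploads (backups, video calls), which share the upload-heavy signature, and that is exactly what the paper's evaluation on real home traces and controlled attack traffic is for.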

Keywords: Security, DDoS, Machine Learning, Botnets

Published: 06/05/2019
MENDONÇA, Gabriel; SANTOS, Gustavo H. A.; DE SOUZA E SILVA, Edmundo; LEÃO, Rosa M. M.; MENASCHÉ, Daniel S.. Uma abordagem leve para detecção de DDoS a partir de roteadores domésticos. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 37. , 2019, Gramado. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019 . p. 834-847. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2019.7406.