Optimization of Stealthwatch Network Security System for the Detection and Mitigation of Distributed Denial of Service (DDoS) Attack: Application to Smart Grid System

The Smart Grid is an enhancement of the traditional grid system and employs new technologies and sophisticated communication techniques for electrical power transmission and distribution. The Smart Grid’s communication network shares information about status of its several integrated IEDs (Intelligent Electronic Devices). However, the IEDs connected throughout the Smart Grid, open opportunities for attackers to interfere with the communications and utilities resources or take clients’ private data. This development has introduced new cyber-security challenges for the Smart Grid and is a very concerning issue because of emerging cyber-threats and security incidents that have occurred recently all over the world. The purpose of this research is to detect and mitigate Distributed Denial of Service [DDoS] with application to the Electrical Smart Grid System by deploying an optimized Stealthwatch Secure Network analytics tool. In this paper, the DDoS attack in the Smart Grid communication networks was modeled using Stealthwatch tool. The simulated network consisted of Secure Network Analytic tools virtual machines (VMs), electrical Grid network communication topology, attackers and Target VMs. Finally, the experiments and simulations were performed, and the research results showed that Stealthwatch analytic tool is very effective in detecting and mitigating DDoS attacks in the Smart Grid System without causing any blackout or shutdown of any internal systems as compared to other tools such as GNS3, NeSSi2, NISST Framework, OMNeT++, INET Framework, ReaSE, NS2, NS3, M5 Simulator, OPNET, PLC & TIA Portal management Software which do not have the capability to do so. Also, using Stealthwatch tool to create a security baseline for Smart Grid environment, contributes to risk mitigation and sound security hygiene.

Formalized Description of Distributed Denial of Service Attack

The distributed denial of service (DDoS) attack is one of the dangers in intrusion modes. It's difficult to defense and can cause serious damage to the system. Based on a careful study of the attack principles and characteristics, an object-oriented formalized description is presented, which contains a three-level framework and offers full specifications of all kinds of DDoS modes and their features and the relations between one another. Its greatest merit lies in that it contributes to analyzing, checking and judging DDoS. Now this formalized description has been used in a special IDS and it works very effectively.(

Denial of Service Due to Direct and Indirect ARP Storm Attacks in LAN Environment

ARP-based Distributed Denial of Service (DDoS) attacks due to ARP-storms can happen in local area networks where many computer systems are infected by worms such as Code Red or by DDoS agents. In ARP attack, the DDoS agents constantly send a barrage of ARP requests to the gateway, or to a victim computer within the same sub-network, and tie up the resource of attacked gateway or host. In this paper, we set to measure the impact of ARP-attack on resource exhaustion of computers in a local area network. Based on attack experiments, we measure the exhaustion of processing and memory resources of a victim computer and also other computers, which are located on the same network as the victim computer. Interestingly enough, it is observed that an ARP-attack not only exhausts resource of the victim computer but also significantly exhausts processing resource of other non-victim computers, which happen to be located on the same local area network as the victim computer.

Central Aggregator Intrusion Detection System for Denial of Service Attacks

Vehicle-to-grid technology is an emerging field that allows unused power from Electric Vehicles(EVs)to be used by the smart grid through the central aggregator.Since the central aggregator is connected to the smart grid through a wireless network,it is prone to cyber-attacks that can be detected and mitigated using an intrusion detection system.However,existing intrusion detection systems cannot be used in the vehicle-to-grid network because of the special requirements and characteristics of the vehicle-to-grid network.In this paper,the effect of denial-of-service attacks of malicious electric vehicles on the central aggregator of the vehicle-to-grid network is investigated and an intrusion detection system for the vehicle-to-grid network is proposed.The proposed system,central aggregator–intrusion detection system(CA-IDS),works as a security gateway for EVs to analyze andmonitor incoming traffic for possible DoS attacks.EVs are registered with a Central Aggregator(CAG)to exchange authenticated messages,and malicious EVs are added to a blacklist for violating a set of predefined policies to limit their interaction with the CAG.A denial of service(DoS)attack is simulated at CAG in a vehicle-to-grid(V2G)network manipulating various network parameters such as transmission overhead,receiving capacity of destination,average packet size,and channel availability.The proposed system is compared with existing intrusion detection systems using different parameters such as throughput,jitter,and accuracy.The analysis shows that the proposed system has a higher throughput,lower jitter,and higher accuracy as compared to the existing schemes.

Experimental Evaluation of Cisco ASA-5510 Intrusion Prevention System against Denial of Service Attacks

Cyber attacks are continuing to hamper working of Internet services despite increase in the use of network security systems such as, firewalls and Intrusion protection systems (IPS). Recent Denial of Service (DoS) attack on Independence Day weekend, on July 4th, 2009 launched to debilitate the US and South Korean governments’ websites is indicative of the fact that the security systems may not have been adequately deployed to counteract such attacks. IPS is a vital security device which is commonly used as a front line defense mechanism to defend against such DoS attacks. Before deploying a firewall or an IPS device for network protection, in many deployments, the performance of firewalls is seldom evaluated for their effectiveness. Many times, these IPS’s can become bottleneck to the network performance and they may not be effective in stopping DoS attacks. In this paper, we intend to drive the point that deploying IPS may not always be effective in stopping harmful effects of DoS attacks. It is important to evaluate the capability of IPS before they are deployed to protect a network or a server against DoS attacks. In this paper, we evaluate performance of a commercial grade IPS Cisco ASA-5510 IPS to measure its effectiveness in stopping a DoS attacks namely TCP-SYN, UDP Flood, Ping Flood and ICMP Land Attacks. This IPS comes with features to counteract and provide security against these attacks. Performance of the IPS is measured under these attacks protection and compared with its performance when these protection features were not available (i.e. disabled). It was found that the IPS was unable to provide satisfactory protection despite the availability of the protection features against these flooding attacks. It is important for the network managers to measure the actual capabilities of an IPS system before its deployment to protect critical information infrastructure.

Modeling and Simulation of Low Rate of Denial of Service Attacks

The low-rate denial of service attack is more applicable to the network in recent years as a means of attack, which is different from the traditional field type DoS attacks at the network end system or network using adaptive mechanisms exist loopholes flow through the low-rate periodic attacks on the implementation of high-efficiency attacked by an intruder and not be found, resulting in loss of user data or a computer deadlock. LDos attack since there has been extensive attention of researchers, the attack signature analysis and detection methods to prevent network security have become an important research topic. Some have been proposed for the current attacks were classified LDoS describe and model, and then in NS-2 platform for experimental verification, and then LDoS attack detection to prevent difficulties are discussed and summarized for the future such attacks detection method research work to provide a reference.

The History, Trend, Types, and Mitigation of Distributed Denial of Service Attacks

Over time, the world has transformed digitally and there is total dependence on the internet. Many more gadgets are continuously interconnected in the internet ecosystem. This fact has made the Internet a global information source for every being. Despite all this, attacker knowledge by cybercriminals has advanced and resulted in different attack methodologies on the internet and its data stores. This paper will discuss the origin and significance of Denial of Service (DoS) and Distributed Denial of Service (DDoS). These kinds of attacks remain the most effective methods used by the bad guys to cause substantial damage in terms of operational, reputational, and financial damage to organizations globally. These kinds of attacks have hindered network performance and availability. The victim’s network is flooded with massive illegal traffic hence, denying genuine traffic from passing through for authorized users. The paper will explore detection mechanisms, and mitigation techniques for this network threat.

Threshold-Based Software-Defined Networking(SDN)Solution for Healthcare Systems against Intrusion Attacks

The healthcare sector holds valuable and sensitive data.The amount of this data and the need to handle,exchange,and protect it,has been increasing at a fast pace.Due to their nature,software-defined networks(SDNs)are widely used in healthcare systems,as they ensure effective resource utilization,safety,great network management,and monitoring.In this sector,due to the value of thedata,SDNs faceamajor challengeposed byawide range of attacks,such as distributed denial of service(DDoS)and probe attacks.These attacks reduce network performance,causing the degradation of different key performance indicators(KPIs)or,in the worst cases,a network failure which can threaten human lives.This can be significant,especially with the current expansion of portable healthcare that supports mobile and wireless devices for what is called mobile health,or m-health.In this study,we examine the effectiveness of using SDNs for defense against DDoS,as well as their effects on different network KPIs under various scenarios.We propose a threshold-based DDoS classifier(TBDC)technique to classify DDoS attacks in healthcare SDNs,aiming to block traffic considered a hazard in the form of a DDoS attack.We then evaluate the accuracy and performance of the proposed TBDC approach.Our technique shows outstanding performance,increasing the mean throughput by 190.3%,reducing the mean delay by 95%,and reducing packet loss by 99.7%relative to normal,with DDoS attack traffic.

The detection method of low-rate DoS attack based on multi-feature fusion

As a new type of Denial of Service(DoS)attacks,the Low-rate Denial of Service(LDoS)attacks make the traditional method of detecting Distributed Denial of Service Attack(DDoS)attacks useless due to the characteristics of a low average rate and concealment.With features extracted from the network traffic,a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper.An attack feature set containing the Acknowledge character(ACK)sequence number,the packet size,and the queue length is used to classify normal and LDoS attack traffics.Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor(KNN)classifier separately,and to obtain the decision contour matrix.Then a posteriori probability in the matrix is fused,and the fusion decision index D is used as the basis of detecting the LDoS attacks.Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.

Dynamic Threshold-Based Approach to Detect Low-Rate DDoS Attacks on Software-Defined Networking Controller

The emergence of a new network architecture,known as Software Defined Networking(SDN),in the last two decades has overcome some drawbacks of traditional networks in terms of performance,scalability,reliability,security,and network management.However,the SDN is vulnerable to security threats that target its controller,such as low-rate Distributed Denial of Service(DDoS)attacks,The low-rate DDoS attack is one of the most prevalent attacks that poses a severe threat to SDN network security because the controller is a vital architecture component.Therefore,there is an urgent need to propose a detection approach for this type of attack with a high detection rate and low false-positive rates.Thus,this paper proposes an approach to detect low-rate DDoS attacks on the SDN controller by adapting a dynamic threshold.The proposed approach has been evaluated using four simulation scenarios covering a combination of low-rate DDoS attacks against the SDN controller involving(i)a single host attack targeting a single victim;(ii)a single host attack targeting multiple victims;(iii)multiple hosts attack targeting a single victim;and(iv)multiple hosts attack targeting multiple victims.The proposed approach’s average detection rates are 96.65%,91.83%,96.17%,and 95.33%for the above scenarios,respectively;and its average false-positive rates are 3.33%,8.17%,3.83%,and 4.67%for similar scenarios,respectively.The comparison between the proposed approach and two existing approaches showed that it outperformed them in both categories.

Entropy-Based Approach to Detect DDoS Attacks on Software Defined Networking Controller

The Software-Defined Networking(SDN)technology improves network management over existing technology via centralized network control.The SDN provides a perfect platform for researchers to solve traditional network’s outstanding issues.However,despite the advantages of centralized control,concern about its security is rising.The more traditional network switched to SDN technology,the more attractive it becomes to malicious actors,especially the controller,because it is the network’s brain.A Distributed Denial of Service(DDoS)attack on the controller could cripple the entire network.For that reason,researchers are always looking for ways to detect DDoS attacks against the controller with higher accuracy and lower false-positive rate.This paper proposes an entropy-based approach to detect low-rate and high-rate DDoS attacks against the SDN controller,regardless of the number of attackers or targets.The proposed approach generalized the Rényi joint entropy for analyzing the network traffic flow to detect DDoS attack traffic flow of varying rates.Using two packet header features and generalized Rényi joint entropy,the proposed approach achieved a better detection rate than the EDDSC approach that uses Shannon entropy metrics.

Cyberattack Ramifications, The Hidden Cost of a Security Breach

In this in-depth exploration, I delve into the complex implications and costs of cybersecurity breaches. Venturing beyond just the immediate repercussions, the research unearths both the overt and concealed long-term consequences that businesses encounter. This study integrates findings from various research, including quantitative reports, drawing upon real-world incidents faced by both small and large enterprises. This investigation emphasizes the profound intangible costs, such as trade name devaluation and potential damage to brand reputation, which can persist long after the breach. By collating insights from industry experts and a myriad of research, the study provides a comprehensive perspective on the profound, multi-dimensional impacts of cybersecurity incidents. The overarching aim is to underscore the often-underestimated scope and depth of these breaches, emphasizing the entire timeline post-incident and the urgent need for fortified preventative and reactive measures in the digital domain.

基于CNN-BiLSTM的ICMPv6 DDoS攻击检测方法

针对ICMPv6网络中DDoS攻击检测问题,提出一种基于CNN-BiLSTM网络的检测算法。通过将带有注意力机制、DropConnect和Dropout混合使用加入到CNN-BiLSTM算法中,防止在训练过程中产生的过拟合问题,同时更准确地提取数据的特性数据。通过实验表明:提出的算法在多次实验中的检测准确率、误报率与漏报率平均值分别为92.84%、4.49%和10.54%,检测算法泛化性较强,性能由于其他算法,能够有效处理ICMPv6 DDoS攻击检测问题。

DDoS Attack Detection Scheme Based on Entropy and PSO-BP Neural Network in SDN

SDN (Software Defined Network) has many security problems, and DDoS attack is undoubtedly the most serious harm to SDN architecture network. How to accurately and effectively detect DDoS attacks has always been a difficult point and focus of SDN security research. Based on the characteristics of SDN, a DDoS attack detection method combining generalized entropy and PSOBP neural network is proposed. The traffic is pre-detected by the generalized entropy method deployed on the switch, and the detection result is divided into normal and abnormal. Locate the switch that issued the abnormal alarm. The controller uses the PSO-BP neural network to detect whether a DDoS attack occurs by further extracting the flow features of the abnormal switch. Experiments show that compared with other methods, the detection accurate rate is guaranteed while the CPU load of the controller is reduced, and the detection capability is better.

Stochastic DoS Attack Allocation Against Collaborative Estimation in Sensor Networks

In this paper,denial of service(DoS)attack management for destroying the collaborative estimation in sensor networks and minimizing attack energy from the attacker perspective is studied.In the communication channels between sensors and a remote estimator,the attacker chooses some channels to randomly jam DoS attacks to make their packets randomly dropped.A stochastic power allocation approach composed of three steps is proposed.Firstly,the minimum number of channels and the channel set to be attacked are given.Secondly,a necessary condition and a sufficient condition on the packet loss probabilities of the channels in the attack set are provided for general and special systems,respectively.Finally,by converting the original coupling nonlinear programming problem to a linear programming problem,a method of searching attack probabilities and power to minimize the attack energy is proposed.The effectiveness of the proposed scheme is verified by simulation examples.

A Novel Framework for DDoS Attacks Detection Using Hybrid LSTM Techniques

The recent development of cloud computing offers various services on demand for organization and individual users,such as storage,shared computing space,networking,etc.Although Cloud Computing provides various advantages for users,it remains vulnerable to many types of attacks that attract cyber criminals.Distributed Denial of Service(DDoS)is the most common type of attack on cloud computing.Consequently,Cloud computing professionals and security experts have focused on the growth of preventive processes towards DDoS attacks.Since DDoS attacks have become increasingly widespread,it becomes difficult for some DDoS attack methods based on individual network flow features to distinguish various types of DDoS attacks.Further,the monitoring pattern of traffic changes and accurate detection of DDoS attacks are most important and urgent.In this research work,DDoS attack detection methods based on deep belief network feature extraction and Hybrid Long Short-Term Memory(LSTM)model have been proposed with NSL-KDD dataset.In Hybrid LSTM method,the Particle Swarm Optimization(PSO)technique,which is combined to optimize the weights of the LSTM neural network,reduces the prediction error.This deep belief network method is used to extract the features of IP packets,and it identifies DDoS attacks based on PSO-LSTM model.Moreover,it accurately predicts normal network traffic and detects anomalies resulting from DDoS attacks.The proposed PSO-LSTM architecture outperforms the classification techniques including standard Support Vector Machine(SVM)and LSTM in terms of attack detection performance along with the results of the measurement of accuracy,recall,f-measure,precision.

Apple’s Lion vs Microsoft’s Windows 7: Comparing Built-In Protection against ICMP Flood Attacks

With the increase in the number of computers connected to Internet, the number of Distributed Denial of Service (DDoS) attacks has also been increasing. A DDoS attack consumes the computing resources of a computer or a server, by degrading its computing performance or by preventing legitimate users from accessing its services. Recently, Operating Systems (OS) are increasingly deploying embedded DDoS prevention schemes to prevent computing exhaustion caused by such attacks. In this paper, we compare the effectiveness of two popular operating systems, namely the Apple’s Lion and Microsoft’s Windows 7, against DDoS attacks. We compare the computing performance of these operating systems under two ICMP based DDoS attacks. Since the role of the OS is to manage the computer or servers resources as efficiently as possible, in this paper we investigate which OS manages its computing resources more efficiently. In this paper, we evaluate and compare the built-in security of these two operating systems by using an iMac computer which is capable of running both Windows 7 and Lion. The DDoS attacks that are simulated for this paper are the ICMP Ping and Land Attack. For this experiment, we measure the exhaustion of the processors and the number of Echo Request and Echo Reply messages that were generated under varying attack loads for both the Ping and Land Attack. From our experiments, we found that both operating systems were able to survive the attacks however they reacted a bit differently under attack. The Operating System Lion was handling both the Ping and Land attack in the exactly the same way, whereas Windows 7 handled the two attacks a bit differently, resulting in different processor consumptions by two different operating systems.

Experimental Evaluation of Juniper Network's Netscreen-5GT Security Device against Layer4 Flood Attacks

Cyber attacks are continuing to hamper working of Internet services despite increased use of network secu-rity systems such as firewalls and Intrusion protection systems (IPS). Recent Distributed Denial of Service (DDoS) attacks on Dec 8th, 2010 by Wikileak supporters on Visa and Master Card websites made headlines on prime news channels all over the world. Another famous DDoS attacks on Independence Day weekend, on July 4th, 2009 were launched to debilitate the US and South Korean governments’ websites. These attacks raised questions about the capabilities of the security systems that were used in the network to counteract such attacks. Firewall and IPS security systems are commonly used today as a front line defense mechanism to defend against DDoS attacks. In many deployments, performances of these security devices are seldom evaluated for their effectiveness. Different security devices perform differently in stopping DDoS attacks. In this paper, we intend to drive the point that it is important to evaluate the capability of Firewall or IPS secu-rity devices before they are deployed to protect a network or a server against DDoS attacks. In this paper, we evaluate the effectiveness of a security device called Netscreen 5GT (or NS-5GT) from Juniper Networks under Layer-4 flood attacks at different attack loads. This security device NS-5GT comes with a feature called TCP-SYN proxy protection to protect against TCP-SYN based DDoS attacks, and UDP protection feature to protect against UDP flood attacks. By looking at these security features from the equipments data sheet, one might assume the device to protect the network against such DDoS attacks. In this paper, we con-ducted real experiments to measure the performance of this security device NS-5GT under the TCP SYN and UDP flood attacks and test the performance of these protection features. It was found that the Juniper’s NS-5GT mitigated the effect of DDoS traffic to some extent especially when the attack of lower intensity. However, the device was unable to provide any protection against Layer4 flood attacks when the load ex-ceeded 40Mbps. In order to guarantee a measured level of security, it is important for the network managers to measure the actual capabilities of a security device, using real attack traffic, before they are deployed to protect a critical information infrastructure.

面向边缘计算的TCA1C DDoS检测模型

边缘计算弥补了传统云计算数据传输开销大的不足,但边缘网络中存储和计算资源受限的特殊性限制了其部署复杂安全算法的能力,更易受到分布式拒绝服务(DDoS)攻击。针对目前边缘网络中DDoS攻击检测方法性能不高、未对卸载任务分类处理、对多属性的流量处理能力弱的问题,提出一种基于任务分类的Attention-1D-CNN DDoS检测模型TCA1C,对通信链路中的流量按不同的卸载任务进行分类,使单个任务受到攻击时不会影响整个链路中计算任务卸载的安全性,再对同一任务下的流量提取属性值并进行归一化处理。处理后的数据输入到Attention-1D-CNN,通道Attention和空间Attention学习数据特征对DDoS检测的贡献度,利用筛选函数剔除低于特征阈值的冗余信息,降低模型学习过程的复杂度,使模型快速收敛。仿真结果表明:TCA1C模型在缩短DDoS检测所用时间的情况下,检测准确率高达99.73%,检测性能优于DT、ELM、LSTM和CNN;当多个卸载任务在面临特定攻击概率时,卸载任务分类能有效降低不同任务的相互影响,使终端设备的计算任务在卸载过程中保持较高的安全性。

Enhanced Timestamp Discrepancy to Limit Impact of Replay Attacks in MANETs

Mobile Ad hoc NETworks (MANETs), characterized by the free move of mobile nodes are more vulnerable to the trivial Denial-of-Service (DoS) attacks such as replay attacks. A replay attacker performs this attack at anytime and anywhere in the network by interception and retransmission of the valid signed messages. Consequently, the MANET performance is severally degraded by the overhead produced by the redundant valid messages. In this paper, we propose an enhancement of timestamp discrepancy used to validate a signed message and consequently limiting the impact of a replay attack. Our proposed timestamp concept estimates approximately the time where the message is received and validated by the received node. This estimation is based on the existing parameters defined at the 802.11 MAC layer.