Conference Paper

TrustGuard: A flow-level reputation-based DDoS defense system

Sch. of Electr. Eng. & Comput. Sci., Washington State Univ., Pullman, WA, USA
DOI: 10.1109/CCNC.2011.5766474 Conference: Consumer Communications and Networking Conference (CCNC), 2011 IEEE
Source: IEEE Xplore


Distributed Denial of Service (DDoS) attacks pose one of the most serious security threats to the Internet. We examine the drawbacks of existing defense schemes. To combat these deficiencies, we propose a credit-based defense system: TrustGuard. Essentially, flows accumulate credit based on the diversity of their packet-size distribution. The more diverse the flow, the more credit it has. Since DDoS attacks demonstrate low diversity they accumulate less credit and are likely to be dropped by the system. Naturally, the performance of TrustGuard greatly depends on the choice of credit accumulation and flow selection methods. We derive our solution by identifying the essential characteristics of DDoS attacks. Our analysis accounts for both micro and macro behaviors of DDoS attacks. The primary goal of this work is to not only detect the occurrence of a DDoS attack, but to also identify the attackers and victims involved. Experimental results demonstrate that TrustGuard performs admirably in both cases.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In recent years, various intrusion detection and prevention systems have been proposed to detect DDoS attacks and mitigate the caused damage. However, many existing IDS systems still keep per-flow state to detect anomaly, and thus do not scale with link speeds in multigigabit networks. In this paper, we present a two-level approach for scalable and accurate DDoS attack detection by exploiting the asymmetry in the attack traffic. In the coarse level, we use a modified count-min sketch (MCS) for fast detection, and in the fine level, we propose a bidirectional count sketch (BCS) to achieve better accuracy. At both detection levels, sketch structures are utilized to ensure the scalability of our scheme. The main advantage of our approach is that it can track the victims of attacks without recording every IP address found in the traffic. Such feature is significant for the detection in the highspeed environment. We also propose a SRAM-based parallel architecture to achieve high-speed process. Furthermore, we analyze accuracy estimation issues to provide hints for practical deployment with constraint memory. We finally demonstrate how to extend our original scheme to a collaborative detection framework. Experimental results using the real Internet traffic show that our approach is able to quickly detect anomaly events and track those victims with a high level of accuracy while it can save over 90% key storage compared with previous sketch-based approaches.
    Preview · Article · Dec 2011 · Journal of Communications
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Botnets are considered one of the most dangerous and serious security threats facing the networks and the Internet. Comparing with the other security threats, botnet members have the ability to be directed and controlled via C&C messages from the botmaster over common protocols such as IRC and HTTP, or even over covert and unknown applications. As for IRC botnets, general security instances like firewalls and IDSes do not provide by themselves a viable solution to prevent them completely. These devices could not differentiate well between the legitimate and malicious traffic of the IRC protocol. So, this paper is proposing an IDS-based and multi-phase IRC botnet and botnet behavior detection model based on C&C responses messages and malicious behaviors of the IRC bots inside the network environment. The proposed model has been evaluated on five network traffic traces from two different network environments (Virtual network and DARPA 2000 Windows NT Attack Data Set). The results show that the proposed model could detect all the infected IRC botnet member(s), state their current status of attack, filter their malicious IRC messages, pass the other normal IRC messages and detect the botnet behavior regardless of the botnet communication protocol with very low false positive rate. The proposed model has been compared with some of the existing and well-known approaches, including BotHunter, BotSniffer and Rishi regarding botnet characteristics taken in each approach. The comparison showed that the proposed model has made a progress on the comparative models by not to rely on a certain time window or specific bot signatures.
    Full-text · Article · Jan 2013
  • Source

    Full-text · Article · Jan 2015 · IEEE Communications Surveys & Tutorials
Show more