Conference Paper

Robust Self-Protection Against Application-Layer (D)DoS Attacks in SDN Environment


... In case of vulnerable protocols, Application Program Interfaces (APIs), or those without proper encryption, sensitive information may be exposed to attackers, revealing the information exchanged between the controller and the target application [74]. The SDN application layer is also vulnerable to DoS attacks and their distributed version [75]. ...
... Therefore, detection and mitigation of such attacks represent one of the core features for security. Machine learning can be exploited for this purpose [75]. However, as previously discussed, machine learning is vulnerable to adversarial attacks. ...
Article
The Fifth Generation of Communication Networks (5G) envisions a broader range of services compared to previous generations, supporting an increased number of use cases and applications. The broader application domain leads to an increase in consumer use and, in turn, increased hacker activity. Due to this chain of events, strong and efficient security measures are required to create a secure and trusted environment for users. In this paper, we provide an objective overview of 5G security issues and the existing and newly proposed technologies designed to secure the 5G environment. We categorize security technologies using Open Systems Interconnection (OSI) layers and, for each layer, we discuss vulnerabilities, threats, security solutions, challenges, gaps and open research issues. While we discuss all seven OSI layers, the most interesting findings are in layer one, the physical layer. In fact, compared to other layers, the physical layer between the base stations and users' devices presents increased opportunities for attacks such as eavesdropping and data fabrication. However, no single OSI layer can stand on its own to provide proper security. All layers in 5G must work together, providing their own unique technology in an effort to ensure security and integrity for 5G data.
... The ISO and IEC (International Electrotechnical Commission) joint technical committee on artificial intelligence (ISO/IEC JTC 1/SC 42) has very recently published a technical report providing an overview of trustworthiness in AI and is developing standards on risk management for AI and assessment of the robustness of neural networks. ETSI initiated a new Industry Specification Group on Securing Artificial Intelligence (ISG SAI). The group aims to develop standards to safeguard and improve the security of AI in the ICT field. ...
... To investigate the time overhead entailed by the blockchain, we implemented a permissioned blockchain using Hyperledger Fabric. We used a dataset containing 800000 samples [16], where each sample represents either a legitimate or a DDoS network flow defined by a feature vector containing 79 features. The dataset is used to train a deep learning model for detecting application-layer DDoS attacks. ...
Article
5G and beyond ecosystems will be characterized by a growing set of stakeholders and an increasing number of interconnected devices and services, not necessarily under the administration of the same entity. Establishing trust in such an open and diverse ecosystem is a cornerstone for a global adoption of the technology. In this vein, it is important to tackle security and privacy risks stemming from this rich ecosystem. In this article, we shed light on the trust concept in 5G and beyond networks and its dimensions, while pointing out potential emerging trust enablers and research directions. Furthermore, we propose a blockchain-based data integrity framework to foster trust in data used by a machine learning pipeline.
... Benzaïd et al. [79] proposed an application-layer DDoS self-protection framework that is robust towards adversarial examples. The framework leverages DL and SDN enablers to empower fully autonomous mitigation and detection for the application-layer DDoS attacks. ...
Preprint
Due to their massive success in various domains, deep learning techniques are increasingly used to design network intrusion detection solutions that detect and mitigate unknown and known attacks with high detection accuracy and minimal feature engineering. However, it has been found that deep learning models are vulnerable to data instances that can mislead the model into making incorrect classification decisions (so-called adversarial examples). Such vulnerability allows attackers to target NIDSs by adding small, crafty perturbations to the malicious traffic to evade detection and disrupt the system's critical functionalities. The problem of deep adversarial learning has been extensively studied in the computer vision domain; however, it is still an area of open research in network security applications. Therefore, this survey explores the research that employs different aspects of adversarial machine learning in the area of network intrusion detection in order to provide directions for potential solutions. First, the surveyed studies are categorized based on their contribution to generating adversarial examples, evaluating the robustness of ML-based NIDSs towards adversarial examples, and defending these models against such attacks. Second, we highlight the characteristics identified in the surveyed research. Furthermore, we discuss the applicability of the existing generic adversarial attacks for the NIDS domain, the feasibility of launching the proposed attacks in real-world scenarios, and the limitations of the existing mitigation solutions.
... The devised framework is implemented and deployed on an experimental testbed [56]. The performance results show the effectiveness of the proposed framework in protecting against application-layer DDoS attacks even in the presence of adversarial attacks. ...
Technical Report
This white paper on AI and ML as enablers of beyond 5G (B5G) networks is based on contributions from 5G PPP projects that research, implement and validate 5G and B5G network systems. The white paper introduces the main relevant mechanisms in Artificial Intelligence (AI) and Machine Learning (ML) currently investigated and exploited for 5G and B5G networks. A family of neural networks is presented which are, generally speaking, non-linear statistical data modeling and decision-making tools. They are typically used to model complex relationships between input and output parameters of a system or to find patterns in data. Feed-forward neural networks, deep neural networks, recurrent neural networks, and convolutional neural networks belong to this family. Reinforcement learning is concerned with how intelligent agents must take actions in order to maximize a collective reward, e.g., to improve a property of the system. Deep reinforcement learning combines deep neural networks with reinforcement learning and has the benefit that it can operate on non-structured data. Hybrid solutions are presented such as combined analytical and machine learning modeling as well as expert knowledge aided machine learning. Finally, other specific methods are presented, such as generative adversarial networks and unsupervised learning and clustering.
Article
Along with the high demand for network connectivity from both end-users and service providers, networks have become highly complex, and so has their lifecycle management. Recent advances in automation, data analysis, artificial intelligence, distributed ledger technologies (e.g., Blockchain), and data plane programming techniques have sparked the hope of the research community in exploring and leveraging these techniques towards realizing the much-needed vision of trustworthy self-driving networks (SelfDNs). In this vein, this article proposes a novel framework to empower fully distributed trustworthy SelfDNs across multiple domains. The framework vision is achieved by exploiting (i) the capabilities of programmable data planes to enable real-time in-network telemetry collection; (ii) the potential of P4, as an important example of data plane programming languages, and AI to (re)write the source code of network components in a fashion that the network becomes capable of automatically translating a policy intent into executable actions that can be enforced on the network components; and (iii) the potential of blockchain and federated learning to enable decentralized, secure and trustable knowledge sharing between domains. A relevant use case is introduced and discussed to demonstrate the feasibility of the intended vision. Encouraging results are obtained and discussed.
Article
Video surveillance of public spaces is a feature of modern society that has expanded quite quickly and in a pervasive way during the last decades, becoming a fundamental need for both individual and collective security. But, as the sophistication of this type of system increases, the concern about threats to individuals' right to privacy rises as well. Indeed, video surveillance systems could breach personal privacy because location is clearly one of the most sensitive pieces of personal information. Hence, preserving location privacy while achieving utility from it is a challenging problem demanding the investigation of researchers. This paper tackles this non-trivial issue by designing a novel privacy-preserving architecture able to anonymously monitor people's access at the entrance of critical areas in an indoor space. At the same time, our approach is able to provide full accountability in case of an accident or a legal requirement. Interestingly, our protocol is robust to server-side attacks and is efficient enough to be applied indoors through a set of IoT (Internet of Things) smart camera devices.
Article
The foreseen complexity in operating and managing 5G and beyond networks has propelled the trend toward closed-loop automation of network and service management operations. To this end, the ETSI Zero-touch network and Service Management (ZSM) framework is envisaged as a next-generation management system that aims to have all operational processes and tasks executed automatically, ideally with 100 percent automation. Artificial Intelligence (AI) is envisioned as a key enabler of self-managing capabilities, resulting in lower operational costs, accelerated time-to-value and reduced risk of human error. Nevertheless, the growing enthusiasm for leveraging AI in a ZSM system should not overlook the potential limitations and risks of using AI techniques. The current paper aims to introduce the ZSM concept and point out the AI-based limitations and risks that need to be addressed in order to make ZSM a reality.
Article
The ETSI's Zero touch network and Service Management (ZSM) framework is a prominent initiative to tame the envisioned complexity in operating and managing 5G and beyond networks. To this end, the ZSM framework promotes the shift toward full Automation of Network and Service Management and Operation (ANSMO) by leveraging the flexibility of SDN/NFV technologies along with Artificial Intelligence, combined with the portability and reusability of model-driven, open interfaces. Besides its benefits, each leveraged enabler will bring its own security threats, which should be carefully tackled to make the ANSMO vision a reality. This paper introduces the ZSM's potential attack surface and recommends possible mitigation measures along with some research directions to safeguard ZSM system security.
Conference Paper
Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publicly available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and k-NN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.
Article
Accounting for the exponential increase of security threats, the development of new defense strategies for pervasive environments is acquiring an ever-growing importance. The expected avalanche of heterogeneous IoT devices which will populate our industrial factories and houses will increase the complexity of managing security requirements in a comprehensive way. To this aim, cloud-based security services are gaining notable impetus to provide security mechanisms according to the Security-as-a-Service (SECaaS) model. However, the deployment of security applications in remote cloud data-centers can introduce several drawbacks in terms of traffic overhead and latency increase. To cope with this, edge computing can provide remarkable advantages by avoiding long routing detours. On the other hand, the reduced capabilities of edge nodes introduce potential constraints in the overall management. This paper focuses on the provisioning of virtualized security services in resource-constrained edge nodes by leveraging lightweight virtualization technologies. Our analysis aims at shedding light on the feasibility of container-based security solutions, thus providing useful guidelines towards the orchestration of security at the edge. Our experiments show that the overhead introduced by containerization is very light.
Chapter
Societal dependence on Information and Communication Technology (ICT) over the past two decades has brought with it an increased vulnerability to a large variety of cyber-attacks. One such attack is a Distributed Denial-of-Service (DDoS) attack, which harnesses the power of a large number of compromised and geographically distributed computers and other networked machines to attack information-providing services, often resulting in significant downtime and thereby causing a denial-of-service to legitimate clients. The size, frequency, and sophistication of such attacks have risen exponentially over the past decade. In order to develop a better understanding of these attacks and defense systems against this ever-growing threat, it is essential to understand their modus operandi, latest trends and other most widely-used tactics. Consequently, the study of DDoS attacks and techniques to accurately and reliably detect and mitigate their impact is an important area of research. This chapter largely focuses on the current landscape of DDoS attack detection and defense mechanisms, provides detailed information about the latest modus operandi of various network and application layer DDoS attacks, and presents an extended taxonomy to accommodate the novel attack types. In addition, it provides directions for future research in DDoS attack detection and mitigation.
Article
The rapid uptake of mobile devices and the rising popularity of mobile applications and services pose unprecedented demands on mobile and wireless networking infrastructure. Upcoming 5G systems are evolving to support exploding mobile traffic volumes, agile management of network resources to maximize user experience, and extraction of fine-grained real-time analytics. Fulfilling these tasks is challenging, as mobile environments are increasingly complex, heterogeneous, and evolving. One potential solution is to resort to advanced machine learning techniques to help manage the rise in data volumes and algorithm-driven applications. The recent success of deep learning underpins new and powerful tools that tackle problems in this space. In this paper we bridge the gap between deep learning and mobile and wireless networking research by presenting a comprehensive survey of the crossovers between the two areas. We first briefly introduce essential background and state-of-the-art in deep learning techniques with potential applications to networking. We then discuss several techniques and platforms that facilitate the efficient deployment of deep learning onto mobile systems. Subsequently, we provide an encyclopedic review of mobile and wireless networking research based on deep learning, which we categorize by different domains. Drawing from our experience, we discuss how to tailor deep learning to mobile environments. We complete this survey by pinpointing current challenges and open future directions for research.
Article
Software Defined Networking (SDN) technology provides a prospect to effectively detect and monitor network security problems thanks to the emergence of programmable features. Recently, Machine Learning (ML) approaches have been implemented in SDN-based Network Intrusion Detection Systems (NIDS) to protect computer networks and to overcome network security issues. A stream of advanced machine learning approaches, deep learning (DL) technology, is starting to emerge in the SDN context. In this survey, we reviewed various recent works on machine learning (ML) methods that leverage SDN to implement NIDS. More specifically, we evaluated the techniques of deep learning in developing SDN-based NIDS. In the meantime, in this survey, we covered tools that can be used to develop NIDS models in the SDN environment. This survey is concluded with a discussion of ongoing challenges in implementing NIDS using ML/DL and future work.
Article
This paper proposes adversarial attacks for Reinforcement Learning (RL) and then improves the robustness of Deep Reinforcement Learning (DRL) algorithms to parameter uncertainties with the help of these attacks. We show that even a naively engineered attack successfully degrades the performance of the DRL algorithm. We further improve the attack using gradient information of an engineered loss function, which leads to further degradation in performance. These attacks are then leveraged during training to improve the robustness of RL within a robust control framework. We show that this adversarial training of DRL algorithms like Deep Double Q-learning and Deep Deterministic Policy Gradients leads to a significant increase in robustness to parameter variations for RL benchmarks such as the Cart-pole, Mountain Car, Hopper and Half Cheetah environments.
Article
Several machine learning models, including neural networks, consistently misclassify adversarial examples---inputs formed by applying small but intentionally worst-case perturbations to examples from the dataset, such that the perturbed input results in the model outputting an incorrect answer with high confidence. Early attempts at explaining this phenomenon focused on nonlinearity and overfitting. We argue instead that the primary cause of neural networks' vulnerability to adversarial perturbation is their linear nature. This explanation is supported by new quantitative results while giving the first explanation of the most intriguing fact about them: their generalization across architectures and training sets. Moreover, this view yields a simple and fast method of generating adversarial examples. Using this approach to provide examples for adversarial training, we reduce the test set error of a maxout network on the MNIST dataset.
Conference Paper
Distributed denial-of-service (DDoS) attacks became one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, its detection is a very hard task because of the similarities between normal traffic and useless packets, sent by compromised hosts to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches. This is possible due to the use of the NOX platform which provides a programmatic interface to facilitate the handling of switch information. Other major contributions include the high rate of detection and very low rate of false alarms obtained by flow analysis using Self Organizing Maps.
Article
Distributed Denial of Service (DDoS) attacks are some of the most devastating attacks against web applications. A large number of these attacks aim to exhaust the network bandwidth of the server, and are called network layer DDoS attacks. They are volumetric attacks and rely on a large volume of network layer packets to throttle the bandwidth. However, as time passed, network infrastructure became more robust and defenses against network layer attacks also became more advanced. Recently, DDoS attacks have started targeting the application layer. Unlike network layer attacks, these attacks can be carried out with a relatively low attack volume. They also utilize legitimate application layer requests, which makes it difficult for existing defense mechanisms to detect them. These attacks target a wide variety of resources at the application layer and can bring a server down much faster, and with much more stealth, than network layer DDoS attacks. Over the past decade, research on application layer DDoS attacks has focused on a few classes of these attacks. This work attempts to explore the entire spectrum of application layer DDoS attacks using critical features that aid in understanding how these attacks can be executed. Defense mechanisms against the different classes of attacks are also discussed, with special emphasis on the features that aid in the detection of different classes of attacks. Such a discussion is expected to help researchers understand why a particular group of features is useful in detecting a particular class of attacks.
Article
The explosive rise of Internet of Things (IoT) systems has notably increased the potential attack surfaces for cybercriminals. Accounting for the features and constraints of IoT devices, traditional security countermeasures can be inefficient in dynamic IoT environments. In this vein, the advantages introduced by Software Defined Networking (SDN) and Network Function Virtualization (NFV) have the potential to reshape the landscape of cybersecurity for IoT systems. To this aim, we provide a comprehensive analysis of security features introduced by NFV and SDN, describing the manifold strategies able to monitor, protect, and react to IoT security threats. We also present lessons learned in the adoption of SDN/NFV-based protection approaches in IoT environments, comparing them with conventional security countermeasures. Finally, we deeply discuss the open challenges related to emerging SDN- and NFV-based security mechanisms, aiming to provide promising directives to conduct future research in this fervent area.
Conference Paper
Software Defined Networking (SDN) has emerged as a key enabler for future agile Internet architecture. Nevertheless, the flexibility provided by the SDN architecture manifests several new design issues in terms of network security. These issues must be addressed in a unified way to strengthen overall network security for future SDN deployments. Consequently, in this paper, we propose a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) enabled intrusion detection system for SDNs. The proposed approach is tested using the NSL-KDD dataset, and we achieve an accuracy of 89% with only six raw features. Our experiment results also show that the proposed GRU-RNN does not deteriorate the network performance. Through extensive experiments, we conclude that the proposed approach exhibits a strong potential for intrusion detection in SDN environments.
Conference Paper
With exponential growth in the size of computer networks and developed applications, the significant increase in the potential damage that can be caused by launching attacks is becoming obvious. Meanwhile, Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are among the most important defense tools against sophisticated and ever-growing network attacks. Due to the lack of adequate datasets, anomaly-based approaches in intrusion detection systems suffer in terms of accurate deployment, analysis and evaluation. There exist a number of such datasets, such as DARPA98, KDD99, ISC2012, and ADFA13, that have been used by researchers to evaluate the performance of their proposed intrusion detection and intrusion prevention approaches. Based on our study of eleven available datasets since 1998, many such datasets are out of date and unreliable to use. Some of these datasets suffer from a lack of traffic diversity and volume, some of them do not cover the variety of attacks, while others anonymize packet information and payload, which cannot reflect the current trends, or they lack a feature set and metadata. This paper produces a reliable dataset that contains benign and seven common attack network flows, which meets real-world criteria and is publicly available. Consequently, the paper evaluates the performance of a comprehensive set of network traffic features and machine learning algorithms to indicate the best set of features for detecting certain attack categories.
Article
A Slow HTTP Distributed Denial of Service (DDoS) attack causes a web server to be unavailable, but it is difficult to detect in a network because its traffic patterns are similar to those of legitimate clients. In this paper, we propose a network-based Slow HTTP DDoS attack defense method which is assisted by a Software-Defined Network (SDN) that can detect and mitigate Slow HTTP DDoS attacks in the network. Simulation results show that the proposed Slow HTTP DDoS attack defense method successfully protects web servers against Slow HTTP DDoS attacks.
Article
Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Article
The self-organizing map, an architecture suggested for artificial neural networks, is explained by presenting simulation experiments and practical applications. The self-organizing map has the property of effectively creating spatially organized internal representations of various features of input signals and their abstractions. One result of this is that the self-organization process can discover semantic relationships in sentences. Brain maps, semantic maps, and early work on competitive learning are reviewed. The self-organizing map algorithm (an algorithm which orders responses spatially) is reviewed, focusing on best matching cell selection and adaptation of the weight vectors. Suggestions for applying the self-organizing map algorithm, demonstrations of the ordering process, and an example of hierarchical clustering of data are presented. Fine tuning the map by learning vector quantization is addressed. The use of self-organizing maps in practical speech recognition and a simulation experiment on semantic mapping are discussed.
Conference Paper
Machine learning systems offer unparalleled flexibility in dealing with evolving input in a variety of applications, such as intrusion detection systems and spam e-mail filtering. However, machine learning algorithms themselves can be a target of attack by a malicious adversary. This paper provides a framework for answering the question, "Can machine learning be secure?" Novel contributions of this paper include a taxonomy of different types of attacks on machine learning techniques and systems, a variety of defenses against those attacks, a discussion of ideas that are important to security for machine learning, an analytical model giving a lower bound on the attacker's work function, and a list of open problems.