Packet Score: Statistics-based Overload Control against Distributed Denial-of-service Attacks: Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah, H. Jonathan Chao - PowerPoint PPT Presentation

Slides: 32
Provided by: Lax9
Learn more at: http://web.cs.wpi.edu
Transcript and Presenter's Notes


1
Packet Score: Statistics-based Overload Control
against Distributed Denial-of-service Attacks
Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah,
H. Jonathan Chao
  • Presenter: Yatin Manjrekar

2
Agenda
  • Introduction
  • Overview of Packetscore approach
  • Packetscore Methodologies
  • Performance Evaluation
  • Conclusion

3
Introduction
  • Denial-of-service attack: overload the server to
    bring it down
  • Distributed Denial-of-service attack
  • End-point attacks
  • Infrastructure attacks
  • Limitations of manual detection

4
Introduction (cont.)
  • D-WARD approach
  • Statistical traffic profiling at the edge of the
    network
  • Aims at stopping the attack near its source
  • Viability hinges on the cooperation of the ingress
    network administrator
  • Deployment issue (backbone network?)
  • Available commercial products do not fully
    automate packet differentiation and filter
    enforcement

5
Overview of Packetscore approach
  • Three phases (3D-R)
  • Detect the onset of an attack
  • Differentiate between legitimate and attack
    packets using CLP
  • Discard packets selectively
  • What is Packetscore?
  • A score-based filtering approach

6
(No Transcript)
7
Packetscore methodologies
  • Packet differentiation via fine-grained traffic
    profile comparison
  • Assumption: some traffic characteristics are
    stable during normal operation
  • An increase in the frequency of a packet attribute
    value indicates attack packets
  • Can one guess the distribution of an attribute?

8
Attribute value distribution
9
Attribute value distribution (cont.)
10
Attribute value distribution (cont.)
11
Conditional Legitimate Probability (CLP)
  • The likelihood of a suspicious packet being
    legitimate
  • Each packet carries a set of discrete-valued
    attributes
  • Joint distribution for strongly correlated
    attributes
  • Marginal distribution for the other attributes

12
Conditional Legitimate Probability (CLP)
13
CLP (cont.)
14
Variation of nominal profiles
  • The nominal traffic profile is a function of time
  • The traffic profile changes with day of week and
    time of day
  • These profile changes could be handled using
    periodic recalibration
  • The 95th percentile is used to save storage

15
Managing nominal traffic profiles
  • Iceberg-style histograms
  • The traffic profile of each target is stored in
    the form of normalized histograms
  • Iceberg histograms include only the most frequent
    entries
  • Missing entries are assumed to have the relative
    upper-bound frequency
  • The per-target profile is kept to a manageable
    size, saving on storage requirements

16
Real-time profiling
  • The packet attribute distributions are updated
    with each packet arrival
  • Updating is decoupled from computing the CLP and
    done in parallel at a different time scale
  • The CLP is computed from a recent snapshot of the
    measured histograms
  • Generate a set of scorebooks, each mapping a
    specific combination of attribute values to a score

17
Real-time traffic profiling
18
Selective packet discarding
  • On arrival of a suspicious packet:
  • CLP is the differentiating metric
  • The aggregate arrival rate is adjusted, which in
    turn changes the load-shedding algorithm
  • Packet attributes are used to update the traffic
    profile
  • The CLP-based score is computed using the frozen
    (snapshot) scorebooks
  • Discard the packet if its CLP is less than the
    threshold
  • Immunity rules could be used for packets with
    minimum throughput requirements
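An added example (not code from the paper or these slides) that ties together slides 11, 15, 16 and 18: iceberg-style attribute histograms whose missing entries fall back to an upper-bound frequency, a frozen scorebook of log(P_nominal / P_measured) ratios plus the arrival-rate term, log-CLP scoring by table lookup, and a load-driven discard threshold. The attribute names, the keep=3 iceberg cutoff, the threshold fraction and all traffic are constructed for illustration; equal-length measurement intervals are assumed so that packet counts stand in for arrival rates.

```python
import math
from collections import Counter
# Attribute groups scored independently: ttl and pkt_len as marginals,
# (proto, dport) as one joint distribution because they are strongly correlated.
ATTRS = ("ttl", "pkt_len", ("proto", "dport"))

def attr_value(pkt, attr):
    return tuple(pkt[a] for a in attr) if isinstance(attr, tuple) else pkt[attr]

def iceberg_histogram(packets, attr, keep=3):
    """Normalized histogram keeping only the `keep` most frequent values.
    Returns (freqs, bound): a value that was not retained occurred at most as
    often as the least frequent retained entry, so `bound` stands in for it."""
    counts = Counter(attr_value(p, attr) for p in packets)
    total, top = sum(counts.values()), counts.most_common(keep)
    return {v: c / total for v, c in top}, top[-1][1] / total

def build_scorebook(nominal, measured):
    """Frozen snapshot: per attribute value log(P_nominal / P_measured), plus the
    rate term log(rho_n / rho_m) (packet counts over equal-length intervals)."""
    book = {}
    for attr in ATTRS:
        (fn, bn), (fm, bm) = iceberg_histogram(nominal, attr), iceberg_histogram(measured, attr)
        table = {v: math.log(fn.get(v, bn) / fm.get(v, bm)) for v in set(fn) | set(fm)}
        table[None] = math.log(bn / bm)  # value retained in neither histogram
        book[attr] = table
    return book, math.log(len(nominal) / len(measured))

def score(pkt, scorebook):
    """log CLP. Independence across attribute groups makes it an estimate, so it
    can exceed 0 (CLP > 1) for clearly legitimate packets."""
    book, rate_term = scorebook
    return rate_term + sum(book[a].get(attr_value(pkt, a), book[a][None]) for a in ATTRS)

def threshold_for_load(scores, keep_fraction):
    """Load shedding: choose the score threshold so that about keep_fraction of
    the observed packets pass; the threshold rises as the overload grows."""
    ranked = sorted(scores)
    return ranked[int(len(ranked) * (1 - keep_fraction))]

def should_discard(pkt, scorebook, log_threshold):
    return score(pkt, scorebook) < log_threshold

def expand(spec):  # constructed traffic: ((ttl, pkt_len, proto, dport), count) pairs
    return [dict(ttl=t, pkt_len=l, proto=pr, dport=d) for (t, l, pr, d), n in spec for _ in range(n)]

NOMINAL = expand([((64, 1500, "tcp", 80), 60), ((128, 60, "tcp", 443), 30), ((64, 1500, "udp", 53), 10)])
ATTACK = expand([((255, 40, "udp", 1434), 300)])  # constructed single-signature flood
MEASURED = NOMINAL + ATTACK  # traffic observed during the attack interval
```

With the scorebook built from NOMINAL against MEASURED and a threshold chosen to keep 25% of the observed load, the 300 flood packets score far below the threshold and all 100 legitimate packets pass, including the low-volume udp/53 packets whose joint entry was dropped from the measured iceberg histogram.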

19
(No Transcript)
20
Performance Evaluation
21
Performance criteria
  • Difference between the score distributions R_A
    and R_L
  • The score distributions have long, thin tails
    with outliers
  • Min_L (Max_A) is taken as the 1st (99th)
    percentile

22
(No Transcript)
23
Different evaluated attack types
  • Generic Attack
  • TCP-SYN flood attack
  • SQL Slammer Worm attack
  • Nominal attack
  • Mixed attack
  • Changing attack

24
(No Transcript)
25
Effect of increasing attack intensity
26
Nominal profile sensitivity
27
Different options of scoring strategies
28
Scoring strategy
29
Setting thresholds
30
Conclusion
  • Collaboration of 3D-R and DCS defends against DDoS
    attacks
  • The proposed scheme leverages hardware
    implementation of data stream processing
    techniques
  • We studied performance and design trade-offs of
    the proposed packet scoring scheme
  • It can tackle never-before-seen DDoS attacks (weak
    claim? too many parameters?)

31
  • Q & A
  • Comments?