Constructing detection knowledge for DDoS intrusion tolerance

Abstract Intrusion tolerance is the ability of a system to continue providing (possibly degraded but) adequate service after a penetration. With the rapid development of network technology, distributed denial of service (DDoS) attacks have become one of the most important security issues today. In this paper, we propose a DDoS ontology to provide a common terminology for describing DDoS models consisting of a Profile model (the representation of the behaviors of the system and its users) and a Defense model (the descriptions of Detection and Filter methodologies). An Evaluation strategy based on the current status of users' behaviors is also used to evaluate the degree of intrusion tolerance of the proposed models during DDoS attacks. Based on the ontology, four knowledge classes (KCs: Profile model, Evaluation strategy, Detection methodology, and Filter methodology) and their relationships are then proposed, where each KC may contain a set of sub-KCs or knowledge represented in a natural rule format. For an arbitrary network environment, the default knowledge in the Profile KC and the Evaluation KC, the appropriate detection features in the Detection KC, and the suitable access control list policies in the Filter KC can be extracted and adopted through our proposed integrated knowledge acquisition framework. We are now implementing a NORM-based DDoS intrusion tolerance system to evaluate the proposed models.
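As an added illustration (not code from the paper or from its NORM-based system), the following Python sketch shows how the four knowledge classes described above could be wired together: a Profile KC holding baseline per-source behavior, a Detection KC whose rule is stored in an "IF feature > threshold THEN flag" shape, a Filter KC that emits access control list lines for flagged sources, and an Evaluation KC that scores the degree of tolerance as the share of legitimate traffic still served and attack traffic dropped. The traffic window, baseline values, rule parameters, and the Cisco-like ACL syntax are all constructed assumptions.

```python
# Toy rule-based DDoS knowledge classes (illustration; not the paper's system).
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    syn: bool  # True for a bare TCP SYN (connection attempt), False otherwise


def build_window():
    """Constructed one-second traffic window: three normal clients plus one SYN flooder."""
    pkts = []
    for i in range(1, 4):
        src = f"10.0.0.{i}"
        pkts += [Packet(src, syn=False)] * 20 + [Packet(src, syn=True)] * 2
    pkts += [Packet("198.51.100.7", syn=True)] * 500  # attacker (documentation-range address)
    return pkts


LEGIT_SRCS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

# Profile KC: default knowledge about normal per-source behaviour (assumed values).
PROFILE_KC = {"baseline_pps": 25.0, "baseline_syn_ratio": 0.2}

# Detection KC: rules kept in a natural "IF ... THEN ..." shape, stored as parameters.
# syn_flood: IF pps(src) > pps_factor * baseline_pps AND syn_ratio(src) > syn_ratio THEN flag src
DETECTION_KC = [
    {"name": "syn_flood", "pps_factor": 5.0, "syn_ratio": 0.8},
]


def extract_features(window, seconds=1.0):
    """Per-source detection features: packets per second and share of SYN packets."""
    counts = defaultdict(lambda: {"pkts": 0, "syn": 0})
    for p in window:
        counts[p.src]["pkts"] += 1
        counts[p.src]["syn"] += int(p.syn)
    return {
        src: {"pps": c["pkts"] / seconds, "syn_ratio": c["syn"] / c["pkts"]}
        for src, c in counts.items()
    }


def detect(features, profile=PROFILE_KC, rules=DETECTION_KC):
    """Apply each Detection KC rule to each source; return {src: rule_name} for hits."""
    flagged = {}
    for src, f in features.items():
        for rule in rules:
            if (f["pps"] > rule["pps_factor"] * profile["baseline_pps"]
                    and f["syn_ratio"] > rule["syn_ratio"]):
                flagged[src] = rule["name"]
                break
    return flagged


def build_acl(flagged):
    """Filter KC: turn flagged sources into ACL lines (assumed Cisco-like syntax)."""
    return [f"deny ip host {src} any" for src in sorted(flagged)] + ["permit ip any any"]


def apply_acl(window, acl):
    """Forward only packets whose source is not denied by the ACL."""
    denied = {line.split()[3] for line in acl if line.startswith("deny ip host ")}
    return [p for p in window if p.src not in denied]


def evaluate(window, forwarded, legit_srcs):
    """Evaluation KC: degree of tolerance as legitimate traffic still served
    and attack traffic dropped (both in [0, 1])."""
    legit_in = sum(p.src in legit_srcs for p in window)
    legit_out = sum(p.src in legit_srcs for p in forwarded)
    attack_in = len(window) - legit_in
    attack_out = len(forwarded) - legit_out
    return {
        "legit_served": legit_out / legit_in if legit_in else 1.0,
        "attack_dropped": 1.0 - attack_out / attack_in if attack_in else 1.0,
    }


def run(window=None, legit_srcs=LEGIT_SRCS):
    """Profile -> Detection -> Filter -> Evaluation over one traffic window."""
    window = build_window() if window is None else window
    flagged = detect(extract_features(window))
    acl = build_acl(flagged)
    forwarded = apply_acl(window, acl)
    return {"flagged": flagged, "acl": acl, "score": evaluate(window, forwarded, legit_srcs)}


if __name__ == "__main__":
    result = run()
    print(result["flagged"])          # {'198.51.100.7': 'syn_flood'}
    print("\n".join(result["acl"]))
    print(result["score"])            # {'legit_served': 1.0, 'attack_dropped': 1.0}
```

The point of keeping each KC as plain data is the one the abstract makes: swapping the network environment means replacing the Profile baseline, the Detection thresholds, or the Filter template, not the pipeline. A rule that only looks at packet rate would also flag a legitimate client that bursts, which is why the sample rule conjoins rate with SYN ratio drawn from the Profile KC.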
