Randomized Security Patrolling for Link Flooding Attack Detection

With the advancement of large-scale coordinated attacks, the adversary is shifting away from traditional distributed denial of service (DDoS) attacks against servers to sophisticated DDoS attacks against Internet infrastructure. Link flooding attacks (LFAs) are one such powerful class of attacks, aimed at Internet links rather than end hosts. Using network measurement techniques, the defender can detect which link is under attack. However, given the large number of Internet links, the defender can only monitor a subset of the links simultaneously, whereas any link might be attacked. Therefore, it remains challenging to deploy detection methods in practice. This paper addresses this challenge from a game-theoretic perspective and proposes a randomized approach, analogous to security patrolling, to optimize LFA detection strategies. Specifically, we formulate the LFA detection problem as a Stackelberg security game and design randomized detection strategies that take the adversary's behavior into account, where best-response and quantal-response models are used to characterize that behavior. We employ a series of techniques to solve the nonlinear, nonconvex, NP-hard optimization problems involved in finding the equilibrium. The experimental results demonstrate the necessity of handling LFAs from a game-theoretic perspective and the effectiveness of our solutions. We believe our study is a significant step forward in formally understanding LFA detection strategies.
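A toy instance of the detection game sketched above, as an added example that is not the paper's model or code: a defender who can monitor K of n links chooses per-link coverage probabilities, the attacker is modelled either as best-responding or as quantal-responding with rationality parameter lam, and a plain coordinate search over coverage vectors stands in for the paper's solution techniques. The link payoffs, the caught-cost and the search procedure are all constructed assumptions.

```python
import math

# Constructed toy instance (not from the paper): five links, each with the defender's
# loss if it is flooded while unmonitored and the attacker's gain in the same case.
LINKS = ["link-A", "link-B", "link-C", "link-D", "link-E"]
DAMAGE = [10.0, 6.0, 8.0, 3.0, 5.0]        # defender loss when link i is hit unmonitored
ATTACK_GAIN = [10.0, 6.0, 8.0, 3.0, 5.0]   # attacker payoff when the attack goes undetected
CAUGHT_COST = 4.0                          # attacker penalty when the attacked link is monitored
K = 2                                      # links the defender can monitor simultaneously

def attacker_utility(c, i):
    """Expected attacker payoff for attacking link i under coverage vector c (c[i] = P(monitored))."""
    return (1 - c[i]) * ATTACK_GAIN[i] - c[i] * CAUGHT_COST

def defender_utility(c, i):
    """Defender payoff if link i is attacked: only an unmonitored attack causes damage."""
    return -(1 - c[i]) * DAMAGE[i]

def best_response(c):
    """Perfectly rational attacker: attack the link with the highest expected payoff."""
    return max(range(len(c)), key=lambda i: attacker_utility(c, i))

def quantal_response(c, lam=1.0):
    """Boundedly rational attacker (quantal response): P(attack i) proportional to exp(lam * utility)."""
    w = [math.exp(lam * attacker_utility(c, i)) for i in range(len(c))]
    z = sum(w)
    return [x / z for x in w]

def expected_defender_utility(c, lam=1.0):
    """Defender's expected payoff against a quantal-responding attacker."""
    q = quantal_response(c, lam)
    return sum(q[i] * defender_utility(c, i) for i in range(len(c)))

def optimize_coverage(lam=1.0, step=0.01, iters=2000):
    """Deterministic coordinate search (an assumed stand-in for the paper's solvers):
    start from uniform coverage K/n and repeatedly move `step` of coverage between two
    links while that improves expected utility, keeping sum(c) = K and 0 <= c_i <= 1."""
    n = len(LINKS)
    c = [K / n] * n
    best = expected_defender_utility(c, lam)
    for _ in range(iters):
        improved = False
        for src in range(n):
            for dst in range(n):
                if src == dst or c[src] < step or c[dst] + step > 1:
                    continue
                trial = c[:]
                trial[src] -= step
                trial[dst] += step
                u = expected_defender_utility(trial, lam)
                if u > best + 1e-12:
                    c, best, improved = trial, u, True
        if not improved:
            break
    return c, best
```

The attacker's rationality parameter lam interpolates between uniform random attacks (lam = 0) and the best-response attacker (lam large), which is why the two response models lead to different optimal coverage vectors.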
