An Adversary-Centric Behavior Modeling of DDoS Attacks

Distributed Denial of Service (DDoS) attacks are among the most persistent threats on the Internet today. Their continued evolution calls for in-depth analysis, since a better understanding of attacker behavior can reveal the patterns and strategies attackers use. Prior work on attacker behavior analysis falls short in two respects: it assumes that adversaries are static, and it makes simplifying assumptions about their behavior that real attack data often do not support. In this paper, we take a data-driven approach to designing and validating three DDoS attack models from temporal (e.g., attack magnitude), spatial (e.g., attacker origin), and spatiotemporal (e.g., attack inter-launch time) perspectives. We design these models based on an analysis of traces comprising more than 50,000 verified DDoS attacks from industrial mitigation operations. Each model is validated by testing how accurately it predicts future DDoS attacks. Comparisons against simple intuitive models further show that our models more accurately capture the essential features of DDoS attacks.
