of-service attack Detections
Author
Abstract
Network-based Intrusion Detection Systems (NIDSs) use application-level features such as port numbers to detect attacks arriving from the network. Host-based Intrusion Detection Systems (HIDSs) use system calls and other operating-system information to detect intrusions against a host. However, the relationship between hardware architecture events and Denial-of-Service (DoS) attacks has not been well studied. As intrusions become increasingly sophisticated, some attacks are able to bypass both the application-level and the operating-system-level feature monitors, so a more effective solution is required to enhance existing HIDSs. In this article, the authors identify three hardware architecture features, Instruction Count, Cache Miss and Bus Traffic, and integrate them into a HIDS framework based on a modern statistical Gradient Boosting Trees model. By integrating application-, operating-system- and architecture-level features, the proposed HIDS demonstrates a significant improvement in detection rate against sophisticated DoS intrusions.

DOI: 10.4018/jisp.2010010102. International Journal of Information Security and Privacy, 4(1), 18-31, January-March 2010. Copyright © 2010, IGI Global.

… resulting from DoS attacks can lead to losses of millions of dollars. Generally, DoS attacks are either flooding-based or software-exploit-based. In a flooding-based DoS attack, a malicious user sends a tremendously large number of packets aimed at overwhelming a victim host. For example, in a SYN-flooding attack, a large number of TCP SYN packets are sent towards a victim machine, saturating its resources. A surge of TCP connections within a short time can be observed, which is modeled by a tuple of application features.
In exploit-based DoS attacks, specially crafted packets are sent to the victim system, targeting specific software vulnerabilities in the operating system, a service or an application. Successful exploitation either overwhelms or crashes the target system. The existing remedy for exploit-based attacks is to patch and update software frequently. Current research on DoS intrusion detection relies mainly on Network-based Intrusion Detection Systems (NIDSs) (Chen et al., 2005; Handley et al., 2001; Hussain et al., 2003; Jin et al., 2003; Chari et al., 2003; Kuzmanovic et al., 2003; Wang et al., 2003). NIDSs monitor features extracted from network packet headers at the application layer, such as packet rate and traffic volume. Ramp-up behaviors and frequency-domain characteristics have also been studied to improve the accuracy and performance of IDSs (Chen et al., 2005; Hussain et al., 2003). On the other hand, Host-based Intrusion Detection Systems (HIDSs), which widely employ audit trails and system call tracking, can effectively identify buffer overflow (BoF) attacks (Chari et al., 2003; Chaturvedi et al., 2006; Wagner et al., 2002). However, DoS attacks are not easily observed by such an HIDS and are not widely researched in the HIDS literature. Some researchers have proposed bounding the number of certain system calls such as fork() (Chari et al., 2003). However, with the advent of large-scale application software, such bounds may seriously impair the performance of normal applications. Moreover, a DoS attack need not involve a large number of system calls at all. Therefore, a more generic solution is needed to detect DoS attacks. As attackers adopt increasingly sophisticated techniques, multi-tier attacks and IP spoofing are emerging to amplify destructive effects and evade detection. Such attack patterns or behaviors are difficult to identify using header-based network traffic analysis alone.
For example, in a scenario where an attacker gets around the network monitoring sensors and launches a DoS attack locally, a NIDS may not be able to detect the intrusion. In such a scenario, non-privileged access is sufficient to initiate a DoS attack against the host: once the attacker has access to the victim machine, even without root privileges and with little prospect of escalating them to carry out other destructive or stealthy actions, he or she can still easily upload a DoS daemon that consumes the machine's limited resources. Instead of network information alone, information that originates and resides on the victim machine should be used to track and monitor such ongoing attacks. In this paper, we propose an HIDS that integrates information from the application, operating system (OS) and architecture levels to improve the detection rate of sophisticated DoS attacks. According to our experiments, even when DoS attacks evade the NIDS monitors, architectural behaviors are still triggered: a tremendous jump in Instruction Count, Cache Miss and Bus Traffic can be observed. Based on this observation, a novel HIDS employing a modern statistical Gradient Boosting Trees (GBT) model is proposed to detect sophisticated DoS intrusions through the integration of application, OS and architecture features. Our experiments test three different types of exploits: self-developed local DoS exploits, real-world remote DoS exploits and real-world local DoS attacks. The results show that including architecture features significantly improves the detection rate for evasive DoS intrusions.
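The abstract and the passage above describe the mechanism but not the model. The following is an added example, not the paper's code, data or results: it trains a small gradient-boosted model (boosted regression stumps, an L2-boosting stand-in for a GBT library) on constructed one-second monitoring windows described by one application feature (TCP connection rate), one OS feature (system call rate) and the three architecture counters named in the paper, then compares a detector that sees only the application feature with one that sees all three levels. The feature ranges, window counts and the three window kinds (benign, SYN flood, local DoS daemon) are all hypothetical assumptions chosen so that the local daemon is indistinguishable from benign traffic at the application and OS levels.

```python
"""Added example (not the paper's code or data): a gradient-boosted model over
application-, OS- and architecture-level features, trained on constructed
per-second monitoring windows. Feature names follow the paper; every numeric
range below is a hypothetical assumption chosen so that a local DoS daemon
looks benign at the application and OS levels but not at the hardware level."""
import random
from dataclasses import dataclass

# Index 0: application level; 1: OS level; 2-4: the architecture counters named in the paper.
FEATURES = ("tcp_conn_rate", "syscall_rate", "instructions", "cache_misses", "bus_traffic")

# Constructed uniform value ranges per window kind (hypothetical numbers).
RANGES = {
    "benign":    [(5, 40),      (1e3, 5e3), (1e8, 4e8), (1e5, 5e5), (1e6, 5e6)],
    "syn_flood": [(2000, 8000), (1e4, 5e4), (1e9, 3e9), (1e6, 1e7), (1e7, 5e7)],
    "local_dos": [(5, 40),      (1e3, 5e3), (3e9, 9e9), (5e7, 2e8), (1e8, 5e8)],
}
COUNTS = {"benign": 60, "syn_flood": 20, "local_dos": 20}


def make_windows(seed):
    """Return (features, kind, label) tuples; label is 1 for attack windows."""
    rng = random.Random(seed)
    rows = [([rng.uniform(lo, hi) for lo, hi in RANGES[kind]], kind, int(kind != "benign"))
            for kind, n in COUNTS.items() for _ in range(n)]
    rng.shuffle(rows)
    return rows


@dataclass
class Stump:
    feat: int
    thr: float
    left: float   # value when x[feat] <= thr
    right: float  # value when x[feat] > thr

    def __call__(self, x):
        return self.left if x[self.feat] <= self.thr else self.right


def fit_stump(X, r, feats, min_leaf):
    """Least-squares regression stump on the residuals r, restricted to `feats`."""
    best_sse, best = float("inf"), None
    for j in feats:
        vals = sorted({x[j] for x in X})
        for a, b in zip(vals, vals[1:]):
            thr = (a + b) / 2
            L = [ri for x, ri in zip(X, r) if x[j] <= thr]
            R = [ri for x, ri in zip(X, r) if x[j] > thr]
            if len(L) < min_leaf or len(R) < min_leaf:
                continue
            lm, rm = sum(L) / len(L), sum(R) / len(R)
            sse = sum((v - lm) ** 2 for v in L) + sum((v - rm) ** 2 for v in R)
            if sse < best_sse:
                best_sse, best = sse, Stump(j, thr, lm, rm)
    return best


class BoostedStumps:
    """L2 gradient boosting: each round fits one stump to the current residuals."""

    def __init__(self, feats, rounds=20, lr=0.3, min_leaf=5):
        self.feats, self.rounds, self.lr, self.min_leaf = feats, rounds, lr, min_leaf
        self.f0, self.stumps = 0.0, []

    def fit(self, X, y):
        self.f0 = sum(y) / len(y)            # constant initial model
        F = [self.f0] * len(X)
        for _ in range(self.rounds):
            r = [yi - fi for yi, fi in zip(y, F)]
            s = fit_stump(X, r, self.feats, self.min_leaf)
            if s is None:
                break
            self.stumps.append(s)
            F = [fi + self.lr * s(x) for fi, x in zip(F, X)]
        return self

    def score(self, x):
        return self.f0 + self.lr * sum(s(x) for s in self.stumps)

    def predict(self, x):
        return int(self.score(x) > 0.5)     # attack if the boosted score passes 0.5


def evaluate(model, rows):
    """Detection rate over attack windows, false-positive rate, and per-kind recall."""
    flagged = {kind: 0 for kind in COUNTS}
    for x, kind, _ in rows:
        flagged[kind] += model.predict(x)
    attacks = COUNTS["syn_flood"] + COUNTS["local_dos"]
    return {
        "detection_rate": (flagged["syn_flood"] + flagged["local_dos"]) / attacks,
        "fp_rate": flagged["benign"] / COUNTS["benign"],
        "syn_flood_recall": flagged["syn_flood"] / COUNTS["syn_flood"],
        "local_dos_recall": flagged["local_dos"] / COUNTS["local_dos"],
    }


def run_experiment():
    """Train on one constructed set and score a held-out one, once with the
    application feature only and once with all three levels of features."""
    train, test = make_windows(seed=1), make_windows(seed=2)
    X, y = [row[0] for row in train], [row[2] for row in train]
    app_only = BoostedStumps(feats=(0,)).fit(X, y)
    full = BoostedStumps(feats=tuple(range(len(FEATURES)))).fit(X, y)
    return evaluate(app_only, test), evaluate(full, test)


if __name__ == "__main__":
    for name, result in zip(("application level only", "app + OS + architecture"), run_experiment()):
        print(name, result)
```

Run as a script to print both result dictionaries. The application-only model catches every SYN-flood window, because the connection-rate feature separates them cleanly, but it can only guess at the local daemon, whose application and OS features are drawn from the benign distribution; the model that also sees the architecture counters separates all three kinds on the held-out windows. The stumps-on-residuals loop is the core of any GBT; a production detector would swap in a real library, use per-core counters read from the hardware performance monitoring unit, and calibrate the 0.5 decision threshold against a measured false-positive budget.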
Similar resources
RESCUE: Reputation based Service for Cloud User Environment
Exceptional characteristics of Cloud computing have replaced all traditional computing. With reduced resource management and without in-advance investment, it has been victorious in making the IT world migrate towards it. Microsoft announced its office package as Cloud, which can prevent people moving from Windows to Linux. As this drift is escalating at an exponential rate, the cloud environ...
A Hybrid Approach to Efficient Detection of Distributed Denial-of-Service Attacks
An automated system for detecting network traffic anomalies caused by Denial-of-Service attacks is proposed. The system is designed as a two-stage architecture incorporating the change-point detection methodology, used for early attack identification, and further spectral profiling, used for confirmation of the attack presence. The proposed system is shown to be robust and capable of achieving ...
Statistical Segregation Method to Minimize the False Detections During DDoS Attacks
DDoS attack aims at occupying the victim resources so as to prevent the legitimate requests from reaching it. Even though the attack traffic is generated in intimidating measures, the attack traffic mostly is disguised as the genuine traffic. Hence most of the mitigation methods cannot segregate the legitimate flows from the attack flows accurately. As a result, legitimate flows have also been f...
Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks
Software Defined Network (SDN) is a new architecture for network management and its main concept is centralizing network management in the network control level that has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...
F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: Volumetric attacks, Protocol attacks and Application attacks. The volumetric attack, which the pro...
Using selective, short-term memory to improve resilience against DDoS exhaustion attacks
Distributed Denial of Service (DDoS) attacks originating from botnets can quickly bring normally effective web services to a screeching halt. This paper presents SESRAA (SElective Short-term Randomized Acceptance Algorithms), an adaptive scheme for maintaining web service despite the presence of multifaceted attacks in a noisy environment. In contrast to existing solutions that rely upon “clean...