Mitigation of Random Query String DoS via Gossip

Ferretti, Stefano; Ghini, Vittorio

doi:10.1007/978-3-642-29166-1_11

Cited by 3 publications

(5 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…REMARK I. From (5) and (6) we see that increasing the EDR α and/or the transmission rate λ corresponds to increasing the MIR. Besides, the MIR is always smaller 1 REMARK II.…”

Section: A Characterization Of the Botnet Message Innovation Ratementioning

confidence: 86%

“…Recently, the new class of application-layer DDoS attacks is emerging as one of the most powerful threats [3]- [6]. In such attacks, the malicious traffic patterns are disguised as normal ones by leveraging the many possibilities offered at the application layer (for instance, when surfing through a website, more and more web-pages are likely to be explored as time elapses).…”

Section: A Related Workmentioning

confidence: 99%

“…policies, the empirical MIR of a botnet with reference EDR value(22) does always provide a lower bound to the sum of individual MIRs 6. …”

mentioning

confidence: 99%

See 2 more Smart Citations

DDoS Attacks With Randomized Traffic Innovation: Botnet Identification Challenges and Strategies

Matta

Mauro

Longo

2017

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Distributed Denial-of-Service (DDoS) attacks are usually launched through the botnet, an "army" of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this work, we offer basically three contributions: i) we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; ii) we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time elapses) estimate of the botnet possibly hidden in the network; and iii) we verify the validity of the proposed inferential strategy over real network traces.

show abstract

“…REMARK I. From (5) and (6) we see that increasing the EDR α and/or the transmission rate λ corresponds to increasing the MIR. Besides, the MIR is always smaller 1 REMARK II.…”

Section: A Characterization Of the Botnet Message Innovation Ratementioning

confidence: 86%

Section: A Related Workmentioning

confidence: 99%

See 1 more Smart Citation

DDoS Attacks With Randomized Traffic Innovation: Botnet Identification Challenges and Strategies

Matta

Mauro

Longo

2017

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…Our model for multi-clustered DDoS is inspired to recent kinds of application-layer DDoS [3], [4], and is a generalization of the DDoS class originally proposed in [1]. We assume that the botnet is made of C non-overlapping clusters, each of which has access to an emulation dictionary (at time t) denoted by E c (t), for c = 1, 2, .…”

Section: The Multi-clustered Ddos Attackmentioning

confidence: 99%

“…This peculiar form of attacks goes beyond the simplest repetition-based attacks, by exploiting the ample range of possibilities available at the application layer [3], [4]. In such novel attacks, the bots choose randomly their requests from a set of admissible messages (an emulation dictionary), trying so to disguise their traffic patterns as normal ones.…”

Section: Introductionmentioning

confidence: 99%

Botnet identification in multi-clustered DDoS attacks

Matta

Mauro

Longo

2017

2017 25th European Signal Processing Conference (EUSIPCO)

View full text Add to dashboard Cite

Abstract-In a randomized DDoS attack with increasing emulation dictionary, the bots try to hide their malicious activity by disguising their traffic patterns as "normal" traffic patterns. In this work, we extend the DDoS class introduced in [1], [2] to the case of a multi-clustered botnet, whose main feature is that the emulation dictionary is split over the botnet, giving rise to multiple botnet clusters. We propose two strategies to identify the botnet in such challenging scenario, one based on cluster expurgation, the other one on a union rule. Consistency of both algorithms under ideal conditions is ascertained, while their performance is examined over real network traces.

show abstract