Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/86094
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 葉丙成(Ping-Cheng Yeh) | |
dc.contributor.author | Jonathan J. Mao | en |
dc.contributor.author | 毛煥為 | zh_TW |
dc.date.accessioned | 2023-03-19T23:36:34Z | - |
dc.date.copyright | 2022-09-16 | |
dc.date.issued | 2022 | |
dc.date.submitted | 2022-09-12 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/86094 | - |
dc.description.abstract | A pulsing distributed denial-of-service attack aggregates low-rate flows from different sending sources into a short traffic pulse, which for some dynamic networks has an effect comparable to a flooding attack. However, in a heterogeneous network composed of devices with different computing resources, the defense mechanisms proposed in prior work all have to be deployed on devices with stronger computing capability in order to monitor and mitigate attacks, so devices with weaker computing capability cannot deploy such defenses against pulsing DDoS attacks. To address this, we propose a defense mechanism named FLARE, in which devices with stronger computing capability cooperate to protect all network devices in the heterogeneous network. Specifically, FLARE consists of three phases. In the first phase, the more powerful devices group flows that share the same estimated arrival time at the victim; this information is exchanged to identify suspicious groups. In the second phase, the path latency of flows in groups marked as suspicious is modified to break the time synchronization established by the attacker. In the third phase, FLARE monitors the caught suspicious flows to find those that are caught repeatedly, marks them as malicious, and blocks their access for a period of time. We further extend FLARE into three models that mainly trade off pulse detection delay against computing resource requirements. Experimental results show an overall flow-grouping accuracy of 92%, and an average mis-blocking ratio below 1% after four pulses. | zh_TW |
dc.description.abstract | A pulsing DDoS attack produces the effect of persistent flooding on many Internet services that dynamically adjust their settings. Such an attack sends a short traffic pulse built from low-rate traffic originating at many bots. Prior research proposed defense algorithms that run on a network device with powerful computing resources to monitor and mitigate such attacks. However, a heterogeneous network consisting of devices with diverse computing resources may be unable to deploy such defense algorithms on a resource-constrained device. Instead of adapting the prior defense approach to devices with diverse computing resources, we propose a defense approach named FLARE that coordinates powerful computing devices to protect resource-constrained devices. FLARE exchanges traffic information between powerful computing devices to find the flows that intend to participate in constructing pulses at the victim, and further blocks their access to the network. Specifically, FLARE has three phases. First, powerful devices group flows with the same estimated arrival time at the victim and exchange these groups to identify suspicious ones. Second, FLARE randomizes the path latency of a suspicious group to disrupt time synchronization between bots. Third, with those phases running continuously, FLARE treats suspicious flows that are repeatedly caught as malicious and blocks them for a period of time. We further extend FLARE into three models with trade-offs between detection delay and required computing resources. Our experimental results show an overall grouping accuracy of 92% and a mis-blocking ratio under 1% after four pulses. | en |
dc.description.provenance | Made available in DSpace on 2023-03-19T23:36:34Z (GMT). No. of bitstreams: 1 U0001-0709202221222000.pdf: 7519767 bytes, checksum: 8b7605cc73cc1f3ffe6fa866e47c6c22 (MD5) Previous issue date: 2022 | en |
dc.description.tableofcontents | Acknowledgements i; Abstract (Chinese) ii; Abstract iii; Contents v; List of Figures viii; List of Tables x; Chapter 1 Introduction 1; Chapter 2 Background and Related Work 6; 2.1 Defense Mechanisms 6; 2.2 Pulsing Denial-of-Service Attacks 8; Chapter 3 Problem Definition 10; 3.1 Network Scope 10; 3.1.1 Heterogeneous Network 10; 3.1.2 Network Latency 11; 3.1.3 Controller in a Network 12; 3.2 Threat Model 12; 3.2.1 Defining a Pulse 13; 3.2.2 Pulse Construction 13; 3.3 Desired Properties 14; 3.3.1 Low False Positives and Low False Negatives 14; 3.3.2 Low Detection Time 14; 3.3.3 Reasonable Resource Usage 16; Chapter 4 System Design 17; 4.1 Workflow Overview 17; 4.2 Key Ideas 18; 4.2.1 Flow Grouping 18; 4.2.2 Estimated Arrival Time Slot 20; 4.2.3 Latency Randomization 20; 4.3 Proposed System 22; 4.3.1 One-step Model 22; 4.3.2 Two-step Model 25; 4.3.3 Two-step Model with Bloom Filter 25; 4.4 Design Details 27; Chapter 5 Evaluation 31; 5.1 Experiment Setup 32; 5.1.1 Implementation 32; 5.1.2 Dataset 33; 5.1.3 Parameter Setting 34; 5.2 Comparison with BurstSketch 35; 5.3 Flow Grouping 37; 5.4 Latency Randomization 48; 5.5 Detection Delay 50; 5.6 Memory Usage 54; Chapter 6 Discussion 56; 6.1 Constant-rate UDP Traffic 56; 6.2 Latency Randomization Inside a Group 57; 6.3 Adversary Holding Plenty of Bots 58; 6.4 Limitations 59; Chapter 7 Conclusion 60; References 61 | |
dc.language.iso | en | |
dc.title | Mitigating Pulsing Distributed Denial-of-Service Attacks through Flow Grouping and Randomized Latency | zh_TW |
dc.title | Mitigating Pulsing DDoS Attack with Flow Grouping and Latency Randomization | en |
dc.type | Thesis | |
dc.date.schoolyear | 110-2 | |
dc.description.degree | Master | |
dc.contributor.coadvisor | 蕭旭君(Hsu-Chun Hsiao) | |
dc.contributor.oralexamcommittee | 蔡欣穆(Hsin-Mu Tsai),沈上翔(Shan-Hsiang Shen) | |
dc.subject.keyword | pulsing distributed denial-of-service attack, attack mitigation, collaborative defense, flow grouping, flow latency randomization | zh_TW |
dc.subject.keyword | pulsing DDoS attack, attack mitigation, collaborative defense, flow grouping, flow latency randomization | en |
dc.relation.page | 64 | |
dc.identifier.doi | 10.6342/NTU202203236 | |
dc.rights.note | Authorization granted (open access worldwide) | |
dc.date.accepted | 2022-09-12 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
dc.contributor.author-dept | Graduate Institute of Communication Engineering | zh_TW |
dc.date.embargo-lift | 2022-09-16 | - |
Appears in Collections: | Graduate Institute of Communication Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
U0001-0709202221222000.pdf | 7.34 MB | Adobe PDF | View/Open |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.