Link flooding attack(LFA)is a type of covert distributed denial of service(DDoS)attack.The attack mechanism of LFAs is to flood critical links within the network to cut off the target area from the Internet.Recently,t...Link flooding attack(LFA)is a type of covert distributed denial of service(DDoS)attack.The attack mechanism of LFAs is to flood critical links within the network to cut off the target area from the Internet.Recently,the proliferation of Internet of Things(IoT)has increased the quantity of vulnerable devices connected to the network and has intensified the threat of LFAs.In LFAs,attackers typically utilize low-speed flows that do not reach the victims,making the attack difficult to detect.Traditional LFA defense methods mainly reroute the attack traffic around the congested link,which encounters high complexity and high computational overhead due to the aggregation of massive attack traffic.To address these challenges,we present an LFA defense framework which can mitigate the attack flows at the border switches when they are small in scale.This framework is lightweight and can be deployed at border switches of the network in a distributed manner,which ensures the scalability of our defense system.The performance of our framework is assessed in an experimental environment.The simulation results indicate that our method is effective in detecting and mitigating LFAs with low time complexity.展开更多
Link flooding attack(LFA)is a fresh distributed denial of service attack(DDoS).Attackers can cut off the critical links,making the services in the target area unavailable.LFA manipulates legal lowspeed flow to flood c...Link flooding attack(LFA)is a fresh distributed denial of service attack(DDoS).Attackers can cut off the critical links,making the services in the target area unavailable.LFA manipulates legal lowspeed flow to flood critical links,so traditional technologies are difficult to resist such attack.Meanwhile,LFA is also one of the most important threats to Internet of things(IoT)devices.The introduction of software defined network(SDN)effectively solves the security problem of the IoT.Aiming at the LFA in the software defined Internet of things(SDN-IoT),this paper proposes a new LFA mitigation scheme ReLFA.Renyi entropy is to locate the congested link in the data plane in our scheme,and determines the target links according to the alarm threshold.When LFA is detected on the target links,the control plane uses the method based on deep reinforcement learning(DRL)to carry out traffic engineering.Simulation results show that ReLFA can effectively alleviate the impact of LFA in SDN IoT.In addition,the rerouting time of ReLFA is superior to other latest schemes.展开更多
Wireless sensor networks (WSNs) have many potential applications [1,2] and unique challenges. They usually consist of hundreds or thousands of small sensor nodes such as MICA2, which operate autonomously;conditions su...Wireless sensor networks (WSNs) have many potential applications [1,2] and unique challenges. They usually consist of hundreds or thousands of small sensor nodes such as MICA2, which operate autonomously;conditions such as cost, invisible deployment and many application domains, lead to small size and resource limited sensors [3]. WSNs are susceptible to many types of link layer attacks [1] and most of traditional network security techniques are unusable on WSNs [3];This is due to wireless and shared nature of communication channel, untrusted transmissions, deployment in open environments, unattended nature and limited resources [1]. Therefore security is a vital requirement for these networks;but we have to design a proper security mechanism that attends to WSN’s constraints and requirements. In this paper, we focus on security of WSNs, divide it (the WSNs security) into four categories and will consider them, include: an overview of WSNs, security in WSNs, the threat model on WSNs, a wide variety of WSNs’ link layer attacks and a comparison of them. This work enables us to identify the purpose and capabilities of the attackers;furthermore, the goal and effects of the link layer attacks on WSNs are introduced. Also, this paper discusses known approaches of security detection and defensive mechanisms against the link layer attacks;this would enable IT security managers to manage the link layer attacks of WSNs more effectively.展开更多
随着4G/5G移动通信技术被应用于无人机指挥控制(Command and Control,C2)链路,此类链路因安全保护机制不足而面临日益严峻的安全威胁。针对4G/5G无人机C2链路完整性保护缺失的弱点,在实验室环境下完成了4G/5G无人机C2链路指令篡改攻击...随着4G/5G移动通信技术被应用于无人机指挥控制(Command and Control,C2)链路,此类链路因安全保护机制不足而面临日益严峻的安全威胁。针对4G/5G无人机C2链路完整性保护缺失的弱点,在实验室环境下完成了4G/5G无人机C2链路指令篡改攻击验证实验。为了应对该威胁,提出了基于高性能认证加密的C2链路数据防护方案,并在飞腾E2000Q嵌入式环境下完成了与现有商用EEA3+EIA3组合方案的对比测试和分析。所提方案在保证安全性的同时具有更好的性能表现。展开更多
A Link Flooding Attack(LFA)is a special type of Denial-of-Service(DoS)attack in which the attacker sends out a huge number of requests to exhaust the capacity of a link on the path the traffic comes to a server.As a r...A Link Flooding Attack(LFA)is a special type of Denial-of-Service(DoS)attack in which the attacker sends out a huge number of requests to exhaust the capacity of a link on the path the traffic comes to a server.As a result,user traffic cannot reach the server.As a result,DoS and degradation of Qualityof-Service(QoS)occur.Because the attack traffic does not go to the victim,protecting the legitimate traffic alone is hard for the victim.The victim can protect its legitimate traffic by using a special type of router called filter router(FR).An FR can receive server filters and apply them to block a link incident to it.An FR probabilistically appends its own IP address to packets it forwards,and the victim uses that information to discover the traffic topology.By analyzing traffic rates and paths,the victim identifies some links that may be congested.The victim needs to select some of these possible congested links(PCLs)and send a filter to the corresponding FR so that legitimate traffic avoids congested paths.In this paper,we formulate two optimization problems for blocking the least number of PCLs so that the legitimate traffic goes through a non-congested path.We consider the scenario where every user has at least one non-congested shortest path in the first problem.We extend the first problem to a scenario where there are some users whose shortest paths are all congested.We transform the original problem to the vertex separation problem to find the links to block.We use a custom-built Java multi-threaded simulator and conduct extensive simulations to support our solutions.展开更多
Network security has become more of a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security in the application, transport, or network layers of a network, the da...Network security has become more of a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security in the application, transport, or network layers of a network, the data link layer (Layer 2) security has not yet been adequately addressed. Data link layer protocols used in local area networks (LANs) are not designed with security features. Dynamic host configuration protocol (DHCP) is one of the most used network protocols for host configuration that works in data link layer. DHCP is vulnerable to a number of attacks, such as the DHCP rouge server attack, DHCP starvation attack, and malicious DHCP client attack. This work introduces a new scheme called Secure DHCP (S-DHCP) to secure DHCP protocol. The proposed solution consists of two techniques. The first is the authentication and key management technique that is used for entities authentication and management of security key. It is based on using Diffie-Hellman key exchange algorithm supported by the difficulty of Elliptic Curve Discrete Logarithm Problem (ECDLP) and a strong cryptographic one-way hash function. The second technique is the message authentication technique, which uses the digital signature to authenticate the DHCP messages exchanged between the clients and server.展开更多
Detecting sophisticated cyberattacks,mainly Distributed Denial of Service(DDoS)attacks,with unexpected patterns remains challenging in modern networks.Traditional detection systems often struggle to mitigate such atta...Detecting sophisticated cyberattacks,mainly Distributed Denial of Service(DDoS)attacks,with unexpected patterns remains challenging in modern networks.Traditional detection systems often struggle to mitigate such attacks in conventional and software-defined networking(SDN)environments.While Machine Learning(ML)models can distinguish between benign and malicious traffic,their limited feature scope hinders the detection of new zero-day or low-rate DDoS attacks requiring frequent retraining.In this paper,we propose a novel DDoS detection framework that combines Machine Learning(ML)and Ensemble Learning(EL)techniques to improve DDoS attack detection and mitigation in SDN environments.Our model leverages the“DDoS SDN”dataset for training and evaluation and employs a dynamic feature selection mechanism that enhances detection accuracy by focusing on the most relevant features.This adaptive approach addresses the limitations of conventional ML models and provides more accurate detection of various DDoS attack scenarios.Our proposed ensemble model introduces an additional layer of detection,increasing reliability through the innovative application of ensemble techniques.The proposed solution significantly enhances the model’s ability to identify and respond to dynamic threats in SDNs.It provides a strong foundation for proactive DDoS detection and mitigation,enhancing network defenses against evolving threats.Our comprehensive runtime analysis of Simultaneous Multi-Threading(SMT)on identical configurations shows superior accuracy and efficiency,with significantly reduced computational time,making it ideal for real-time DDoS detection in dynamic,rapidly changing SDNs.Experimental results demonstrate that our model achieves outstanding performance,outperforming traditional algorithms with 99%accuracy using Random Forest(RF)and K-Nearest Neighbors(KNN)and 98%accuracy using XGBoost.展开更多
基金supported in part by the National Key R&D Program of China under Grant 2018YFA0701601in part by the National Natural Science Foundation of China(Grant No.62201605,62341110,U22A2002)in part by Tsinghua University-China Mobile Communications Group Co.,Ltd.Joint Institute。
文摘Link flooding attack(LFA)is a type of covert distributed denial of service(DDoS)attack.The attack mechanism of LFAs is to flood critical links within the network to cut off the target area from the Internet.Recently,the proliferation of Internet of Things(IoT)has increased the quantity of vulnerable devices connected to the network and has intensified the threat of LFAs.In LFAs,attackers typically utilize low-speed flows that do not reach the victims,making the attack difficult to detect.Traditional LFA defense methods mainly reroute the attack traffic around the congested link,which encounters high complexity and high computational overhead due to the aggregation of massive attack traffic.To address these challenges,we present an LFA defense framework which can mitigate the attack flows at the border switches when they are small in scale.This framework is lightweight and can be deployed at border switches of the network in a distributed manner,which ensures the scalability of our defense system.The performance of our framework is assessed in an experimental environment.The simulation results indicate that our method is effective in detecting and mitigating LFAs with low time complexity.
基金supported by the Fundamental Research Funds under Grant 2021JBZD204ZTE industry-university research cooperation fund project “Research on network identity trusted communication technology architecture”State Key Laboratory of Mobile Network and Mobile Multimedia Technology
文摘Link flooding attack(LFA)is a fresh distributed denial of service attack(DDoS).Attackers can cut off the critical links,making the services in the target area unavailable.LFA manipulates legal lowspeed flow to flood critical links,so traditional technologies are difficult to resist such attack.Meanwhile,LFA is also one of the most important threats to Internet of things(IoT)devices.The introduction of software defined network(SDN)effectively solves the security problem of the IoT.Aiming at the LFA in the software defined Internet of things(SDN-IoT),this paper proposes a new LFA mitigation scheme ReLFA.Renyi entropy is to locate the congested link in the data plane in our scheme,and determines the target links according to the alarm threshold.When LFA is detected on the target links,the control plane uses the method based on deep reinforcement learning(DRL)to carry out traffic engineering.Simulation results show that ReLFA can effectively alleviate the impact of LFA in SDN IoT.In addition,the rerouting time of ReLFA is superior to other latest schemes.
文摘Wireless sensor networks (WSNs) have many potential applications [1,2] and unique challenges. They usually consist of hundreds or thousands of small sensor nodes such as MICA2, which operate autonomously;conditions such as cost, invisible deployment and many application domains, lead to small size and resource limited sensors [3]. WSNs are susceptible to many types of link layer attacks [1] and most of traditional network security techniques are unusable on WSNs [3];This is due to wireless and shared nature of communication channel, untrusted transmissions, deployment in open environments, unattended nature and limited resources [1]. Therefore security is a vital requirement for these networks;but we have to design a proper security mechanism that attends to WSN’s constraints and requirements. In this paper, we focus on security of WSNs, divide it (the WSNs security) into four categories and will consider them, include: an overview of WSNs, security in WSNs, the threat model on WSNs, a wide variety of WSNs’ link layer attacks and a comparison of them. This work enables us to identify the purpose and capabilities of the attackers;furthermore, the goal and effects of the link layer attacks on WSNs are introduced. Also, this paper discusses known approaches of security detection and defensive mechanisms against the link layer attacks;this would enable IT security managers to manage the link layer attacks of WSNs more effectively.
文摘随着4G/5G移动通信技术被应用于无人机指挥控制(Command and Control,C2)链路,此类链路因安全保护机制不足而面临日益严峻的安全威胁。针对4G/5G无人机C2链路完整性保护缺失的弱点,在实验室环境下完成了4G/5G无人机C2链路指令篡改攻击验证实验。为了应对该威胁,提出了基于高性能认证加密的C2链路数据防护方案,并在飞腾E2000Q嵌入式环境下完成了与现有商用EEA3+EIA3组合方案的对比测试和分析。所提方案在保证安全性的同时具有更好的性能表现。
基金supported in part by the NSF grants(CNS 1757533,CNS 1629746,CNS 1564128,CNS 1449860,CNS 1461932,CNS1460971,and IIP 1439672).
文摘A Link Flooding Attack(LFA)is a special type of Denial-of-Service(DoS)attack in which the attacker sends out a huge number of requests to exhaust the capacity of a link on the path the traffic comes to a server.As a result,user traffic cannot reach the server.As a result,DoS and degradation of Qualityof-Service(QoS)occur.Because the attack traffic does not go to the victim,protecting the legitimate traffic alone is hard for the victim.The victim can protect its legitimate traffic by using a special type of router called filter router(FR).An FR can receive server filters and apply them to block a link incident to it.An FR probabilistically appends its own IP address to packets it forwards,and the victim uses that information to discover the traffic topology.By analyzing traffic rates and paths,the victim identifies some links that may be congested.The victim needs to select some of these possible congested links(PCLs)and send a filter to the corresponding FR so that legitimate traffic avoids congested paths.In this paper,we formulate two optimization problems for blocking the least number of PCLs so that the legitimate traffic goes through a non-congested path.We consider the scenario where every user has at least one non-congested shortest path in the first problem.We extend the first problem to a scenario where there are some users whose shortest paths are all congested.We transform the original problem to the vertex separation problem to find the links to block.We use a custom-built Java multi-threaded simulator and conduct extensive simulations to support our solutions.
文摘Network security has become more of a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security in the application, transport, or network layers of a network, the data link layer (Layer 2) security has not yet been adequately addressed. Data link layer protocols used in local area networks (LANs) are not designed with security features. Dynamic host configuration protocol (DHCP) is one of the most used network protocols for host configuration that works in data link layer. DHCP is vulnerable to a number of attacks, such as the DHCP rouge server attack, DHCP starvation attack, and malicious DHCP client attack. This work introduces a new scheme called Secure DHCP (S-DHCP) to secure DHCP protocol. The proposed solution consists of two techniques. The first is the authentication and key management technique that is used for entities authentication and management of security key. It is based on using Diffie-Hellman key exchange algorithm supported by the difficulty of Elliptic Curve Discrete Logarithm Problem (ECDLP) and a strong cryptographic one-way hash function. The second technique is the message authentication technique, which uses the digital signature to authenticate the DHCP messages exchanged between the clients and server.
文摘Detecting sophisticated cyberattacks,mainly Distributed Denial of Service(DDoS)attacks,with unexpected patterns remains challenging in modern networks.Traditional detection systems often struggle to mitigate such attacks in conventional and software-defined networking(SDN)environments.While Machine Learning(ML)models can distinguish between benign and malicious traffic,their limited feature scope hinders the detection of new zero-day or low-rate DDoS attacks requiring frequent retraining.In this paper,we propose a novel DDoS detection framework that combines Machine Learning(ML)and Ensemble Learning(EL)techniques to improve DDoS attack detection and mitigation in SDN environments.Our model leverages the“DDoS SDN”dataset for training and evaluation and employs a dynamic feature selection mechanism that enhances detection accuracy by focusing on the most relevant features.This adaptive approach addresses the limitations of conventional ML models and provides more accurate detection of various DDoS attack scenarios.Our proposed ensemble model introduces an additional layer of detection,increasing reliability through the innovative application of ensemble techniques.The proposed solution significantly enhances the model’s ability to identify and respond to dynamic threats in SDNs.It provides a strong foundation for proactive DDoS detection and mitigation,enhancing network defenses against evolving threats.Our comprehensive runtime analysis of Simultaneous Multi-Threading(SMT)on identical configurations shows superior accuracy and efficiency,with significantly reduced computational time,making it ideal for real-time DDoS detection in dynamic,rapidly changing SDNs.Experimental results demonstrate that our model achieves outstanding performance,outperforming traditional algorithms with 99%accuracy using Random Forest(RF)and K-Nearest Neighbors(KNN)and 98%accuracy using XGBoost.
