Timely Detection and Mitigation of Stealthy DDoS Attacks via IoT Networks
ABSTRACT :
Internet of Things (IoT) networks consist of sensors, actuators, mobile and wearable devices that can connect to the Internet. With billions of such devices already on the market, many of them with significant vulnerabilities, they pose a dangerous threat to Internet services and to cyber-physical systems that are also connected to the Internet. Specifically, because of their existing vulnerabilities, IoT devices are susceptible to being compromised and becoming part of a new type of stealthy Distributed Denial of Service (DDoS) attack, called Mongolian DDoS, which is characterized by its widely distributed nature and small attack size from each source. This study proposes a novel anomaly-based Intrusion Detection System (IDS) that is capable of detecting and mitigating this emerging type of DDoS attack in a timely manner. The proposed IDS's capability of detecting and mitigating stealthy DDoS attacks, even with very low attack size per source, is demonstrated through numerical and testbed experiments.
EXISTING SYSTEM :
• It can be deployed at the ISP’s edge routers and serves as a supplement of the existing network filtering to protect potential victims from being flooded.
• While our initial goal was to provide effective defense against existing DDoS tools, we are continuing to explore techniques for better defense against future stealthy attacks.
• In order not to inject bias into our experiments, the existing Internet traces CAITD and CDAD will be utilized as much as possible and synthetically generated traffic is only employed when necessary.
• Whenever we find a backward flow that can be paired with an existing forward flow in the BCS structure, the corresponding counter decreases.
DISADVANTAGE :
• Although a number of practical solutions have been deployed against DDoS, many problems still exist, especially due to the new genre of DDoS attacks through IoT devices.
• DDoS attacks via IoT networks are relatively less addressed compared to other security issues in the IoT environment.
• The attackers managed to cause the heating controllers to continually reboot the system in a loop so that the heaters never worked.
• Thus, they do not negatively contribute to the global statistic s_t, and consequently do not cause extra delay in detection.
• It uses a window to compute the information metric on the aggregate traffic at each node, which causes loss in time resolution, and also in early detection ability.
PROPOSED SYSTEM :
• The proposed detectors are mostly outlier detectors, i.e., they classify a sample measurement as either normal or anomalous.
• Moreover, such schemes have breakdown points such that if outliers, significantly far away from the nominal measurements, are observed, then the proposed filters fail to keep track of the system state.
• In order to improve the time resolution and also to detect cyber-attacks more reliably, several online detectors based on the quickest detection theory are proposed.
• The proposed mechanisms are tightly connected to an estimation mechanism, which makes both the detection and state estimation schemes robust against unknown and time-varying attack variables.
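The contrast drawn above between per-sample outlier detection and online quickest detection can be seen on a small constructed trace. This is an added example, not the paper's detector: it uses a generic per-node CUSUM summed into a global statistic, and the traffic values, node count, drift and alarm level are all assumptions chosen for illustration.

```python
import math

NODES, STEPS = 20, 60
BASE, EXTRA = 10.0, 1.0   # constructed nominal rate and per-source attack size (pkts/s)
SIGMA = math.sqrt(2.0)    # std. dev. of the constructed jitter, uniform on {-2..2}


def rate(node, t, attack_start):
    """Constructed, deterministic traffic sample for one node at time t."""
    jitter = (node * 7 + t * 13) % 5 - 2
    under_attack = attack_start is not None and t >= attack_start
    return BASE + jitter + (EXTRA if under_attack else 0.0)


def threshold_alarm(attack_start, k_sigma=3.0):
    """Per-sample outlier test: first t where any sample exceeds mean + k*sigma."""
    limit = BASE + k_sigma * SIGMA
    for t in range(STEPS):
        if any(rate(n, t, attack_start) > limit for n in range(NODES)):
            return t
    return None


def cusum_alarm(attack_start, drift=0.5, h=40.0):
    """Sequential test: per-node CUSUM g_i >= 0, global statistic s_t = sum of g_i.

    Each g_i is clipped at zero, so a quiet node never subtracts from s_t.
    """
    g = [0.0] * NODES
    for t in range(STEPS):
        for n in range(NODES):
            g[n] = max(0.0, g[n] + rate(n, t, attack_start) - BASE - drift)
        if sum(g) >= h:
            return t
    return None


if __name__ == "__main__":
    print("per-sample threshold alarm:", threshold_alarm(40))
    print("global CUSUM alarm:", cusum_alarm(40))
    print("global CUSUM, no attack:", cusum_alarm(None))
```

With the attack starting at step 40, no single sample ever leaves the 3-sigma band, while the accumulated evidence across all nodes crosses the alarm level two steps later.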
ADVANTAGE :
• A comprehensive performance evaluation is provided using a testbed implementation, the N-BaIoT dataset, and simulations.
• We evaluate the performance of the proposed IDS in a large network with many nodes, where a stealthy DDoS attack from many compromised IoT devices can actually take down a server.
• Thus, to evaluate our mitigation performance, we consider the data filtering method, which simply applies a threshold to the observed raw data.
• There are efficient ways of finding (approximate) k nearest neighbors that scale even better to high-dimensional systems.
• Considering the large number of devices in a typical IoT network, and the abundant data generated by those devices, computationally efficient solutions that can achieve effective network monitoring, i.e., joint monitoring of devices, are required.