
One of the critical threats to cyber security is the DDoS attack, in which victim network elements are bombarded with a high volume of fictitious attack packets originating from a large number of machines. The aim of a DDoS attack is to overload the victim and render it incapable of performing normal communications or services. Most solutions proposed to date face scalability problems as the size and speed of the network increase, and no DDoS solution has been widely deployed in the industry.
The DDoS engine uses our ALPi scheme, which extends the previously proposed PacketScore scheme with reduced implementation complexity and enhanced performance. The ALPi scheme estimates the abnormality of a suspicious packet by comparing the current fine-grain traffic with a nominal traffic profile. More specifically, a leaky-bucket overflow measurement simplifies the score computation and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values and increases the accuracy of differentiating attack packets. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks. Combined, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracy of packet differentiation. This makes ALPi an attractive DDoS defense system amenable to high-speed hardware implementation. In conclusion, the DDoS engine performs detection, differentiation, and discarding functions to block DDoS attack packets.
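The leaky-bucket overflow idea described above can be sketched as follows. This is an added, simplified illustration and not the ALPi code from this project: the attribute names, profile rates, bucket depth, and the fixed discard threshold are all assumptions, and the attribute-value-variation scoring and control-theoretic discarding are not modeled.

```python
# Added illustration: simplified leaky-bucket overflow scoring (not the ALPi reference code).
class LeakyBucket:
    def __init__(self, rate, depth):
        self.rate, self.depth = rate, depth   # drain rate (pkts/s), capacity (pkts)
        self.level, self.last = 0.0, 0.0

    def overflows(self, now):
        """Drain for the elapsed time, then try to add one packet; True means overflow."""
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + 1 > self.depth:
            return True
        self.level += 1
        return False

class OverflowScorer:
    def __init__(self, profile, default_rate, depth, threshold):
        self.profile, self.default_rate = profile, default_rate
        self.depth, self.threshold = depth, threshold
        self.buckets = {}

    def score(self, pkt, now):
        """Score = number of the packet's attribute values whose bucket overflowed."""
        total = 0
        for key in pkt.items():               # key is (attribute, value)
            if key not in self.buckets:
                rate = self.profile.get(key, self.default_rate)
                self.buckets[key] = LeakyBucket(rate, self.depth)
            total += self.buckets[key].overflows(now)
        return total

    def discard(self, pkt, now):
        return self.score(pkt, now) >= self.threshold  # fixed threshold (assumption)

def run_demo():
    # Constructed nominal profile: (attribute, value) -> packets/second.
    profile = {("proto", "tcp"): 100, ("dport", 80): 50, ("ttl", 64): 50,
               ("proto", "udp"): 5, ("dport", 53): 2, ("ttl", 128): 5}
    scorer = OverflowScorer(profile, default_rate=1, depth=5, threshold=2)
    legit = {"proto": "tcp", "dport": 80, "ttl": 64}
    flood = {"proto": "udp", "dport": 53, "ttl": 128}
    # Constructed one-second trace: 10 legitimate pkts/s mixed with a 1000 pkts/s flood.
    trace = [(i * 0.1, "legit", legit) for i in range(10)]
    trace += [(j * 0.001, "attack", flood) for j in range(1000)]
    dropped = {"legit": 0, "attack": 0}
    for now, label, pkt in sorted(trace, key=lambda t: t[0]):
        dropped[label] += scorer.discard(pkt, now)
    return dropped

if __name__ == "__main__":
    print(run_demo())
```

Each bucket needs only a level and a timestamp per attribute value, which is the kind of state that maps onto counters in hardware.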
PUBLICATIONS
- P. Ayres, H. Sun, H. Jonathan Chao, and W. C. Lau, “ALPi: A DDoS Defense System for High-Speed Networks,” in IEEE Journal on Selected Areas in Communications (JSAC), Special Issue on High-Speed Network Security, Oct. 2006.
- Y. Kim, W. Lau, M. C. Chuah, and H. J. Chao, “PacketScore: A statistical Packet Filtering Scheme against Distributed Denial-of-Service Attacks,” in IEEE Transactions on Dependable and Secure Computing, pp. 141-155, April-June, 2006.
PEOPLE
Prof. Jonathan H. Chao : Faculty
Huizhong Sun : PhD Student
Paulo Ayres : MS Student
Wei-Chen Huang : MS Student
Evelyn Yen : MS Student