DDOS Attack Detection in High-Speed Network: History
Please note this is an old version of this entry, which may differ significantly from the current revision.

Two forms of DoS attack are troubling: plain DoS and Distributed DoS (DDoS). DDoS attacks are typically launched through linked devices at numerous locations. The attack produces unusual activity that interrupts the regular traffic of targeted servers, services, and networks by bombarding them with data from nearby infrastructure. This activity generates a tremendous, continuous stream of service requests to the servers and networks, making it difficult to identify a trustworthy source.

  • denial of service
  • distributed denial of service
  • cyber–physical system
  • machine learning
  • high-speed network
  • intrusion detection system

1. Introduction

With the increase in network traffic through the introduction of devices such as remote sensors, intelligent devices, self-driving Global Positioning System (GPS)-connected vehicles, 5G data transmission, smartphones, and cloud computing, the size of the internet is rapidly increasing [1]. There are approximately 4.66 billion internet users globally, which amounts to 59.5% of the global population. Similarly, approximately 53.6% of the global population are social media users, while smartphone users constitute 66.6%. Overall, the total population connected to the digital world was approximately 7.83 billion in 2021, with an anticipated annual growth of 316 million users. The expected internet user growth is alarming, especially when it comes to internet security and the integrity of Cyber–Physical Systems (CPS) [2]. Although the internet helps with different aspects of life and makes life more convenient, it creates many security risks. A typical example of these risks is malicious attacks such as DoS attacks, deception attacks, and replay attacks, all of which are types of cyber-attack. Their objectives and methods differ: DoS attacks aim to disrupt availability, deception attacks involve manipulation and trickery, whereas replay attacks focus on intercepting and reusing valid data to gain unauthorized access or manipulate systems. In addition, Denial-of-Service (DoS) attacks are related to breaches in user privacy and compromised security [3].
Generally, two forms of DoS attack are troubling: plain DoS and Distributed DoS (DDoS). DDoS attacks are typically launched through linked devices at numerous locations. The attack produces unusual activity that interrupts the regular traffic of targeted servers, services, and networks by bombarding them with data from nearby infrastructure. This activity generates a tremendous, continuous stream of service requests to the servers and networks, making it difficult to identify a trustworthy source. For example, in the Internet of Things (IoT) environment, an attacker can quickly attack thousands of devices on a large scale [4,5,6,7]. For a practical CPS communication network, time delay is an important issue. A durable, adaptive DSC based on the dwell-time strategy and switching perspective was developed for a time-delayed switched nonlinear CPS under hybrid attacks on sensor measurements [8]. To investigate the stochastic characteristics of end-to-end network-induced time delay in a time-critical smart substation CPS context, the components of a smart substation CPS, such as data flow, communication network, and intelligent electronic devices (IEDs), are modelled [9]. In the case of time delay attacks (TDAs), which exploit communication channel weaknesses to cause potentially serious harm to a system, many of the approaches suggested for TDA detection have been evaluated exclusively offline and under strict assumptions, rather than as a practical method for dealing with real-world problems [10]. DDoS attacks can be application layer attacks, protocol attacks, or volume-based attacks, and detecting them is more challenging on high-speed networks (HSNs). In HSNs, which consist of optical fiber networks with data rates of 100 Gb/s, the context switching of network processing caused by a DoS attack can reduce network speed, because each packet is associated with a system call and a copy of the transition propagating across the network [11].
Since the speed of data processing on networks has grown, detecting DDoS attacks has become more complicated, raising security risks. Figure 1 illustrates a scenario of a DDoS attack occurring in a high-speed network. Additionally, researchers face enormous challenges in addressing DDoS attacks due to the network speed and the different types of data entering the network [12]. Several DDoS attack detection techniques have been proposed, with two common types of detection, namely misuse detection and anomaly (abnormal) detection [13,14]. Both detection systems have limitations regarding the parameters selected for detecting network patterns. The advantage of misuse detection is that it provides high accuracy; however, it requires complete information on the network. In contrast, anomaly detection does not require prior knowledge of the network, but this approach does not provide the high accuracy offered by misuse detection [15].
Figure 1. DDoS attack in a high-speed network scenario.
In recent years, there have been several reviews in the literature of DoS attacks. For example, the authors of [16] presented a taxonomy of low-rate DoS attacks based on a three-layer modus operandi. The review included slow-rate, service-queue, and Quality of Service (QoS) attacks and described the various detection approaches against eight low-rate DoS attacks. However, the paper did not mention high-speed network DDoS attacks. The authors of [17] presented cutting-edge defense techniques that help to prevent DDoS attacks and reduce the damage to user information. The review elaborates on the prevention techniques for IoT and Software-Defined Network devices. However, DDoS attacks in a high-speed network scenario are not discussed. In [18], the authors described a defense mechanism against DDoS attacks, including the attack response, traffic classification, and attack detection, but not the network details.

2. DDOS Attack Detection in High-Speed Network

The open-source Intrusion Detection Systems Snort and Suricata [78] were evaluated for drop rate and detection accuracy on a 100 Gbps network through a comparison and benchmark [79]. This evaluation covers system resource usage, packet processing speed, packet drop ratio, and detection accuracy. However, a shortcoming of this study is that it does not consider the extensive data on the network. Another model, proposed in [80], the Very Long Short-Term Memory (VLSTM) learning model, deals with the challenges of high dimensionality and imbalance. Its performance was evaluated on the UNSW-NB15 open dataset, and the study reports reconstruction loss, classification loss, and divergence loss. However, anomaly detection tasks remain challenging for imbalanced data.
The extended Berkeley Packet Filter (eBPF) and the eXpress Data Path (XDP) are presented by M. A. Vieira [81] to introduce new technology for packet filtering and to give an example of the standard procedure for using these technologies. The XDP program is written in the C or P4 languages, and its instructions are processed in the kernel or on other programmable devices, such as a smart network interface card. This work mainly focuses on network monitoring, traffic analysis, load balancing, and system profiling. Moreover, the authors dealt with high-speed network data but did not address the packet drop ratio. In Table 1, the studies of the last five years are categorized by year, article reference, main features, advantages, and weaknesses.
Table 1. The studies of DDoS attacks in a high-speed network.
| Year | Article | Main Features | Advantages | Weakness |
|---|---|---|---|---|
| 2018 | [52] | A three-layer module for DDoS attack identification: flow-table delivery module and traffic identification | Applies SVM to DDoS traffic identification. | The flow-table delivery module needs improvement. |
| 2018 | [53] | MoonPol traffic policer for DDoS mitigation | High-performance packet-processing frameworks such as DPDK used by the policer. | A small number of packets randomly fall into subnets of limited ranges. |
| 2018 | [82] | A non-parametric methodology on the data stream | Statistics-based, distance-based detection. | Not optimized to find anomalies. |
| 2018 | [83] | Performance of the eXpress Data Path (XDP) | Just-in-time (JIT) compilation, kernel hook. | Needs to capture packets at a high data rate. |
| 2019 | [55] | Detection of DDoS attacks at the application layer | Analysis of HTTP DDoS monitoring, detection, mitigation, and prevention. | Does not consider high-speed networks. |
| 2019 | [84] | The Big-Flow classification model | Network traffic dataset, scalable. | Does not consider the packet drop ratio. |
| 2019 | [85] | Data-driven cyber-security used for internet traffic analysis | Cybersecurity, network traffic analysis, machine learning (ML), and social scam detection. | Research is required for extensive data networks and domain knowledge of traffic monitoring. |
| 2019 | [86] | Building DDoS mitigation rules in smart NICs by offloading the edge server | Smart NICs can help mitigate the network load on congested servers. | Smart NICs reduce the effectiveness of server resources. |
| 2020 | [58] | Extended Berkeley Packet Filter and eXpress Data Path | Packet filtering. | Does not consider the packet drop ratio. |
| 2020 | [59] | DDoS detection schema | Incoming flows, packet symmetry ratio. | Does not consider delay time. |
| 2020 | [80] | A VLSTM learning model | Reconstruction loss, classification loss, and divergence loss. | Anomaly detection tasks are still challenging for imbalanced data. |
| 2020 | [81] | Extended Berkeley Packet Filter (eBPF) and eXpress Data Path | Network monitoring, network traffic analysis. | Does not deal with big data. |
| 2020 | [87] | Open-source Intrusion Detection Systems: Snort and Suricata | Packet processing speed, packet drop ratio, detection accuracy. | Does not consider the extensive data on the network. |
| 2020 | [88] | Experiment with a Linux subsystem to track containerized user-space programs | Interledger, eBPF, profiling, tracing. | Not designed for an end-to-end view of a distributed system. |
| 2021 | [64] | A new malicious traffic classification scheme based on the Long Short-Term Memory (LSTM) model | LSTM, accuracy, throughput; traffic classification, artificial intelligence, malicious traffic. | With upcoming learning strategies, the metric selection for LSTM could be made more accurate. |
| 2021 | [65] | A new Learning Design Discussion Model (LDDM) | Lower false positive and false negative rates for DDoS attacks. | Detection accuracy on high-speed (100 Gbps) networks still needs improvement. |
| 2021 | [79] | Estimating the flow size of encrypted data at multi-Gbps line rates | Deep Packet Inspection, multi-Gbps line, VPN-buffered traffic. | Detection accuracy on high-speed (100 Gbps) networks still needs improvement. |
| 2021 | [89] | Estimating the number of unique elements or distinct k-constant items in a flow across various traffic measurements | Filters out duplicates, samples the elements, and stores the sampled traffic data in off-chip memory. | Cannot detect distributed denial of service attacks and scanners. |
| 2021 | [90] | Development and deployment of a full-packet capture (FPC-NM) system | Packet reception, data packet storage, and log management. | Rates beyond 40 Gb/s (70 Gb/s and 100 Gb/s) are not covered. |
| 2021 | [91] | Eliminating errors and producing a custom binary for a specific network function | Code-optimization approaches. | Does not sustain packet processing at 100 Gbps. |
| 2022 | [68] | An algorithm that monitors the CPU time used by every connection, with a statistical method for attack detection | Container-based system-call information collected with Linux eBPF at the host level. | Considers only DoS attacks, not DDoS attacks. |
| 2022 | [69] | Signature-based techniques for DDoS mitigation and use of packet generation algorithms (PGA) for attack execution | Full-fledged IDS/IPS solutions such as Snort and Suricata. | The full potential of eBPF and XDP (cross-compiling, modularity) remains to be unlocked. |
| 2022 | [92] | NetFPGA SUME approach used for packet filtering and mitigation of volumetric DDoS attacks | Packet filtering performed in an HSN using a single CPU core. | A 100 Gbit/s data path provides an excellent testing environment. |
| 2022 | [93] | HARNESS schedules and serves as a control plane for USRs, both delay-tolerant and delay-sensitive, to authenticate H.A. services | XDP and eBPF used for coherent and optimized end-to-end operation. | Does not consider the packet drop ratio. |
The researchers in [84] processed a massive amount of network traffic with a verification technique that checked reliability based on the classifier’s outcomes. The Big-Flow classification model is adjusted once suspect packets are found. The focus of this study is the network traffic dataset, but it does not consider the packet drop ratio. According to [59], the DDoS detection schema has numerous traffic functions. This scheme generates precise per-subnet alarms implemented in the data plane without external controllers, allowing for tight control loops. The findings include accurate detection of a realistic attack using accessible traces. It deals with incoming flows and the packet symmetry ratio observed per secured sub-network. The eXpress Data Path is a suitable framework for DDoS protection and for creating a novel scheme to prevent cyber threats. Nevertheless, it handles packet rates of only 1–2 Mpps on 10 Gigabit links and does not scale beyond 10 Gb/s.
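As an added example that is not the code of [59] or of this entry, the per-subnet check described above (inbound packets versus outbound packets for each protected sub-network) computed over constructed flow records; the `Flow` record, the protected subnets, the alarm threshold and the minimum-volume gate are assumptions of this example.

```python
"""Per-subnet packet-symmetry DDoS check (illustrative; not the [59] implementation)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:          # assumed minimal flow record: source, destination, packet count
    src: str
    dst: str
    pkts: int

# Assumed list of secured sub-networks that the detector protects.
PROTECTED = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")]

def subnet_of(addr, subnets):
    """Return the protected subnet containing addr, or None for external hosts."""
    ip = ip_address(addr)
    for net in subnets:
        if ip in net:
            return net
    return None

def symmetry_ratios(flows, subnets=PROTECTED):
    """Map each protected subnet (as a string) to (inbound_pkts, outbound_pkts, ratio).

    Only flows crossing the subnet boundary count; internal-to-internal traffic is
    ignored. ratio = inbound / max(outbound, 1) so a silent subnet cannot divide by zero.
    """
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        src_net, dst_net = subnet_of(f.src, subnets), subnet_of(f.dst, subnets)
        if dst_net is not None and src_net is None:
            inbound[dst_net] += f.pkts
        elif src_net is not None and dst_net is None:
            outbound[src_net] += f.pkts
    return {str(net): (inbound[net], outbound[net], inbound[net] / max(outbound[net], 1))
            for net in subnets}

def detect(flows, threshold=4.0, min_inbound=1000):
    """Alarm on subnets whose inbound/outbound ratio exceeds threshold.

    The min_inbound gate keeps a near-idle subnet with a single unanswered packet
    from being flagged as a flood; both values are assumptions, not from [59].
    """
    return sorted(net for net, (i, _o, r) in symmetry_ratios(flows).items()
                  if i >= min_inbound and r >= threshold)

# Constructed sample: a benign request/response pair per client for 10.0.1.0/24 and
# many sources sending one-way traffic to a single host in 10.0.2.0/24.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.0.1.20", 300), Flow("10.0.1.20", "198.51.100.7", 280),
    Flow("203.0.113.9", "10.0.1.21", 300), Flow("10.0.1.21", "203.0.113.9", 270),
    Flow("10.0.1.20", "10.0.2.10", 40),          # internal traffic, ignored
    Flow("10.0.2.10", "192.0.2.1", 200),          # the only replies the victim manages
] + [Flow(f"192.0.2.{i}", "10.0.2.10", 100) for i in range(1, 51)]

if __name__ == "__main__":
    for net, (i, o, r) in symmetry_ratios(SAMPLE_FLOWS).items():
        print(f"{net}: in={i} out={o} ratio={r:.2f}")
    print("alarms:", detect(SAMPLE_FLOWS))
```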
A Linux subsystem is capable of tracking containerized user-space programs for Interledger connectors, with the ability to control the software stack in development [43]. The tests investigated and evaluated the tool landscape developed to assist eBPF in this project. This project does not show the end-to-end view of a distributed system. In addition, HTTPS-encrypted traffic has been analyzed to determine the user’s operating system and to track the user’s local explorer (browser) and other methods, resulting in a dataset of 20,000 examples with a 96.06% classification accuracy [96]. This traffic analysis technique, which targets SSL/TLS traffic, is a powerful method: an attacker can use such statistics to identify the user’s operating system.
A data-driven cyber security (DDCS) framework can be used for data-driven cyber security, social, and internet traffic analyses, cyber security data collection, cyber security feature engineering, and simulation [85]. The DDCS shows a strong link among data, models, and methodology while reviewing the key recent works in Twitter spam detection and IP traffic classification. However, this work does not mention high-speed data.
The research in [80] suggested a new malicious traffic classification scheme based on the Long Short-Term Memory (LSTM) model. Data annotation for effective traffic classification can result in network loops and bandwidth issues. The choice of LSTM makes the scheme accurate. In [59], the DDoS detection schema has numerous traffic functions. These features are known as formal DoS parameters, such as the arriving flow pattern and the packet symmetry levels observed per secured sub-network. In [97], a full-packet capture (FPC-NM) system operating at 20 Gb/s was developed and deployed. A nanosecond timestamp was used in the FPC-NM system, significantly boosting the accuracy of retrospective analysis of security incidents.
The FPC-NM implementation achieves a 17 Gb/s throughput with 160,000 connections and zero packet loss. Its components encompass packet reception, nanosecond timestamping, load balancing, packet preprocessing, application layer protocol analysis, data packet storage, and log management. By utilizing LZ4 compression, the system achieves real-time compression and storage efficiency at 10 Gb/s and up to 40 Gb/s. However, it does not support 70 Gbps and 100 Gbps. As industry and research institutions install 100 Gbps networks to meet data transfer demands, high-speed networks are becoming more common, leading to significant technical challenges. An Intrusion Detection System cannot efficiently handle network activity at high traffic rates without a high packet drop ratio, which directly affects the detection accuracy. The paper [87] provides a detailed explanation of the open-source IDSs Snort and Suricata, with comparative parameters in a 100 Gb/s network.
A low-rate DDoS attack detection method (LDDM) using a multidimensional sketch structure and network flow measurement allows for a reduction in the data storage cost and improves the detection accuracy [65]. The measurements depend on the Daubechies-4 wavelet transform to calculate each sketch’s energy percentage. This approach differentiates between regular and attack traffic. The LDDM is evaluated on low-rate DDoS attack datasets, but high-rate DDoS attacks are not considered. Figure 2 shows the detection of different irregular traffic patterns.
Figure 2. Irregular traffic pattern detection.
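As an added example (not the code of [65] or of this entry) of the sketch-plus-wavelet idea described above: a count-min-style sketch keeps a per-slot packet count for each hashed flow key, a single-level Daubechies-4 (D4) transform with periodic extension splits each key’s time series into approximation and detail coefficients, and the share of energy in the detail band is the score. The sketch layout, the use of count-min minimum estimates, the single-level transform and the alarm threshold are assumptions of this example, not details from [65].

```python
"""Sketch + D4 wavelet energy-percentage score for low-rate (bursty) DDoS traffic."""
import hashlib
import math

# Daubechies-4 (D4) orthonormal filter: low-pass H and the matching high-pass G.
_S3, _S2 = math.sqrt(3.0), math.sqrt(2.0)
H = [(1 + _S3) / (4 * _S2), (3 + _S3) / (4 * _S2), (3 - _S3) / (4 * _S2), (1 - _S3) / (4 * _S2)]
G = [H[3], -H[2], H[1], -H[0]]

def d4_level1(x):
    """One level of the D4 transform with periodic extension (len(x) even, >= 4)."""
    n = len(x)
    if n < 4 or n % 2:
        raise ValueError("series length must be even and at least 4")
    approx, detail = [], []
    for k in range(0, n, 2):
        win = [x[(k + i) % n] for i in range(4)]
        approx.append(sum(h * v for h, v in zip(H, win)))
        detail.append(sum(g * v for g, v in zip(G, win)))
    return approx, detail

def detail_energy_pct(x):
    """Fraction of the series' energy that lands in the detail (high-frequency) band.

    Smooth, constant-rate traffic gives ~0; periodic bursts push energy into the detail band.
    """
    approx, detail = d4_level1(x)
    ea, ed = sum(v * v for v in approx), sum(v * v for v in detail)
    return ed / (ea + ed) if ea + ed else 0.0

class FlowSketch:
    """Assumed multi-row sketch: rows x width counters, each holding one count per time slot."""
    def __init__(self, rows=3, width=64, slots=16):
        self.rows, self.width, self.slots = rows, width, slots
        self.c = [[[0] * slots for _ in range(width)] for _ in range(rows)]

    def _col(self, row, key):
        digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.width

    def add(self, key, slot, pkts=1):
        for r in range(self.rows):
            self.c[r][self._col(r, key)][slot] += pkts

    def series(self, key):
        """Count-min estimate of the key's per-slot packet counts (min over rows)."""
        return [min(self.c[r][self._col(r, key)][t] for r in range(self.rows))
                for t in range(self.slots)]

    def score(self, key):
        return detail_energy_pct(self.series(key))

def build_sample_sketch():
    """Constructed traffic: a steady victim and a victim hit by bursts every 4th slot."""
    sk = FlowSketch()
    for t in range(sk.slots):
        sk.add("10.0.1.20", t, 50)                 # benign: 50 packets in every slot
        if t % 4 == 0:
            sk.add("10.0.2.10", t, 400)            # low-rate DDoS: short periodic bursts
    return sk

def flag_bursty(sketch, keys, threshold=0.5):
    """Keys whose detail-energy share exceeds threshold (threshold is an assumption)."""
    return [k for k in keys if sketch.score(k) >= threshold]
```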
The architecture in [98] allows network operators to estimate the flow size of encrypted data at multi-Gbps line rates using sampling and sketching mechanisms. It also helps in understanding the behavior of VPN-buffered traffic. The implementation shows a 99% accuracy for the service provider on 6000 tracks for three key factors. The evaluation depends on the track time and starting point, achieving more than 90% precision for the content classification of a given service provider in the best case. Another study presents the performance of the eXpress Data Path (XDP). eBPF is used with XDP to process incoming traffic before kernel data structures are allocated, which improves performance. A second case study uses eBPF to set up socket-level, application-specific packet-filtering options. To eliminate errors and produce a custom binary for a specific network function, Packet-Mill boosts throughput (up to 36.4 Gb/s, 70%) and reduces latency (up to 101 Gb/s, 28%) without continuing unnecessary packet processing at 100 Gb/s. However, new packets arrive 10 times faster than main memory access times while utilizing only one processor core [91]. Apache Storm used the Netty communication component [98], a TCP/IP protocol stack applied for an asynchronous server and client framework, whose efficiency decreases due to context switching and memory copying; it also increased the CPU load of the IP over InfiniBand (IPoIB) communication mode. With the aid of remote direct memory access (RDMA) technology, the scheme implementation can reach up to five times faster than IPoIB and ten times faster than Gigabit Ethernet when tested on Mellanox QDR cards (40 Gb/s). Additionally, this approach considerably reduces the CPU burden and boosts the system throughput.
Comma-separated values (CSV) [97] are a frequently used data interchange format. Powerful databases and stream-processing frameworks across all industries accept CSV as input. The speed of input/output hardware poses significant challenges, as advanced I/O devices such as InfiniBand NICs and NVMe SSDs reach transfer rates of 100 Gb/s and higher. This article aims to increase the input speed of CSV with the help of graphics processing units (GPUs). A new parsing strategy is created that simplifies the control flow while correctly handling context-sensitive CSV features such as quotes. The articles have been studied and categorized based on their main features, advantages, and drawbacks. This section defines the thematic taxonomy for the characterization and classification of irregular traffic pattern schemes on high-speed data networks, in order to achieve the following objectives: end-to-end time, packet drop, packet delay time, scalability, packet processing speed, and detection accuracy. The stated studies are categorized based on six characteristics: (i) detection techniques, (ii) traffic monitoring, (iii) NICs, (iv) traffic flow, (v) traffic filtering, and (vi) objective function.
Network traffic monitoring is the task of ensuring that a network operates smoothly. When any unusual packet arrives on the network, the Network Traffic Monitoring Tool (NTMT) [105] captures that packet. Generally, the NTMT observes all incoming and outgoing packets on the network. Detection accuracy is the agreement between the actual and detected values. The exact value is unknown in several cases, but it is compared with the standard. Accuracy is the ratio of the nearest value to the real value, which is the result. Scalability is a characteristic of a system, model, or function that describes its ability to manage the workload. A scalability test includes many parameters, such as throughput, memory usage, CPU usage, network usage, and response time. Delay time is the time between the source signal and its echo. The most uncomplicated delay effect is a single repeat. A minimum delay of between 30 and 100 ms creates a slap-back echo, while longer delay times produce a more distant echo.

This entry is adapted from the peer-reviewed paper 10.3390/s23156850
