based DoS network activities are not isolated, but are related as different stages of a series of cyber-attacks. Intuitively, their traces can be caught even though they are carefully hidden behind normal network activities and carry forged footprints. For example, the distribution of the inter-arrival times of a series of malicious requests to a web server can be identified even when those malicious requests are sent with forged IP headers. In order to launch a successful flooding-based DoS attack, the attacker has to send enough requests to overwhelm the target's service capacity. Therefore, such malicious service requests tend to be intensive and to follow a best-effort approach.

The remainder of this paper is organized as follows: Section 2 reviews related work. Section 3 covers the background of flooding-based DoS attacks. Section 4 introduces the simulated normal and malicious traffic. Section 5 describes the characteristics of the selected network traffic captured by CAIDA. Section 6 explains the fluid-based approach on a single congested network. Section 7 discusses the performance of our model under the simulated normal and malicious traffic. Section 8 concludes this paper and points out future work.
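The inter-arrival-time argument above can be made concrete with a small detection script. The following is an added illustration, not part of this paper and not its fluid-based model: it builds a constructed trace (not CAIDA data) in which ~20 requests/s of Poisson-distributed legitimate traffic is overlaid, between t=5 s and t=7 s, with a best-effort flood whose packets are spaced about 1 ms apart and each carry a freshly forged source address. Aggregating per destination and per one-second window, it flags windows whose request count is far above the per-destination median and whose inter-arrival coefficient of variation (CV) is small. The window size, the 5x rate factor and the CV cutoff of 0.3 are assumed thresholds chosen for this example.

```python
"""Inter-arrival-time flood detection over a constructed packet trace (added example)."""
import random
import statistics
from collections import defaultdict


def build_trace(seed=42):
    """Return a constructed list of (timestamp_s, src_ip, dst_ip) records, not real data."""
    rng = random.Random(seed)
    records = []
    # 12 s of legitimate traffic: Poisson arrivals at ~20 requests/s from 20 known clients
    clients = [f"10.0.0.{i}" for i in range(1, 21)]
    t = 0.0
    while t < 12.0:
        t += rng.expovariate(20.0)
        records.append((t, rng.choice(clients), "192.0.2.10"))
    # 2 s flood between t=5 and t=7: best-effort 1 ms spacing with +-0.1 ms jitter,
    # every packet with a forged (random) source address, so per-source rate limits see nothing
    t = 5.0
    while t < 7.0:
        t += 0.001 + rng.uniform(-0.0001, 0.0001)
        spoofed = "{}.{}.{}.{}".format(rng.randint(1, 223), rng.randint(0, 255),
                                       rng.randint(0, 255), rng.randint(1, 254))
        records.append((t, spoofed, "192.0.2.10"))
    records.sort()
    return records


def inter_arrival_stats(timestamps):
    """Return (mean, coefficient of variation) of the gaps between sorted timestamps,
    or None when there are fewer than two gaps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return mean, cv


def window_features(records, window=1.0):
    """Bucket records by (dst_ip, window index) and compute per-bucket features."""
    buckets = defaultdict(list)
    for ts, src, dst in records:
        buckets[(dst, int(ts // window))].append((ts, src))
    feats = {}
    for key, items in buckets.items():
        items.sort()
        stats = inter_arrival_stats([x[0] for x in items])
        feats[key] = {
            "count": len(items),
            "distinct_sources": len({x[1] for x in items}),
            "iat_cv": stats[1] if stats else None,
        }
    return feats


def detect_flood_windows(records, window=1.0, rate_factor=5.0, cv_max=0.3):
    """Flag (dst, window, count, distinct_sources, iat_cv) for windows that are both
    far above the destination's median request count and unusually regular in timing.
    Forged sources do not matter here: the aggregation key is the destination, not the source."""
    feats = window_features(records, window)
    per_dst_counts = defaultdict(list)
    for (dst, _), f in feats.items():
        per_dst_counts[dst].append(f["count"])
    flagged = []
    for (dst, w), f in sorted(feats.items()):
        baseline = statistics.median(per_dst_counts[dst])  # attack windows are a minority
        if (f["iat_cv"] is not None
                and f["count"] > rate_factor * baseline
                and f["iat_cv"] < cv_max):
            flagged.append((dst, w, f["count"], f["distinct_sources"], round(f["iat_cv"], 3)))
    return flagged


if __name__ == "__main__":
    for row in detect_flood_windows(build_trace()):
        print("flood suspected:", row)
```

Running the script flags only the two windows covering t=5 s to t=7 s; each has roughly a thousand requests from almost as many distinct (forged) sources, yet an inter-arrival CV near 0.1, whereas the Poisson windows have CVs near 1. Legitimate flash crowds are the main false-positive risk for a rule like this, which is one reason the paper turns to a traffic model rather than a fixed threshold.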
Related Work

Several studies have addressed strategies for mitigating cyber-attacks. Lobo et al. [9] studied attacks and countermeasures for Windows rootkits: software used to hide malicious activities and allow attackers to take control of victims. Several suggestions were issued to Microsoft and the research community for developing future Windows operating systems. Shafi [10] surveyed security challenges in Cyber-Physical Systems (CPS). Agresti [11] proposed four distinct forces that will shape the future evolution of cybersecurity. Michael et al. [12] emphasized the importance of integrating legal and policy considerations into cyber-preparedness. Eom et al. [13] developed an active cyber-attack model for assessing network vulnerabilities. Yu et al. [14] discussed models and countermeasures for
Abstract

Network traffic traces provide valuable information for researchers studying the behavior of normal and malicious network activities. Although traffic traces are sufficient to reveal packet-level and connection-level details of most network activities, identifying specific malicious network activities is still a major challenge: many malicious network activities are able to hide themselves behind normal activities using forged packet and connection information. In practice, mechanisms that can effectively extract malicious network activities from raw traffic traces are emerging and will benefit the network security community and related communities as well. In this paper, a fluid-based approach for modeling simulated normal and malicious flooding-based denial of service (DoS) network activities is developed. To approach this goal, several raw traffic traces gathered by the Cooperative Association for Internet Data Analysis (CAIDA) are analyzed and investigated.