SYN Flood Attack Detection and Mitigation using Machine Learning Traffic Classification and Programmable Data Plane Filtering

Marinos Dimolianis, Adam Pavlidis, Vasilis Maglaris
Network Management & Optimal Design Laboratory (NETMODE)
School of Electrical & Computer Engineering, National Technical University of Athens

24th Conference on Innovation in Clouds, Internet and Networks (ICIN 2021), March 3rd, 2021, Paris, France

Transcript of the slide deck (22 pages)

Page 1: Title slide (title, authors, affiliation and venue as above)

Page 2: SYN Flood Attack (1/2)

Sources cited on the slide:

https://blog.cloudflare.com/network-layer-ddos-attack-trends-for-q4-2020/

https://www.imperva.com/blog/imperva-mitigates-largest-ddos-attacks-of-2020-so-far/

Page 3: SYN Flood Attack (2/2)

Source cited on the slide:

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

Page 4: SYN Flood – State of the art Mitigation

▪ Source IP Filtering (blocks attack traffic)

❑ Number of filtering rules grows proportionally to the number of attacking source IPs

❑ Defeated by IP spoofing: spoofed sources cannot be reliably enumerated and blocked

▪ SYN Cookies (responds to attack traffic)

❑ Source IP verification: connection state is allocated only after the client returns a valid cookie, which proves it received the SYN-ACK

❑ Processing resources consumption: every incoming SYN still has to be hashed and answered

❑ Backscatter traffic: a SYN-ACK is sent to every (possibly spoofed) source address

Page 5: Signature-based Detection & Mitigation

[Figure: system architecture. Monitoring Data exported from the Border Router feed the Signature Classification stage; signatures classified as malicious (Malicious Signatures) pass through Signature Reduction and are installed in the XDP Mitigation Mechanism. In XDP, TCP traffic to the victim is checked against the malicious signatures: a match (Yes) is dropped, no match (No) is handled by SYN Cookies before reaching the Victim. Redirection Signals trigger Attack Redirection of traffic from Internet Sources towards the Protected Networks through the mitigation mechanism. Legend: Network Traffic, TCP Traffic to victim, Control/Management Signalling, Benign Traffic, Dropped Traffic.]

Page 6: Signature Classification (1/2)

▪ Packet aggregation into signatures within time windows: packets of a window that share the same values of the selected packet fields form one signature

▪ Frequency encoding: every field value of a signature is replaced by the fraction of packets in the window that carry that value

Packet fields: ip.src ip.dst ip.dsfield.ecn ip.id ip.flags.df ip.ttl tcp.srcport tcp.dstport tcp.window_size

❑ Example signature (ip.ttl, ip.dst) over a window of 5 packets

ip.ttl   ip.dst        #Packets   ip.ttl_freq   ip.dst_freq
239      192.168.1.1   3          60%           80%
62       192.168.1.1   1          20%           80%
61       10.1.1.1      1          20%           20%
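The aggregation and frequency-encoding step of the slide above, as an added example that is not part of the original deck or the authors' code. The packet records, the 5-second window length and the field names used as dictionary keys are constructed assumptions; the first five packets reproduce the slide's table for the signature (ip.ttl, ip.dst).

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence

Packet = Dict[str, object]

# Constructed sample traffic (not from the paper's datasets). Each record holds the
# header fields a monitoring probe would export plus a capture timestamp in seconds.
# The first five packets fall into window 0 and reproduce the slide's example table.
SAMPLE_PACKETS: List[Packet] = [
    {"ts": 0.4, "ip.src": "203.0.113.7",  "ip.dst": "192.168.1.1", "ip.ttl": 239, "tcp.dstport": 80},
    {"ts": 1.1, "ip.src": "203.0.113.8",  "ip.dst": "192.168.1.1", "ip.ttl": 239, "tcp.dstport": 80},
    {"ts": 2.7, "ip.src": "203.0.113.9",  "ip.dst": "192.168.1.1", "ip.ttl": 239, "tcp.dstport": 80},
    {"ts": 3.0, "ip.src": "198.51.100.4", "ip.dst": "192.168.1.1", "ip.ttl": 62,  "tcp.dstport": 443},
    {"ts": 4.9, "ip.src": "198.51.100.5", "ip.dst": "10.1.1.1",    "ip.ttl": 61,  "tcp.dstport": 22},
    {"ts": 7.2, "ip.src": "198.51.100.6", "ip.dst": "10.1.1.1",    "ip.ttl": 61,  "tcp.dstport": 22},
]


def split_windows(packets: Sequence[Packet], window_s: float) -> Dict[int, List[Packet]]:
    """Bucket packets into consecutive time windows of window_s seconds (window index -> packets)."""
    windows: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        windows[int(p["ts"] // window_s)].append(p)
    return dict(windows)


def aggregate(packets: Sequence[Packet], fields: Sequence[str]) -> Counter:
    """Aggregate one window into signatures: tuple of the chosen field values -> packet count."""
    return Counter(tuple(p[f] for f in fields) for p in packets)


def frequency_encode(packets: Sequence[Packet], fields: Sequence[str]) -> List[Dict[str, object]]:
    """One row per signature of the window, carrying the raw values, the packet count and,
    for every field, the fraction of packets in the whole window that carry that value."""
    total = len(packets)
    value_freq = {f: Counter(p[f] for p in packets) for f in fields}
    rows = []
    for sig, count in aggregate(packets, fields).items():
        row: Dict[str, object] = dict(zip(fields, sig))
        row["#Packets"] = count
        for f, v in zip(fields, sig):
            row[f + "_freq"] = value_freq[f][v] / total
        rows.append(row)
    rows.sort(key=lambda r: -int(r["#Packets"]))  # most frequent signature first; stable otherwise
    return rows


def feature_matrix(rows: Sequence[Dict[str, object]], fields: Sequence[str]) -> List[List[float]]:
    """The numeric vectors a classifier is trained on: only the encoded frequencies.
    Raw values (addresses, TTLs, ports) are dropped on purpose so the model learns traffic
    shape rather than memorising the values of one attack."""
    return [[float(r[f + "_freq"]) for f in fields] for r in rows]


if __name__ == "__main__":
    fields = ("ip.ttl", "ip.dst")
    for idx, window in sorted(split_windows(SAMPLE_PACKETS, 5).items()):
        print(f"window {idx}:")
        for r in frequency_encode(window, fields):
            print("  ", {k: (f"{v:.0%}" if k.endswith("_freq") else v) for k, v in r.items()})
```

Frequency encoding is what makes the signature model transferable between attacks: a flood with a single TTL value produces an `ip.ttl_freq` near 100% whatever the TTL value itself is, so a model trained on one attack dataset can still recognise another with different raw values.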

Page 7: Signature Classification (2/2)

▪ Signature classification via supervised learning: the frequency-encoded signatures of the previous slide are the model input, and each signature is labelled benign or malicious

ip.ttl   ip.dst        #Packets   ip.ttl_freq   ip.dst_freq
239      192.168.1.1   3          60%           80%
62       192.168.1.1   1          20%           80%
61       10.1.1.1      1          20%           20%


Page 10–13: Signature Reduction

▪ Multi-objective optimization formulated as a feature selection problem over the packet fields

Packet fields: ip.src ip.dst ip.dsfield.ecn ip.id ip.flags.df ip.ttl tcp.srcport tcp.dstport tcp.window_size

▪ Objectives minimized simultaneously

❑ the number of malicious signatures (fewer fields give fewer distinct signatures, hence fewer filtering rules)

❑ the dropped benign traffic (fewer fields give coarser signatures that also match benign packets)

▪ Solved with the Non-dominated Sorting Genetic Algorithm II (NSGA-II)
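A worked instance of the two-objective feature-selection problem, added here as an example and not taken from the deck or the authors' implementation. The traffic is constructed with a fixed seed (a spoofed flood against one victim plus mixed benign traffic); both objectives are computed exactly as the slide defines them. Because nine fields give only 511 non-empty subsets, the Pareto front is found here by exhaustive enumeration, a stand-in for NSGA-II that yields the same front on a problem this small.

```python
import random
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

FIELDS = ("ip.src", "ip.dst", "ip.dsfield.ecn", "ip.id", "ip.flags.df",
          "ip.ttl", "tcp.srcport", "tcp.dstport", "tcp.window_size")
VICTIM = "192.0.2.10"
_rng = random.Random(2021)  # fixed seed: the constructed traffic below is reproducible

Packet = Dict[str, object]


def make_malicious(n: int) -> List[Packet]:
    """Constructed SYN flood: a unique spoofed source per packet, one victim, port 80,
    a small set of TTLs and a fixed window size (typical of a flooding tool)."""
    return [{
        "ip.src": f"10.{i // 256}.{i % 256}.1", "ip.dst": VICTIM,
        "ip.dsfield.ecn": 0, "ip.id": _rng.randrange(65536), "ip.flags.df": 0,
        "ip.ttl": _rng.choice((239, 240, 241)),
        "tcp.srcport": _rng.randrange(1024, 65536), "tcp.dstport": 80,
        "tcp.window_size": 1024,
    } for i in range(n)]


def make_benign(n: int) -> List[Packet]:
    """Constructed benign SYNs: varied hosts, ports, TTLs and windows, some to the victim."""
    return [{
        "ip.src": f"172.16.{i // 256}.{i % 256}", "ip.dst": _rng.choice((VICTIM, "192.0.2.11")),
        "ip.dsfield.ecn": 0, "ip.id": _rng.randrange(65536), "ip.flags.df": _rng.choice((0, 1)),
        "ip.ttl": _rng.choice((64, 128, 239, 255)),
        "tcp.srcport": _rng.randrange(1024, 65536), "tcp.dstport": _rng.choice((80, 443)),
        "tcp.window_size": _rng.choice((1024, 29200, 65535)),
    } for i in range(n)]


MALICIOUS = make_malicious(200)
BENIGN = make_benign(100)


def signatures(packets: Sequence[Packet], fields: Sequence[str]) -> set:
    """Distinct signatures (tuples of the selected field values) present in the packets."""
    return {tuple(p[f] for f in fields) for p in packets}


def evaluate(fields: Sequence[str], malicious: Sequence[Packet], benign: Sequence[Packet]) -> Tuple[int, int]:
    """The two objectives for one field subset:
    (number of malicious signatures, number of benign packets those signatures would drop)."""
    bad = signatures(malicious, fields)
    dropped = sum(1 for p in benign if tuple(p[f] for f in fields) in bad)
    return len(bad), dropped


def pareto_front(malicious: Sequence[Packet], benign: Sequence[Packet],
                 all_fields: Sequence[str]) -> List[Tuple[Tuple[str, ...], int, int]]:
    """Exhaustive search over all non-empty field subsets; returns the non-dominated
    (fields, n_signatures, dropped_benign) solutions sorted by number of signatures."""
    best: Dict[Tuple[int, int], Tuple[str, ...]] = {}
    for k in range(1, len(all_fields) + 1):
        for subset in combinations(all_fields, k):
            best.setdefault(evaluate(subset, malicious, benign), subset)  # keep smallest subset per point
    front, best_dropped = [], None
    for (n_sigs, dropped), subset in sorted(best.items()):
        if best_dropped is None or dropped < best_dropped:  # strictly better on the 2nd objective
            front.append((subset, n_sigs, dropped))
            best_dropped = dropped
    return front


if __name__ == "__main__":
    print("all fields:", evaluate(FIELDS, MALICIOUS, BENIGN))
    for subset, n_sigs, dropped in pareto_front(MALICIOUS, BENIGN, FIELDS):
        print(f"{n_sigs:4d} signatures, {dropped:3d}/{len(BENIGN)} benign dropped  <- {subset}")
```

The first objective is what bounds the size of the filtering rule set installed in the data plane; the second is the collateral damage. Using all nine fields gives one rule per spoofed source and no collateral damage, which is exactly the rule explosion the slide on state-of-the-art mitigation warns about; dropping fields collapses the flood into a handful of signatures at the price of some benign packets, and the front exposes that trade-off so an operator can pick a point.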

Page 14: eXpress Data Path Mitigation Mechanism

▪ Programmable packet matching & dropping in XDP

▪ Signature-based filtering: a packet matching one of the malicious signatures (Yes) is dropped

▪ SYN cookies: packets matching no signature (No) are handled by SYN cookies before reaching the Victim

[Figure: decision flow in XDP: Malicious Signatures match? Yes: drop. No: SYN Cookies, then Victim]
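An added example, not code from the deck or the authors' XDP program, that models both the SYN-cookie mechanism of page 4 and the two-stage data-plane pipeline of this slide in plain Python. The cookie layout is the classic one (5-bit time counter, 3-bit MSS index, 24-bit keyed hash over the 4-tuple); the HMAC key, the MSS table, the signature fields and the packet dictionaries are constructed assumptions, and the `XDP_*` verdicts only name the actions a real eBPF program would return.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

SECRET = b"constructed demo key; a real host uses a random per-boot secret"
MSS_TABLE = (536, 1220, 1440, 1460)   # 3-bit index -> MSS the client advertised, rounded down
SIG_FIELDS = ("ip.dst", "ip.ttl", "tcp.dstport", "tcp.window_size")  # assumed reduced signature

Packet = Dict[str, object]


def cookie_counter(now: Optional[float] = None) -> int:
    """Slowly moving 5-bit counter (one tick per minute) that bounds a cookie's lifetime."""
    return int((time.time() if now is None else now) // 60) & 0x1F


def _cookie_hash(saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash binding the cookie to the connection 4-tuple and the counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr: str, daddr: str, sport: int, dport: int, client_mss: int, t: int) -> int:
    """ISN of the SYN-ACK: counter (5 bits) | MSS index (3 bits) | keyed hash (24 bits).
    Nothing is stored for the half-open connection; the cookie carries all the state."""
    m = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            m = i
    t &= 0x1F
    return (t << 27) | (m << 24) | _cookie_hash(saddr, daddr, sport, dport, t)


def check_syn_cookie(cookie: int, saddr: str, daddr: str, sport: int, dport: int,
                     t_now: int, max_age: int = 1) -> Optional[int]:
    """Return the encoded MSS if the cookie is genuine for this 4-tuple and recent, else None.
    A valid cookie proves the peer received the SYN-ACK at saddr (source IP verification)."""
    t = cookie >> 27
    if (t_now - t) & 0x1F > max_age:          # stale, or from the future
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 7]


def packet(src: str, dst: str, sport: int, dport: int, ttl: int, window: int,
           syn: bool, ack: bool, ack_num: int = 0, mss: int = 1460) -> Packet:
    """Constructed packet record with just the fields the filter looks at."""
    return {"ip.src": src, "ip.dst": dst, "tcp.srcport": sport, "tcp.dstport": dport,
            "ip.ttl": ttl, "tcp.window_size": window, "syn": syn, "ack": ack,
            "ack_num": ack_num, "mss": mss}


def xdp_syn_flood_filter(pkt: Packet, malicious_signatures: Set[Tuple], t_now: int) -> Tuple[str, object]:
    """Simulated per-packet XDP logic. Stage 1: signature match -> drop.
    Stage 2: SYN cookies for everything else. Returns (verdict, detail)."""
    if tuple(pkt[f] for f in SIG_FIELDS) in malicious_signatures:
        return "XDP_DROP", "matched malicious signature"
    if pkt["syn"] and not pkt["ack"]:
        cookie = make_syn_cookie(pkt["ip.src"], pkt["ip.dst"], pkt["tcp.srcport"],
                                 pkt["tcp.dstport"], pkt["mss"], t_now)
        return "XDP_TX", cookie        # SYN-ACK with ISN=cookie sent back out the same interface
    if pkt["ack"] and not pkt["syn"]:
        mss = check_syn_cookie(pkt["ack_num"] - 1, pkt["ip.src"], pkt["ip.dst"],
                               pkt["tcp.srcport"], pkt["tcp.dstport"], t_now)
        if mss is None:
            return "XDP_DROP", "invalid or stale SYN cookie"
        return "XDP_PASS", mss         # handshake verified: the kernel may now create the socket
    return "XDP_PASS", None


if __name__ == "__main__":
    sigs = {("192.0.2.10", 239, 80, 1024)}
    now = cookie_counter()
    flood = packet("10.9.9.9", "192.0.2.10", 5555, 80, 239, 1024, syn=True, ack=False)
    print(xdp_syn_flood_filter(flood, sigs, now))
    syn = packet("198.51.100.1", "192.0.2.10", 40000, 80, 64, 29200, syn=True, ack=False, mss=1400)
    verdict, cookie = xdp_syn_flood_filter(syn, sigs, now)
    ack = packet("198.51.100.1", "192.0.2.10", 40000, 80, 64, 29200, syn=False, ack=True, ack_num=cookie + 1)
    print(verdict, hex(cookie), xdp_syn_flood_filter(ack, sigs, now))
```

The ordering matters for the performance numbers on the evaluation slides: a signature match costs one lookup and no transmit, whereas the cookie path costs a hash plus a SYN-ACK for every SYN, including spoofed ones, which is the processing and backscatter cost listed on page 4. The signature stage therefore takes the bulk of the flood and the cookie stage only sees the residue plus legitimate clients.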

Page 15: Experimental Evaluation (outline)

▪ Datasets

▪ Signature Classification Accuracy

▪ Signature Reduction Evaluation

▪ SYN Flood Mitigation Performance

Page 16: Experimental Evaluation – Datasets

▪ Benign datasets B1, B2 from WIDE-F [1]

▪ Malicious datasets A1 – A5 (SYN flood attacks)

Per-field value counts (number of distinct values observed) in each attack dataset:

Attack   ip.src    ip.dst   ip.dsfield.ecn   ip.flags.df   tcp.srcport   tcp.dstport   ip.id   ip.ttl   tcp.window_size
A1       15        1        1                1             65535         65535         1       3        1
A2       760863    1        1                1             65534         65534         1       4        1
A3       839660    1        1                1             65535         65535         1       4        1
A4       3415575   1        1                1             65536         1             65535   2        1
A5       1493948   1        1                1             65536         1             65535   3        1

[Figure: TCP SYN Attacks Packet Rate; Kpps (0 to 100) versus Time (s) (0 to 60), one curve per attack A1 – A5]

1. http://mawi.wide.ad.jp/mawi/

Page 17: Signature Detection Accuracy

▪ Supervised learning models

❑ Random Forest (RF) – Multilayer Perceptron (MLP)

[Figure: five charts of True Positive Rate, TPR (%), on a 0% to 100% scale, with Training Dataset (A1/B1, A2/B1, A3/B1, A4/B1, A5/B1) against Test Dataset (A1/B2, A2/B2, A3/B2, A4/B2, A5/B2). Panels: RF – TPR (5s), RF – TPR (10s), RF – TPR (30s), MLP – TPR (10s), MLP – TPR (30s); the value in parentheses is the aggregation time window.]


Page 19: Signature Reduction Evaluation

▪ NSGA-II (Platypus implementation [1])

▪ Signature reduction of 99.99%

▪ Worst case for dropped benign traffic ≈ 2%

Datasets   #Malicious Signatures   #Signatures after Reduction (Range)
A1+B1      758078                  [1, 15]
A2+B1      1070311                 [1, 4]
A3+B1      1331799                 [1, 4]
A4+B1      3417663                 [1, 2]
A5+B1      1494425                 [1, 3]

1. https://platypus.readthedocs.io/en/latest/

Page 20: SYN Flood Mitigation Performance

▪ Packet processing performance evaluation of three XDP implementations

❑ SYN cookies (state-of-the-art baseline, no signature filtering)

❑ BPF MAP (signatures stored in an eBPF map in memory and looked up per packet)

❑ STATIC (signatures compiled into the XDP program as if-then-else conditions)

XDP Implementation   Packets blocked (%) out of 10 Mpps offered
SYN cookies          47%
BPF MAP              70%
STATIC               92%

Page 21: Conclusions & Future Directions

Conclusions

▪ SYN Flood DDoS Detection & Mitigation

❑ High accuracy using supervised learning methods

❑ Effective & efficient mitigation

Future Work

▪ Explore other attack vectors, e.g. SYN-ACK and ACK floods

▪ Extend the approach to collaborative schemes towards cooperative DDoS detection & mitigation

▪ Deploy and evaluate the mechanism within production environments

Page 22: THANK YOU!

Marinos Dimolianis

[email protected]