Title: Intelligent Services for Detection and Mitigation of Distributed Denial-of-Service Attacks in Programmable Network Environments
Authors: Δημολιάνης, Μαρίνος
Μάγκλαρης, Βασίλειος
Keywords: DDoS attacks, Anomaly Detection, Attack Mitigation, Software-Defined Networking (SDN), Data Plane Programmability, P4, eXpress Data Path (XDP), Supervised Learning, Federated Learning
Issue Date: 19-Apr-2022
Abstract: In this dissertation, we leverage the capabilities offered by the Network Softwarization paradigm and combine them with advanced data analysis techniques, i.e. Machine Learning (ML), to develop an integrated protection framework against cyberattacks. We focus on Distributed Denial-of-Service (DDoS) attacks and implement mechanisms for efficient network data collection, fast and reliable anomaly detection, and effective mitigation. Initially, we design a DDoS detection mechanism entirely offloaded to the data plane using the P4 language. Through traffic features computed and evaluated in-network, DDoS attack victims are identified within short time windows. Detection in the data plane avoids the control-plane round trip that delays real-time detection and mitigation of network attacks. Identifying the victim of a network attack is only the first step towards mitigating it and must be followed by traffic classification. Thus, in this dissertation we introduce a novel signature-based classification and mitigation scheme built on softwarized data planes, i.e. the eXpress Data Path (XDP). Supervised Learning algorithms (Random Forests, Multilayer Perceptrons), applied to packet features (signatures), separate malicious from benign packets. The employed features are pre-selected through an automated process that eliminates inconsequential features. To expedite mitigation and ease the management of filtering rules, source-IP-agnostic rules tailored to the attack traffic are generated. This is achieved via a multi-objective optimization formulation that minimizes the number of filtering rules while limiting the impact on benign traffic. The proposed signature-based mechanism is evaluated on two broad categories of DDoS attacks, protocol attacks (i.e. SYN Flood) and volumetric attacks (i.e. DNS Amplification).
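The two stages the abstract describes, in-network victim detection followed by source-IP-agnostic signature rules, can be sketched in a small Python model. The block below is an added example and is not code from the dissertation: the packet sample is constructed, the detection thresholds and the feature set are assumptions, the malicious/benign labels are constructed ground truth where the thesis applies a trained classifier, and the greedy set cover is a stand-in for the thesis's multi-objective formulation, not its solver.

```python
"""Added example, not the dissertation's code: a toy model of the two-stage
pipeline the abstract describes.  Stage 1 imitates in-network victim detection
(per-destination SYN counters over a short window, as a P4 pipeline would keep
in registers).  Stage 2 imitates signature-based, source-IP-agnostic rule
synthesis: from packets labelled malicious/benign, greedily pick feature-value
rules that cover the most attack packets while keeping benign collateral under
a budget.  Labels are constructed ground truth where the thesis applies a
trained classifier; the greedy cover stands in for its multi-objective solver.
Thresholds, feature choice and the traffic sample are all assumptions."""
from collections import Counter
from itertools import combinations

# Signature features: header fields only, never the source IP, so one rule can
# cover a whole spoofed botnet.
FEATURES = ("proto", "tcp_flags", "ttl", "pkt_len")


def make_sample():
    """Constructed traffic (not captured data): a spoofed SYN flood against
    10.0.0.5 from two bot families, mixed with benign handshakes."""
    pkts = []
    for i in range(40):  # 40 spoofed sources, one SYN each, two header signatures
        ttl = 64 if i < 30 else 32
        pkts.append(dict(ts=0.01 * i, src=f"198.51.100.{i}", dst="10.0.0.5",
                         proto="tcp", tcp_flags="S", ttl=ttl, pkt_len=40, label="attack"))
    for i, ttl in enumerate((128, 55, 64, 118)):  # benign clients: SYN then ACK
        pkts.append(dict(ts=0.05 * i, src=f"203.0.113.{i}", dst="10.0.0.5",
                         proto="tcp", tcp_flags="S", ttl=ttl, pkt_len=60, label="benign"))
        pkts.append(dict(ts=0.05 * i + 0.02, src=f"203.0.113.{i}", dst="10.0.0.5",
                         proto="tcp", tcp_flags="A", ttl=ttl, pkt_len=52, label="benign"))
    # a benign SYN that shares the flood's packet length but not its TTL
    pkts.append(dict(ts=0.3, src="203.0.113.77", dst="10.0.0.5",
                     proto="tcp", tcp_flags="S", ttl=128, pkt_len=40, label="benign"))
    for i in range(5):  # a second server under normal load
        pkts.append(dict(ts=0.1 * i, src=f"203.0.113.{100 + i}", dst="10.0.0.9",
                         proto="tcp", tcp_flags="S", ttl=128, pkt_len=60, label="benign"))
        pkts.append(dict(ts=0.1 * i + 0.02, src=f"203.0.113.{100 + i}", dst="10.0.0.9",
                         proto="tcp", tcp_flags="A", ttl=128, pkt_len=52, label="benign"))
    return pkts


def detect_victims(pkts, window=1.0, min_syn=20, min_ratio=4.0):
    """Stage 1: flag destinations whose SYN count and SYN/ACK ratio within a
    window exceed thresholds (assumed values; the thesis derives its own)."""
    syn, ack = Counter(), Counter()
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        key = (int(p["ts"] // window), p["dst"])
        if p["tcp_flags"] == "S":
            syn[key] += 1
        elif "A" in p["tcp_flags"]:
            ack[key] += 1
    victims = set()
    for (win, dst), s in syn.items():
        if s >= min_syn and s / (ack[(win, dst)] + 1) >= min_ratio:
            victims.add(dst)
    return victims


def matches(rule, p):
    return all(p[f] == v for f, v in rule)


def synthesize_rules(pkts, victim, max_rules=4, collateral_budget=0.05):
    """Stage 2: greedy cover of attack packets with feature-value rules.
    Candidates are every non-empty subset of FEATURES instantiated from an
    attack packet; each pick maximizes newly covered attack packets and is
    rejected if cumulative benign collateral would exceed the budget."""
    to_victim = [p for p in pkts if p["dst"] == victim]
    attack = [p for p in to_victim if p["label"] == "attack"]
    benign = [p for p in to_victim if p["label"] == "benign"]
    candidates = {tuple((f, p[f]) for f in subset)
                  for p in attack
                  for r in range(1, len(FEATURES) + 1)
                  for subset in combinations(FEATURES, r)}
    chosen, covered, dropped = [], set(), set()
    while len(chosen) < max_rules:
        best, best_gain = None, 0
        for rule in sorted(candidates, key=len):  # shorter rules win ties
            gain = sum(1 for i, p in enumerate(attack)
                       if i not in covered and matches(rule, p))
            hits = dropped | {i for i, p in enumerate(benign) if matches(rule, p)}
            if gain > best_gain and len(hits) <= collateral_budget * len(benign):
                best, best_gain = rule, gain
        if best is None:
            break
        chosen.append(best)
        covered |= {i for i, p in enumerate(attack) if matches(best, p)}
        dropped |= {i for i, p in enumerate(benign) if matches(best, p)}
        candidates.discard(best)
    return chosen, len(covered) / len(attack), len(dropped) / max(len(benign), 1)


if __name__ == "__main__":
    sample = make_sample()
    for victim in detect_victims(sample):
        rules, coverage, collateral = synthesize_rules(sample, victim)
        print(victim, rules, f"coverage={coverage:.2f} collateral={collateral:.2f}")
```

On the constructed sample the flood from 40 spoofed sources collapses to two header rules (one per bot family) that drop every attack packet and no benign one; a per-source-IP blocklist would have needed 40 entries and would still miss the next spoofed address.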
Based on experimental evaluations, our approach outperforms state-of-the-art flow-based protection mechanisms by (i) detecting attacks within shorter time windows, (ii) optimizing the number and type of filtering rules, and (iii) achieving higher packet filtering performance. Finally, in this dissertation, we extend our signature-based scheme to collaborative network environments. Collaborative DDoS detection relies on Federated Learning techniques, which enable cooperative and privacy-aware learning (participants share model updates, not raw traffic). Collaborative DDoS mitigation is implemented in programmable XDP-based middleboxes, providing a scalable, cost-effective protection-as-a-service mechanism. In contrast to traditional protection schemes, we allow data exchange amongst disjoint network domains in compliance with data privacy legislation; moreover, we offer a flexible yet efficient firewall solution offloaded to Commercial-off-the-Shelf hardware. Our integrated protection framework is deployed on programmable network hardware and evaluated using production network data from diverse and heterogeneous network environments, enabling fully realistic experimentation.
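The collaborative detection step rests on federated averaging: each domain fits a classifier on packets it never discloses and only the model parameters cross the domain boundary. The block below is an added example, not the dissertation's code: it uses a logistic-regression learner in place of the thesis's Random Forests and MLPs, and the binary features, the two local datasets, the learning rate and the round counts are assumptions chosen to keep the run small.

```python
"""Added example, not the dissertation's code: federated averaging (FedAvg)
of a logistic-regression packet classifier across two network domains.  Each
domain trains on its own labelled packets and ships only a weight vector and a
sample count to a coordinator, which returns the sample-weighted mean; raw
packets never leave the domain.  The binary features, the two local datasets,
the learning rate and the round counts are assumptions.  The thesis uses
richer learners (Random Forests, MLPs) and production traces; the aggregation
step is what this example isolates."""
import math

FEATURE_NAMES = ("bias", "is_syn", "small_pkt", "low_ttl")


def featurize(pkt):
    """pkt = (tcp_flags, pkt_len, ttl) -> assumed pre-selected binary signature."""
    flags, length, ttl = pkt
    return (1.0, float(flags == "S"), float(length <= 44), float(ttl <= 64))


# Constructed local datasets, (packet, label) with 1 = attack.  Both domains see
# a small-packet SYN flood; their benign traffic differs (TTL mix, packet sizes).
DOMAIN_A = ([(("S", 40, 64), 1)] * 3 + [(("S", 60, 128), 0)] * 2
            + [(("A", 52, 128), 0)] * 2 + [(("A", 52, 64), 0)])
DOMAIN_B = ([(("S", 40, 32), 1)] * 2 + [(("S", 60, 55), 0)] * 2
            + [(("A", 52, 55), 0)] * 2 + [(("A", 1500, 128), 0)])


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def score(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def local_train(w_global, data, lr=1.0, epochs=10):
    """Client step: full-batch gradient descent on the logistic loss, starting
    from the current global model.  Runs inside the domain; sees raw packets."""
    w = list(w_global)
    xs = [featurize(p) for p, _ in data]
    ys = [y for _, y in data]
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(xs, ys):
            err = sigmoid(score(w, x)) - y
            for j, xj in enumerate(x):
                grad[j] += err * xj
        w = [wj - lr * gj / len(xs) for wj, gj in zip(w, grad)]
    return w


def fed_avg(updates):
    """Coordinator step: sample-count-weighted mean of client weight vectors.
    updates = [(weights, n_samples), ...]; no packet data is ever passed in."""
    total = sum(n for _, n in updates)
    return [sum(w[j] * n for w, n in updates) / total
            for j in range(len(updates[0][0]))]


def run_federation(domains, rounds=30):
    """Returns the global model and the coordinator's transcript, which holds
    only (weights, sample count) pairs per round."""
    w = [0.0] * len(FEATURE_NAMES)
    transcript = []
    for _ in range(rounds):
        updates = [(local_train(w, d), len(d)) for d in domains]
        transcript.append(updates)
        w = fed_avg(updates)
    return w, transcript


def accuracy(w, data):
    hits = sum((score(w, featurize(p)) > 0) == bool(y) for p, y in data)
    return hits / len(data)


if __name__ == "__main__":
    w, transcript = run_federation([DOMAIN_A, DOMAIN_B])
    print({n: round(v, 2) for n, v in zip(FEATURE_NAMES, w)})
    print("accuracy A:", accuracy(w, DOMAIN_A), "B:", accuracy(w, DOMAIN_B))
```

The transcript is the only thing the coordinator ever holds, which is the property that makes the scheme compatible with domains that cannot share traffic; the weight vectors themselves still leak aggregate information about the local data, which is why production deployments pair FedAvg with secure aggregation or differential privacy.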
Appears in Collections: Doctoral Dissertations - Ph.D. Theses

Files in This Item:
MD_dissertation.pdf (Adobe PDF, 4.67 MB)
