Document Type

Dissertation

Degree

Doctor of Philosophy (PhD)

Major/Program

Electrical Engineering

First Advisor's Name

Kemal Akkaya

First Advisor's Committee Title

committee chair

Second Advisor's Name

A. Selcuk Uluagac

Second Advisor's Committee Title

committee member

Third Advisor's Name

Alexander Perez-Pons

Third Advisor's Committee Title

committee member

Fourth Advisor's Name

Deng Pan

Fourth Advisor's Committee Title

committee member

Keywords

moving target defense, link flooding attack, software defined networking

Date of Defense

6-17-2020

Abstract

With the increasing diversity and complexity of Distributed Denial-of-Service (DDoS) attacks, it has become extremely challenging to design a fully protected network. For instance, a recently introduced type of attack called the Stealthy Link Flooding Attack (SLFA) has been shown to cause critical network disconnection problems: the attacker targets the communication links in the surrounding area of a server rather than the server itself. The existing defense mechanisms for this type of attack are based on the detection of unusual traffic patterns; however, this may be too late, as severe damage might already have been done. These mechanisms also do not consider countermeasures during the reconnaissance phase of these attacks. Over the last few years, moving target defense (MTD) has received increasing attention from the research community. The idea is based on frequently changing the network configuration to make it much more difficult for attackers to attack the network.

In this dissertation, we investigate several novel frameworks based on MTD to defend against contemporary DDoS attacks. Specifically, we first introduce MTD against the data phase of SLFA, where the bots send data packets toward the target links. In this framework, we mitigate the traffic if the bandwidth usage of a communication link exceeds a given threshold, and we experimentally show that our method significantly alleviates the congestion. As a second work, we propose a framework that considers the reconnaissance phase of SLFA, where the attacker strives to discover critical communication links. We create virtual networks to deceive the attacker and to provide forensic features. In our third work, we consider legitimate network reconnaissance requests while keeping the attacker confused. To this end, we integrate cloud technologies as overlay networks into our system. We demonstrate that the developed mechanism preserves the security of the network information with negligible delays. Finally, we address the problem of identifying and potentially engaging with the attacker. We model the interaction between attackers and defenders as a game and derive a defense mechanism based on the equilibria of the game. We show that game-based mechanisms can provide protection against SLFAs similar to that of the extensive periodic MTD solution, with significantly reduced overhead.

The frameworks in this dissertation were verified with extensive experiments as well as theoretical analysis. The research in this dissertation has yielded several novel defense mechanisms that provide comprehensive protection against SLFA. Moreover, we have shown that they can be integrated conveniently and efficiently into the current network infrastructure.

Identifier

FIDC009010

Rights Statement

In Copyright. URI: http://rightsstatements.org/vocab/InC/1.0/
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).