networked-systems-iith / SecFRR

Repository for research conducted at NETX, a networks research group in the Department of Computer Science and Engineering at IIT Hyderabad, India led by Dr. Praveen Tammana.
https://www.netxiith.in/

Which function representation is appropriate for detecting adversarial syn-ack delays? #12

Open divyapathak24 opened 9 months ago

divyapathak24 commented 9 months ago

Attack vectors:

Variables: syn-ack delay value
Fixed: percentage of attack flows (2% of the monitored flows)

divyapathak24 commented 8 months ago

Function 1: avg-count approach

avg_prefx = average delay of a prefix
mon_A = monitoring subrange for RouteA
mon_B = monitoring subrange for RouteB

Approach:

Step 1: Note the average delay of a prefix (avg_prefx).
Step 2: Filter the flows in mon_A and mon_B (i.e., in RouteA/B) which have delays > avg_prefx. Let's call them filtered_mon_A and filtered_mon_B.
Step 3: Calculate the distance of each value in filtered_mon_A from avg_prefx. For instance,

filtered_mon_A = [1, 2, 3, ...]
avg_prefx = 0.5
delay_distance_A = [0.5, 1.5, 2.5, ...]

Similarly, compute the distances for filtered_mon_B to derive delay_distance_B.
Step 4: Employ a bin structure to represent the count of delay distances from the average; each bin indicates the number of distance values falling in that bin. Get the bin plot for filtered_mon_A and filtered_mon_B. This is the avg-count plot.

divyapathak24 commented 8 months ago

Function 2: diff-count approach

This approach is an extension to the avg-count plot.

Approach: We have 2 bars per bin indicating the distance count from avg_prefx for Route A and B. Now, take the difference of the individual bins of A and B to get the diff-count plot.

Motivation for the plot: Assuming an attacker knows the monitoring subrange of one of the routes, it adds 2% high-delay flows (5xRTT or 5-10xRTT) to only one route. If we take the difference between bins A and B, we can find a significant increase in the counts for bins > 1.
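The avg-count (Function 1) and diff-count (Function 2) steps above, as an added worked example (not code from the SecFRR repository). The data is constructed: delays are expressed in multiples of the prefix's base RTT, Route B receives the 2% attack flows at 5xRTT, bin width of one RTT and the +-0.2/+0.5 RTT jitter of normal flows are assumptions of this example.

```python
import random
from typing import Dict, List, Tuple

# Constructed data (not measurements from the project). Delays are in units of
# the prefix's base RTT, so a normal syn-ack delay is about 1 RTT.
N_FLOWS_PER_ROUTE = 1000   # monitored flows in each route's subrange
ATTACK_FRACTION = 0.02     # 2% of the monitored flows, as fixed in the issue
ATTACK_MULTIPLIER = 5.0    # 5xRTT attack delay (issue mentions 5x to 10x)
BIN_WIDTH = 1.0            # assumed: one bin per RTT of distance from avg_prefx


def normal_delays(n: int, seed: int) -> List[float]:
    """Assumed baseline: 1 RTT plus bounded jitter in [-0.2, +0.5] RTT."""
    rng = random.Random(seed)
    return [1.0 + rng.uniform(-0.2, 0.5) for _ in range(n)]


def inject_attack(delays: List[float], fraction: float, multiplier: float) -> List[float]:
    """Adversary adds fraction*len(delays) extra flows with delay multiplier x RTT."""
    n_attack = round(len(delays) * fraction)
    return delays + [multiplier] * n_attack


def avg_count(mon: List[float], avg_prefx: float, bin_width: float = BIN_WIDTH) -> Dict[int, int]:
    """Function 1 (avg-count): keep delays > avg_prefx (Step 2), take their distance
    from avg_prefx (Step 3) and count distances per bin (Step 4).
    Bin k covers distances in [k*bin_width, (k+1)*bin_width)."""
    distances = [d - avg_prefx for d in mon if d > avg_prefx]
    bins: Dict[int, int] = {}
    for dist in distances:
        k = int(dist // bin_width)
        bins[k] = bins.get(k, 0) + 1
    return bins


def diff_count(bins_a: Dict[int, int], bins_b: Dict[int, int]) -> Dict[int, int]:
    """Function 2 (diff-count): per-bin difference count_B - count_A.
    A bin present in only one route counts as zero in the other."""
    keys = sorted(set(bins_a) | set(bins_b))
    return {k: bins_b.get(k, 0) - bins_a.get(k, 0) for k in keys}


def high_bin_excess(diff: Dict[int, int], min_bin: int = 2) -> int:
    """Summed diff-count over bins > 1, the region the issue expects to grow
    when one route carries the injected high-delay flows."""
    return sum(v for k, v in diff.items() if k >= min_bin)


def run_example() -> Tuple[Dict[int, int], Dict[int, int], Dict[int, int]]:
    mon_a = normal_delays(N_FLOWS_PER_ROUTE, seed=1)
    mon_b = inject_attack(normal_delays(N_FLOWS_PER_ROUTE, seed=2),
                          ATTACK_FRACTION, ATTACK_MULTIPLIER)
    prefix = mon_a + mon_b
    avg_prefx = sum(prefix) / len(prefix)        # Step 1: average delay of the prefix
    bins_a = avg_count(mon_a, avg_prefx)
    bins_b = avg_count(mon_b, avg_prefx)
    return bins_a, bins_b, diff_count(bins_a, bins_b)


if __name__ == "__main__":
    a, b, d = run_example()
    print("avg-count A:", a)
    print("avg-count B:", b)
    print("diff-count B-A:", d, "excess in bins > 1:", high_bin_excess(d))
```

With the jitter bounded at +0.5 RTT and avg_prefx sitting just above 1 RTT, every normal flow that survives the filter lands in bin 0, so both routes' bin-0 counts are of the same order and their difference is small noise; the 20 injected flows land about 3.8 RTT away and show up as an isolated spike in bin 3 of the diff-count plot.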

divyapathak24 commented 8 months ago

Evaluation of our detection mechanism:

Metrics: FPR and FNR

  1. Positive: Normal (0)
  2. Negative: Attack (1)

FPs: Normal instance being misclassified as an attack
FNs: Attack instance being misclassified as normal

Variables: threshold (t) derived from analyzing Function(X)
Objective 1: To study the threshold values for which FPR and FNR are the least
Objective 2: Early detection for Attack-1 and 2

To do:
Number of Positive instances (Normal <10%, >10% delay instances):
Number of Negative instances (Attack <10%, >10% delay instances):
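An added example (not project code) of the threshold study described in this comment: each score is one monitoring window's value of Function(X), a threshold t flags a window as an attack when the score exceeds it, and FPR/FNR follow the definitions given above (FP: normal window flagged as attack; FN: attack window flagged as normal). The scores, the sweep over observed values and the window timeline are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed scores (not project data): one value of Function(X) per
# monitoring window, e.g., the diff-count summed over the high bins.
# Labels follow the issue: Normal = 0, Attack = 1.
NORMAL_SCORES = [0, 1, -1, 2, 0, 3, 1, 6, -2, 0]
ATTACK_SCORES = [4, 9, 12, 20, 7, 15]

# Constructed timeline: windows 0-4 are normal, the attack starts at window 5.
ATTACK_TIMELINE = [0, 1, 0, 2, 1, 8, 12, 15]


def classify(score: float, t: float) -> int:
    """Flag a window as attack (1) when Function(X) exceeds the threshold t."""
    return 1 if score > t else 0


def fpr_fnr(normal: List[float], attack: List[float], t: float) -> Tuple[float, float]:
    """FP: normal window classified as attack; FN: attack window classified as
    normal. FPR is relative to the normal windows, FNR to the attack windows."""
    fp = sum(classify(s, t) == 1 for s in normal)
    fn = sum(classify(s, t) == 0 for s in attack)
    return fp / len(normal), fn / len(attack)


def sweep_thresholds(normal: List[float], attack: List[float]) -> Dict[float, Tuple[float, float]]:
    """Objective 1: FPR/FNR at every distinct observed score. Any t between two
    consecutive scores classifies identically, so these candidates are exhaustive."""
    return {t: fpr_fnr(normal, attack, t) for t in sorted(set(normal) | set(attack))}


def best_threshold(normal: List[float], attack: List[float]) -> Tuple[float, float, float]:
    """Threshold with the smallest FPR + FNR (ties broken towards the lower t,
    which favours earlier detection). Returns (t, FPR, FNR)."""
    table = sweep_thresholds(normal, attack)
    t = min(table, key=lambda k: (sum(table[k]), k))
    return t, table[t][0], table[t][1]


def first_detection(window_scores: List[float], t: float) -> Optional[int]:
    """Objective 2 (early detection): index of the first window flagged as an
    attack, or None if no window crosses t."""
    for i, s in enumerate(window_scores):
        if classify(s, t) == 1:
            return i
    return None


if __name__ == "__main__":
    for t, (fpr, fnr) in sweep_thresholds(NORMAL_SCORES, ATTACK_SCORES).items():
        print(f"t={t:>3}  FPR={fpr:.2f}  FNR={fnr:.2f}")
    t, fpr, fnr = best_threshold(NORMAL_SCORES, ATTACK_SCORES)
    print("best t:", t, "FPR:", fpr, "FNR:", fnr)
    print("first detection window:", first_detection(ATTACK_TIMELINE, t))
```

Note that with the issue's labelling (Positive = Normal) the two error rates trade off as expected: raising t past the highest normal score drives FPR to zero but starts losing the low-scoring attack windows, which is why the sweep reports both rates rather than a single accuracy figure.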

divyapathak24 commented 7 months ago

Attack Model:

Variables: x*avg_RTT (attack delay), y (number of attack flows); study the x and y relation (x inversely proportional to y)
Target: Study the performance (Accuracy, FPs, FNs) of our detection approach

praveenabt commented 7 months ago

Attack data set generation:

  1. Get data for attack models with the malicious flows' avg RTTs varying from 2RTT to 32RTT (2, 4, 8, 16, 32). Study the relation between the number of malicious flows and the avg RTT value.
  2. Another attack model is how the malicious flows are injected (e.g., the one-new-attack-flow-per-second approach, or the batch approach).

Detection approach (Routescout):

  1. Look at the standard error deviation technique and derive the thresholds to be used for attack detection (using chi-square methods).

Detection approach (blink):

  1. In the attack case, the number of sampled flows with a duration > 12 sec is higher than in the normal scenarios.
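An added example (not code from the repository) of the attack data set generation sketched above, covering the attack model from the earlier comment (attack delay x*avg_RTT with y attack flows, y inversely proportional to x) and the two injection models listed here (one new attack flow per second, and a batch). The base RTT of 0.1 s, the normal flow rate, the 60 s window and the constant FLOW_BUDGET that fixes y = FLOW_BUDGET / x are assumptions of this example; each generated flow carries the issue's labels (0 = normal, 1 = attack).

```python
import random
from typing import Dict, List, NamedTuple, Tuple

BASE_RTT = 0.1                   # seconds; assumed avg RTT of the prefix
MULTIPLIERS = [2, 4, 8, 16, 32]  # malicious flows' avg RTT = x * BASE_RTT (issue list)
FLOW_BUDGET = 64                 # assumed constant: y = FLOW_BUDGET // x attack flows
WINDOW_S = 60                    # seconds of traffic in one monitoring window (assumed)
NORMAL_RATE = 50                 # normal flows per second (constructed)


class Flow(NamedTuple):
    start: float   # seconds since the start of the window
    delay: float   # syn-ack delay in seconds
    label: int     # 0 = normal, 1 = attack (labelling used in the issue)


def attack_flow_count(x: int, budget: int = FLOW_BUDGET) -> int:
    """y inversely proportional to x: a slower attack (larger x) uses fewer flows."""
    return budget // x


def normal_flows(seed: int) -> List[Flow]:
    """Constructed baseline: NORMAL_RATE flows per second with delay ~ BASE_RTT plus jitter."""
    rng = random.Random(seed)
    flows = []
    for sec in range(WINDOW_S):
        for _ in range(NORMAL_RATE):
            flows.append(Flow(sec + rng.random(), BASE_RTT + rng.uniform(-0.02, 0.05), 0))
    return flows


def inject_per_second(x: int) -> List[Flow]:
    """Injection model 1: one new attack flow per second, starting at t = 0."""
    return [Flow(float(sec), x * BASE_RTT, 1) for sec in range(attack_flow_count(x))]


def inject_batch(x: int, at: float = 0.0) -> List[Flow]:
    """Injection model 2: all y attack flows injected at once at time `at`."""
    return [Flow(at, x * BASE_RTT, 1) for _ in range(attack_flow_count(x))]


def build_dataset(model: str, seed: int = 7) -> Dict[int, List[Flow]]:
    """One labelled window per RTT multiplier, normal and attack flows merged
    and ordered by start time as a monitor would observe them."""
    inject = {"per_second": inject_per_second, "batch": inject_batch}[model]
    base = normal_flows(seed)
    return {x: sorted(base + inject(x), key=lambda f: f.start) for x in MULTIPLIERS}


def attack_summary(flows: List[Flow]) -> Tuple[int, float]:
    """(number of attack flows, their avg delay as a multiple of BASE_RTT)."""
    atk = [f for f in flows if f.label == 1]
    return len(atk), sum(f.delay for f in atk) / len(atk) / BASE_RTT


if __name__ == "__main__":
    for model in ("per_second", "batch"):
        for x, flows in build_dataset(model).items():
            y, mult = attack_summary(flows)
            starts = sorted({f.start for f in flows if f.label == 1})
            print(f"{model:>10} x={x:>2} y={y:>2} avg={mult:.0f}xRTT "
                  f"injected over {starts[0]:.0f}-{starts[-1]:.0f}s")
```

The per-second model spreads the y attack flows over the first y seconds of the window, so a detector that looks at short sub-windows sees the anomaly build up gradually; the batch model concentrates the same y flows at one instant, which is the case where early detection (Objective 2 above) is easiest to measure.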