Open divyapathak24 opened 9 months ago
avg_prefx = average delay of a prefix
mon_A = monitoring subrange for RouteA
mon_B = monitoring subrange for RouteB
Approach:
Step 1: Note the average delay of a prefix (avg_prefx).
Step 2: Filter the flows in mon_A and mon_B whose delays are greater than avg_prefx (i.e. the flows in RouteA/B with delay > avg_prefx). Let's call the results filtered_mon_A and filtered_mon_B.
Step 3: Calculate the distance for each value in filtered_mon_A from the avg_prefx.
For instance,
filtered_mon_A = [1, 2, 3, ...]
avg_prefx = 0.5
delay_distance_A = [0.5, 1.5, 2.5, ...]
Similarly, do the same for filtered_mon_B to derive delay_distance_B.
Step 4: Employ a bin structure to represent the count of delay distances from the average; each bin indicates the number of distance values falling in that bin. Get the bin plot for filtered_mon_A and filtered_mon_B. This is the avg-count plot.
This approach is an extension to the avg-count plot.
Approach: The avg-count plot has 2 bars per bin, one for Route A and one for Route B, each giving the count of distances from avg_prefx. Now take the difference of the individual bins in A and B to get the diff-count plot.
Motivation for the plot: Assume an attacker knows the monitoring subrange of one of the routes and adds 2% high-delay flows (5xRTT or 5-10xRTT) to only that route. If we take the difference between the bins of A and B, we can see a significant increase in the counts for bins > 1.
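Steps 1-4 and the diff-count plot as an added, runnable example (not code from this project). It assumes delays are measured in units of the average RTT, that avg_prefx is the mean over both monitoring subranges, that bins are one RTT wide, and uses constructed sample data in which Route B carries 2% of 5xRTT flows.

```python
from statistics import mean

# Constructed sample data: delays in units of the average RTT.
# Each route carries 1000 flows; baseline delays cycle through 0.50..1.49.
# Route B additionally has 2% of its flows (20) replaced by 5xRTT delays,
# i.e. the Attack type 1 scenario described in the issue.
BASELINE = [0.5 + (i % 100) / 100 for i in range(1000)]
MON_A = list(BASELINE)
MON_B = [5.0] * 20 + BASELINE[20:]


def delay_distances(mon, avg_prefx):
    """Steps 2-3: keep flows slower than the prefix average and return
    how far above it each one lies (filtered_mon -> delay_distance)."""
    return [d - avg_prefx for d in mon if d > avg_prefx]


def avg_count_bins(distances, bin_width=1.0, num_bins=12):
    """Step 4: the avg-count plot. Bin i counts distances in
    [i*bin_width, (i+1)*bin_width); larger distances fold into the last bin."""
    counts = [0] * num_bins
    for dist in distances:
        counts[min(int(dist // bin_width), num_bins - 1)] += 1
    return counts


def diff_count_bins(counts_a, counts_b):
    """The diff-count plot: per-bin difference between Route B and Route A."""
    return [b - a for a, b in zip(counts_a, counts_b)]


def flagged_bins(diff, threshold):
    """Bins beyond distance 1 whose count difference exceeds threshold t
    (choosing t is the object of study in the issue)."""
    return [i for i, d in enumerate(diff) if i > 1 and abs(d) > threshold]


def analyse(mon_a, mon_b, bin_width=1.0, num_bins=12):
    # Assumption: avg_prefx is the mean delay over both monitoring subranges.
    avg_prefx = mean(mon_a + mon_b)
    counts_a = avg_count_bins(delay_distances(mon_a, avg_prefx), bin_width, num_bins)
    counts_b = avg_count_bins(delay_distances(mon_b, avg_prefx), bin_width, num_bins)
    return avg_prefx, counts_a, counts_b, diff_count_bins(counts_a, counts_b)


if __name__ == "__main__":
    avg, ca, cb, diff = analyse(MON_A, MON_B)
    print(f"avg_prefx={avg:.4f}")
    print("avg-count A:", ca)
    print("avg-count B:", cb)
    print("diff-count :", diff, "flagged bins (t=5):", flagged_bins(diff, 5))
```

With this data the 20 injected flows land in bin 3 of Route B only, so the diff-count plot shows a spike of 20 there and nothing elsewhere.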
Metrics: FPR and FNR
Variables: threshold (t) derived from analyzing Function(X)
Objective 1: To study the threshold values for which FPR and FNR are the least
Objective 2: Early detection for Attack-1 and 2
To do:
Number of Positive instances (Normal <10%, >10% delay instances):
Number of Negative instances (Attack <10%, >10% delay instances):
Attack Model:
Variables: X*avg_RTT, y number of attack flows; study the relation between x and y (x is inversely proportional to y)
Target: Study the performance (Accuracy, FPs, FNs) of our detection approach
Attack data set generation:
Detection approach (Routescout):
Detection approach (blink):
Attack vectors:
Variables: syn-ack delay value
Fixed: percentage of attack flows – 2% of the monitored flows
Attack type 1: Send SYN (at least 2%) packets every second and send their corresponding acknowledgements with delay of 5 times the average Round-Trip Time (RTT).
Attack type 2: Vary the timing of SYN packet transmissions to synchronize the release of all ACKs (at least 2%) within a specific time frame, ranging from 5 times to 10 times the average RTT (batches).