Adaptive Defense against Stealthy Resource-Intensive DoS Attacks

Abstract

This proposed project will develop mitigations and defenses against a recently discovered class of Denial-of-Service (DoS) attacks, dubbed resource-intensive DoS (RIDoS), which overload and exhaust victim servers' resources using only a small amount of attacker resources. Example vulnerabilities in this class include improper handling of hashing [1] (CVE-2014-9016 [2]) and BlackNurse attacks [3]. Such threats are extremely dangerous because they enable asymmetric cyberattacks in which low-resource adversaries can disable even well-defended targets. Traditionally, attackers rely on sending a large number of requests to consume victim servers' resources, which also incurs a comparatively high cost for the attackers (e.g., acquiring large botnets). RIDoS attacks, by contrast, send a small number of carefully crafted network requests that are enough to exhaust critical server resources such as CPU or memory. Existing DoS defenses (e.g., [4-7]) fail against these threats because they anticipate only adversaries who send many requests (e.g., from botnets) to consume victim servers' resources. To address this danger, we will develop novel detection approaches for RIDoS attacks that combine network-layer traffic monitoring with system-level program analysis. Our main innovation is to strategically combine observations from the network and system layers into a comprehensive view that allows us to effectively detect and mitigate RIDoS attacks. For an incoming request (e.g., HTTP or SSH), we will automatically extract network-level signatures/patterns and associate the request with its system-level resource usage. We then monitor the resources consumed and build statistical and machine learning models to flag overwhelming cases. We also propose deceptive defenses that flip the resource burden back onto the attacker. The proposed work will produce general solutions and a framework for effective defense.
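The request-to-resource association sketched above, as an added illustration that is not part of the proposal or of the PIs' prior work: each request carries its network-level features (method, path, size on the wire) and the CPU time the server charged to it; a median/MAD outlier test flags the requests whose cost is out of proportion, and a per-source summary exposes the asymmetry (few requests, most of the CPU) that request-rate limiting alone cannot see. The traffic samples, the IP addresses (documentation ranges), the size-bucket signature and the threshold factor k are all constructed assumptions for the example, not values from the proposal.

```python
"""Added example (not from the proposal): joining network-level request
features with system-level CPU accounting to flag RIDoS-style requests.
All samples are constructed; IPs are documentation ranges; the detector
parameters are illustrative assumptions, not values from the proposal."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestSample:
    req_id: int
    src_ip: str
    method: str
    path: str
    bytes_in: int    # network layer: request size on the wire
    cpu_ms: float    # system layer: CPU time charged to the worker that served it


# Constructed data: ten ordinary requests from three clients, then two
# oversized login requests from one client that burn several hundred times
# the CPU of a normal login (the asymmetry behind hashing-cost DoS such as
# CVE-2014-9016, where a very long password makes the hash loop expensive).
SAMPLES = [
    RequestSample(1, "203.0.113.5", "GET", "/", 320, 1.2),
    RequestSample(2, "203.0.113.9", "POST", "/wp-login.php", 450, 1.5),
    RequestSample(3, "192.0.2.44", "GET", "/", 330, 1.1),
    RequestSample(4, "203.0.113.5", "POST", "/wp-login.php", 470, 2.0),
    RequestSample(5, "203.0.113.9", "POST", "/wp-login.php", 440, 1.8),
    RequestSample(6, "192.0.2.44", "GET", "/", 310, 1.4),
    RequestSample(7, "203.0.113.5", "POST", "/wp-login.php", 480, 2.3),
    RequestSample(8, "203.0.113.9", "GET", "/", 340, 1.6),
    RequestSample(9, "192.0.2.44", "POST", "/wp-login.php", 460, 1.3),
    RequestSample(10, "203.0.113.5", "GET", "/", 350, 1.9),
    RequestSample(11, "198.51.100.7", "POST", "/wp-login.php", 1_000_000, 850.0),
    RequestSample(12, "198.51.100.7", "POST", "/wp-login.php", 1_200_000, 900.0),
]


def network_signature(s: RequestSample) -> tuple[str, str, int]:
    """Network-level pattern: method, path and the decimal order of magnitude
    of the request size (digit count), so a 1.0 MB and a 1.2 MB body share
    one signature while a 450-byte login does not."""
    return (s.method, s.path, len(str(max(s.bytes_in, 1))))


def signature_profile(samples: list[RequestSample]) -> dict[tuple[str, str, int], float]:
    """Median CPU cost per network signature: the request-to-resource
    association that lets a defender price a request before serving it."""
    costs: dict[tuple[str, str, int], list[float]] = defaultdict(list)
    for s in samples:
        costs[network_signature(s)].append(s.cpu_ms)
    return {sig: statistics.median(c) for sig, c in costs.items()}


def robust_threshold(values: list[float], k: float = 6.0) -> float:
    """Median + k * MAD. Robust to the very outliers we are hunting, unlike
    mean/stddev, which the attacker's own requests would inflate."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, 0.1)   # floor keeps the scale non-zero on uniform traffic


def flag_expensive(samples: list[RequestSample], k: float = 6.0) -> list[RequestSample]:
    """Requests whose system-level cost is far above the robust baseline."""
    thr = robust_threshold([s.cpu_ms for s in samples], k)
    return [s for s in samples if s.cpu_ms > thr]


def cpu_share_by_source(samples: list[RequestSample]) -> dict[str, tuple[int, float]]:
    """Per source IP: (request count, fraction of total CPU). A RIDoS source
    shows up with few requests but most of the CPU."""
    total = sum(s.cpu_ms for s in samples)
    count: dict[str, int] = defaultdict(int)
    cpu: dict[str, float] = defaultdict(float)
    for s in samples:
        count[s.src_ip] += 1
        cpu[s.src_ip] += s.cpu_ms
    return {ip: (count[ip], cpu[ip] / total) for ip in count}


if __name__ == "__main__":
    for s in flag_expensive(SAMPLES):
        print(f"flag req {s.req_id} from {s.src_ip}: sig={network_signature(s)} cpu={s.cpu_ms} ms")
    for ip, (n, share) in cpu_share_by_source(SAMPLES).items():
        print(f"{ip}: {n} requests, {share:.1%} of CPU")
```

On the constructed data the two oversized logins are the only flagged requests, their signature (POST to the login path with a seven-digit body) is priced at roughly 875 ms against under 2 ms for a normal login, and the single attacking source accounts for about 99% of CPU with one sixth of the requests. In a real deployment the CPU figure would come from per-worker accounting (for example, per-request rusage deltas or a cgroup counter) rather than a literal in the table.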
Our preliminary work [8] developed detection methods against CPU-exhaustion DoS attacks on HTTP applications (PHP servers). We will build on the insights gained there and generalize that work to protect arbitrary online applications across a range of server resources (including CPU, memory, and I/O). The PIs have extensive experience in network security, program analysis, statistical modeling, and machine learning.

Benefits to Navy. The proposed research will develop algorithms and proof-of-concept prototype implementations of robust cyber defenses against RIDoS attacks. The proposed defenses will require minimal defender computational resources and infrastructure, in order to mitigate the attacker-defender asymmetries that make RIDoS attacks more dangerous than conventional DoS attacks. This will greatly enhance Navy resiliency against a variety of resource-intensive attacks and offer increased detection opportunities for advanced threat intelligence gathering.

Intellectual Merit. The attack class targeted by the proposed research is a new, relatively unstudied threat category for which few effective defenses are currently deployed in practice. Our technical approach of combining network- and system-level monitoring in mission-critical environments will spur innovations in software security hardening, machine learning, software optimization and debloating, and cyber-deceptive defense.

Document Details

Document Type
DoD Grant Award
Publication Date
Nov 26, 2019
Source ID
N000142012738

Entities

People

  • Shuang Hao

Organizations

  • Office of Naval Research
  • United States Navy
  • University of Texas at Dallas

Tags

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • AI & ML
  • Cyber