Practical and accurate runtime application protection against dos attacks

M Elsabagh, D Fleck, A Stavrou, M Kaplan, T Bowen
International Symposium on Research in Attacks, Intrusions, and Defenses, 2017, Springer
Abstract
Software Denial-of-Service (DoS) attacks use maliciously crafted inputs aiming to exhaust available resources of the target software. These application-level DoS attacks have become even more prevalent due to the increasing code complexity and modular nature of Internet services that are deployed in cloud environments, where resources are shared and not always guaranteed. To make matters worse, many code testing and verification techniques cannot cope with the code size and diversity present in most services used to deliver the majority of everyday Internet applications. In this paper, we propose Cogo, a practical system for early DoS detection and mitigation of software DoS attacks. Unlike prior solutions, Cogo builds behavioral models of network I/O events in linear time and employs Probabilistic Finite Automata (PFA) models to recognize future resource exhaustion states. Our tracing of events spans the entire code stack from userland to kernel. In many cases, we can block attacks far before they impact legitimate live sessions. We demonstrate the effectiveness and performance of Cogo using commercial-grade testbeds of two large and popular Internet services: Apache and the VoIP OpenSIPS servers. Cogo required less than 12 min of training time to achieve high accuracy: less than false positive rate, while detecting a wide range of resource exhaustion attacks less than seven seconds into the attacks. Finally, Cogo had only two to three percent per-session overhead.