IIIT Hyderabad Publications
BotD: A Scalable Anomaly-Based Bot Detection Architecture for Securing Web Services

Author: Krishna Teja Yadavalli
Date: 2020-02-20
Report no: IIIT/TH/2020/11
Advisor: Shatrunjay Rawat

Abstract

Web services face a constant threat from ever-increasing novel attacks. Attackers continually come up with new and unseen attacks whenever a vulnerability is found. Because attackers have access to massive botnets, these attacks are launched immediately, before the interested party patches the vulnerability, in order to cause a denial of service on the targeted service. In this context, anomaly-based network intrusion detection techniques are valuable for protecting web services against such unknown attacks. Anomaly detection algorithms have gained significance as a counter to unknown attacks, although they have high false alarm rates. Since these algorithms can be effective against unknown attacks, web services can leverage them to defend against botnets. These algorithms must be applied to the traffic handled by scalable web services; in effect, there is a need for an intrusion detection system that scales with the web service it protects and that also validates the alarms raised by these algorithms. Network-based anomaly detection is a well-mined area of research, with many projects that have produced algorithms to detect suspicious and anomalous activities.

In this thesis, a bot detection architecture named BotD is proposed. The architecture provides a framework to plug in existing anomaly detection algorithms, and newer ones as they evolve. The installed algorithms analyze the incoming traffic and raise anomaly alarms when suspicious activity is detected. The architecture validates these alarms and takes appropriate action: if the alarm validation turns out to be positive, the architecture marks the clients with such traffic patterns as bots and subsequently drops the traffic coming from them. In the case of false alarms, feedback is given to the algorithms so that they can improve. Moreover, BotD provides an interface for algorithm developers to monitor various metrics related to the plugged-in algorithms, and it takes care of scaling itself with the incoming traffic. Furthermore, the thesis proposes a network orchestration algorithm that transfers state across hosts using the SDN control layer. This orchestration algorithm is used in the architecture to transfer the plugged-in algorithms' state efficiently across nodes while scaling. Finally, a simulation of the architecture is presented as a proof of concept for the proposed design.

Full thesis: pdf

Centre for Security, Theory and Algorithms