|The Ohio State University
|Computer and Information Science
|Full text PDF:
Widespread Internet attacks, such as Distributed Denial of Service (DDoS) attacks and active worm attacks, have been major threats to the Internet in the recent past. Although tremendous research effort has focused on this domain, the defense against these attacks remains challenging for one reason: the attacks are evolving intelligently based on their knowledge of defense mechanisms. In other words, the attacks are becoming more intelligent and effective through defense-oriented evolution in order to defeat existing defense systems. The objectives of this dissertation are to obtain deep insight about these defense-oriented attacks and to address the challenges in defense against them. While multiple elements define a specific defense system, the most important ones are the system infrastructure and algorithms. The evolving defense-oriented attacks can exploit and leverage the knowledge of infrastructure and algorithms in the defense systems in order to counteract them. Hence we can classify defense-oriented widespread Internet attacks into infrastructure-oriented and algorithm-oriented attacks. In this dissertation, we investigate a variety of such attacks and design new and more effective countermeasures against them. For infrastructure-oriented attacks, we study two classes of new attacks that target different aspects of the defense system infrastructure. First, we investigate intelligent DDoS attacks which aim to infer architectures of the DDoS-defending Secure Overlay Forwarding Systems (SOFS) to launch attacks more efficiently than ordinary random DDoS attacks. Second, we study the invisible LOCalization attack which can obtain location information of Internet Threat Monitoring (ITM) systems. In order to counteract these new attacks, we provide enhancements for SOFS and ITM systems. For algorithm-oriented attacks, first we study a class of new active worms, the Varying Scan Rate Worm, which deliberately varies its port scan rate during propagation to evade detection by existing network-based worm detection algorithms. Second, we focus on polymorphic worms which change or possess new signatures to defeat existing host-based worm detection algorithms. Furthermore, we provide new and more effective detection approaches against these new worms. The war between attackers and defenders is never ending. We believe this dissertation lays a foundation to deeply understand the evolution of widespread Internet attacks and to enhance defenses against them.