在現代網路中，最普遍、並且影響甚鉅的網路攻擊便是DDoS。隨著網路的取得越來越容易、以及聯網機器數量越來越多，網路使用量越來越大； 同時網路攻擊的軟體與工具取得也越來越容易，這使得發起攻擊的難度降低、並且當資源管理者資安觀念不充足的情況下，很容易讓其管理下的機器淪為攻擊者的botnet，讓攻擊所造成的影響更加嚴重。而現有的異常偵測系統能夠減低DDoS 所帶來的傷害，但仍然沒有辦法有效地防範，原因在於偵測系統的反應時間沒有辦法在攻擊發生的當下馬上察覺； 大多數的異常偵測系統需要將流量重新導向到外部機器上做進一步的流量分析與偵測，在這當中產生的latency 便是一個不可忽略的問題； 再來是當攻擊發生時，通常會干擾到原有服務中正常使用者的流量，而這時將大量流量導向對於外部機器以及網路頻寬的使用也是一個潛在性的問題。因此反應時間" 便是目前網路安全當中的重點。我們所提出的方法是將這類攻擊的偵測動作卸載到資料平面上，讓處理流量的交換器在轉發的同時去做流量分析，並且利用現有網路機制中異常行為(e.g. RST、Unique Port 數量過多等等) 作為判斷機制，當流量出現所定義的異常行為時，將其標示為攻擊者並做後續的處理。在我們使用的UNB 2018 測資以及自建的模擬環境中，在適當的threshold 下，可以達到100% 的偵測率、以及低於10% 的FP，並且只需要使用少量的記憶體及運算量即可達到這樣的成果。

In modern Internet, Distributed Denial-of-Service (DDoS) attack is one of the most common and influential network attacks. Many software tools related to DDoS attack evolve signicantly in recent years. Some of the tools try to build attacking networks (called botnet) automatically by scanning security holes of network nodes before launching DDoS attacks. As the Internet connectivity becomes much easier to access, the number of connected devices explosively increases. These devices may become victims of botnets and thus attackers in DDoS attacks if the system administrators do not deal with security holes carefully. On the other hand, some of the tools try to detect anomalies and then try to reduce subsequent damages caused by DDoS attacks. Unfortunately, existing solutions incur much longer latency to detect existence of DDoS attacks because they need to mirror traffic to an external network node for further traffic analysis with anomaly detection. Furthermore, benign traffic may incur unexpected latency even though they are innocent. To mitigate the latency in anomaly detection, this thesis proposes a flood-based attack detection system on data plane. We offload the detection of such attacks to the data plane, let the switch perform traffic analysis along with traffic processing, and utilize the abnormal behavior in the existing network mechanism (e.g. RST, Unique port excessive quantity, etc.) as a detection mechanism, when the traffic has an abnormal behavior defined, it is marked as attack. In the experiments with the datasets of UNB IDS2018 [1,2] and self-established virtual network, under the appropriate threshold, we can achieve 100% detection rate and less than 10% false positive rate, and only require a small amount of memory and computation cost.

[1] Cse-cic-ids2018: A collaborative project between the communications security establishment (cse) the canadian institute for cybersecurity (cic). https://www.unb.ca/cic/datasets/ids-2018.html.
[2] Cse-cic-ids2018 on aws. https://registry.opendata.aws/cse-cic-ids2018/.
[3] Google Ideas and Arbor Networks. Digital attack map. http://www.digitalattackmap.com/.
[4] Sam Kottler. February 28th ddos incident report. https://github.blog/2018-03-01-ddos-incident-report/.
[5] Jon Porter. Telegram blames china for `powerful ddos attack' during hong kong protests. https://bit.ly/2wSewAQ.
[6] Ehsan Khoshhalpour and Hamid Reza Shahriari. Botrevealer: Behavioral detection of botnets based on botnet life-cycle. The ISC International Journal of Information Security, 9:1-7, 07 2017.
[7] p4lang.org. P4 official website. https://p4.org/.
[8] Barefoot Network. Home page of barefoot. https://www.barefootnetworks.com/.
[9] Hossein Hadian Jazi, Hugo Gonzalez, Natalia Stakhanova, and Ali A. Ghorbani. Detecting http-based application layer dos attacks on web servers in the presence of sampling. Computer Networks, 121:25 - 36, 2017.
[10]Â. C. Lapolli, J. Adilson Marques, and L. P. Gaspary. Offloading real-time ddos attack detection to programmable data planes. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pages 19-27, April 2019.
[11] G. Androulidakis and S. Papavassiliou. Improving network anomaly detection via selective flow-based sampling. IET Communications, 2(3):399-409, March 2008.
[12] Q. Pan, H. Yong-feng, and Z. Pei-feng. Reduction of traffic sampling impact on anomaly detection. In 2012 7th International Conference on Computer Science Education (ICCSE), pages 438-443, 2012.
[13] Jianning Mai, Ashwin Sridharan, Hui Zang, and Chen-Nee Chuah. Fast filtered sampling. Computer Networks, 54(11):1885 - 1898, 2010.
[14] A. Patcha and J. Park. An adaptive sampling algorithm with applications to denial-of-service attack detection. In Proceedings of 15th International Conference on Computer Communications and Networks, pages 11-16, Oct 2006.
[15] P. Garc a-Teodoro, J. D az-Verdejo, G. Maci a-Fern andez, and E. V azquez. Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers Security, 28(1):18 - 28, 2009.
[16] Pedro Casas, Johan Mazel, and Philippe Owezarski. Unsupervised network intrusion detection systems: Detecting the unknown without knowledge. Computer Communications, 35(7):772 - 783, 2012.
[17] Nong Ye and Qiang Chen. An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems. Quality and Reliability Engineering International, 17(2):105-112.
[18] Nong Ye. A markov chain model of temporal behavior for anomaly detection. In Proceedings of the 2000 IEEE Workshop on Information Assurance and Security, pages 171-174, 2000.
[19] V. A. Siris and F. Papagalou. Application of anomaly detection algorithms for detecting syn flooding attacks. In IEEE Global Telecommunications Conference, 2004. GLOBECOM '04., volume 4, pages 2050-2054 Vol.4, Nov 2004.
[20] Zeek official website. https://www.zeek.org/.
[21] Snort official website. https://www.snort.org/.
[22] Y. Xu and Y. Liu. Ddos attack detection under sdn context. In IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, pages 1-9, April 2016.
[23] Minlan Yu, Lavanya Jose, and Rui Miao. Software defined traffic measurement with opensketch. In Presented as part of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13), pages 29-42, Lombard,
IL, 2013. USENIX.
[24] D. He, S. Chan, X. Ni, and M. Guizani. Software-defined-networking-enabled traffic anomaly detection and mitigation. IEEE Internet of Things Journal, 4(6):1890-1898, Dec 2017.
[25] Broadcom. Npl tutorials. https://github.com/nplang/NPL-Tutorials.
[26] Zaoxing Liu, Antonis Manousis, Gregory Vorsanger, Vyas Sekar, and Vladimir Braverman. One sketch to rule them all: Rethinking network flow monitoring with univmon. pages 101-114, 08 2016.
[27] Jan-Jaap Korpershoek. Filtering ddos traffic using the p4 programming language. https://github.com/JJK96/P4-filtering.
[28] Intrusion detection evaluation dataset (cicids2017). https://www.unb.ca/cic/datasets/ids-2017.html.
[29] Iman Sharafaldin., Arash Habibi Lashkari., and Ali A. Ghorbani. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,, pages 108-116. INSTICC, SciTePress, 2018.
[30] Konstantin. Ddos golang script. https://github.com/Konstantin8105/DDoS.
[31] CAIDA Anonymized Internet Traces 2016 Dataset and other Anonymized InternetTraces Datasets. The caida ucsd anonymized internet traces 2016 - 0121. http://www.caida.org/data/passive/passive_2016_dataset.xml.