Measurement Based Evaluation and Mitigation of Flood Attacks on a LAN Test-Bed

Mohammed Nasereddin, Mert Nakıp, Erol Gelenbe

TL;DR

The paper addresses DoS-like UDP flood threats to IoT LANs and the gap between ideal IDS performance and real-world operation under attack. It deploys a LAN test-bed with UDP traffic, a DRNN-based IDS, and a simple mitigation that drops packets when the majority of the last $20$ packets indicate an attack, blocking further traffic for the next $30$ seconds. Results show that short attacks are detected with high accuracy (approximately $99.7\%$), but longer attacks overload the server and delay detection; the mitigation reduces queue lengths and prevents IDS paralysis, with detection timing dependent on attack duration. This work demonstrates practical, rapid-response strategies for protecting IoT LANs from UDP flood DoS and informs future work on optimizing IDS analysis frequency and energy usage.

Abstract

The IoT is vulnerable to network attacks, and Intrusion Detection Systems (IDS) can provide high attack detection accuracy and are easily installed in IoT Servers. However, IDS are seldom evaluated in operational conditions, which are seriously impaired by attack overload. Thus a Local Area Network testbed is used to evaluate the impact of UDP Flood Attacks on an IoT Server whose first line of defence is an accurate IDS. We show that attacks overload the multi-core Server and paralyze its IDS. Thus a mitigation scheme that detects attacks rapidly, and drops packets within milliseconds after the attack begins, is proposed and experimentally evaluated.

Paper Structure (6 sections, 10 figures)

This paper contains 6 sections, 10 figures.

Figures (10)

  • Figure 1: Testing Environment using Ethernet for communications, with Raspberry Pi machines acting as forwarders of normal and attack traffic, and an Intel 8-Core Processor used as a Server to process incoming packet traffic and run the IDS algorithm.
  • Figure 2: The structure of the IDS system that computes the decision variable $y_i$ from the network traffic metrics $[x_i^1, x_i^2, x_i^3]$ with the DRNN based Auto-Associative Random Neural Network (AAD RNN) and the postprocessing module.
  • Figure 3: The performance of the IDS with $\gamma = 0.3$, and compared with the best value of $\gamma=0.3787$, is evaluated for Accuracy, TPR, and TNR, in an experiment where RPi2 starts a UDP Flood attack lasting $10$ seconds.
  • Figure 4: The IDS's binary decisions are shown for $\gamma = 0.3$, when the RPi2 starts a UDP Flood attack lasting $10$ seconds.
  • Figure 5: Schematic organization of the Server that supports the IDS. Mitigation is based on triggering "packet drop" decisions for all packets in the IDS Input Buffer, when it detects a majority of attack packets among the most recent $20$ packets. The IDS then resumes testing the incoming packets, and the decision and mitigation process is repeated.
  • ...and 5 more figures