IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO.

2, MAY 2005 85

Denial of Service Attacks on Network-Based

Control Systems: Impact and Mitigation
Men Long, Chwan-Hwa Wu, Senior Member, IEEE, and John Y. Hung, Senior Member, IEEE

Abstract—Replacing specialized industrial networks with the

Internet is a growing trend in industrial informatics, where
packets are used to transmit feedback and control signals between
a plant and a controller. Today, denial of service (DoS) attacks
cause significant disruptions to the Internet, which will threaten
the operation of network-based control systems (NBCS). In this
paper, we propose two queueing models to simulate the stochastic
process of packet delay jitter and loss under DoS attacks. The mo-
tivation is to quantitatively investigate how these attacks degrade
the performance of NBCS. The example control system consists of
a proportional integral controller, a second-order plant, and two
one-way delay vectors induced by attacks. The simulation results
indicate that Model I attack (local network DoS attack) impairs
the performance because a large number of NBCS packets are Fig. 1. Abstraction of network-based control systems.
lost. Model II attack (nonlocal network DoS attack) deteriorates
the performance or even destabilizes the system. In this case, the
traffic for NBCS exhibits strong autocorrelation of delay jitter and Networking devices (routers, end computers, and firewalls)
packet loss. Mitigating measures based on packet filtering are dis- become ill-behaved when handling the high packet rate under
cussed and shown to be capable of ameliorating the performance DoS attacks because they have constraints on input/output
degradation. (I/O) processing, interrupt processing, central processing units
Index Terms—Delay jitter, denial of service (DoS) attacks, net- (CPU), and memory resources. Hence, delay jitter and packet
work-based control system (NBCS), packet loss, queueing model, loss of the NBCS packet flows become worse under attacks,
security.
which in turn may significantly impair the control system
performance such as percentage overshoot, rise and settling
I. INTRODUCTION time, and mean-squared error.
This paper proposes two simple models to approximate the
R EMOTE control using the Internet has become an
emerging technology. A possible scenario of a net-
work-based control system is depicted in Fig. 1. Packet delivery
packet transmission of NBCS under DoS attacks. It is difficult
for legitimate users to launch actual DoS attacks against proto-
types of NBCS in the real environment to evaluate performance,
exhibits delay jitter and loss under the regular operation status
partly because the attacks are classified as cybercrimes [6]. The
of the Internet. Thus, the performance of control systems is
proposed models have the flexibility to study the dynamics of at-
degraded, as the control loops are affected by the Internet [1].
tacks and are able to simulate a variety of attacks (even attacks
Today, network attacks to the Internet are common. The
that may be deployed by intruders in the future).
motivation of this study is to quantitatively investigate how
The proposed models are based on a multiple-input queue,
attacks affect network-based control systems (NBCS) perfor-
which captures the mechanism that causes delay jitter and
mance. Denial of service (DoS) attacks are perhaps the most
packet loss. Model I estimates the situation in which attackers
detrimental one that affects the packet delivery because they
launch DoS attacks to an endpoint (a controller, a plant ma-
have been proven capable of shutting an organization off from
chine, or a customer-edge router) from computers in the local
the Internet or dramatically slowing down network links [2].
area close to the endpoint. In this case, a large number of
For instance, malicious users send a large number of spurious
NBCS packets may be lost. Model II approximates the case
packets to a destination with the intention of consuming ex-
where remote attackers on the Internet launch DoS attacks
cessive amounts of endpoint network bandwidth. Such attacks
to service-provider-edge routers (several hops away from an
are commonly referred to as packet flooding attacks [3]. In
endpoint). Empirically, these attacks tend to slow down the
addition, in the past three years, there have been large-scale
network links between a controller and a remote plant. As a
worm activities (viral computer programs that self-propagate
result, some intermediate routers exhibit abnormal behavior,
to consume network and computer bandwidth), causing signifi-
and the NBCS packets experience relatively long delay jitter.
cant disruptions to the Internet [4], [5].
The simulation results indicate DoS attacks causing long
delay jitter may significantly deteriorate the performance of
Manuscript received November 26, 2004; revised January 20, 2004. NBCS under either an event- or time-driven controller. On the
The authors are with the Department of Electrical and Computer Engineering,
Auburn University, Auburn, AL 36849 USA (e-mail: [email protected]). other hand, the attacks causing excessive packet loss degrade
Digital Object Identifier 10.1109/TII.2005.844422 the performance but do not destabilize the system with the
1551-3203/$20.00 © 2005 IEEE
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 86 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

event-driven controller. Furthermore, through autocorrelation

and power spectrum density analysis, we find the pattern of
delay jitter and packet loss that has the most adverse effect on
the NBCS performance. Finally, the mitigating measures from
network intrusion detection and prevention are evaluated in this
paper.
The study of NBCS is an interdisciplinary course of computer
networking and control engineering. Our approach, mainly from
the networking point of view, can complement the extensive lit-
Fig. 2. Data path of a network-based control system.
erature on this subject from control system design. For example,
a networked proportional integral (PI) controller over an IP net-
work was implemented in [7], while [8] proposed a neural net- transmission latency is: percentage overshoot , rise
work middleware for tracking of a networked mobile robot. The time , settling time , and mean-squared
effect of delay jitter on quality of control in EIA-852-based net- error .
works was investigated in [9]. Asynchronous and synchronous
actuation for a networked control system was discussed in [10]. III. SIMULATION MODELS
A general purpose architecture for Internet-based teleoperation In this section, we first give the definition of delay jitter.
was presented in [11]. A teleoperation control system, based Second, we introduce both time- and event-driven control ap-
on the characteristics of measured site-to-site packet round-trip proaches. Third, we classify the packet traffic in the queueing
time, was designed and tested in [12]. In addition, the impor- models. Finally, two models of DoS attacks on NBCS are pre-
tance of network security in industrial informatics was advo- sented in details.
cated in [13].
The remainder of the paper is organized as follows. In A. Definition of Delay Jitter
Section II, the example control algorithm and plant dynamics
The abstract structure of an NBCS control loop is shown in
are introduced. In Section III, two queueing models for packet
Fig. 2. The sensor measurement and control signals are trans-
transmission under DoS attacks are proposed. In Section IV,
mitted between a controller and a plant via network packets.
the simulation methodology is described. In Sections V and VI,
Each sensor packet has an en route delay before arrival at the
the NBCS performance under the two models of DoS attacks
controller. Let the latency be , thus the delay jitter of
are evaluated. In Section VII, we apply the autocorrelation and
sensor packets is defined as
power spectrum density techniques to connect the pattern of
delay jitter and packet loss with the performance degradation (4)
of NBCS. In Section VIII, the mitigating measures using the
network security technologies are investigated. Conclusions where the subscript represents backward delay from the sensor
appear in Section IX. to the controller and the subscript denotes the index of the
sensor packet. Packet loss is treated separately. Similarly, the
II. AN EXAMPLE CONTROL SYSTEM delay jitter of control packets is defined as
A simple discrete PI algorithm and a second-order plant are (5)
used. This idealized control system is well understood so that
the performance degradation of NBCS under DoS attacks can
where the subscript represents forward delay from the con-
be better quantified. The plant transfer function is
troller to the actuator and the subscript denotes the index of
, and the PI controller is
the control packet.
[7].
The values of and can be regarded
The time scale is in accordance with control of an electro-
as the deterministic delay that is the time required for signal
mechanical system. Let the sampling rate of the plant be 50
propagation on physical media and networking device clocking
samples/s. Then the discrete-time transfer function is
a packet onto links. Note that compensating the deterministic
. We
delay is relatively easy in control system design. So, in the sim-
further obtain the difference equations for the control system
ulation, we assume that the deterministic delay has already been
compensated. Only the stochastic delay jitter and in the
control loop remains to be studied.
(1)
(2) B. Event- or Time-Driven Control Approaches
(3) In many control systems, the sensor sampling is time-driven.
The plant sensor sends a packet of the measurement to the
where denotes the output of the plant; means the output of controller every seconds. The packet will travel through
the PI controller; represents the input of the PI controller; networks and then arrive at the controller. A packet may be
is the reference input; is the index of samples. Under a unit lost en route; thus, the PI controller in our study can be either
step input , the performance without considering packet time-driven (at every seconds, use the latest measurement
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 LONG et al.: DENIAL OF SERVICE ATTACKS ON NBCS: IMPACT AND MITIGATION 87

packet stored in the buffer to calculate the control signal and

then transmit it to the actuator) or event-driven (transmit the
control signal upon receiving a measurement packet from
the sensor). The actuator is event-driven, that is, it changes
the amplitude upon obtaining a control signal packet from
the controller.

C. Input and Output of Queueing Models

Packets moving from one site to another in a network have Fig. 3. DoS attack Model I (local network attack). Adjust  (attack traffic rate)
to access shared resources (communication links and network to approximate the severity of attacks. The effect of DoS attack is embedded into
equipment). For each router in the path between a plant and a the attack traffic .
controller, the mechanism governing packet transmission can be
abstracted by a queueing model [14]. The discipline for the ser- will be simulated in our study. Because the delay jitter of
vice is usually first-come-first-serve. Packets arrive at a router packets is caused mainly by the queueing of network equipment,
at unpredictable times. If a packet finds that the router CPU is we choose in our models to approximate delay jitter and
idle, it will be immediately served for an amount of time (CPU
processing the packet). If the router CPU is busy, the packet will
(7)
be in the queue to wait. When a queue with a finite size becomes
full, the newly arrived packet is dropped. (8)
The number of routers in the path and the path topology can
The rule for packet loss is: if a NBCS packet arrives at the queue
be considerably dynamic, depending on the locations of a plant
and finds it is full, then this packet will be immediately dropped.
and a controller. Considering the fact that those routers are het-
erogeneous and dynamic plus it is infeasible to collect every D. DoS Attack Model I: Local Network Attack
detail of traffic data from every intermediate router in the path,
we use a lumped queue to model the end-to-end packet trans- This model approximates the case where DoS attacks are
mission between a plant and a controller. A lumped queue with launched locally to an endpoint (a plant, a controller, or a cus-
adjustable parameters is a manageable approach. To better ap- tomer-edge router connecting to the Internet). The feature of
proximate the process of packet delivery, we tune some param- the attacks is that a lot of NBCS packets might be dropped be-
eters of the queueing model by matching the simulated delay cause the local routers or endpoint computers are not designed
jitter under network regular status with the measured data re- to handle the high rate of packet transmissions. Since the end-
ported by a couple of the U.S. national network measurement points are attacked from the local area network, the surviving
projects [15], [16]. sensor or control packets may experience relatively small jitter,
The queue has two input processes in order to approximate given that the remaining network (backbone network of Internet
the packet flow under network normal status. One is the NBCS service providers) might maintain a regular status.
packet flow and the other background traffic (noncontrol appli- To model this, we introduce another arrival process (attack
cation/other NBCS system packet flows). We separate the back- traffic) into the queue with mean arrival rate (packets/s), as
ground traffic with the attack traffic in the models. Background shown in Fig. 3. The mathematical expression for Model I is
traffic is the one under the network normal status, and attack (9)
traffic will be added into the models under DoS attacks. The
queue input and service time are stochastic processes. For the (10)
presentation simplicity, we use mean values to describe these
where represents the queue model that is simulated; is the
processes. In the model of backward delay, is the mean reference mean service time under network regular status; is
arrival rate (packets/s) of the sensor data (deterministic process);
the mean arrival rate of the sensor data; is the mean arrival
is the mean arrival rate of the background traffic; is the mean
rate of the background traffic; is the mean arrival rate of the
service time (ms) of the server in the queue; is the mean ar- control signal. The attack traffic is included in the input of (9),
rival rate of the sensor data at the controller. It is not uncommon which represents that intruders attack the path from the sensor
that IP routing from a site to another exhibits symmetry [15]. to the controller. Making a simplification for simulation, we do
Therefore, one can assume the background traffic arrival process not include the attack traffic in the path of control signals so
and the server service time for forward delay jitter will have that does not appear in (10). We increase the magnitude of the
the identical probability distribution with those for backward attack traffic rate to approximate the escalated severity of DoS
delay jitter . The mean arrival rate of control signals is attacks.
(time-driven controller) or (event-driven controller).
The total time spent in the queue by packet of NBCS is E. DoS Attack Model II: Nonlocal Network Attack
of a particular interest, which is the sum of waiting time and
Attacks may overload some router (on the Internet) in the
service time of the packet and denoted by
path between the plant and the controller, and slow down net-
work links. These routers are designed to route packets so that
(6) they may be able to handle the relatively high packet arrival rate.
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 88 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

Fig. 4. DoS attack Model II (nonlocal network attack). Adjust  (mean service time) to approximate the severity of attacks: (a) backward delay and (b) forward
delay. The effect of DoS attack is lumped into .

On the other hand, the DoS attacks may cause the operation of
routers to be unstable or oscillatory, which results in the irreg-
ular pattern of packet flows. The feature of these attacks is that
NBCS packet flow may experience a relatively long delay jitter.
Our modeling approach is to lump the effect of attacks into
the mean service time to reflect the abnormal behavior of the at-
tacked routers. The model is depicted in Fig. 4. The mathematic
expression for Model II is written as
(11)
(12)
where represents the queue model that can be simulated. To
approximate the DoS attacks, we change the mean service time
. A reference value is given first to represent network reg-
ular status. The lumped effect of DoS attacks to the routers in the
path is assumed to cause a larger mean service time . Hence,
we increase to model the elevated severity of the attacks. Con- Fig. 5. Packet rate of model I DoS attacks. Maximum rate ack mag =
trary to DoS attack Model I ( and the attack traffic rate are 1000 packets=s.
used), DoS attack Model II does not contain the explicit attack
flow in the queue. The effect of the DoS attacks is embedded reference input for the control loop is a unit step excitation.
into the adjustable parameter of queue mean service time. In the remainder of the text, the performance values, such as
percentage overshoot, rise and settling time, and mean-squared
IV. SIMULATION METHODOLOGY error, are average values of many simulation runs unless the au-
The stochastic processes in (9)–(12) can have general proba- thors make an explicit statement.
bility distributions. The queue service time in the model can be
interpreted as the time for routers to process the traffic, which
V. PERFORMANCE UNDER DOS ATTACK MODEL I
depends on the size of a packet as well as other relevant fac-
(LOCAL NETWORK ATTACK)
tors. We assume that the service time observes an exponential
distribution with mean (under network regular status/DoS Mean service time and background traffic load
attack Model I) or (under DoS attack Model II). It is a reason- are given as an example of network regular status for
able practice to assume that the background traffic is a Poisson both event- and time-driven controllers. Since the simulation
process with mean rate [17]. The background traffic load can time is 15 s and the sampling rate is 50 samples/s, there are 750
be defined as . The load ratio is understood as the ratio measurements packets from a sensor to a controller. In one sim-
of background traffic to network capacity, and ranges from 0 to ulation run of the network regular case, we average over all
1 according to the assumption that background traffic does not to get the value 6.97 ms of . As reported in [16], the one-way
exceed the capacity. jitter of a major US link from Atlanta to Chicago is 8 ms, which
We assume that the computational time of the controller is supports the use of in the model as an approximation
negligible. Hence, only the stochastic delay jitter and are for the delay jitter under network regular status.
put into the control loop simulation. Packet loss is admissible, In Model I DoS attacks, the injected packet rate grows expo-
and we allow that delay jitter is greater than the sampling period. nentially in the beginning and then saturates at a high level [4].
Each simulation run observes the control system over the be- To fit the time-scale of the simulation, we assume that the arrival
ginning 15 s. The buffer size of queue is ten in all cases. The rate of attack packets grows exponentially to a maximum point
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 LONG et al.: DENIAL OF SERVICE ATTACKS ON NBCS: IMPACT AND MITIGATION 89

Fig. 6. Performance under model I DoS attacks (local network attack). (a) Event-driven controller. (b) Time-driven controller.

at 3 s and then levels off until the simulation end of C. Discussion

15 s. Thus, is defined as Comparing Fig. 6(b) with Fig. 6(a), the time-driven approach
is more susceptible to network attacks. The DoS attacks cause
(13) excessive packets losses in the path from the sensor to the con-
troller, which makes the compensation inaccurate because the
simple time-driven controller based on (1)–(3) uses the quite
Fig. 5 depicts the growth of attack packet rate. In the simulation, “old” data stored in the buffer to determine the control sig-
we adjust the value of to observe how the severity of nals. In contrast, the system response becomes slower under
attacks degrades the performance. the event-driven approach, because the interarrival time of the
packets at the actuator becomes much larger due to the packet
A. Event-Driven PI Controller loss.
We ran ten simulations for each value of . Fig. 6(a)
shows the performance of the event-driven method. The system VI. PERFORMANCE UNDER DOS ATTACK MODEL II
is stable, though a large number of sensor packets are lost due to (NONLOCAL NETWORK ATTACK)
the attacks. The loss ratios of sensor packets are 84% and 85.2%
under 2000 and 2500 packets/s. Under attacks, per- With the reference (regular network status), four
centage overshoot increases more than 14%. The noticeable per- levels of (6, 9, 12, and 15 ms) are used to model different
formance degradation is that the rise and settling time is much magnitude of DoS attacks. We approximate that the larger value
larger than that without attacks. For example, the settling time of implies that the DoS attacks get more severe. For each value
is 2 s when , whereas the settling time without of , we change from 0.1 to 0.9, which models the background
the attack is 0.28 s. traffic load from low to high. At every pair of , we perform
One interesting phenomenon depicted by Fig. 6(a) is that, 20 simulation runs, and the average values are reported.
when attack packet rate exceeds a certain value, the percentage
overshoot decreases. The reason is that, as the packet loss is over A. Event-Driven PI Controller
a certain limit, the integration term of the PI controller decreases Fig. 7(a) conveys that the performance is degraded under DoS
because of the small amount of correction. Consequently, the attacks. With different classes of , the larger gets, the worse
percentage overshoot drops. the percentage overshoot . Under the same class of , larger
background traffic load tends to cause a higher percentage over-
B. Time-Driven PI Controller shoot. In the regular case of , increases a bit at
One strategy for dealing with delay jitter and packet loss is . Under DoS attacks, when , augments
that a controller makes a buffer to store previous sensor packets. earlier at . As reaches 0.9, is 58.1%. In the case of
Contrary to the event-driven controller, the controller, at each , at is 46.9%. Then at , is greater
sampling instant, will use the latest available one in the buffer, than 100%. For and 15 ms, is high at even low back-
calculate the control signal based on (1)–(3), and send it to the ground traffic load . Since the value of determines the
actuator. Fig. 6(b) plots the performance of the time-driven effect of Model II DoS attacks, the data suggest that if the path
approach. When is greater than 1000 packet/s, the between the controller and the plant without attacks is already
system becomes unstable. The sensor packet loss ratios are under heavy background traffic (high value of ), then the DoS
69.2% and 85.9% under 1000 and 1500 packets/s. attacks will likely cause much more performance degradation
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 90 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

(a)
Fig. 7. Performance under model II DoS attacks (nonlocal network attack). (a) Event-driven controller.

of a NBCS system. Notice that the numerical values of perfor- time than event-driven approach, because more control packets
mance degradation can become extremely large, but it simply arrived at the actuator (at every sampling instant the controller
means that the control system becomes destabilized in the phys- sends the control signal to the actuator). In terms of per-
ical world. Fig. 7(a) also depicts the nonmonotonic behavior of centage overshoot, settling time, and mean-squared error, the
percentage overshoot under the high background traffic load, time-driven approach is more sensitive to the DoS attacks than
which is due to the very large service time that the event-driven method, comparing Fig. 7(b) with Fig. 7(a).
causes excessive packet loss. The reason is that DoS attacks cause the delay jitter much
The performance of rise time (within 0.16–0.26 s) is not longer, and the simple control algorithm of the time-driven
affected significantly by the attacks, compared to the controller approach makes the “bad” compensation.
design specification in Section II. The patterns of settling time
and mean-squared error are very similar to that of percentage
overshoot, which are substantially impaired by DoS attacks. VII. TIME-FREQUENCY ANALYSIS OF DELAY
When DoS attacks get more intense (larger ), the control JITTER AND PACKET LOSS
system becomes unstable. In this section, we apply autocorrelation and power spectrum
density analysis to connect the pattern of the delay jitter/packet
B. Time-Driven PI Controller loss with the performance degradation. The event-driven con-
Fig. 7(b) displays the performance under the time-driven troller is assumed throughout this section.
method. The patterns of Fig. 7(b) are similar to those of We treat the delay jitter vector as time series . The x-axis
Fig. 7(a). Time-driven method is likely to have a shorter rise represents the index of packets while the y-axis denotes the
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 LONG et al.: DENIAL OF SERVICE ATTACKS ON NBCS: IMPACT AND MITIGATION 91

(b)
Fig. 7. (Continued.) Performance under model II DoS attacks (nonlocal network attack). (b) Time-driven controller. Fewer points in some curves ( > 9 ms)
because of the extremely large percentage overshoot.  is the ratio of background traffic to network capacity. The effect of DoS attack is lumped into .

delay jitter or . If there is packet loss during transmis- where denotes the time lag and represents the total number
sion, the delay for lost packet is infinity. Our implementation of packets. is plotted in Fig. 8 (one simulation run for
of simulation program adheres to this rule. To cope with the in- each case). The lag is normalized to range from 0 to 1. The
finity in mathematical analysis, we let if packet is delay jitter and packet loss in time domain are also depicted.
lost. The rationale is that both infinity and zero are special cases Fig. 8(a) shows the reference case ( , ), which
because a packet has to experience finite nonzero jitter in a real is stable with degradation. Fig. 8(b) shows the case ( ,
system. Zero jitter for lost packet is tractable to mathematical , ) under Model I DoS
analysis. Hence, describes actually both delay jitter and attacks, which is stable with degradation. Fig. 8(c) and (d) show
packet loss. the cases ( , ) and ( , )
The discrete version of autocorrelation estimate is under Model II DoS attacks, which are unstable. The statistic
characteristics of delay jitter and packet loss from the simulation
run are listed in Table I.
(14) The two unstable cases exhibit a strong autocorrelation
of the delay jitter while other stable cases display a weak
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 92 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

Fig. 8. Backward delay jitter and autocorrelation estimates. (a)–(b) Stable control system. (c)–(d) Divergent control system.

autocorrelation. The autocorrelation of the two unstable cases power spectrum density that is defined as the square of the co-
display some big bumps in the plot when the lag is greater efficients of Fourier transform over
than 0.1. It is apparent that the strong autocorrelation of delay
jitter and packet loss of NBCS packets may severely degrade
the control system performance.
To further study the pattern of the delay jitter and packet loss, (15)
we perform frequency analysis on using the technique of
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 LONG et al.: DENIAL OF SERVICE ATTACKS ON NBCS: IMPACT AND MITIGATION 93

TABLE I
STATISTIC CHARACTERISTICS OF BACKWARD DELAY JITTER (EXCLUDING PACKET LOSS)

Fig. 9. Power spectrum density of backward delay jitter. (a)–(b) Stable control system. (c)–(d) Divergent control system.

where denote the power (or periodicity) at a specific solution to DoS attacks thus far, the common approach of
frequency. The results are depicted in Fig. 9, where there exists mitigation is for routers to identify and then block the attack
a sharp difference between the stable and unstable cases. If we traffic. We refer readers to [18] and [19] for the details in defense
fit a straight line over the lower frequencies by least squares, techniques. For the control loop simulation, the event-driven
then we notice that in the two unstable cases caused by Model controller is assumed throughout this section.
II DoS attacks the straight line has a noticeable negative slope,
whereas the slope is very small in the two stable cases. A. Countermeasure to Model I DoS Attacks (Local Network
Attack)
Since Model I DoS attacks are launched locally, the routers
VIII. MITIGATING MEASURES
within the victim corporate network may detect and stop the
This section discusses the network defense against DoS attack traffic. It is feasible for customer-edge routers to in-
attacks for the security of NBCS. Although there is no complete stall an intrusion detection system that observes the passing
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 94 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

traffic. For instance, if the packet arrival rate is above a certain

threshold, the router can reason that a DoS attack is likely taking
place, and then actively drop the background or non-NBCS
traffic. We propose the following algorithm to illustrate this
idea. Some details for implementing the algorithm are omitted
because they are not the focus of this paper.

Algorithm: Packet filtering with incremental

dropping probability at customer-edge routers
Initialization: set a small packet dropping
=
probability prob a // i.e., a : = 0 001
set packet number threshold num th and
time threshold T th Fig. 10. Example DoS attacks. (a) Model I. (b) Model II. Solid lines represent
set elapse time =0 the NBCS traffic path. Dashed lines are attack path.
1: count number of packets num every T ( ) 1 =
100 ms TABLE II
MITIGATION AGAINST MODEL I DoS ATTACK WITH
2: if num > th ack mag = 2500 packets=s,  = 3 ms, AND  = 0:6
3: drop the background traffic with prob (EVENT-DRIVEN CONTROLLER)
4: increase prob
5: else
6: elapse time = elapse time +1 T

7: end
8: if num < th AND elapse time > T th

9: reset prob a =
10: reset elapse time =0
11: end
TABLE III
12: Goto Step 1 MITIGATION AGAINST MODEL II DoS ATTACK WITH  = 15 ms
AND  = 0:1 (EVENT-DRIVEN CONTROLLER)

The rationale of the algorithm is that customer-side routers

in a corporate network can distinguish NBCS traffic from other
background traffic, and furthermore the NBCS traffic can be
given a higher priority. In implementation, we can use the “type
of service” (TOS) field in the IP packet header to allow packets
to be treated differently based on the application needs. The
router begins to drop the background traffic from an initial small
probability if the packet arrival rate is higher than the prescribed results under different values of . In this context, we prescribe
packet rate threshold . Then the router will start to increase the packet rate of attack traffic to observe the original exponen-
(packet dropping probability) to drop the low priority tial growth, but at s , the attack traffic packet rate
traffic until the packet rate is below the threshold. Incrementally will be reduced from the original value to zero because the attack
increasing the packet dropping probability can shorten the time traffic is blocked. We perform ten simulation runs and list the re-
required for packet rate dropping below the threshold. If the sults in Table II, where one noticeable attribute is that the rise
time duration , under which packet rate is less than and settling time and the mean-squared error are significantly
, is greater than the prescribed , then will be reset reduced by the mitigating measure. Table II also indicates that
to the small initial value to reflect that the attack is diminishing. quicker intrusion detection and packet filtering can better alle-
Fig. 10(a) illustrates that local attackers launch the DoS attacks viate the performance degradation.
to router R1 (customer-edge router of the plant). In this case,
R1 can implement the algorithm and cut off the attack traffic B. Countermeasure to Model II DoS Attacks (Non-Local
for the protection of the NBCS traffic. Network Attack)
To test the efficacy of the algorithm, we set up a specific net- Under Model II attacks, the remote attackers send a flood of
work topology that contains a few end nodes and routers to sim- traffic to the provider-edge router, as illustrated in Fig. 10(b).
ulate a possible attack to a NBCS system. During the simulation, The difference in this case is that intermediate routers in the
we have observed that, depending on the scales of the DoS at- Internet may not distinguish the particular NBCS traffic from
tacks, the network defense yields different results on the elapsed other application traffic. The reason is that it is cost-expensive
time from the onset of an attack to router successfully blocking and cumbersome to configure every Internet router, though cor-
the attack traffic. porate IT engineers can set up the packet blocking rules on their
To avoid the excessive discussion of particular attack sce- routers. In this case, however, it is the responsibility of Internet
narios, we make the simplification that reports the mitigation service providers to mitigate the DoS attacks.
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 LONG et al.: DENIAL OF SERVICE ATTACKS ON NBCS: IMPACT AND MITIGATION 95

Fig. 11. Backward delay jitter time series. (a) DoS attack model I, ack mag = 2500 packets=s,  = 3 ms,  = 0:6. (b) Mitigation for DoS attack model I,
t = 1 s. (c) DoS attack model II,  = 15 ms,  = 0:1. (d) Mitigation for DoS attack model II, t = 2 s.

An effective countermeasure system was proposed in [20]. C. Discussion

The idea is that the Internet routers generate audit trails for en Fig. 11 plots the time series of the delay jitter and packet
route traffic and then trace the origin of the attack packets. For loss without/with mitigation. Each plot in time domain is drawn
example, in Fig. 10(b), router R2 identifies the attack packet from one instance of simulation runs. Comparing Fig. 11(a) with
through the intrusion detection method that identifies a mali- Fig. 11(b), we observe that the mitigation to Model I DoS at-
cious packet and then queries R3; R3 in turn queries routers R4 tacks mends the packet loss so that the system response be-
and R5. R4 stops the trace because its log does not contain the comes faster. For the countermeasure to Model II DoS attacks,
attack packet digest whereas R5 detects the presence of attack the beginning interval of Fig. 11(d) is similar to the pattern of
traffic. Since R5 is the access router serving the end users, now Fig. 11(c), but the later intervals of Fig. 11(d) (after mitigation)
it blocks the traffic originated from attacker’s machines. Con- contains no large bumps that is the sign of slow fluctuation of
sequently, the traffic burden of R2 and R3 can be significantly packet delay jitter in time domain.
reduced.
The factor in simulation is the elapsed time from the onset
IX. CONCLUSION
of an attack to router successfully blocking the attack traffic. We
model the mitigating effect by decreasing to a lower value . In this paper, the performance degradation of NBCS under
In the simulation, we choose the case of and DoS attacks is quantitatively investigated. We propose two
because it is unstable without mitigation. Due to the intrusion queueing models to approximate delay jitter and packet loss
prevention system, after , the mean service under attacks. The proposed queueing models incorporate
time will decrease to a lower value (slightly higher the different aspects of attacks to either a local area network
than network regular status ) to reflect that the attack connecting to the Internet or the Internet. The simulation
is diminishing. We perform 10 simulation runs and report the results show that NBCS systems can be significantly degraded
results in Table III, where we observe the system has moderate under DoS attacks. One observation drawn from the study
performance degradation if the network intrusion detection can is that the worst performance occurs when the NBCS traffic
quickly respond to the attacks. exhibits a strong autocorrelation of packet loss and delay jitter.
Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.
 96 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 1, NO. 2, MAY 2005

In addition, we find that the network defense measures can [20] A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, B.
ameliorate the performance degradation. The proposed models Schwartz, S. Kent, and W. Strayer, “Single-packet IP traceback,”
IEEE/ACM Trans. Networking, vol. 10, no. 6, pp. 721–734, Dec. 2002.
of DoS attacks on NBCS can be a useful tool for performance [21] J. Nilsson, B. Bernhardsson, and B. Wittenmark, “Stochastic analysis
evaluation, as we further combine the network mitigation with and control of real-time systems with random time delays,” Automatica,
the more sophisticated control algorithms designed for handling vol. 34, no. 1, pp. 57–64, 1998.
delay jitter such as gain scheduling [7] and optimal stochastic
control [21] in the future research.
Men Long was born in Chongqing, China, in
1978. He received the B.E. degree (Hons.) from
ACKNOWLEDGMENT Chongqing University, Chongqing, in 2000 and the
M.S. degree from The University of Tulsa, Tulsa,
The authors thank the anonymous reviewers for their valuable OK, in 2002, both in electrical engineering. He is
comments and suggestions that greatly helped the research work currently pursuing the Ph.D. degree in the Electrical
and Computer Engineering Department, Auburn
and improved the paper presentation. University, Auburn, AL.
His research interests include mobile computing
and network security.
REFERENCES
[1] M.-Y. Chow and Y. Tipsuwan, “Network-based control systems: a tuto-
rial,” in Proc. 27th Conf. IEEE Industrial Electronics Soc., Denver, CO,
Nov. 2001, pp. 1593–1602. Chwan-Hwa “John” Wu (M’88–SM’94) received
[2] A. Householder, A. Manion, L. Pesante, G. Weaver, and R. Thomas, the B.S. degree from National Chiao-Tung Univer-
“Managing the Threat of Denial-of-Service Attacks,” Carnegie Mellon sity, Hsinchu, Taiwan, R.O.C., in 1980 and the Ph.D.
CERT Coordination Center, Pittsburgh, PA, [Online] Available: degree from the Polytechnic University, New York,
http://www.cert.org/archive/pdf/Managing_DoS.pdf, Oct. 2001. in 1987.
[3] K. Houle, G. Weaver, N. Long, and R. Thomas, “Trends He joined the faculty of Auburn University,
in Denial of Service Attack Technology,” Carnegie Mellon Auburn, AL, in 1987, where he is currently a
CERT Coordination Center, Pittsburgh, PA, [Online] Available: Professor of Electrical and Computer Engineering.
http://www.cert.org/archive/pdf/DoS_trends.pdf, Oct. 2001. He has been the Principal Investigator on research
[4] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. projects funded by the NSF, NASA, U.S. Marshals
Weaver, “Inside the Slammer worm,” IEEE Security & Privacy Mag., Service, USDA, and Cray Research, Inc. He holds
vol. 1, no. 4, pp. 33–39, 2003. one U.S. patent and is author of Emerging Technologies in Multimedia
[5] S. Staniford, V. Paxson, and N. Weaver, “How to own the Internet in your Computer Communications (Englewood Cliffs, NJ: Prentice-Hall, 1997). His
spare time,” in Proc 11th USENIX Security Symp., 2002, pp. 149–167. current research interests include information security and computer networks.
[6] U.S. Department of Justice. Computer Crime and Intellectual Property Dr. Wu is an author and co-author of over 50 journal papers in IEEE
Section. [Online] Available: http://www.usdoj.gov/criminal/cyber- transactions, physical reviews, and in journals such as Applied Physics Letters,
crime/ccpolicy.html#DDSA Applied Optics, and the Journal of Parallel and Distributed Computing, as well
[7] Y. Tipsuwan, M.-Y. Chow, and R. Vanijjirattikhan, “An implementation as in over 110 conference publications. He has served as committee member
of a networked PI controller over IP network,” in Proc. 29th Conf. IEEE and referee for numerous conferences and journals, as Guest Editor for the
Industrial Electronics Soc., Roanoke, VA, Nov. 2003, pp. 2805–2810. IEEE TRANSACTIONS ON PLASMA SCIENCE and IEEE TRANSACTIONS ON
[8] Y. Tipsuwan and M.-Y. Chow, “Neural network middleware for model INDUSTRIAL ELECTRONICS, and as Associate Editor of IEEE TRANSACTIONS
predictive path tracking of networked mobile robot over IP network,” in ON INDUSTRIAL ELECTRONICS. He received the IEEE TRANSACTIONS ON
Proc. 29th Conf. IEEE Industrial Electronics Soc., Roanoke, VA, Nov. INDUSTRIAL ELECTRONICS 1997 Outstanding Paper Award. He is a member of
2003, pp. 1419–1424. Sigma Xi and Eta Kappa Nu.
[9] S. Soucek, T. Sauter, and G. Koller, “Effect of delay jitter on quality of
control in EIA-852-based networks,” in Proc. 29th Conf. IEEE Industrial
Electronics Soc., Roanoke, VA, Nov. 2003, pp. 1431–1436.
[10] J. Yepez, P. Marti, and J. Fuertes, “Control loop performance analysis John Y. Hung (S’79–M’80–SM’93) received the
over networked control system,” in Proc. 28th Conf. IEEE Industrial B.S. degree from the University of Tennessee,
Electronics Soc., Sevilla, Spain, Nov. 2002, pp. 2881–2885. Knoxville, in 1979, the M.S.E. degree from
[11] K. Brady and T.-J. Tarn, “Internet-based teleoperation,” in Proc. 27th Princeton University, Princeton, NJ, in 1981, and
Conf. IEEE Industrial Electronics Soc., Denver, CO, Nov. 2001, pp. the Ph.D. degree from the University of Illinois,
644–649. Urbana–Champaign, in 1989, all in electrical engi-
[12] J. Woo and J. Lee, “Transmission modeling and simulation for Internet- neering.
based control,” in Proc. 27th Conf. IEEE Industrial Electronics Soc., From 1981 to 1985, he was with Johnson Controls,
Denver, CO, Nov. 2001, pp. 165–169. Milwaukee, WI, developing microprocessor-based
[13] A. Weaver, “Survey of industrial information technology,” in Proc. 27th controllers for commercial heating, ventilation,
Conf. IEEE Industrial Electronics Soc., Denver, CO, Nov. 2001, pp. and air conditioning systems. From 1985 to 1989,
2056–2061. he was a Consultant Engineer with Poly-Analytics, Inc. In 1989, he joined
[14] L. Kleinrock, Queueing Systems: Volume I—Theory. New York: Auburn University, Auburn, AL, where he is currently an Associate Professor
Wiley, 1976, pp. 8–9. of Electrical and Computer Engineering. His teaching and research interests
[15] National Laboratory for Applied Network Research. Active Mea- include nonlinear control systems and signal processing with applications in
surement Project. [Online] Available: http://watt.nlanr.net/ac- process control, robotics, electric machinery, and power electronics. He is
tive/maps/ampmap_active.php holds two U.S. patents in the area of control systems.
[16] Internet 2. One-Way Latency Measurement. [Online] Available: Prof. Hung has received several awards for his teaching and research, in-
http://abilene.internet2.edu/ami/owamp_status_map.cgi/now cluding a Best Paper Award from the IEEE TRANSACTIONS ON INDUSTRIAL
[17] T. Karagiannis, M. Molle, M. Faloutsos, and A. Broido, “A nonsta- ELECTRONICS. He has been an Associate Editor of the IEEE TRANSACTIONS
tionary Poisson view of Internet traffic,” in Proc. 23rd Conf. IEEE In- ON CONTROL SYSTEM TECHNOLOGY (1997–1998), and is an Associate Editor
focom, Hong Kong, 2004. of the IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS. He served as Tech-
[18] H. Aljifri, “IP traceback: a new denial-of-service deterrent,” IEEE Secu- nical Program Co-Chair for the 2000 IEEE International Conference on Indus-
rity & Privacy Mag., vol. 1, no. 3, pp. 24–31, May–Jun. 2003. trial Technology (Goa, India) and the 2000 IEEE International Symposium on
[19] R. Chang, “Defending against flooding-based distributed denial-of-ser- Industrial Electronics (Puebla, Mexico). He also serves as Treasurer of the IEEE
vice attacks: a tutorial,” IEEE Commun. Mag., pp. 42–51, Oct. 2002. Industrial Electronics Society.

Authorized licensed use limited to: BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE. Downloaded on November 06,2024 at 11:16:52 UTC from IEEE Xplore. Restrictions apply.