Network Security Situation Evaluation Method for Distributed Denial of Service
Jin Qi 1,2, Cui YiMin 1,2, Huang MinHuan 1,2, Kuang XiaoHui 1,2, Tang Hong 1,2
1) Science and Technology on Information System Security Laboratory, Beijing, China
2) Beijing Institute of System and Engineering, Beijing, China
Abstract: The measurement of network congestion and of the degradation of quality of service during distributed denial of service attacks has remained an elusive goal. This paper analyzes the impact that congested links have on the attack victim and on the network architecture, introduces the min-cut set, and presents a new method to assess the network security situation under DDoS attacks. The method computes the influence value that an attack has on the network security situation according to the distance between each congested link and the victim and according to whether the link is in the min-cut set; this value is then used for quantitative situation assessment. The applicability of the method is verified by simulated experiments with a network simulation tool.
Keywords: DDoS attack; security situation; link congestion degree metric
1 Introduction
Distributed Denial of Service (DDoS) is a major threat today. Its intended effect is to prevent legitimate users from doing routine business with the victim, by exhausting some limited resource via a packet flood or by sending malformed packets that cause network elements to crash. Service denial is experienced by users as a severe slowdown, a degradation of service quality, or a complete disruption of communication with the victim. Many evaluation methods have been researched in order to analyze the security situation under DDoS attacks and to guide security engineers in adopting effective countermeasures, for example the Vulnerability Evaluation Method, Survivability Analysis, and the Security Situation Evaluation Method. The Security Situation Evaluation Method is capable of describing the overall situation of the network, analyzing the development of the security situation, and supporting the choice of remedial measures, and has consequently become a hotspot in the network security research area.
In [1] [2], the authors propose a Joint Directors of Laboratories data fusion model for perceiving the network security situation. They deploy many sensors in the testbed and use data fusion and data mining to identify the adversary and the victim and to evaluate the network security situation. In [3], the authors propose a Security Situation Assessment and Response Evaluation method based on a Bayesian network model and the Symbolic Probabilistic Inference algorithm. The algorithm can detect ongoing large-scale network intrusions, display the situation evaluation result, and react efficiently.
Current DoS measurement approaches are concerned with only part of the target network, or capture traffic measurements from the low levels of the network. The performance data have to be extracted from the raw data, several factors have to be synthesized, and only then can the security situation of the entire network be deduced. The amount of data that must be captured and extracted is very large, so it is a challenge to display the network security situation in real time. Other researchers frequently choose one DDoS impact which they feel is the most relevant. This makes the results incomplete, as each displays only one aspect of the service denial.
We propose an effective approach to DDoS impact measurement that relies on easily computed network traffic statistics. It handles large-scale networks and can display the security situation of the entire network. We present several metrics that comprehensively capture the DDoS impact in a variety of test scenarios, in testbed experimentation or in simulation, and we run experiments on the NS2 [4] testbed under several DDoS attacks to validate our principles and algorithms. The experiments show that the principles and algorithms are applicable to DDoS impact evaluation.
2 Security situation influence analysis based on link congestion
DDoS attacks work by using a large number of compromised hosts to direct a simultaneous attack on targets. Figure 1 shows the typical process of a DDoS attack. The attack scenario provides two important pieces of information. First, the closer to the target, the fewer links the flooding packets can be routed over. Second, the closer to the target, the more seriously congested the links are.
Fig 1. A typical DDoS attack scenario
The network can be mapped onto a connected graph in which each router is a vertex and each physical connection between routers is an edge. Assume that each application server has a direct physical connection to only one router, as shown in Figure 2. The graph is directed, but in some places a non-directed representation is used for convenience of presentation.
Fig 2. Network mapping relationship
The purpose of a DDoS attack is to consume network bandwidth or service resources, which prevents legitimate users from doing routine business. Congested links affect the network security situation in two ways: one is the impact on the application server, the other is the impact on the network structure. The following two principles focus on these two factors.
2.1 Take Priority of the Adjacent Link
The links adjacent to the victims have a greater impact on the degradation of quality of service during DDoS attacks.
First, when the links adjacent to a server are congested, it is likely that the DDoS attack is against that server. Second, the more links adjacent to the server are congested, the more legitimate users are prevented from using the service.
2.2 Take Priority of the Links in the Min-cut Set
The links in the min-cut set have a greater impact on the degradation of quality of service than those that are not in the min-cut set.
By graph theory, when a link in the cut-set is congested, the probability of network partitioning becomes even greater. So a link in the min-cut set is more important than links that are not.
3 The situation assessment for DDoS attacks
Based on the security situation analysis and the priority principles of link congestion, the security situation model is first established using graph algorithms; the situation evaluation algorithm based on link congestion is then proposed, and the calculation methods for the key evaluation parameters are described subsequently.
3.1 The Situation Model based on Graph Algorithms
The parameters of network security situation evaluation are formally defined here. First, we define the concept of the “Level” of a router and of a link.
• Definition 1: The Router Level. It is the length of the shortest path between two routers. For example, in Figure 2, the level of Router C relative to Router A is 2, while the level of Router C relative to Router B is 1.
• Definition 2: The Link Level. It is the level of the link’s initial node. For example, the level of link <E,A> is equal to the level of Router E relative to Router A, which is 2.
Algorithm 1 (Figure 3)
Input: raw network monitoring data
Output: the situation curve
BEGIN
1 DO every time slot
2   IF some links e fulfill ρ(e) > ρMAX and e not in EJ
3     Add each such e to EJ
4   IF some links e fulfill ρ(e) ≤ ρMAX and e in EJ
5     Delete each such e from EJ
6   IF |EJ| > ρMIN
7     Get current situation value S by calling Algorithm 2
8     Append S to the situation curve
END
The parameters of network security situation can be grouped into two categories: the network static structure NA and the network congestion situation NC.
3.1.1 The Network Static Characteristics
The Network Static Characteristics, NA, contain the network diagram, the important node set and the min-cut set. NA is denoted by the triple NA = (G, VI, EC). The static characteristics are recalculated only when the network structure changes.
• The network diagram: G = (V, E), where V is the set of vertexes and E is the set of edges.
• The important vertexes set: VI. It indicates the routers which connect to the servers.
• The min-cut set: EC.
3.1.2 The Network Congestion Situation
The Network Congestion Situation, NC, mainly refers to the congested link set and related functions. It is denoted by the 5-tuple NC = (EJ, lev(ei,vj), ρ(e), δ(ei,vj), λ(e)). NC changes with the real-time network congestion situation.
• The congested link set: EJ.
• The level function: lev(ei,vj), ei∈EJ, vj∈VI. It describes the level of link ei relative to node vj.
• The link congestion degree metric: ρ(ei), ei∈EJ. It describes the congestion degree of link ei.
• The distance metric: δ(ei,vj), ei∈EJ, vj∈VI. It describes the influence of congested link ei on node vj.
• The structure metric: λ(ei), ei∈EJ. It describes the degree of influence of congested link ei on the network structure.
3.2 The Evaluation Algorithm based on Link Congestion
The evaluation algorithm based on link congestion is divided into three steps: initial construction, situation monitoring and situation assessment.
3.2.1 The Initial Construction Algorithm
The static characteristics of the network are constructed in the initial construction phase. The network diagram construction and the important node identification require human involvement, and the min-cut set is calculated using the Stoer-Wagner algorithm [5]. Whenever the network structure changes, the BFS algorithm [6] is run with each server as the starting point, and the shortest distance of every other node is stored. During situation evaluation, lev(ei,vj) is obtained by looking up the level of congested link e's starting router relative to server v.
3.2.2 The Situation Monitoring Algorithm
Assume that each router has a mechanism that can detect when congestion occurs and calculate its degree. Once the degree of congestion on a particular link exceeds the threshold ρMAX, the monitoring system reports it to the evaluation center. When the number of congested links exceeds the threshold ρMIN, the network situation is recalculated. The algorithm is defined in Figure 3.
Fig 3. Monitoring the network situation and calculating the situation curve
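The monitoring step above, as an added example that is not part of the paper: the link congestion degree ρ = λin/λmax of Section 3.3.1 is computed from per-slot byte counts, the congested link set EJ is kept across time slots with the ρMAX / ρMIN thresholds of Algorithm 1, and a situation value is appended only while enough links are congested. The capture records, λmax values and the stand-in situation function (a plain sum of ρ in place of Algorithm 2) are constructed assumptions.

```python
# Constructed capture records (not the paper's data): bytes forwarded onto each
# link per time slot, and each link's maximum rate lambda_max from the vendor manual.
LAMBDA_MAX = {("A", "B"): 1000, ("B", "E"): 1000, ("E", "G"): 1000}
CAPTURES = [  # one dict per time slot: link -> bytes forwarded in that slot
    {("A", "B"): 300,  ("B", "E"): 400,  ("E", "G"): 500},
    {("A", "B"): 1200, ("B", "E"): 1300, ("E", "G"): 700},
    {("A", "B"): 1200, ("B", "E"): 1300, ("E", "G"): 1500},
    {("A", "B"): 200,  ("B", "E"): 1100, ("E", "G"): 1500},
    {("A", "B"): 200,  ("B", "E"): 300,  ("E", "G"): 400},
]

def congestion_degree(bytes_in, lambda_max):
    """Section 3.3.1: rho(e) = lambda_in / lambda_max; values above 1 mean the
    link is offered more traffic than it can carry."""
    return bytes_in / lambda_max

def monitor(captures, lambda_max, rho_max, rho_min, situation_fn):
    """Algorithm 1 (Figure 3): keep the congested link set EJ across time slots
    and evaluate the situation only while more than rho_min links are congested.
    situation_fn(ej) stands in for Algorithm 2 and receives {link: rho}.
    Returns the situation curve as (slot_index, S) pairs."""
    ej, curve = {}, []
    for slot_index, slot in enumerate(captures):
        for link, nbytes in slot.items():
            rho = congestion_degree(nbytes, lambda_max[link])
            if rho > rho_max:
                ej[link] = rho          # lines 2-3: (re)record a congested link
            elif link in ej:
                del ej[link]            # lines 4-5: the link has recovered
        if len(ej) > rho_min:           # line 6: enough congestion to evaluate
            curve.append((slot_index, situation_fn(ej)))  # lines 7-8
    return curve

def demo_curve():
    # Stand-in situation function: plain sum of rho over EJ. In the full
    # method this call is Algorithm 2 (S = SS + SN).
    return monitor(CAPTURES, LAMBDA_MAX, rho_max=1.0, rho_min=1,
                   situation_fn=lambda ej: sum(ej.values()))

if __name__ == "__main__":
    for slot_index, s in demo_curve():
        print(f"slot {slot_index}: S = {s:.2f}")
```

Slot 0 and slot 4 produce no point on the curve because at most one link is congested there; the link (A,B) leaves EJ in slot 3 as soon as its ρ drops below ρMAX.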
3.2.3 The Situation Evaluation Algorithm
As mentioned above, the influence on the security situation comprises the degradation of quality of service and the congestion of the network structure, which are described as follows.
• The link congestion influence on the degradation of quality of service: SS. The distance metric is calculated from the distance of a congested link to a server and then multiplied by the degree of link congestion; the result is the degree of influence of the congested link on that server. SS is calculated using (1):

$$S_S = \sum_{e_i \in E_J} \sum_{v_j \in V_I} \delta(e_i, v_j) \cdot \rho(e_i) \qquad (1)$$

• The link congestion influence on the network structure: SN. According to whether a congested link is in the min-cut set, the corresponding structure coefficient is multiplied by the degree of link congestion; the result is the degree of influence of the congested link on the network structure. SN is calculated using (2):

$$S_N = \sum_{e_i \in E_J} \lambda(e_i) \cdot \rho(e_i) \qquad (2)$$

The overall network security situation status is calculated as S = SS + SN. The algorithm is shown in Figure 4.

Algorithm 2 (Figure 4)
Input: network graph G, important node set VI, edge cut set EC, congested link set EJ
Output: situation value of the network
BEGIN
1 set initial network situation S = 0
2 FOR each ei in EJ
3   FOR each important vj in VI
4     compute the coefficient of ei to vj: δ(ei,vj)
5     S = S + δ(ei,vj)·ρ(ei)
6   compute the coefficient of ei to the network structure: λ(ei)
7   S = S + λ(ei)·ρ(ei)
8 RETURN S
END
Fig 4. Quantitatively analyzing the situation value of the network
Network congestion contributes negatively to the network security situation. Therefore, the larger the value of S, the worse the network security situation; the smaller the value, the better.
3.3 DDoS Impact Metrics
In the algorithm above, the link congestion degree, the distance and the network structure are the three important DDoS impact metrics in the security situation evaluation.
3.3.1 The Link Congestion Degree Metric
The link congestion degree metric is defined as the bytes transferred into the router divided by the maximum bytes the router can transfer. We abstract the router behaviour using the model shown in Figure 5. A, B and C are three input links of router RA. Packets arriving on A and B are routed to output link D and arrive at router RB. The other output links of RA are denoted by X.
Fig 5. The abstraction of the router protocols
During the measurement interval, we capture all packets transferred from router RA onto link D; their volume is denoted by λin. Second, we obtain the maximum packet rate the router can transfer by checking the user manual of the router; this is denoted by λmax. Finally, the value of the link congestion metric is ρ(D) = λin/λmax.
3.3.2 The Distance Metric
Ideally, the DDoS flooding data is generated at the daemon nodes and finally converges at the victim. This process is described in Figure 6. From the figure we can deduce that the nearer the data gets to the victim, the fewer router paths there are. In the ideal DDoS flooding scenario, the number of router paths depends on two parameters: one is the distance, the other is the node attack degree.
Fig 6. DDoS data flooding scenario in the ideal case
The node attack degree differs from the degree concept of graph theory: it counts only the nodes that have processed malicious traffic, so we only consider the paths along which malicious data is transferred. From the node attack degree we compute the average node attack degree, denoted by Avgdegddos. For the first layer of routers in the network topology, when the data arrives, the number of routes along which the data can be transferred yields the distance metric (3):

$$\delta(e_i, v_j) = \frac{1}{(Avgdeg_{ddos} - 1)^{lev(e_i, v_j)}} \qquad (3)$$

Now we need to calculate the average node attack degree Avgdegddos. Approximately, the congested routers are considered to be the paths along which malicious data is transferred. We hypothesize that some proportion of the traffic around the congested routers is malicious; this proportion is denoted by k. The average node attack degree is then calculated as follows.
The average node attack degree over all congested routers counted so far is denoted by Avgdeg, and the number of congested routers already counted is denoted by num. When a new router becomes congested, we obtain its degree, denoted by deg, and fold it into the running average. After some time of collecting statistics we obtain the average node degree under DDoS attack, and the average attack degree is then calculated using (4):

$$Avgdeg_{ddos} = k \cdot Avgdeg = k \cdot \frac{Avgdeg \cdot num + deg}{num + 1} \qquad (4)$$
3.3.3 The Structure Metric
We have defined the min-cut set before and denoted it by EC. If a link in the min-cut set is congested, the value expressing the contribution of that congested link towards cutting the entire network into two subnets is 1/|EC|. This contribution value is the parameter for congested links that exist in the min-cut set. When a congested link exists in more than one min-cut set, we choose the largest value of 1/|EC|.
The number of all graph edges is denoted by |E|. When a congested link does not exist in the min-cut set, we use 1/|E| to express the contribution of that link's impact on the network structure. Then we get (5):
$$\lambda(e_i) = \begin{cases} 1/|E_C|, & e_i \in E_C \\ 1/|E|, & e_i \notin E_C \end{cases} \qquad (5)$$
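Algorithm 2 together with the three metrics of Section 3.3, as an added example that is not the paper's code: router levels by BFS (Definition 1), the link level as the level of the link's initial node (Definition 2), δ from eq. (3), λ from eq. (5), the running average of eq. (4), and S = SS + SN. The topology, the min-cut set, the congested links and the value of Avgdegddos are all constructed assumptions, and Stoer-Wagner is not reimplemented.

```python
from collections import deque

# Constructed example topology (not the paper's Figure 7). Routers are vertices,
# links are edges written as (initial node, end node); the servers hang off
# routers F and G, so VI = {F, G}. The min-cut set is assumed to have been
# computed beforehand (the paper uses Stoer-Wagner, not reimplemented here).
EDGES = [("A", "B"), ("A", "D"), ("B", "C"), ("B", "E"), ("D", "E"),
         ("C", "G"), ("E", "F"), ("C", "F")]
VI = {"F", "G"}
EC = [frozenset({("C", "G")})]   # one min-cut set: router G hangs on a single link
AVGDEG_DDOS = 3.0                # assumed average node attack degree (eq. 4 output)

def router_levels(edges, source):
    """Definition 1: BFS hop count of every router relative to `source`.
    Links are followed in both directions, as the paper's figures do."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    lev, queue = {source: 0}, deque([source])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in lev:
                lev[w] = lev[u] + 1
                queue.append(w)
    return lev

def delta(link, server_levels, avgdeg_ddos):
    """Eq. (3): distance metric; by Definition 2 the link level is the level
    of the link's initial node relative to the server."""
    return 1.0 / (avgdeg_ddos - 1.0) ** server_levels[link[0]]

def lam(link, cut_sets, n_edges):
    """Eq. (5): 1/|EC| for a min-cut link (largest value if it lies in several
    cut sets), otherwise 1/|E|. Links must use the same orientation as EC."""
    hits = [1.0 / len(c) for c in cut_sets if link in c]
    return max(hits) if hits else 1.0 / n_edges

def situation(congested, edges=EDGES, vi=VI, cut_sets=EC, avgdeg_ddos=AVGDEG_DDOS):
    """Algorithm 2 (Figure 4): returns (SS, SN, S) for the set {link: rho}."""
    levels = {v: router_levels(edges, v) for v in vi}
    ss = sn = 0.0
    for link, rho in congested.items():
        for v in vi:
            ss += delta(link, levels[v], avgdeg_ddos) * rho
        sn += lam(link, cut_sets, len(edges)) * rho
    return ss, sn, ss + sn

def update_avgdeg(avg, num, deg, k=1.0):
    """Eq. (4): fold one newly congested router's attack degree into the average."""
    return k * (avg * num + deg) / (num + 1)

if __name__ == "__main__":
    # Same rho on a far link, on a level-1 link outside the min-cut set, and on
    # the level-1 min-cut link: principles 2.1 and 2.2 order the three values.
    for link in [("B", "C"), ("C", "F"), ("C", "G")]:
        ss, sn, s = situation({link: 1.2})
        print(f"{link}: SS={ss:.3f} SN={sn:.3f} S={s:.3f}")
```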
4 Experiment Analysis
4.1 Description of Experiment
In this section we describe the topology and traffic scenarios in the NS2 testbed that we employ to illustrate our algorithm. The experimental topology is shown in Figure 7. It consists of three client networks, each interconnected via two routers, and each client network has four routers. The victim servers are connected to routers F and G. The label on each edge of the topology is the maximum data processing rate of that path. In Figure 7 we consider only the edges that exist in the min-cut set EC = {(C,I),(H,J)}. The average node degree is 11/3, and we use this value as the average attack degree. The link congestion metric ρ is 1.
Fig 7. Experimental topology
4.2 Experiment Result
4.2.1 Experiment 1: Validate the Principle of Taking Priority of the Adjacent Link
DDoS attack scenario 1: The flooding data is generated by node A, is processed by nodes B and D, and targets node G. At the same time, flooding data is generated by node L, is processed by node I, and targets node F. The data transfer rate is 2.8 Mb/s, which congests the links far from the victims.
DDoS attack scenario 2: The flooding data is generated by node E and targets node G. The data transfer rate is 4.5 Mb/s, which congests the links adjacent to the victim.
Table 1. VALIDATE THE PRIORITY PRINCIPLE OF THE ADJACENT LINK

Scenario | Congested Link | Congested Level | Impact on QoS (F) | Impact on QoS (G) | Impact on Structure | General Impact
1 | <A,D> | 1.5 | 0.082 | 0.082 | 0.065 | 0.638
1 | <A,B> | 1.5 | 0.082 | 0.082 | 0.065 |
1 | <L,I> | 1.5 | 0.082 | 0.082 | 0.065 |
2 | <E,G> | 1.5 | 0.521 | 0.521 | 0.065 | 1.192

From experiment 1 we find that, for links with the same congestion metric, the links far away from the victim have less impact on the degradation of quality of service during DDoS attacks.
4.2.2 Experiment 2: Validate the Principle of Taking Priority of the Links in the Min-cut Set
DDoS attack scenario 3: The flooding data is generated by node B, is processed by node E, and targets node G. The data transfer rate is 5.6 Mb/s, which congests links that are not in the min-cut set.
DDoS attack scenario 4: The flooding data is generated by node J, is processed by node H, and targets node F. The data transfer rate is 5.6 Mb/s, which congests links that are in the min-cut set.
Table 2. VALIDATE THE PRIORITY PRINCIPLE OF THE LINKS IN THE MIN-CUT SET

Scenario | Congested Link | Congested Level | Impact on QoS (F) | Impact on QoS (G) | Impact on Structure | General Impact
1 | <B,E> | 1.5 | 0.195 | 0.195 | 0.065 | 1.681
1 | <E,G> | 1.5 | 0.521 | 0.521 | 0.065 |
2 | <J,H> | 1.5 | 0.195 | 0.195 | 0.78 | 2.368
2 | <H,F> | 1.5 | 0.521 | 0.521 | 0.065 |

From experiment 2 we find that, for links with the same distance to the victim, the links in the min-cut set have a greater impact on the degradation of quality of service during DDoS attacks than the links that are not in the min-cut set.
5 Conclusion
Ultimately, DDoS attacks are about creating network congestion and denying service to end users. We propose a network security situation evaluation method for DDoS measurement. The method builds a network model using graph algorithms, based on the principles that links adjacent to the victim and links in the min-cut set have more impact on the degradation of quality of service during DDoS attacks, and from the congested links it derives the degree of degradation of the security situation. It can work out the security situation of a large-scale network and reduce the data processing time. Finally, we use the NS2 testbed to validate the theories and algorithms presented in the paper.
We believe there is much more work to be done in developing effective methods for DDoS technology evaluation. In future work we will research how to apply the Analytic Hierarchy Process [7] on top of this method.
References
[1] Bass T, Multisensor data fusion for next generation distributed intrusion detection systems, 1999 IRIS National Symposium on Sensor and Data Fusion, Laurel, 1999.
[2] Bass T, Intrusion detection systems and multisensor data fusion: Creating cyberspace situational awareness, Communications of the ACM, 2000, 43(4): 99-105.
[3] D’Ambrosio B, Takikawa M, Upper D, et al., Security Situation Assessment and Response Evaluation (SSARE), DARPA Information Survivability Conference & Exposition II, 2001.
[4] The network simulator NS2, http://www.isi.edu/nsnam/ns
[5] Stoer M, Wagner F, A simple min-cut algorithm, Journal of the ACM, 1997, 44(4): 585-591.
[6] Sedgewick R, Wayne K, Algorithms, Fourth Edition, Addison-Wesley, 2011.
[7] Saaty T L, How to Make a Decision: The Analytic Hierarchy Process, European Journal of Operational Research, 1990, 48(1): 9-26.