
An Algorithm Based Efficient Solution for DDoS Attack at ISP Level


Academic year: 2022


G. Penchalaiah Babu, IJRIT- 71

International Journal of Research in Information Technology (IJRIT)

www.ijrit.com ISSN 2001-5569

An Algorithm Based Efficient Solution for DDoS Attack at ISP Level

G. Penchalaiah Babu1, B.Sreekanth2

1Student, Bheema Institute of Technology and Science Adoni, Kurnool, Andhra Pradesh, India

[email protected]

2Asst.Professor, Bheema Institute of Technology and Science Adoni, Kurnool, Andhra Pradesh, India

[email protected]

Abstract

Non-distributed denial-of-service attacks frequently exploit a vulnerability by sending a small number of carefully forged packets that disrupt a service, whereas DDoS attacks are for the most part used to flood a particular victim with enormous volumes of traffic. An intrusion detection system can hardly detect such DDoS attacks unless it is located very close to the victim. The Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind it. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks.

In this paper we formulate the problem and present theoretical results along with several algorithms for detecting DDoS attacks, through which future problems with service attacks can be addressed.

Keywords: DDoS, Intrusion, botmasters, botnet, traffic patterns, flash crowds.

1. Introduction

The Internet has never been a safe place, and designing automated and efficient techniques for the rapid detection of computer network anomalies (e.g., due to intrusions) has never ceased to be a topical problem in cyber security. Many existing anomaly-based Intrusion Detection Systems (IDSs) operate by applying statistical machinery to comb through the passing traffic looking for a deviation from the traffic's normal profile. By way of example, the Sequential Probability Ratio Test (SPRT), the Cumulative Sum (CUSUM) chart and the Exponentially Weighted Moving Average (EWMA) inspection scheme are the de facto workhorses of the community. The CUSUM and EWMA methods come from the area of sequential change-point detection, a branch of statistics concerned with the design and analysis of the fastest way to detect a change (i.e., an anomaly) in the state of a phenomenon (time process) of interest. Yet another change-point detector popular in statistics is the Shiryaev–Roberts (SR) procedure. Though practically unknown in the cyber security community, the SR procedure is as computationally simple as the CUSUM chart or the EWMA scheme. However, unlike the latter two, the SR procedure is also the best one can do (i.e., exactly optimal) in a certain multi-cyclic setting, a natural fit in the computer network anomaly detection context. The aim of this work is to offer a novel multi-cyclic anomaly detector using the SR procedure as the prototype. Due to the exact multi-cyclic optimality of the SR procedure, the studied algorithm is expected to outperform other detection schemes, in particular the multi-cyclic CUSUM procedure. We confirm this experimentally using real data.
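The multi-cyclic CUSUM and Shiryaev–Roberts recursions described above, written out as an added example (this is not code from the paper or from the cited work). It assumes that packet counts per 100 ms bin are roughly Gaussian with a known quiet-time mean mu0 and a known flooded mean mu1 (same sigma), accumulates the per-bin log-likelihood ratio of "attack" against "normal", and restarts each statistic after an alarm so the detector keeps running across repeated attack/no-attack cycles. The trace, the bin size and the threshold h (A = exp(h) for SR) are constructed assumptions.

```python
"""Multi-cyclic change-point detection of a DDoS-induced rate shift with the
CUSUM and Shiryaev-Roberts (SR) statistics.  Added example, not the paper's
code.  Assumed model: per-bin packet counts are N(mu0, sigma^2) while the
link is quiet and N(mu1, sigma^2) once the flood starts."""
import math
import random


def llr(x, mu0, mu1, sigma):
    """Log-likelihood ratio of one bin: log N(x; mu1, s^2) - log N(x; mu0, s^2)."""
    return (mu1 - mu0) / sigma ** 2 * (x - (mu0 + mu1) / 2.0)


def cusum_alarms(xs, mu0, mu1, sigma, h):
    """Multi-cyclic CUSUM: W_t = max(0, W_{t-1} + LLR_t); alarm when W_t >= h,
    then restart from W = 0.  Returns the list of alarm indices."""
    alarms, w = [], 0.0
    for t, x in enumerate(xs):
        w = max(0.0, w + llr(x, mu0, mu1, sigma))
        if w >= h:
            alarms.append(t)
            w = 0.0
    return alarms


def _log1pexp(v):
    """log(1 + exp(v)) without overflow; v = -inf encodes R = 0."""
    if v == float("-inf"):
        return 0.0
    return max(v, 0.0) + math.log1p(math.exp(-abs(v)))


def sr_alarms(xs, mu0, mu1, sigma, log_a):
    """Multi-cyclic Shiryaev-Roberts: R_t = (1 + R_{t-1}) * exp(LLR_t); alarm
    when R_t >= A = exp(log_a), then restart from R = 0.  Kept in the log
    domain because R grows geometrically during an attack."""
    alarms, log_r = [], float("-inf")
    for t, x in enumerate(xs):
        log_r = _log1pexp(log_r) + llr(x, mu0, mu1, sigma)
        if log_r >= log_a:
            alarms.append(t)
            log_r = float("-inf")
    return alarms


def synthetic_counts(n_pre, n_post, mu0, mu1, sigma, seed=7):
    """Constructed per-bin packet counts: n_pre quiet bins, then a flood."""
    rng = random.Random(seed)
    return ([rng.gauss(mu0, sigma) for _ in range(n_pre)]
            + [rng.gauss(mu1, sigma) for _ in range(n_post)])


def detect_flood(mu0=1000.0, mu1=1100.0, sigma=30.0, h=25.0, change_at=300):
    """Run both detectors on a constructed trace (parameters are assumptions).
    Returns the true change point and the alarms raised by each detector."""
    xs = synthetic_counts(change_at, 100, mu0, mu1, sigma)
    cusum = cusum_alarms(xs, mu0, mu1, sigma, h)
    sr = sr_alarms(xs, mu0, mu1, sigma, h)   # same threshold in the log domain
    return {
        "change_at": change_at,
        "cusum_first_alarm": cusum[0] if cusum else None,
        "sr_first_alarm": sr[0] if sr else None,
        "cusum_alarms": cusum,
        "sr_alarms": sr,
    }


if __name__ == "__main__":
    r = detect_flood()
    print(f"flood starts at bin {r['change_at']}; CUSUM first alarm at bin "
          f"{r['cusum_first_alarm']}, SR first alarm at bin {r['sr_first_alarm']}")
```

Because R_t sums the likelihood ratios over every candidate change point while CUSUM keeps only the largest, log R_t is never smaller than the CUSUM statistic, so with equal thresholds the SR detector never fires later than CUSUM; the price is a slightly higher false-alarm rate at the same h, which is why the two are compared at matched mean time to false alarm rather than at matched thresholds in practice.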

The distributed denial-of-service (DDoS) attack has been one of the most frequently occurring attacks that badly threaten the stability of the Internet. According to the CERT Coordination Center (CERT/CC), there are mainly three categories of DDoS attacks: flood attacks, protocol attacks and logical attacks. This paper focuses mainly on flood attacks. In a DDoS flood attack, an intruder bombards a site (the victim) with a huge volume of attack packets so as to jam its entrance and block access by legitimate users, or at least significantly degrade its performance. Therefore, real-time and accurate detection of these attacks is critical to the Internet community.

Fig 1: Composition of Normal and Attack traffic

Usually, attack detection methods are classified into two categories: misuse detection and anomaly detection. Misuse detection matches network traffic against a library of known signatures; hence a new variant of an attack whose signature is not yet in the library is missed entirely.

Anomaly detection does not suffer from this problem. Considering that a DDoS flood attack is a process that changes dynamically and frequently, anomaly-based detectors play a key role in detecting this kind of attack. As far as anomaly detection is concerned, quantitatively characterizing the statistics of attack-free network traffic is fundamental.

As shown by Leland et al., and supported by a number of later studies, measurements of local- and wide-area, wire-line and wireless network traffic all demonstrate that network traffic possesses self-similarity on large time scales. Self-similarity is the property of an object whose structure is unchanged at different scales, and its degree can be described by the Hurst parameter. Several studies show that a DDoS flood attack exerts a remarkable influence on the self-similarity of network traffic. Thus, this kind of attack can be detected effectively by monitoring the change of the Hurst parameter. Existing flood attack detection methods based on the self-similarity of network traffic divide the traffic into non-overlapping segments. The Hurst parameter of each segment is estimated; once the Hurst parameter moves beyond a pre-defined fixed threshold, a loss of self-similarity (LoSS) has occurred and a DDoS flood attack is declared. However, a DDoS flood attack may take place at an arbitrary moment, whenever the traffic changes its self-similarity characteristic, and the intensity of the attack also varies, which changes the Hurst parameter by a varying amount. Therefore, these existing fixed-threshold detection methods lack flexibility and self-adaptability.
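The segment-wise Hurst estimation and fixed-threshold LoSS check described above, as an added example (not the paper's code or data). It uses the aggregated-variance estimator of H, the [0.5, 0.99] normal range that the literature review below attributes to earlier methods, a constructed background series that stands in for self-similar traffic, and a constructed flood; going beyond the text, it also includes an adaptive variant that flags a drop in H relative to a baseline learned from attack-free segments, which is the kind of self-adaptability the paragraph says fixed thresholds lack. The segment length, block sizes, traffic generators and the 0.2 drop are assumptions.

```python
"""Loss-of-self-similarity (LoSS) detector for DDoS flood traffic.
Added example, not the paper's code or data.  Every non-overlapping segment
of a per-bin packet-count series gets a Hurst estimate; a segment is flagged
when H leaves a fixed normal range, or (adaptive variant) when H drops well
below the baseline measured on attack-free segments."""
import math
import random

# Normal range of H used by the fixed-threshold methods the paper cites.
NORMAL_H_RANGE = (0.5, 0.99)


def aggregated_variance_hurst(xs, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Aggregated-variance estimator: Var(mean of m samples) ~ m**(2H - 2).
    Least-squares fit of log(variance) against log(m); H = 1 + slope / 2."""
    pts = []
    for m in block_sizes:
        means = [sum(xs[i:i + m]) / m for i in range(0, len(xs) - m + 1, m)]
        if len(means) < 2:
            continue
        mu = sum(means) / len(means)
        var = sum((v - mu) ** 2 for v in means) / (len(means) - 1)
        if var > 0.0:
            pts.append((math.log(m), math.log(var)))
    xbar = sum(x for x, _ in pts) / len(pts)
    ybar = sum(y for _, y in pts) / len(pts)
    sxy = sum((x - xbar) * (y - ybar) for x, y in pts)
    sxx = sum((x - xbar) ** 2 for x, _ in pts)
    return 1.0 + (sxy / sxx) / 2.0


def loss_of_self_similarity(series, segment_len=4096, h_range=NORMAL_H_RANGE):
    """Fixed-threshold LoSS over non-overlapping segments.
    Returns [(segment_start, H, flagged), ...]."""
    out = []
    for s in range(0, len(series) - segment_len + 1, segment_len):
        h = aggregated_variance_hurst(series[s:s + segment_len])
        out.append((s, h, not (h_range[0] <= h <= h_range[1])))
    return out


def adaptive_loss(results, warmup=2, max_drop=0.2):
    """Adaptive variant (assumption, not from the paper): baseline H is the
    mean over the first `warmup` segments, assumed attack-free; a segment is
    flagged when its H falls more than `max_drop` below that baseline."""
    base = sum(h for _, h, _ in results[:warmup]) / warmup
    return [(s, h, h < base - max_drop) for s, h, _ in results]


def background_traffic(n, rng, burn_in=500):
    """Constructed stand-in for self-similar background traffic (packets per
    100 ms bin): the sum of three smoothed sources with different memory
    lengths, which is persistent (H well above 0.5) at the scales used here."""
    phis = (0.5, 0.9, 0.95)
    state = [0.0] * len(phis)
    out = []
    for t in range(n + burn_in):          # burn-in discards the start-up transient
        for k, phi in enumerate(phis):
            state[k] = phi * state[k] + rng.gauss(0.0, 1.0)
        if t >= burn_in:
            out.append(800.0 + 20.0 * sum(state))
    return out


def flood_traffic(n, rng):
    """Constructed flood: bots burst every other bin at a fixed rate with
    i.i.d. jitter, so the flood carries no long memory of its own."""
    return [3000.0 + 3000.0 * (t % 2) + rng.gauss(0.0, 300.0) for t in range(n)]


def demo(segment_len=4096, normal_segments=3, attack_segments=2, seed=1):
    """Three attack-free segments followed by two flooded ones; returns the
    fixed-range verdicts and the adaptive verdicts."""
    rng = random.Random(seed)
    series = background_traffic(segment_len * (normal_segments + attack_segments), rng)
    flood = flood_traffic(segment_len * attack_segments, rng)
    offset = segment_len * normal_segments
    for i, f in enumerate(flood):         # the flood rides on top of the background
        series[offset + i] += f
    fixed = loss_of_self_similarity(series, segment_len)
    return fixed, adaptive_loss(fixed)


if __name__ == "__main__":
    for label, res in zip(("fixed range", "adaptive"), demo()):
        print(label)
        for start, h, flagged in res:
            print(f"  segment@{start:6d}  H={h:.2f}  {'ATTACK' if flagged else 'normal'}")
```

The fixed-range check only fires here because the constructed flood pushes H far below 0.5; a flood that merely adds i.i.d. traffic tends to pull H toward 0.5 without crossing it, which is the situation in which a baseline-relative test such as adaptive_loss catches the change and a fixed [0.5, 0.99] range does not.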

Fig 2: Diagram of DDoS flood attack detection


2. Literature Review

Several anomaly detection methods have been proposed against DDoS flood attacks in the literature. In these methods, the network traffic activity is captured and a profile representing its stochastic behavior is created. This profile is mainly based on metrics such as the traffic rate, the number of packets or bytes per protocol, the connection rate, the number of distinct IP addresses, etc. Any activity that deviates from the profile is treated as a possible attack. There is a serious problem with these statistical anomaly detection methods: it is hard to decide on an appropriate metric at the global scale, because a linear superposition of these micro-level detection methods cannot cope with the complex behavior of the whole network. In 1993 Leland et al. first found that network traffic is self-similar and that this attribute is one of the basic properties of network traffic. Later work pointed out that the self-similarity of Internet traffic is attributable to a mixture of the actions of a number of individual users, and of hardware and software behaviors at their originating hosts, multiplexed through an interconnection network. In other words, this self-similarity always exists regardless of the network type, topology, size, protocol, or the type of services the network is carrying.

The research by Li first proved mathematically that there is a statistically significant change in the average Hurst parameter under a DDoS flood attack. Allen et al. and W. Schleifer et al. proposed methods that use the Hurst parameter to identify an attack, which causes a decrease in the traffic's self-similarity.

Those methods consider the normal range of the Hurst parameter to be [0.5, 0.99], and declare an attack when the Hurst parameter leaves this range. Their experimental results show an average detection rate of 60% to 84%, depending on the intensity of the attack. Ren et al. proposed using wavelet analysis to estimate the Hurst parameter and declare an attack when it leaves the range [0.6, 0.9]; narrowing the normal range of the Hurst parameter can be more effective at detecting low-rate DDoS flood attacks. Nevertheless, all of these existing detection methods can only detect the presence of an attack after it has occurred; they cannot identify at what time the attack happened. Fuzzy logic is one of the most popular methods used in attack detection, because it can deal with the vague and imprecise boundaries between normal traffic and different levels of attack. Wang et al. proposed using fuzzy logic to analyze the Hurst parameter and estimate the duration of a DDoS attack. However, that work did not consider the intensity of the attack traffic relative to the background traffic, and therefore cannot accurately reflect the level of damage caused by the attack.

The major contributions of this paper are:

(i) Considering the inherent relationship between the DWT and self-similarity, we propose to use SIC combined with the DWT to detect the occurrence of a DDoS flood attack, so that real-time DDoS attack detection is achieved;

(ii) We studied a fuzzy set and its implementation to decide the intensity of a DDoS flood attack against the background traffic dynamically and intelligently, which provides an accurate indication of the possible damage caused by the attack.


3. DoS Attack Detection Algorithm

In this section we review some of the major algorithms that have contributed to the modeling and detection of denial-of-service attacks and that provide a platform for developing a wide range of DDoS detection algorithms.

3.1 FireCol DDoS Attack Detection Algorithm

3.2 Snapshot Algorithm

4. Conclusions

In this paper we studied a method to detect the occurrence and intensity of a DDoS flood attack based on changes in the self-similarity of network traffic, and we addressed the problem of rapid anomaly detection in computer network traffic. This paper also studied FireCol, a scalable solution for the early detection of flooding DDoS attacks, in which belief scores are shared within a ring-based overlay network of IPSs.

Detection is performed as close to the attack sources as possible, protecting subscribed customers and saving valuable network resources. Experiments showed good performance and robustness of FireCol and highlighted good practices for its configuration.

References

[1] Zhengmin Xia, Songnian Lu and Jianhua Li, "Enhancing DDoS Flood Attack Detection via Intelligent Fuzzy Logic", International Journal of Informatica, vol. 1, pp. 497-507.

[2] Alexander G. Tartakovsky, Aleksey S. Polunchenko and Grigory Sokolov, "Efficient Computer Network Anomaly Detection by Changepoint Detection Methods", International Journal of Mathematical Sciences, Dec. 2012, vol. 4, pp. 1-7.

[3] Jérôme François, Issam Aib and Raouf Boutaba, "FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks", IEEE/ACM Transactions on Networking, 2012, vol. PP, no. 99, pp. 1-14.

[4] T. Y. Wong, K. T. Law, John C. S. Lui and M. H. Wong, "An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic", Oxford University Press, 2006, pp. 418-442.

[5] Shui Yu, Yonghong Tian, Song Guo and Dapeng Oliver Wu, "Can We Beat DDoS Attacks in Clouds?", IEEE Transactions on Parallel and Distributed Systems, pp. 1-11.

[6] Adel El-Atawy and Ehab Al-Shaer, "Adaptive Early Packet Filtering for Defending Firewalls against DoS Attacks", pp. 1-9.

[7] Jun Zhu, Zhefu Jiang and Zhen Xiao, "Twinkle: A Fast Resource Provisioning Mechanism for Internet Services", IEEE INFOCOM 2011, pp. 1-9.

[8] Jérôme François, Adel El-Atawy, Ehab Al-Shaer and Raouf Boutaba, "A Collaborative Approach for Proactive Detection of Distributed Denial of Service Attacks", IEEE Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2007), Nov. 2007.

[9] Shui Yu, Song Guo and Ivan Stojmenovic, "Can We Beat Legitimate Cyber Behavior Mimicking Attacks from Botnets?", 31st Annual IEEE International Conference on Computer Communications (INFOCOM 2012), Mini-Conference, pp. 3133-3138.

[10] Hamza Rahmani, Nabil Sahli and Farouk Kammoun, "Joint Entropy Analysis Model for DDoS Attack Detection", Fifth International Conference on Information Assurance and Security, 2009, pp. 267-272.

[11] Khaled Salah, Khalid Elbadawi and Raouf Boutaba, "Performance Modeling and Analysis of Network Firewalls", IEEE Transactions on Network and Service Management, vol. 9, no. 1, March 2012, pp. 12-22.

[12] S. Ravi Kiran, G. Narayana and T. Shesagiri, "Secure Network Intended For Flooding DDoS Attacks Recognition", IJRRECS, Dec. 2013, vol. 1, issue 8, pp. 1799-1804.
