Multi-Model Anti-Ddos Framework For Detection
And Mitigation Of High Rate Ddos Attacks In The
Cloud Environment
A.Saravanan, S.Sathya BamaAbstract— Cloud computing has become the most inevitable concept in the field of computer science. It renders various services by providing resources such as data storage, software, applications and even more for the cloud users over the internet. The most significant weakness is making the resources unavailable for legitimate users by flooding the network with the attack packets. High rate distributed denial of service (DDoS) attacks are the most common threat for the cloud server in which a large number of attack packets are sent than normal legitimate packets. This paper presents the multi-model based Anti-DDoS framework to mitigate the high rate DDoS attacks for the cloud environment. The method makes use of the graphical turing test model and authentication model for preventing the DDoS attacks along with count based filtering model and statistical based filtering model for detecting the attacks with the support of access control lists. From the experimental analysis, it is found that the proposed model has an attack detection rate of 91% and 8% of the dropout rate which is better than the existing techniques.
Index Terms— Highrate DDoS Attack, DDoS Detection and Mitigation, Count-based Filtering, Statistical based Filtering, Virtual Firewall, Authentication. —————————— ——————————
1 INTRODUCTION
OWING to the advantage of cloud computing, plenty of users are influenced by its theories. In the 1960s, the basic idea of sharing the computer system by two are more people has been initiated by DARPA (Defense Advanced Research Projects Agency), an agency that is responsible for developing the technologies for military use. Later, during the 1970s, virtualization began to emerge which is the key factor of cloud computing. However, in the late 1990s, the cloud became a very prevalent concept as the users had a superior understanding of the services provided by the cloud. Due to the growth of the internet, cloud computing has now become the obvious technology as it carries significant services over the internet. The main idea behind cloud computing is to pay as per the use. The cloud user can rent the services data storage, computing power or software as an alternative over buying the required software and hardware. The clouds can be either public or private. The main advantage of using cloud computing is that the vendor is responsible for all the administrative activities including maintenance and troubleshooting. For the users of the cloud, it is simple to use and easy to complete the intended task.The public clouds can be either used for personal use or business use. The services provided by the cloud can be of three types such as infrastructure as a service (IaaS), software as a service (Saas), platform as a service (PaaS). Similarly, private clouds are created by business organizations for their personal use. The customers approach cloud because of the few different characteristics such as on demand service, pay as per the use and elasticity. An increase in the usage of the cloud also increases vulnerabilities such as privacy issues, legal issues, resource availability issues and even more [1]. Among them, the unavailability of resources is the major
concern in the cloud environment. The unavailability of service can be successfully achieved by implementing a DoS attack which aims at sending the unwanted floods of traffic to the targeted server as a legitimate user [2]. Another variant of the DoS attack is the distributed denial of service attack which uses the same idea but employs a group of systems termed as bots to flood the unwanted request to the target server. This is the most highly implemented attack in a cloud environment [3]. The DDoS attacks can be either low rate or high rate attacks in which low rate attacks are implemented by intermittently transmitting burst attack packets over short periods of time continuously or transmitting packets attack packets at a constant low-rate [4], whereas, for high rate attacks, the attacker transmits the high rate packets repeatedly over a period of time to make the resources unavailable [5].
In this work, a multi-model based anti-DDoS framework for detection and mitigation of high rate DDoS attacks in the cloud environment has been presented. The model makes use of two components such as virtual firewall and virtual verifier node. The verifier node does all the verification for the packets forwarded by the virtual firewall. The verifier initially verifies whether the requests are sent by the bots or the normal user using the graphical turing test. Then the user and the device through which the requests are sent are examined using an authentication model. These two methods are used as a preventive measure for DDoS attacks. Then as the next step, the count based filtering model and statistical based filtering are employed by the verifier for detecting the attacks. On detecting the attacks, the verifier nodes update the suspicious list, white list, and blacklist, through which the subsequent packets are either forwarded to the cloud, dropped the packets or forwarded to the verifier node for further verification. As a result, the DDoS attacks are detected for protecting the resources from the attackers.The rest of the paper is presented as follows. Section 2 discusses the works from the literature related to the proposed model. Section 3 presents the overall framework of the proposed multi-model based anti-DDoS model. The attack prevention steps and the attack
————————————————
A.Saravanan is currently working in the Department of MCA, Sree Saraswathi Thyagaraja College, Pollachi, Tamil Nadu, India – 642205. E-mail: [email protected]
4504 detection steps of the proposed model are elaborated in
section 4 and section 5 respectively. Section 6 discusses the experimental analysis and results obtained for the proposed model. Finally, the conclusion of the paper is presented.
2
RELATED
WORKS
Several techniques have been suggested in the literature for detecting and mitigating DDoS attacks on cloud infrastructure. A typical scenario of DDoS attack in the cloud environment and the common defense mechanism are presented by Saravanan et al., [6]. The defense mechanism has three main categories as attack prevention, attack detection, and attack discovery. The authors proposed a context that includes prevention and detection process. The author suggested three methods for graphical turing tests such as VISUALCOM, IMGCOM, and AD-IMGCOM for preventing the DDoS attacks among which AD-IMGCOM is considered to be the most complex mechanism. In AD-IMGCOM, the users are given the shuffled parts of the image with an anomaly and the users are demanded to arrange the complete picture and identify the anomaly part [7]. Similarly, the method has been enhanced by including the count based filtering for detecting the attacks [8]. The most widely used count based filtering is providing the limit to the number of requests that originate from the same source or different sources. Based on these behaviors, the subsequent packets originating from the same host are dropped and are not processed by which the attacks are controlled [9]. The authors Jeyanthi and Mogankumar [10] uses a similar method to limit the number of requests arriving from the same host and if it exceeds the given threshold value, the IP address is stored in the blacklist and the corresponding packets are dropped. Generally, the count based filtering techniques include computation of hop count as a significant parameter in detecting the attack packets. Most the method uses the IP2HC table for comparing the results. On receiving the packets, the destination computes the hop count. The hop count is also retrieved from the IP2HC table stored in the server and is compared with the computed hop count. If there is a match, the packet is considered as the legitimate packet or else it is detected as spoofed packet [11]. On the other hand, hop-count diversity is utilized by Al-Haidari et al., [12]. The authors employ an access control list that contains the computed TTL value for accepting and dropping the packets. If the TTL value does not match or when the IP address is not in the white list, the verification process will be carried out that contains a graphical turing test [13]. Hop count based filter with cloud defender is utilized by the authors Karnwal.et al., [14]. However, the method is utilized only for detecting some specific DDoS attacks such as HTTP and XML based DDoS. Several other filtering methods have been introduced with the aim of mitigating the attacks. Pushback based approach by utilizing the resource regulation was suggested by Ioannidis & Bellovin [15]. However, the method consumes more computational power and turnaround time due to which it is considered to be less effective. To protect the servers from attackers, a simple distance based computation has been suggested by Chapade et al., [16]. Similarly, distance-based defense system for DDoS attacks has been proposed by You [17] with three major components such as detection,
traceback, and traffic control. However, these methods does not utilize the resources of the server properly. For filtering the DDoS attacks, a data mining technique called neural network has been implemented [18]. The main drawback of this method is that the method provides less accurate results based on inherent settings. To increase the resource utilization and the functionality of the system, a method has been suggested that uses three filters to ensure the authenticated access to the targeted system. The method practices user authentication and device authentication along with the filter to limit the services to the user [19]. Statistical based analysis has been suggested in the literature to effectively detect the DDoS attack. A machine learning technique that incorporates the statistical analysis for monitoring the online traffic has been introduced and the method is termed as stream processing based big data framework [20]. However, as the method uses only the statistical analysis about the incoming and outgoing packets, the results obtained are not accurate. Based on the knowledge gained from the literature, the proposed method uses several models for mitigating the high rate DDoS attack, a serious challenge in the cloud environment.
3 PROPOSED
MULTI-MODEL
BASED
ANTI-DDOS
FRAMEWORK
The overall architecture of the proposed multi-model based anti-DDOS framework is shown in Fig. 1. The proposed model has two main components.
Fig. 1. Overall Architecture of the Proposed Anti-DDOS Framework.
The first component is the virtual firewall (VF) and the second is the virtual verifier nodes (VVN) which is similar to the idea proposed by Sqalli et al., [13]. Though the base for the proposed model is the EDoS-Shield mechanism, the proposed model also has several layers of defense to protect the cloud from the DDoS attack using various models such as graphical turing test, count based filtering model, statistical based filtering model. The virtual firewall stores two access control lists such as a blacklist and a white list consisting of IP addresses of the source system. It acts as the first layer of defense as it verifies the source IP address with that of the one on the blacklist and white list. Additionally, the suspicious list is also maintained by VVN. These lists are updated by the verifier nodes based on the verification made by them. The
Virtual Verifier Node
Attack Prevention Attack Detection
Virtual Firewall Black
List
White List
components of the framework are described in the below subsection.
3.1 Virtual Firewall (VF)
A virtual firewall is a device particularly designed for the virtual environment with the intention of filtering and observing network traffic. It can be implemented as software on the virtual machines to examine the input packets. The set of security policies are implemented as a program in which each packet will be verified to ensure secure communication. In this proposed model, the virtual firewall is implemented for routing and filtering packets. It maintains two lists such as a white list and blacklist for making judgments about the incoming packets that aim at acquiring service from the cloud originating from the outside user. Obviously, the white list contains a set of authenticated source IP addresses whereas the blacklist contains a list of unauthenticated source IP addresses. For all the incoming packets, the virtual firewall compares the source IP address of the incoming packet with the set of source IP addresses in the blacklist and if there is a match, the firewall will drop the request initiating from that particular source IP address. On the other hand, if the source IP address of the incoming packet is found in the white list, then the firewall forwards the request towards the requested service towards the cloud. If the IP address is not available in either the black or white list, then the request is forwarded to the VVN for further analysis.Virtual firewalls are generally employed frequently in the virtual environment as it is less expensive when compared to the other services. It has so many advantages such as portability, easy to maintain and quick and fast upgradation. It is mainly practiced to protect the cloud along with the data and its service from unauthenticated users.
3.2 Virtual Verifier Node (VVN)
The second significant component is the virtual verifier node which is responsible for processing all the defense mechanisms concerning the packets sent by the legitimate user inside the cloud infrastructure. Though it is represented as a singular node, the actual implementation involves a group of virtual nodes deployed in the cloud environment. It is considered to be the heart of the security mechanism as it involves several layers of defense. On accepting the incoming packets, the virtual firewall forwards the request to the virtual verifier node which is responsible to examine users of the corresponding packets employing graphical turing tests [21]. This acts as the second layer of defense. The graphical turing test is the most widely applied method for authentication with the purpose of identifying the bots from the legitimate user [22]. On identifying the normal user (not the bot), as the next step, the verifier node sequentially verifies the authentication of the user. This is considered to be the third layer of defense. These two steps act as a prevention strategy against DDoS attacks and are happening at the application layer. As the next layer of defense, the proposed verifier applies attack detection steps such as count based filtering and statistical based analysis. In count based filtering, the thresholds are employed to detect the attacks initiated towards the cloud. The method uses several parameters such as the number of request connections from the same source, number of request connections from various new different sources, hop counts and even more. This acts as the fourth layer of defense. In the
statistical based analysis, the ratio of incoming and outgoing packets and flow of packets are analysed to detect the initiated DDoS attacks. This is the fifth layer of defense. The verifier node is responsible for attack detection and is processed at the network layer. Apart from these steps, the verifier node is also an authority for updating the access control lists periodically which helps to improve the performance of the first layer of defense at the virtual firewall. On identifying the source IP address as the legitimate user, the virtual verifier node sends the packet towards the cloud server. At this point, the source IP address is updated in the white list and thus all the successive requests originating from this source IP address are forwarded by the firewall towards the cloud server for the requested service. If the IP address is not available on the white list, then it is verified at the blacklist. On seeing the match, the firewall will drop the packets and all the subsequent requests from the specific IP address are also dropped. If the IP address is not found in the white list or blacklist, the requests are forwarded to the verifier node. The verifier node checks whether the IP address is available on the suspicious list. If there is a match, it proceeds with further measures to verify the legitimate request. Once the request packets pass all the verification, it is then forwarded to the cloud for the requested service. On identifying the packet as a doubtful at any of the above measures, the IP address will be updated on the suspicious list along with the number of requests arrived from the particular host and the packets are dropped. If the count of the request reaches the particular threshold, then the source IP address is updated in the blacklist due to which all the successive requests originating from this source IP address will be dropped by the virtual firewall in the near future. The responsibilities of the verifier node are consolidated and are shown in Fig. 2.
4 DDOS
ATTACK
PREVENTION
4.1 Graphical Turing Test
The botnet is a set of connected devices mostly infected by the malware and is controlled as a group which is the biggest threat for the could environment. It is most widely used for attempting the distributed denial of service attacks. For preventing the bots from successful DDoS attacks, several preventive methods have been proposed in the literature [23].
Fig. 2. Responsibilities of the Virtual Verifier Node.
The methods can be grouped under five main categories such as challenge-response system [7], crypto puzzles [24], hiding
Virtual Verifier Node
Graphical Turing Test
Authentication Model
Count based Filtering
Statistical based
Updating Access Control Lists
Server
4506 the servers or resources [10], restricting the access [25] and
limiting the resources [26]. Owing to the advantages of simplicity and easy implementation, the challenge-response system has been used in the proposed work. However, one of the most common prevention strategies that are implemented in any network-based service is the graphic turing test and is particularly termed as CAPTCHA [27]. The graphic turing test includes test puzzles, graphical test and crypto-puzzles [28], [29] with an aim of detecting the bots by providing the challenges to the user that are illegible even for the intelligent machine and thus bots cannot produce the appropriate response. On verifying the source IP address of the user with the access control list, the firewall forwards the request to the verifier node. Upon receiving the request, the verifier node verifies the user by sending the image puzzle as a challenge to the requested system. On providing the correct response for the given challenge, the user will be allowed for the next level defense verification. On the other hand, even after the few trials, if the user failed the graphical test, the request packet will be dropped and the IP address will be added to the suspicious list and on reaching the given threshold, it is updated in the blacklist. In this work, testing strategy Image Completion with Anomaly Detection (AD-IMGCOP) suggested by the authors Saravanan et al., [7] is utilized in which the parts of the image and an anomaly part along with the blank boxes are given as a challenge to the user. The user has to identify the anomaly and drag and drop the parts in the respective boxes to make a complete image.
4.2 Authentication Model
Once the user is identified as a normal user and not the bot by employing the graphical turing test, the next step is to authenticate the user as a legitimate. In this authentication phase, the user is verified through their profile created at the time of registration. The authentication is made for the existing user and if the new user arrives, the login credentials such as user name, password, and other personal details along with their mobile number will be stored in the user_profile database. Additionally, information concerning the device and browser utilized by the user at the time of registration is stored in the device_profile database with the unique identifier of the user.
During the login phase, the user enters the username and password which is then compared with the one present in the user_profile table. If a match occurs, the device and the browser currently used by the user is then compared with one present in the device_profile. Again if a match occurs, a simple text puzzle created from the user profile will be given to the user. If the user passes the test, the request is moved to the next level or otherwise, the request will be blocked and the source IP address will be updated in the suspicious list. On the other hand, if the device and browser doesn‟t match with the one in the device_profile, then the One Time Password (OTP) will be sent to the user‟s registered mobile number (RMN). The user is then allowed to enter the OTP and if a match occurs, as discussed earlier, the text puzzle generated from the user profile will be given as the challenge. On the other hand, if the OTP entered by the user does not match with the one sent to the RMN, the request will be discarded and the source IP address will be added to the suspicious list and on
reaching the given threshold, it is updated in the blacklist. The process of user authentication is shown as the workflow diagram in Figure 3 for a better understanding.
Here the text puzzle can be generated commonly based on the mandatory details provided by the user at the time of registration. Some of the text puzzles that can be sent as a challenge for the user can be „Enter the last two digits of your pincode‟, „Enter the fourth digit of your pincode‟, „Enter your first and last number of your RMN‟ and so on. The questions can be framed in common based on the mandatory fields of the user profile. This method will consume less work as it eliminates the process of generating specific questions to the specific user. The flowchart for the user authentication phase is shown in Fig. 3.
5 DDOS
ATTACK
PREVENTION
5.1 Count based Filtering
Fig. 3. Flowchart of the User Authentication Process.
5.2 Statistical based Filtering
Several parameters are available in the literature for analysing the incoming and outgoing IP packets statistically [30]. The attacker uses several zombie systems to enable the attack on the particular system thereby consuming the system resources with an aim of denying the request send by the legitimate user. Most commonly, the adverts employ several flooding attacks based on UDP, ICMP and TCP packets. Thus by analysing the incoming and the outgoing packets, the DDoS flooding attacks can be detected and dropped. The parameters used for the proposed research are ratios of various protocols such as TCP, UDP and ICMP, the ratio of incoming and outgoing packets, and the entropy values of the protocols [19], [31]. The parameters and the formula to compute the values are presented below.
Ratio of Incoming and Outgoing Packets:
The ratio of incoming packets towards outgoing packets is found to be the most effective as the attackers generally engage with the more number of incoming packets than outgoing packets generated by the targeted system. The sudden increase in the ratio indicates the occurrence of attack packets. The formula to compute the ratio of incoming and outgoing packets is given (1).
∑
∑ Ratio of various Protocols:
Basically, the DDoS attack will be successful by utilizing the TCP (T), UDP (U) and ICMP (I) packets. The ratio of these
protocols specifies the hint about the existence of a DDoS attack. The formula to compute the ratio of various protocols shown in (2).
∑
∑ Here, i represents various protocols such as TCP, UDP and ICMP packets. The proportion depicts the presence of the attack.
Entropy of Protocol (Ep)
Not only the ratio of the protocols, but the entropy of protocols also provides a better result in detecting the DDoS attacks. In the case of normal traffic, the ratios of the various protocol packets are constant and thus the entropy will be a non-zero constant. However, in the case of an attack, the entropy values will be 0. The formula to compute the entropy values is shown (3).
∑ Here, i represents various protocols such as TCP, UDP and ICMP packets.
Based on the above statistical measures the proposed method works in an efficient way. The detailed architecture of the method is presented in Fig. 4.
Fig. 4. Detailed Architecture of the Proposed Model.
The cloud server contains several services and is represented as service 1, service 2, ..service n. The components present in the architecture are already explained.The process of a virtual firewall is represented as algorithm pseudocode in Fig. 5. Only fo the first time, the requests are verified using a virtual verifier node and for the subsequent requests, the packets are verified using a white list and blacklist.
Algorithm : Pseudocode for VF_Event
Input : IP address of Packet P, Whitelist w_list, Blacklist b_list Output: Decision about the Packet as Accept, Drop, Forward_VNN.
Start
New User?
OTP match occurs? Register No
Yes
No Authentication
Authenticated User?
Yes
Authenticated Device?
No
Yes
Send OTP to RMN
Yes Text Puzzle
Response
Fail
Accept the Request
Pass
Drop the Request
No
End
Virtual Firewall User
Black List White List Attacker
Cloud Server
Service 1
Service n
Virtual Verifier Node Graphical
Turing Test
AD-IMGCOP
Authentication
User Profile Device Profile
OTP to RMN Text Puzzle
Count based Filtering Same host
Request
Different host Request
SYN Flag Analysis
TTL Value Computation Statistical based Filtering
Incoming & Outgoing Profile
Protocol Proportions
Protocol Entropy
Su
sp
ic
io
u
s
Li
st
. .
4508 Algorithm VF_Event (P, w_list, b_list)
Begin
If IP address of Packet P is in Whitelist w_list then If IP address of Packet P is not in Blacklist b_list then
Accept the Packets and forward to Cloud for required service
Else
Forward the Packets to VNN for verification End If
Else
If IP address of Packet P is not in Blacklist b_list then Forward the Packets to VNN for verification Else
Drop the Packets End If
End
End Function
Fig. 5. Algorithm Pseudocode for Virtual Firewall.
On the other hand, if the packets are considered to be suspicious, the verifier node verifies the packets using various models and finally, the suspicious packets are added to the suspicious list which is moved to blacklist later and the legitimate requests are forwarded to the cloud. The cloud server sends the requested service to the user through a firewall. The algorithm pseudocode for the verifier node is shown in Fig. 6.
Algorithm : Pseudocode for VNN_Event
Input : IP address of Packet P, Whitelist w_list, Blacklist b_list, Suspiciouslist s_list, user_profile (up) table, device_profile (dp) table, Threshold values for same source request (t_ssr), different source request (t_dsr), SYN falg ON (t_fsyn)
Output: Decision about the Packet as Accept, Drop, Forward_VNN, Upadation of Access Control Lists.
Algorithm VNN_Event (P, w_list, b_list, s_list) Begin
//Graphical Turing Test Block
If (P is in both b_list and w_list) or (P is not in both b_list and w_list) then
Send AD_IMGCOP based Graphical Turing Test If (test result = pass) then
Move to Authentication Block Else
Add to s_list with counter Drop the Packet P //Authentication Block
If (new_user) then Register the user details Else
If ((UID, PWD) = user_profile(UID, PWD)) then If ((DID, BID) = device_profile (DID, BID)) then If (response(test_puzzle) = up(stored_values)) then Move to Count based Filtering Block
Else Drop the packets and add in s_list with counter Else generate the OTP and send it to the RMN If (user_OTP = Generated_OTP) then
If (response(test_puzzle)=up(stored_values)) then Move to Count based Filtering Block Else Drop packets and add in s_list with counter Else Drop packets and add in s_list with counter
Else drop the packets and s_list with counter // Count based Filtering Block
Compute TTL, number of same source request ss_request, number of different source request
ds_request, number of packets with SYN flag ON f_syn If Computed TTL = TTL value in IP2HC then
If ss_request < t_ssr then If ds_request < t_dsr then If f_syn < t_fsyn then
Move to Statistical based Filtering Block Else Drop packets and add in s_list with counter Else Drop the packets and add in s_list with counter Else Drop the packets and add in s_list with counter Else Drop the packets and add in s_list with counter // Statistical based Filtering Block
Compute ratio of input and output packets rin,out as in (1),
ratio of protocols TCP, UDP, ICMP
rtcp, rudp, ricmp as in Eq. (2) and Entropy E as in Eq. (3).
If rin,out <100 then
If deviation in the proportion rtcp : rudp : ricmp is low then
If Entropy E >0 then
Accept the packets and forward to Cloud for requested service
Add the packets in w_list
Else Drop the packets and add in s_list with counter Else Drop the packets and add in s_list with counter Else Drop the packets and add in s_list with counter If the counter for the IP address in s_list = 3 then Move the records in s_list to Blacklist b_list End
End Function
Fig. 6. Algorithm Pseudocode for Virtual Verifier Node.
6 EXPERIMENTAL
AND
RESULT
ANALYSIS
particular point of time [33]. The threshold can be computed for each time window say one minute. The threshold value for the number of requests from the same host t_ssr can be computed as the one third of the total limit of the request which can be depicted as (B/N+1)/3. On the other hand, the threshold value for the number of new requests from the different hosts t_dsr can be computed as the two third of the total limit of the request which can be depicted as 2(B/N+1)/3. The threshold value for the number of requests with SYN set as ON can be computed as one half of the total limit of the request which can be depicted as (B/N+1)/2.The performance of the model has been analysed using various measures such as detection rate, false negative rate, and dropout rate. The performance of the proposed model is compared with several methods existing in literature such as pushback [15], distance based [17], C2DF [18] and DDoS Detection [6] and the results have been examined. The analysis has been carried out by varying the number of DDoS attacks detected towards the deployed cloud server. The detection rate and false negative rate for the various number of DDoS attacks for the existing methods and the proposed model have been compared. The values are presented in Table 1.
TABLE1
PERFORMANCE COMPARISON ON VARIOUS MODELS
#
a
tt
a
c
k
s Pushback
Distance
based C2DF
DDoS Detection
Proposed Model
#
A
D
DR FN
R
#
A
D
DR FN
R
#
A
D
DR FN
R
#
A
D
DR FN
R
#
A
D
DR FN
R
10 6 0.60 0.40 7 0.70 0.30 8 0.80 0.2
0 9 0.90 0.10 9 0.90 0.10 20 14 0.70 0.30 16 0.80 0.20 17 0.85 0.1
5 19 0.95 0.05 19 0.95 0.05 30 20 0.67 0.33 25 0.83 0.17 26 0.87 0.1
3 28 0.93 0.07 29 0.97 0.03 40 29 0.73 0.28 34 0.85 0.15 35 0.88 0.13 37 0.93 0.08 37 0.93 0.08
50 39 0.78 0.22 42 0.84 0.16 44 0.88 0.1
2 45 0.90 0.10 46 0.92 0.08 60 45 0.75 0.25 48 0.80 0.20 52 0.87 0.1
3 53 0.88 0.12 54 0.90 0.10 70 52 0.74 0.26 57 0.81 0.19 61 0.87 0.1
3 62 0.89 0.11 63 0.90 0.10 80 61 0.76 0.24 68 0.85 0.15 65 0.81 0.1
9 71 0.89 0.11 73 0.91 0.09 90 71 0.79 0.21 71 0.79 0.21 74 0.82 0.1
8 79 0.88 0.12 80 0.89 0.11 100 65 0.65 0.35 75 0.75 0.25 83 0.83 0.1
7 86 0.86 0.14 88 0.88 0.12 Avg. 0.72 0.28 0.80 0.20 0.80 0.1
5 0.90 0.10 0.91 0.09 Table 1 presents the number of attacks, number of attacks detected (AD), detection rate (DR) and false negative rate (FNR) for all the methods. The number of attacks given as an input for the deployed model is varied from10 to 100 for which the number of attacks detected, detection rate and false negative rate are presented for all the proposed and existing methods in Table 1. From the analysis, the pushback method has an average detection rate of 72%, distance based method has an average detection rate of 80%, C2DF has an average detection rate of 80%, DDoS detection model has an average detection rate of 90% and the proposed model has an average detection rate of 91%. Thus, the proposed method has a better
detection rate than the other existing methods. The values of detection rate and false negative rate presented in Table 1 are presented as a graph in Fig. 7 and Fig. 8.
Fig. 7. Algorithm Pseudocode for Virtual Verifier Node.
Fig. 8. Algorithm Pseudocode for Virtual Verifier Node.
Additionally, the dropout rate for the proposed and existing systems are compared by varying the number of requests. The dropout rate is the ratio of the number of packets dropped towards the total number of packets. The comparative analysis of the dropout rate by varying the number of attacks from 50 to 500 is shown in Table 2. Table 2 represents the number of attacks along with a number of attacks dropped out (AD) and dropout rate (DoR) for the proposed and the existing methods. The values presented in Table 2 is presented as graph in Fig. 9.
TABLE2
PERFORMANCE COMPARISON ON VARIOUS MODELS
# Attacks
Pushback Distance
based C2DF
DDoS
Detection Proposed
#
A
D
D
oR
#
A
D
D
oR
#
A
D
D
oR
#
A
D
D
oR
#
A
D
D
oR
50 27 0.54 17 0.34 9 0.18 3 0.06 3 0.06 100 49 0.49 29 0.29 15 0.15 8 0.08 6 0.06 150 75 0.50 61 0.41 26 0.17 17 0.11 15 0.10 200 89 0.45 59 0.30 35 0.18 19 0.10 16 0.08
0.00 0.20 0.40 0.60 0.80 1.00
10 20 30 40 50 60 70 80 90 100
No. of Attacks
Pushback Distance based C2DF DDoS Detection Proposed
0.00 0.10 0.20 0.30 0.40 0.50
10 20 30 40 50 60 70 80 90 100
No. of Attacks
4510 250 103 0.41 76 0.30 35 0.14 21 0.08 18 0.07
300 129 0.43 94 0.31 48 0.16 29 0.10 25 0.08 350 143 0.41 105 0.30 65 0.19 33 0.09 29 0.08 400 166 0.42 137 0.34 90 0.23 51 0.13 33 0.08 450 199 0.44 149 0.33 101 0.22 51 0.11 39 0.09 500 229 0.46 191 0.38 159 0.32 51 0.10 45 0.09
Avg 0.45 0.33 0.19 0.10 0.08
Fig. 9. Comparison of Dropout Rate.
From the experimental analysis, it is found that the average dropout rate for the pushback method is 45%, for distance based method is 33%, for C2DF method the value is 19%, for DDoS Detection method the value is 10% whereas for the proposed model the average dropout value is 8% which is minimum than other methods. It is clear from the comparison that the proposed method has less dropout value than the existing methods. From the results obtained, it is clear that the model produces better results than many of the existing algorithms used for the analysis. The method delivers a robust multi-model based anti-DDoS mitigation framework that employs various models such as graphical turing test, authentication, count based filtering and statistical based filtering in verifying the packets. Also, the overhead of verifying the packets is highly reduced as the verification takes place only for the first time when the packets originate from the particular host, however for the successive requests, the packets are verified using the access control lists such as the white list and blacklist. For providing a resilient defense layer, the information about the doubtful packets is initially stored in the suspicious list. After a few analyses, the information about the packets is moved to the white and blacklists.
7 CONCLUSION
Securing the cloud from various threats and vulnerabilities is the major concern for cloud providers. Distributed denial of service attack is the most common vulnerability as it makes the resources unavailable to legitimate users. Multi-model based anti-DDOS framework has been proposed to prevent and detect the high rate DDoS attacks in the cloud environment. The analysis of results obtained for the experimental analysis made from the simulation of a network shows that the proposed method provides better performance in preventing and detecting the attacks. The method provides
a strong mitigation framework as it uses several models in verifying the packets. Additionally, the information about the doubtful packets is initially stored in the suspicious list and later it is moved to the white and blacklists. Also, the overhead of verifying the packets is highly reduced as the verification takes place only for the first time and for the successive requests, the details are verified with the access list. The future work focuses on providing an enhanced solution for detecting the low rate DDoS attacks which is a challenge among cloud environments.
REFERENCES
[1] W. Alosaimi, M. Zak, and K. Al-Begain, “Denial of service attacks mitigation in the cloud,” Proc. IEEE Conference on Next Generation Mobile Applications, Services and Technologies, pp. 47-53, 2015.
[2] D. Zissis, and D. Lekkas, “Addressing cloud computing security issues,” Future Generation Computer Systems, vol. 28, no. 3, pp. 583-592, 2012.
[3] S. Mansfield-Devine, “The growth and evolution of DDoS,” Network Security, vol. 2015, issue. 10, pp. 13-20, 2015.
[4] L. Zhou, M. Liao, C. Yuan, and H. Zhang, “Low-rate DDoS attack detection using expectation of packet size,” Security and Communication Networks, vol. 2017, pp. 1-14, 2017.
[5] K.S. Sahoo, M. Tiwary, and B. Sahoo, “Detection of high rate DDoS attack from flash events using information metrics in software defined networks,” Proc. IEEE Conference on Communication Systems & Networks, pp. 421-424, 2018. [6] A. Saravanan, S. Sathya Bama, S. Kadry, and L.K. Ramasamy,
“A new framework to alleviate DDoS vulnerabilities in cloud computing,” International Journal of Electrical and Computer Engineering, vol. 9, no. 5, pp. 4163-4175, 2019.
[7] A. Saravanan, M.S. Irfan Ahmed, and S. Sathya Bama, “Mitigation Framework against DDoS Attacks in Cloud Server,” Web Proc. of the ICT Innovations conference on Cognitive Functions and Next Generation ICT Systems, pp. 33-42, 2016. [8] A. Saravanan and S. Sathya Bama, S, “Early Detection of
DDoS Attack on Cloud Environment using Queuing Model,” Proc. of Conference published in International Journal of Recent Technology and Engineering, vol. 7, issue 6, pp. 1624-1631, 2019.
[9] B. Saini, and G. Somani, “Index page based EDoS attacks in infrastructure cloud,” Proc. of the International Conference on Security in Computer Networks and Distributed Systems, Springer, Berlin, Heidelberg. vol. 420, pp. 382-395, 2014. [10]N. Jeyanthi, and P.C. Mogankumar, “A virtual firewall
mechanism using army nodes to protect cloud infrastructure from DDOS attacks,” Cybernetics and Information Technologies, vol. 14, no. 3, pp.71-85, 2014.
[11]I.B. Mopari, S.G. Pukale, and M.L. Dhore, “Detection and defense against DDoS attack with IP spoofing,” Proc. of the IEEE International Conference on Computing, Communication and Networking, pp. 1-5, 2008.
[12]F. Al-Haidari, M.H. Sqalli, and K. Salah, “Enhanced EDoS-shield for mitigating EDoS attacks originating from spoofed IP addresses,” Proc. of IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1167-1174, 2012.
[13]M.H. Sqalli, F. Al-Haidari, and K. Salah, K., “EDoS-shield-a two-steps mitigation technique against EDoS attacks in cloud computing,” Proc. of IEEE fourth International Conference on Utility and Cloud Computing, pp. 49-56, 2011.
0.00 0.10 0.20 0.30 0.40 0.50 0.60
50 100 150 200 250 300 350 400 450 500
No. of Attacks
[14]T. Karnwal, T. Sivakumar, and G. Aghila, “A comber approach to protect cloud computing against XML DDoS and HTTP DDoS attack, ” in Proc. of the IEEE Students' Conference on Electrical, Electronics and Computer Science, pp. 1-5, 2012.
[15]Y. Ioannidis, and S. Bellovin, “Implementing pushback: router-based defense against DDoS attacks,” in Proc. of the Network and Distributed System Security Symposium, pp. 1-12, 2002. [16]S.S Chapade, K.U. Pandey, and D.S. Bhade, “Securing cloud
servers against flooding based DDoS attacks,” in Proc. of IEEE International Conference on Communication Systems and Network Technologies, pp. 524-528, 2013.
[17]Y. You, “A Defense Framework for Flooding-based DDoS Attacks,” Canada, 2007, Available from : <https://pdfs.semanticscholar.org/>
[18]P. Shamsolmoali, M.A. Alam, and R. Biswas, “C₂DF: High Rate DDOS filtering method in Cloud Computing,” Computer Network and Information Security, pp. 43-50, 2014.
[19]S. Neeta, “Security Threats and Attacks on Cloud Computing Systems: An Empirical Study,” Ph.D Thesis, Noida International University, Greater Noida, Gautama Budh Nagar, Uttra Pradesh, 2015
[20]B. Zhou, J. Li, J. Wu, S. Guo, Y. Gu, and Z. Li, “Machine-Learning-Based Online Distributed Denial-of-Service Attack Detection Using Spark Streaming,” in Proc. of IEEE, International Conference on Communications, pp. 1-6, 2018 [21]W.G. Morein, A. Stavrou, D.L. Cook, A.D. Keromytis, V. Misra,
and D. Rubenstein, “Using graphic turing tests to counter automated DDoS attacks against web servers,” in Proc. of the 10th ACM conference on Computer and Communications Security, pp. 8-19, 2003.
[22]P. Du, and A. Nakao, “DDoS defense as a network service,” in IEEE Network Operations and Management Symposium-NOMS, pp. 894-897, 2010.
[23]G. Somani, M.S. Gaur, D. Sanghi, M. Conti, and R. Buyya, “DDoS attacks in cloud computing: Issues, taxonomy, and future directions”, Computer Communications, vol. 107, pp.30-48, 2017.
[24]W. Alosaimi, and K. Al-Begain, “A new method to mitigate the impacts of the economical denial of sustainability attacks against the cloud,” in Proc. of the 14th Annual Post Graduates Symposium on the convergence of Telecommunication, Networking and Broadcasting (PGNet), pp. 116-121, 2013. [25]Z.A. Baig, and F. Binbeshr, “Controlled virtual resource access to
mitigate economic denial of sustainability (EDoS) attacks against cloud infrastructures,” Proc. of IEEE International Conference on Cloud Computing and Big Data, pp. 346-353.
[26]G. Somani, A. Johri, M. Taneja, U. Pyne, M.S. Gaur, and D. Sanghi, “DARAC: DDoS mitigation using DDoS aware resource allocation in cloud,” Proc. of International Conference on Information Systems Security, Springer, Cham, pp. 263-282, 2015.
[27]D. Leggett, “CAPTCHAs tough on sales common way to test
user tolerance‟, 2009. Available:
http://www.uxbooth.com/articles/captchas-tough-on-sales-common-way-to-test-user-tolerance/.
[28]M. Mehra, M. Agarwal, R. Pawar, and D. Shah, “Mitigating denial of service attack using CAPTCHA mechanism,” in Proc. of the ACM International Conference & Workshop on Emerging Trends in Technology, pp. 284-287, 2011.
[29]S.B.E. Raj, D. Devassy, and J. Jagannivas, “A new architecture for the generation of picture based CAPTCHA,” In Proc. of IEEE 3rd International Conference on Electronics Computer Technology, vol. 6, pp. 67-71, 2011.
[30]M. Suresh, and R. Anitha, “Evaluating machine learning algorithms for detecting DDoS attacks,” International Conference on Network Security and Applications, Springer, Berlin, Heidelberg, pp. 441-452, 2011.
[31]T. Xu, D. He, and Y. Luo, “DDoS attack detection based on RLT features,” in Proc. of IEEE International Conference on Computational Intelligence and Security, pp. 697-701, 2007. [32]Stromsecurity, IT Security Research and Services, Application
Layer DDoS Simulator, 2010,
https://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos-simulator/
