International Journal On Engineering Technology and Sciences – IJETS™ ISSN (P): 2349-3968, ISSN (O): 2349-3976
Volume 1 Issue 7, November 2014
255
Moderate Denial-of-Service attack detection based on
Distance flow and Traceback Routing
Vinish Alikkal Student
Shree Venkateshwara Hi-Tech Engineering College
alikkalvinish@gmail.com
Dr.T.Senthil Prakash Head/Department of CSE Shree Venkateshwara Hi-Tech
Engineering College jtyesp@yahoo.co.in
D Yuvraj Assistant Professor Shree Venkateshwara Hi-Tech
Engineering College yuvrajbee@gmail.com
Abstract—Interconnected systems, such as web servers, database servers, cloud computing servers and so on, are now under threat from network attackers. As one of the most common and aggressive means, denial-of-service (DoS) attacks have a serious impact on these computing systems. In this paper, we present a DoS attack detection system that uses multivariate correlation analysis (MCA) for accurate network traffic characterization by extracting the geometrical correlations between network traffic features. Our MCA-based DoS attack detection system employs the principle of anomaly-based detection in attack recognition. In this base paper, the distributed denial-of-service attack is detected and resolved using a traceback routing algorithm and distance flow. Both the inbound and outbound traffic of the router is analyzed using the traceback algorithm.
Index Terms— Multivariate Correlation Analysis (MCA), DoS, Digital Attacker Map.
I. INTRODUCTION
Distributed Denial of Service (DDoS) attacks restrict the services of one or more users connected to the Internet. The attackers cumulatively try to affect the users' privileges too. In other words, DDoS is an attack which prevents legitimate users from using specified network resources such as web services, real-time services and cloud services. The DDoS attacks seen nowadays are flood attacks (UDP flood attack, ICMP flood attack), amplification attacks (Smurf attack) and resource depletion attacks (protocol exploit attacks, PUSH + ACK attack, malformed packet attacks). The Digital Attack Map shows the DDoS attacks happening daily around the world (Figure 1). For example, in a recent incident on September 14, 2014 in the Philippines, a site experienced a distributed denial-of-service (DDoS) attack, which forced the site's administrators to temporarily suspend services, and the legitimate users lost their access to their resources.
II. DDOS ATTACK ARCHITECTURE
The architecture characterizes the setup and installation technique of a DDoS attack and identifies both active and passive classes. In this section we describe the different classes of DDoS architectures: the Agent Handler model and the Internet Relay Chat based model.
A. Agent Handler Model
B. Internet Relay Chat Based Model (IRC Based)
The IRC-model-based attack architecture is similar to the Agent Handler model; the only difference is that instead of a handler program installed on a network server, an IRC (Internet Relay Chat) communication channel is used to connect the client to the agents. An attacker system is called a zombie, and a group of attacker systems is known as a zombie army. The attacked system is known as the victim. The attacker analyzes the network traffic and tries to break the security parameters via network components. The victim is completely analyzed by the attacker, which sends continuous relay messages to the server and denies the server's services to users.
Fig 1. Digital Attacker Map
III. RELATED WORKS
A. Anomaly-based network intrusion detection: Techniques, systems and challenges
Based on the PPM mechanism, Law et al. tried to trace back the attackers using the traffic rates of the packets targeted at the victim. The model bears a very strong assumption: the traffic pattern has to obey the Poisson distribution, which is not always true on the Internet. Moreover, it inherits the disadvantages of the PPM mechanism: a large number of marked packets is needed to reconstruct the attack diagram, processing is centralized on the victim, and it is easily fooled by attackers using packet pollution.
The deterministic packet marking (DPM) mechanism tries to mark the spare space of a packet with the information of the packet's initial router, e.g., its IP address. Therefore, the receiver can identify the source location of the packets once it has sufficient information from the marks. The major problem of DPM is that it involves modifications of the current routing software, and it may require a very large number of marks for packet reconstruction. Moreover, similar to PPM, the DPM mechanism cannot avoid pollution from attackers. Entropy rate, the growth rate of entropy as the length of a stochastic sequence increases, was employed to find the similarity between two flows in their entropy growth pattern, and relative entropy, an abstract distance between two probability mass distributions, was taken to measure the instantaneous difference between two flows.
B. Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack
In this paper, the system applies the idea of Multivariate Correlation Analysis (MCA) to network traffic characterization and employs the principle of anomaly-based detection in attack recognition. This makes the solution capable of detecting known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. Furthermore, a triangle-area technique is proposed to enhance and speed up the process of MCA. This method focuses on the ingress traffic to the internal network of the protected servers. Monitoring and analyzing at the destination network reduces the overhead of detecting malicious activities by concentrating only on relevant inbound traffic. This also enables the detector to provide protection which is the best fit for the targeted internal network, because the legitimate traffic profiles residing in the detectors are developed for a smaller number of network services.
a) Threats and attacks
Attacks can be based on system software or data. System software based attacks include:
Automated or user-initiated network-aware attacks (viruses, worms, Trojan horses, peer-to-peer) which target files and data, often causing loss of machine control, productivity and time.
Malicious system misuse which targets shared resources and protected data.
Unmonitored software installation – unknown, untested or unstable programs installed along with intended items that interfere with supported applications, leading to unreliable systems and loss of productivity; these attacks target data integrity, confidentiality and availability.
Data loss from any resource with electronic data storage.
b) A Sample Network with DDoS Attacks
In a DDoS attack scenario, as shown in Figure 1.3, the flows with the victim as destination include legitimate flows, such as f3, and a combination of attack flows and legitimate flows, such as f1 and f2. Compared with non-attack cases, the volumes of some flows increase significantly in a very short time period in DDoS attack cases. Observers at routers R1, R4, R5, and V will notice the dramatic changes; however, the routers that are not on the attack paths, such as R2 and R3, will not be able to sense the variations. Therefore, once the victim realizes an attack is ongoing, it can push back to the LANs which caused the changes, based on the information of flow entropy variations, and therefore identify the locations of the attackers.
Fig 3. Internet Relay Chat Based Model
IV. EXISTING SYSTEM
Basic features are generated from the ingress network traffic to the internal network where the protected servers reside, and are used to form traffic records for a well-defined time interval. Monitoring and analyzing at the destination network reduces the overhead of detecting malicious activities by concentrating only on relevant inbound traffic. This also enables the detector to provide protection which is the best fit for the targeted internal network, because the legitimate traffic profiles used by the detectors are developed for a smaller number of network services. The detailed process can be found.
Multivariate correlation analysis, in which the "triangle area map generation" module is applied to extract the correlations between two distinct features within each traffic record coming from the first step, or from the traffic record normalized by the "feature normalization" module in this step. The occurrence of network intrusions causes changes to these correlations, so the changes can be used as indicators to identify the intrusive activities. All the extracted correlations, namely the triangle areas stored in triangle area maps (TAMs), are then used to replace the original basic features or the normalized features to represent the traffic records. This provides more discriminative information to differentiate between legitimate and illegitimate traffic records. Finally, the anomaly-based detection mechanism is adopted in decision making. It facilitates the detection of any DoS attack without requiring any attack-relevant knowledge.
Available Existing Technologies are
a) END-HOST STORAGE, b) Probabilistic Packet Marking (PPM), c) ICMP traceback (iTrace), d) Hash-based IP Traceback, e) Deterministic Packet Marking (DPM).
a) END-HOST STORAGE
This scheme is based on the idea that routers mark packets that pass through them with their addresses or a part of their addresses. Packets for marking are selected at random with some fixed probability of being selected. As the victim gets the marked packets, it can reconstruct the full path, even though the IP address of the attacker is spoofed. This scheme is aimed primarily at DoS and DDoS attacks as it needs many attack packets to reconstruct the full path.
b) PROBABILISTIC PACKET MARKING (PPM)
In this scheme, assume that the path the packets take is R1-R2-R4-R9-R12. Each router implementing PPM accepts the stream of packets and, before routing them, probabilistically marks them with its partial address information (i.e., puts the router's partial address in the packet headers). Packets are marked with a marking probability p, which is suggested to be 0.04. When the victim receives enough such packets, it can reconstruct the addresses of all the PPM-enabled routers along the attack path. Clearly, in order to reconstruct the full path the flow must contain a large number of packets. To deploy the scheme, vendors need to implement two functions: marking and reconstruction. Once the marking function is available, the software on all routers must be upgraded.
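The marking and reconstruction functions described above, as an added simulation (not code from the paper): every router on the path R1-R2-R4-R9-R12 marks a packet with probability p = 0.04, overwriting any earlier mark, and the victim reconstructs the path from the mark counts. The traffic, the seed and the helper names are assumptions made for this example; the expected-packets estimate is the standard node-sampling bound ln(d) / (p (1 − p)^(d−1)) rather than anything the paper states.

```python
import math
import random
from collections import Counter
from typing import List


def ppm_simulate(path: List[str], n_packets: int, p: float = 0.04, seed: int = 7) -> Counter:
    """Node-sampling PPM. `path` lists the routers from the attacker side to the
    victim side (R1 -> ... -> R12). Each PPM router overwrites the packet's mark
    field with its own address with probability p, so the mark that reaches the
    victim is the one written by the last router that chose to mark.
    Returns the number of marks per router as seen by the victim.
    The packet stream is simulated (constructed), not captured traffic."""
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    marks: Counter = Counter()
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router            # a later router overwrites an earlier mark
        if mark is not None:
            marks[mark] += 1
    return marks


def expected_mark_fraction(distance_from_victim: int, p: float = 0.04) -> float:
    """Fraction of packets whose surviving mark belongs to the router
    `distance_from_victim` hops from the victim (1 = adjacent to it): that
    router must mark and every router after it must leave the mark alone."""
    return p * (1 - p) ** (distance_from_victim - 1)


def ppm_reconstruct(marks: Counter) -> List[str]:
    """Victim side. A mark survives only if no downstream router overwrites it,
    so routers nearer the victim are seen more often; sorting by descending
    count orders the path from the victim back towards the attack source."""
    return [router for router, _ in marks.most_common()]


def packets_needed(path_len: int, p: float = 0.04) -> int:
    """Expected packets before every router on a path of `path_len` hops has
    marked at least once (node-sampling bound ln(d) / (p (1-p)^(d-1)))."""
    rarest = p * (1 - p) ** (path_len - 1)
    return math.ceil(math.log(path_len) / rarest)


if __name__ == "__main__":
    path = ["R1", "R2", "R4", "R9", "R12"]       # the paper's example path
    seen = ppm_simulate(path, 500_000)
    print("marks per router:", dict(seen))
    print("reconstructed (victim outward):", ppm_reconstruct(seen))
    print("expected packets to see every hop once:", packets_needed(len(path)))
```

Seeing each router once takes only a few dozen packets at p = 0.04, but ordering the hops reliably by count takes hundreds of thousands, because adjacent hops differ in mark frequency by only a factor of 1 − p. With roughly 81% of packets arriving unmarked, the scheme is only usable against high-volume flows, which is the point the section makes.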
c) ICMP traceback (iTrace)
ICMP traceback takes a different approach to determining the full path of the attack. Every router on the network is configured to pick a packet statistically (1 in every 20,000 packets is recommended) and generate an ICMP traceback message, or iTrace, directed to the same destination as the selected packet. The iTrace message itself consists of the next-hop and previous-hop information and a time stamp. As many bytes of the traced packet as possible are also copied into the payload of the iTrace. The Time To Live (TTL) field is set to 255 and is then used to identify the actual path of the attack. The routers on the path generate a new packet carrying the iTrace message; this is unlike PPM, where the traceback information was completely in-band. Assuming the victim is under DDoS attack, and therefore the volume of packets going to it is large, the victim will eventually get the addresses of all the routers on the attack path that implement iTrace. Using the TTL fields, these addresses can be sorted to reconstruct the attack path.
d) HASH-BASED IP TRACEBACK
The scheme is officially called Source Path Isolation Engine (SPIE). In hash-based traceback, every router captures partial packet information for every packet that passes through it, to be able to determine in the future whether that packet passed through it. In this scheme such routers are called data generation agents (DGAs); DGA functionality is implemented on the routers. The network is logically divided into regions. In every region, SPIE Collection And Reduction agents (SCARs) connect to all DGAs and are able to query them for the necessary information. The SPIE Traceback Manager (STM) is a central management unit that communicates with the IDSs of the victims and with the SCARs, as seen in Figure 5. As packets traverse the network, digests of the packets are stored in the DGAs. In this scheme, the constant fields of the IP header and the first 8 bytes of the payload of each packet are hashed by several hash functions to produce several digests.
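An added example of the DGA's digest store (not SPIE's own code): it masks the IPv4 header fields that change hop by hop, hashes the invariant fields plus the first 8 payload bytes with several salted hash functions, and records them in a Bloom-filter digest table, so that the same packet observed one hop later (TTL decremented, checksum recomputed) still answers "seen". The addresses, payload and table size are constructed for the example.

```python
import hashlib
import ipaddress
import struct
from typing import Iterator

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, ToS, total len, id, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header; a valid header sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int,
                      ident: int = 0x1234, proto: int = 6) -> bytes:
    """Construct a plain 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def canonical_header(ip_header: bytes) -> bytes:
    """Keep only the header fields that stay constant along the path."""
    h = bytearray(ip_header[:20])
    h[1] = 0                  # ToS/DSCP may be rewritten by intermediate routers
    h[8] = 0                  # TTL is decremented at every hop
    h[10:12] = b"\x00\x00"    # the header checksum changes whenever the TTL does
    return bytes(h)


def packet_digest(ip_header: bytes, payload: bytes, salt: bytes = b"") -> bytes:
    """Digest over the invariant header fields and the first 8 payload bytes."""
    return hashlib.sha256(salt + canonical_header(ip_header) + payload[:8]).digest()


class DigestTable:
    """A DGA's memory for one time interval: a Bloom filter fed by k salted digests."""

    def __init__(self, nbits: int = 4096, k: int = 3) -> None:
        self.bits = bytearray(nbits // 8)
        self.nbits = nbits
        self.k = k

    def _positions(self, ip_header: bytes, payload: bytes) -> Iterator[int]:
        for i in range(self.k):           # salt i plays the role of the i-th hash function
            d = packet_digest(ip_header, payload, salt=bytes([i]))
            yield int.from_bytes(d[:4], "big") % self.nbits

    def record(self, ip_header: bytes, payload: bytes) -> None:
        for pos in self._positions(ip_header, payload):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def may_have_seen(self, ip_header: bytes, payload: bytes) -> bool:
        """True if the packet may have traversed this router; False is definitive."""
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(ip_header, payload))


# Constructed sample: one request seen at two consecutive hops (TTL 64, then 63).
PAYLOAD = b"GET /index.html HTTP/1.1\r\n"
HOP_A = build_ipv4_header("10.0.0.5", "192.0.2.10", ttl=64, payload_len=len(PAYLOAD))
HOP_B = build_ipv4_header("10.0.0.5", "192.0.2.10", ttl=63, payload_len=len(PAYLOAD))

if __name__ == "__main__":
    table = DigestTable()
    table.record(HOP_A, PAYLOAD)
    print("same packet one hop later recognised:", table.may_have_seen(HOP_B, PAYLOAD))
```

A query from the SCAR can only return "may have passed" or "did not pass": the filter has no false negatives, and its false-positive rate is set by the table size and the number of packets stored per interval, which is why a real DGA pages tables out on a timer rather than keeping one filter forever.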
e) DETERMINISTIC PACKET MARKING (DPM).
The DPM method requires all the Internet routers to be updated for packet marking. The DPM mechanism poses an extraordinary challenge on storage for packet logging at routers. DPM requires an update of the existing routing software, which is extremely hard to achieve on the Internet. DPM tries to mark the spare space of a packet with the information of the packet's initial router; therefore, the receiver can identify the source location of the packets once it has sufficient information from the marks. The major problem of DPM is that it involves modification of the current routing software, and it may require a large number of marks for packet reconstruction.
V. PROPOSED SYSTEM
The proposed detection system has detected attacks in routers and ,then on and the proposed trace back algorithm calculates information distances based on difference of their local traffic and the forward traffic from their immediate upstream routers, and will find that there are no attacks in LAN and LAN and ; therefore, on routers and the proposed algorithm calculates continually information distances based on variations of their local traffic and the forward traffic from their immediate upstream routers, then can find there is an attack (zombie) in LAN so the router will stop forwarding the traffic from the zombie immediately.
Once the DoS attack has been identified, the following push-back process is initiated to identify the locations of the attack: the victim first identifies which of its upstream routers are in the attack tree, based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from based on the local entropy variations they have monitored. Once the immediate upstream routers have identified the attack flows, they forward the requests to their own immediate upstream routers, respectively, to identify the attacker sources further; this procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied.
A. IDENTIFYING AND TRACING DDoS ATTACK
a) IP TRACEBACK ALGORITHM FOR DDoS
Step 1: Initialize a set Auto = Ø and obtain the local parameters C and δ.
Step 2: Let Ustream = {u_i}, i ∈ I, be the set of upstream routers, Dest = {d_i}, i ∈ I, be the set of destinations of the packets, and V be the victim.
Step 3: Define the attack flows f_i = <u_j, v>, where i = 1, 2, 3, ..., n and u_j ∈ Ustream.
Step 4: Sort the attack flows in descending order, obtaining f_1n, ..., f_13, f_12, f_11.
Step 5: for i = 1 to n
  begin
    Calculate H(F \ f_i1)
    if (|H(f) − C| > δ) then append the upstream router responsible for f_11 to the set Auto
    else break
    end if
  end for
Step 6: Submit all the traceback requests to the routers in the set Ustream and deliver the zombie information from the set Auto to the victim.
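The push-back procedure of Section V and the traceback algorithm above, as an added worked example (not the paper's code): each router learns C as the entropy of its flows in an attack-free interval, removes flows in descending order of volume while the remaining traffic still deviates from C by more than δ, and records the upstream router of each removed flow; the victim then repeats the request at every router it implicated until it reaches a LAN with no traceback module. Step 5 is ambiguous about which set the test |H − C| > δ is applied to; this example tests the flows that remain after the previous removals, which is an assumption. The topology (V with upstream u1..u10, u1 with a1..a10, u2 with b1..b10), the packet counts and δ = 0.5 are all constructed.

```python
import math
from typing import Dict, List, Optional

Flows = Dict[str, int]   # upstream router or LAN id -> packets of its flow <u_j, v> in the interval

# Constructed baseline: ten upstream links carrying roughly even load (not the paper's data).
BASELINE_PATTERN = [100, 110, 90, 120, 100, 95, 105, 115, 85, 100]


def make_flows(prefix: str, inflated: Optional[Dict[int, int]] = None) -> Flows:
    """Flow table prefix1..prefix10 from the baseline pattern; positions listed in
    `inflated` (the zombies' flows) get the given volume instead."""
    flows = {f"{prefix}{i + 1}": c for i, c in enumerate(BASELINE_PATTERN)}
    for idx, count in (inflated or {}).items():
        flows[f"{prefix}{idx + 1}"] = count
    return flows


def entropy(flows: Flows) -> float:
    """Shannon entropy H (bits) of the packet-count distribution over the flows."""
    total = sum(flows.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in flows.values() if c > 0)


def learn_profile(baseline: Flows) -> float:
    """C: the router's normal entropy, learned from an attack-free interval."""
    return entropy(baseline)


def local_traceback(current: Flows, C: float, delta: float) -> List[str]:
    """One router's run of Steps 1-5. Returns the set Auto in order of detection."""
    auto: List[str] = []                      # Step 1: Auto = empty set
    remaining = dict(current)
    # Step 4: candidate flows in descending order of volume
    for router, _ in sorted(current.items(), key=lambda kv: kv[1], reverse=True):
        # Step 5 (as read here): while what remains is still anomalous, the largest
        # remaining flow is attributed to the attack; remove it and note its router.
        if abs(entropy(remaining) - C) > delta:
            auto.append(router)
            del remaining[router]
        else:
            break                             # discrimination limit reached
    return auto


def push_back(router: str, topology: Dict[str, Dict[str, Flows]], delta: float) -> List[str]:
    """Step 6 and the push-back: forward traceback requests upstream until the
    implicated link is a LAN (no entry in the topology), where the zombie sits."""
    node = topology[router]
    C = learn_profile(node["baseline"])
    zombies: List[str] = []
    for upstream in local_traceback(node["current"], C, delta):
        if upstream in topology:
            zombies.extend(push_back(upstream, topology, delta))
        else:
            zombies.append(upstream)
    return zombies


# Constructed topology: V <- u1..u10; u1 <- a1..a10; u2 <- b1..b10. Zombies sit in LANs a3 and b7,
# so u1 and u2 forward inflated flows to V while the other links keep their baseline volume.
TOPOLOGY = {
    "V":  {"baseline": make_flows("u"), "current": make_flows("u", {0: 4000, 1: 3000})},
    "u1": {"baseline": make_flows("a"), "current": make_flows("a", {2: 3100})},
    "u2": {"baseline": make_flows("b"), "current": make_flows("b", {6: 2100})},
}
DELTA = 0.5   # local parameter δ (assumed); see the note below on how it must be chosen

if __name__ == "__main__":
    C_v = learn_profile(TOPOLOGY["V"]["baseline"])
    print("C at victim:", round(C_v, 3), "H now:", round(entropy(TOPOLOGY["V"]["current"]), 3))
    print("routers implicated at V:", local_traceback(TOPOLOGY["V"]["current"], C_v, DELTA))
    print("zombie locations:", push_back("V", TOPOLOGY, DELTA))
```

One caveat the algorithm leaves to the operator: removing flows lowers the entropy even when the remaining traffic is perfectly normal (ten even flows have about 3.32 bits, eight have about 3.0), so δ must be large enough to absorb that drop or the router keeps implicating legitimate upstream links after the real attack flows are gone. With the constructed numbers the remaining deviation after the two attack flows are removed is about 0.32 bits, below δ = 0.5, and the push-back stops at exactly the two LANs hosting the zombies.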
The IP traceback algorithm is installed at routers. It is initiated by the victim, and at the upstream routers it is triggered by the IP traceback requests from the victim or from the downstream routers which are on the attack path. The proposed algorithms are independent of the current routing software and can work as independent modules at routers. As a result, we do not need to change the current routing software. The traceback manager audits the entire predefined signature against the arrived one in the following manner.
The attacker sends the illegal information via the peer networks; it reaches the master systems, and the master systems send continuous packets to the target machine in order to gain an unauthorized effect. The master devices, also called red spots, are located at different places or in different countries. When the attacker wants to attack a station, the request is sent to the different masters located in the different countries, which then send the red-alert messages to the target machine, and finally the station becomes vulnerable.
The different signature records come from the different master stations at the same time or at different times. The traceback detection system keeps an inbuilt protection system whose main components are the signature matching engine (traceback manager), the attack signature database, the mining engine and the signature generator. The signature generator keeps the normal profile records of signatures, which are checked against the incoming signature records; if a signature mismatches, the blocking module identifies the faulty signature and blocks the current stations. Both the inbound and outbound traffic are considered; the proxy messages received from zombies are used to restrict DDoS attacks, and feedback is then provided to the server located in the detection system.
VI. CONCLUSION
In this paper, we proposed an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. Here the packet marking strategy is avoided, because it suffers from a number of drawbacks. This paper employs storing the information of flow entropy variations at routers. Once the DDoS attack has been identified, it performs the push-back tracing procedure. The traceback algorithm first identifies the upstream router where the attack flows come from and then submits the traceback request to the related upstream router. This procedure continues until the most distant zombies are identified. In my existing case we used a static value to determine the entropy rate; in my proposed strategy we use a dynamic value to determine the entropy rate, which is based upon the packet size of the client's behavior.
Fig 6. Framework for the DoS attack Detection System
ACKNOWLEDGMENT
I am using this opportunity to express my gratitude to everyone who supported me throughout the course of this MBA project. I am thankful for their aspiring guidance, invaluably constructive criticism and friendly advice during the project work. I am sincerely grateful to them for sharing their truthful and illuminating views on a number of issues related to the project.
I express my warm thanks to the Head of Department Dr. T. Senthil Prakash sir, and Prakadeswaran sir for their support and guidance. I express my gratitude to my project guide D Yuvraj sir and all the people who provided me with the required facilities and conducive conditions for my project.
REFERENCES
[1] C.F. Tsai and C.Y. Lin, "A Triangle Area Based Nearest Neighbors Approach to Intrusion Detection," Pattern Recognition, vol. 43, pp. 222-229, 2010.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges," Computers and Security, vol. 28, pp. 18-28, 2009.
[3] D.E. Denning, "An Intrusion-Detection Model," IEEE Trans. Software Eng., vol. TSE-13, no. 2, pp. 222-232, Feb. 1987.
[4] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient," IEEE Trans. Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073-1080, June 2012.
[5] S. Jin, D.S. Yeung, and X. Wang, "Network Intrusion Detection in Covariance Feature Space," Pattern Recognition, vol. 40, pp. 2185-2197, 2007.
[6] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient," IEEE Trans. Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073-1080, June 2012.
[7] A.A. Cardenas, J.S. Baras, and V. Ramezani, "Distributed Change Detection for Worms, DDoS and Other Network Attacks," Proc. Am. Control Conf., vol. 2, pp. 1008-1013, 2004.
[8] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, "DDoS Attack Detection Method Using Cluster Analysis," Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, 2008.
Mr. Vinish Alikkal received the B.Tech degree from Calicut University at Govt. Engineering College, Palakkad, Kerala, India, in 2004-2008, worked as a Lecturer at MEA Engineering College from 2009 to 2013, and is pursuing the ME (CSE) at Shree Venkateswara Hi-Tech Engineering College, Erode, Tamil Nadu, India, in 2013-2015. His research interests are network security, databases, cloud computing and artificial intelligence. He participated in a national workshop on computational intelligence and in a national workshop on Android application development.