An Integrated Honeypot Framework for Proactive Detection, Characterization and Redirection of DDoS Attacks at ISP level

Transcription

1 Jourl of Iformto Assurce Securty 1 (28) 1-15 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks t ISP level Ajl Sr R. C. Josh 1 1 I Isttute of Techology Roorkee, Roorkee, Uttrkh, , I jlsec@tr.eret., rcjosfec@tr.eret. Abstrct: Dstrbute Del of Servce (DDoS) ttcks c effect the stey fuctog of y etwork, posg severe securty thret. Cocetrte sgle source DDoS ttcks cosume huge resources lke bwth very smll urto hve rect mpct t ISP level, thus mkg them esly etectble. I cotrst, lute low rte DDoS ttcks le to grceful egrto of etwork over loger urto hece re mostly uetectble. The outcome of bove ttcks s tht legtmte users re ee servce. Though rry of schemes hve bee propose for the etecto of the presece of DDoS ttcks, chrcterzg of the flows s orml flow or mlcous oe, mtgtg the effects of the ttcks oce they hve bee etecte, there s stll erth of complete frmeworks tht ecompss multple stges the process of efese gst DDoS ttcks. I ths pper, we propose ovel hoeypot frmework tht proctvely etects the presece of ttck, chrcterzes the TCP flows s ttck or legtmte, mtgtes the fluece of the ttck by rerectg ttck flows to hoeypots. The etecto hs bee cheve by ovtve etropy bse scheme. Our etecto mechsm pts tself ccorg to vrto ttck los rel tme clbrtes the system to operte oe of the ïve, orml or best efese moes. The strem flows re chrcterze o the bss of etropy vlue moe of operto movg tme wow. Durg mtgto, ttck flows re rerecte to utoomc ymc hoeypots preset the sme etwork s ctve FTP servers. A ymc hoeypot ege (DHE) hoeypot cotroller (HC) moule hs bee moele to geerte jucous mxture of hoeypot ctve FTP servers from pool of servers epeg o rel tme etwork cotos t ISP level. Gooput, me tme betwee flure verge respose tme hve bee evlute for ïve, orml best efese moe of operto. We vlte the effectveess of the pproch wth smultos crre out t fferet ttck stregths s-2 o Lux pltform. We lso report our expermetl results for etecto over KDD 99 tset. Results show tht our propose frmework gves rstc mprovemet terms of verge respose tme goo put. It meets the chlleges of most of the exstg solutos to DDoS wth ts blty to proctvely etect vrble rte ttck rel tme wth mmum flse lrms mmum collterl mge. The propose scheme hs the potetl to mt stble etwork fuctolty eve the presece of ttcks. It c be fe tue ccorg to the ymclly chgg etwork cotos t ISP level. Keywors: Dstrbute Del of Servce (DDoS), Dymc Hoeypot Frmework, Detecto, Chrcterzto, Mtgto, ISP Dom. 1. Itroucto The Iteret (orglly kow s ARPANET) ws crete to prove ope etwork for reserchers [1]. Ufortutely, wth the growth of the Iteret, the ttcks to the Iteret hve lso crese crebly fst. The wespre ee blty to coect mches cross hs cuse the etwork to be more vulerble to trusos hs fcltte brek-s of vrety of types. Accorg to [1], mere 171 vulerbltes were reporte 1995 whch boome to 864 the yer of 26. Aprt from these, lrge umber of vulerbltes go ureporte ech yer. A Del of Servce (DoS) ttck s commoly chrcterze s evet whch legtmte user or orgzto s eprve of cert servces, lke e-ml or etwork coectvty, tht they woul ormlly expect to hve. DoS ttcks [2,3] ject mlcously-esge pckets to the etwork to eplete some or ll of these resources. The ttck power of Dstrbute DoS (DDoS) ttck [4] s bse o the mssve umber of ttck sources ste of the vulerbltes of oe prtculr protocol. DDoS ttcks, whch m t overwhelmg trget server wth mmese volume of useless trffc from strbute coorte ttck sources, re mjor thret to the stblty of the Iteret. I my cses whe suste hgh bwth ttck reches servers t s ot possble to cot the ttck t borer gtewy s the offeg pckets hve lrey cosume the fte bwth vlble o the coecto to the ISP[5][6]. I ths cse, hvg goo reltoshp cler commucto chels wth ISP re essetl. Hgh bwth ttcks hve rect mpct o the ISP s etwork. Dlute low rte ttcks re crtcl compoet rem uetecte utl the etwork fuctolty becomes ustble thus trgetg QoS. However, sce ISP etwork re closer to the source of the ttck they re better posto to flter the offeg trffc. The umber ssortmet of both the ttcks s well s the efese mechsms s mostrous. Though rry of schemes hs bee propose for the etecto of the presece of these ttcks, chrcterzg of the flows s orml flow or mlcous oe, etfyg the sources of the ttcks mtgtg the effects of the ttcks oce they hve bee Receve Jury 7, $3.5 Dymc Publshers, Ic.

2 2 Sr Josh etecte, there s stll erth of complete frmeworks tht ecompss multple stges of the process of efese gst DDoS ttcks. I ths pper, we propose tegrte hoeypot frmework for efese gst vrble rte DDoS ttcks t ISP level. By tegrte, we me, the frmework wll prove for the followg ctvtes efese gst DDoS ttcks: 1. Rel tme etecto of vrble rte DDoS ttck t ISP level. 2. Accurte chrcterzto of the flows s ttck or legtmte flows t POP, 3. Effcet mtgto of the effect of ttck usg utoomc ymc hoeypot rerecto. Hoeypots [7], [8] proctve etecto mechsm, re mches tht re ot suppose to receve y legtmte trffc, thus, y trffc este to hoeypot s most probbly ogog ttck c be lyze to revel vulerbltes trgete by ttckers. The etropc etecto mechsm couple wth presece of hoeypots mkes the etecto strog proctve. Autoomc ymc hoeypots hve bee use the frmework to strct ttckers from rel trgets wth the etwork, to mtgte the effect of ogog ttcks o ctve servers collect t for reserch to ttcker tools, methos, motvtos for foresc lyss. The rest of the pper s orgze s follows. Secto 2 gves bref overvew of some of the exstg techques to fcltte etecto, chrcterzto mtgto of DDoS ttcks log wth some of ther lmttos. Secto 3 gves gst of our propose tegrte frmework. Our etecto scheme s chrte Secto 4, wheres Sectos 5 6 expl etl our chrcterzto scheme ts vtges. Secto 7 escrbes the utoomc ymc hoeypot rerecto. Secto 8 gves the expermetl esg whch s clusve of the smulto testbe the obte results. Secto 9 presets the vtges of our frmework. We coclue our work prove poters to possble future work Secto. 2. Relte Work Ths secto chrts out the fferet work oe the res of etecto, chrcterzto mtgto of the effect of DDoS ttcks trcg bck the sources of the ttck. 2.1 Detecto Chrcterzto A comm o l y u se et ect o p pr och s eth er sgture-bse or omly-bse. Sgture-bse pproch spects the pssg trffc serches for mtches gst lrey-kow mlcous ptters. I prctce, severl sgture-bse etecto systems hve bee evelope eploye t frewlls or proxy servers, such s Bro [9] Sort []. By cotrst, omly bse etecto system observes the orml etwork behvor wtches for y vergece from the orml profle. Most of DoS etecto systems re omly bse [11]-[15]. However, ther orml trffc moels re mly bse o flow rtes. Due to the versty of user behvors the emergece of ew etwork pplctos, t s ffcult to obt geerl robust moel for escrbg the orml trffc behvors. As result, legtmte trffc c be clssfe s ttck trffc (flse postve) ttcker trffc s clssfe s legtmte (flse egtve). To mmze the flse postve/egtve rte, lrger umber of prmeters re use to prove more ccurte orml profles. However, wth the crese of the umber of prmeters, the computtol overhe to etect ttck creses. Ths becomes bottleeck, especlly for volume-orete DDoS ttcks tht wll be ggrvte by the computtol overhe of the etecto scheme. I [16], [17] bse o estto ress, ttck ggregte re fou the fltere usg pushbck techque. However ths cse, collterl mge s more s legtmte trffc tht ggregte s lso roppe. I [18] rom projecto techque hs bee use to reuce the mesos followe by SVM lgorthm tht efe threshols etect trusos. Though schemes [11]-[15], use volume bse metrcs to etect chrcterze DDoS ttcks hve bee successful soltg lrge trffc chges (such s bwth floog ttcks), but slow rte, sotropc ttcks c ot be etecte chrcterze becuse these ttcks o ot cuse etectble sruptos trffc volume. These suffer the form lrge umber of flse postves/egtves hece more collterl mge whe ttck s crre t slow rte or whe volume per ttck flow s ot so hgh s compre to legtmte flows. 2.2 Mtgto I orer to mmze the loss cuse by DoS ttcks, recto scheme must be employe whe the ttck s uerwy. Most solutos to the DDoS ttcks try to evelop pcket flter tht c stgush legtmte pckets from llegtmte oes hece rop llegtmte pckets oly [19]. The D-WARD efese system [6] s eploye t source-e etworks, utoomously etects stops ttcks orgtg from these etworks. We eploymet of D-WARD wll motvte servce-level ttcks, o whch we focuse ths pper. I [2], Bohcek hs suggeste mtgtg pproch tht reles o routers flterg eough pckets so tht the server s ot overwhelme whle esurg tht s lttle flterg s possble s performe. He hs propose soluto where pckets shoul be fltere t routers through whch the ttck pckets re pssg. But, t s rectve mtgto techque tht lso hs the rwbck tht legtmte trffc pckets my lso be roppe e route to the estto. I the Pushbck frmework [21], oce router suffers from suste cogesto, t tres to etect flow ggregtes tht re cotrbutg the most to cogesto. The cogeste router rte-lmts the etecte flow ggregte(s) ses the ggregte sgture (e.g., estto ress) to up strem routers, whch pply rte-lmtg to the ggregte recursvely push the rte-lmtg upstrem towr ttck sources. Pushbck requres cotguous eploymet; to overcome ths lmtto, Selectve Pushbck [22] proposes to se rte-lmtg requests to routers seg trffc wth

3 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 3 hgher th orml rtes. The etecto of these routers the proflg of orml trffc re performe v ehce probblstc pcket mrkg scheme. I [23], Kltr et l. hve propose proctve metho for mtgto of the effects of DDoS ttcks where ech router mts prtto of ctve TCP flows to ggregtes. Ech ggregte s probe to estmte the proporto of ttck trffc tht t cots. Pckets belogg to ggregtes tht cot sgfct mouts of ttck trffc my be subject to ggressve rop polces to prevet ttck t the tee vctm. Ag, ths cse too, legtmte pckets fce the rsk of beg roppe. Also, proper efto of ggregtes s crtcl prt of the pproch. Moreover, ggregtes hve to be efe vce of the ttck so tht ther respose mesuremets re tke to orml (o-ttck) trffc orer to be compre lter o wth mesuremets uer ttck, f y. IP hoppg [24] protects publc server, whose clets use DNS to look up ts IP ress. I IP hoppg, the server chges ts IP ress wthout chgg ts physcl locto. All pckets este to the ol IP ress re fltere t the etwork permeter by frewll. However, s physcl locto s ot chge, physcl coectos re ot broke sttes of ttcke systems rem ucle. TCP-Mgrte [25] Mgrtory-TCP [26], whch prove frmework for movg oe e pot of lve TCP coecto from oe locto recrtg t t other locto hvg fferet IP ress /or fferet port umber, re use for moblty support fult, or ttck, tolerce. Mutble Servces [27] s frmework to llow for rectvely reloctg servce frot-es formg oly pre-regstere clets of the ew locto through secure DNS-lke servce. Sherf et. l. [28], propose the proctve server romg mechsm, whch s secure lghtweght mechsm to proctvely chge the locto of the ctve server wth server pool. Legtmte clets keep trck of romg tmes locto of the romg server usg lght-weght, oe-wy hsh fuctos. However, the scheme curre overhe tht cuse performce egrto both the bsece of ttcks uer low ttck los. It s observe tht most of the mtgto techques prctce toy, suffer from the followg rwbcks: 1. They re rectve ture. 2. They eploy pcket roppg polces t the routers where eve legtmte pckets fce the rsk of beg roppe. 3. I cses lke [23], the topology of the etwork ees to be kow vce. The mtgto techque use the frmework propose ths pper oes wy wth ll these rwbcks s we shll see Secto Propose Soluto I ths secto, we shll scuss gret epth the vrous fcets of our propose frmework for efese gst DDoS ttcks. The propose frmework proves for proctve mtgto gst the effects of DDoS ttck s escrbe ext. All the flows rrvg t the Pot of Presece (POP) of ISP este to the server to be protecte from DDoS ttck re tgge s ether legtmte or ttck. Wheever pcket belogg to suspcous flow rrves t the POP, ste of seg tht pcket to the ctve FTP server or roppg t, t s rerecte to hoeypot server. Ths proves proctve pproch to mtgto gst the ttck becuse the FTP server s solte from ttck trffc bwth of the lks wth FTP server wll ot be exhuste by the volumous ttck trffc. A flow lst s geerte t the POP by smplg the strem trffc movg tme wow. It represets ctul ymcs of the pckets of the flow to whch they belog. These wll be subject to etecto followe by ctegorzto test escrbe ext. Durg etecto, we emostrte the utlty of more sophstcte tretmet of DDoS omles, s evets tht lter the strbuto of trffc fetures. For cocetrte s well s lute ttcks, trffc strbutos hve pprecble evto from orml to prove sgs of DDoS ttck. The chrcterzto of ttck trffc s oe by motorg the flow lst t the POP movg tme wow the choosg suspcous flows. For etecto chrcterzto, etropy [29] (scusse etl secto 4) wll be use s the prt of ths frmework. The etropy techque oes wy wth the svtges of the prevous methos bse o ggregtes[16], [17] volume bse metrcs [11]-[14] s t s ptble to vryg etwork cotos hece proves ccurte proctve etecto of vrble ttcks. Moreover, o hrwre mplemetto s [3] s requre. The propose frmework proves proper respose mechsm plce. Whe the ttckers get through, the etwork rects respos to the stuto tellgetly. Hoeypot/FTP server Clet/Attcker POP Cocetrte Attck Legtmte Trffc Dlute Attck ISP Dom ISP Dom To get better uerstg of the propose moel, Fgure 1. Topology to llustrte the propose soluto coser smple topology show Fgure 1. The topology cosere s smlr to the oe use trtolly to epct typcl clet-server scero the Iteret. The clets (ttck legtmte) se ther FTP requests to the server. The rrows the fgure cte the presece of vrble P

4 4 Sr Josh rte ttcks comg from clet om. The set of routers (R) t POP (cte by P) e route from the clets to the server proctvely geerte flow lst movg tme wow cotg formto bout ech rrvg flow the umber of pckets belogg to tht flow. The flow lst goes uer etropc test for ttck etecto thus the flows re chrcterze s ttck or legtmte. If flow s chrcterze s legtmte flow, oly the wll the routers belogg to set P be structe to forwr the pckets to the romly selecte ctve FTP servers. If flow s chrcterze s ttck flow, the the flow s rerecte to oe of the romly selecte hoeypots. Coectos wth the llegtmte flows re rete by hoeypots. Hoeypots respo cote mer to the ttcker s request before roppg them. They log formto bout the ttck flows ether for fxe tme tervl equl to the tme wow for chrcterzto (or multple thereof) or tll the expry of curret eo ( vrble tme urto, scusse lter), whchever less. If the flow to hoeypot s retgge s legtmte subsequet tme wows, t s rerecte to ctve FTP server hece mmzg the collterl mge the effect of flse postves. I the ymc etwork evromet wth vrtos clet ttck lo presece of sophstcte ttcks, etecto mtgto process fe tue themselves rel tme. The prmeters lke tolerce fctor of the etwork, umber loctos of servers hoeypots re vre to mmze umber of flse lrms prove stble etwork fuctolty. Chrcterzto mtgto work o two fferet tme scles. The etls of the etecto utoomc ymc hoeypots re gve the sectos to follow. 4. Sttstcl Etropy Bse Detecto 4.1 Etropy bref Our hypothess to etect chrcterze ttcks trets DDoS omles s evets tht sturb the strbuto of trffc fetures. For exmple, DoS ttck, regrless of ts volume, wll cuse the strbuto of estto ress to be cocetrte o the vctm ress. As propose by Sr et l [29], we use etropy to cpture the egree of spersl or cocetrto of strbuto. The smple etropy H (X ) s N = ( ) H ( X ) = p log ( p (1) where 1 2 ) p = S. The vlue of smple etropy les the / rge log 2 N. The metrc tkes o the vlue whe the strbuto s mxmlly cocetrte,.e., ll observtos re the sme. Smple etropy tkes o the vlue log 2 N whe the strbuto s mxmlly sperse,.e. = = 4.2 Detecto of Attck Coser rom process { X ( t), t = j, j N}, where costt tme tervl s clle tme wow, N s the set of postve tegers, for ech t, X ( t) s rom vrble. Here X (t) represets the umber of pcket rrvls for flow { t, t}. X (t) It s fou our smulto wthout ttck tht Etropy H (X ) vlue vres wth very rrow lmts fter slow strt phse s over. Ths vrto becomes rrower f we crese.e. motorg pero. We tke verge of H (X ) esgte tht s orml Etropy H (X ). To etect the ttck, the etropy H c ( X ) s clculte shorter tme wow cotuously, wheever there s pprecble evto from H (X ), ttck s s to be etecte. We ssume tht the system s uer ttck t tme t, whch mes tht ll ttckg sources strt emttg pckets from ths tme: the etwork s orml stte for tme t < t turs to ttcke stte tme t. Let t eote our estmte o t. At tme t followg evet trggers ( H ( X ) > ( H ( X ) + )) c ( H ( X ) < ( H c ( X ) )) ttck = true; Here I where I s set of tegers s evto threshol. Tolerce fctor s esg prmeter s bsolute mxmum evto Etropy H (X ) from verge vlue H ( X ) whle proflg for etwork wthout ttck. I [29] t ws observe tht s fucto of clet ttck lo ( s regulte by etecto rte flse postve rte). However, ymc etwork cotos, the esg prmeter lso epes o system clet requremets. I lter sectos we wll show tht system c be me uto resposve to ttcks f verge respose tme, me tme betwee flure gooput lso regulte the vlue of. 5. Attck Flow Chrcterzto t Pot of Presece Oce the ttck s luche t POP P s, we hve ggregte of ttck flows orml flows. Let F represet set of ctve flows. The F F F ( F F = φ) (3) = Where Frepreset ctul orml flows F s set of ctul ttck flows. Our m tsk ths moule s to f F * = { f1, f 2,... f m} F (4) the set of m mlcous flows. Ielly, * * ( F F = F ) AND( F F = φ) (5) Now the m problem s to f m:- s for lute low rte ttcks, m umber of lest * mesure pcket rrvl flows costtute F. for cocetrte hgh rte ttcks, m umber * of hghest mesure pcket rrvl flows form F. To swer these questos f we c f Φ, the expecte totl ttck trffc the from followg equto, we c f m F. m j= 1 X ( t + ) Φ j * (2) (6)

5 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 5 Where s esgte flow, j vryg from 1 to m for lest or hghest mesure pcket rrvls, X ( + ) represet pcket rrvls for flow ext t tme wow fter ttck s etecte. The expecte vlue Φ, s clculte s Φ = Φ t Φ, where Φ t s the totl trffc receve { t, t } Φ s verge totl trffc tll from the tme bottleeck lk t utlzto s 1. The set of ctve flows F lso referre to s Flow Lst (FL) secto 7 s upte t the begg of ech tme wow by tggg ech flow s ttck or legtmte 6. Flse Postves Flse Negtves Flse postves gve the effectveess of the system wheres flse egtves gve mesure of the system relblty. Vrtos tolerce fctor hs bee use to qutfy flse postves flse egtves [29] whch ssst mkg ecsos o optml vlue of etropc threshols. Our propose etecto scheme works oe of the three moes, mely best, orml ïve efese. The moe of operto s chose ccorg to ttck stregth by vryg so s to mmze flse postves flse egtves. I cse of best efese show fgure 2, the orml etropy bwth urg ttck etecto s chose to be very smll. The choce s me to reuce the flse egtves to mmum, s zero el cse. Fgure lso shows the operto of orml ve efese moe. Nïve efese hs the lowest etecto sestvty level hece t hs lowest flse postve rte. Oce s ece, optmum etropc threshols re utomtclly upte to clbrte the system. Decso of optmum vlue of uer vryg etwork cotos becomes fucto of relte output prmeters s scusse secto 8.2. Nve Best Norml Etropy Rge Fgure 2. Best, Norml Nve Defese 7. The Rerecto Scheme 7.1 Autoomous Dymc Hoeypots Our pproch for ymc hoeypot geerto s respose to flows etfe s legtmte ttcks flow lst (FL). Gve server pool, we propose utomtc geerto of pproprte umber of ctve servers to servce the legtmte requests equte umber of hoeypots to solte the ttcks t the sme tme. A hoeypot cotroller (HC) hs bee moele t the pot of presece where ymc hoeypot ege (DHE) tkes s put the flow lst (FL) mte urg etecto chrcterzto process geertes jucous mxture of ctve servers hoeypots from the server pool. Hoeypot Cotroller (HC) moule performs three fuctos. Frst, t keeps trck of FL stte of flow. Seco, epeg o the ttck lo clet lo, DHE trggers the geerto of pproprte umber of servers hoeypots coortes ther tmgs locto. Thr, the ttck legtmte trffc s rerecte ccorgly by vrtos the ymc fel lke estto ress. The cotroller estblshes ecte coecto justs routg formto so tht the ttck trffc s forwre to the romly selecte hoeypot for tercto. All t from ths tercto s logge t remote tbse locte se DMZ for lter lyss. A hgher-level resposblty of the hoeypot cotroller s to mge prortze the selecto of server set. 7.2 Servce Moel Our etwork cossts of pool of N homogeous servers server pool wth P ctve FTP servers (N-P) hoeypot servers. Ech estto the etwork shoul be ble to behve ccorg to whether the correspog oe ctg s ctve server or hoeypot. Thus the servces hve bee replcte o ll servers. We use FTP whch s TCP bse servce tht c be replcte. We cll the urto for whch ech oe cts s hoeypot or ctve server s eo. A FTP coecto rems lve utl ether the legtmte FTP request s fulflle completely or the tg of the flow the FL chges t the strt of ext tme wow or f the umber locto of servers hoeypots chge (eo expres) before the request s fulflle. A llegtmte FTP request s recte to hoeypot whch rets the coecto respos to ttcker cote mer for fxe tme tervl equl to the tme wow of chrcterzto or tll the curret eo termtes, whchever s less. If the flow s retgge s ttck before termto of curret eo, the the coecto wth hoeypot s rete. I cse of flse postve, the coecto s mgrte bck to ctve FTP server subsequet chrcterzto tme wow. 7.3 Implemetto Detls Autoomous Dymc Hoeypot bse rerecto volves followg steps Decg the umber of hoeypots servers Let N S N H represet the umber of servers hoeypots respectvely. Our m s to f out the optmum vlues of N S N H epeg upo the etwork lo. We efe legvec such tht legvec = N S +N H. We efe rry vector [] of sze legvec whose elemets re the form of orere pr set of estto IP ress port umber of the hoeypot or the server.e. vector[] = {est IP, port}.we further efe two rrys subvecns [] subvecnh [] whose elemets re ces of the rry vector [] tht correspo to estto IP ress port umber of servers hoeypots respectvely such tht followg hols true: (legvec= (Legth(subvecNS) + Legth( subvecnh)) AND (subvecns I subvecnh) = φ (7)

6 6 Sr Josh Fgure 3. Steps t Hoeypot cotroller ege moule to compute N S N H Let CL AL represet clet ttck lo. N fl N f re umber of legtmte ttck flows DR/Legflow DR/Attflow represet t rte per legtmte ttck flow respectvely. Fgure 3 shows the steps t DHE t hoeypot cotroller moule to compute N S N H. Tble 1 s use for mppg CL AL to optmum combto of servers hoeypots, N S N H respectvely. Attck Lo Tble 1. Mppg lo to hoeypots servers Clet Number of Number of Lo Hoeypots Servers Low Low Low 2 moerte - low Low Moerte Low 2 moerte - low Low Hgh Low 2 moerte - low Moerte Low Moerte Moerte - low Moerte Moerte Moerte Moerte Moerte Hgh (Moerte - low ; Moerte) (Moerte; Moerte + low) Hgh Low 2 moerte - low Low Hgh Moerte (moerte; (moerte - low; moerte + low) Moerte) Hgh Hgh Moerte Moerte Decg the locto of servers hoeypots Hvg etfe the umber of servers hoeypots, ext we utlze bckwr hsh ch [28] to clculte the loctos cheve romg whch s heret utoomous ymc hoeypots. The scheme buls o coecto mgrto mechsms proves secure frmework for ssug the romg trgger proctvely. N S ctve servers cotuously chge ther locto wth pool of legvec homogeous servers to proctvely efe gst DDoS ttcks. Servce tme s ve to eos; t the e of ech eo, CL AL s mppe to N S N H usg tble 1 the servce mgrtes from oe set of servers to other the server pool. A log hsh ch s geerte usg oe wy hsh fucto H(. ), use bckwr fsho smlr to Py-Wor scheme [31]. The lst key the ch, K, s romly geerte ech key, K (<<), the ch s compute s H(K +1 ) s use to clculte both the legth, R, of servce eo E, set of curret ctve servers F urg E.. Let S represet the set of exes of the vector[] rry. Also let P NS (S) represet orere set of ll possble subsets of S wth crlty N S. The crlty of P NS (S) s N P = (N S!/(legvec! * (N S legvec)!)), where legvec s the umber of servers vector[]. The for ech servce eo E, the set of curret ctve servers s P NS (S)[MSB lg NP H (K )], where H (. ) s oe wy hsh fucto MSB x (y) re the x most sgfct bts of y. The legth R, of the servce epoch E s uformly strbute the tervl [u, m+u] secos s follows: R = u + MSB m (H (K ), where m represets the curret thret level. Hece, the vlue of the system prmeter m s chge ptvely epeg upo N S N H. Vlue of m s versely proportol to the thret level,.e. t s rectly proportol to N S versely proportol to N H s erve from tble 2. The vlue u represets lower bou o the le tme of server shoul be log eough to lyze ttcks. HCE keeps ccout of N S, legvec, u, vector[], m P NS (S) s romg uptes. N H Tble 2. Mppg N S N H to m N S Mo- Mo+ Low Mo Hgh Low Low Low Mo Low Mo Mo + Low Hgh The rerecto lgorthm The rerecto lgorthm performs the per-flow tretmet of ech flow the Flow Lst (FL) tme wow t POP. The pseuo coe s s follows: HoeypotCotrollerPerFlow (FL) For flow FL If (Tg = ttck) Prse the prmry pcket serch source estto ress (F DA F SA) P DA = F DA N DA = P DA A: If (N DA = Destto ress of hoeypot) Forwr the pcket to N DA Else Replce N DA by estto ress of hoeypot Forwr the pcket to N DA If (More Frgmet = ) Goto S Else Prse ext heer of the flow for P DA N DA = P DA If (Tg = ttck) Goto A Else

7 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 7 Goto B Else Prse the prmry pcket serch source estto ress (F DA F SA) P DA = F DA N DA = P DA B: If (N DA = Destto ress of ctve FTP server) Forwr the pcket to N DA Else Replce N DA by estto ress of server Forwr the pcket to N DA If (More Frgmet = ) Goto S Else prse ext heer of the flow for P DA N DA = P DA If (Tg = ttck) Goto A Else Goto B S: Stop 7.4 Mthemtcl moel At y ctve ftp server oe, the rrvg trffc s the ggregte of severl legtmte possbly of some ttck flows, where l = (l1, l2,..., lj,...,l(n fl )) =(1, 2,...,, (N f )). Our set FL cots l. The totl trffc rte λ rrvg to oe s compose of two prts: λ =, +, (2) λ λ whereλ, s the legtmte comg trffc rte whch belogs to orml flow, λ, s the rrvl rte of ttck pckets belogg to flow. Some ttck trffc my be mstkely tke to be orml trffc whle some orml trffc wll be mstkely thought to be ttck trffc. Ay trffc chrcterze s ttck s rerecte t oe of the romly selecte hoeypot servers. Thus, frcto f, of orml trffc (the probblty of flse lrms) mjor frcto of ttck trffc, (the probblty of correct etecto) wll be rerecte to hoeypot s t rrves to the hoeypot cotroller. If the oe s ttck etecto mechsm were perfect we woul hve f, =, = 1. However, chrcterzto mechsm s such tht probblty of flse egtve s.e. prctclly, = 1. However there my be some flse postves, so 1>f, >. Oce pcket s mtte to hoeypot cotroller, t s queue the forwre bse o ts selecte estto ress. We moel ech oe by sgle server queue wth servce tme s represetg both the tme t tkes to process the pcket the oe the ctul trsmsso tme. The trffc testy prmeter t ctve FTP servers s ρ: ρ = s (, (1 f, ) +, (1, )), (3) I I, where for oe, s the rrvg trffc rte of orml flow, I, s the rrvg trffc rte of DDoS flow. To evlute the effectveess of our scheme, we mesure the gooput t ech oe. Ths estblshes the effectveess of our DDoS protecto scheme, lso of how successful or usuccessful the DDoS ttck hs bee. The gooput G() t ech oe s: G( ) =, (1 L)( 1 f, ) (4) I I where L s the buffer overflow probblty or probblty of pckets lost t server oe. Durg rerecto, el stuto t hoeypot s escrbe by equltes, f, =,=1 Tble 3 gves the prctcl stuto t oe. Tble 3. Mppg lo to hoeypots servers Best Defese Nïve Defese Actve server ((1-,)=) ; (1-f,) ((1-f,)=1); (1-,) Hoeypot,=1; f,>,<1; f,= 8. Expermetl Desg 8.1 Smulto Topology The e systems or hosts (users PCs, PDAs, web Servers, ml servers etc) Iteret coect to ech other through tere herrchy of Iteret Servce Provers (ISPs). Wth ISP s etwork, the pots t whch the ISP coect to other ISPs (whether below, bove, or t the sme level the herrchy) re kow s pots of presece (POPs). The tercoecto of POPs of ISP through hgh bwth lks s clle ISP bckboe. I ISP s etwork POP s ctully group of coecte core ccess routers to whch core routers of the sme or other ISPs (prvte/publc peer or NAT) ISP s ow customers servers re coecte respectvely. Wheever two ISP re rectly coecte to ech other, they re s to be peer wth ech other. Though, complexty of POP s coectg router wll vry epeg upo whether other ISP router (ormlly core) or ow customer om (ormlly ccess) s ttche. For smulto purpose, we use ISP level etwork wth four coopertve ISP oms (1, 2, 3, 4) where ech om hs POPs represete by sgle oe ech s show fgure 4. Oe customer om s ttche to ech POP whch cossts of legtmte ttckg hosts. Two POPs every ISP re ttche to other ISPS. ISP om 4 hs tol POP for coectg to our protecte server. Our m ths pper s to etect DDoS ttck ISP om 4. Fgure 4. Smulto Topology We hve represete trst om routers s POPs of the ISP stub oms s customer oms ttche to

8 8 Sr Josh POPs s show fgure 4. Hoeypot servers the protecte FTP servers vry umber fter ech eo. The POP lk to server bwth for hoeypot server s kept sme s FTP server so tht t exctly mttes the FTP server. Followg tble 4 gves topology geertor prmeters. Tble 4. Topology Geertor Prmeters S.No. Prmeter Vlue 1. ISP oms 4 2. No. of trst routers 12 (1 more ISP 4 for coectg servers) 3. Ege probblty Number of stub oms / ISP 5. Number of hosts / stub om 6. Bckboe lk bwths 2.5GhZ 7. Bckboe lk elys secos There re four ISP oms wth two peers ech.e. two other ISP oms re rectly ttche t POPs. Tble 5 proves the bsc prmeters set for smulto. Tble 5. Bsc prmeters of smulto S.No. Prmeter Vlue 1. Smulto Tme 6 secos 2.. Number of legl sources / ISP om Totl 4*=4 3. No. of ttckers 1-25 / ISP om. Totl= 1-4. Access bwth for legtmte 1Mbps customers 5. Bottleeck Bwth 3Mbps 6. Me ttcker rte.1-1.mbps(low rte) Mbps(hgh rte) 7.. Attck urto 2-5 secos We vre ttck rtes s gve S.No.6 compute etropy gooput. All the legtmte TCP coectos re ot tte t the sme tme s SYN bcklog s lso lmte sze s show S.No.3 below. Tble 6. Trffc Prmeters S.No Prmeter Vlue 1. Trffc rrvl process t Posso legtmte clets 2. Trffc geertor t ttckers (me ttck rte gve Tble Attck tools vlble t 2, S.No.6 3. Coecto strtup tme Rom 1-8secos 4. Pcket Sze 4bytes Tble 7. Attck etecto prmeters S.No. Prmeter Vlue 1. Wow Sze.2 secos 2. Tolerce fctor for etropy 3- evto orml rge of etropy s clculte by usg frequecy strbuto of umber of pckets per flow ID (SourceIP, SourcePort, DesttoIP, DesttoPort) tme wows of.2 secos. Smulto s lso crre by tkg loger wow of 1. seco. Devtos re stll lesser s expecte however verge s lmost sme. It s fou tht etropy vlue lso les smll rge of to , wheres ths vres epeg upo etwork evromet type of pplcto.the verge s , str evto s.12, mxmum bsolute evto from verge s.3393.flze smulto prmeters re:- Norml Etropy Vlue ( H (X ) ): Mxmum bsolute evto from verge ( ): (b) Detecto of ttck Whe our etwork s put uer lute low rte ttck, frst tme wow fter ttck s luche t 2 secos, there s jump etropy vlue. The postve jump persstet hgh vlue s compre to orml reflects tht t s lute low rte ttck the flows whch re cusg ths omly hve comprtvely lesser frequecy th lrey exstg oes. I cse of cocetrte hgh rte ttcks, etropy vlue tes to be lower th orml. I our smulto usg totl ttck stregth of 3Mbps wth ttckers, the etropy rops ow to 7.1. However tlly t c rse but wth proper justmet of wow strt tme, the sme c lso be lumpe. I ths cse, the flows whch hve comprtvely hgher shre of pckets re resos of omly. Smlr tres exst for hgh rte ttcks t fferet ttck stregths wth vrto oly evto from orml vlue. Zhg et l[32] show the performce of etectg ttcks t fxe threshol of sestvty. If the threshol s set too low, the the flse lrm rte wll be low, but etecto rte wll be low, too. Smlrly, threshol set too hgh my e up etectg most trusos, but suffer from hgh flse lrm rte. Hece the threshol shoul mtch the ymcs of the etwork. Fgure 5 shows the ROC curves for KDD 99 tsets usg our propose scheme wth vryg tolerce fctor uer 1%, 2%, 5% % ttcks. The re uer ROC curve the fgure shows tht performce creses upto 17% cse of % ttcks. Smultos re crre t fferet vlues of tolerce fctor for fferet ttck stregths. 8.2 Results Dscusso Detecto Chrcterzto () Threshol settg We coucte smulto expermets for fg out threshol for etropy uer orml coto s per smulto prmeters gve prevous secto. The Detecto Rte (%) % Attck ; = 2 % Attck ; = % Attck ; =5 % Attck ; = Flse Alrm Rte (%) Fgure 5. ROC Curve: Our propose scheme

9 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 9 Hece, proper choce of tolerce fctor etermes the optmum etropc threshols urg etecto to clbrte the system. Vlue of whe reuce urg hgh ttck lo gves better ROC performce, self clbrtg the system. From s-2 smultos, we clculte the etropc threshols by vryg the vlues of s tbulte below: Tble 8. Etropc threshols wth vryg tolerce fctor Prmeter Lower Bou Upper Bou We efe three moes of operto, mely ïve, orml best tht tke the vlues of s show tble 9. Tble 9. Mppg to moe of operto Moe of Operto Vlue of Nïve Defese 8,9, Norml Defese 6,7 Best Defese 3,4, Hoeypot Bse Rerecto Gooput, me tme betwee flure verge respose tme hve bee use s prmeters to evlute the three moes of operto uer fferet ttck stregths etwork lo. Gooput gves the mesure of effectveess of the system, me tme betwee flures gves system relblty verge respose tme gves mesure of the effcecy of propose frmework. () Gooput Gooput (Percetge Improvemet) Best Norml Nïve Low Moerte Hgh Low Moerte Hgh Low Moerte Hgh Low Low Low Moerte Moerte Moerte Hgh Hgh Hgh Attck Lo; Clet Lo Fgure 6. Percetge mprovemet gooput wth vryg etwork lo uer ïve, orml best efese Fgure 6 shows percetge mprovemet gooput uer three moes of operto. I cse of low clet lo, best, orml ïve efese schemes gve equl mprovemet of 3% gooput s compre o efese rrespectve of the ttck lo. The three moes of operto gve mxmum gooput whch s lmost equl to el gooput gooput wth o DDoS. Vlue of N S trggere by DHE s such tht there re equte umbers of ctve FTP servers to fulfll ll legtmte requests t low clet lo. I cse of moerte clet lo, ïve efese gves better performce s compre to best efese. A mprovemet gooput up to 42% hs bee reporte eve the presece of hgh ttck lo. Ths s so becuse vlue of N S trggere s eough to fulfll legtmte requests. Becuse of lmte umber of flse postves ïve efese, most of the legtmte flows rech the ctve servers rectly th v hoeypot s cse of best efese Best efese cuses more pcket loss collterl mge. For moerte clet prtculr vlue of ttck, sy moerte ttck, best efese gves lower gooput th ïve efese. I cse of ïve efese, the etropy rge creses. Hece, rte of flse postves reuce whch mples tht umber of legtmte clets beg etecte s ttckers reuce. The umber of legtmte clets beg set rectly to ctve FTP servers (ste of beg etecte s ttcks best efese recte to hoeypots) crese. Hece the gooput creses. I cse of hgh clet lo, up to 81% mprovemet gooput s reporte cse of best efese, s compre to o efese. Gooput bsece of ttck s slghtly lesser th el gooput ue to loss of pckets cuse by buffer overflow smulteous presece of my legtmte requests flockg ctve FTP servers. For hgh clet lo prtculr vlue of ttck lo, best efese gves hgher gooput mprovemet th ïve efese. Ths behvor s exctly opposte to tht of moerte clet lo c be exple s follows. As the clet lo s hgh, smller etropy rge of best efese ses smller selecte set of legtmte clet lo to lmte ctve FTP servers to be processe effcetly wthout loss. However, cse of ïve efese, hgher etropy rge llows more umber of clet requests to be set to ctve FTP servers log wth crese flse egtves. It creses the processg lo o lmte vlble ctve FTP servers cusg pckets to rop losses thus reucg gooput. Wth hgh clet lo prtculr scheme, sy ïve, crese ttck lo ecreses the gooput slghtly. Ths behvor s sme s show cse of moerte clet lo becuse of chge mppg ccorg to chgg ttck lo s tble 1. Gooput (Percetge Improvemet) Best Norml Nïve Defese Type Low CL; Low AL Low CL; Moerte AL Low CL; Hgh AL Moerte CL; Low AL Moerte CL; Moerte AL Moerte CL; Hgh AL Hgh CL; Low AL Hgh CL; Moerte AL Hgh CL; Hgh AL Fgure 7. Defese type vs. percetge mprovemet gooput Fgure 7 summrzes the results of the gooput. We coclue tht tug the system for best efese t hgh clet lo ïve efese t low clet lo gves the best performce.

10 Sr Josh (b) Me Tme betwee Flures Me tme betwee flures (MTBF) sgfes the relblty It s ttrbute th qutfes ttck tolerce of the etwork. Coser the etwork s system whose put s the clet request output s the repose to the request. Ielly, system s s to hve fle f there s o repose to the clet request or whe the verge respose tme becomes fte. However, system must lso gurtee promse QoS where the respose to request shoul rech the clet wth preefe tervl or there s upper lmt o the verge respose tme. For the purpose of smulto, we ssume the system to hve fle f the verge respose tme becomes greter th the sum of urto of lst fve eos. Fgure 8 shows the vrto MTBF of etwork wth the crese ttck lo for vryg clet los cse o efese gst DDoS s use. I the presece of hgh clet lo, eve slght crese ttck lo cuses the system to brupt flure. The etwork s comprtvely more stble wth respect to moerte low clet lo. However, eve t low clet lo, the system fls the presece of very low ttck lo. Fgure 9 shows tht cse of hgh clet lo (~ 3 Mbps), best efese gves better stblty wth crese ttck lo s compre to ïve efese. It s so becuse best efese, there re o flse egtves ll the ttck flows re etecte recte to hoeypots. Wheres cse of ïve efese, my ttck flows wll go uetecte (wth lrge umber of flse egtves) wll be recte to ctve server cusg srupto servces ultmtely leg to the flure of the etwork wth crese ttck lo. MTBF (x sec) Attck Lo (Mbps) Hgh Clet Lo Moerte Clet Lo Low Clet Lo Fgure 8. Vrto of MTBF wth Attck lo MTBF (x sec) Hgh Clet Lo : No Defese Hgh Clet Lo : Nïve Defese Hgh Clet Lo : Norml Defese Hgh Clet Lo : Best Defese Totl Attck Lo (Mbps) Fgure 9. Vrto of MTBF wth AL; Hgh CL At moerte low clet los (15 Mbps 2 Mbps respectvely), best efese hs greter MTBF th ïve efese ue to smlr resos s escrbe. Ths s show fgures 11 respectvely. MTBF (x sec) Moerte Clet Lo : No Defese Totl Attck Lo (Mbps) Moerte Clet Lo : Nïve Defese Moerte Clet Lo : Norml Defese Moerte Clet Lo : Best Defese Fgure. Vrto of MTBF wth AL; Moerte CL It my be ote tht o flure s reporte cse of hgh moerte clet lo (fgure 9 ) the presece of ttck lo of upto 2 Mbps 5 Mbps respectvely the presece of hoeypots. However, t low clet lo, the etwork becomes much stble wth o etwork flure reporte eve f there s ttck lo of bout 2 Mbps. MTBF (x sec) Low Clet Lo : No Defese Low Clet Lo : Nïve Defese Low Clet Lo : Norml Defese Low Clet Lo : Best Defese Totl Attck Lo (Mbps) Fgure 11. Vrto of MTBF wth AL; Low CL Moreover MTBF rems cosstet eve f the ttck lo creses beyo 23 Mbps cse of low clet lo, orml ïve efese. Ths emostrtes tht the propose frmework hs the potetl to gve stble etwork fuctolty eve the presece of ttcks. Best efese

11 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 11 gves best performce for MTBF uer y mout of etwork lo Fgure 12(). Vrto of MTBF wth AL; Nïve, Norml Best efese ; The Rr Plot Hgh Clet Lo ; Nve Defese Hgh Clet Lo ; Norml Defese Hgh Clet Lo; Best Defese Moerte Clet Lo ; Nve Defese Moerte Clet Lo ; Norml Defese Moerte Clet Lo ; Best Defese Low Clet Lo ; Nve Defese Low Clet Lo ; Norml Defese Low Clet Lo ; Best Defese Fgure 12(b). Key for the rr plot (c) Averge Respose Tme Averge Respose Tme (ART) sgfes the effcecy of the system gves mesure of fuctolty eve the presece of ttck lo. I cse of low ttck lo, the ïve efese gves the best results wth up to 78% mprovemet ART s compre to o efese s show fgure 13. Nve efese hs hgh flse egtves gves low flse lrms. But s ttck lo s less, flse egtves become sgfct. Due to low flse lrm rte, most of the legtmte flows re rectly set to ctve FTP servers ART (Percetge Improvemet) Nïve Defese 2 Norml Defese Best Defese Clet Lo (Mbps) Fgure 13. %ge mprovemet ART vs. CL (Low AL) hece ART ecreses. However, cse of best efese, ART s hgher hece percetge mprovemet s less s compre to ïve efese. Ths s so becuse best efese gves hgh flse lrm rte low flse egtves. As the clet lo creses, the umbers of flse postves crese. These flows re frst recte to the hoeypots before beg etfe s legtmte flows beg rerecte to ctve servers. Hece, ths les to crese vlues of verge respose tme wth cresg clet lo cse of best efese. ART (Percetge Improvemet) Nïve Defese Norml Defese Best Defese Clet Lo (Mbps) Fgure 14. %ge mprovemet ART vs. CL (Hgh AL) The fgure 14 shows percetge mprovemet ART wth cresg clet lo t ttck lo of 45 Mbps. Wth hgh ttck lo, best efese gves more mprovemet ART vlues s compre to ve efese. It s so becuse best efese gves hgh flse lrms low flse egtves. As ttck lo s hgh, flse egtves re eglgble, best efese s ble to etfy ll ttcks wth zero flse egtves ths soltes the server from hgh ttck lo, thus mtg the stble ART. O the other h, ïve efese gves low flse lrms but hgh flse egtves. So t hgher ttck los, more ttckers rem uetfe flock the server, gvg hgher vlues of ART. After crese ttck lo beyo 45 Mbps, the MTBF bruptly ecreses for hgh moerte clet los. Hece the verge respose tme curve shows brupt chotc behvor. The fgure 15 shows tht cse of low clet lo low ttck lo, ïve efese gves the best performce wth up to 6% mprovemet s compre to o efese. The mprovemet ecreses wth crese ttck lo becuse t hgh ttck lo, ïve efese gves hgher flse egtves. Hece ttck lo my go to ctve servers cusg ART (Percetge Improvemet) Nïve Defese Norml Defese Best Defese Attck Lo (Mbps) Fgure 15. %ge mprovemet ART vs. AL (Low CL)

12 12 Sr Josh cogesto crese respose tmes. Hece, t hgher ttck los, best efese shows hgher mprovemet ART vlues. ART (Percetge Improvemet) Nïve Defese Norml Defese Best Defese Attck Lo (Mbps) Fgure 16. %ge mprovemet ART vs. AL (Hgh CL) Fgure 16 shows percetge mprovemet verge respose tme wth ttck lo the presece of hgh clet lo (~3 Mbps). For ttck lo up to 2 Mbps, ïve efese shows more mprovemet ART vlues s compre to best efese. It s so becuse, wth hgh clet lo, smll to moerte ttck lo, ve efese oes ot gve too my flse egtves oly lttle ttck trffc s verte to ctve server. Whle cse of best efese wth hgh clet lo low to moerte ttck lo, lrge legtmte populto s etecte s ttck goes to hoeypot before beg recte to ctve server, thus cresg the vlues of ART gvg lower ART mprovemets. I cse of hgh clet lo hgh ttck lo, there s treoff betwee best efese (whch reuces flse egtves hece llegtmte trffc to ctve servers, thus cresg ART) ïve efese (whch creses flse postves thus vertg the flows to hoeypots before rectg them to ctve servers, thus cresg ART). Hece t shows chotc behvor. Etre results re tbulte the followg tbles: Tble. Moes of operto for gooput Gooput AL/CL Low Mo Hgh Low N, No, B N B Mo N, No, B N B Hgh N, No, B N B Tble 11. Moes of operto for MTBF MTBF AL/CL Low Mo Hgh Low B B B Mo B B B Hgh B B B Tble 12. Moes of operto for ART ART AL/CL Low Mo Hgh Low N N N Mo B No N Hgh B Chotc Chotc N : Nïve Defese No: Norml Defese B: Best Defese From the bove scusso t s cler tht our propose frmework shows sgfct mprovemet mportt etwork performce prmeters wth mor treoff t hgh ttck lo hgh clet lo. The prorty of output prmeters lso etermes the vlue of. For ex., t low AL hgh CL, ART goes fvor of ïve efese wheres gooput goes fvor of best efese. The frmework s uto correctve. A crese ART sgfes the presece of ttck whch trggers lower vlue of subsequet etecto wow to mt stble etwork fuctolty. 9. Avtges of the propose frmework 1. Use of etropy s mesure for sttstcl evto t POP ebles quck etecto of vrble rte DDoS ttcks. 2. Movg tme wow bse motorg proves for ccurte rel tme chrcterzto. 3. Hoeypots help retg ttck evece for foresc purposes eble smooth operto eve uer hevy lo. 4. Defese moel s sclble to the etwork cotos ttck lo. 5. Our frmework esures mmum collterl mge. The coectos wth the ttcks re rete wth hoeypots for eo cse of mschrcterze flow, they re rerecte to ctve FTP server subsequet tme wows. So, legtmte pcket loss s mmum. 6. Aptble to ttcker trcks ue to the presece of hoeypots. 7. As there re o lethrgc tbles for routg, rerecto s bse o smple rule geerte rel tme sttes of servers re flushe fter ech eo, there re less memory overhes terms of motore trffc. 8. As we use smple lgorthm to prse the t pckets chrcterze them, the computto prt reuces to just clcultg the etropy of flows per tme wow. The computto of ext server set eo legth lso requres the use of lght weght hsh fuctos. Hece, there re less

13 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 13 computtol overhes terms of correlto / ferece lyss 9. Sce there re o bulky upte messges, there s less bwth overhes terms of cotrol trffc exchge betwee efese moules. Coclusos The frmework presete ths pper proves e to e soluto for efese gst both lute egrg hgh rte cocetrte floog DDoS ttcks ISP om. Our chrcterzto scheme clbrtes the etwork to operte oe of the three moes of efese, mely, ïve, orml best to reuce flse postves flse egtves. ROC curves emostrte vtge of usg the propose scheme uer hgh rte ttcks. Next, we presete ymc hoeypot bse mtgto scheme where ymc hoeypot ege hoeypot cotroller utomtclly trggers the geerto of pproprte umber of hoeypots servers fter ech eo. Evluto of the frmework o prmeters lke gooput, me tme betwee flure verge respose tme uer three moes of operto show tht our scheme gves stble etwork fuctolty cse of smooth chge clet lo. I cse of brupt chges, t hs the teecy to pt tself to the etwork. It expereces fvorble ttck lo epeet behvor for fxe umber of ttck mches self optmzes the etecto prmeters. There s hgh percetge mprovemet gooput ART presece of utoomc ymc hoeypots wth mor treoff t hgh clet lo. Our propose frmework mtgtes DDoS ttcks meetg the ffcult chlleges of keepg collterl mge overhes terms of memory, computto bwth eglgble. Hece the results re promsg show tht the frmework hs the potetl to prove stble etwork fuctolty eve the presece of hgh rte ttcks. Some of the veues for further expermetto re wth lrger heterogeeous etworks. Polcy to strbute keys to legtmte flows epeg upo trust level (or urto of ther legtmcy) c tke the mgemet off the HCE t the expese of crese computto cotrol messges. Future focus s to pply bck trckg o ttck flows gog to the hoeypot servers to rech the ttck source upte the flterg rules t POP. Both of them hol promse for evlutg mprovg our DDoS efese metho. The overhe of stte motorg c be strbute mogst multple gress POPs of ISP. Refereces [1] CERT Sttstcs, URL [2] L. Grber, "Del-of-Servce Attcks Rp the Iteret", IEEE Computer, vol. 33, o. 4, 2. pp [3] K.J. Houle, G. M. Wever, N. Log, R. Thoms. Tres el of servce ttck techology. Techcl Report Verso 1., CERT Coorto Ceter, Crege Mello Uversty, 21. [4] F. Lu, S. H. Rub, M. H. Smth, L. Trjkov. Dstrbute el of servce Attcks. I Proceegs of IEEE Itertol Coferece o Systems Cyberetcs vol. 3, pp , 2. [5] C.M. Cheg, H.T. Kug, K.S. T, Use of spectrl lyss efese gst DoS ttcks". I Proceegs of IEEE GLOBECOM 22, pp , 22. [6] J. Mrkovc, G. Prer, P. Reher, Attckg DDoS t the source. I Proceegs of ICNP 22, Prs, Frce, pp , 22. [7] L. Sptzer, Hoeypots: Smple, Cost-Effectve Detecto. 3 Aprl 23. URL: [8] L. Zhgug Hoeypot: Supplemete Actve Defese System for etwork Securty. IEEE., /3, 23 [9] V. Pxso, Bro: A System for Detectg Network Itruers Rel-Tme. Computer Networks, vol. 31, os , [] M. Roesch, Sort Lghtweght Itruso Detecto for Networks. I Proceegs of USENIX Systems Amstrto Cof. (LISA 99), Nov [11] T. M. Gl M. Poletto. Multops: t-structure for bwth ttck etecto". I Proceegs of th USENIX Securty Symposum, 21. [12] R. B. Blzek, H. Km, B. Rozovsk, A. Trtkovsky, A ovel pproch to etecto of elof-servce ttcks v ptve sequetl btch sequetl chge-pot etecto methos". I Proceegs of IEEE Systems, M Cyberetcs Iformto Assurce Workshop, 21. [13] B. Becsth, I. Vj, Protecto gst DDoS Attcks Bse o Trffc Level Mesuremets. Presete t Wester Smulto MultCoferece. S Dego, Clfor, USA., 24. [14] A. Lkh, M. Crovell, C. Dot, Mg Aomles Usg Trffc Feture Dstrbutos, ACM SIGCOMM, 25. [15] A. Sr R. C. Josh, Smulto of Dymc Hoeypot Bse Rerecto to Couter Servce level DDoS Attcks. I Proceegs of ICISS 27, Sprger LNCS 4812, pp , 27. [16] Y. Xu, R. Guer, O the Robustess of Routerbse Del-of-Servce Defese Systems. ACM SIGCOMM, 25. [17] J. Ios, S. M. Bellov, Implemetg Pushbck: Router-Bse Defese gst DDoS Attcks. IEEE INFOCOMM, 23. [18] H. Deg, Q. Zeg, D. P. Agrwl, A Usupervse Network Aomly Detecto System Usg Rom Projecto Techque, Itertol Workshop o Cryptology Network Securty (CANS), Sept , 23. [19] B. Steph, Optml flterg for el of servce mtgto, I Proceegs of the 41st IEEE Coferece o Decso Cotrol, 22, Vol. 2, pp , Dec. 22. [2] J. Mrkovc, J. Mrt, P. Reher, A Txoomy of DDoS Attcks DDoS Defese Mechsms. Techcl Report 218, Computer Scece

14 14 Sr Josh Deprtmet, Uversty of Clfor,LosAgeles, 22. [21] R. Mhj, S. M. Bellov, S. Floy, J. Ios, V. Pxo, S. Sheker, Cotrollg hgh bwth ggregtes the etwork. I ACM SIGCOMM Computer Commucto Revew, volume 32, pp ACMPress, 22. [22] T. Peg, C. Lecke, K. Rmmohro, Defeg gst strbute el of servce ttck usg selectve pushbck. I Proceegs of ICT, 22. [23] M. Kltr, K. Gllccho M. A. Shym, Usg trset behvor of TCP mtgto of strbute el of servce ttcks. I Proceegs of the 41st IEEE Coferece o Decso Cotrol, 22, Vol. 2, pp , Dec. 22. [24] J.Joes. Dstrbute Del of Servce Attcks: Defeses, Techcl report, Globl Itegrty, 2. [25] A. C. Soere, H. Blkrsh, M. F. Kshoek. The Mgrte Approch to Iteret Moblty. I Proceegs. of the Oxyge Stuet Workshop, July 21. [26] F. Sult, K. Srvs, D. Iyer, L. Iftoe. Mgrtory TCP: Coecto Mgrto for Servce Cotuty the Iteret. I Proceegs of ICDCS, 22. [27] P. Dew, P. Dsgupt, V. Krmchet. Defeg gst Del of Servce ttcks usg Secure Nme resoluto, I Proceegs of SAM 23, 23. [28] S. M. Khttb, C. Sgpchtruks, R. Melhem, D. Mosse T. Zt. Proctve Server Romg for Mtgtg Del of Servce Attcks, I Proceegs of the 1 st Itertol Coferece o Iformto Techology: Reserch Eucto (ITRE'3), August 23. [29] Ajl Sr, Krsh Kumr R. C. Josh, Detecto Hoeypot Bse Rerecto to Couter DDoS Attcks ISP Dom I Proceegs of IEEE Thr Itertol Symposum o Iformto Assurce Securty. Mchester, UK, pp , Aug 27. [3] Y. Xg W. Zhou. Clssfyg DDoS pckets hgh-spee etworks, I Itertol Jourl of Computer Scece Network Securty, Vol. 6, No. 2B, Februry 26, pp [31] R. L. Rvest A. Shmr. PyWor McroMt Two Smple Mcropymet Schemes, I Proceegs of 1996 Itertol Workshop o Securty Protocols, umber 1189 Lecture Notes Computer Scece, M. Loms, etor, pges Sprger,1996 [32] J.Zhg M. Zulkere, Aomly Bse Network Itruso Detecto wth Usupervse Outler Detecto I Proceegs of IEEE ICC 26, pp I August 197 he joe E&CE Dept., Uversty of Roorkee s LECTURER. He the becme READER August 1981 the PROFESSOR September Curretly he s workg s PROFESSOR Electrocs Computer Egeerg Deprtmet, I Isttute of Techology, Roorkee. He hs serve s He of the Deprtmet twce from J 1991 to J 1994 from J 1997 to Dec He hs bee He of Isttute Computer Cetre, IITR from Mrch Dec 25. Presetly he s ctvely volve reserch the res of Iformto Securty, Boformtcs, Dtbses Recofgurble Computg. Dr. Josh s expert pel of vrous tol commttees lke AICTE, DRDO MIT. He s lso member of Ntol Iustrl Reserch Developmet Awr Commttee. Dr. Josh hs gue bout 25 Ph.D. theses M.E./M.Tech. Dsserttos (15), M.E./B.E. projects (2+). He hs bee prcpl vestgtor for projects from vrous tol geces lke Mstry of Iformto Commucto, DRDO, DOE AICTE He hs publshe over 15 reserch ppers Ntol/Itertol Jourl/Cofereces. Dr. Josh hs lso oe 18 moths trg t ENSER Greoble, Frc uer Io Frech Collborto progrm. He hs receve Gol Mel by Isttute of Egeers 1978 for best reserch pper. Rmesh C. Josh Bor t Pthorgrh (UA, I) o Jue 1st, 1946, Dr. Josh receve hs B.E. egree electrcl egeerg from Allhb Uversty, Allhb, I He the receve hs M.E. Ph.D. egrees electrocs computer egeerg from Uversty of Roorkee, I, , respectvely.

15 A Itegrte Hoeypot Frmework for Proctve Detecto, Chrcterzto Rerecto of DDoS Attcks 15 Ajl Sr Bor t Brelly (UP, I) o August 1, 1982, she receve her B. Tech egree Iformto Techology from U.P. Techcl Uversty, Luckow, I, 24. She hs bee gol melst urg her uergrute stues. She receve her M.Tech. egree Iformto Techology from I Isttute of Techology, Roorkee 26. Curretly she s pursug her Ph.D. Electrocs Computer Egeerg Deprtmet, I Isttute of Techology, Roorkee, I. Her recet sgfct work o Hoeypots DDoS clues mplemetto of low tercto hoeypots smulto of hgh tercto hoeypots. Her reserch terests clue Iformto Securty Boformtcs. Ms. Ajl hs bee recpet of 1st prze t Ntol Level R&D cotest orgze by Govt. of I, Best Egeer Awr the yer 23-24, hs bee recpet of three Gol Mels urg uergrute stues, hs bee hoore twce by IMA bee tol level prtcpt t ImgeCup 6 by Mcrosoft.