A Potent Model for Unwanted Traffic Detection in QoS Network Domain

Transcription

1 A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan, Ghassan Ahmed Al A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan *, Ghassan Ahmed Al School of Computer Scence, Unverst Sans Malaysa, Pulau Pnang, Pnang, Malaysa aaaa.cod08@student.usm.my, aman@cs.usm.my, ghassan@cs.usm.my do: /jdcta.vol4.ssue2.14 Abstract Unwanted traffc njecton whch amplfes the traffc loadng and ehausts network resources s counted as network securty threat. Despte of the numerous protecton systems, ths threat s stll lackng powerful remedy tll day. Ths paper proposes a potent model for unwanted traffc detecton n edge-to-edge QoS network doman. It s desgned to detect servce volatons and bandwdth theft n the network. The ngress and egress edges at the ISP doman are used to feed Rsk Management Unt (RMU) by nformaton about delay, jtter and throughput. RMU computes users' ratos to verfy the volatons n the Servce level Agreement (SLA) and to dentfy who s behnd these volatons. The smulaton results ndcate that our model s capable to detect the volatons n SLA. Furthermore t s precse for droppng the unwanted traffc wthout eceedng that to the wanted traffc. Keywords Dfferentated Servce; Unwanted traffc detecton; Qualty of Servce; Servce level agreement. 1. Introducton The ablty to measure QoS parameters s mportant to detect servce volatons and to contan attacker's sabotages n the nternet[1, 2]. The sophstcated attackers eplot the securty vulnerabltes ncluded n the open structure of the nternet to perform ther attacks. They tend to use the network traffc n order to hde ther malcous traffc by mng them wth the normal network traffc. Some of them use DDoS, worms, Network scan and SYN floodng attacks n order to perform servce volatons and bandwdth theft. Such attacks have dffcult challenges to prognoss the true postve.e. the challenges of droppng the malcous traffc wthout eceedng that to the legtmated traffc. Current Intruson Detecton Systems (IDS) are unable to effectvely remedy such challenges; however, some effcent research trend to study the breachng n the qualty of servces (QoS) parameters to dentfy and classfy network attacks such as[3-6]. The phlosophy of these researches s that QoS parameters whch bascally used to measure the network performance can also be used to determne whether that performance s normal or not. In ths paper we propose a potent model for unwanted traffc detecton n QoS edge-to-edge doman networks. The purpose of ths study was to present an effectve soluton for the above attacks challenges consderng the drawbacks of recent IDS approaches. Currently, t wll focus on detectng the unwanted traffc njecton and dentfyng whch user t has been generated by. Hence, montorng the users who abuse the network resources s requred to dfferentate between wanted and unwanted traffc. Customers of DffServ edge-to-edge QoS n mult-doman network have a Servce Level Agreement (SLA) for packet loss, delay, jtter and bandwdth guarantees provded by ther Internet Servce Provder (ISP)[7, 8]. The customer who eceeds ts guaranteed rato wll despol others' ratos. That s why; QoS parameters should be nspected at doman edges n order to prevent network resources ehauston. In ths paper, packet loss check s gnored. Our vson s to suffce by measurng jtter and bandwdth. These parameters can be measured more accurately. Jtter s aggregated for each user and compared wth ts guarantees n the SLA. When the user volates hs jtter guarantee n SLA, the throughput wll be computed as user transfer rate to verfy the servces volatons and to dentfy the user who s behnd these volatons. The man contrbuton of ths paper s lettng the decson whch confrms whether the servces guarantees are volated or not based on jtter metrc measurement. In fact, delay jtter s measured to correct the errors whch are caused by usng naccurate methods for delay measurng. Actually, these methods nclude drawbacks such as: non-synchronzaton when tmestamp of props packets s recorded between sender and recever edges or the asymmetrcal lnks f we smply measure RTT and dvde t by two. * Correspondng author. Tel.: E-mal address: aman@cs.usm.my 122

2 Internatonal Journal of Dgtal Content Technology and ts Applcatons Volume 4, Number 2, Aprl 2010 The rest of the paper s organzed as follows. Secton 2 dscusses the background and related work. In Secton 3, we revew the mpacts of unwanted traffc on QoS parameters. Secton 4 classfes the unwanted traffc. Secton 5 descrbes the archtecture and algorthm of SLA volaton. Secton 6 debates the metrcs (delay, jtter and bandwdth) measurement. Secton 7 presents smulaton results. In secton 8, the concluson and future work are ntroduced. Fnally, the acknowledgment s wrtten n secton Background and Related Work IDS are classfed nto known attack based, and unknown attack based. The known attack based detectors are defned as a set of rules wrtten to eamne the network traffc n order to nspect the known attacks characterstcs such as[9-11]. These IDS detectors also called a msuse or sgnature bases. Ther man drawback s the need for addng new rules when a new type of attack s dscovered. The unknown attack detectors are descrbed as anomaly based detecton systems n[12-15]. Though these types can detect a suspcous traffc, they can not gve a complete dagnoss about the attack nature. In addton, the possblty of normal traffc devaton from ts dstrbuton model whch s created frst leads to rse the false alarms generaton. There have been a number of related studes tended to measure the mbalance and breaches that occur n the QoS parameters to detect the servce volatons or to portend the resources theft. Ahsan H and Sona F et al [6],[16] and Ahsan H, Mohamed H and Bharat B[17] propose a scalable system for detectng servce volatons and bandwdth theft n DffServ edge to edge doman. Ths approach s smple and useful for nvestgaton SLA volatons; however, ts shortcomng by relyng the delay frstly to detect servce volatons. As t measures one way delay (OWD) by usng the tmestamps recorded at both ends. Accordng to[18], OWD s hard to measure by smply sendng probes from the source to the destnaton. Besdes, the probe-packet stream adds consderable etra-amount traffc on the network and thus produces a QoS performance that s not smlar to that wthout the nfluence of the probe-packet. In addton, the method of determnng the probablty wth whch the probe packets should be njected s not accurate[6]. Moreover, the core-asssted scheme for loss measurement s not useful and dffcult to deploy, added to the ambguty n determnng ts loss threshold. We-Zhou Lu, We-Xuan Gu et al[18], propose a non-synchronzed One-way queung delay measurement and ts applcaton on detectng DDoS attack. To avod the synchronzaton problem resultng from recordng the tmestamp at both ends, the ntervals are separately measured at the sender and the recever to compute OWD. Ths approach s lmted only to measure packet loss rate, OWD and jtter wthout propose a complete mechansm to detect attacks and dentfy ther sources. Garga and Reddy [5] present a real-tme detecton and contanment of network attacks usng QoS Regulaton. The network attack detector s desgned based on montorng the ncrease of the nput traffc by each protocol. Each protocol has two knds of threshold: hgh and low threshold. When the traffc volume of the correspondng protocol sgnfcantly eceeds a regulaton hgh threshold or s below the low threshold, the detector declares anomales and then the system swtches to class-based buffer management technques. The use of non class-based buffer management durng the normal tme mode to avod the wastng n the system resources s one advantage of these approaches. In addton, classfyng the traffc accordng to the correspondng protocol wll help later n recognzng the attacks types. On the other hand these regulaton-based systems contan drawbacks such as: the possblty of tranng ths approach to accept anomaly traffc as legtmate traffc. Also the protocols thresholds themselves are dffcult to assgn by the values whch ensure reducton n the false alarm rates. Km and Reddy[3], propose a smlar approach of Garga and Reddy to detect network attacks usng QoS regulaton. Furthermore, ths approach doesn t eplan feasble mechansms for montorng the nput traffc and classfyng the traffc accordng to the correspondng protocol. 3. Unwanted traffc mpact on QoS metrcs Qualty of servce (QoS) concept s a set of mechansms desgned to capably manage the network characterstcs n order to guarantee hgh qualty performance n the network servces. The network characterstcs are defned by QoS parameters whch nclude bandwdth, Delay, Jtter and Loss[19, 20]. These parameters whch we use to detect anomalous actvtes n the traffc are brefly descrbed n table 1. The network s n normal state as long as the ratos of the above QoS parameters are normal. Hereby, n ths paper, we consder the volaton n these parameters ratos occurrng by anomalous actvtes n the network traffc. 123

3 A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan, Ghassan Ahmed Al Table 1. Qualty of Servce (QoS) parameters Parameters Bandwdth Delay Jtter Loss Descrpton Traffc rate that can be carred from source to destnaton n a gven tme perod (mostly one second). The delay n data transmsson from one pont to another. The change n delay for a par of packets selected wthn a flow n the evaluaton nterval. The rato of packets dropped by the routers (lost packets). In fact n addton to malformed traffc, most of anomalous traffc n the network s caused by attackers and ntruders actvtes. Fgure.1 llustrates the mpacts of unwanted traffc upon QoS parameters. Unwanted traffc mpact because of the congeston caused by the malcous traffc or n case of the delay caused by that congeston. 4. Unwanted traffc classfcaton Unwanted traffc classfcaton s requred for dentfyng the knd of traffc whch s behnd servce volatons n the network. We quarantne the njected traffcs whch cause the amplfcaton n the network as unwanted traffc. Unsolcted traffc Unwanted traffc Malcous traffc Malformed traffc ncrease ++ ncrease ++ ncrease ++ decreas e Traffc knd Fgure 2. unwanted traffc classfcaton QoS Parameters Fgure 1. Unwanted traffc mpact on QoS parameters Bandwdth consumpton: s a result due to traffc amplfyng. Amplfyng process s done by njectng malcous or unwanted traffc such as dstrbuted denal of servce (DDoS) attacks or network scan. Tme delay: s a result of bandwdth consumpton. When there s bandwdth consumpton, there s a decrease n the data transfer rate through network paths n a tme unt; thus, there s a delay n the transmsson tme. Jtter: Resultng from the changes n delay for a par of packets selected wthn a flow n the evaluaton nterval. Data Loss: Some packets are dropped by routers Unwanted traffc can not be solely counted as malcous traffc. Fgure 2 shows that unwanted traffc s categorzed nto three knds: malcous, unsolcted and malformed traffcs. Malcous traffc s njected by attackers for evl purposes such as DDoS, worms, SYN floodng or network scans attacks. The proft and commerce purposes are behnd the unsolcted traffc njecton such as spam or cookes; whereas malformed traffc s generated because of network tools malfuncton. 5. Archtecture for detectng SLA breach Fgure 3. shows the methodology archtecture for detectng servce volaton and resoureces theft proposed n ths paper. The archtecture s composed of four man unts: Montorng Unt (MU), Verfcaton Unt (VU), Dagnoss Unt (DU) and Rsk Management Unt (RMU). 124

4 Internatonal Journal of Dgtal Content Technology and ts Applcatons Volume 4, Number 2, Aprl 2010 Traffc n Jtter Check Montorng Unt (MU) Normal Traffc Matchng RMU Bandwdth Check Verfcaton Unt (VU) Identfcaton Classfcaton Flter Out Dagnoss Unt (DU) Fgure 3. The archtecture for detectng SLA volaton MU functonalty s montorng the anomaly actvtes n the network traffc. It measures packets delay at the provder edges for every user and reportng that to RMU. RMU computes the jtters of each user n order to compare them wth ther jtter guarantees n the SLA. To verfy whether servces are volated or not, bandwdth gurantees should be measured. VU functonalty s to measure the data transfer rate for those users who breache ther jtter gurantees at provder egress edges and then forward the amount of consumed bandwdth to RMU. Tactcally bandwdth checkng wll not be eecuted before jtter guarantee has already been breached. In other words, bandwdth s defned as data transfer rate for the user at tme unt, whch means that any breach n delay guarantees changes data transfer tme and then affects data transfer rate. Hence, users who breache ther bandwdth guarantees too, wll be declared as unwanted network generators. RMU s the control and managment unt. It s seen as the heart n the body. In addton to the responsblty of dstrbutng the roles among the unts and assgnng prorty for the tactcal tasks, RMU computes the average numbers of jtter and consumed bandwdth for each user dependng on data gven by the related unts. Besdes, RMU s responsble of makng the crucal decsons whch determnes whether servces are breached and bandwdth are theved or not. Fgure.4 shows servce volatonss and bandwdth theft detecton algorthm whch s eecuted for jtter and bandwdth metrcs on DffServ doman. DU s responsble for classfyng the unwanted traffc whch s behnd servce volatons nto malcous, unsolcted and malformed traffc. Actually traffc classfcaton s out of ths paper scope, that s why DU s only planned to be studed later n the net paper. The negatve effect of traffc classfcaton overload n the performance parameter can be avoded frstly by zoomng out the classfcaton scope nto the traffc whch has been already proved as unwanted traffc. Secondly, by collectng the nformaton of unwanted traffc and placng them n a repostory. Then eecutng the operaton of classfcaton n the offlne way. 6. QoS parameters measurement Customers of end-to-end QoS n mult-doman Dfferentated Servces [8] network have SLA guarantees for packet loss, delay, jtter and data transfer rate provded by ther ISP. Ths secton descrbes feasble methods for measurng these QoS parameters for each user n the doman. The calculated ratos are compared wth the ratos granteed n SLA to detect the volatons n jtter, bandwdth and data loss gaurantees. We proposed prvate method for each of them as follow: 6.1 Delay and Jtter metrcs measurement One-Way-Delay (OWD) s measured accordng to [6] ether by recordng tmestamps of props packets or by dvdng the Round Trp Tme (RTT) by two. The man drawback of the frst way s the non synchronzaton between the two ends: however, the asymmetrc lnks gves us an appromated rato when we use RTT. To avod these drawbacks, we check delay jtter nstead of delay parameter, because such drawbacks can affect n delay rato computng, but they can not affect n jtter rato computng. Jtter s defned as the change between OWD for a par of packets selected wthn a flow n the evaluaton nterval[18]. That means for measurng jtter, delay must be computed frst. In ths paper, we choose to compute OWD by dvdng Two Way Delay (TWD) by two. TWD s the RTT whch s computed by measurng the tme from ngress to egress and back to ngress. The ngress edges forward the packet TWD nformaton to the RMU. The RMU computes the OWD for every packet traverses from ngress to egress as: TWD OWD (1) 2 The computed values of OWD s used to compute the jtter as jtter OWD OWD (2) Where 1 1 y y y OWD y s the delay computed for packet n 125

5 A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan, Ghassan Ahmed Al the flow y of user, and Unwanted traffc are detected Yes OWD Traffc n Packets Delay Montor Jtter computng Jtter > SLA Jtter guarantee Yes Bandwdth computng Bandwdth > SLA Bandwdth Guarantee No No Declare the user as resources robber y 1 s the delay value computed of net packet +1 n the same flow of same user. The jtter average of user can be computed by usng the eponental smooth movng average (ESMA)[21]. as follow: avg _ Jtr avg _ Jtr w jtter y 1 w (3) Where y jtter s the jtter rato computed for each flow y of user over tme nterval t, w s a small adaptaton factor set to 0.1 for ths computaton. In concluson, we nfer that unwanted traffc may have njected and network servces may have abused, when the jtter average of user eceeds ts jtter rato guarantee n the SLA. Fgure 4. SLA volaton detecton flowchart 6.2 Bandwdth metrc measurement Normal Traffc Matchng Accordng to[19], when the DffServ traffc eceeds the amount of bandwdth allocated for the customers specfed by SLA, the traffc stream has reached burst sze; consequently, the ecess packets are drooped out of traffc profle. Otherwse, packets are consdered as n traffc profle; smlarly, when the bandwdth s not enough, the network traffc wll be congested, and then the tme requred for transmttng data from one pont to another wll ncrease. In other wards, the traffc loss or transmttng delay can't occur as long as network bandwdth s not consumed. For these reasons, we consder the volaton n bandwdth guarantee an evdence for unwanted traffc njecton. The objectve of ths paper n addton to the anomalous actvtes detecton s the anomaly generator dentfcaton. A common fact that the user who consumes a bandwdth more than hs porton, he certanly starves the others. To dentfy starvaton source, we refer to every user who eceeds ts guarantee of jtter n order to measure hs throughput at all egress edges. Egress edges report RMU by the bandwdth consumed by each flow. The RMU aggregates the throughput of each user at all egress edges as the average of data transmsson rate of that user. In ths model, to easly measure the amount of bandwdth consumed by every flow, a mathematcal mechansm can be used. Accordng to[22], theoretcal when the network traffc loadng s staple, every TCP flow transmtted through congested path wll consume the same porton of bandwdth. In[23], Maths uses the followng equaton to measure bandwdth of a sngle TCP flow : MSS Fbw RTT C P where MSS s the mamum segment sze, RTT s the packet round trp tme, P s the drop probablty of the packet, and C s a constant depends on the type of TCP. In order to apply Maths's equaton, we take nto consderaton all condtons and parameters assumptons. The equaton wll be appled on congested lnk between ngress and egress edges. Ths lnk s appromately symmetrc. Flows of same user wll be assumed as comng from the same source. Egress edges compute the amount of bandwdth consumed by flow of user and report t to the RMU. RMU classfes the flows whch belong to user and aggregates the bandwdth average of each user at all egress edges by usng ESMA as avg _ Fbw avg _ Fbw weght Fbw 1 weght (5) Where Fbw s the amount of bandwdth consumed by flow of user over tme nterval t, weght s a small adaptaton factor set to 0.1 for ths computaton. We conclude that unwanted traffc have been njected and (4) 126

6 Internatonal Journal of Dgtal Content Technology and ts Applcatons Volume 4, Number 2, Aprl 2010 network resources have been robbred, f the average of bandwdth consumed by the user eceeds ts bandwdth guarantee n the SLA. 6.3 Loss metrc measurement Although loss parameter checkng s not ncluded n ths study, we eplan how t can be measured to help n detectng servce volatons and resources theft. We wll refer to edge-to-edge strategy as loss measurement mechansm between Provder Edges (PE). The ngress edge y reports RMU by all packets actually sent to egress edges over a tme unt t seconds for user, ( y Psent ), On the other hand, egress edges z reports RMU by all packets actually receved over a tme unt z for the same user, Pr cvd. The RMU computes the average loss rato for user as follow: avg _ EgPloss avg _ Psent avg _ Prcvd (6) avg _ Psent where avg_psent s average number of packets sent by user and avg_prcvd s average number of packets receved for the same user. Both these ratos are computed by RMU by usng ESMA over the same nterval. In concluson, we nfer that suspcous traffc may have njected, f ths average loss eceeds the loss guarantee n the SLA. 7. Smulaton result 7.1 Smulaton setup Ths secton descrbes our smulaton result for detectng the bandwdth consumng and servce volatons. We used the network smulator NS-2.33[24]. The network topology used n our smulaton comprses fve edges routers wth traffc condtoners and s core routers as llustrated n fgure 5. The lnk bandwdth capacty among all nodes s set to 10 Mbps. Propagaton delay of all lnks s 5 ms. The smulaton scenaro s desgned to evaluate the effectveness of the proposed scheme for montorng every customer on the provder edges. Ths scenaro s smulated consderng a Dfferentated Servce (DS) network doman. The doman accepts three servce level specfcatons (SLS) for three users. The user uses multple hosts to sends multple flows va one or more ngress edges along the topology lnks. The detals of SLS for users' flows are presented n table 2. U1 U2 U3 ngress1 0 Ingress2 CR1 3 CR 4 1 CR2 CR3 4 6 CR5 2 ngress3 7 Fgure 5. The smulated network topology We smulate 30 flows, each flow has the same average rate of 320 Kbps. TCP New Reno s used. For smplcty, fve eplct paths are selected between ngress and egress edges as follow: P0 ncludes nodes 3, 6, 8, 10 and t s assocated to flow (1-12); P1 ncludes nodes 0, 1, 4, 7, 8, 10 and t s assocated to flow (13-21); P2 ncludes nodes 0, 2, 5, 7, 8, 10 and t s assocated to flow (22-27); P3 ncludes nodes 5, 7, 8, 9 and t s assocated to flow (28-30); The smulaton tme s 30s. The delay, jtter and throughput of each user are measured every o.1 ms. Table 2. SLS of doman users Source Destnaton Throughput Delay jtter U1 R2 7 Mbps 25 ms 10% U2 R2 2 Mbps 25 ms 10% U3 R1 1 Mbps 25 ms 10% 7.2 Result and dscusson 5 DS doman CR6 8 egress1 In the smulaton, our proposed mechansm s nvestgated under lght load; and when there s an ecessve traffc by consderng same scenaro. Under the lght load, the normal traffc s smulated as follow: 12 flows generated by user U1 through P0; 9 flows generated by user U1 through P1; 6 flows generated by user U2 through P2; and 3 flows generated by user U3 on P3. Fgure 6 shows a normal stuaton between 0 and 6 seconds where network servces are not volated and bandwdths are adequate to accommodate all ncomng traffc. An attack s smulated on U1. At the seventh second, U1 starts to attack by sendng an ecessve traffc to R2. Lnk (8 10) becomes the most congested and ehbts ncreased delay ratos, because t s a bottleneck for P0, P1 and P2. The delay n P3 does not ncrease because t s not congested Egress2 R1 R2 127

7 Mean Delay (Second) Mean Delay (Second) Mean Delay (Second) A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan, Ghassan Ahmed Al U1 U2 U Delay Jtter Smulaton Tme (Second) Smulaton Tme (Second) Fgure 6. Users mean delay Fgure 6 also shows that U3 does not eceed ts delay rato, whle both U1 and U2 volate ther SLS by eceedng delay porton guaranteed at 7-23 seconds. That s why; the volaton s occurred by ether U1 or U2. The delay average of the aggregated flows s computed for both U1 and U2. The delay measurng procedure dscussed n secton 6.1. Fgure 6 shows that U1 eceeds ts delay guarantee to more than 70 ms and U2 also eceed ts delay guarantee to more than 40 ms. As we dscussed n secton 6, OWD measurement has some drawbacks that make t not accurate. Due to those drawbacks, the result of delay measurng s consdered not suffcent. Consequently, the crucal decson wll be taken based on jtter measurement. Fgure 7 and fgure 8 depct the jtter measurng for U1 and U2 respectvely. Fgure 7 shows that the jtter average of U1 s normal before 7 second and after 23 second; however t eceeds 2.5 ms to more than 10 ms between 7 and 23 seconds. Fgure 8 shows that the jtter average of U2 s round 2.5 ms at all smulaton tme. We consder the oscllatory jtter durng the tme 7-23 seconds s the evdence for servce volaton and bandwdth consume. The volaton n jtter guarantee whch s depcted n fgure 7 confrms the volaton n delay whch s depcted n fgure 6, whle the absence of volaton n jtter guarantee whch s depcted n fgure 8 negates the delay volaton as depcted prevously n fgure 6. So that U1 s consdered an unwanted traffc generator, whle U2 s consdered a legtmated user. The followng eamples demonstrate that the absence of jtter volaton n fgure 8 negates the delay volaton n fgure 6 for the user U2. Arrved tmes of the frst packet (T1) and arrved tme of the net packet (T2) are assumed respectvely as 25, Jtter value s computed as: Fgure 7. Flows mean jtter of U1 Fgure 8. Flows mean jtter of U2 Jtter = T2 - T1, Jtter = ( ) = 2.5 ms. Delay Jtter Smulaton Tme (Second) If packets delay value ncreases by ( s the error rato of OWD computng), jtter value wll not change because of that as Jtter = (T2 + ) (T1 + ), Jtter = ( ) (25 + 7) = 2.5 ms Fgure 9 shows the appromated throughput of the aggregated flows for each user n the doman. We measure the throughput of U1 by aggregatng the flows that follow P0 and P1, the throughput of U2 by aggregatng the flows that follow P2 and the throughput of U3 by aggregatng the flows that follow P3. Throughput measurng n Fgure 9 depcts that U1 breaches ts bandwdth guarantee by eceedng ts average rate nto more than 9 Mbps n the perod (7-23) seconds; however, the throughput of U2 and U3 s n 128

8 Throughput(Mbps) Internatonal Journal of Dgtal Content Technology and ts Applcatons Volume 4, Number 2, Aprl 2010 normal rate. Despte of loss metrc s not consdered n ths paper, loss rato can be measured at the edge routers for each user. Loss measurng method s eplaned n secton Fgure 9. Users mean throughput. 8. Concluson and future work Our mechansm presented n ths paper can detect the rsk before t occurs and dentfes ts generator and destnaton at the attack tme, wth no need to use traceback algorthms. Ths model s lght-weght and does not requre any etra components. we have demonstrated that through the smple archtecture on secton 4. All that we need s one devce for RMU. In addton, ths algorthm s effcent to detect SLA volatons and to dentfy the user who s behnd network servces abusng. The smulaton results ndcate that usng jtter s effectve to avod the drawbacks of usng delay. Moreover, t s useful to remedy the ncrease of false alarms. In future work, we wll plan to add the DU unt whch wll be responsble for classfyng the unwanted traffc nto malcous, unsolcted and malformed traffc. And then determnng whch knd was behnd servce volatons n the network. 9. Acknowledgements Ths research was supported by Short-term Grant No.304/PKOMP/639021, School of Computer Scence, Unverst Sans Malaysa, Penang, Malaysa. 10. References U1 U2 U Smulaton Tme (Second) [1] Y. Vnod, B. Paul, and U. Johannes, "Internet ntrusons: global characterstcs and prevalence." I. c. o. m. a. m. o. c. systems, Ed. USA: ACM, vol. 31, 2003, pp [2] G. A. Al, A. Jantan and A. A. Ahmed, "Honeybee-based model to detect ntruson," LNCS Sprnger-Verlage Berln Hedelberg 2009, [3] K. S. Soo and A. L. N. Reddy, "Real-tme detecton and contanment of network attacks usng QoS regulaton," n Communcatons, ICC IEEE Internatonal Conference on, 2005, Vol. 1, 2005, pp [4] M. Ada, N. Myosh, and K. Ishbash, "A scalable and lghtweght QoS montorng technque combnng passve and actve approaches," n INFOCOM Twenty-Second Annual Jont Conference of the IEEE Computer and Communcatons Socetes. IEEE, vol.1, 2003, pp [5] A. Garg and A. L. N. Reddy, "Mtgaton of DoS attacks through QoS regulaton," Mcroprocessors and Mcrosystems, vol. 28, 2004, pp [6] A. Habb, S. Fahmy, S. R. Avasarala, V. Prabhakar, and B. Bhargava, "On detectng servce volatons and bandwdth theft n QoS network domans," Computer Communcatons, vol. 26, 2003, pp [7] J. Henanen, F. Baker, W. Wess, J. Wroclawsk, "Assured forwardng PHB group," RFC 2597, June [8] C.-K. Tham and Y. Lu, "Assured end-to-end QoS through adaptve markng n mult-doman dfferentated servces networks," Computer Communcatons, vol. 28, 2005, pp [9] Roesch and Martn, "Snort - Lghtweght 1ntruson Detecton for Networks," Proc. USENIX Lsa 99, SeattLe, Nov. 7-12, [10] Pason and Vern, "Bro: A system for Detectng Network Intruders n Real-Tme," Lawrence Berkeley Natonal Laboratory Proceedngs, 7'th USENIX Securty Symposum, Jan , San Antono TX, [11] R. Ghader, B. Mnae-Bdgol, "Detectng Data Errors wth Employng Negatve Assocaton Rules," JDCTA : Internatonal Journal of Dgtal Content Technology and ts Applcatons, vol. Vol. 3, 2009, p. pp. 91 ~ 95. [12] R. Sekar, M. Bendre, D. Dhurjat, and P. Bollnen, "A fast automaton-based method for detectng anomalous program behavors," n Securty and Prvacy, S&P Proceedngs IEEE Symposum on, 2001, pp [13] L. SooHyung, K. HyunJu, N. JungChan, and J. JongSu, "Abnormal traffc detecton and ts mplementaton," n Advanced Communcaton Technology, 2005, ICACT The 7th Internatonal Conference on, 2005, pp [14] M. Thottan and J. Chuany, "Anomaly detecton n IP networks," Sgnal Processng, IEEE Transactons on, vol. 5, 20031, pp [15] S. Janakraman, V. Vasudevan, "ACO based Dstrbuted Intruson Detecton System," JDCTA: Internatonal Journal of Dgtal Content Technology and ts Applcatons, vol. Vol. 3, 2009, p. pp. 66 ~ 72. [16] H. Ahsan, F. Sona, and B. Bharat, "Montorng and controllng QoS network domans.": John Wley \& Sons, Inc., vol. 15, 2005, pp

9 A Potent Model for Unwanted Traffc Detecton n QoS Network Doman Abdulghan Al Ahmed, Aman Jantan, Ghassan Ahmed Al [17] A. Habb, M. M., Hefeeda, and B. Bhargava, "Detectng Servce Volatons and DoS Attacks," CERIAS Tech Report TR, [18] W.-Z. Lu, W.-X. Gu, and S.-Z. Yu, "One-way queung delay measurement and ts applcaton on detectng DDoS attack," Journal of Network and Computer Applcatons, vol. 32, 2009, pp [19] X. Xpeng and L. M. N, "Internet QoS: a bg pcture," Network, IEEE, vol. 13, 1999, pp [20] Csco, "Qualty of Servce Networkng," Internetworkng Technology Handbook, [21] Y. Gu, X. Hong, M. Mazzucco, and R. Grossman, "Rate Based Congeston Control over Hgh Bandwdth/Delay Lnks," IEEE/ACM Transacton on Networkng. [22] W. Hsen-Mng, W. Chn-Ch, and L. Woe, "On the Server Farness of Congeston Control n the ISP Edge Router," n Local Computer Networks, th Annversary. The IEEE Conference on, 2005, pp [23] M. Matthew, S. Jeffrey, M. Jamshd, and O. Teuns, "The macroscopc behavor of the TCP congeston avodance algorthm." c. c. Revew, Ed.: ACM, vol. 27, 1997, pp [24] " " The Network Smulator (ns-2) home page. Authers' Bography Abdulghan Al Ahmed receved the B.Sc (Hons) degree n Computer Scence from Sudan Unversty for Scence and Technology n He receved hs M. Sc. n Computer Scence (Network Securty) from al- Neelan Unversty n Snce 2005, he s a member n the research and development center at communcaton and technology cty, Sana'a, Yemen. From , he worked as part tme lecturer at Sana'a Unversty, Saba unversty and Yemena unversty, Sana'a, Yemen. He s currently PhD student n Unverst Sans Malaysa, Penang, Malaysa. Hs research nterests nclude computer and network securty, MPLS technology, QoS and embedded real-tme systems. Computer Scence (Artfcal Intellgence) and B.CompSc (Hons) n Computer Scence (major program) from the same unversty n 1996 and 1993, respectvely". He s currently nvolved n several network and securty system research projects such as developng Neuro-Fuzzy Intruson Detecton System engne, whch s to ncorporate neural network archtecture and fuzzy logc nference nto a hybrd engne; as well as other types of engnes such as honey bee adopted concept n protectng network ntruson. Other projects under hs supervson nclude malwares research such as appled AI concept for ant-vrus engne and Rootkt detecton and protecton, Network Forensc, RFID, and moble and wreless securty n general. In addton to the network and securty research, he also performs research and publcaton n several software engneerng areas,.e., Software Dynamc and Safe Updatng, Software Modelng and Archtecture such as CBSD, Secure Software/Programmng, and Software Testng and Qualty Assurance". Ghassan A. Al receved the B.Sc.(Hons.) degree n computer scence from Ajman Unversty, UAE, n Hs M.Sc. degree n computer scence from the Unverst Sans Malaysa n From , he worked at Al-Andaluse Unversty as an nstructor of computer scence as well as part tme lecturer at Sana'a Unversty. Later, he worked as a research offcer wth hs supervsor at Unverst Sans Malaysa. Currently, he s a PhD student wth Unverst Sans Malaysa. Hs research nterests nclude computer and network securty, E-commerce/web ntellgence and nformaton technology. "Aman Jantan s currently servng as a senor lecturer n the School of Computer Scences, Unverst Sans Malaysa. He receved hs PhD n Software Engneerng from Unverst Sans Malaysa n He receved M. Sc. n 130