AN EFFECTIVE DEFENSE CUM PREVENTION OF DDoS ATTACKS IN ACTIVE NETWORKS USING ATTRIBUTE TREES


P. Jayashree 1, Dr. K. S. Easwarakumar 2
1 Department of Information Technology, Anna University, MIT, Chennai, India
2 Department of Computer Science and Engineering, Anna University, CEG, Chennai, India
pjshree@annauniv.edu

ABSTRACT

With the development and deployment of ever more internet services, driven by emerging technologies and the growing demands of web users, keeping these services available has become equally demanding. The web has also become a necessary evil because of the cyber attacks springing up in abundance every day. One of the most threatening is the denial of service attack, originating from a single source or from multiple sources, which starves legitimate users of the services they request. Many solutions have been proposed in the literature to defend against such attacks, each with its own strengths and weaknesses. In this paper an optimal data mining based defense cum protection mechanism, which identifies and uses the candidate packet attributes that demark attack packets from legitimate traffic more accurately, is devised as a complement to existing solutions and tested for its detection efficiency using ANTS, an active network test bed.

Keywords: network security, denial of service attack, data mining, active network.

1 INTRODUCTION

With the advent of internet technology, the number and variety of services on the web are increasing tremendously. Free and open accessibility of these resources also gives room for security attacks, imposing the need to adopt security measures for the network. One of the serious security threats from the user's point of view is the denial of service (DoS) attack.
The damaging effect of such attacks is further intensified by a set of attack sources distributed over a network domain, leading to distributed denial of service (DDoS) attacks. These attacks are launched from a set of compromised hosts to consume computational and communication resources rapidly [1]. Addressing the denial of service problem is important as network attacks have been increasing in recent times [2]. Many solutions have been proposed in the literature for defending against such attacks, each with its own strengths and weaknesses. As DDoS attacks primarily aim at flooding the network, depleting bandwidth and other resources rapidly, these same characteristics are used in devising the detection solution. In this paper a data mining based defense cum prevention mechanism is proposed, based on analysing the features of network data packets using efficient data structures and employing both current and historical traffic details to classify legitimate and attack traffic. The solution is addressed to active networks, a framework in which the network elements are programmable. This differs from a traditional network in that all the network components are active in nature [3],[4]. Like end hosts, the routers are capable of performing any customised computation on the packets flowing through them, as specified by the user or application. Two approaches commonly exist to bring activity to network nodes, namely the discrete approach and the integrated approach. The discrete or programmable node approach allows programs to be injected into the active programmable nodes out of band, i.e. separately from the data packets; the data packets carry information telling the active nodes how to handle them. In the integrated or encapsulation approach the code to be executed is integrated into every packet of data, called a capsule.
When the data arrives at an active node, the node interprets the code and processes the data accordingly. Each active node has a built-in mechanism to load the code, an execution environment to execute it, and a relatively permanent storage from which capsules retrieve, or in which they store, information. Though active networking increases the flexibility and ease of deploying network applications, it also poses severe security threats: untrusted code executed on the network components may be malicious in nature and damage the routers. Hence dealing with security is an important issue for this type of network.

Ubiquitous Computing and Communication Journal

1.1 Contributions

The proposed mechanism claims the following contributions as part of an effective solution to DDoS attacks. A defense cum prevention solution is deployed at the source end perimeter routers, and hence the network resources are saved from flooding attacks. An effective mechanism is devised to select the packet attributes that act as candidates for classifying attack packets from legitimate traffic. The attributes are assigned varying weights, evaluated from their degree of contribution to detecting attacks. The efficiency of attack detection for further prevention depends on the use of efficient and optimal data structures and on information exchange between perimeter routers.

1.2 Paper Organization

The remainder of the paper is organised as follows. Section 2 provides the preliminaries on denial of service attacks and the related work in the literature. The proposed mechanism is discussed in Section 3, and the design and implementation details are provided in Sections 4 and 5. Results of the simulation and analysis are reported in Section 6 and conclusions are drawn in Section 7.

2 PRELIMINARIES

Denial of service has been the top source of financial loss due to cyber crime. The DoS attack on a DNS server last year lasted only an hour. Because DNS information is heavily cached, an outage of that length is absorbed; had the attack lasted longer, the Internet could have experienced severe disruption. DDoS affects not only the target of the attack but the legitimate users of the target's services too. Observations and experience from tracking denial of service attacks over time serve as a base for the better understanding needed to build novel solutions. In this section a framework for classifying defense strategies for denial of service attacks is presented. Though many solutions are coming up, a sample of the most popular ones, employing a variety of defense methods, is overviewed here.
2.1 Related Works

Identifying IP address spoofing is an important task in any attack detection, and ingress filters, egress filters and hop count filtering methods have been proposed in the literature [5],[6],[7]. Various methods employ some form of packet marking to identify or trace back the attacks; the pushback mechanism [8], traceback methods [9],[10],[11] and path identification (Pi) [12] are a few of them. Some solutions employ rate limiters to control and regulate the traffic flow for attack mitigation, as in [13],[14]. In [15], congestion control techniques such as RED, CHOKe and pushback are used for mitigating attacks. Most solutions adopt some analytical model or algebraic approach, as discussed in [16],[17],[18],[19]. The D-WARD defense system [20] is deployed at the source end and autonomously detects attacks at their origin. Secure Overlay Services (SOS) [21] hides the victim's location to safeguard against attacks. DefCOM (Defensive Cooperative Overlay Mesh) [23] proposes a distributed, cooperative network of routers that respond effectively to DDoS attacks while making some guarantees of continued service for legitimate clients. COSSACK [22] similarly forms a multicast group of defense nodes, deployed at source and victim networks, that cooperate in filtering the attack, and [24] defines a defense solution for active networks.

2.2 Data Mining Solutions

Data mining is a powerful technology that enables retrieving relevant data from the huge volumes held in data warehouses. Many data mining tools exist that can predict future trends and behaviours, facilitating proactive, knowledge driven decisions in many domains. The automated analysis offered by data mining, together with past event analysis, provides a retrospective basis for decision support systems. Extracting relevant information from a huge database in comparable time is a promising alternative to earlier expert systems.
The main objective of mining the data in data stores is to identify and extract hidden or indirectly documented information which might otherwise go unnoticed and which is needed to generate good predictive information in expert systems and other decision making systems. The data mining techniques commonly adopted are neural networks, decision trees, the nearest neighbour method, support vector machines and association rule induction [25]. Below is a collection of recent work in attack detection using data mining techniques. Many data mining based approaches are discussed in the literature, addressing the solution with statistical and classification approaches and with other signal processing and pattern recognition techniques. [25],[26] discuss an IDS model using historical data analysis. A neural network based model is proposed in [27] and a genetic algorithm is used to model the detection system in [28]. Different data mining techniques are discussed and analysed in [29], and [30] presents the various intrusion detection approaches summarised above. A few commercial and many experimental products such as EMERALD, ISOA (Information Security Office Assistant), DIDS (Distributed IDS),

Kane Secure and SNORT are also available. Each of these proposals has its own merit and provides techniques that help address the DoS problem from a different angle. No method has offered a complete solution to the attack so far, but a more complete solution is vital for comprehensive network security. In this paper another data mining based defense strategy, with its own strengths, is proposed to complement the existing techniques.

3 PROPOSED STRATEGY

3.1 An Overview

The proposed detection cum prevention method for DDoS attacks is based on statistical mining of the characteristics and behaviour of the analysed traffic data, to extract and order the packet features that decide the success of the detection system. The system is designed for the active network domain, and hence the deployment of the defense solution supports a preventive mechanism against further attacks. Active networks allow all the network elements, and hence the routers, to be programmable, which makes deployment in the routers easy. Though DDoS attacks aim at pinning down the hosts providing services to users on the network, the attack traffic also depletes the network's resources at a faster rate, making the entire network stumble in its normal request and response activity. Hence it is wise to deploy the defense solution at the source end, so that once detected the attack traffic is prevented from entering the network and the attack packets are dropped at the network perimeter itself. Identifying the source end routers before the attack becomes severe is a basic requirement, and the first hop routers in the network are identified through a simple packet marking scheme discussed in our previous work [31]. One of the common characteristics of DDoS attacks is the use of IP spoofing, and an ingress filter [5] is employed as the first level of the solution to take care of IP spoofing.
The packet attributes are collected and mined as an array of attribute trees to extract the information required for traffic classification. The proposed scheme defines the methodology adopted by the system in an attempt to develop an effective detection strategy.

3.2 Data Mining Approach

The data mining tasks commonly used for any data retrieval operation are summarising the data to pick up relevant and hidden data items, applying association rules to convert the data into a categorical set, and applying some method of classification to categorise the data for future prediction. This approach naturally paves the way for its suitability in network intrusion detection applications. Data mining, with its power to predict likely future events from the knowledge of an existing data collection, is found to be a competitive alternative to many of the attack detection methods proposed. The attack traffic, modelled as an array of trees each of which stores and updates the data for a promising attribute of the packets, is mined dynamically for efficient attack detection. The approach is similar to the random forest classifier [32],[33]. The application of random forests, a collection of unpruned classification or regression trees, to detect intrusions is proposed in [34], where the detection mechanism using random forest classification is deployed at the home router of the victim to mine a static data set; there, random forests of yes/no decision trees were used to classify data sets corresponding to misuse detection effectively. In the proposed defense strategy the trees are instead binary search trees populated with attribute values, to aid in the effective detection of attack traffic.

3.3 Defense Framework

The defense system is a two phase system with a training phase and a detection phase.
The boundary between the two phases is not strictly demarcated, though the detection phase follows the training phase, as the attribute trees have the characteristic features they use for detection redefined periodically over their lifetime. This section provides an overview of the system architecture and a conceptual outline of the defense strategy adopted for attack detection; the details are discussed in the next section. Denial of service attack traffic is modelled as a set of binary trees, each tree corresponding to one attribute of the attack traffic packets. Denial of service attacks are primarily characterised by flooding traffic from a single source or a set of sources towards a particular destination host. The attack may be a constant rate or a varying rate flow of packets, and the solution should handle both effectively. Based on the characteristics of the attack and on what is learnt from the previous work in the literature, the following attributes of the traffic are expected to be the most suitable for traffic classification to detect DoS and DDoS attacks: destination address and port, source address, frequency of packets per flow, frequency variations in the traffic flow, length of the packets per flow, and type of protocol used in per flow traffic. These six attributes represent both packet and traffic characteristics that can be used to discriminate DoS attacks when evaluated over different periods of time. The training phase is a preprocessing phase for the attack detection. The attributes extracted from the packets of a training set of attack samples are represented using a set of trees populated with the data. The trees carry a weight factor that defines the priority of the

attribute's contribution in detecting the attack. During the detection phase the packets from the actual network traffic are evaluated and assigned a score based on the degree to which they exhibit the attack characteristics. This information is fed back to the set of attribute trees used for classifying the traffic; this positive feedback fine-tunes the classifier so that it classifies the traffic more correctly. Packets that score above a predefined threshold are stamped as attack packets and dropped at the router, and are thereby prevented from entering the network. The detection mechanism outlined here is depicted in Fig. 1.

Figure 1. System architecture. Training phase: attack traffic packets, Packet Elicitor, attributes, Attribute Tree Populator, attribute trees, Tree Attributer. Detection phase: real traffic packets, Traffic Classifier (using the attribute trees), attack packets / normal packets.

4 SYSTEM DESIGN DETAILS

4.1 Attribute Tree Construction

After identifying the necessary attributes of the packet, called the deciding set (S_A), which distinguish legitimate packets from attack packets most clearly, the packet elicitor extracts the deciding set of attributes from the incoming packets; the conformity of each attribute towards the legitimacy decision is not the same. The deciding set is selected such that when some attributes fail to classify a packet correctly, the others in the set can. Hence the attributes are not treated as independent quantities; they are interrelated, each cooperating with the rest in deciding the legitimacy of the packets. Each element A_i of the deciding set S_A is represented by a binary search tree T_i. The tree T_i is a collection of nodes N_1, N_2, ... corresponding to the various values taken by the attribute. Each node N_j has two fields, the attribute value V_j and the frequency F_j.
The tree is constructed dynamically by repeated insertion of nodes as packets carrying each attribute value arrive. The set of trees for the deciding set of attributes used for attack detection is represented as in Eq. (1).

$$S_A \;\mapsto\; \{\,T_i \mid A_i \in S_A\,\},\qquad T_i = \{\,N_j \mid N_j = \langle V_j, F_j \rangle\,\},\qquad i, j \text{ integers} \qquad (1)$$

During the training phase the trees are initially populated with DoS attack packets of varying classes, and during the detection phase the trees are dynamically updated with the attributes of incoming real packets that are analysed to be attack packets. The range and type of values taken by the various attributes in S_A is not within a defined boundary, so to search the trees effectively the actual values are converted to equivalent integer hash values: the field V_j of the j-th node of an attribute tree holds the hash equivalent of the actual attribute value. Pearson hashing [35] is simple and fast, though its single-byte output means a tree can hold at most 256 distinct node values, so distinct attribute values beyond that necessarily collide. Given an input (C) consisting of any number of bytes, it produces as output a single byte (h) that depends strongly on every byte of the input. Its implementation requires only a few

instructions and a 256-byte lookup table (T) containing a permutation of the values 0 through 255, as defined below.

    h[0] = 0
    for i in 1..n
        index = h[i-1] xor C[i]
        h[i] = T[index]
    end loop
    return h[n]

The field F_j of node N_j gives the number of packets whose attribute hashes to V_j, i.e. the frequency of occurrence of V_j, since two packets with the same attribute value map to a single hash value. The tree is updated only when a packet that has been detected as an attack is used to update it; in all other situations a mere lookup is carried out to check for the presence of a particular node. Whenever a new attribute value has to be inserted in the tree, its frequency F is set to 1. For each successive insertion of the same node value, its frequency F is incremented. This happens whenever the packet analysed by the traffic classifier is categorised as an attack and the hashed value of the feature equals the value of that node.

4.2 Prioritizing the Attributes

The various attributes selected for detecting DoS attacks need not contribute equally to the detection process. Each attribute may have characteristics that identify legitimacy or attack relatively better for certain classes of attack than for others. Such features can then be used to classify the packets more easily, and so these attributes need to be given more credence than the others. Hence the trees representing the packet attributes carry a weight factor symbolising the priority of the attribute's role in the attack detection process. The weight W_i associated with attribute A_i, or tree T_i, takes a value in the closed interval [0, 1], the ratio to which it classifies a packet correctly. All the trees are assigned a weight value of 1 at the start of the training period.
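The attribute tree construction of section 4.1, as an added example in Python (this is not the authors' ANTS implementation): a one-byte Pearson hash over a fixed permutation table, and one binary search tree per attribute whose nodes hold the hashed value V_j and frequency F_j, updated only from packets already classified as attack and counting tree misses as new nodes are added. The permutation table, the attribute encoding (the decimal or string form of each value) and the training packets are constructed here for the example. As noted above, the single-byte hash bounds each tree at 256 distinct nodes, so two attribute values that collide are counted under one node.

```python
"""Attribute trees keyed on a one-byte Pearson hash (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def make_table(seed: int = 7) -> List[int]:
    """Build the 256-entry permutation table T with a Fisher-Yates shuffle driven by a
    small LCG, so the example needs no external randomness (assumption: the page fixes
    no particular permutation, any one serves)."""
    table = list(range(256))
    x = seed
    for i in range(255, 0, -1):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        j = x % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


TABLE = make_table()


def pearson_hash(data: bytes, table: List[int] = TABLE) -> int:
    """Pearson hashing as on the page: h = T[h xor C[i]] over every input byte; 0..255 out."""
    h = 0
    for c in data:
        h = table[h ^ c]
    return h


def hash_attr(value) -> int:
    """V_j for an attribute value; the value is encoded as its str() form (assumption)."""
    return pearson_hash(str(value).encode())


@dataclass
class Node:
    value: int                     # V_j: hashed attribute value
    freq: int = 1                  # F_j: attack packets seen with this value
    left: Optional["Node"] = None
    right: Optional["Node"] = None


class AttributeTree:
    """T_i for attribute A_i: an unbalanced BST of (V_j, F_j) nodes built by repeated insertion."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.root: Optional[Node] = None
        self.misses = 0            # M_i: nodes added (tree misses) in the current window

    def lookup(self, h: int) -> Optional[Node]:
        """Plain search, used for every packet; never modifies the tree."""
        n = self.root
        while n is not None and n.value != h:
            n = n.left if h < n.value else n.right
        return n

    def insert(self, h: int) -> None:
        """Only for packets classified as attack: bump F_j, or add a node with F_j = 1."""
        if self.root is None:
            self.root = Node(h)
            self.misses += 1
            return
        n = self.root
        while True:
            if h == n.value:
                n.freq += 1
                return
            side = "left" if h < n.value else "right"
            child = getattr(n, side)
            if child is None:
                setattr(n, side, Node(h))
                self.misses += 1
                return
            n = child

    def size(self) -> int:
        """S_i: packets used to build the tree, i.e. the sum of all node frequencies."""
        total, stack = 0, ([self.root] if self.root else [])
        while stack:
            n = stack.pop()
            total += n.freq
            stack.extend(c for c in (n.left, n.right) if c)
        return total


def build_trees(attack_packets: List[Dict[str, object]], attrs: List[str]) -> Dict[str, AttributeTree]:
    """Training phase: populate one tree per attribute from labelled attack packets."""
    trees = {a: AttributeTree(a) for a in attrs}
    for pkt in attack_packets:
        for a in attrs:
            trees[a].insert(hash_attr(pkt[a]))
    return trees


# Constructed training sample: a small SYN flood from two sources toward one service.
ATTRS = ["dst", "src", "proto", "length"]
TRAINING = [
    {"dst": "10.0.0.5:80", "src": "192.0.2.10", "proto": 6, "length": 40},
    {"dst": "10.0.0.5:80", "src": "192.0.2.10", "proto": 6, "length": 40},
    {"dst": "10.0.0.5:80", "src": "192.0.2.11", "proto": 6, "length": 40},
]

if __name__ == "__main__":
    trees = build_trees(TRAINING, ATTRS)
    for a in ATTRS:
        print(a, "size", trees[a].size(), "misses", trees[a].misses)
```

Because the tree is keyed on the hash rather than the raw value, a lookup during detection costs one hash plus a BST walk; the `misses` counter is what section 4.2 feeds into the weight update at the end of each window.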
After a period of time allowing the trees to stabilise on the training data set, the trees are given new weight values as computed by the algorithm. The weight values are updated periodically during the detection phase, at a rate depending on the traffic flow. The weights are modified based on the number of tree misses: whenever the value extracted from the current packet for an attribute, once hashed, is not already present as a node in the tree, it is counted as a tree miss. After a period Δt, the number of tree misses M_i is calculated for each tree, indicating the number of new nodes added during that period. Based on the number of new nodes inserted in a tree and the total number of new nodes added across the set of trees (M_total), the weight of each tree is updated as in Eq. (2), so that its weighting is proportional to its relevance in detecting attacks.

$$W_i^{\,t+\Delta t} = W_i^{\,t} - \left( W_i^{\,t} \cdot \frac{M_i}{M_{total}} \right) \qquad (2)$$

where W_i^(t+Δt) is the weight assigned to tree T_i at time t+Δt and W_i^t is the corresponding value at time t. Note that a tree accounting for every miss in a window (M_i = M_total) has its weight driven to zero by this rule. The functionality of the tree attributer, which weights the trees dynamically, is defined in the following pseudocode.

    set weight of all trees as 1
    set miss-count of all trees as 0
    repeat
        do until time t = t + Δt
            repeat for each incoming packet
                read packet's attributes
                repeat for each attribute
                    extract the attribute value val
                    let hash(val) be h
                    search tree for h
                    if a node n found with value v = h then
                        increment its frequency f
                    else
                        insert a new node with v = h, set f = 1,
                        and increment tree miss-count
                end repeat
            end repeat
        end do
        record the miss-count of all trees and sum them up as miss-counts
        if change in previous miss-count then
            update its weight value to weight_new
            weight_new = weight_old - (weight_old * miss-count / miss-counts)
    end repeat

4.3 Optimal Search Tree

Given n nodes, it is possible to construct $\binom{2n}{n}/(n+1)$ different valid binary search trees.
One of the objectives of the attack detector is to detect attacks as early and as fast as possible, so that attack traffic can be prevented from entering the network at all. Deciding the legitimacy of a packet involves tree searches, which therefore need to be efficient. If the attribute values of attack packets are represented by nodes near the root of the corresponding tree, then during an attack the search for those hashed values becomes easy and fast. Moreover, as the input is very random, there is a probability that the tree becomes unbalanced in height, which may lead to longer searches. Without loss of generality, it can be assumed that the searches made in a tree are proportional to the frequency values in each node.

However, when there is a severe attack, most of the packets are attack packets, in which case the tree search must be minimised as far as possible. When the traffic is normal, a search through the full height of the tree, though it takes longer, adds only a very small delay. So restructuring the tree helps in achieving search efficiency. For optimising the tree, a parameter called tree heaviness is taken as the objective function, and an optimal rearrangement is one that minimises the heaviness H. For a tree T_i with node N_j having frequency F_j and depth D_j, the heaviness H_i is defined as in Eq. (3).

$$H_i = \sum_{\text{all nodes } j} F_j \cdot D_j \qquad (3)$$

The root node is defined as level 1 and successive children lie at successive levels. The optimal tree is obtained using a dynamic programming approach, as applied to the matrix chain multiplication problem: from a given set of nodes the most appropriate root node is chosen, and the same procedure is applied at all levels recursively to arrive at the optimised tree, which is the tree satisfying all the constraints with minimal heaviness. An example attribute tree with depth 4 and its equivalent optimised tree are shown in Fig. 2.

Figure 2: Attribute tree (heaviness = 51) and its equivalent optimized tree (heaviness = 42)

5 DEFENSE STRATEGY: PACKET SCORE

The size of a tree is defined as the number of packets that have been used to construct it; numerically it equals the sum of the frequencies of all the nodes of the tree. Let this size be S_i for tree T_i. Let F_i be the frequency of the node corresponding to the attribute value of the incoming packet. The value F_i / S_i gives the contribution of that node, or attribute value, in that particular tree.
The packet score is the weighted ratio of the number of attack packets having the packet's value for each feature to the total number of packets used to construct that tree. The decision whether to pass the packet or drop it is taken on this score.

$$Score = \frac{\sum_{\text{attributes } i} W_i \cdot \left(F_i / S_i\right)}{\sum_{\text{attributes } i} W_i} \qquad (4)$$

Packets scoring a high value are detected as attacks, since they resemble the packets most frequently seen in the attack traffic captured by the attribute trees; packets scoring a low value may not be attack packets. A delimiting score value is needed to classify packets as attack or not, and it should classify the packets correctly. It is determined by sensitivity analysis, plotting the response curves of the traffic classification for various threshold values; the statistics are collected for legitimate, attack and mixed traffic. Let the attack threshold so determined be Th_a. If Score > Th_a, the packet is classified as an attack, used to update the trees, and then dropped at the router itself. This feedback of the attack characteristics refines the detection accuracy by making attack and legitimate packets score values with a distinct margin between them.
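The detection-phase computations of sections 4.2, 4.3 and 5, as an added example in Python (not the authors' code): the weight update of Eq. (2), the packet score of Eq. (4) with the attack threshold and the feedback of attack packets into the trees, and the restructuring of section 4.3 as a dynamic programme that minimises the heaviness of Eq. (3). For brevity the trees are kept here as flat maps from hashed value to frequency rather than as linked BST nodes, the hashed values and the traffic window are constructed, and the restructuring routine is the textbook optimal binary search tree recurrence (the same shape as matrix chain multiplication, which the page compares it to); the threshold 0.32 is the one the paper arrives at in section 6.2.

```python
"""Weight update, packet score and heaviness-optimal restructuring (added example)."""
from typing import Dict, List, Optional, Tuple

Tree = Dict[int, int]          # {V_j: F_j} for one attribute tree (flat map for brevity)


def update_weights(weights: Dict[str, float], misses: Dict[str, int]) -> Dict[str, float]:
    """Eq. (2): W_i(t+dt) = W_i(t) - W_i(t) * M_i / M_total, applied after each window."""
    m_total = sum(misses.values())
    if m_total == 0:                      # no new nodes anywhere: weights unchanged
        return dict(weights)
    return {a: w - w * misses[a] / m_total for a, w in weights.items()}


def packet_score(packet: Dict[str, int], trees: Dict[str, Tree],
                 weights: Dict[str, float]) -> float:
    """Eq. (4): sum_i W_i * (F_i / S_i) / sum_i W_i over the packet's hashed attributes."""
    num = den = 0.0
    for attr, value in packet.items():
        tree = trees[attr]
        size = sum(tree.values())         # S_i: packets used to build this tree
        freq = tree.get(value, 0)         # F_i: 0 on a tree miss
        num += weights[attr] * (freq / size if size else 0.0)
        den += weights[attr]
    return num / den if den else 0.0


def classify_window(packets: List[Dict[str, int]], trees: Dict[str, Tree],
                    weights: Dict[str, float],
                    threshold: float = 0.32) -> Tuple[List[bool], Dict[str, int]]:
    """Score each packet against the current trees; packets above Th_a are marked attack,
    fed back into the trees (frequency bump or new node) and new nodes count as misses."""
    verdicts, misses = [], {a: 0 for a in trees}
    for pkt in packets:
        is_attack = packet_score(pkt, trees, weights) > threshold
        verdicts.append(is_attack)
        if is_attack:
            for attr, value in pkt.items():
                if value not in trees[attr]:
                    misses[attr] += 1
                trees[attr][value] = trees[attr].get(value, 0) + 1
    return verdicts, misses


BST = Optional[Tuple[int, int, "BST", "BST"]]    # (V_j, F_j, left, right)


def optimal_tree(tree: Tree) -> Tuple[BST, int]:
    """Section 4.3: over the sorted node values, choose roots so that the heaviness
    H = sum_j F_j * D_j (root at depth 1) is minimal; O(n^3) optimal-BST recurrence."""
    keys = sorted(tree)
    freqs = [tree[k] for k in keys]
    n = len(keys)
    prefix = [0] * (n + 1)                        # prefix[j] = sum of freqs[:j]
    for i, f in enumerate(freqs):
        prefix[i + 1] = prefix[i] + f
    cost = [[0] * (n + 1) for _ in range(n + 1)]  # cost[i][j]: best H for keys[i:j]
    root = [[-1] * (n + 1) for _ in range(n + 1)]
    for length in range(1, n + 1):
        for i in range(n - length + 1):
            j = i + length
            best = None
            for r in range(i, j):                 # try each key as root of keys[i:j]
                c = cost[i][r] + cost[r + 1][j]
                if best is None or c < best:
                    best, root[i][j] = c, r
            # every key in the range sits one level deeper than inside its subtree
            cost[i][j] = best + (prefix[j] - prefix[i])

    def build(i: int, j: int) -> BST:
        if i >= j:
            return None
        r = root[i][j]
        return (keys[r], freqs[r], build(i, r), build(r + 1, j))

    return build(0, n), cost[0][n]


def heaviness(node: BST, depth: int = 1) -> int:
    """Eq. (3) evaluated directly on a built tree, as an independent check on the DP."""
    if node is None:
        return 0
    _, f, left, right = node
    return f * depth + heaviness(left, depth + 1) + heaviness(right, depth + 1)


# Constructed trees (hashed values are arbitrary small ints here) and a traffic window.
TREES = {"dst": {5: 8, 7: 2}, "src": {3: 4, 9: 6}, "proto": {6: 7, 17: 3}}
WEIGHTS = {"dst": 1.0, "src": 1.0, "proto": 1.0}
WINDOW = [
    {"dst": 5, "src": 3, "proto": 6},    # matches the trained flood profile
    {"dst": 1, "src": 2, "proto": 6},    # unseen host pair, same protocol
    {"dst": 5, "src": 11, "proto": 6},   # known victim, new zombie
]

if __name__ == "__main__":
    verdicts, misses = classify_window(WINDOW, TREES, WEIGHTS)
    print(verdicts, misses, update_weights(WEIGHTS, misses))
    built, h = optimal_tree(TREES["dst"])
    print(built, h, heaviness(built))
```

The third packet in the window illustrates the feedback: its source is a tree miss, but the victim address and protocol already dominate their trees, so it is scored as attack, inserted, and the miss is charged to the source tree, which Eq. (2) then down-weights at the end of the window.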

The defense mechanism is deployed in active routers at the perimeter of the network. Routers get their defense structures updated periodically by exchanging attack knowledge with peer routers; this router update is essential for preventing attacks at the source network. Instead of sending the whole tree structures, which is costly, the routers are designed to send the hash value of a node whenever the frequency of that node reaches a defined threshold. The router information exchange is part of the prevention mechanism of the system.

6 RESULTS AND ANALYSIS OF SIMULATED STUDY

6.1 Simulation Environment

The proposed system is deployed in active networks where the routers are programmable. ANTS is a Java based toolkit for constructing an active network, and the solution is deployed and tested in ANTS. As ANTS has a limitation on the size of topology that can be defined, a distributed version was developed, as described in our earlier work [36], to support a larger network topology for simulation. The test topology with zombies to launch DDoS attacks, shown in Fig. 3, is used for testing the proposed defense system, which is deployed in all the intelligent routers at the network perimeter.

Figure 3: Test topology in active network

The DARPA dataset is the standard dataset in the field of intrusion detection [37],[38]. The KDD 99 intrusion detection datasets, which are based on the DARPA 98 dataset, provide labelled data for feature identification and are the most widely used labelled dataset publicly available. 10% of the data set corresponds to DoS attacks. In the training data set, containing 24 attack types classified into 4 broad classes, only the DoS class of records was taken as the data set for evaluation. The relevance of each of the 41 features in the KDD 99 datasets is identified for the six attributes considered for traffic classification by the proposed system, namely destination address and port, source address, frequency of packets per flow, frequency variations in traffic flow, length of the packets per flow, and type of protocol used in per flow traffic. Six attribute trees are used, and packets over a time window of just over two minutes are used to analyse the output parameters.

6.2 Performance Analysis

The threshold value for the packet score that discriminates the attack traffic is evaluated as depicted in Fig. 4 and Fig. 5. The system is tested with attack traffic and legitimate traffic separately to define the limit. As the threshold value approaches 0.32, the number of attack packets dropped at the router increases. Similarly, the maximum legitimate traffic passes through the routers for a threshold value of nearly 0.3. Hence the attack threshold Th_a is set to 0.32 for testing.

Figure 4: Flow through router for attack traffic

Figure 5: Flow through router for legitimate traffic

Based on various simulation runs performed using generic, nominal and SYN flood attacks, the false alarm rate is evaluated. The average false positive percentage is 2.65 for nominal traffic and 0 for the others, while the average false negative percentages are 2.5, 2.08 and 3.55 for generic, nominal and SYN flood attacks respectively. Since the solution deployed at the routers employs feedback loops that combine learning with detection to fine tune the detection process, it is expected that the false negative rate exceeds the false positive rate, as some attack packets get through the routers undetected at the initial time instances of the testing window.

7 CONCLUSION

DDoS attacks threatening internetwork services need to be detected effectively and as early as possible. In this paper an effective detection method using packet features mined with a set of trees has been proposed. As the static nature of the trees prevents them from gaining knowledge as the traffic pattern changes on the fly, for new attack patterns a dynamic update algorithm has been employed, restructuring them into an array of optimal attribute trees. The attribute trees have been designed to keep track of the distinct properties of attack packets as learned from the attack traffic profile, to improve detection accuracy; multiple trees thus help in determining the legitimacy of the packets. The trees are weighted to reflect the efficiency with which each classifies a packet as attack or legitimate. To prevent the random growth of the trees, an optimisation mechanism has been applied for efficient searching of the tree, improving both the detection time and the detection efficiency. As the detection mechanism is deployed at the source network, it also acts as a prevention system, though not a complete one.

8 REFERENCES

[1] L. Garber: Denial of service attacks rip the Internet, IEEE Computer, vol. 33, no. 4, pp. (2000).
[2] D. Pappalardo and E. Messmer: Extortion via DDoS on the rise, Network World (2005). ddos-extortion.html
[3] D. L. Tennenhouse and D. J. Wetherall: Towards an active network architecture, Computer Communication Review, vol. 26, no. 2 (1996).
[4] K. L. Calvert et al.: Directions in Active Networks, IEEE Communications (2001).
[5] P. Ferguson and D. Senie: Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing, RFC 2827 (2000).
[6] S. Templeton: Detecting Spoofed Packets, Seminars, UC Davis Computer Security Laboratory (2002).
[7] Cheng Jin, Kang G. Shin, and Haining Wang: Defense Against Spoofed IP Traffic Using Hop-Count Filtering, IEEE/ACM Transactions on Networking (2007).
[8] J. Ioannidis and S. M. Bellovin: Implementing Pushback: Router-Based Defense Against DDoS Attacks, Proceedings of the Network and Distributed System Security Symposium (2002).
[9] M. Adler: Trade-offs in probabilistic packet marking for IP traceback, Journal of the ACM, vol. 52, no. 2, pp. (2005).
[10] A. Yaar, A. Perrig, and D. Song: FIT: Fast Internet traceback, IEEE INFOCOM, pp. (2005).
[11] A. Belenky and N. Ansari: IP Traceback with Deterministic Packet Marking, IEEE Communications Letters, vol. 7, no. 4, pp. (2003).
[12] A. Yaar, A. Perrig, and D. Song: Pi: A path identification mechanism to defend against DDoS attacks, IEEE Symposium on Security and Privacy, pp. (2003).
[13] A. Yaar, A. Perrig, and D. Song: SIFF: A Stateless Internet Flow Filter to mitigate DDoS flooding attacks, IEEE Symposium on Security and Privacy (2004).
[14] Xiaowei Yang, David Wetherall and Thomas Anderson: A DoS-limiting Network Architecture, SIGCOMM '05, pp. 22-26 (2005).
[15] Takanori Komatsu and Akira Namatame: On the Effectiveness of Rate-Limiting Methods to Mitigate Distributed DoS (DDoS) Attacks, IEICE Transactions on Communications, E90-B(10), pp. (2007).
[16] C.-K. Fung and M. C. Lee: A Denial-of-Service Resistant Public-key Authentication and Key Establishment Protocol, Proceedings of IEEE International Performance, Computing and Communications (2002).
[17] Shuyuan Jin, Daniel S. Yeung: A Covariance Analysis Model for DDoS Attack Detection, IEEE Communications (2004).
[18] George Oikonomou, Peter Reiher, Max Robinson, and Jelena Mirkovic: A Framework for Collaborative DDoS Defense, Proceedings of the Annual Computer Security Applications Conference (2006).
[19] Matthew Beaumont-Gay: A Comparison of SYN Flood Detection Algorithms, Proceedings of the Second International Conference on Internet Measurement and Protection (2007).
[20] Jelena Mirkovic, Peter Reiher: D-WARD: A Source End Defense against Flooding Denial of Service Attacks, IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 3, pp. (2005).
[21] A. D. Keromytis, V. Misra, D. Rubenstein: SOS: an architecture for mitigating DDoS attacks, IEEE Journal on Selected Areas in Communications, vol. 22, no. 1, pp. (2004).
[22] C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, R. Govindan: COSSACK: coordinated suppression of simultaneous attacks, DARPA Information Survivability Conference and Exposition Proceedings, vol. 1, pp. 2-13 (2003).
[23] M. Robinson, J. Mirkovic, S. Michel, M. Schnaider, P. Reiher: DefCOM: defensive cooperative overlay mesh, DARPA Information Survivability Conference and Exposition Proceedings, vol. 2, pp. (2003).
[24] G. Kim, T. Bogovic, and D. Chee: Active Edge-Tagging (ACT): An Intruder Identification & Isolation Scheme in Active Networks, Proceedings of the 6th IEEE Symposium on Computers and Communications (2001).
[25] D. E. Denning: An intrusion detection model, IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. (1987).
[26] W. Lee, S. J. Stolfo, and K. Mok: A data mining framework for building intrusion detection models, IEEE Symposium on Security and Privacy, pp. (1999).
[27] R. Lippmann and R. K. Cunningham: Improving intrusion detection performance using keyword selection and neural networks, Computer Networks, vol. 34, pp. (2000).
[28] D. E. Goldberg: Genetic Algorithms in Search, Optimization and Machine Learning, Addison-Wesley (1989).
[29] D. Zhu, G. Premkumar, X. Zhang, and C.-H. Chu: Data mining for intrusion detection: A comparison of alternative methods, Decision Sciences, vol. 32, no. 4, pp. (2001).
[30] T. Verwoerd and R. Hunt: Intrusion detection techniques and approaches, Computer Communications, vol. 25, no. 15, pp. (2002).
[31] P. Jayashree, K. S. Easwarakumar: An alternative approach to DDoS attack defense in active networks, Proc. of International Conference on Information Security, pp. (2005).
[31] Kumar: Classification and Detection of Computer Intrusions, Doctoral Dissertation, Purdue University (1995).
[32] L. Breiman: Random Forests, Machine Learning, 45(1): 5-32 (2001).
[33] Frederick Livingston: Implementation of Breiman's Random Forest Machine Learning Algorithm, ECE591Q Machine Learning Journal Paper (2005).
[34] Jiong Zhang and Mohammad Zulkernine: Network Intrusion Detection using Random Forests, Queen's University (2006).
[35] Peter K. Pearson: Fast Hashing of Variable-Length Text Strings, Communications of the ACM 33(6), 677 (1990).
[36] P. Jayashree, K. S. Easwarakumar, Ramya P., Chandrasekar M., and Vijay M.: Design of a Distributed Active Network Toolkit, Proc. of International Conference on Contemporary Computing (2008).
[37] R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das: The 1999 DARPA offline intrusion detection evaluation, Computer Networks, vol. 34, pp. (2000).
[38] S. D. Moitra and S. L. Konda: An empirical investigation of network attacks on computer systems, Computers and Security, vol. 23, no. 1, pp. (2004).

10 . Ubiquitous Computing and Communication Journal 5
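The scheme summarised in the conclusion (an array of attribute trees, each tracking how one packet attribute separates attack from legitimate traffic, weighted by classification accuracy, updated as labelled traffic arrives and pruned to keep the array small) as an added Python illustration; this is not the paper's code. The per-value count table standing in for each tree, the Laplace-smoothed vote, the weight and pruning rules, the attribute names and all packet records are assumptions constructed for the example.

```python
"""Weighted array of attribute trees for source-side DDoS packet classification.

Added illustration (not the paper's code).  Each AttributeTree learns, for one
packet attribute, how its values split between attack and legitimate traffic;
an array of such trees votes on each packet, weights each tree by the accuracy
it has shown so far, keeps learning from labelled traffic, and prunes weak
trees so the array stays small.  Attribute names, update rules and all packet
records below are constructed assumptions.
"""
from collections import Counter

# Candidate packet attributes assumed for this example.
ATTRIBUTES = ("ttl", "length", "proto", "syn_only")


class AttributeTree:
    """Tracks, for one attribute, how often each value appeared in attack vs legitimate packets."""

    def __init__(self, attribute):
        self.attribute = attribute
        self.counts = {"attack": Counter(), "legit": Counter()}
        self.seen = 0      # packets this tree has been tested on
        self.correct = 0   # of those, how many it classified correctly
        self.weight = 1.0  # confidence given to this tree's vote

    def vote(self, packet):
        """Estimate P(attack | attribute value), Laplace-smoothed so an unseen value scores 0.5."""
        value = packet[self.attribute]
        attack = self.counts["attack"][value]
        legit = self.counts["legit"][value]
        return (attack + 1) / (attack + legit + 2)

    def update(self, packet, label):
        """Dynamic update: score the tree's prediction, learn the packet, refresh the weight."""
        predicted = "attack" if self.vote(packet) > 0.5 else "legit"
        self.seen += 1
        if predicted == label:
            self.correct += 1
        self.counts[label][packet[self.attribute]] += 1
        self.weight = self.correct / self.seen


class AttributeTreeArray:
    """Weighted vote over an array of attribute trees."""

    def __init__(self, attributes=ATTRIBUTES, threshold=0.5):
        self.trees = [AttributeTree(name) for name in attributes]
        self.threshold = threshold

    def train(self, labelled_packets):
        for packet, label in labelled_packets:
            for tree in self.trees:
                tree.update(packet, label)

    def score(self, packet):
        """Weighted mean of the per-tree attack probabilities."""
        total = sum(tree.weight for tree in self.trees)
        if total == 0:
            return 0.5
        return sum(tree.weight * tree.vote(packet) for tree in self.trees) / total

    def classify(self, packet):
        return "attack" if self.score(packet) > self.threshold else "legit"

    def prune(self, min_weight):
        """Optimisation step (assumed criterion): drop trees whose accuracy fell below min_weight."""
        self.trees = [tree for tree in self.trees if tree.weight >= min_weight]
        return [tree.attribute for tree in self.trees]


# Constructed attack-traffic profile (small TCP SYN-only packets with a uniform TTL)
# and legitimate profile; these are not captured data.
ATTACK_PROFILE = [
    {"ttl": 255, "length": 40, "proto": "tcp", "syn_only": True},
    {"ttl": 255, "length": 40, "proto": "tcp", "syn_only": True},
    {"ttl": 255, "length": 40, "proto": "tcp", "syn_only": True},
    {"ttl": 254, "length": 40, "proto": "tcp", "syn_only": True},
]
LEGIT_PROFILE = [
    {"ttl": 64, "length": 1500, "proto": "tcp", "syn_only": False},
    {"ttl": 64, "length": 60, "proto": "tcp", "syn_only": False},
    {"ttl": 128, "length": 512, "proto": "udp", "syn_only": False},
    {"ttl": 64, "length": 1500, "proto": "tcp", "syn_only": False},
]


def build_model():
    """Train the array on the interleaved labelled profiles."""
    labelled = []
    for attack, legit in zip(ATTACK_PROFILE, LEGIT_PROFILE):
        labelled.append((attack, "attack"))
        labelled.append((legit, "legit"))
    model = AttributeTreeArray()
    model.train(labelled)
    return model


if __name__ == "__main__":
    model = build_model()
    for tree in model.trees:
        print(f"{tree.attribute:9s} weight={tree.weight:.3f}")
    print(model.classify({"ttl": 255, "length": 40, "proto": "tcp", "syn_only": True}))
    print(model.classify({"ttl": 64, "length": 1500, "proto": "tcp", "syn_only": False}))
    print("kept after pruning:", model.prune(0.6))
```

The proto tree ends with a low weight because "tcp" appears in both profiles, so the weighted vote and the pruning step are what keep a poorly separating attribute from diluting the decision.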


More information

Tracing the Origins of Distributed Denial of Service Attacks

Tracing the Origins of Distributed Denial of Service Attacks Tracing the Origins of Distributed Denial of Service Attacks A.Peart Senior Lecturer amanda.peart@port.ac.uk University of Portsmouth, UK R.Raynsford. Student robert.raynsford@myport.ac.uk University of

More information

A Practical Method to Counteract Denial of Service Attacks

A Practical Method to Counteract Denial of Service Attacks A Practical Method to Counteract Denial of Service Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked System Security Research Division of Information and Communication Sciences

More information

Cooperative Defense against DDoS Attacks

Cooperative Defense against DDoS Attacks Cooperative Defense against DDoS Attacks Guangsen Zhang, Manish Parashar The Applied Software Systems Laboratory Department of Electrical and Computer Engineering Rutgers University {gszhang,parashar}@caip.rutgers.edu

More information

An Effectual Identification and Prevention OF DDOS Attacks in Web Using Divide-And-Conquer Algorithm

An Effectual Identification and Prevention OF DDOS Attacks in Web Using Divide-And-Conquer Algorithm International Journal of Computer Networks and Communications Security VOL.1, NO.6, NOVEMBER 2013, 272 277 Available online at: www.ijcncs.org ISSN 2308-9830 C N C S An Effectual Identification and Prevention

More information

2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION 2006-1607: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION Yu Cai, Michigan Technological University Dr. Yu Cai is an assistant professor at School of Technology in Michigan Technological

More information

Large-Scale IP Traceback in High-Speed Internet

Large-Scale IP Traceback in High-Speed Internet 2004 IEEE Symposium on Security and Privacy Large-Scale IP Traceback in High-Speed Internet Jun (Jim) Xu Networking & Telecommunications Group College of Computing Georgia Institute of Technology (Joint

More information

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS)

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS) TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS) Vrizlynn L. L. Thing 1,2, Henry C. J. Lee 2 and Morris Sloman 1 1 Department of Computing, Imperial College London, 180 Queen s Gate, London SW7 2AZ,

More information

An Autonomic Approach to Denial of Service Defence

An Autonomic Approach to Denial of Service Defence An Autonomic Approach to Denial of Service Defence Erol Gelenbe, Michael Gellman, and George Loukas Department of Electrical & Electronic Engineering Imperial College, London SW7 2BT {e.gelenbe,m.gellman,georgios.loukas}@imperial.ac.uk

More information

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3. Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

More information

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

Detection of Distributed Denial of Service Attack with Hadoop on Live Network Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,

More information

Cooperative Mechanism against DDoS Attacks

Cooperative Mechanism against DDoS Attacks Cooperative Mechanism against DDoS Attacks Guangsen Zhang, Manish Parashar The Applied Software Systems Laboratory Department of Electrical and Computer Engineering Rutgers University {gszhang,parashar}@caip.rutgers.edu

More information

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System

Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System Preventing DDOS attack in Mobile Ad-hoc Network using a Secure Intrusion Detection System Shams Fathima M.Tech,Department of Computer Science Kakatiya Institute of Technology & Science, Warangal,India

More information

CONTROLLING IP SPOOFING THROUGH PACKET FILTERING

CONTROLLING IP SPOOFING THROUGH PACKET FILTERING CONTROLLING IP SPOOFING THROUGH PACKET FILTERING Mrs. Mridu Sahu Department of Computer Science Engineering, RCET Bhilai, Chhattisgarh, India Email : mridu.kaushlesh@gmail.com Rainey C. Lal Department

More information

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

More information

Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks

Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks Multiagent Router Throttling: Decentralized Coordinated Response against DDoS Attacks Kleanthis Malialis and Daniel Kudenko Department of Computer Science University of York, UK {malialis,kudenko}@cs.york.ac.uk

More information

Denial of Service Attack Detection using Extended Analog Computers

Denial of Service Attack Detection using Extended Analog Computers Denial of Service Attack Detection using Extended Analog Computers Craig Shue, Brian Kopecky, Chris Weilemann Computer Science Department, Indiana University Bloomington, IN, U.S.A. {cshue, bkopecky, cweilema}@cs.indiana.edu

More information

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks DiDDeM: A System for Early Detection of TCP SYN Flood Attacks J. Haggerty, T. Berry, Q. Shi and M. Merabti School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK,

More information

DDoS Defense Mechanism by applying stamps

DDoS Defense Mechanism by applying stamps IJCSNS International Journal of Computer Science and Network Security, VOL.9 No.8, August 2009 195 DDoS Defense Mechanism by applying stamps S S Nagamuthu Krishnan (PhD Research Scholar, Bhartathiar University,

More information