DDoS attacks defence strategies based on nonparametric CUSUM algorithm

Transcription

1 Abstract DDoS attacks defece strategies based o oparametric CUSUM algorithm Chaghog Ya 1*, Qi Dog 2, Hog Wag 3 1 School of Iformatio Egieerig, Yacheg Istitute of Techology, No.9 XiWag Aveue Road, Yacheg, Chia 2 School of Iformatio Egieerig, Yacheg Istitute of Techology, No.9 XiWag Aveue Road, Yacheg, Chia 3 YaCheg juior high school, No.199 The liberatio of south Road, Yacheg, Chia Received 1 September 2014, I the Iteret etwork attacks, distributed deial of service (DDoS) has aroused world attetio because of its destructive power. It seems particularly difficult to defed agaist DDoS attacks for they have characteristics such as abrupt attacks, attackig host computer i a very wide distributio, ad so o. To guard agaist etwork security ad defed distributed deial of service attacks (DDoS), research should begi from the detectio of DDos attacks. O the basis of deep research of DDoS attacks, the thesis summarizes ad aalyses the mechaism ad priciples of itrusio detectio firstly. This paper starts with the aalysis of the priciple of DDoS attacks. Followed by iquiry ad aalysis of data packet of DDoS attacks detectio, the thesis gives out the computatio method for detectig DDos attacks based o Flow Coectio desity ad presets a defedig model agaist DDos attacks based o the temporal series of Flow Coectio Codesity (Desity). With the defedig module based o the temporal series of Flow Coectio Codesity (Desity), data packet ca be effectively filtered so that DDos attacks ca be effectively defeded ad preveted. Fially, experimets prove that the module ca effectively filter data packet from etwork. Keywords: etwork security, distributed deial of service, flow coectio desity, time series, defece strategies 1 Itroductio With the etwork comig ito the Iteret era, etwork security problems appear, of which distributed deial of service attack has great impact o the etwork security. Distributed Deial of Service, referred to as DDoS, is a kid of deial of service attacks which is offesive ad destructive. At preset, the Iteret is everywhere, ad DDoS attacks lauched by hackers are everywhere uless we discoect the etwork. Distributed deial of service maily target host ode, switch, routers ad other etwork equipmet. Tools used by hackers for distributed deial of service are easy to develop. Hackers coduct diversified attacks secretly ad the attackig techiques improve day after day which ca cause devastatig damage eve immeasurable losses. DDoS is widely applied by hackers because it is easy to implemet, difficult to prevet ad of great harm. I February 2000, uidetified hackers lauched a huge-scale distributed deial of service, attackig a series of worldreowed sites such as ebay, yahoo, Microsoft, MSN, Amazo, ad so o, ad causig umerous system paralyses for several days ad sigificat social ecoomy loss which mouted to billios of dollars. I early 2003, hackers, who will do whatever they ca to cause damage, used a ew techology of distributed deial of service attacks to damage the Iteret i a wide rage icludig North America, Europe ad Asia. This ot oly caused hudreds of thousads of computers early paralyzed ad early oe hudred thousad etwork servers uable to ru, but also resulted i icalculable ecoomic losses ad adverse social impact. As for Chia, o May 19, 2009, DNS resolutio system of Chia Telecom was attacked by a large flow of DDoS, causig a massive etwork paralysis i telecommuicatios etwork of six souther provices ad thousads of web services termiatio [1]. Distributed deial of service, referred to as DDos, is of destructive power. For a aalogy, how ca you get through whe people call you at the same time? Ad DDos attacks are like that. DDos maily take advatage of the loopholes ad shortcomigs of etwork trasport protocol - TCP/IP protocol. It chooses computers with scattered etwork locatios as its attackig host to sed large amouts of data to the target host. This will ot oly cause the resources or etwork badwidth of attacked hosts cosume a lot, but also that the attacked host is so overloaded ad paralyzed that it will stop providig ormal etwork services. As a result, legitimate users caot get access to or use the resources, or ca the attacked host provide ay services. Schematic diagram for DDos attackig priciple is show i Figure 1. * Correspodig author [email protected] 121

2 misjudgemet rate of packet icrease, resultig i a loss of legitimate data iformatio. Curretly, the most typical source-side defece strategy is D-WARD model proposed by Jelea Mirkovic ad others [3]. 2.2 THE NETWORK DEFENCE IN THE MIDDLE LAYER FIGURE1 DDoS attack priciple 2 Commo DDoS defece strategies aalysis The DDoS attacks o the Iteret are becomig icreasigly fierce ad will cotiually itesify. Oly i 2013, DDoS attacks have emerged i a edless stream i the world, ad it seems difficult to measure the amout ad size by usig statistics. A ew IDC study foud that prevetio solutio market for DDoS attacks ad DoS attacks is expected to grow 18.2 percet from 2012 to 2017 ad related spedig will reach $870 millio [2]. The substatial harm of DDOS attacks is forcig people to defed agaist DDOS attacks to miimize the loss. To defed agaist DDOS attacks, people have explored a variety of DDOS defece strategies from various prospective based o the priciple of DDoS attacks. From the DDoS attack priciple i Figure1, we ca see that core router of the attacked host is the proxy host ad it forwards data through the itermediate etwork routers. Thus, whe aalysig distributed deial of service, we ca divide the whole etwork ito three parts, ivolvig the attackig ed of the etwork, the middle layer ad the attacked ed. Correspodigly, DDoS attack defece strategies are also divided ito the attackig ed defece, the middle layer defece ad the attacked ed defece. 2.1 THE NET WORK DEFENCE IN THE ATTACKING END I this process, defece ode is deployed o the igress router of the etwork, the the ode couts ad aalyses the flow based o packet iformatio, which is moitored by the igress router. Fially, through repeated comparisos betwee statistics ad the ormal flow model, dagerous abormal packets will be filtered out. I this way, we caot oly track iformatio about the attackig ed, but also to avoid further damage from outside to the etwork. There are of course some shortcomigs i the attackig ed, for istace, if the attackig flow i the attackig ed does ot coverge, it will be difficult to establish ormal flow model, which will cause Curretly, the etwork defece i the middle layer maily depeds o itrusio detectio systems o the etwork. Itrusio detectio systems detect attacks by capturig ad aalysig etwork packets. If the etwork is attacked, it will take measures to correspodigly limit the rate of the attackig data flow. The beefit of this defece strategy is that oce a attack is detected, you ca quickly suppress the traffic, thus greatly reducig the harm to the attacked ed. Disadvatage of etwork defece strategies i the middle layer is that the data flow o the middle tier etwork router is large which will ot oly cosume more resources, but also make it difficult to decide whether the data flow is legitimate, ultimately causig damage to legitimate etwork traffic, ad eve to the performace of the whole etwork. 2.3 THE NETWORK DEFENCE IN THE ATTACKED END The attacked ed is direct victim of the DDoS attacks, ad it is most immediate, most accurate ad most effective to deploy defece system i the attacked ed. Thus, it is effective to deploy defece system i the attacked ed to defed agaist DDoS attacks, which is the outstadig advatage of attack ed defece. Of course, there are some shortcomigs i the attacked ed defece strategy. For example, the attacked ed is the mai attackig target. If the attack is fierce, resultig i paralysis i storage ad processig system o the defece ode, it may ot be able to respod to the defece system deploymet to locate the positio of the fiercest attack, which will lead to limited respose to attacks. To balace its advatages ad disadvatages, it is a good choice to deploy the defece system i the ed etwork. The challege is to fid a good defece strategy, makig the DDoS attacks dysfuctioal so as to defed agaist DDoS attacks ad to secure the attacked host. 3 DDoS attacks defece module ad strategies based o oparametric CUSUM algorithm To desig DDoS defece module based o oparametric CUSUM algorithm ad the make a better defesive strategies to effectively defed agaist DDoS attacks o the victim port. It is more timely ad accurate to detect DDoS attacks by coutig ad testig traffic of attacked port, so as to defed agaist DDoS attacks. 122

3 3.1 THE DEFENCE BASIS OF NETWORK TRANSMISSION The data trasmissio is carried out i the form of data packets o the etwork. I the Iteret, i order to overcome the heterogeeity of the etwork, ad to esure the correct data trasmissio, IP protocol defies a uified packet format, which is called a IP datagram. The structure is show i Figure 2. FIGURE 2 IP datagram structure TABLE 1 Iformatio collectio of IP data packets withi a uit time o a certai etwork Data packets Source IP address Destiatio IP address Destiatio port umber P0 s1 D1 port1 P1 s1 D1 port1 P3 s3 D2 port1 A s3 D1 port1 P4 s2 D2 port2 C s2 D2 port2 B s3 D2 port2 R s3 D2 port1 Through aalysis, we coclude that by comparig the same set of IP packets withi this etwork flow per uit time, relevat set of data packets are {p 0, p 1}, {p 4, C}, {p 3, R}. Accordig to the defiitio, i a time uit, the flow coectio desity is 3, because there are 3 relevat data packets collectio withi the time uit of the etwork. The, we ca decide whether the etwork traffic is ormal based o the flow coectio desity, so as to determie whether there is distributed deial of service attack. I the Iteret etwork, ay packet trasmissio, icludig that is attacked by DDoS, must be orgaized i the form of IP datagrams. IP datagram must idicate the specified data to be trasmitted, the IP address of the computer that seds datagrams ad that receives the datagram. Accordig to the priciple of DDoS attacks, DDoS attacks are carried out by a large umber of hosts that are geographically dispersed o the etwork, which sed plety of packets to attack the victim host. Therefore, we ca aalyse the source IP address, destiatio IP addresses ad port umbers of IP datagram that reaches computers. If large amouts of datagram are from several hosts that are i geographically dispersed etwork, the it is DDoS attack, which we should guard agaist. 3.2 FLOW CONNECTION DENSITY Firstly, i a certai time period, we itercept a collectio of idetical etwork data package that cotais the same port umber of the source address, destiatio port, ad destiatio port umber, ad this is called a flow coectio, ad the amout of the flow coectio i this period is called flow coectio desity. It ca be showed i the followig form. We assume that i uit time, the collectio of data packets withi etwork traffic is R = {p 1,, p i,,p M}, of which, collectio of related data packets is {R 1,R 2,,R N}, the we defie that i this etwork traffic, the flow coectio desity is the amout of related data packets collectio, that is N [4-5]. The we take the followig table as a example. Table 1 idicates the obtaied IP data packets collectio withi a uit of time o a certai etwork. 3.3 CALCULATION FOR IMPROVING FLOW CONNECTION DENSITY BASED ON NON- PARAMETRIC CUSUM ALGORITHM Through the study of o-parametric CUSUM algorithm [6-8], we ca better improve the calculatio method of flow coectio desity. We o loger cout the collectio of idetical etwork data packages i the uit time, but we calculate the added source IP address i a Δt time to get flow coectio desity. The we get a time series {Z}, which cosists of flow coectio desity sequeces withi multiple Δt time. The basic idea based o oparametric CUSUM algorithm to improve flow coectio desity ca be showed by the followig Equatios (1)-(3): Y 0, 0 Y ( Y Z ), 1 x (1) 0, x 0, (2) x, x 0 Y is the cumulatively positive value of Z, ad the decisio fuctios are: d N Y 1, 0, Y M, (3) Y M where the costat value of detectio threshold of DDoS is M, the fuctio d N(Y ) represets the judgmet result for M i a certai geeratig time. Through the judgmet result, we defie that, whe the result of fuctio d N(Y ) is 1, there are a large umber DDoS attacks; whe the result is 0, there are o DDoS attacks ad the etwork is ormal. 123

4 3.4 CALCULATION DDoS ATTACKS DEFENCE MODEL BASED ON NON-PARAMETRIC CUSUM ALGORITHM TO IMPROVE FLOW CONNECTION DENSITY The DDoS attacks defece model based o oparametric CUSUM algorithm to improve flow coectio desity cosists of three modules, respectively are acquisitio module, time series module ad filter module. Acquisitio module: I this module, IP data packets received by the host are collected i every certai time of t, the it comes to data format coversio accordig to required data format i time series module ad filter module ad the the data is trasmitted to the time series module ad filter module i differet levels. Time series module: I this module, we use the additioal received IP data packets withi a certai time of t to calculate the abstract flow coectio desity. The sed the fial judgmet result of fuctio d N(Y ), which is based o the judgmet result of Equatios (1), (2) ad (3) to the filter module by combiig with the time series of {Z} composed of flow coectio desity data received i previous time periods of (-1) t. Filter module: whether to receive or discard the data packets based o the data iformatio results from processig a data packet ad judgmet results of fuctio d N(Y ) passed from time series module. DDoS attacks defece model based o oparametric CUSUM algorithm to improve flow coectio desity is show as follows (Figure 3): levels. We use the data i time series module ad additioal received IP data packets to calculate the specific flow coectio desity. The we use the additioal collected source IP data packets withi a certai time of t i time series module to calculate the abstract flow coectio desity, ad calculate its cumulative positive value by combiig with the time series of {Z } composed of flow coectio desity data received i previous time periods of ( 1) Δt. The it will sed the fial judgmet result of fuctio d N(Y ), which is based o the judgmet result of Equatios (1)-(3) to the filter module. The filter module will compare the cumulative positive value with the threshold value, if the cumulative positive value is greater tha the threshold value, the it will decide to receive or discard the data packets based o the data packets iformatio i acquisitio module. We have coducted a series of experimets ad obtaied evidece for DDoS attacks defece model based o oparametric CUSUM algorithm to improve flow coectio desity. Accordig to the aalysis of theoretical ad experimetal value ad compariso betwee them, the error rate of the experimetal values is oly 3.618%. It is foud out that the wrog results are maily caused by the exteral factors such as idetificatio delays ad etwork oise. Of course, these exteral factors ca be resolved by a series of measures. As for idetificatio delay, we ca take proper meas of improvig the sesitivity of the system to reduce recogitio delays, thereby reducig the risk of errors. To sum up the experimetal results, we ca see that DDoS attacks defece model, based o oparametric CUSUM algorithm to improve flow coectio desity, ca effectively detect DDoS attacks ad properly filter out malicious attackig data packets, securig the ormal operatio of the host or etwork. 4 Coclusios FIGURE 3 DDoS attacks defece model based o oparametric CUSUM algorithm to improve flow coectio desity The mechaism of DDoS attacks defece model based o oparametric CUSUM algorithm to improve flow coectio desity is that, the system firstly obtais data withi a specified time i the acquisitio module, the the data packets received is aalysed, icludig source address, destiatio address ad specific port umber of the data packets. The it comes to data format coversio accordig to required data format i time series module ad filter module, ad the the data is trasmitted to the time series module ad IP packets filter module i differet This paper gives a itesive study of the operatio mode ad priciple of DDoS attacks, discusses the simple defece strategies agaist DDoS attacks. It proposes algorithm to detect DDoS attacks based o flow coectio desity accordig to characteristics of etwork data trasmissio ad DDoS attackig priciple. Fially, it gives DDoS attacks defece strategy based o the time series aalysis of flow coectio desity. Based o oparametric CUSUM algorithm, modules are decided to prevet DDoS, which ca lead to good defece strategies, defedig agaist DDoS attacks to a great extet. Refereces [1] Xu C 2012 Research ad implemetatio of DDoS detectig algorithm i applicatio layer Master thesis Chogqig uiversity: Chogqig Chia (i Chiese) [2] Yag Y 2014 Worries of DDoS attacks Joural of Chia educatio etwork 2014(01) 21-2 (i Chiese) [3] Qi Y, Tag M, Zhag M 2014 Mass customizatio i flat orgaizatio: The mediatig role of supply chai plaig ad corporatio coordiatio Joural of Applied Research ad Techology 12(2) [4] Ya C 2009 Research ad implemetatio of DDoS attackig detectio ad defece strategies based o flow coectio desity Master thesis Suzhou Uiversity Suzhou Chia (i Chiese) 124

5 [5] Zhag C, Huag L, Zhao Z 2013 Research o combiatio forecast of port cargo throughput based o time series ad causality aalysis Joural of Idustrial Egieerig ad Maagemet 6(1) [6] Takada H, Hofma U 2004 Applicatio ad Aalyses of Cumulative Sum to Detect Highly Distributed Deial of Service Attacks usig Differet Attack Traffic Patters.Iter-domai QoS Newsletter 2004(7) [7] Xiog K, Zhag Y, Zhag Z, Wag S, Zhog Z 2014 PA-NEMO: Proxy mobile IPv6-aided etwork mobility maagemet scheme for 6LoWPAN Elektroika ir Elektrotechika 20(3) [8] Cai X 2006 Based o the etwork data acquisitio ad sequece aalysis of the eviromet of the DDoS attack Master thesis, Najig uiversity of posts ad telecommuicatios Naji Chia (i Chiese) Authors Chaghog Ya, bor i May, 1980, Yacheg, Jiagsu Provice, P.R. Chia Curret positio, grades: lecturer. Uiversity studies: MSc i Computer Sciece ad Techology at Suzhou Uiversity. Scietific iterests: itermediate lecturer, itelliget cotrol, etwork security, iformatio processig, remote sesig remote sesig. Publicatios: more tha 19 papers. Experiece: teachig experiece of 12 years, 3 scietific research projects. Qi Dog, bor i October, 1974, Yacheg, Jiagsu Provice, P.R. Chia Curret positio, grades: associate professor. Uiversity studies: MSc i Computer Sciece ad Techology at Najig Uiversity of Sciece ad Techology. Scietific iterests: itermediate lecturer, itelliget cotrol, etwork security, iformatio processig. Publicatios: more tha 20 papers. Experiece: teachig experiece of 18 years, 10 scietific research projects. Hog Wag, bor i October, 1979, Yacheg, Jiagsu Provice, P.R. Chia Curret positio, grades: lecturer at the School of Yacheg, Chia. Uiversity studies: BSc i Mathematics at Yua Uiversity i Chia. MSc at Qighai Normal Uiversity i Chia. Scietific iterests: educatio maagemet, mathematics educatio, etwork security, iformatio processig. Publicatios: 10 papers. Experiece: Teachig experiece of 14 years, 2 scietific research projects. 125