2015 IJMR Volume 1 Issue 1 ISSN:

Transcription

1 DDoS Attacks Detection and Traceback by Using Relative Entropy Mr. Alap Kumar Vegda 1* and Mr. Narayan Sahu 2 1 Research Scholar, Cyber Security, Department of Computer Science Engineering 2 Assistant Professor, Department of Computer Science Engineering ITM University, Raipur, Chhattisgarh ABSTRACT: DDoS is a spy-on-spy game between attackers and detectors. Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memory less feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. In this paper, we innovatively propose using two entropy based algorithms to detect DDoS attacks by measuring and calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack, otherwise, it is a legitimate accessing. We propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS Traceback methods, the proposed strategy possesses a number of advantages it is memory non intensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. Keywords DDoS detection, entropy variation, flow, IP trace back. alapvegda50@gmail.com Mob.No I. INTRODUCTION The distributed denial of service (DDoS) attack is a serious threat to the security of cyberspace. It typically exhausts bandwidth, processing capacity, or memory of a targeted machine or network. A DDoS attack is a distributed, cooperative and large-scale attack. It has been widely spread on wired [1] or wireless networks [2]. The key reason behind this phenomena is that the network security community does not have effective and efficient methods to locate attackers as it is easy for attackers to disguise themselves by taking advantages of the vulnerabilities of the World Wide Web, such as the dynamic, stateless, and anonymous nature of the Internet [3], [4]. Moreover, the attacker will mimic the network traffic pattern of flash event, which will disable the detector quickly. The entropy detector mentioned in the paper [5] used entropy very shallowly. It can raise the alarm for a sudden massive accessing, however, it cannot discriminate the DDoS attacks from the surge of legitimate accessing. To launch a DDoS attack, the attackers first establishes a network of compromised computers that are used to generate the huge volume of traffic needed to deny services to legitimate users of the victim. Then the attacker installs attack tools on the compromised hosts of he attack network. The hosts running these attack tools are known as zombies, and they can be used to carry out any attack under the control of the attacker. In addition, the attacker will mimic the network traffic pattern of flash event to make the detection tougher. Most of the existing techniques cannot discriminate the DDoS attacks from the surge of legitimate accessing. IT is an extraordinary challenge to detect and traceback the Distributed Denial-of-Service (DDoS) attacks in the Internet. In DDoS attacks, attackers generate a huge amount of requests to victims through compromised computers (zombies), with the aim of denying normal service or degrading of the quality of services. IP traceback means the capability of identifying the actual source of any packet sent across the Internet. Because of the vulnerability of the original design of the Internet, we may not be able to find the actual hackers at present. In fact, IP traceback schemes are considered successful if they can identify the zombies from which the DDoS attack packets entered the Internet. 1.1 Motivation We are motivated by identifying the attacks which simulate normal network accessing patterns to fly under the radar. In order to achieve the goal, we take use of information theory to explore the distance (relative entropy in information theory) among network flows. We apply our methods on community networks, e.g. ISPs, in which a A00007V1I12015 International Journal Of Multee-Disciplinary Research 52

2 number of routers can cooperate to identify DDoS at the very early stage. When the current DDoS detection algorithms, e.g. the entropy detection algorithm, raise an attack alarm, it may be a false alarm. For example, it is a surging of legitimate accessing for a breaking news or event, unfortunately, these legitimate accessing will be blocked as DDoS attacks. On the other hand, real attacks maybe reach the victim via huge number of paths with a normal package rate and distribution for each path, in this case, the current detection algorithms will be fooled and cannot identify the attack. In this letter, we concentrate on solving this problem. With our method, once a DDoS attack alarm is raised, the routers of the community network will calculate the distance among the suspicious flows to the possible victim on different paths, respectively. If the distances among the suspicious flows are the same or very close, we can therefore identify it as an attack. we propose a novel mechanism for IP traceback using information theoretical parameters, and there is no packet marking in the proposed strategy; we, therefore, can avoid the inherited shortcomings of the packet marking mechanisms. We categorize packets that are passing through a router into flows, which are defined by the upstream router where a packet came from, and the destination address of the packet. During non attack periods, routers are required to observe and record entropy variations of local flows. In this paper, we use flow entropy variation or entropy variation interchangeably. Once a DDoS attack has been identified, the victim initiates the following pushback process to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. Once the immediate upstream routers have identified the attack flows, they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources. 1.2 Contribution The main contributions of this paper are as follows. 1) The detection and defence can be implemented in a community network easily. Further, it can be done independently in the community network. 2) The proposed method does not have the pressure of storage of the past packages for analysis, it also does not cost the computing power of routers much. 3) It proposes the generalized entropy and information distance metrics outperform the traditional distance metrics for the DDoS attack detection in terms of early detection, lower false positive rates, and stabilities. 4) The proposed method can archive real-time traceback to attackers. Once the short-term flow information is in place at routers, and the victim notices that it is under attack, it will start the traceback procedure. The workload of traceback is distributed, and the overall traceback time mainly depends on the network delays between the victim and the attackers. A00007V1I12015 International Journal Of Multee-Disciplinary Research 53 II. RELATED WORK Understanding the features of DDoS attack is critical for effective attack traceback. However, we have limited real data sets about DDoS attacks. The current knowledge of DDoS attack can be classified as follows: inference based on partial information [6], real network emulation [7] or simulations [8], and real attack and defence between two cooperate research groups [9]. It is obvious that hunting down the attackers (zombies), and further to the hackers, is essential in solving the DDoS attack challenge. The summary of the existing DDoS traceback methods can be found in [10] and [11]. In general, the traceback strategies are based on packet marking. Wang et al. [12] proposed a relative entropy based application layer-ddos detection method in which the click ratio of the web object is defined and the cluster method is used to extract the click ratio features. With the extracted features, the relative entropy is calculated to detect the suspicious sessions. Yu et al. [13] proposed an information theory based detection mechanism in which the distance of the package distribution behaviour among the suspicious flows is used to discriminate mimicking flooding attacks from legitimate accessing. Oikonomou and Mirkovic [14] analyzed many websites' log, and proposed defences against application layer DDoS attacks via human behaviour modelling which differentiate DDoS bots from human users. Kandula et al. [15] proposed a system to protect a web cluster from DDoS attacks by CAPTCHAs in which the users who solve the puzzles can only get access to the services. This method assumed that human users can identify the distorted images, but the machine cannot. Wang, Jin, and Shin [16], proposed a victim based solution where a received IP packet is discarded if major discrepancies exist between its hop count and the value stored in the previously built table. In StackPi [17], a packet is marked deterministically by routers along its path towards the destination. The victim can associate Stackpi marks with source IP addresses to detect source IP address spoofing. In Differential Packet Filtering against DDoS Flood Attacks [18], author relies on probabilistic means to determine risky packets. This scheme is adaptive to traffic change and attempts to sustain quality of service. 3.1 System analysis III. DETECTION AND IP TRACEBACK ALGORITHM In a community network, we can manage and configure our routers. Therefore, the routers can cooperate with each other to identify the DDoS attacks. Figure 1 displays a very simple attack diagram with two attack flows in a community network with three routers and one server as victim.

3 Fig. 1. A simple attack diagram in a community network. We have a few assumptions in order to make the discussion clear and easy to be understood. 1) The attackers use the same function to generate attack packages at the zombies, for example, the Poisson distribution or the Chi-square distribution. 2) There is only one server in the community network that is under attacking or massive accessing at a time. 3) The network system is linear and stable (this is quite reasonable for a short time period). Similar to [19], we define the packages which share the same destination address as a flow on each of the routers in a community network. Once an alarm is raised, the routers start to sample the number of packages of the suspicious flows in a time unit, e.g second, respectively. Suppose in an attack scenario, the attacker uses a random variable X to control the generation speed of the attack packages. The possible methods could be: 1) Using a constant speed to generate the packages, namely(x = C) = 1, and C is a constant; 2) Increasing the number of attack packages according to attack time t, X = at + b, a and b are constants; 3) Simulating the network traffic as Poisson distribution, namely, P ( X = k ) =λ k -λ k! k = 0, 1..., and λ is a constant; For example, in the community network as Figure 1, once a DDoS attack alarm is raised, we find that there are two suspicious flows,fp and fq, the sampling job can be done either on router R2 and R3 or R1 for a suffice time period T. Once the sampling job is done, we obtain the two distributions for fp and fq, respectively, P(X) = p(x1, x2, x3...xn) Q(X) = q(x1, x2, x3...xn) 1) We hence obtain the distance, relative entropy, of the two distributions as follows, ( )= k! ()(() () 2) where χ is the sample space of X If fp and fq are attacking flows, then they are generated by the same function f(x) at different zombies. Let g p (.) and gq(.) be the system functions for flow fp and fq from the zombie to the sampling routers, respectively. Then we have, ()= gp(f(x)) ()= gq(f()) 3) If gp(.) and gq(.) are linear, then D(p q) = 0. the same flows (attack flows) or not. A(p, q) = 1 D(p q) δ A(p1, p2,...pm, q1, q2...qm) = 1 pm Although it is impossible that the Internet satisfies the assumption, however, the distance of two attack flows should be very small compared with the case that one is attack flow and one is normal flow. We us the following formula to make the judgment of the two flows, p and q, are A00007V1I12015 International Journal Of Multee-Disciplinary Research 54 0 D(p q) > δ 4) Where δ is a given small number as a threshold. We now extend the number of attack flows to n(n > 2). We make m(2m < n) flow pairs randomly from the n suspicious flows. Notated as pi, qi, i = 1, 2,...m, respectively. Hence, we can have Ai(pi, qi), i = 1, 2...m. Suppose the possibility of misjudgement for each pair is p, then the positive judgment for an attack could be expressed as follow. 5) For example, if p = 0.5, and we expect99% positive for the judgment, then the condition is m System modelling In this paper, we categorize the packets that are passing through a router into flows. A flow is defined by a pair the upstream router where the packet came from, and the destination address of the packet. Entropy is an information theoretic concept, which is a measure of randomness. We employ entropy variation in this paper to measure changes of randomness of flows at a router for a given time interval. We notice that entropy variation is only one of the possible metrics. Chen and Hwang used a statistical feature, change point of flows, to identify the abnormality of DDoS attacks [20]; however, attackers could cheat this feature by increasing attack strength slowly. We can also employ other statistic metrics to measure the randomness, such as standard variation or high-order moments of flows. We choose entropy variation rather than others in this paper because of the low computing workload for entropy variations. First, let us have a close investigation on the flows of a router, as shown in Fig. 2. Generally, a router knows its local topology, e.g., its upstream routers, the local area network attached to the router, and the downstream routers. We name the router that wearer investigating now as a local router. In the rest of the paper, we use I as the set of positive integers, and R as the set of real numbers. We denote a flow on a local router by <ui; dj; t>; i; j I; t R, where ui is an upstream router of a local router Ri, dj is the destination address of a group of packets that are passing through the local router Ri, and t is the current time stamp. For example, the local router Ri in Fig. 2 has two different incoming flows the ones from the upstream routers Rj and Rk, respectively. We name this kind of flows as transit flows. Another type of incoming flows of the local router Ri is generated at the local area network; we call these local flows, and we use L to represent the local flows. We name all the incoming flows as input flows, and all the flows leaving router Ri are named as output flows. We denote ui,i I as the immediate upstream routers of the local router Ri, and set U as the set of incoming flows of router Ri. Therefore, U ={ui, i ϵ I} + {L}.We use a set D = {di; i I} to represent the destinations of the packets that are passing through the local router Ri. If v is the victim router, then v

4 D. Therefore, a flow at a local router can be defined as follows: f ij(u i,d i)={<u i,d i,t> u i U, d j D, i,j I} (1) Fig. 2. Traffic flows at a router on an attack path. We denote fij(ui,di,t) as the count number of packets of the flow fij at time t. For a given time interval T, we define the variation of the number of packets for a given flow as follows: N ij(u i,d j,t+ T)= ij(u f i,d i,t+ T) - ij(u f i,d i,t). (2) If we set f ij (u i,d i,t) =0, then N ij (u i,d j,t+ T) is the number of packets of flow fij, which went through the local router during the time interval T. In order to make the presentation tidy, we use Nij(ui,dj,t) to represent N ij (u i,d j,t+ T) in the rest of this paper. Based on the large number theorem, we have the probability of each flow at a local router as follows (, ), = (3) (, ) where pij(ui,dj) gives the probability of the flow fij over all the flows on the local router, and (, ) =1 Let F be the random variable of the number of flows during the time interval T on a local router, therefore, we define the entropy [33] of flows for the local router as follows: ()=, (, )log, ( 4) In order to differentiate from the original definition of entropy, we call H(F) as entropy variation in this paper, which measures the variations of randomness of flows on a given local router. 3.3 The Distance Algorithm Based on the analysis of the previous section, we have the corresponding algorithm. The algorithm is listed as in Table I. Based on this algorithm, we can identify DDoS attacks as early as possible, therefore, actions will be taken to discard the attack packages. 1. Identify the suspicious flow on the local router 2. Count the number of packages of the suspicious flow in a time slot t. 3. Identify the sample space, x1, x2...xn of sampling period T, and the responding frequency 4. Calculate the possibility distribution of the flow as ( )= Where, i = 1, 2...n 5. Submit the distribution to an aggregate router, e.g. R1 in Figure 1, to calculate the distance according to equation (2). 6. Fig. Compare 3 The distance the distances algorithm for the suspicious flows on 3.4 Traceback Algorithm 1. Initialize the local threshold parameter, C, and sampling interval Δ ; 2. Identify flows, f 1,f 2,..f n, and set count number of each flow to zero, x 1 = x 2 = x n= 0; 3. When Δ is over, calculate the probability distribution and the entropy variation as follows. = ( ), ; ()= log 4. Save x 1 = x 2 = x n and (); 5. If there is no dramatic change of the entropy variation (), namely, (), progress the mean =, =1 And the standard variation =, =1 6. Go to step 2. Fig. 4. The algorithm for local flow traffic monitoring. Fig. 5. The IP traceback algorithm on a router. A00007V1I12015 International Journal Of Multee-Disciplinary Research Initialize a set A=, and obtain the local parameter of C and ; 2. Let ={ }, be a set of the upstream routers ={ }, be a set of the destination of the packets, and V be a victim; Define attack flow, =<,>,=1.2.,, and sort the attack flows in the descent order, and we have, f 1,f 2,,f n. 3. For i=1 to n { Calculate (\ ) if ( () >then append the responding upstream router of f i to set A else break; end if; end for; 4. Submit traceback requests to the routers in set A respectively, and deliver the confirmed zombies information, set A, to the victim.

5 In this section, we design the related algorithms according to our previous modelling and analysis. There are two algorithms in the proposed traceback suite, the local flow monitoring algorithm and the IP traceback algorithm. The local flow monitoring algorithm is running at the no attack period, accumulating information from normal network flows, and progressing the mean and the standard variation of flows. The progressing suspends when a DDoS attack is ongoing. The local flow monitoring algorithm is shown as Fig. 5. Once a DDoS attack has been confirmed by any of the existing DDoS detection algorithms, then the victim starts the IP traceback algorithm, which is shown as Fig. 6. The IP traceback algorithm is installed at routers. It is initiated by the victim, and at the upstream routers, it is triggered by the IP traceback requests from the victim or the downstream routers which are on the attack path. The proposed algorithms are independent from the current routing software, they can work as independent modules at routers. As a result, we do not need to change the current routing software. CONCLUSION we are motivated by discriminating the DDoS attacks from surge legitimate accessing, and identifying attacks at the early stage, even before the attack packages reach the target server. In this paper, we proposed an effective and efficient detection and IP traceback scheme against DDoS attacks based on relative entropy. The proposed scheme provides work effectively and stably. we start to calculate the distance among the different suspicious flows in the community network. If the distance is less than a given threshold, for example 0.2 based on our experiments, then it is an attack, otherwise, we treat it as a surge of legitimate accessing. Differentiation of the DDoS attacks and flash crowds. In this paper, we did not consider this issue Differentiation of the DDoS attacks and flash crowds. The proposed method may treat flash crowd as a DDoS attack, and therefore, resulting in false positive alarms. We have a high interest to explore this issue Furthermore, the proposed IP traceback scheme based on information theory can effectively trace all attacks until their own zombies. In conclusion, our proposed relative entropy can substantially improve the performance of DDoS attacks detection and IP traceback over the traditional approaches. REFERENCES [1] A. Chonka et al.,cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks,0 J. Netw. Comput. Applicat. Jun. 23, 2010 [Online]. Available: jnca [2] X. Jin et al., ZSBT: A novel algorithm for tracing DoS attackers in MANETs, EURASIP J. Wireless Commun. Netw., vol. 2006, no. 2, pp. 1 9, [3] C. Patrikakis, M. Masikos, and O. Zouraraki, Distributed Denial of Service Attacks, The Internet Protocol J., vol. 7, no. 4, pp , [4] T. Peng, C. Leckie, and K. Ramamohanarao, Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys, vol. 39, no. 1, p. 3, [5] R. C. J. K. Kumar and K. Singh, A distributed approach using entropy to detect DDoS attacks in ISP domain, in Proc. International Conference on Signal Processing, Communications and Networking (ICSCN 07). [6] D. Moore et al., Inferring Internet Denial-of-Service Activity, ACM Trans. Computer Systems, vol. 24, no. 2, pp , May [7] Lincoln Laboratory Scenario (DDoS) 1.0, MIT, data/2000/lls_ddos_1.0.html, [8] J. Mirkovic et al., Accurately Measuring Denial of Service in Simulation and Testbed Experiments, IEEE Trans. Dependable and Secure Computing, vol. 6, no. 2, pp , Apr.-June [9] J. Mirkovic et al., Testing a Collabotative DDoS Defense in a Red/Blue Team Exercise, IEEE Trans. Computers, vol. 57, no. 8, pp , Aug [10] H. Aljifri, IP Traceback: A New Denial-of-Service Deterrent? IEEE Security & Privacy, vol. 1, no. 3, pp , May/June [11] Z. Gao and N. Ansari, Tracing Cyber Attacks from the Practical Perspective, IEEE Comm. Letters, vol. 43, no. 5, pp , May [12] Jin Wang, Xiaolong Yang & Keping Long, (2010) A New Relative Entropy Based App-DDoS Detection Method, IEEE Symposium On Computers And Communications (Iscc). [13] Shui Yu, Wanlei Zhou, Robin Doss, & Weijia Jia, (2011) Traceback of DDoS Attacks using Entropy Variations, IEEE Transactions on Parallel and Distributed Systems. [14] G.Oikonomou & J.Mirkovic, (2009) Modeling human behavior for defense against flash-crowd attacks, ICC2009. [15] S.Kandula, D.Katabi, MJacob & A.W.Berger, (2005) Botz-4- sale: surviving organized DDoS attacks that mimic flash crowds, in Proc. Second Symp. Networked Systems Design and Implementation (NSDI). [16] Haining Wang, Cheng Jin & Kang G. Shin, (2007) Defense Against Spoofed IP Traffic Using Hop-Count Filtering, IEEE Transactions on Networking,vol.15.No.1, pp [17] Perrig A., Song D, & Yaar A., (2003) StackPi: a new defense mechanism against IP spoofing and DDoS attacks, CMU technical report. [18] Tanachaiwiwat, S. & Hwang, K., (2003) Differential packet filtering against DDoS flood attacks. ACM Conference on Computer and Communications Security (CCS). [19] T. M. Cover and J. A. Thomas, Elements of Information Theory, Second Ed., [20] Y. Chen and K. Hwang, Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis, J. Parallel and Distributed Computing, vol. 66, pp , [21] Shui Yu and Wanlei Zhou, Information Theory Based Detection Against Network Behavior Mimicking DDoS Attacks, IEEE COMMUNICATIONS LETTERS, VOL. 12, NO. 4, APRIL [22] Ke Li and Wanlei Zhou, Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 2, JUNE A00007V1I12015 International Journal Of Multee-Disciplinary Research 56