World Applied Sciences Journal 23 (11): 1418-1424, 2013
ISSN 1818-4952
IDOSI Publications, 2013
DOI: 10.5829/idosi.wasj.2013.23.11.950

DDoS Verification and Attack Packet Dropping Algorithm in Cloud Computing

Muhammad Zakarya
Department of Computer Science, Abdul Wali Khan University, Mardan, Pakistan

Submitted: Jun 8, 2013; Accepted: Jul 17, 2013; Published: Jul 25, 2013

Abstract: DDoS attacks on the World Wide Web in general, and predominantly in modern cloud computing, have become a noticeable issue for researchers in academia and industry related to the field of computer science. DDoS attacks are easy to launch, but their uncovering is a very challenging and dingy task and therefore an eye-catching weapon for hackers. DDoS torrents do not have familiar appearances; therefore currently existing IDS cannot identify and discover these attacks perfectly. Correspondingly, their implementation is a bamboozling task. In practice, gossip based detection machines are used to detect such types of attacks by exchanging streams of traffic over the line, but this still results in network congestion and carries the overhead of superfluous and bonus packets. Keeping the above drawbacks in mind, we have proposed a DDoS detection and prevention mechanism in [1] that has the attractiveness of being easy to adapt and more trustworthy than existing counterparts. We have introduced an entropy based detection mechanism for DDoS attack detection. In [2] we have implemented the same algorithm on the grid platform, where we obtain an accuracy of 90%. Our proposed solution has no overhead of extra packets, hence resulting in good QoS. In this paper we are going to implement the same algorithm on clouds.

Key words: DDoS, QoS, IDS, AS, ADS, CloudSim

INTRODUCTION

Cloud computing is the most modern and hottest buzzword nowadays; it emerges as a key service of utility or on-demand computing [1], which builds on a decade of research in the ground of computer networking, the World Wide Web and software services. People are looking for the fastest, QoS-aware, secure, efficient and reliable services, and that is why a number of researchers are devoted to distributed computing research including clusters, HPC, grids and clouds. Cloud computing puts forward a service oriented architecture, reduced information technology overhead for the end-user, enormous flexibility and reduced total cost of ownership. Recent attacks on the clouds, especially DDoS, pose a potential intimidation and danger to this key technology of the expectations and future. In this paper we are going to present a new DDoS attack confirmation and packet dropping algorithm for the cloud environment. An entropy based ADS approach is presented to mitigate the attack, which further improves network performance in terms of computational time, QoS and high availability. SaaS, PaaS, IaaS and IT foundation are four basic types of cloud computing. DDoS attacks are thrown through carriage of a large amount of packets to an objective machine, using instantaneous teamwork of numerous hosts which are scattered throughout the cloud computing environment.

The rest of the paper is organized as follows. In section 2 some related work is presented. Section 3 is about our previous work, followed by the existing problem in the next section. The solution to the existing problem is discussed in section 5, followed by simulation results in the next section. Performance evaluation is shown in section 7. Finally some concluding remarks and future work are discussed in section 8.

Related Work: According to [3, 4], any statements that have some shock and importance are called information. Some believe that information theory is a subset of communication theory, but we consider it much more. Entropy is a measure of the chaos of a group of particles, i.e. the 2nd law of thermodynamics. If there are a number of possible messages, then each one can be expected to occur after a certain fraction of time known as the probability of the message. In [9-15] Shannon proved that the information content of a message is inversely related to its probability of occurrence. To summarize, the more unlikely a message is, the more information it contains. In [6, 16], entropy H(X) is given by

Corresponding Author: Muhammad Zakarya, Department of Computer Science, Abdul Wali Khan University, Mardan, Pakistan.
$H(X) = -\sum_{x \in X} p(x) \log p(x)$    (1)

The log is to the base 2 and entropy is expressed in bits. That is to say, uncertainty is directly proportional to entropy: the more accidental the values are, the more entropy there is. The value of entropy lies between 0 and log(n). The entropy value is smaller when the class distribution belongs to only one and the same class, while the entropy value is larger when the class distribution is more even. Therefore, comparing entropy values of some traffic feature to those of another traffic feature provides a mechanism for detecting changes in the unpredictability. We use traffic distributions like IP address and application port number, i.e. (IP address, Port). If we want to calculate the entropy of packets at a single or unique source, i.e. destination, then the maximum value of n must be 2^32 for IPv4 addresses. Similarly, if we want to gauge entropy at multiple application ports, the value of n is the total number of ports [5, 7, 17, 18]. In a similar way, p(x), where x ∈ X, is the probability that X takes the value x. We randomly examine X for a fixed time window (w); then p(x) = m_i/m, where m_i is the number of times we observe that X takes the value x, i.e. $m = \sum_{i=1}^{n} m_i$. Putting these values in entropy equation 1, we get

$H(X) = -\sum_{i=1}^{n} (m_i/m) \log (m_i/m)$    (2)

Fig. 1: Proposed Cloud Architecture [1]

Remember that the total number of packets is the number of packets observed in a specific time slot (w). When this calculation finishes, normalized entropy is calculated to get the overall probability of the captured flow in a specific time window (w). Normalized entropy is given by

Normalized entropy $= H / \log n_o$    (3)

where n_o is the number of dissimilar values of x in a specific time slot (w). During the attack, the attack flow dominates the whole traffic, resulting in decreased normalized entropy. To confirm our attack detection, again we have to calculate the entropy rate, i.e. the growth of entropy values for random variables, provided that the limit exists, which is given by

$H(X) = \lim_{n \to \infty} \frac{1}{n} H(x_1, x_2, \ldots, x_n)$    (7)

Similarly, if we want to calculate the probability p(x), then m is the entire number of packets, but m_i is the number of packets with value x_i at destination as source [8]. Mathematically this is given as

P(x) = (Number of packets with x_i as source (destination) address) / (Total number of packets)    (4)

Again, if we want to calculate the probability p(x) for each destination port, then

P(x) = (Number of packets with x_i as source (destination) port) / (Total number of packets)    (5)

Proposed Solution and Results: In [1] the authors proposed a cloud architecture and a DDoS detection mechanism that has the beauty of being easy to adapt and more reliable than existing counterparts. The authors claim that their proposed solution has no overhead of extra packets, hence resulting in good QoS. The architecture is shown in Fig 2. The whole cloud environment is divided into multiple sites either on a geographical or an administrative basis. Every CS is under the control of a powerful AS. Our ADS is installed on every edge router. Our confirmation algorithm needs to be installed on the subsequent router attached to the edge router. Once DDoS [19-21] is detected at the edge router, the flow is transferred to the next neighboring router, where again the flow is checked against the information that was collected on the edge router. If there is no change the attack
is confirmed and the packet is discarded or dropped. Otherwise the packet is thrown to its destination on its way. CloudSim was used for the evaluation of this approach. The results seen are of interest, but high network access can lead to an increased false positive rate. In the next section we are going to propose a confirmation algorithm to limit these false positives. Our ADS can detect 100% of DDoS attacks only in the case of a good threshold value, which is one of the most challenging tasks in developing any ADS. We conclude that a threshold value of 0.97 results in a good detection rate. A value greater than 0.97 results in a good detection rate, i.e. 100% DDoS detection, but generates more false positive alarms as the value is increased from 0.97 to 1.0. In [2] we guessed a perfect threshold value of 0.95 while simulating in GridSim. The differences are due to the high number of packets. We conclude, by examining small, medium and large flows of network packets, that where the number of packets is increased in a platform, we have to set the threshold value a little bit larger. The steps in the algorithm are as under. Fig 5 shows the flow diagram of the detection algorithm.

Existing Problem: We have proposed a DDoS detection and prevention mechanism in [1] that has the beauty of being easy to adapt and more dependable than existing counterparts. Among service level security issues, DoS, DDoS and network overcrowding are the most important. Solving the dispute of DDoS attacks also results in network high availability as well as good QoS. The problem in that solution was that, in huge network usage or congested network flow, our proposed detection algorithm will raise the attack alarm, i.e. false positives, but it is not always the case. To confirm the attack flow and decide whether to flush out or wash out the flow, we are going to propose a confirmation algorithm in this paper.

Fig. 2: Flow diagram [1]
Fig. 3: Confirmation Algorithm
Fig. 4: Flow diagram
Fig. 5: Simulations Study
Fig. 6: Packet Flow Diagram
Fig. 7: DDoS Detection on Router 1
Fig. 8: DDoS Detection on Router 2
Fig. 9: DDoS Confirmation for Router 1 flow on Router 3

Proposed Packet Dropping Algorithm: In [1, 3, 22] the authors proposed the entropy rate for confirmation of the attack flow, but still no exact solution was proposed. The entropy rate shows the increase or decrease ratio of the distribution. We are going to extend our idea in this article and will propose and study a DDoS confirmation algorithm. Based on the results of such a confirmation algorithm the router will decide either to allow the flow of packets or to discard and drop that packet flow. We need such an algorithm because during high network access our DDoS detection algorithm will generate false positives and will alert the next edge router of a DDoS attack, but it might not be the case. Our ADS is installed on each edge router. Our verification algorithm needs to be installed on the consequent router attached to the edge router [22-26]. Once DDoS is detected at the edge router, the flow is transferred to the subsequently adjacent router, where for a second time the flow is checked against the information that was claimed [27, 28] on the edge router. If there is no alteration, the attack is confirmed and the packet is a superfluous one and hence needs to be dropped. Otherwise the packet is thrown to its target node or system on its own way. We have used CloudSim for simulation of our algorithm and have compared a number of cases to conclude the performance evaluation. A simple and straightforward solution is to run the same algorithm on the receiver side router. But the problem is that we are going to detect and drop the packet flow early, i.e. near the source. Suppose in Fig 6 the user ab1 sends 90 packets to cb1, 91 packets to cb2 and 34 packets to cb3. When entropy is calculated on r1, the attack is detected. When this flow reaches r2, the packets that were addressed to cb3 are directed on a different way. Again, if we calculate the entropy of ab1 on r3, no attack is detected. It results in this: if we calculate entropy, i.e. run our detection algorithm, two times, on the edge routers of the sender and of the receiver, then to some extent we will accurately measure DDoS and can drop only attack packets. If the algorithm calculates the same values, it means the attack is confirmed; otherwise the packets are forwarded to their destination. The problem is that we need to detect and confirm the attack near the source, so that bandwidth is not wasted. This goal cannot be achieved in this solution. We can run the same detection algorithm on the next edge router, but still the network may be so large that it consists of 100 routers. There is the possibility that
the attack flow will remain on one path crossing over multiple routers. It will confirm the attack without any concern that in future the flow may be distributed over multiple paths. Following are the steps for confirmation of the DDoS attack:

1. Decide a threshold value for confirmation.
2. Calculate the entropy rate on the edge router using Equation VII.
3. Compare the entropy rates on that router; if the rate is <= the threshold, DDoS is confirmed.
4. Drop the attack flow.

Table 1: Traffic at Router 1

Source node | Destination node | No of packets | R1 | R3 | Entropy (R1) | Entropy (R3)
AB1         | CB1              | 20            | 12 | 8  | 0.35         | 0.27
AB2         | CB1              | 20            | 4  | 16 | 0.17         | 0.40
AB1         | BB1              | 30            | 15 | 15 | 0.39         | 0.39
AB2         | BB2              | 40            | 32 | 8  | 0.52         | 0.28

Router entropy for R1 is 1.43 and normalized entropy for R1 is 0.90. Similarly, router entropy for R3 is 1.35 and normalized entropy for R3 is 0.85.

Table 2: Traffic at Router 2

Source node | Destination node | No of packets | R1 | R3 | Entropy (R1) | Entropy (R3)
AB3         | CB1              | 10            | 3  | 7  | 0.16         | 0.29
AB4         | CB1              | 20            | 11 | 9  | 0.37         | 0.33
AB3         | CB3              | 40            | 21 | 19 | 0.49         | 0.47
AB4         | CB2              | 20            | 18 | 2  | 0.46         | 0.12

Router entropy for R1 is 1.49 and normalized entropy for R1 is 0.94. Similarly, router entropy for R3 is 1.21 and normalized entropy for R3 is 0.77.

Table 3: Traffic at Router 3

Source node | Destination node | No of packets | Entropy (R1)
AB1         | CB1              | 20            | 0.48
AB2         | CB1              | 20            | 0.48
AB3         | CB1              | 10            | 0.35
AB4         | CB1              | 20            | 0.48
AB4         | CB2              | 20            | 0.48

Router entropy for R3 is 2.28 and normalized entropy for R3 is 0.98.

Fig. 10: DDoS detection and confirmation rate
Fig. 11: DDoS false positive rate

Simulations Study and Results: Fig 7 shows the simulation environment that was created in the CloudSim simulator. To compare grids and clouds we have implemented the same scenario to extract more results [2]. The only difference is that the threshold value is higher than the one considered in [2]. The threshold value of 0.97 was always adjusted in [1] during the detection phase. The above simulation environment was designed and developed in the CloudSim simulation environment. Routers are connected to each other over a 10 Mbps link, while all other connections are made at a 1 Mbps link. The reason behind this choice is clear, as a router forwards more data packets compared to a single transmitting node. The detection algorithm was executed on Router 1 and Router 2. On both routers the attack was detected. The confirmation algorithm was executed on Router 3. The attack was not confirmed on this router; hence the flow was delivered to its destination nodes.
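The detection step of the previous section and the confirmation steps above, worked through as an added Python example (not the paper's code, whose simulations ran in CloudSim). It computes equations (2) and (3) over constructed per-destination packet counts that follow the Fig. 6 scenario, applies the 0.97 detection threshold at the edge router and the 0.90 confirmation threshold at the next router, and decides whether the flow is dropped or forwarded. Assumed, not taken from the paper: the flow tables and source names, that a source seen at only one destination gets normalized entropy 0, and that the entropy-rate check of equation (7) is approximated by recomputing normalized entropy on the second router.

```python
import math
from collections import Counter

# Constructed packet counts for one time window w, following the paper's Fig. 6
# scenario: ab1 sends 90, 91 and 34 packets to cb1, cb2 and cb3. Router r1 sees
# all three flows; by r3 the cb3 packets have taken a different path.
FLOWS_R1 = [("ab1", "cb1", 90), ("ab1", "cb2", 91), ("ab1", "cb3", 34)]
FLOWS_R3 = [("ab1", "cb1", 90), ("ab1", "cb2", 91)]
# Constructed flood: one source hammering a single destination on both routers.
FLOOD_R1 = [("zz9", "cb1", 500), ("zz9", "cb2", 3), ("zz9", "cb3", 2)]
FLOOD_R3 = [("zz9", "cb1", 500), ("zz9", "cb2", 3)]

DETECT_THRESHOLD = 0.97   # edge-router detection threshold used in the paper
CONFIRM_THRESHOLD = 0.90  # confirmation threshold from the performance evaluation

def entropy(counts):
    """Equation (2): H = -sum_i (m_i/m) log2(m_i/m), in bits."""
    m = sum(counts)
    return -sum((mi / m) * math.log2(mi / m) for mi in counts if mi > 0)

def normalized_entropy(counts):
    """Equation (3): H / log2(n_o), n_o = number of distinct values of x.
    A source seen at a single destination has no spread at all, so n_o <= 1
    is defined here as 0.0 (assumption; avoids dividing by log2(1) == 0)."""
    counts = [c for c in counts if c > 0]
    if len(counts) <= 1:
        return 0.0
    return entropy(counts) / math.log2(len(counts))

def destination_counts(flows, source):
    """Packets per destination for one source: the distribution behind eq. (4)."""
    per_dst = Counter()
    for src, dst, n in flows:
        if src == source:
            per_dst[dst] += n
    return list(per_dst.values())

def detect(flows, source, threshold=DETECT_THRESHOLD):
    """Edge-router ADS: alarm when the source's normalized entropy is at or
    below the threshold (the attack flow dominates, so entropy drops)."""
    counts = destination_counts(flows, source)
    return bool(counts) and normalized_entropy(counts) <= threshold

def decide(edge_flows, next_flows, source):
    """Confirmation on the router after the edge router: 'drop' or 'forward'.
    Assumption: the entropy-rate check of eq. (7) is approximated by recomputing
    the normalized entropy of the same source's flows on the next router."""
    if not detect(edge_flows, source):
        return "forward"                 # no alarm raised at the edge router
    counts = destination_counts(next_flows, source)
    if not counts:
        return "forward"                 # flow no longer crosses this router
    if normalized_entropy(counts) <= CONFIRM_THRESHOLD:
        return "drop"                    # still concentrated: attack confirmed
    return "forward"                     # spread changed: it was a false positive
```

On the Fig. 6 data the edge router raises the alarm (normalized entropy about 0.93), but r3 sees only two balanced flows (about 1.0), so the packets are forwarded; the constructed flood stays concentrated on both routers and is dropped.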
Fig 6 shows the packet flows that were captured during the experiments. In our experiment, our detection algorithm shows that on Router 1 DDoS was detected but not confirmed. Similarly, on Router 2 no DDoS flow was detected. During the confirmation process on Router 3, the flow was confirmed as an attack, hence the packet drop mechanism was activated and the flow was successfully dropped.

Performance Evaluation: We observed that a threshold value of 0.97 results in a good detection rate and a threshold value of 0.90 results in good confirmation. Values greater than 0.97 and 0.90 result in a good detection rate and confirmation, i.e. 100% DDoS detection and confirmation respectively, but generate more false positive alarms as the value is increased from 0.97 to 1.0 (false detection alarms) or from 0.90 to 1.0 (false confirmation alarms). The reports are shown in figure 10 and figure 11, which are self-explanatory. Our experiments show that as more attacks are detected, more attacks are also confirmed, and vice versa. In some situations that might not be the case, as it is not assured that more network traffic will always mean a DDoS. Still the topic needs researchers' attention for further exploration and solutions.

Conclusion and Future Work: In this paper, we have proposed a new solution and algorithm [25-27] for DDoS attack confirmation and attack packet dropping for cloud computing [7, 8]. In the previous version of this article we introduced an ADS for recognition and early prevention of DDoS attacks in our suggested architecture. The problem of huge network access resulted in false positive alarms. That issue was the subject of this article. Our DDoS attack packet dropping algorithm will confirm the attack flow: if it is an attack flow, the flow is discarded; otherwise the flow is considered legitimate data packets and is forwarded to its destination, without any concern that it was targeted as a DDoS attack flow on the edge router. In future the proposed design and suggestion may be actually implemented over a cloud computing platform to precisely detect DDoS attacks [28-30]. The idea may also be extended to a recovery mechanism for DDoS attacks.

REFERENCES

1. Zakarya, M. and A.A. Khan, 2012. Cloud QoS, High Availability and Service Security Issues with Solutions. IJCSNS, 12(7): 71.
2. Zakarya, M. and S. Afzal, 2013. DDoS Confirmation and Attack Packet Dropping Algorithm in On-Demand Grid Computing Platform. VAWKUM Transactions on Computer Sciences, 1(1).
3. Shannon, C.E., 1948. A Mathematical Theory of Communication.
4. Shannon, C.E., 1949. Communication Theory of Secrecy Systems.
5. Cloud Security Alliance, 2010. Top Threats To Cloud Computing. Technical Report, March 2010. http://www.cloudsecurityalliance.org/topthreats.html
6. Applebaum, D., 2008. Probability and Information (An Integrated Approach). Cambridge University Press.
7. Cover, T.M. and J.A. Thomas, 2006. Elements of Information Theory, Second Edition.
8. Ludeña Romaña, D.A. and Y. Musashi. Entropy Based Analysis of DNS Query Traffic in the Campus Network. Japan.
9. Nychis, G., 2007. An Empirical Evaluation of Entropy-based Anomaly Detection. May 2007.
10. Zakarya, M., A.A. Khan and H. Hussain, 2010. Grid High Availability and Service Security Issues with Solutions. ICIIT 2010, 978-1-4244-8138-5/10/$26.00 © 2010 IEEE.
11. Zakarya, M. and I. Ur Rahman, 2013. A Short Overview of Service Discovery Protocols for MANETS. VAWKUM Transactions on Computer Sciences, 1(2).
12. Meenakshi, S. and S.K. Srivatsa, 2009. A Comprehensive Mechanism to reduce the detection time of SYN Flooding Attack.
13. Preeti, Y. Chaba and Y. Singh, 2008. Review of Detection and Prevention Policies for Distributed Denial of Service Attack in MANET.
14. Cover, T.M. and J.A. Thomas, 2006. Elements of Information Theory, Second Edition.
15. Murshed, M. and R. Buyya. Using the GridSim Toolkit for Enabling Grid Computing Education. Monash University, Australia.
16. Nychis, G., 2007. An Empirical Evaluation of Entropy-based Anomaly Detection.
17. Wu, Y.-C., W. Yang and R.-H. Jan. DDoS Detection and Trace-back with Decision Tree and Grey Relational Analysis. National Chiao Tung University, Taiwan.
18. Zakarya, M., N. Dilawar, M.A. Khattak and M. Hayat, 2013. Energy Efficient Workload Balancing Algorithm for Real-Time Tasks over Multi-Core. World Applied Sciences Journal, 22(10): 1431-1439.
19. Zakarya, M., I.U. Rahman, N. Dilawar and R. Sadaf. An integrative study on bioinformatics computing concepts, issues and problems. International Journal of Computer Science (IJCSI), 8(6).
20. Zakarya, M. and I.U. Rahman, 2013. A Secure Packet Drop Defense Mechanism in Wireless Mobile Ad-hoc Networks. IJREAT 2013.
21. Cha, B. and J. Kim, 2011. Study of Multistage Anomaly Detection for Secured Cloud Computing Resources in Future Internet. In Dependable, Autonomic and Secure Computing (DASC), 2011 IEEE Ninth International Conference on, pp: 1046-1050. IEEE.
22. Kar, S., 2009. An Anomaly Detection Scheme for DDoS Attack in Grid Computing (Doctoral dissertation).
23. Syed Navaz, S.A., V. Sangeetha and C. Prabhadevi, 2013. Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud. International Journal of Computer Applications, 62(15): 42-47.
24. Khan, A.A. and M. Zakarya, 2010. Performance Sensitive Power Aware Multiprocessor Scheduling in Real-time Systems. Technical Journal UET Taxila (Pakistan).
25. Zakarya, M., I. Rahman and I. Ullah, 2012. An Overview of File Server Group in Distributed Systems.
26. Zakarya, M., I.U. Rahman and A.A. Khan, 2012 (October). Energy crisis, global warming and IT industry: Can the IT professionals make it better some day? A review. In Emerging Technologies (ICET), 2012 International Conference on, pp: 1-6. IEEE.
27. Goyal, U., G. Bhatti and S. Mehmi. A Dual Mechanism for defeating DDoS Attacks in Cloud Computing Model.
28. Jeyanthi, N. and N.C.S.N. Iyengar, 2012. An Entropy Based Approach to Detect and Distinguish DDoS Attacks from Flash Crowds in VoIP Networks. International Journal of Network Security, 14(5): 257-269.