AN ANOMALY DETECTION SYSTEM FOR DDOS ATTACK IN GRID COMPUTING

Sumit Kar (1), Bibhudatta Sahoo (2)
1,2 NIT Rourkela/CSE, Rourkela, India
sumitk-cs209@nitrkl.ac.in, bdsahu@nitrkl.ac.in

ABSTRACT: Grid computing is rapidly emerging as a dominant field of wide area distributed computing. Grid computing is a collection of heterogeneous computers and resources across multiple organizations and delivers computing and resources as services to its users. The heterogeneity and scalability characteristics of the Grid introduce potential security challenges. Distributed Denial of Service (DDoS) attack is one of the major threats to grid computing services. A complete defense system against DDoS attack is based on three steps: (i) attack prevention, (ii) attack detection and recovery, and (iii) attack identification. This paper presents the vulnerability of Grid computing in the presence of DDoS attack. Our proposed method is based upon attack detection and recovery, and uses an entropy based anomaly detection system to detect DDoS attack. A grid topology model is used to describe how to implement the entropy based anomaly detection system in a grid environment.

Keywords: Grid computing, anomaly detection, entropy

1. INTRODUCTION

Grid technology has emerged as a form of high throughput wide area distributed computing. Grid computing [1] [2] provides an infrastructure that supports the sharing and coordinated use of heterogeneous computers and resources spread across multiple administrative domains. Due to the dynamic and multi-organizational nature of the grid, managing the security of both users and resources is the most challenging issue. First generation grids were deployed in research labs, academic institutions and for military use, but nowadays many enterprises are beginning to use grid technologies commercially as well [20], so maintaining QoS and security is important to meet user demand. The Grid uses the internet as its communication infrastructure, and middleware like Globus enables resource providers to make their services available to users.

The fusion of web services and grid technologies further increases the concern about security problems because of their complex nature [17]. A good classification of possible threats in grid computing can be found in [6], which is based on the threats to the different users associated with the Grid. Among these, Distributed Denial of Service (DDoS) attack is an immense threat to grid computing. For example, Sun's new on-demand grid computing service became the victim of a denial-of-service (DoS) attack on its first day of operation [20].

The remainder of the paper is organized as follows. Section 2 discusses related work. Section 3 presents the vulnerability of Grid computing to DDoS attack and describes the three steps used in our proposed defense system to secure the Grid. Section 4 outlines the need for an anomaly detection system in the Grid and discusses how an entropy based approach can be suitable for it. In section 5 we describe the entropy based anomaly detection approach and our detection algorithm. In section 6 we describe, using a grid topology model, how it can be implemented in the Grid, and section 7 concludes.

2. RELATED WORK

The vulnerabilities of the grid environment in the presence of DDoS have been presented in [10], where a distributed defense system for the Grid is proposed. The authors of [11] discussed the need for an intrusion detection system in a grid environment. They classified grid intrusions into four types: 1) unauthorized access, 2) misuse, 3) grid exploit and 4) host or network-specific attacks. They proposed a model composed of a high-level GIDS that utilizes the functionality of lower-level HIDS (host intrusion detection systems) and NIDS (network intrusion detection systems) provided through standard inter-IDS communication. Different techniques and challenges involved in anomaly detection systems can be found in [14]. Many articles like [13] use traffic volume (flow, packet or byte count) as the metric for an anomaly detection system. Volume based detection schemes have proved to be a good metric, but small DoS attacks that do not cause much change in traffic volume cannot be detected well by them.
Recently entropy and traffic distributions have been used for detecting DDoS attack anomalies. The author of [3] uses the entropy of the source address distribution for DDoS detection. [4] combined a PCA framework with entropy based metrics and showed that it can detect anomalies more efficiently than before. [5] suggested the use of different information measures for detecting malicious activities. The authors of [7] use the entropy rate to discriminate DDoS attack traffic from legitimate traffic. Our objective in this paper is to design an anomaly detection system based on entropy and entropy rate to detect DDoS attack in a Grid environment. In our algorithm we use normalized entropy, which is computed over the overall probability distribution of the captured flows, to get a more accurate result.

ISSN: 0974-3596 April 09 - September 09 Volume 1 : Issue 2 Page: 553

3. DoS ATTACK IN GRID

DoS and DDoS attacks [9] are the most common and deadly attacks today. A DoS attack involves sending a large number of packets to a destination to prevent legitimate users from accessing information or services. A DDoS attack uses the computing power of thousands of compromised machines, known as zombies, to target a victim. The zombies are made to send useless service requests and packets at the same time. DDoS attacks are not targeted at stealing, modifying or destroying information; their aim is to prevent legitimate users from using a service. It is very difficult to detect a DoS attacker because attackers generally use spoofed IP addresses, and this becomes more complicated in a large distributed system like the grid. The Grid Security Infrastructure (GSI) of grid middleware provides several security features that are required in a grid environment, including X.509 certificates, authentication using the Secure Socket Layer (SSL) protocol, authorization, delegation, auditing and single sign on [17]. Even so, due to the scalability and dynamic nature of the grid some security flaws remain, and the huge computational and storage capacity of grid computing may become the next platform for attackers [10]. If an intruder gets unauthorized access to the grid, the grid resources can be misused in different ways: the huge computational power can be used for breaking passwords or security systems, the large storage capacity can be used to store illegal software and data, and the huge bandwidth can be used for launching DDoS attacks. To secure the grid from DDoS attack the defense system can be divided into three steps: (i) attack prevention (before the attack), (ii) attack detection and recovery (during the attack), (iii) attack identification (after the attack).

3.1. DDoS Attack prevention

The aim of attack prevention mechanisms is to take preventive measures which cannot provide 100% security, but will decrease the strength of a DDoS attack. Based on the target of implementation, the mechanisms can be divided into system security and protocol security mechanisms [9].

System security mechanisms
System security deals with those mechanisms which are implemented on the end host. A DDoS attack requires thousands of compromised machines to target a victim, but if we strengthen the overall security of each host of the grid then it will be difficult for an attacker to launch an attack. Examples of system security mechanisms are firewall and micro firewall systems, anti virus systems, access control, packet filters and authorization systems.

Protocol security mechanisms
Protocol mechanisms increase security by designing a safe protocol so that resources are allocated to clients only after sufficient authentication and authorization are completed, so that resources do not waste time on attacks like the TCP SYN attack. The use of a proxy server has been proposed by the authors of [18].

3.2. Attack detection and recovery

The aim of attack detection and recovery is to detect the DDoS attack before it affects the end user. Intrusion detection systems [11] are widely used for DDoS detection. An intrusion detection system (IDS) is software and/or hardware which monitors the network or a computer system for suspicious activity and alerts the system manager or network administrator. We can classify IDSs by the target of implementation as host based and network based. The technique adopted for intrusion detection classifies IDSs into two types: signature based and anomaly based.

Signature based IDS
A signature based IDS monitors packets on the network and compares them against a maintained database of known threats. If the signature of the packets matches one of those known attacks, they are marked as malicious. The advantage of a signature based IDS is that signatures are easy to develop. The disadvantage is that it can only detect known attacks, for which a large up-to-date database of signatures for every attack must be created.

Anomaly-based IDS
An anomaly-based IDS [14] builds a profile of the normal behavior of the users using the system or network to detect intrusions. If the deviation of user activity is outside a certain threshold value, it is marked as malicious and a response is triggered. Anomaly detection has an advantage over signature-based detection in that a new attack can be detected if it falls outside the normal traffic patterns. The disadvantage of an anomaly detection system is the difficulty of defining rules. Setting a perfect threshold is also very challenging, because a small threshold creates many false positives and a high threshold reduces the effectiveness of the IDS [14]. After detection of an intrusion it is the work of the response system to take action so that the attack traffic is stopped without affecting legitimate users. Two response mechanisms are popularly used against DoS attack: filtering and rate limiting algorithms.

3.3. Attack source identification

Another difficulty in defending against DDoS attack is tracing the source of the attacks, because the attackers generally use spoofed IP addresses in the IP packets. The attack identification mechanism should therefore be flexible enough to trace the source of attack packets without depending on the source address field of the IP header. Different mechanisms have been proposed by different authors to trace back the source of spoofed IP packets, like the Advanced Marking Scheme and the Authenticated Marking Scheme [19], Probabilistic Packet Marking (PPM) and Deterministic Packet Marking (DPM). A more efficient method, Flexible Deterministic Packet Marking (FDPM), can be found in [8].

4. ANOMALY DETECTION SYSTEM FOR GRID

Previously, much work has been done using volume (number of bytes, packets or flows) as the principal metric for an anomaly detection system [13]. Volume based detection schemes can detect anomalies that cause large traffic changes, but anomalies like small DoS attacks which do not cause much change in traffic volume cannot be detected well. The attacks discussed above can be better detected by analyzing the distribution of traffic features. A traffic feature is a field in the header of the packet. One of the properties of the Grid Security Infrastructure (GSI) [17] is confidentiality of the data transferred over the network, for which the data transmitted over the grid must be encrypted. So the system cannot see the data payload portion of the packet because of encryption, and analysis must be based only on the low level information which can be extracted from the packet header. The next problem is to find a metric that can summarize the distribution of traffic features for use in an anomaly detection system. A number of articles suggested entropy as a metric for summarizing traffic distributions for anomaly detection [3] [4] [5] [15]. The use of entropy to analyze changes in traffic distributions has two benefits: i) using entropy for anomaly detection increases the detection capability compared to volume based methods; ii) it provides additional information to classify among different types of anomaly (worms, DoS attack,
port scanning). We consider two classes of distribution: i) flow header features (IP address, ports, and flow sizes) and ii) behavioral features (the number of distinct destination/source addresses that a host communicates with) [15]. The anomaly detection system discussed in this paper is based on analyzing the change in entropy of the above two traffic distributions.

5. ENTROPY BASED APPROACH

Entropy [16] is a measure of the uncertainty or randomness associated with a random variable, in this case the data coming over the network. The more random it is, the more entropy it contains. The value of sample entropy lies in the range [0, log n]: the entropy takes its minimum value 0 when all the items (IP addresses or ports) are the same and its maximum value log n when all the items are different. The entropy of a random variable X with possible values {x_1, x_2, ..., x_n} can be calculated as

$$H(X) = -\sum_{i=1}^{n} P(x_i) \log P(x_i) \qquad (1)$$

If we are interested in measuring the entropy of packets over unique source or destination addresses then the maximum value of n is 2^32 for IPv4 addresses. If we want to calculate the entropy over the various application ports then n is the maximum number of ports. Here P(x_i), where x_i ∈ X, is the probability that X takes the value x_i. Suppose we randomly observe X for a fixed time window w; then P(x_i) = m_i/m, where m_i is the frequency, or number of times, we observe X taking the value x_i, i.e. $m = \sum_{i=1}^{n} m_i$, and

$$H(X) = -\sum_{i=1}^{n} \frac{m_i}{m} \log \frac{m_i}{m} \qquad (2)$$

where H(X) is the entropy. If we want to calculate the probability of any source (destination) address then m_i is the number of packets with x_i as source (destination) address and m is the total number of packets:

$$P(x_i) = \frac{\text{number of packets with } x_i \text{ as source (destination) address}}{\text{total number of packets}}$$

Here the total number of packets is the number of packets seen in a time window T. Similarly we can calculate the probability for each source (destination) port as

$$P(x_i) = \frac{\text{number of packets with } x_i \text{ as source (destination) port}}{\text{total number of packets}}$$

Normalized entropy calculates the overall probability distribution in the captured flows for the time window T:

$$\text{Normalized entropy} = \frac{H}{\log n_0} \qquad (3)$$

where n_0 is the number of distinct x_i values in the given time window. In a DDoS attack the attack flow dominates the whole traffic captured in the time window t, and as a result the overall entropy of the traffic decreases in a detectable manner. But this is also possible in the case of massive legitimate network access. To confirm the attack we have to calculate the entropy rate as well. Here a flow is the set of packets which share the same destination address/port. In this mechanism we make one assumption: that the attacker uses the same function to generate attack packets at the zombies, and that it is a stationary stochastic process. According to [16], the entropy rates H(χ) of two such random processes are the same, where

$$H(\chi) = \lim_{n \to \infty} \frac{1}{n} H(X_1, X_2, \ldots, X_n) \qquad (4)$$

The steps of the DDoS detection algorithm are described in figure 1.

Algorithm 1: DDoS detection algorithm
1. Collect sample flows for a time window T on the edge routers
2. Calculate the router entropy $H(X) = -\sum_{i=1}^{n} P(x_i) \log P(x_i)$
3. Calculate NE = (H / log n_0), where NE = normalized router entropy
4. If NE < threshold (δ1), identify the suspected attack flow
5. Calculate the entropy rate $H(\chi) = \lim_{n \to \infty} \frac{1}{n} H(x_1, x_2, \ldots, x_n)$ of the suspected flow in that router and in the routers downstream
6. Compare the entropy rates H_i(χ), i ∈ n, on the routers
8. If H_i(χ) threshold (δ2), it is a DDoS attack; else legitimate traffic
9. Discard the attack flow.
Figure 1: DDoS detection algorithm

Definition 1: A stochastic process {X(t), t ∈ T} is a collection of random variables. For each t ∈ T, X(t) is a random variable. We refer to X(t) as the state of the process at time t. The set T is called the index set of the process.

Definition 2: A stochastic process is said to be stationary if the joint distribution of any subset of random variables is invariant with respect to shifts in the time index, i.e. $\Pr\{X_1 = x_1, X_2 = x_2, \ldots, X_n = x_n\} = \Pr\{X_{1+l} = x_1, X_{2+l} = x_2, \ldots, X_{n+l} = x_n\}$.

Definition 3: The entropy rate is the rate of growth of the entropy of a random process. If we have a sequence of n random variables, then the entropy rate of the stochastic process {x_i} is defined by $H(\chi) = \lim_{n \to \infty} \frac{1}{n} H(x_1, x_2, \ldots, x_n)$.

6. IMPLEMENTATION IN GRID

[Figure 2. Grid topology: sites A, B, C and D (hosts A1-A5, B1-B5, C1-C5, D1-D5) connected by Router 0 to Router 4, with the attack sources and the victim marked; the figure itself is not reproduced here.]

Grid computing can be thought of as a virtual organization which is a collection of some real organizations or sites [12]. In figure 2 we show a Grid topology model which is a collection of four sites, i.e. site A, site B, site C and site D, connected by 5 routers. We employ our proposed anomaly detection system in each router of the grid infrastructure. Edge routers near the source of traffic capture flows for a predefined time window T and calculate the router entropy and the normalized router entropy.
If the normalized router entropy is less than a certain threshold δ1, the suspected DDoS attack flow is identified from the traffic. But this is also possible in the case of massive legitimate network access. To confirm the attack, the entropy rate of the suspected flow is calculated in that router according to Eq. (4). Based on the destination address in the IP header of the packets and the routing table, the router discovers the downstream routers and sends a security alarm to those routers to calculate the entropy rate of the suspected flow. As discussed above, the entropy rates of attack flows at different routers in the network are the same. If the calculated entropy rates on the routers are the same or very near, the attack is confirmed.

No real Grid environment is available for testing the performance, so real life experiments could not be performed. We have considered two examples using figure 2 to show how the detection scheme works. Suppose that in figure 2 nodes A1 and C4 are attack sources and D1 is the victim. Based on the DDoS detection algorithm, flows coming from A1 will first be captured by router 1 and flows coming from C4 will be captured by router 3. Suppose that at router 1, router 2 and router 3 we have captured the flows given in table I, table III and table II respectively in a fixed time window T. The entropy of the flows is calculated according to Eq. (2) and Eq. (3). For easy understanding we have assigned IP addresses to each host.

Table I. Data for router 1
Source node   Destination address     No of packets   entropy term (-P log2 P)
A1            D1 [134.11.78.56]       6               0.47
A5            B5 [192.168.1.121]      2               0.44
A2            B2 [192.168.1.118]      3               0.51
Here router entropy = 0.47 + 0.44 + 0.51 = 1.42, n_0 = 3
Normalized router entropy NE = 1.42 / log2 3 = 0.89

Table II. Data for router 3
Source node   Destination address     No of packets   entropy term (-P log2 P)
C1            B4 [192.168.1.122]      2               0.48
C2            D3 [134.11.78.54]       2               0.48
C4            D1 [134.11.78.56]       5               0.47
Router entropy = 0.47 + 0.48 + 0.48 = 1.43, here n_0 = 3
Normalized router entropy NE = 1.43 / log2 3 = 0.90

Table III. Data for router 2
Source node   Destination address     No of packets   entropy term (-P log2 P)
B1            C2 [192.168.213.109]    2               0.52
B2            C3 [192.168.213.108]    2               0.52
B3            C1 [192.168.213.110]    2               0.52
Router entropy = 0.52 + 0.52 + 0.52 = 1.56, n_0 = 3
Normalized router entropy NE = 1.56 / log2 3 = 0.98

Although the data are made up manually, we can see that for router 1 and router 3 the normalized router entropy is less than for router 2. In the first two cases one flow dominates the whole traffic, and as a result the normalized entropy decreases. If the threshold δ1 is perfect, suppose 0.94 for the above example, it will treat the flows coming from nodes A1 and C4 as suspected flows, after which the entropy rate is calculated. In figure 2, for router 1 the entropy rate of the suspected flow is calculated and compared in router 1 and router 0. Similarly, for router 3 the entropy rate of that flow is calculated and compared in both router 3 and router 0. When the entropy rates of the different routers are the same or less than δ2 apart, the attack is confirmed and the attack flow is discarded. All the calculations are based on log2.

7. CONCLUSION

A DDoS attack is a major and complex threat for Grid computing. The aim of this study was to investigate how a DDoS attack affects grid performance and to design an anomaly detection system. The attack must be detected and blocked before reaching the victim, with a high detection rate and a low false alarm rate. In this paper we have used the information theoretic parameters entropy and entropy rate to model an anomaly detection system for the Grid. We have placed the anomaly detection system in each router of the grid environment, and the routers cooperate with each other to detect the anomaly. The main advantage of the proposed method is that the attack is detected and blocked before reaching the victim, with a high detection rate. But the challenges of this approach lie in the case where the attacker uses different packet generation functions in an attack, and in setting a good threshold. The effectiveness of the proposed method has been proved theoretically.
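The detection steps of Algorithm 1 (section 5) and the worked example of Tables I-III (section 6), as an added Python example that is not part of the paper: it recomputes the router and normalized entropies of the three tables with δ1 = 0.94 and then runs the entropy-rate check with δ2 = 0.05 on constructed packet-size sequences. Two assumptions are mine, not the paper's: the suspected flow is taken to be the one with the largest packet share, and the entropy rate of Eq. (4) is estimated as the first-order conditional entropy H(X_t | X_{t-1}), which equals the entropy rate of a stationary Markov chain [16].

```python
import math
from collections import Counter

# Flows per router, constructed from Tables I-III of the paper:
# (source node, destination address, packets captured in the time window T).
ROUTER_FLOWS = {
    "router 1": [("A1", "134.11.78.56", 6), ("A5", "192.168.1.121", 2), ("A2", "192.168.1.118", 3)],
    "router 3": [("C1", "192.168.1.122", 2), ("C2", "134.11.78.54", 2), ("C4", "134.11.78.56", 5)],
    "router 2": [("B1", "192.168.213.109", 2), ("B2", "192.168.213.108", 2), ("B3", "192.168.213.110", 2)],
}

def flow_terms(flows):
    """One -p_i log2 p_i term per flow, with p_i = packets_i / total packets (Eq. 2)."""
    m = sum(n for _, _, n in flows)
    return [-(n / m) * math.log2(n / m) for _, _, n in flows]

def router_entropy(flows):
    """Router entropy H(X): the sum of the per-flow terms (step 2)."""
    return sum(flow_terms(flows))

def normalized_entropy(flows):
    """NE = H / log2(n0), n0 = number of distinct flows in the window (Eq. 3, step 3).
    With a single flow that flow dominates completely, so NE is 0 instead of dividing by log2(1)."""
    n0 = len(flows)
    return router_entropy(flows) / math.log2(n0) if n0 > 1 else 0.0

def suspected_flow(flows, delta1):
    """Step 4: return the suspected flow when NE < delta1, else None. Taking the flow with the
    largest packet share is an assumption; the paper does not say how the flow is selected."""
    if normalized_entropy(flows) >= delta1:
        return None
    return max(flows, key=lambda flow: flow[2])

def entropy_rate(seq):
    """Estimate H(chi) of Eq. (4) as the first-order conditional entropy H(X_t | X_{t-1}) in bits.
    For a stationary Markov chain this equals the entropy rate [16]; the estimator is an assumption."""
    pairs = Counter(zip(seq, seq[1:]))  # (previous, next) transition counts
    prev = Counter(seq[:-1])            # how often each symbol occurs as a predecessor
    total = sum(pairs.values())
    return -sum(c / total * math.log2(c / prev[a]) for (a, _), c in pairs.items())

def confirmed_attack(rates, delta2):
    """Step 8: the rates measured on the routers along the path agree within delta2."""
    return max(rates) - min(rates) <= delta2

# Constructed packet-size sequences of the suspected flow towards D1. A zombie generator
# emits the same stationary pattern wherever it is observed; a legitimate client differs.
def zombie_sizes(k):
    return [60, 60, 1500] * k

def legit_sizes(k):
    return [64, 1500, 64, 512] * k

if __name__ == "__main__":
    delta1, delta2 = 0.94, 0.05
    for name, flows in ROUTER_FLOWS.items():
        print(f"{name}: H={router_entropy(flows):.2f} NE={normalized_entropy(flows):.2f} "
              f"suspected={suspected_flow(flows, delta1)}")
    # The suspected flow as seen at router 1 and downstream at router 0 (different window lengths)
    attack = [entropy_rate(zombie_sizes(10)), entropy_rate(zombie_sizes(20))]
    legit = [entropy_rate(zombie_sizes(10)), entropy_rate(legit_sizes(8))]
    print("same generator on both routers:", attack, confirmed_attack(attack, delta2))
    print("different processes on the routers:", legit, confirmed_attack(legit, delta2))
```

Because the tables sum per-flow terms rounded to two decimals, the exact NE of routers 1 and 3 is about 0.906 (not 0.89 and 0.90) and that of router 2 is exactly 1.0, so the same flows are flagged at δ1 = 0.94; a δ1 chosen from rounded values can therefore sit too close to real data.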
In future work we will simulate the proposed algorithm, analyze the results and provide a road map for further research in this area.

8. REFERENCES

1. I. Foster, C. Kesselman, The Grid: Blueprint for a New Computing Infrastructure. Morgan Kaufmann Publishers, 1999.
2. R. Buyya, S. Venugopal, A Gentle Introduction to Grid Computing and Technologies, CSI Communications, 19 July 2005.
3. L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, Statistical Approaches to DDoS Attack Detection and Response. In Proc. of DARPA Information Survivability Conference and Exposition, 2003.
4. A. Lakhina, M. Crovella and C. Diot, Mining Anomalies Using Traffic Feature Distributions. In Proc. of ACM SIGCOMM, 2005.
5. W. Lee, D. Xiang, Information-Theoretic Measures for Anomaly Detection. In Proc. of IEEE Symposium on Security and Privacy, 2001.
6. N. Jiancheng, L. Zhishu, G. Zhonghe, S. Jirong, Threat Analysis and Prevention for Grid and Web Security Services, SNPD, pp. 526-531, 2007.
7. S. Yu, W. Zhou, Entropy-based Collaborative Detection of DDoS Attacks on Community Networks. In Proc. of IEEE International Conference on Pervasive Computing and Communications, 2008.
8. Y. Xiang and W. Zhou, A Defense System against DDoS Attacks by Large-Scale IP Traceback. In Proc. of Third International Conference on Information Technology and Applications (ICITA 05).
9. J. Mirkovic, J. Martin and P. Reiher, A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, ACM Computer Communications Review, Vol. 34, No. 2, April 2004.
10. Y. Xiang, W. Zhou, Protect Grids from DDoS Attack. In Proc. of Third International Conference on Grid and Cooperative Computing, vol. 3251, pp. 309-316, 2004.
11. A. Schulter, J. A. Reis, F. Koch, C. B. Westphall, A Grid-based Intrusion Detection System. In Proc. of ICNICONSMCL 06.
12. T. Zanti, J. Amadei, Daniel R. Panzehoski, S. Sweeney, Design and Analysis of an Adaptive, Global Strategy for Detecting and Mitigating Distributed DoS Attacks in GRID Environments. In Proc. of the 39th Annual Simulation Symposium (ANSS 06), 2006.
13. A. Lakhina, M. Crovella, and C. Diot, Diagnosing Network-Wide Traffic Anomalies. In ACM SIGCOMM, Portland, August 2004.
14. P. G. Teodoro, J. D. Verdejo, G. M. Fernandez, E. Vazquez, Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges, Computers & Security, 2008.
15. G. Nychis, V. Sekar, D. G. Andersen, H. Kim and H. Zhang, An Empirical Evaluation of Entropy-Based Traffic Anomaly Detection. Tech. Rep. CMU-CS-08-145, Computer Science Department, Carnegie Mellon University, 2008.
16. Thomas M. Cover and Joy A. Thomas, Elements of Information Theory, second edition, 2007.
17. S. Shirasuna, A. Slominski, L. Fang and L. Gao, Performance Comparison of Security Mechanisms for Grid Services. Proc. of the Fifth IEEE/ACM International Workshop on Grid Computing, pp. 360-364, 2004.
18. J. Wang, X. Liu and A. Chien, Empirical Study of Tolerating Denial-of-Service Attacks with a Proxy Network. In Proc. of the USENIX Security Symposium, 2005.
19. D. Xiaodong Song and A. Perrig, Advanced and Authenticated Marking Schemes for IP Traceback. IEEE INFOCOM, 2001.
20. http://www.sun.com/service/sungrid/index.jsp