An Approach for Detecting a Flooding Attack Based on Entropy Measurement of Multiple E-Mail Protocols




Journal of Applied Science and Engineering, Vol. 18, No. 1, pp. 79-88 (2015). DOI: 10.6180/jase.2015.18.1.10

Hsing-Chung Chen 1,2, Chuan-Hsien Mao 1 and Shian-Shyong Tseng 3*

1 Department of Computer Science and Information Engineering, Asia University, Taichung, Taiwan 413, R.O.C.
2 Department of Medical Research, China Medical University Hospital, China Medical University, Taichung, Taiwan 404, R.O.C.
3 Department of Applied Informatics and Multimedia, Asia University, Taichung, Taiwan 413, R.O.C.
*Corresponding author. E-mail: sstseng@asia.edu.tw

Abstract

In recent years, many approaches have been proposed by researchers to examine the RTT (round-trip time) and RTO (retransmission timeout) of message traffic accessing email and to determine whether that traffic is dangerous. The aim of this study is to protect an electronic mail (email) server system, based on integrated entropy calculations of the RTT and RTO of multiple protocols, in order to detect flooding attacks. Entropy is a concept from the mathematical theory of communication. It can be used to measure the uncertainty or randomness in a random variable. A normal email server usually supports four protocols: the simple mail transfer protocol (SMTP), post office protocol version 3 (POP3), Internet Message Access Protocol version 4 (IMAP4), and HTTPS, which is used by remote web-based email. However, on the internet there are many flooding attacks that attempt to paralyze an email server system. Therefore, we propose a new approach for detecting flooding attacks based on integrated entropy measurements for an email server. Our approach can reduce the misjudgment rate compared to conventional approaches.

Key Words: Entropy, Flooding Attack, E-mail Server, RTT, RTO

1. Introduction

In recent years, the rapid development of technology has helped people to communicate and share information via the internet. Email has become one of the necessary communication services for internet users. Electronic mail (email) is a method of exchanging digital messages from one person to one or more recipients by connecting through the internet or a computer network. There are many reasons for using email services, from private purposes to business purposes. An email service provider (ESP) is an organization which provides email servers to send, receive and store emails for personal and/or organizational needs. Some ESPs that provide services to the general public for personal email are Gmail, Yahoo Mail, Hotmail and many others.

Each email server is able to support many kinds of protocol. In 1982, at the early stage of email development, the simple mail transfer protocol (SMTP, for short) was formulated in RFC (Request for Comments) 821 [1,2]. SMTP is a protocol by which a mail sender communicates with a mail receiver. On certain types of smaller nodes in the internet it is often impractical to maintain a message transport system [3]. For example, a workstation may not have sufficient resources (cycles, disk space) to permit an SMTP server [RFC821] [3]. To solve this problem, the post office protocol version 3 (POP3, for short) is intended to permit a workstation to dynamically access a maildrop on a server host in a useful fashion. Usually, this means that the POP3 protocol is used to allow a workstation to retrieve mail that the server is holding for it. POP3 is an application-layer Internet standard protocol used by local email clients to retrieve email from a remote server over a transmission control protocol/internet protocol (TCP/IP) connection. The other protocol which is also supported by email servers is the Internet Message Access Protocol (IMAP, for short) [4]. In 2003, M. Crispin [5] proposed the latest version, IMAP version 4rev1 (IMAP4, for short), which is formulated in RFC 2060. It has also been published with the Internet Engineering Task Force (IETF). IMAP4 allows a client to access and manipulate electronic mail messages on a server [5]. IMAP4 permits manipulation of remote message folders, called mailboxes, in a way that is functionally equivalent to local mailboxes. IMAP4 also provides the capability for an offline client to resynchronize with the server.

There is another approach for supporting email services, called webmail (or web-based email) [6,7]. It is any email client implemented as a web application accessed via a web browser. For example, when accessing webmail at https://webmail.asia.edu.tw, you will be redirected to an SSL [6] secured address and your connection will be encrypted. The secure sockets layer (SSL) protocol version 3.0 was proposed by P. Karlton [6] in 2011 and is formulated in RFC 6101 [6]. It is a security protocol that provides communications privacy over the internet via HTTPS (hypertext transfer protocol secure). The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery [6]. Moreover, the most direct approach is to use the RTT (round-trip time) and RTO (retransmission timeout) of the transmission control protocol (TCP) [8]. When a connection is created, the sender communicates with the receiver, and the receiver's response completes a round trip. The time taken by this round trip is the RTT, and from it one can tell whether the message traffic is normal or not [8].

However, a simple email server has a lot of users and, because of its importance, it is an easy target to attack. The methods of attack include SMTP flooding attacks, spam attacks and malicious attachments in emails [9-13]. The various flooding attacks will increase the load on the server. In this paper, we propose an approach for detecting flooding attacks based on an integrated entropy measurement in an email server. We use the entropy operations [14-17] to analyse the received packets, in order to estimate the RTT and RTO from the SMTP, POP3, IMAP4 and HTTP message flows [18], and then evaluate the corresponding risk information. The risk information is then used to describe the status of the serving server. According to the value of this status, the server will determine whether it has suffered reduced performance from flooding attacks.

The remainder of this paper is organized as follows. Section 2 describes the SMTP, POP3, IMAP4 and entropy operation related work. In section 3, we propose a new approach for detecting flooding attacks based on the integrated entropy calculations of multiple protocols in an email server, and describe how to calculate the evaluated value of the risk information of the email server. Finally, we present our conclusions in section 4.

2. Related Works

In our proposed approach, we use the entropy measurement to detect the behaviour of the traffic of multiple protocols for an email server. Therefore, in section 2, we describe the RTT and RTO of the normal message flows of the SMTP standard [1,2], POP3 [3], IMAP [5] and HTTPS [6], and the entropy operations [14-17].

2.1 SMTP

First of all, SMTP was defined in RFC 821 [1,2]. It is an independent subsystem in a special communication system. In this communication system, it only needs a reliable channel to transmit the related sequence of message flows. SMTP is a simple but important email delivery protocol that can forward an email between two different networks. The architecture of SMTP is shown in Figure 1.

In the SMTP architecture [17], there are a sender, a sender-SMTP, a receiver-SMTP and a receiver. When a sender (user or file server) wants to connect to a receiver, it sends a request message for establishing a connection to the sender-SMTP. Then, the sender-SMTP establishes a two-way transmission channel in order to connect to the receiver. The receiver-SMTP will be at a destination point or a relay point. Thus, the sender-SMTP sends the related SMTP commands to the receiver-SMTP. Finally, the receiver-SMTP follows these commands to send back an SMTP response message to the sender-SMTP. According to the above steps, if the command-response pair is completed during one normal time period, it means that a round of the SMTP session was completed. The established SMTP message flows are divided into seven stages [17], as seen below: establishing a connection, HELO, MAIL FROM, RCPT TO, DATA, DATA TRANSFER, and QUIT. The SMTP message flows are shown in Figure 2 [4].

Figure 1. The SMTP architecture [1,2,4].
Figure 2. SMTP message flows [1,2,4].

2.2 POP3 (Post Office Protocol)

The post office protocol (POP) [3] is an application-layer internet standard protocol used by local email clients to retrieve email from a remote server over a TCP/IP connection. The POP3 message flow is shown in Figure 3 [3]. The POP3 flow of the transaction state is shown in Figure 4.

Figure 3. POP3 flow: authorization state [3].
Figure 4. POP3 flow: transaction state [3].

2.3 IMAP (Internet Message Access Protocol)

The Internet Message Access Protocol (IMAP) is one of the two general protocols for receiving electronic mail. The Internet Message Access Protocol version 4rev1 (IMAP4rev1) [5] allows a client to access and manipulate electronic mail messages on the server. IMAP4rev1 permits manipulation of mailboxes in a way that is functionally equivalent to local folders.

2.3.1 IMAP Message Flow

IMAP version 4 has been defined in RFC 3501 [5]. This protocol is a client/server interaction consisting of a client command, server data and a completion result response. The main architecture of IMAP is shown in Figure 5. The steps of this figure are described below.

1. Connection without pre-authentication (OK greeting)
2. Pre-authenticated connection (PREAUTH greeting)
3. Rejected connection (BYE greeting)
4. Successful LOGIN or AUTHENTICATE command
5. Successful SELECT or EXAMINE command
6. CLOSE command, or failed SELECT or EXAMINE command
7. LOGOUT command, server shutdown, or connection closed

Once authenticated, it is not possible to re-enter the not-authenticated state. In addition, the universal commands (any-state commands) are valid in the not-authenticated state. A description of the client-server communication in the not-authenticated state is shown in Figure 7 below.

Figure 5. IMAP architecture [5].

2.3.2 IMAP Client Commands: Any State

Among the any-state client commands there are three commands: CAPABILITY, NOOP, and LOGOUT. These commands can always be used in the not-authenticated state, the authenticated state, and the selected state. The client-server communication flow for the any-state commands is shown in Figure 6.

2.3.3 IMAP Client Commands: Not Authenticated State

In the not-authenticated state, the AUTHENTICATE or LOGIN command establishes authentication and enters the authenticated state. The AUTHENTICATE command provides a general mechanism for a variety of authentication techniques, privacy protection, and integrity checking [5]. The STARTTLS command is an alternate form of establishing session privacy protection and integrity checking, but does not establish authentication or enter the authenticated state. Server implementations may allow access to certain mailboxes without establishing authentication. This can be done by means of the ANONYMOUS authenticator. An older convention is a LOGIN command using the userid "anonymous"; in this case, a password is required although the server may choose to accept any password. The restrictions placed on anonymous users are implementation-dependent [5].

2.3.4 IMAP Client Commands: Authenticated State

In the authenticated state, commands that manipulate mailboxes are permitted. Of these commands, the SELECT and EXAMINE commands select a mailbox for access and enter the selected state. In the authenticated state, the universal commands (CAPABILITY, NOOP, and LOGOUT) are also valid and can be used. The commands in the authenticated state are: SELECT, EXAMINE, CREATE, DELETE, RENAME, SUBSCRIBE, UNSUBSCRIBE, LIST, LSUB, STATUS, and APPEND. For a description of the client-server communication in the authenticated state for IMAP, please see Figure 8.

Figure 6. IMAP flow: any state [5].
Figure 7. IMAP flow: not authenticated state [5].
Figure 8. IMAP flow: authenticated state [5].

2.4 HTTPS

HTTPS is a communications protocol for secure communication over the internet. Technically, it is not a protocol in and of itself; rather, it is the result of simply layering HTTP on top of the SSL/TLS (secure sockets layer/transport layer security) protocol [6], thus adding the security capabilities of SSL/TLS to standard HTTP communications. In its popular deployment on the internet, HTTPS provides authentication of the web site and associated web server that one is communicating with, which protects against man-in-the-middle attacks [7].

2.5 RTT and RTO

In this subsection, RTT [8] and RTO [8] are described.

2.5.1 RTT

RTT is the time required for a packet to travel from a specific source to a specific destination and back again. Typically, RTT is divided into three parts: propagation delay, processing delay and queuing delay [8]. The first of these, the propagation delay of a TCP connection, is essentially fixed. The queuing and processing time at the router caches varies with the degree of congestion of the whole network. Therefore, the variation of RTT reflects the degree of network congestion.

1) Mean deviation (MD)

The mean deviation is the mean of the distances between each value and the mean. It gives an idea of how spread out from the center the set of values is. The equation [8] is shown as (1).

(1)

By calculating the MD, we are able to determine the volatility of certain information. As used here, the MD measures the jitter of the RTT.

2) RTT measurement principle

RTT measurements [8] can be made in two ways:

A. TCP Timestamp Option

The TCP timestamp option can be used to accurately measure RTTs [8]. The equation [8] is shown as (2).

RTT = current time - timestamp recorded (sending time)    (2)

The recorded timestamp is the time at which the packet flow was sent out, so a measurement of RTT is easily obtained: it is the difference between the receive (current) time and the send time.

B. The retransmission queue control block of TCP data packets

In TCP retransmission, the queue saves the sent but unacknowledged data packets. The equation [8] is shown as (3).

RTT = current time - tcp_skb_cb    (3)

where tcp_skb_cb means the transmission time of the first data packet. TCP has to use Karn's algorithm [8] for taking RTT samples. That is, RTT samples MUST NOT be made using segments that were retransmitted (and thus for which it is ambiguous whether the reply was for the first instance of the packet or a later instance). The only case in which TCP can safely take RTT samples from retransmitted segments is when the TCP timestamp option is employed, since the timestamp option removes the ambiguity regarding which instance of the data segment triggered the acknowledgement [8].
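To make the RTT sampling rules above concrete, the following added Python example (not code from the paper) takes RTT samples from constructed segment records under Karn's rule, with the timestamp-option exception of equation (2), computes the mean deviation of equation (1), and derives an RTO with the estimator of RFC 2988 (the RFC that section 2.5.2 cites for the RTO; its formula is not on this page). The Segment record, its field names and the sample values are assumptions made for the example.

```python
"""RTT sampling under Karn's rule, mean deviation and RFC 2988 RTO.

Added example; not the paper's code. The Segment record and the sample
segments below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class Segment:
    """One sent TCP data segment as seen by the sender (assumed record layout).

    ts_echo is the timestamp the receiver echoed in the ACK when the TCP
    timestamp option is in use; None means the option was not used.
    """
    seq: int
    send_time: float              # time of the (last) transmission, seconds
    ack_time: Optional[float]     # time the ACK arrived; None if unacknowledged
    retransmitted: bool = False   # the segment was sent more than once
    ts_echo: Optional[float] = None


def rtt_samples(segments: List[Segment]) -> List[float]:
    """One RTT sample per acknowledged segment, following Karn's rule.

    A retransmitted segment is skipped unless the timestamp option says which
    transmission the ACK answers (equation (2): RTT = now - echoed timestamp);
    otherwise the sample is ack_time - send_time (equation (3)).
    """
    samples = []
    for seg in segments:
        if seg.ack_time is None:
            continue                    # still in the retransmission queue
        if seg.retransmitted:
            if seg.ts_echo is None:
                continue                # Karn's rule: ambiguous instance, no sample
            samples.append(seg.ack_time - seg.ts_echo)
        else:
            samples.append(seg.ack_time - seg.send_time)
    return samples


def mean_deviation(values: List[float]) -> float:
    """Mean absolute distance of each value from the mean (equation (1))."""
    if not values:
        raise ValueError("mean deviation of an empty sample set is undefined")
    m = mean(values)
    return sum(abs(v - m) for v in values) / len(values)


def rto_estimate(samples: List[float], granularity: float = 0.0,
                 min_rto: float = 0.0) -> float:
    """RFC 2988 retransmission timeout from a series of RTT samples.

    First sample R: SRTT = R, RTTVAR = R/2.  Each later sample R':
    RTTVAR = 3/4 RTTVAR + 1/4 |SRTT - R'|, then SRTT = 7/8 SRTT + 1/8 R'.
    RTO = SRTT + max(G, 4 RTTVAR), rounded up to min_rto (RFC 2988
    recommends 1 s; the default here is 0 so the raw value is visible).
    """
    if not samples:
        raise ValueError("need at least one RTT sample")
    srtt, rttvar = samples[0], samples[0] / 2.0
    for r in samples[1:]:
        rttvar = 0.75 * rttvar + 0.25 * abs(srtt - r)
        srtt = 0.875 * srtt + 0.125 * r
    return max(min_rto, srtt + max(granularity, 4.0 * rttvar))


# Constructed sample: five segments, two of them retransmitted, one unacknowledged.
SAMPLE_SEGMENTS = [
    Segment(seq=1, send_time=0.00, ack_time=0.10),
    Segment(seq=2, send_time=0.20, ack_time=0.50, retransmitted=True),                # skipped
    Segment(seq=3, send_time=0.70, ack_time=0.90, retransmitted=True, ts_echo=0.70),  # usable
    Segment(seq=4, send_time=1.00, ack_time=1.30),
    Segment(seq=5, send_time=1.40, ack_time=None),                                    # no ACK yet
]


if __name__ == "__main__":
    s = rtt_samples(SAMPLE_SEGMENTS)
    print("RTT samples (s):", [round(v, 3) for v in s])
    print("mean deviation (jitter):", round(mean_deviation(s), 4))
    print("RFC 2988 RTO (s):", round(rto_estimate(s), 4))
```

Only three of the five constructed segments yield samples: the retransmitted segment without a timestamp echo is dropped by Karn's rule, and the unacknowledged one has nothing to measure yet.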

2.5.2 RTO

TCP retransmission and timeout are very important for obtaining RTT measurements on a connection [8]. Because the network traffic changes, the retransmission time also changes. TCP needs to follow these changes and dynamically adjust the timeout of the retransmission timer, the RTO [8]. The RTO is described in RFC 2988: TCP uses a retransmission timer to ensure data delivery in the absence of any feedback from the remote data receiver, and the duration of this timer is referred to as the RTO [8].

2.6 Entropy Theory

Named after Boltzmann's H-theorem, Shannon [19,20] defined the entropy H (Greek letter Eta) of a discrete random variable X with possible values {x_1, ..., x_n} and probability mass function P(X) [19,20] as shown in (4).

(4)

where E is the expected value operator, and I is the information content of X. I(X) is itself a random variable. When taken from a finite sample, the entropy [19] can explicitly be written as (5).

(5)

where b is the base of the logarithm used. The common values of b are 2, Euler's number e, and 10, and the unit of entropy (the bit for b = 2) depends on whether b = 2, b = e, or b = 10. In the case of p(x_i) = 0 for some i, the value of the corresponding summand 0 log_b(0) is taken to be 0, which is consistent with the well-known limit in equation (6).

(6)

One may also define the conditional entropy of two events X and Y, taking values x_i and y_j respectively, as in equation (7).

(7)

where p(x_i, y_j) is the probability that X = x_i and Y = y_j. This quantity should be understood as the amount of randomness in the random variable X given that you know the value of Y [19,20].

3. Email Server Prevention Against Flooding Attack Based on Entropy

In this section, the integrated entropy measurements of multiple email protocols, with the supporting RTT and RTO, in an email server are described. There are four email protocols mentioned in section 2. It is assumed that the message flows for each protocol are divided into RTT and RTO message flows between a server and its clients. Then, the entropy operations are used to calculate the entropy values of the RTT and RTO message flows for each protocol individually. The two equation sets (8) and (9), for RTT and RTO respectively, are listed in Table 1. According to those equations, we define the Evolution Algorithm as below.

Table 1. The equations set of RTT and RTO message flows generated from four protocols

The equations set for RTT message flows (8) consists of one conditional entropy for each ordered pair of distinct protocols,
$H_u(X|Y),\ H_u(X|Z),\ H_u(X|S),\ H_u(Y|X),\ H_u(Y|Z),\ H_u(Y|S),\ H_u(Z|X),\ H_u(Z|Y),\ H_u(Z|S),\ H_u(S|X),\ H_u(S|Y),\ H_u(S|Z)$,
each of the form
$$H_u(X|Y) = -\sum_{i,j} p_u(x_i, y_j)\,\log P_u(x_i \mid y_j). \qquad (8)$$

The equations set for RTO message flows (9) consists of the same twelve conditional entropies with the subscript v in place of u,
$$H_v(X|Y) = -\sum_{i,j} p_v(x_i, y_j)\,\log P_v(x_i \mid y_j). \qquad (9)$$

Notes: X: SMTP; Y: POP3; Z: IMAP4; S: HTTP(S); u: RTT; v: RTO, where $X_K^{T,RTT} = \{x_1^{K,T,RTT}, x_2^{K,T,RTT}, x_3^{K,T,RTT}, \ldots\}$ is a random entropy value of the RTT message flow during sampling time duration T, and $X_K^{T,RTO} = \{x_1^{K,T,RTO}, x_2^{K,T,RTO}, x_3^{K,T,RTO}, \ldots\}$ is a random entropy value of the RTO message flow during sampling time duration T; $H(X_K^{T,RTT})$ is the entropy value set for the RTT message flow; $H(X_K^{T,RTO})$ is the entropy value set for the RTO message flow; $K \in \{X, Y, Z, S\}$.

Evolution Algorithm

Input: $(H(X_K^{T,RTT}), H(X_K^{T,RTO}))$, $K \in \{X, Y, Z, S\}$, an email service message flow pair that includes two entropy values, for the RTT and RTO message flows, during the sampling time duration T, where T = 1, 2, ..., t.

Output: the resulting cost values $C_K^T$ of the email server status in T. The cost values $C_K^T \in$ {critical high, very high, high, normal, low, very low} = {CH, VH, H, N, L, VL} are the evolution result used to support the further judgement of whether the email server is under flooding attack or not. The result also shows which of the email protocols the system is using is receiving flooding attacks.

Begin

Finally, the algorithm returns the cost values for the current sampling time duration T. The cost values indicate the evolution cost used to support the judgement of whether the email server is under flooding attack or not. The result also shows which of the email protocols the system is using is receiving flooding attacks.

End;

4. Simulation Results and Discussions

Compared to the scheme in [9], the proposed scheme is quite fast and easy to use for a real-time evolution in the judgement process of detecting flooding attacks from a traffic-volume view. Therefore, an example is shown in the simulation results in Example 1. Owing to the evolution algorithm proposed in section 3, the algorithm is quite simple for detecting heavy traffic with abnormal traffic flows applied to e-mail protocols.

Example 1. Assume that the four protocols served by an e-mail server are monitored. RTT values are obtained at four different time periods, where the time-period series is $T \in \{T_{n-3}, T_{n-2}, T_{n-1}, T_n\}$, $T_n$ is the current time, and $T_{n-1}$, $T_{n-2}$, $T_{n-3}$ are the past time periods, relative to $T_n$, at which RTT values were measured. Moreover, the RTO values are then calculated by using the measured RTT values. The simulated RTT results in Tables 2, 3 and 4 are used to calculate the RTO values for the time periods $T_{n-3}$, $T_{n-2}$ and $T_{n-1}$, the three periods preceding the current time period $T_n$. The calculated results for the current time period are shown in Table 5, in which the simulated RTT values are first obtained from the network and the RTO values are then calculated. Finally, the entropy values are calculated from the RTT and RTO values. The entropy values of RTT and RTO give the current cost value, which is compared with the average of the cost values obtained over the three past time periods. This approach provides the result shown in Table 5. Comparing the current cost value with the average of the three previous time periods, together with the change in the entropy values, makes it possible to detect whether the e-mail system with its four protocols is suffering a variety of flooding attacks or not. Finally, the system assigns a letter or combination of letters denoting the severity of the flooding attack as follows: CH, VH, H, N, L, VL.
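The conditional entropy columns H(X|Y)_u and H(X|Y)_v in Tables 2 to 5 are instances of equation (7) and of the equation sets (8) and (9) in Table 1. The following added Python example (not the paper's code) implements the Shannon entropy of equation (5) with the 0 log 0 = 0 convention of equation (6), the conditional entropy of a joint probability table, and a per-protocol flow entropy over bucketed RTT samples. The RTT samples, the bucket width and the pairing of two flows' samples by index are assumptions made for the example; the page does not state how the P(x,y) values in the tables were derived from the measured RTT values, so the example does not reproduce those numbers.

```python
"""Shannon entropy, conditional entropy and per-flow entropy of RTT samples.

Added example; not the paper's code. The RTT sample lists are constructed.
"""
import math
from collections import Counter
from typing import Dict, Hashable, Iterable, List, Sequence, Tuple


def entropy(probs: Iterable[float], base: float = 2.0) -> float:
    """H(X) = -sum_i p(x_i) log_b p(x_i), with 0 log 0 taken as 0 (equations (5) and (6))."""
    h, total = 0.0, 0.0
    for p in probs:
        if p < 0.0 or p > 1.0:
            raise ValueError(f"probability out of range: {p}")
        total += p
        if p > 0.0:                       # zero-probability summands contribute 0
            h -= p * math.log(p, base)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError("probabilities must sum to 1")
    return h


def conditional_entropy(joint: Dict[Tuple[Hashable, Hashable], float],
                        base: float = 2.0) -> float:
    """H(X|Y) = -sum_{i,j} p(x_i, y_j) log_b p(x_i | y_j) from a joint table (equation (7))."""
    if not math.isclose(sum(joint.values()), 1.0, abs_tol=1e-9):
        raise ValueError("joint probabilities must sum to 1")
    p_y: Dict[Hashable, float] = {}       # marginal p(y_j) = sum_i p(x_i, y_j)
    for (_, y), p in joint.items():
        p_y[y] = p_y.get(y, 0.0) + p
    h = 0.0
    for (_, y), p in joint.items():
        if p > 0.0:                       # p(x|y) = p(x,y) / p(y); 0 log 0 = 0
            h -= p * math.log(p / p_y[y], base)
    return h


def bucketize(rtt_seconds: Sequence[float], width_ms: int = 10) -> List[int]:
    """Quantise RTT samples into width_ms-millisecond bins (assumed width) so that
    the entropy is taken over a discrete alphabet; integer maths avoids float
    floor-division surprises at bin edges."""
    return [int(round(r * 1000)) // width_ms for r in rtt_seconds]


def flow_entropy(rtt_seconds: Sequence[float], width_ms: int = 10,
                 base: float = 2.0) -> float:
    """Entropy of one protocol's RTT (or RTO) message flow in a sampling period."""
    if not rtt_seconds:
        raise ValueError("empty flow")
    counts = Counter(bucketize(rtt_seconds, width_ms))
    n = len(rtt_seconds)
    return entropy([c / n for c in counts.values()], base)


def joint_from_pairs(xs: Sequence[float], ys: Sequence[float],
                     width_ms: int = 10) -> Dict[Tuple[int, int], float]:
    """Empirical joint distribution of two flows' bucketed samples, paired by index
    (an assumption: the i-th sample of each flow was taken in the same interval)."""
    if not xs or len(xs) != len(ys):
        raise ValueError("flows must be non-empty and of equal length")
    counts = Counter(zip(bucketize(xs, width_ms), bucketize(ys, width_ms)))
    return {pair: c / len(xs) for pair, c in counts.items()}


# Constructed RTT samples (seconds): a steady flow and a widely spread one.
NORMAL_SMTP_RTT = [0.004, 0.005, 0.004, 0.006, 0.005]
FLOODED_SMTP_RTT = [0.004, 0.123, 0.234, 0.056, 0.004]


if __name__ == "__main__":
    print("steady flow entropy :", flow_entropy(NORMAL_SMTP_RTT))
    print("spread flow entropy :", round(flow_entropy(FLOODED_SMTP_RTT), 4))
    j = joint_from_pairs([0.004, 0.005, 0.123, 0.004], [0.003, 0.110, 0.110, 0.003])
    print("H(SMTP | POP3) bits :", conditional_entropy(j))
```

A steady flow whose samples all fall in one bucket has entropy 0; the more the RTT samples spread across buckets, the larger the entropy, which is the quantity the paper tracks per protocol and per sampling period.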
Table 2. RTT values obtained at T = T_{n-3}

Proto  RTT     RTO     Proto  RTT     RTO     P(x,y)u  P(x,y)v  H(X|Y)u  H(X|Y)v  H_RTT+H_RTO
SMTP   0.0040  0.0520  POP3   0.0050  0.0325  0.0000   0.0017   0.0396   1.6405   1.6801
IMAP4  0.0080  0.0540  POP3   0.0030  0.0315  0.0000   0.0017   0.0208   1.5514   1.5722
SMTP   0.0090  0.0545  IMAP4  0.2340  0.3510  0.0021   0.0191   1.2887   3.6334   4.9221
SMTP   0.0010  0.0505  HTTPS  0.0020  0.0310  0.0000   0.0016   0.0199   1.6385   1.6584
POP3   0.0190  0.0595  SMTP   0.3340  0.5010  0.0063   0.0298   1.4316   3.6388   5.0704
POP3   0.2100  0.3150  IMAP4  0.0210  0.0405  0.0044   0.0128   0.0463   0.1899   0.2362
POP3   0.0110  0.0555  HTTPS  0.0120  0.0360  0.0001   0.0020   0.0772   1.6412   1.7183
IMAP4  0.0550  0.0825  SMTP   0.0080  0.0340  0.0004   0.0028   0.0332   1.0505   1.0837
IMAP4  0.1230  0.1845  HTTPS  0.0090  0.0345  0.0011   0.0064   0.0270   0.3841   0.4111
HTTPS  0.0010  0.0505  SMTP   0.0560  0.0840  0.0001   0.0042   0.5285   2.6902   3.2187
HTTPS  0.0670  0.1005  POP3   0.0110  0.0355  0.0007   0.0036   0.0424   0.8652   0.9077
HTTPS  0.0040  0.0520  IMAP4  0.0230  0.0415  0.0001   0.0022   0.1791   1.8932   2.0723
Note: RTT and RTO unit: second.

Table 3. RTT values obtained at T = T_{n-2}

Proto  RTT     RTO     Proto  RTT     RTO     P(x,y)u  P(x,y)v  H(X|Y)u  H(X|Y)v  H_RTT+H_RTO
SMTP   0.0020  0.0510  POP3   0.0080  0.0340  0.0000   0.0017   0.0712   1.7173   1.7885
IMAP4  0.0020  0.0510  POP3   0.0010  0.0305  0.0000   0.0016   0.0090   1.6067   1.6157
SMTP   0.1110  0.1665  IMAP4  0.0050  0.0325  0.0006   0.0054   0.0158   0.4224   0.4382
SMTP   0.2220  0.3330  HTTPS  0.0030  0.0315  0.0007   0.0105   0.0065   0.1371   0.1436
POP3   0.1030  0.1545  SMTP   0.0660  0.0990  0.0068   0.0153   0.2030   1.0522   1.2553
POP3   0.1020  0.1530  IMAP4  0.0220  0.0410  0.0022   0.0063   0.0709   0.5724   0.6433
POP3   0.1220  0.1830  HTTPS  0.1340  0.2010  0.0163   0.0368   0.3586   1.2825   1.6411
IMAP4  0.1130  0.1695  SMTP   0.0440  0.0660  0.0050   0.0112   0.1326   0.7176   0.8502
IMAP4  0.0090  0.0545  HTTPS  0.0260  0.0430  0.0002   0.0023   0.1722   1.8512   2.0235
HTTPS  0.0080  0.0540  SMTP   0.0210  0.0405  0.0002   0.0022   0.1433   1.8047   1.9479
HTTPS  0.0560  0.0840  POP3   0.0120  0.0360  0.0007   0.0030   0.0493   1.0720   1.1213
HTTPS  0.0340  0.0670  IMAP4  0.1250  0.1875  0.0043   0.0126   0.5420   2.8731   3.4151
Note: RTT and RTO unit: second.

Table 4. RTT values obtained at T = T_{n-1}

Proto  RTT     RTO     Proto  RTT     RTO     P(x,y)u  P(x,y)v  H(X|Y)u  H(X|Y)v  H_RTT+H_RTO
SMTP   0.0020  0.0510  POP3   0.0080  0.0340  0.0000   0.0017   0.0712   1.7173   1.7885
IMAP4  0.0020  0.0510  POP3   0.0010  0.0305  0.0000   0.0016   0.0090   1.6067   1.6157
SMTP   0.1110  0.1665  IMAP4  0.0050  0.0325  0.0006   0.0054   0.0158   0.4224   0.4382
SMTP   0.2220  0.3330  HTTPS  0.0030  0.0315  0.0007   0.0105   0.0065   0.1371   0.1436
POP3   0.1030  0.1545  SMTP   0.0660  0.0990  0.0068   0.0153   0.2030   1.0522   1.2553
POP3   0.1020  0.1530  IMAP4  0.0220  0.0410  0.0022   0.0063   0.0709   0.5724   0.6433
POP3   0.1220  0.1830  HTTPS  0.1340  0.2010  0.0163   0.0368   0.3586   1.2825   1.6411
IMAP4  0.1130  0.1695  SMTP   0.0440  0.0660  0.0050   0.0112   0.1326   0.7176   0.8502
IMAP4  0.0090  0.0545  HTTPS  0.0260  0.0430  0.0002   0.0023   0.1722   1.8512   2.0235
HTTPS  0.0080  0.0540  SMTP   0.0210  0.0405  0.0002   0.0022   0.1433   1.8047   1.9479
HTTPS  0.0560  0.0840  POP3   0.0120  0.0360  0.0007   0.0030   0.0493   1.0720   1.1213
HTTPS  0.0340  0.0670  IMAP4  0.1250  0.1875  0.0043   0.0126   0.5420   2.8731   3.4151
Note: RTT and RTO unit: second.
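The last four columns of Table 5 below follow from the notes under that table: the current cost value is C_K^{T_n} = H(X|Y)_u + H(X|Y)_v, C_K^{T_past} is the mean of the three previous periods' H_RTT + H_RTO sums (Tables 2 to 4), and "New H" is their difference. The following added Python example (not the paper's code) reproduces those columns from the figures in the tables and maps each difference to a severity letter. The cut-offs used for that mapping are an assumption, because the paper does not state them; they were chosen only so that the labels in Table 5 are reproduced, and the letters H and N never occur in the paper's example.

```python
"""Evolution cost evaluation for one sampling period (section 3, Table 5).

Added example; not the paper's code. The entropy figures are copied from
Tables 2-5 of the paper. The severity cut-offs are an ASSUMPTION: the paper
gives none, and these merely reproduce the Result column of Table 5.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class FlowPair:
    """One Table 5 row: protocol pair K, current H(X|Y)_u and H(X|Y)_v, and the
    three past cost values C_K for T_{n-1}, T_{n-2}, T_{n-3} (sums from Tables 4, 3, 2)."""
    pair: str
    h_rtt: float
    h_rto: float
    past_costs: Sequence[float]


def cost_value(h_rtt: float, h_rto: float) -> float:
    """C_K^{T_n} = H(X|Y)_u^{T_n} + H(X|Y)_v^{T_n} (Table 5 notes)."""
    return h_rtt + h_rto


def past_cost(past_costs: Sequence[float]) -> float:
    """C_K^{T_past}: mean of the three previous periods' cost values (Table 5 notes)."""
    if len(past_costs) != 3:
        raise ValueError("the paper averages exactly three past periods")
    return mean(past_costs)


def new_h(current: float, past: float) -> float:
    """'New H' column: change of the current cost value against the past average."""
    return current - past


def severity(delta: float) -> str:
    """Map the cost change to {CH, VH, H, N, L, VL}.

    ASSUMED thresholds (not from the paper): a rise of at least 1.0 is critical
    high, a smaller clear rise very high, a tiny rise high, no change normal,
    a fall of less than 1.0 low, and a fall of 1.0 or more very low.
    """
    if delta >= 1.0:
        return "CH"
    if delta >= 0.01:
        return "VH"
    if delta > 1e-4:
        return "H"
    if delta >= -1e-4:
        return "N"
    if delta > -1.0:
        return "L"
    return "VL"


def evaluate(row: FlowPair) -> Dict[str, object]:
    """Compute the last four Table 5 columns for one protocol pair."""
    current = cost_value(row.h_rtt, row.h_rto)
    past = past_cost(row.past_costs)
    delta = new_h(current, past)
    return {"pair": row.pair, "current": round(current, 4), "past": round(past, 4),
            "new_h": round(delta, 4), "result": severity(delta)}


# Table 5 rows (T_n) with past sums from Tables 4, 3 and 2 (T_{n-1}, T_{n-2}, T_{n-3}).
TABLE5: List[FlowPair] = [
    FlowPair("SMTP|POP3",   0.0757, 1.7006, (1.7885, 1.7885, 1.6801)),
    FlowPair("IMAP4|POP3",  0.0806, 1.6698, (1.6157, 1.6157, 1.5722)),
    FlowPair("SMTP|IMAP4",  0.0535, 0.4255, (0.4382, 0.4382, 4.9221)),
    FlowPair("SMTP|HTTPS",  0.0493, 0.3346, (0.1436, 0.1436, 1.6584)),
    FlowPair("POP3|SMTP",   0.0606, 1.4965, (1.2553, 1.2553, 5.0704)),
    FlowPair("POP3|IMAP4",  0.1401, 1.7723, (0.6433, 0.6433, 0.2362)),
    FlowPair("POP3|HTTPS",  0.1964, 0.9644, (1.6411, 1.6411, 1.7183)),
    FlowPair("IMAP4|SMTP",  0.5546, 2.9602, (0.8502, 0.8502, 1.0837)),
    FlowPair("IMAP4|HTTPS", 0.4555, 2.4555, (2.0235, 2.0235, 0.4111)),
    FlowPair("HTTPS|SMTP",  0.3854, 1.9078, (1.9479, 1.9479, 3.2187)),
    FlowPair("HTTPS|POP3",  0.0395, 0.6876, (1.1213, 1.1213, 0.9077)),
    FlowPair("HTTPS|IMAP4", 0.2103, 1.1523, (3.4151, 3.4151, 2.0723)),
]


def evaluate_all(rows: Sequence[FlowPair] = TABLE5) -> List[Dict[str, object]]:
    return [evaluate(r) for r in rows]


def flagged(rows: Sequence[FlowPair] = TABLE5, levels=("CH",)) -> List[Dict[str, object]]:
    """Protocol pairs whose severity is in `levels`, i.e. the flows to look at first."""
    return [r for r in evaluate_all(rows) if r["result"] in levels]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f'{r["pair"]:12} C_Tn={r["current"]:.4f} C_past={r["past"]:.4f} '
              f'NewH={r["new_h"]:+.4f} {r["result"]}')
```

Small rounding differences against the printed C_K^{T_n} column (for example 1.7504 here versus 1.7503 in Table 5) come from the table's figures being rounded to four decimals before they were summed; the severity letters match the Result column for all twelve rows.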
Final results for current time T = T_n

Protocol  RTT     RTO     Protocol  RTT     RTO     P(x,y)_u  P(x,y)_v  H(X|Y)_u  H(X|Y)_v  CK_Tn   CK_Tpast  New H    Result
SMTP      0.0050  0.0525  POP3      0.0100  0.0350  0.0001    0.0018    0.0757    1.7006    1.7763  1.7524     0.0239  VH
IMAP4     0.0090  0.0545  POP3      0.0120  0.0360  0.0001    0.0020    0.0806    1.6698    1.7503  1.6012     0.1492  VH
SMTP      0.1230  0.1845  IMAP4     0.0180  0.0390  0.0022    0.0072    0.0535    0.4255    0.4789  1.9328    -1.4539  VL
SMTP      0.1450  0.2175  HTTPS     0.0180  0.0390  0.0026    0.0085    0.0493    0.3346    0.3839  0.6485    -0.2646  L
POP3      0.0210  0.0605  SMTP      0.0110  0.0355  0.0002    0.0021    0.0606    1.4965    1.5572  2.5270    -0.9698  L
POP3      0.0110  0.0555  IMAP4     0.0220  0.0410  0.0002    0.0023    0.1401    1.7723    1.9123  0.5076     1.4048  CH
POP3      0.1110  0.1665  HTTPS     0.0660  0.0990  0.0073    0.0165    0.1964    0.9644    1.1608  1.6669    -0.5061  L
IMAP4     0.0220  0.0610  SMTP      0.1120  0.1680  0.0025    0.0102    0.5546    2.9602    3.5148  0.9280     2.5868  CH
IMAP4     0.0560  0.0840  HTTPS     0.1230  0.1845  0.0069    0.0155    0.4555    2.4555    2.9110  1.4860     1.4250  CH
HTTPS     0.0750  0.1125  SMTP      0.1150  0.1725  0.0086    0.0194    0.3854    1.9078    2.2932  2.3715    -0.0783  L
HTTPS     0.0810  0.1215  POP3      0.0110  0.0355  0.0009    0.0043    0.0395    0.6876    0.7271  1.0501    -0.3231  L
HTTPS     0.0950  0.1425  IMAP4     0.0660  0.0990  0.0063    0.0141    0.2103    1.1523    1.3626  2.9675    -1.6049  VL

Notes: CK_{T_n} = H(X|Y)_u^{T_n} + H(X|Y)_v^{T_n}, CK_{T_past} = (CK_{T_{n-1}} + CK_{T_{n-2}} + CK_{T_{n-3}}) / 3, and the metric of RTT and RTO is second. The Result levels are CH, VH, H, N, L and VL, where CH is critical high, VH is very high, H is high, N is normal, L is low and VL is very low.

5. Conclusions

In this study, we proposed a new approach for detecting flooding attacks based on the integrated entropy measurements of multiple email protocols, using the RTT and RTO measured in an email system. Our approach can reduce the misjudgement rate compared to conventional approaches. By applying this approach, the current status of the email server can be quickly analysed to determine whether or not the server is suffering from multiple flooding attacks.
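As an added example (not code from the paper), the Python below recomputes the CK_Tn and New H columns of Table 5 from the two conditional entropies and the CK_Tpast baseline of each protocol pair, with the three-period baseline average written out as a function; the row values are copied from Table 5, and treating a positive New H as "entropy rising above its history" is my reading of the VH/CH rows, not a threshold the paper states.

```python
from statistics import mean

# Constructed from the first rows of Table 5 on this page: (protocol u, protocol v,
# H(X|Y)_u at T_n, H(X|Y)_v at T_n, baseline CK_Tpast). Values copied as printed.
TABLE5 = [
    ("SMTP",  "POP3",  0.0757, 1.7006, 1.7524),
    ("IMAP4", "POP3",  0.0806, 1.6698, 1.6012),
    ("SMTP",  "IMAP4", 0.0535, 0.4255, 1.9328),
    ("POP3",  "IMAP4", 0.1401, 1.7723, 0.5076),
    ("IMAP4", "SMTP",  0.5546, 2.9602, 0.9280),
    ("HTTPS", "IMAP4", 0.2103, 1.1523, 2.9675),
]

def integrated_entropy(h_u, h_v):
    """CK_Tn: the two conditional entropies of a protocol pair, summed."""
    return h_u + h_v

def baseline(past_cks):
    """CK_Tpast: mean CK over the preceding periods (the table note averages
    T_{n-1}, T_{n-2} and T_{n-3}); any number of past periods is accepted here."""
    if not past_cks:
        raise ValueError("need at least one past period to build a baseline")
    return mean(past_cks)

def deviation(h_u, h_v, ck_past):
    """New H = CK_Tn - CK_Tpast. A positive value means the pair's entropy
    rose above its recent history; Table 5 labels those rows VH or CH."""
    ck_now = integrated_entropy(h_u, h_v)
    return ck_now, ck_now - ck_past

def score_table(rows):
    """Map each protocol pair to (CK_Tn, New H), i.e. two Table 5 columns."""
    return {(u, v): deviation(h_u, h_v, ck_past) for u, v, h_u, h_v, ck_past in rows}

def rising_pairs(rows):
    """Pairs whose current CK exceeds the baseline, in table order."""
    return [pair for pair, (_, new_h) in score_table(rows).items() if new_h > 0]

if __name__ == "__main__":
    for (u, v), (ck_now, new_h) in score_table(TABLE5).items():
        print(f"{u}-{v}: CK_Tn={ck_now:.4f}  New H={new_h:+.4f}")
    print("rising:", rising_pairs(TABLE5))
```

The recomputed CK_Tn and New H agree with the printed columns to within the table's rounding (the paper sums unrounded entropies, so the last digit can differ by one).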
Finally, according to the evolution cost value of an email server obtained with the integrated entropy measurement approach proposed in this paper, flooding attacks can be detected more easily and quickly.

Acknowledgements

This work was supported in part by the Ministry of Science and Technology, Taiwan, Republic of China, under Grant MOST 103-2221-E-468-027, and also NSC 101-2511-S-468-007-MY3.

Hsing-Chung Chen et al.

Manuscript Received: Jun. 3, 2014. Accepted: Jan. 22, 2015.