A Ratio-Based Control Algorithm for Defense of DDoS Attacks


A Ratio-Based Control Algorithm for Defense of DDoS Attacks

Sheng-Ya Lin, Yong Xiong, Jyh-Charn Liu
Department of Computer Science, Texas A&M University, College Station, TX 77843
{shengya, yong, liu}@cs.tamu.edu
Technical Report 005--4 (report number partly lost in extraction), January 2005

Abstract

Resource depletion is a universal indicator of Distributed Denial of Service (DDoS) attacks. In this paper we propose a ratio-based control algorithm for detection and throttling of DDoS attacks. We use the sliding mode control (SMC) theory to formulate and optimize the traffic control conditions for DDoS defense. A cluster-based control model is developed for the environment of an open network at reduced computing cost. The control algorithm is shown to be highly flexible and robust against different types of attack patterns. It can be integrated with different low-level detection schemes so that bandwidth sharing can be implemented using one common framework.

1. Introduction

Distributed denial-of-service (DDoS), since it severely disrupted some public web sites years ago, remains a critical threat to Internet security. By sending a massive amount of packets to a selected target, a DDoS attack is aimed at depleting the computing and communication resources of the victim. The impact of an attack can be classified as disruptive or degrading [6]. It is more difficult to detect a degrading attack than a disruptive one, because it is harder to differentiate normal traffic from hostile traffic when the attack level is low. Bandwidth depletion can be caused by packet flooding or by redirect amplification of attack packets. DDoS attacks can be implemented at different protocol levels. In a flooding attack, agents (zombies) send large volumes of traffic to the victim to consume the victim system's bandwidth, whereas in an amplification attack the broadcast router redirects and amplifies the attack to the victim.

Many pattern-based and statistics/anomaly-based detection techniques have been developed in the literature. The pattern-based approach cannot defend against attacks unless the patterns are known a priori. The statistics-based detection approach needs to manage false alarms effectively, especially when the dynamics of the mixed regular/attack traffic flows are affected by the throttling mechanisms. In general, normal traffic is less affected when the DDoS traffic can be contained in proximity to its sources [5]. A prevention-based approach using resource accounting was proposed in [8] [9]. Spectral analysis [20], string matching [5], and game-theoretic sampling [4], etc., have also been proposed in the literature. The adaptive threshold scheme in [] measured the mean rate to detect attacks, but it is insensitive to attacks of low density. Cumulative Sum (CUSUM) [] [] [8] [9] is a widely adopted algorithm for detection of DDoS traffic. It effectively observes the change point of the packet stream to detect DDoS. The hop-count filtering technique [22] utilizes the time-to-live value to determine the legitimacy of a packet. This scheme is based on the observation that spoofed IP addresses are generated randomly, so it is hard for the attacker to create the matched value for each of them.

Knowing that attack traffic and normal traffic can be classified into two different types, this idea can be generalized to the notion of ratio-based DDoS detection. Traffic ratio is a good indicator for detection, e.g., MULTOPS [15], albeit it did not consider non-adaptive protocol attacks. The PacketScore (PS) algorithm [6] used the Conditional Legitimate Probability (CLP) as a score-based filtering approach to throttle packets. By computing the probabilistic distribution of packet attributes during the sampling period, each packet is checked to see if it conforms to the profile of normal traffic. An attack is detected when changes of the joint distributions of suspicious traffic types exceed some CLP thresholds. Most detection algorithms are designed for single-point detection. When the traffic patterns are stable, a static DDoS detection technique suffices. Without considering the effects of defense mechanisms, the detection scheme may produce excessive false alarms.

Four primary mechanisms have been developed for DDoS defense. Traceback provides the victim with the location of the attack source so that it can be quenched. Throttling reduces the suspicious influxes. Filtering identifies and prohibits specific types of malicious packets from entering the protected zone, and reconfiguration adjusts the network topology to quarantine the attacks. For better defense performance, the detection and response subsystems should be integrated.

In this paper we propose an area-wide control scheme for ratio-based DDoS defense. It is based on a similar observation of the traffic flow imbalance under DDoS attack as PacketScore, but our approach does not require probabilistic characterization of the traffic flows. To make the solutions practical and robust, we take a non-parametric approach where the target system is treated as a black box, so that only the system inputs and outputs need to be considered in the design of the control system. Based on the Sliding Mode Control (SMC) theory, this scheme can control traffic flows at any protocol layer because the system under control is treated as a black box. Assuming that a change-point detection technique such as CUSUM is employed, we focus on how to characterize the network dynamics using the bandwidth utilization ratio as the control object. The tradeoff between responsiveness and stability of a cluster-based DDoS defense architecture is analyzed.

The remainder of the paper is organized as follows: Section 2 discusses the traffic model and system architecture. Section 3 analyzes the traffic behavior and derives traffic balance equations. Section 4 extends the model from a single node to a cluster and gives an optimal control law aimed at maximizing the total admission ratios. Section 5 gives the simulation results to verify the performance of our control methodology. Section 6 concludes this paper.

2. Ratio-based detection and control of DDoS traffic

Detection and control of DDoS traffic are closely related. Control rules are designed to stabilize the detection and reaction behaviors by packet throttling. An effective detection algorithm must take into account the queuing and control dynamics when both the DDoS attack and its defense function are engaged. Otherwise the detection system will tend to give excessive false alarms. And the control decisions need to be made based on detection outcomes so

that optimal amounts of control adjustment can be delivered to the target system in a timely manner. Ratio-based control is not based on direct measurements of the physical system but on indirect performance measurements. In formulating the control objective, we pay attention to ensuring that the optimization process is consistent with the physical phenomenon. The bandwidth ratio can be a real-time function or a constant obtained by off-line statistical analysis, and the attribute of the measurement unit can be defined with respect to different protocol layers or protocol types as needed. The complexity of the underlying analysis for multiple flows apparently increases with the number of packet types being controlled. In this work we only consider a two-traffic-type control problem, which is adequate for defense against DDoS attacks. Unlike the CLP-based PacketScore that needs continuous updates of the traffic profile, the ratio-based control is stateless and distribution-free.

Ideally, defense against a DDoS attack should engage all network nodes to throttle attack traffic, but this is not possible for real-world operations. Furthermore, from the analytical viewpoint it is computationally infeasible to incorporate the dynamics of a large network into one single model in order to solve the stability problem. To balance between solution optimality and practicality, we adopt a Self-stabilizing Cluster System (SCS) [], i.e., Figure 1, as the design basis.

Figure 1. The SCS architecture for defense of DDoS attacks

A network can be divided into an arbitrary number of SCSs. Each cluster is assumed to be independently controlled. Obviously, the effectiveness of DDoS defense is proportional to the number of participating SCSs. In modeling the control systems, packet traffic is divided into inter-cluster (external) and intra-cluster (internal) traffic. A cluster is treated as an independent system where the inter-cluster traffic is the input/output of the system. The sum of external links entering the cluster is treated as one external variable so that it is less sensitive to the fluctuation of individual links. Intra-cluster traffic is modeled as system state variables to capture the dynamics of intra-cluster links. This way it allows easy coupling of clusters without compromising the accuracy of traffic dynamics.

In this paper we expand from the threshold-based SMC control scheme [] to a ratio-based control scheme. Our work in [] is a range-based control strategy where traffic rate control is based on an absolute threshold [0] []. Unlike packet filtering [7] [8] [9], this technique does not need accurate characterization of the attack traffic and is consistent with QoS mechanisms []. The system dynamics is tailored by the selection of the switching function, and its performance is insensitive to parameter and model uncertainty []. In this work we aim at precise control of the bandwidth ratio for two selected traffic types based on the same traffic model but a different analysis and optimization approach. The optimization process pays explicit attention to protection of other resources in throttling of hot traffic.

3. Full cluster control model

Our node model for defense of DDoS attacks is applicable to sources, targets, or the intermediate network nodes. Traffic under control is divided into two types, and each packet type is allowed to consume up to a fixed ratio of the total capacity. Our first goal is to minimize the impact of a DDoS attack within the cluster. As a result, we throttle the inbound traffic to maintain the ratio between traffic types at the target value. Without loss of generality, we assume that the topology in a cluster is a bilateral fully connected graph consisting of n nodes. If the link between node i and node j does not exist, we can simply set the throttle variable ρ of that link to zero in our model. Nodes in a cluster that need to have closer interactions with another cluster are called edge nodes. Edge nodes can be assigned to the cluster as needed. Nodes that are isolated from other nodes are called inner nodes. An illustration of node and traffic is shown in Figure 2, with the notations given in Table 1. Similar to the node model given in [] [], our node model can be applied to local hosts or external nodes.

Table 1. Notations used throughout the node model (symbol indices are lost in extraction; i denotes the node, j a neighbour, k the traffic type)

λ^k : the total rate of type-k traffic entering i
λ : the rate of internal traffic from i to j
λ^I : the rate of dispatched traffic in i to j
λ^k : the internal traffic rate of type k from i to j
(external inbound rate)^k : the external traffic rate of type k entering i

O^k : the external traffic rate of type k leaving i
(external inbound rate)^I : the dispatched traffic rate in i to the external link
O : outbound inter-cluster link leaving i
(link) : one-way intra-cluster link from i to j
(symbol lost) : the bandwidth of the link
ρ : the throttle level applied to the internal traffic λ
(symbol lost) : the throttle level applied to the external traffic
X^k : the queue length of type-k traffic on the intra-cluster link
X^k : the queue length of type-k traffic on the link O
U(X^k) : utility function for outbound traffic of type k on the link
H(X^k) : rejected ratio of outbound traffic
(symbol lost) : the percentile of λ dispatched to k
(symbol lost) : the percentile of λ dispatched to the external link

Figure 2. The general traffic model in a node

3.1 Balance equations in a node

On the basis of the traffic model, we now discuss the relationship between traffic flows based on four aspects: packet throttling, intra-cluster routing, queuing dynamics, and traffic output.

3.1.1 Throttling

For node i, λ and the external inbound rate are the inbound traffic from other internal and external nodes respectively, and the total traffic entering the node is expressed in (3.1). Congestion control is accomplished by adjusting the throttling variables ρ (internal) and the external throttle. The subscript of each symbol denotes a link from a sender to a receiver.

(3.1) [equation garbled in extraction: I I λ ρ λ ΦΛ λ], where ρ ∈ [0, 1] and the external throttle ∈ [0, 1], Φ = [ρ ...] and Λ = [λ ...].

Both Φ and Λ are rank-one matrices. If i does not have inputs from external links, then its external inbound rate is equal to 0. Symbols λ and the external rate respectively denote the intra-cluster and inter-cluster traffic, and λ^I and the external rate^I in (3.1) are packet rates after throttling is in effect. Packet flows closely affect one another in a cluster, especially when the DDoS attack is active. The relationship between these packet flows is one of the most important indicators for detection of a DDoS attack. To represent the relationship between these traffic flows, we use λ and the external rate to indicate these types in the link. Their relationship is defined in (3.2).

(3.2) [equation garbled in extraction: λ t λ t t t k]

3.1.2 Packet routing

In a cluster, packets are routed to different outbound paths based on their destination addresses. (3.3) is used to represent the routing relationship between different paths. Here the two dispatch percentiles are the ratios of the input traffic dispatched to other intra-cluster nodes and to the external link, respectively.

(3.3) [equation garbled in extraction: I λ t * λ t k k I t λ * t k k]

When the external percentile is 0, it means that the node is not connected to the external link.

3.1.3 Queuing dynamics

The outbound traffic of a link is a function of its queue length. When the buffer is empty, the departure rate is equal to the arrival rate. When the buffer is not empty, the maximum output rate is upper-bounded by the link capacity, and the change rate of the queue length is equal to the difference between the output and input rates.

(3.4) [equation garbled in extraction: X t λ t X * t k k k k k]

3.1.4 Output traffic

When the network traffic is heavy, packets are dropped based on the control laws (3.5). Let H denote the drop rate of the outbound traffic. (3.6) represents the dropped traffic and (3.7) the actual sending rate of the output link to internal nodes.

(3.5)-(3.7) [equations garbled in extraction: R X t * t λ t λ t; R λ t H X t * X t * t; λ t H X t * X t * t X t * t]

(3.8) denotes the actual output rate of the external link.

(3.8) [equation garbled in extraction: O t H X t * X t * t X t * t]

Substituting (3.1) into (3.4), we get the queue length change on the intra-cluster link in (3.9).

(3.9) [equation garbled in extraction: X t t X *[ ρ λ ]]

Similarly, the queue length change on the inter-cluster link can be expressed as below.

(3.10) [equation garbled in extraction: X t t X *[ ρ λ ]]

4. Simplified cluster traffic model

The complete cluster control model is a reference to characterize the cluster dynamics comprehensively. To reduce the computing cost, we propose a simplified model in Figure 3 for cluster analysis. We will use a 3-node cluster to make an in-depth study, and the result can easily be modified for different cluster sizes. We assume that there is no throttling between intra-cluster nodes, i.e., ρ^k = 1. For a three-node cluster, every node is considered intra-clustered, thus they do not block one another but handle the external DDoS attack together.

Figure 3. A reduced traffic model for a cluster

Let type 1 and type 2 denote the two packet types being controlled on each link. To control their admission ratio, the control object is defined as the ratio of the two outbound rates O^1/O^2 being equal to a target function of t, where the target function can be represented by spline, wavelet analysis, or other statistical techniques. For simplicity we assume that it is known. For any node in a cluster, the number of equations is equal to the number of outbound links multiplied by the number of traffic types. For a 3-node cluster we get six equations for each node. Due to the symmetric topology of the cluster, we just need to analyze one node. Balance equations of other nodes can be derived in a similar manner. For node 1 the equilibrium equations are:

(4.1) [equation garbled in extraction]

These flow balance equations are similar to those derived in [] [], except that the throttle variables are moved from the input flows to the front of the queue to reduce the effect of packet dispatch. Next we discuss the new control law to control the ratio between the two traffic types.

4.1 The ratio control problem

To reduce the impact of short-term traffic fluctuation, we take the moving average of the most recent packets as the measured variables of the control and detection system. Knowing that one cannot predict the stochastic behavior of flows, asymptotic control of the ratio is more effective than instantaneous control. Otherwise any control rule is subject to spontaneous crash due to random inputs. The SMC system consists of linear and switched laws. The linear control law is derived from the equivalent control, which controls the input after it is filtered by a low-pass filter. It is based on a continuous control model once the state reaches the switching manifold s(t) = 0, where s(t) denotes the switching function, one of the important components in SMC. The

construction of the switching function is based on the expected output and the relative degree of the system dynamics. Recall that our control objective is to keep the ratio of the two traffic types at a specified value. (4.2) depicts that our goal y is to control the traffic rates of the two types to a ratio, i.e., y is minimized when the ratio of the two packet flow types is equal to the specified ratio:

(4.2) y = (output rate of type 1 in the link) / (output rate of type 2 in the link) [remainder garbled in extraction: O O O O y]

where the specified constant is the target ratio of the two traffic types. In addition, the relative degree of a system is r when the input variable appears after the output function y is differentiated r times [] [4]. Then we can construct the switching function of an r-degree system using the following equation [garbled in extraction: 0 r r y y c s] []. In our model the relative degree is one because, by (4.3), the control variable appears after the output variable O is differentiated once:

(4.3) [equation garbled in extraction: } { and {}. m m k k O]

Therefore the switching function used in our cluster model is expressed in (4.4).

(4.4) [equation garbled in extraction: O O y s]

Furthermore, we derive the equivalent control law by setting the first derivative of s(t) to zero. In doing so, we plug (4.4) along with (4.1) into the derivative of s(t) and then obtain (4.5).

(4.5) [equation garbled in extraction: D t s O O O Φ; Φ = [ ... 6 5 4 ... ]]

where Φ is the control vector that contains all admission variables. The elements of the coefficient vector and D are respectively expressed in (4.6) and (4.7).

(4.6)-(4.7) [equations garbled in extraction: 6 5 4; D]

4.2 Optimization of the equivalent control law

When the derivative of s(t) is 0, the equivalent control vector Φ_eq can be obtained as the optimized solution of the continuous component by solving (4.8). As a heuristic choice, our objective is to maximize the admission variables (1: all packets accepted, 0: no packets accepted), subject to two constraints. Firstly, the derivative of s(t) being 0 is a necessary condition to derive the equivalent control law. Secondly, the values of the admission variables must fall within the range 0 to 1. This can be modeled as a linear optimization problem where the objective function is a linear combination of all input variables. In summary, we formalize this problem as (4.8).

(4.8) Maximize the sum of the admission variables in Φ, subject to the sliding condition (coefficient vector)·Φ = D and Φ ∈ [0, 1] [remainder garbled in extraction: m m } {...6]

(4.8) can be solved by using linear programming solvers such as the Matlab optimization toolbox [16] or lp_solve [17]. To guarantee that the value of the final controlled throttle variable lies within 0 and 1, we adaptively adjust the parameters of the switched component to keep the control law within a sensible range, as will be explained shortly. For the control object to reach its equilibrium, i.e., the expected bandwidth ratio between the two traffic types, one

must drive the control dynamics from any initial state to the sliding mode and make it stay on the switching surface s(t) = 0. The η-reachability condition s(t)·ṡ(t) ≤ -η|s(t)| guarantees that s(t) → 0 as t → ∞ [] [4]. To satisfy this condition and to reduce system uncertainties, the control law (4.9) combines Φ_eq with the discontinuous component k_m·sgn(s), where m ∈ {1, 2} indexes the traffic type and the link index runs over {1, ..., 6}, when driving the trajectory of s(t) onto the sliding surface. Next we discuss the control law of SCS for stabilizing the ratio of the two traffic types. Construction of the control law is based on the theory in [] [7]:

(4.9) u_1 = u_eq,1 - k_1·sgn(s), u_2 = u_eq,2 + k_2·sgn(s) [exact form partly garbled in extraction: k sgn s; k sgn s]

where k_1 and k_2 are design parameters and sgn is the signum function defined as sgn(s) = s/|s|. Note that the signs of the switched component of the control law for the two traffic types are opposite, so as to drive the traffic ratio to the target value rapidly. By substituting the control law into (4.9), we can prove that the trajectory of s will converge to the switching manifold s(t) = 0. The control law satisfies the reachability condition because s(t)·ṡ(t) = [garbled in extraction: 6 6 k k s] ≤ -η|s|, where η > 0. This is a stronger condition than requiring the right-hand side to be zero, because it guarantees that the output trajectory will reach the switching surface within a finite time, not an infinite one.

5. Design and Simulation

5.1 Design of adaptive parameters k_1 and k_2

We need to design k_1 and k_2 in (4.9) such that the admission level of each traffic type falls within the range [0, 1]. Two cases, sgn(s) > 0 and sgn(s) < 0, need to be carefully considered. We first analyze k_1 and then k_2 based on its complementary property with respect to k_1.

Case 1: sgn(s) > 0, i.e., u_1 = u_eq,1 - k_1. Condition 1: 0 ≤ u_eq,1 - k_1. Condition 2: k_1 > 0. In order to satisfy both conditions, k_1 must lie between 0 and u_eq,1, i.e., k_1 ∈ (0, u_eq,1], so that u_1 ≥ 0. As a heuristic choice, we expect the switched component to be adaptive and proportional to the equivalent control, i.e., k_1 = k_r·u_eq,1, where k_r ∈ (0, 1] is called the range parameter and defines the dynamic range of the control actions.

Case 2: sgn(s) < 0, i.e., u_1 = u_eq,1 + k_1. Condition 1: u_eq,1 + k_1 ≤ 1. Condition 2: k_1 > 0. Again these two conditions dictate the range of k_1, so that k_1 ∈ (0, 1 - u_eq,1]. Let k_r be the ratio of k_1 to (1 - u_eq,1); then k_1 = k_r·(1 - u_eq,1), where k_r ∈ (0, 1]. In summary, (5.1) represents our design for adaptive selection of the parameters.

(5.1) sgn(s) > 0: k_1 = k_r·u_eq,1, k_2 = k_r·(1 - u_eq,2); sgn(s) < 0: k_1 = k_r·(1 - u_eq,1), k_2 = k_r·u_eq,2, where k_r ∈ (0, 1] [exact form partly garbled in extraction]

5.2 Experimental evaluation

We evaluated the performance of our scheme using simulation. In the first experiment we regard the whole cluster as the control object without considering the states of individual links. The target ratio of the two traffic types in a 3-node cluster is set to 0.5 for the whole cluster, without considering individual links. That is, the bandwidth utilization of type-1 traffic should be half of that of type-2 traffic at the three output links of the cluster. In the simulation, packets have the same size and the bandwidth of each link is equal to 0^5 packets/sec (leading digit lost in extraction). External traffic sources are randomly generated using six independent random number generators. The ingress packet rate is bounded between [0.7-.]*10^4 for node 1, [0-]*10^4 for node 2 and [0.5-]*10^4 for node 3 (upper bounds partly lost in extraction). Packets have random paths, but a packet must leave the cluster after it has visited all nodes. Packet throttling is based on (4.9), where Φ_eq is derived using (4.8) and k_1 and k_2 are calculated using (5.1). The range parameter k_r is set to 0.6 in the whole study. By plugging the values of the above parameters into (4.9), we obtain the computed admission rates used for the current control decisions.

The simulation results are given in Figure 4 and Figure 5 respectively, where in Figure 4 the ratio of the total output rates between type-1 and type-2 traffic is about 50% with some instantaneous fluctuation. However, considering the cumulative ratios between the two types of traffic, the control performance appears to be right on target, i.e., 50%, except for the short initial period (see Figure 5).
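The single-link version of this control loop, written here as an added Python example (not the authors' code) so that the interaction of the equivalent control (4.8), the switched law (4.9) and the adaptive gains (5.1) can be run on constructed inbound rates. It assumes a throttled output equal to the admission variable times the inbound rate (queues ignored), a switching function s = O1 - alpha*O2 with alpha = 0.5 so that s > 0 means type-1 traffic is above its target share, the moving-average window and the name k_r for the range parameter, and the closed-form solution of the one-link LP.

```python
"""Single-link ratio controller in the style of the paper's SMC law
u = u_eq + k*sgn(s) with the adaptive gains of (5.1).  Added example, not
the authors' code.  Assumptions: throttled output of type m is u_m times
its inbound rate; the LP (4.8) on one link reduces to one equality and is
solved in closed form; the switching function is s = O1 - alpha*O2."""
import random
from statistics import mean


def sgn(x):
    """Signum function used by the switched component of (4.9)."""
    return 1.0 if x > 0 else (-1.0 if x < 0 else 0.0)


def equivalent_control(lam1, lam2, alpha):
    """Equivalent control: maximise u1 + u2 subject to the sliding
    condition u1*lam1 = alpha*u2*lam2 and 0 <= u1, u2 <= 1.
    On one link, one of the two admission variables can always be 1."""
    if lam1 <= 0.0 or lam2 <= 0.0:
        return (1.0, 1.0)          # assumption: no ratio to enforce
    u1 = alpha * lam2 / lam1       # try u2 = 1 (admit all type-2)
    if u1 <= 1.0:
        return (u1, 1.0)
    return (1.0, lam1 / (alpha * lam2))   # else u1 = 1, throttle type-2


def adaptive_gains(u_eq1, u_eq2, s, k_r):
    """Eq. (5.1): choose k1, k2 so that u_eq1 - k1*sgn(s) and
    u_eq2 + k2*sgn(s) stay inside [0, 1] for any k_r in (0, 1]."""
    if s > 0:   # type-1 above target: k1 cuts u1, k2 raises u2
        return k_r * u_eq1, k_r * (1.0 - u_eq2)
    return k_r * (1.0 - u_eq1), k_r * u_eq2


def control_law(u_eq1, u_eq2, s, k_r):
    """Eq. (4.9): equivalent control plus opposite-signed switched parts.
    The clamp is inactive in exact arithmetic thanks to (5.1)."""
    k1, k2 = adaptive_gains(u_eq1, u_eq2, s, k_r)
    u1 = u_eq1 - k1 * sgn(s)
    u2 = u_eq2 + k2 * sgn(s)
    return min(1.0, max(0.0, u1)), min(1.0, max(0.0, u2))


def simulate(steps=2000, alpha=0.5, k_r=0.6, window=20, seed=7):
    """Run the loop on constructed random inbound rates (packets/sec).
    Returns (cumulative ratio O1/O2, list of per-step (u1, u2))."""
    rng = random.Random(seed)
    in1, in2, out1, out2, admissions = [], [], [], [], []
    for _ in range(steps):
        lam1 = rng.uniform(0.7, 1.3) * 1e4   # constructed type-1 inbound
        lam2 = rng.uniform(1.0, 2.0) * 1e4   # constructed type-2 inbound
        in1.append(lam1)
        in2.append(lam2)
        # Moving averages of recent inputs/outputs, as in Section 4.1.
        u_eq1, u_eq2 = equivalent_control(mean(in1[-window:]),
                                          mean(in2[-window:]), alpha)
        s = (mean(out1[-window:]) - alpha * mean(out2[-window:])
             if out1 else 0.0)
        u1, u2 = control_law(u_eq1, u_eq2, s, k_r)
        admissions.append((u1, u2))
        out1.append(u1 * lam1)
        out2.append(u2 * lam2)
    return sum(out1) / sum(out2), admissions


if __name__ == "__main__":
    ratio, adm = simulate()
    print(f"cumulative type-1/type-2 ratio: {ratio:.3f} (target 0.5)")
```

With k_r = 0.6 the per-step admission levels swing widely, as the paper notes for large range parameters, while the cumulative ratio settles near the target.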

Figure 4. Input and output traffic traces in each node

Figure 5. The cumulative ratio of traffic types in the cluster

5.3 Control of a single link

In the second experiment we treated each link as an independent control system using slightly modified control rules. For the external outbound link of node i, s_i = O_i^1 - (target ratio)·O_i^2 [exact form garbled in extraction: O O s] is the switching function for the link to maintain the traffic ratio, and then we use (4.9) to obtain the control law. The switching function s in (4.9) is replaced by s_i, which means the control goal is determined by the independent link. Similarly, we also use s_i instead of s in (5.1) to acquire k_1 and k_2. To obtain the optimized admission rate Φ_eq for each link, we rewrite (4.5)-(4.7) as (5.2).

(5.2) [equation garbled in extraction: s t E Φ F; E = [ ]; F = [ ]]

where the coefficient vector is defined in (4.6), the remaining terms are defined in (4.8), and the type index ∈ {1, 2}. Hence Φ_eq can be computed by plugging the parameters of (5.2) into (4.8) to obtain its optimal value. After receiving Φ_eq, k_1 and k_2, we substitute them into the modified (4.9) and then obtain the admission variables of the two types. The first row of Figure 6 shows the instantaneous measurement of traffic ratios on the three links. The second row of Figure 7 shows that when taking the cumulative average of the traffic ratio, it asymptotically converges to the target value 0.5.

Figure 6. Traffic ratio control on inter-cluster links

We note that a larger value of the range parameter k_r lowers the chance of saturating the controller, but it comes at the price of a high level of oscillation. Figure 7 shows the time trace of the admission levels in terms of the percentile of inbound packets based on the second experiment. Given the cluster traffic inputs to the control system, the controller adjusts the throttling/admission levels dynamically.

Figure 7. Admission levels on each link for each type when k_r = 0.6 and the target traffic ratio is 0.5

cluster_algo:
  for each sampling time
    if score(adm_type_link(q)) > score(adm_type_link(q)), where q ∈ {1, 2, 3}
       (the type indices of the two score arguments are lost in extraction)
      then signal = 1
      else signal = 0
    send(signal)

Figure 8. Control algorithm used in the cluster

source_algo:
  for every fixed period
    receive(signal)
    if signal = 1
      then rate(type1) = rate(type1) * r1, where r1 > 1
      else rate(type1) = rate(type1) * r2, where r2 ∈ [0, 1)

Figure 9. MIMD algorithm used at the source

5.4 Pushback using the admission indicator

The admission level is designed for direct traffic throttling in the two experiments mentioned above. It was found that the admission level is also an effective indicator for detection of traffic ratio changes. We can use it to notify upstream packet sources to throttle their outbound traffic based on the pushback mechanism [10] [11]. The source uses a multiple-increase-multiple-decrease (MIMD) rule to adjust its packet flow increase or decrease ratio based on the feedback signals. That is, given the current traffic level, at each adjustment the traffic flow increases to 1+c or decreases to 1-c times the current level, where c is a constant. Figure 8 and Figure 9 describe the algorithms corresponding to the cluster and the source respectively. Here adm_type_link(q) denotes the expected admission level of a traffic type in outbound link q, and score(.) is a user-designed routine using admission levels of the same type as arguments for computing and performing binary traffic pushback. In our simulation we set r1 = 1.x (second digit lost in extraction) and r2 = 0.8, where type-1 traffic is adjusted at the sources according to the signal from the cluster, and type-2 traffic is assumed to be a reliable one that need not be adjusted.

Figure 10 shows the time traces of the traffic sources after the control is applied, where the controlled traffic has large yet relatively slow swinging shapes. The cluster admission levels under this control scheme are plotted in Figure 11, and the ratio between the two types of traffic is plotted in Figure 12. Compared to the plots in Figure 5 and Figure [number lost in extraction], the new results have slightly degraded yet excellent asymptotic stability. The ratio between type-1 and type-2 traffic still converges to the target value 0.5.

Figure 10. Source control using pushback

Figure 11. Cluster admission levels for type-1 and type-2 traffic

Figure 12. The ratios of the two traffic types on each link and for the whole cluster when the target value is 0.5

6. Conclusion

In this paper we proposed a ratio-based model using SMC for detection and control of DDoS attacks. To solve this multiple-input single-output system, we applied both control theory and linear optimization techniques to derive the ratio control laws. Knowing that the admission level is a relative measurement, the switched component of the control law is made adaptive according to the current throttling ratio. We derived the feasibility criteria for the design of the adaptive switched law and guaranteed the range of control variables to satisfy their constraints. Our design is simple and can be applied to different levels of control. The cluster-level control has excellent asymptotic stability in converging to the target ratio value. It was modified for independent link-level control to achieve similar performance. When the admission level of the cluster is used as a DDoS detection indicator for sources, we also achieve similar performance with some expected slight degradation in stability. It is well known that delay is a major concern for any feedback control system [] [] [4]. We tested but did not report the effect of delays due to space limits. It was found that the control performance remains highly stable when the delay is as high as one second or more, more than enough to address the cross-US-continent delays in most cases.

References

[1] Yong Xiong, S. Liu, P. Sun, "On the defense of the distributed denial of service attacks: an on-off feedback control approach," IEEE Transactions on Systems, Man, and Cybernetics, Part A, vol. 31, no. 4, 2001, pp. 282-293.
[2] Janusz Filipiak, Modelling and Control of Dynamic Flows in Communication Networks, Springer-Verlag, Berlin Heidelberg, 1988.
[3] C. Edwards and S. K. Spurgeon, Sliding Mode Control: Theory and Applications, Taylor & Francis Inc., Bristol, PA, 1998.
[4] Jean-Jacques Slotine and Weiping Li, Applied Nonlinear Control, Prentice Hall, Englewood Cliffs, N.J., 1991.
[5] J. Mirkovic, G. Prier, P. Reiher, "Source-end DDoS defense," in Proceedings of the Second IEEE International Symposium on Network Computing and Applications, April 2003.
[6] Jelena Mirkovic and Peter Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, issue 2, 2004, pp. 39-53.
[7] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," http://www.ietf.org/rfc/rfc2827.txt, 2000.
[8] J. Li, J. Mirkovic, M. Wang, P. Reiher and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," in Proceedings of IEEE Infocom 2002.
[9] K. Park and H. Lee, "On the Effectiveness of Route-based Packet Filtering for Distributed DoS Attack Prevention in Power-law Internets," in Proceedings of ACM SIGCOMM 2001, pp. 15-26.
[10] J. Ioannidis and S. M. Bellovin, "Implementing Pushback: Router-Based Defense against DDoS Attacks," in Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) 2002.
[11] R. Mahajan, M. Bellovin, S. Floyd, V. Paxson and S. Shenker, "Controlling high bandwidth aggregates in the network," ACM Computer Communications Review, July 2002.
[12] Jiejun Kong, M. Mirza, J. Shu, C. Yoedhana, M. Gerla and Songwu Lu, "Random flow network modeling and simulations for DDoS attack mitigation," in Proc. of the IEEE International Conference on Communications, vol. 1, May 2003, pp. 487-491.
[13] A. Isidori, Lecture Notes on Nonlinear Control, notes for a course at the Carl Cranz Gesellschaft, Aug. 1987.
[14] A. Isidori, Nonlinear Control Systems: An Introduction, Springer-Verlag, New York, 1989.
[15] T. M. Gil and M. Poletto, "MULTOPS: a data-structure for bandwidth attack detection," in Proceedings of the 10th Usenix Security Symposium, August 2001.
[16] Matlab. http://www.mathworks.com/products/optimization/.
[17] lp_solve. ftp://ftp.ics.ele.tue.nl/pub/lp_solve/.
[18] A. Garg and A. L. N. Reddy, "Mitigation of DoS attacks through QoS Regulation," in Proceedings of the IWQoS workshop, May 2002.
[19] F. Lau, S. H. Rubin, M. H. Smith and L. Trajkovic, "Distributed Denial of Service Attacks," in IEEE International Conference on Systems, Man, and Cybernetics, Nashville, USA, October 2000, pp. 2275-2280.
[20] Alefiya Hussain, John Heidemann and Christos Papadopoulos, "A Framework for Classifying Denial of Service Attacks," in Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, 2003.
[21] V. Siris and F. Papagalou, "Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks," in Proceedings of the IEEE Global Telecommunications Conference (Globecom 2004), Dallas, USA, 2004.
[22] Cheng Jin, Haining Wang and Kang G. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed Traffic," in Proceedings of the 10th ACM Conference on Computer and

ommuncaton Securty Washngton D.. USA 00. 0 4. [] H. Wang D. Zhang and Kang. Shn Detectng SY Floodng Attacks In Proceedngs of IEEE onference on omuter ommuncatons ew York June 00. [4] Mural Kodalam.V. akshman. Detectng etwork Intrusons vs Samlng: A ame heoretc Aroach In roceedngs of IEEE onference on omuter ommuncatons. San Francsco March 00. [5]. uck. Sherwood B. alder and. Varghese. Determnstc Memory-Effcent Strng Matchng Algorthms for Intruson Detecton In Proceedngs of IEEE onference on omuter ommuncatons Hong Kong. March 004. [6] Y. Km W.. au M.. huah and H. J. hao. PacketScore: Statstcs-based Overload ontrol aganst Dstrbuted Denal-of-Servce Attacks In Proceedngs of IEEE onference on omuter ommuncatons. Hong Kong. March 004. [7] Vadm I. Utkn Sldng Mode n ontrol Otmzaton Srnger-Verlag Berln Hedelberg ew York 99. [8]. Peng. ecke and R. Kotagr. Proactvely Detectng DDoS Attack Usng Source IP Address Montorng In Proc. of IFIP-6 conference on etworkng 004 Athensreece May 004 [9]. Peng. ecke and R. Kotagr Preventon from dstrbuted denal of servce usng hstory-based IP flterng In Proceedngs of IEEE Internatonal onference on ommuncatons 00 Anchorage Alaska USA August 00. [0] John Ioannds and Steven M. Bellovn "Imlementng Pushback: Router-Based Defense aganst DDoS Attacks" In Proceedng of etwork and Dstrbuted System Securty Symosum February 00. [] Ratul Mahaan Steven M. Bellovn Sally Floyd John Ioannds Vern Pason Scott Shenker. ontrollng hgh bandwdth aggregates n the network AM SIOMM omuter ommuncaton Revew Volume Issue July 00 [] Shn K..; Xanzhong uomutng tme delay and ts effects on real-tme control systems IEEE ransactons on ontrol Systems echnology. June 995. 8 4. [] Moroka H. Sabanovc A. Uchbor A.; Wada K. Oka M Alcaton of tme-delay-control n varable structure moton control systems. In Proceedngs of IEEE Internatonal Symosum on Industral Electroncs. Vol.. June 00. 8. [4] Aweya J Ouellette M. Montuno D.Y. 
Desgn and Stablty Analyss of a Rate ontrol Algorthm Usng the Routh Hurwtz Stablty rteron. IEEE/AM ransactons on etworkng 4 Aug. 004.