An Analysis Model of Botnet Tracing Based on the Ant Colony Optimization Algorithm

Ping Wang, Tzu Chia Wang*, Pu-Tsun Kuo, Chin Pin Wang
Department of Information Management, Kun Shan University, Taiwan
TEL: +886-6-205-0545  FAX: +886-6-205-0545  E-mail: tzuchia@mail.ksu.edu.tw

Abstract - To counter DDoS attacks launched by a bot herder, defenders have developed approaches that trace back the IPs of a botnet's C&C by logging the suspicious flow information of the routers along the route. Yet the available botnet detection schemes all assume that ISPs will cooperate and offer the complete routing information needed for path reconstruction. In practice an ISP's service is a matter of mutual benefit in intelligence exchange, so the constraint that all ISPs cooperate ought to be relaxed. A new IP traceback scheme based on the ant colony optimization (ACO) algorithm is proposed for the case in which only incomplete routing logs are provided. The aim of our work is to develop an analysis model that reconstructs attack paths and traces the botnet C&C through ant-inspired collective intelligence: pheromone is accumulated to find the possible routes, and each route is reported with a support and a confidence degree. The model is validated with NS2 (Network Simulator, version 2), complemented by a dark IP map, to simulate a fake-IP attack scenario and test the effectiveness of the model. Furthermore, a sensitivity analysis is conducted to investigate the effect of the significant parameters on the output attack paths. Experimental results show that the proposed approach effectively suggests the best attack path of a botnet in a dynamic network environment.

Keywords: botnet, bot, zombie, attack path, ant colony optimization

I. INTRODUCTION

A botnet is a group of computers manipulated by a herder through inserted malicious code. After the malware has been installed successfully, the victim becomes a zombie (a compromised host) and accepts remote commands from the bot herder. The CSI/FBI survey reported average losses of $234,244 per respondent due to security incidents in 2009; it also reports the share of respondents who notified the individuals whose personal information was breached [3]. According to the reports in [4, 5, 7], botnets have become a major threat that steals victims' private data, rather than only suspending network services through massive connections such as DDoS (Distributed Denial of Service) attacks. Defenders have developed approaches to detect and classify botnets using IDS, honeypots and network flow information [2, 4-5]. In practice a botnet uses one-to-many control links between the command and control (C&C) server and the victims. Two main types of malicious bot have appeared in the past two decades: IRC-based and peer-to-peer.

The available IP traceback approaches focus on DDoS network attacks. Two promising families of solutions are passive and proactive traceback, which discover the possible attack paths, that is, the traits the attacker left while exploiting the network to achieve his intention. The former can only be used after an attack, for example PPM, iTrace and SPIE; its advantage is that it needs no additional router storage. Its drawback is the assumption that the ISPs on the attack path will cooperate and provide the defender with the complete path information: if one of the routers on the tour has lost the path information, these approaches fail, especially when the defender lacks full administrative authority over the routers in the Internet. The latter assumes that the attack remains active until the trace completes, so it can be used for an ongoing traceback; examples are input debugging, link testing and overlay networks. This type of approach must separate attack flows from normal flows immediately, by collecting and examining online routing information in the underlying attack environment. Furthermore, it needs additional router storage to pile up logs for the analyzer to investigate the true attack sources. The drawbacks of these schemes are (i) massive messages have to be recorded and transported to a repository for assessing the appropriate attack paths, which brings considerable management overhead, and routing information might be erased because of the extra routing information being stored; (ii) cooperation between ISPs is required.

Though the available IP traceback approaches are capable of locating zombies by accumulating attack packets, they all rest on the idealistic assumption that every ISP will cooperate and offer the entire path information for attack path reconstruction. Generally, an ISP's service is a mutual benefit in intelligence exchange, or follows from criminal law and procedure. Therefore the constraint that cooperation between ISPs is required must be relaxed. A new IP traceback scheme based on the ant colony optimization (ACO) approach is proposed to discover all possible attack paths with support and confidence degrees, in order to locate the C&C and the herder IP even when the path reconstruction takes place in an incomplete routing environment. Our work incorporates the ACO algorithm into an analysis model that traces the herder IP through path reconstruction and discovers all possible attack paths with support and confidence degrees. This study shows that tracing a botnet herder can be formulated as a path reconstruction problem, so that the most probable attack path is obtained as an optimal solution. The network simulator ns-2, complemented by a dark IP map, is used to conduct an experiment validating our model under attack scenarios with spoofed IPs. Experimental results show that the proposed approach can effectively find the attack paths from incomplete evidence.
The rest of the paper is organized as follows. Section II provides background on IP traceback techniques, and Section III presents our approach. Simulations and analysis of the results are presented in Section IV. Section V performs a sensitivity analysis and discusses the effect of the control variables on the output attack paths. Conclusions and future studies follow in Section VI.

II. RELATED WORKS

Since the 1990s a number of IP traceback techniques have been developed and applied to DDoS network attacks. In theory, reconstructing the routing information along the attack paths yields the possible attack paths. Basically, the defender needs to answer the following critical questions about an IP traceback technique: (i) how much path information is needed to reconstruct an attack path successfully; (ii) how fast it can track back to the attack origin. The aim of an IP traceback technique is to locate the proper attack origin by analyzing the information of the attack paths, especially when incomplete path information is provided. Furthermore, an attacker can easily forge source addresses with spoofed IPs to confuse the defender; in other words, he disguises his location using fake IP addresses, so the true origin is lost. Thus our IP traceback scheme should at least satisfy the following requirements: (i) discriminate attacks from real IPs from attacks with spoofed IPs; (ii) report how much path information (a group of successive routing packets) is needed to reconstruct an attack path, with a quantified index such as a probability, a support degree or a confidence degree.

In the following we briefly review these approaches.

(i) Logging: a log function is embedded in a router so that it can record all traffic packets. Once an attack happens, data mining techniques are employed to trace the attack source back through the data repository. This causes heavy overhead on the network and considerable management overhead. Snoeren (2001) [1] improved on this and proposed the mechanism SPIE (Source Path Isolation Engine), which reduces management and network overhead by logging a hash of each network packet: Bloom filters store and forward a 32-bit hash digest for each IP packet. It effectively reduces the resource demand for storing massive network packets, but causes a heavy computational load on the server.

(ii) Packet marking: Savage (2000) [10] designed a packet marking (PM) approach that resolves the high demand on computational resources by marking packets, deterministically or probabilistically, at adjacent routers. The well-known PPM (Probabilistic Packet Marking) scheme can trace the attack source from the marked packets that travel from the attacker to the victim, without causing heavy overhead on network traffic. It also answers the question of how many packets are needed to reconstruct the attack paths successfully. Basically there are three variants: node append, edge sampling and node sampling. Though PM approaches have many advocates, their drawbacks are clear. First, they cannot trace multiple attackers. Second, they shift the packet marking overhead to the router. Third, attackers can easily spoof IPs and counterfeit a fake path.

(iii) ICMP traceback: to decrease the computational load on the router, Bellovin et al. (2000) [9] replaced the marked packet by an ICMP message, named iTrace. This approach helps the defender reconstruct the entire attack path through ICMP messages that the routers send to the destination on demand.

(iv) Link testing: a useful but controversial way to rebuild an attack path is link testing. When an attack incident is detected, the defender filters the destination IP and port at the upstream router based on the attack signature and traces back toward the herder IP step by step. A famous method is controlled flooding, which injects massive packets on a specific route to discover the congestion phenomena of the routers (for example packet drops) in order to look for an attack path.

All of the approaches above assume that every ISP is cooperative and provides the entire routing information to the victim. When this constraint is violated, these approaches may fail.

III. AN ANALYSIS MODEL FOR ATTACK PATHS

Our work is to develop an analysis model for the attack paths of a botnet and to estimate the support and confidence of each attack path, so that the correct attack path can be selected appropriately under circumstances in which only part of the ISPs cooperate.

3.1 Basic idea

Basically, attack path reconstruction starts from the victim, proceeds through the upstream links and repeats recursively until the attack source is located, as illustrated in Fig. 1. In other words, receiving each routing packet and assembling the path information enables the victim to reconstruct the whole attack path. Thus path reconstruction can be considered a special graph optimization problem. ACO is applied to attack path reconstruction through ants laying down a pheromone trail that attracts and guides other ants back to the nest with food. Fig. 1 shows two example attack paths, P1-P2-P3 and P4-P5-P6-P3, and also the possibility of each attack path based on the colony pheromone.

Figure 1. Traceback of possible attack paths (nodes A to H; Attacker; Victim #1 ... Victim #n)

Inspired by the wisdom of natural ants, the ants use pheromone on the trail to find their way back to the nest, here from the victim to the attack source. A moving ant lays some pheromone (in varying quantities) on the ground, thus marking the path it follows by a trail of this substance. While an isolated ant moves essentially at random, an ant encountering a previously laid trail can detect it and decide with high probability to follow it. A group of ants $A_q$, $q = 1, 2, \ldots, m$, is assigned to get food, and the ants travel in a random walk. If $n$ ants walked on the high-pheromone trail $P_i$ when they found their way back to the nest, then the support degree of attack path $P_i$ is

$$\mathrm{sup}(P_i) = \frac{n}{m} \qquad (1)$$

In the following, the confidence degree of attack path $P_i$ is derived as the ratio of the number of ants on attack path $P_i$ to the number of ants on all attack paths that reach the minimal support degree:

$$\mathrm{conf}(P_i) = \frac{\mathrm{sup}(P_i)}{\sum_{j:\ \mathrm{sup}(P_j) \ge \mathrm{min\_sup}} \mathrm{sup}(P_j)}, \qquad \mathrm{sup}(P_i) \ge \mathrm{min\_sup} \qquad (2)$$

where min_sup represents the minimum support degree; a path whose support is below min_sup receives a confidence degree of zero. A high confidence degree hints at a higher probability that the attack path is the true one.

3.2 IP Traceback Scheme for Botnet

It is assumed that the attack path forms a non-cyclic directed graph, in order to avoid entering an infinite number of loops when a cyclic graph is selected. We focus on two issues of path reconstruction: (i) find all directed paths between two arbitrary nodes; (ii) discover the possible attack paths and identify the most probable one. Let the network topology be a directed graph $G = (V, E)$, where $V = \{v_1, v_2, \ldots, v_n\}$ is the set of nodes, $V_s \subseteq V$ is the set of source nodes (attack sources), $V_d \subseteq V$ is the set of sink nodes (victims), and $E$ is the set of edges of the graph. The analysis model of IP traceback for botnets is stated in the following four steps.

Step 1: Build a network topology. Our work focuses on security management issues of web services; therefore a service-oriented topology for model analysis is established based on the locations of the service centers.

Step 2: Decide the number of paths between two nodes. Basically, a path in a digraph is a sequence of vertices from one vertex to another, and a set of edges represents the flow through the whole attack path. According to Skvarcius and Robinson (1986) [11], the
number of non-cyclic paths between two network nodes can be derived as follows. If an edge of length one is represented by $E$, then $E^2, E^3, \ldots$ represent connections of length two, three and so on, denoted by the power of the edge relation. By the transitive closure theorem of graph theory there is a transition relation

$$E^n = E \circ E^{n-1} \qquad (3)$$

where $E^n$ is the $n$-th power of the edge relation and $\circ$ is relational composition.

Theorem 1. If there is a connection of length one from node $v_i$ to node $v_j$ in graph $G$, the connection relation is written $v_i\, E\, v_j$, and $E^{*} = E \cup E^2 \cup E^3 \cup \cdots$, where $E^{*}$ is the union of $E, E^2, E^3, \ldots$. Let the adjacency matrix $M = \{m_{ij}\ |\ i = 1, \ldots, m;\ j = 1, \ldots, n\}$ represent the edges $E$ between $v_i$ and $v_j$ in $G$, and let $M^{*}$ represent $E^{*}$. From Theorem 1 we have

$$M^{*} = M \lor M^2 \lor M^3 \lor \cdots \qquad (4)$$

where $M^{*}$ is the reachability matrix of the directed graph and $M^2 = M \cdot M$, $M^3 = M^2 \cdot M$, etc. (Boolean products).

Next, let $N_1(i, j)$ be the counting matrix of the number of connecting edges of length one between $v_i$ and $v_j$:

$$N_1(i, j) = \begin{cases} 1, & (v_i, v_j) \in E \\ 0, & (v_i, v_j) \notin E \end{cases} \qquad (5)$$

Similarly, $N_2(i, j)$ and $N_3(i, j)$ count the connections of length two and three. As in Eq. (3), the elements of a counting matrix are derived by the product of two adjacent counting matrices: for example, if $N_1$ is an $m \times k$ matrix whose elements are defined by Eq. (5) and $N_2$ is a $k \times n$ matrix, then $N_3$ is

$$N_3(i, j) = \sum_{k} N_1(i, k)\, N_2(k, j) \qquad (6)$$

By induction, the counting matrix for connections of length $l$ is

$$N_l = N_1 \cdot N_{l-1} = N_{l-1} \cdot N_1 \qquad (7)$$

where $N_l$ is the counting matrix whose path length equals $l$. Finally, we define the matrix $NP$ for the total number of paths from $v_i$ to $v_j$ of length at most $L$:

$$NP(i, j) = \sum_{l=1}^{L} N_l(i, j) \qquad (8)$$

Step 3: Reconstruction of attack paths. To search for the global optimal solution of ACO, two search strategies are given to reconstruct the possible attack paths when the ants find their way back to the nest: (i) follow the higher intensity of pheromone over a trail; however, this strategy might make the algorithm converge to a local optimum; (ii) reinforce the ant's ability to look ahead by examining the trail intensity of pheromone when choosing a direction. The second strategy makes the ants' search more flexible than the first. According to [8], each ant in the colony carries out a complete search on the graph following the probability

$$p_{ij}(t) = \frac{[\tau_{ij}(t)]^{\alpha}\,[\eta_{ij}(t)]^{\beta}}{\sum_{k \in \mathrm{neighbor}(i)} [\tau_{ik}(t)]^{\alpha}\,[\eta_{ik}(t)]^{\beta}} \qquad (9)$$

where $p_{ij}(t)$ is the probability that an ant chooses the path from node $i$ to node $j$, $\tau_{ij}(t)$ is the intensity of the pheromone trail between router $i$ and router $j$ at time $t$, $\eta_{ij}(t)$ is a heuristic value denoting the number of routing packets passing between router $i$ and router $j$ at time $t$, $\alpha$ is the weighting factor of the pheromone and $\beta$ is the weighting factor of the visibility. The ant colony updates the probabilities of the feasible attack paths and chooses the right one. The path search of adjacent routers for each ant (local update rule) is

$$\tau_{ij}(t+1) = (1 - \rho)\,\tau_{ij}(t) + \rho\,\tau_0 \qquad (10)$$

where $\rho \in [0, 1]$ is the evaporation or decay rate of the pheromone (a higher value means the pheromone decays fast) and $\tau_0$ is the initial pheromone value. The pheromone intensity of a path can be revised after all the ants have selected their route from the victim to an attack source. The purpose of the path update is to prevent the ants from settling on the same trail, which might be a local optimum. Once the ant colony completes one generation, an overall update of pheromone intensity (global update rule) proceeds, and the pheromone intensity on each edge is recalculated by

$$\tau_{ij}(t+1) = (1 - \rho)\,\tau_{ij}(t) + \rho\,\Delta\tau_{ij}, \qquad \Delta\tau_{ij} = \begin{cases} C / L, & (i, j) \text{ is on the optimal path} \\ 0, & \text{otherwise} \end{cases} \qquad (11)$$

where $C$ is a constant and $L$ is the number of nodes on the optimal path. The global search of feasible paths is designed to increase the update speed of the pheromone and to shorten the convergence time of ACO. The difference between the local and the global update rule is that the global rule alters the pheromone intensity of the optimal path only, which amplifies the bias between the attack path and ordinary paths, whereas the local rule is used to explore other possible paths, so it revises the pheromone intensity of any path an ant passes through. Finally, the ant traceback process iterates until all ants choose the same path or the preset number of cycles is reached. The proposed scheme then reports the optimal attack path established by the colony's travel according to the ant-density rule. In summary, the whole process of path reconstruction is illustrated in Fig. 2.

Step 1: Initialize
  Construct a route graph based on the topology.
  For each iteration t: initialize the pheromone τ0 for every node.
  Lay h ants on the starting node.
  For q = 1 to m: reset the starting node.
Step 2: Traceback process
  For q = 1 to m:
    If ant(q) has not arrived at the edge node (victim):
      Move to the neighbor node j and update the probability P.
      Add node j into the q-th route solution.
Step 3: Local pheromone update
  For all i, j:
    If route(i, j) is in the q-th route solution, set τ(t+1) = (1 - ρ)τ + ρτ0;
    else set τ(t+1) = (1 - ρ)τ + ρΔτ.
Step 4: Global pheromone update
  Compute the most probable route solution and L.
  If a node is in the most probable route solution, set τ(t+1) = (1 - ρ)τ + ρC/L.
  If the termination conditions (100 iterations) are not satisfied:
    Empty all the route solutions.
    For q = 1 to m: swap the starting node into the q-th route solution.
    Go back to Step 2.
  Else output the most probable route solution.

Figure 2. The process of path reconstruction

Step 4: Validation of the spoofed IP source. If the bot herder masquerades or hides his attack location using spoofed IPs, the true origin might be lost. Thus attack scenarios with spoofed source addresses need to be simulated to specify the probability of successfully detecting a fake IP attack, and to verify whether the ACO algorithm can discover the correct attack paths. Based on the above attack scenarios, we have to answer the question of how many routing packets are required to detect a spoofed IP attack. Inspired by PPM, suppose the probability of successfully detecting a fake IP attack at a router is $q$, an attack path is $d$ hops long, and the furthest router on this path is $R$. Let $X$ be the first time to detect a spoofed IP
attack from $R$. Obviously $X$ follows a geometric distribution. The probability that the routing packets received reveal a fake IP attack through successive packets from $R$ is $q(1-q)^{d-1}$, so the expected value is

$$E(X) = \frac{1}{q\,(1-q)^{d-1}} \qquad (12)$$

Let $Y$ be the number of packets required to detect a spoofed IP attack. Suppose the analysis cost is a specific function $f(d)$ of the routing distance $d$; then the expected number of routing packets $Y$ needed to confirm a spoofed IP attack through successive packets from $R$ is

$$E(Y) = \frac{f(d)}{q\,(1-q)^{d-1}} \qquad (13)$$

For example, if the analysis cost is assumed to be the natural logarithm of the routing distance $d$, we have

$$E(Y) = \frac{\ln(d)}{q\,(1-q)^{d-1}} \qquad (14)$$

3.3 Dark IP Map

Once the attack source has been traced back successfully, the defender needs a GIS to map the zombie IPs into the real world. In our work the dark IPs are located on a Google Map, and the attack paths, marked with their confidence degrees, are connected according to the infection sequence. This model can assist the defender in effectively monitoring the infected hosts by reading the dark IP information, such as nation, bot type and its attack signatures.

IV. TESTING AND VALIDATION

Our work simulates a service network in the USA to discover the potential threats caused by botnet attacks.

Step 1: Build a network topology. Using Google Maps, the network topology is established as shown in Fig. 3, where there are 32 service nodes (0 to 31).

Figure 3. Network topology

Step 2: Decide the number of paths between two nodes. The end nodes 0, 1 and 2 represent attack sources, and the end nodes 29, 30 and 31 are victims. The matrix NP, the number of paths between attack source $v_i$ and victim $v_j$ with path length up to 6, is derived by Eqs. (3)-(8) as shown in Table 2.

Table 2. Path-count matrix NP between attack sources and victims (values as extracted)

        N0   N1   N2   N3   N29  N30  N31
  N0     0    0    0    3
  N1     0    0    0    0    3
  N2     0    0    0    0    0    0    0
  N3     0    0    0    0    7    4    5

Step 3: Reconstruction of attack paths. To search for a global optimal solution, two search strategies are given to reconstruct the possible attack paths when the ants find their way back to the nest: (i) follow the higher intensity of pheromone over a trail, which might converge to a local optimum; (ii) add a look-ahead ability to the ant so that it reacts in its direction search by judging the trail intensity of pheromone online, which makes the ant's behavior more flexible than the former.

Step 3.1: Attack on a victim. We conduct 100 test runs of random attacks using Monte Carlo simulation to collect routing information. For example, the attack from node 0 to node 29 is executed and 30 ants trace back to their nest; the complete tour routings are recorded in Table 1 (scenario S3).

Table 1. Records of the nodes passed on the attack path, scenario S3 (node labels as extracted)

  Attack source   Victim   Nodes on attack path
  N0              N29      0, 4, 9, 5, , 8, 5, 9
  N0              N29      0, 4, 5, 0, 9, 4, , 0, 7, 9
  N0              N29      0, 4, 9, 4, , 5, 0, 7, 9
  N0              N29      0, 3, 4, 9, 5, , 8, 9
  N0              N29      0, 4, 9, 4, , 5, 9
  N0              N29      0, 4, 9, 4, , 0, 7, 9
  N0              N29      0, 4, 9, 5, , 5, 9

Step 3.2: Traceback of attack paths. The routing information derived in Step 3.1 is input as the initial values and the required dataset of ACO. Then the ants travel around all the trails using the local and global pheromone update rules of Eqs. (9)-(11). Consequently, the possible attack paths whose support degree exceeds the minimum support degree of 10% are shown in Fig. 4.

Figure 4. Simulation of attack path reconstruction
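The counting-matrix calculation of Section III, Step 2 (Eqs. (5)-(8)), which produces the NP matrix of Table 2, as an added Python example that is not part of the paper. The six-node topology is constructed, not the 32-node network of Fig. 3. The acyclicity test and the brute-force enumeration of simple paths are additions that show why the method relies on the non-cyclic assumption of Section 3.2: matrix powers count walks, and a walk equals a simple path only in a DAG.

```python
"""Path counting with the counting matrices N_l (Eqs. 5-8) on a constructed DAG.

Added example; the topology is invented. Attack source is node 0, victim is
node 5, and edges point from the source toward the victim.
"""

EDGES = [(0, 1), (0, 2), (1, 3), (2, 3), (1, 4), (3, 4), (4, 5)]  # constructed
NODES = 6


def adjacency(n, edges):
    """Eq. (5): N_1(i, j) = 1 if (v_i, v_j) is an edge, else 0."""
    n1 = [[0] * n for _ in range(n)]
    for u, v in edges:
        n1[u][v] = 1
    return n1


def matmul(a, b):
    """Ordinary matrix product; Eq. (6) is its entry-wise form."""
    rows, inner, cols = len(a), len(b), len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(inner)) for j in range(cols)]
            for i in range(rows)]


def counting_matrices(n1, max_len):
    """Eq. (7): N_l = N_1 * N_(l-1); returns [N_1, N_2, ..., N_max_len]."""
    mats = [n1]
    for _ in range(2, max_len + 1):
        mats.append(matmul(n1, mats[-1]))
    return mats


def path_count_matrix(n1, max_len):
    """Eq. (8): NP(i, j) = sum of N_l(i, j) for l = 1 .. max_len."""
    n = len(n1)
    np_mat = [[0] * n for _ in range(n)]
    for nl in counting_matrices(n1, max_len):
        for i in range(n):
            for j in range(n):
                np_mat[i][j] += nl[i][j]
    return np_mat


def reachability(n1):
    """Eq. (4): M* = M v M^2 v M^3 v ..., computed with Warshall's algorithm."""
    n = len(n1)
    reach = [[bool(x) for x in row] for row in n1]
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return reach


def is_acyclic(n1):
    """Kahn's algorithm: True when every node can be removed in topological order."""
    n = len(n1)
    indeg = [sum(n1[i][j] for i in range(n)) for j in range(n)]
    ready = [v for v in range(n) if indeg[v] == 0]
    removed = 0
    while ready:
        u = ready.pop()
        removed += 1
        for v in range(n):
            if n1[u][v]:
                indeg[v] -= 1
                if indeg[v] == 0:
                    ready.append(v)
    return removed == n


def simple_paths(n1, src, dst, max_len):
    """Brute-force DFS over simple paths with at most max_len edges (cross-check)."""
    found = []

    def dfs(u, path):
        if u == dst:
            found.append(tuple(path))
            return
        if len(path) - 1 >= max_len:
            return
        for v in range(len(n1)):
            if n1[u][v] and v not in path:
                path.append(v)
                dfs(v, path)
                path.pop()

    dfs(src, [src])
    return found


def count_attack_paths(edges, n, src, dst, max_len):
    """Return (NP(src, dst), number of simple paths, graph is acyclic)."""
    n1 = adjacency(n, edges)
    return (path_count_matrix(n1, max_len)[src][dst],
            len(simple_paths(n1, src, dst, max_len)),
            is_acyclic(n1))


if __name__ == "__main__":
    print(count_attack_paths(EDGES, NODES, 0, 5, 6))            # (3, 3, True)
    # Adding the back edge 4 -> 1 creates a cycle: NP now counts 7 walks but
    # only 3 simple paths exist, which is why Section 3.2 assumes a DAG.
    print(count_attack_paths(EDGES + [(4, 1)], NODES, 0, 5, 6))  # (7, 3, False)
```

On the 32-node topology of Fig. 3 the same functions apply unchanged; only EDGES, NODES and the endpoint pairs (0, 1, 2 to 29, 30, 31) change, and the max_len argument is the path-length bound of 6 used for Table 2.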
Good modeling practice requires the developer to evaluate the support and confidence of the model by assessing the uncertainties associated with its outcome. The support and confidence degree of each path are therefore evaluated by Eqs. (1)-(2), with the minimal support degree set to 10%, and listed in the fourth and fifth columns of Table 3. As a result, the top support and confidence degrees of the possible attack paths are drawn as red lines in Fig. 5, and the attack path with the maximum probability in NS2 is shown in Fig. 6.

Table 3. The attack paths with support and confidence (30 ants; attack source N0, victim N29; node labels as extracted)

  Attack path                    Support degree   Confidence degree
  N0 N4 N9 N5 N N5 N9            13.3%            19.05%
  N0 N4 N9 N5 N N8 N9             3.3%             0%
  N0 N4 N9 N5 N N5 N9            56.7%            80.95%
  N0 N3 N4 N9 N5 N N5 N9          6.7%             0%
  N0 N4 N9 N4 N N5 N9             6.7%             0%
  N0 N4 N9 N4 N N N5 N9           6.7%             0%
  N0 N4 N9 N4 N0 N N5 N9          3.3%             0%
  N0 N4 N9 N5 N N5 N8 N9          3.3%             0%

Figure 5. The top support and confidence degrees of the attack paths
Figure 6. The attack path with maximum probability in NS2

Case I: Only partial routing information is provided. Suppose some ISPs are not willing to offer the complete routing information. The nodes lacking the necessary touring information are called grey nodes, and the pheromone of the grey nodes is set to zero. Repeating Steps 3.1-3.2, the experimental results show that the ants still select the right attack path as a tour if the grey nodes lie on the attack path, for example the grey nodes 9 and 5. But when the ants also find alternative nodes with which to construct an attack path, the searched path may be altered, as with the alternative pair (3, 4) in Fig. 7: in this situation node 3 may be shifted to the alternative node 4.

Once the attack source has been traced back successfully, the defender needs a GIS to map the zombie IPs into the real world. In our work the dark IPs are located and displayed in a Google Maps-based GIS, and the attack paths, marked with their confidence degrees, are connected according to the infection sequence, as shown in Fig. 7. The dark IP map helps the defender monitor the infected hosts effectively by examining the dark IP information, including the IP's nationality, bot type and its attack signatures.

Figure 7. Dark IP map

Case II: Preset nodes in attack paths. It is assumed that part of the network nodes have been judged in advance to be preset nodes in the attack paths. For example, the preset nodes 3, 6 and 8 are forced to be selected in the simulation case. Repeating Step 3, the defender finds that node 3 is far from the original attack path, and then a new attack path is generated. Nodes 6 and 8, however, are close to the attack path, so the result is almost the same attack path as in the above example, as shown in Fig. 8.
Figure 8. Attack paths derived from preset nodes

Step 4: Validation of the spoofed IP source. Let one node be designated as a spoofed IP as shown in Fig. 5, and reset its routing information to zero. The goal of the deception test is to check whether our model can resist the spoofed IP attack. After executing the simulations and observing the outcomes, the results show that some ants searched the false paths in the beginning; later, however, most ants were not attracted by the spoofed IP and came back to the correct paths progressively after five iterations. The search behavior of the colony and its resistance to the spoofed IP attack are shown in Fig. 9. Diagrams (a) to (d) of Fig. 9 present the simulation results of the capability against the spoofed IP attack. We ran the algorithm 100 times with the preset number of iterations and a maximum colony population of 30. Fig. 9(a) reveals the relationship between the iteration and the accuracy of searching the attack path: after approximately 5 iterations the ants regularly discover the correct path. Fig. 9(b) shows the relationship between the iteration and the percentage of ants on the best path: over 50% of the ants found the best path once the iterations exceeded approximately 9. From Fig. 9(c) we recognize that the pheromone of the best path does not evaporate but maintains a steady value as ants continually pass through. Next we examine the relationship between the iteration and the convergence ratio of ants on the best path. In Fig. 9(d) the threshold is set to 40%: when over 40% of the ants have gathered on the best path, the algorithm is considered to have converged during those iterations. From Fig. 9(d) we observe that convergence was attained between iterations 3 and 8. In summary, most ants resist the spoofed IP attack through the path search process after more than 9 iterations in our case.

Figure 9. Spoofed IP attacks: (a) percentage of correct paths versus iteration number; (b) percentage of ants on the best route; (c) pheromone versus iteration number; (d) percentage of ants converging on the best route
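The path reconstruction of Section III, Step 3 (Fig. 2, Eqs. (9)-(11)), the support and confidence degrees of Eqs. (1)-(2), and the grey-node treatment of Case I in Section IV, as an added Python example that is not the paper's own code. The seven-node topology and the per-link packet counts ETA are constructed; alpha, beta, rho, tau0, C and min_sup are the paper's symbols with assumed values (the min_sup of 10% matches Table 3). Ants walk from the victim toward the attack source, as in Section 3.1.

```python
"""Ant-colony attack-path reconstruction after Fig. 2, with support/confidence
(Eqs. 1-2) and zero-pheromone grey nodes (Case I). Added example; the topology
and packet counts are invented."""
import random
from collections import Counter

# Constructed topology: victim is node 0, attack source is node 6.
# ETA[(i, j)] = number of suspicious routing packets logged on link i -> j
# (the visibility eta_ij of Eq. 9). The true route 0-1-3-5-6 carries the most.
ETA = {(0, 1): 40, (0, 2): 5, (1, 3): 35, (1, 4): 8, (2, 4): 6,
       (3, 5): 30, (4, 5): 9, (5, 6): 42}


def support_confidence(counts, m, min_sup):
    """Eqs. (1)-(2): sup(P_i) = n_i / m; conf(P_i) = n_i / sum of n_j over paths
    with sup(P_j) >= min_sup, and 0 for paths below min_sup."""
    support = {p: n / m for p, n in counts.items()}
    qualified = sum(n for p, n in counts.items() if support[p] >= min_sup)
    confidence = {p: (n / qualified if support[p] >= min_sup and qualified else 0.0)
                  for p, n in counts.items()}
    return support, confidence


def choose_next(eta, tau, i, visited, alp, bet, rng):
    """Eq. (9): pick an unvisited neighbour j with probability proportional to
    tau_ij^alpha * eta_ij^beta. A grey link carries tau = 0, so it is only taken
    when no alternative link has pheromone (then the ant moves blindly)."""
    cands = [j for (u, j) in eta if u == i and j not in visited]
    if not cands:
        return None
    weights = [tau[(i, j)] ** alp * eta[(i, j)] ** bet for j in cands]
    if sum(weights) == 0.0:
        return rng.choice(cands)
    return rng.choices(cands, weights=weights, k=1)[0]


def reconstruct(eta, victim, source, m=30, iterations=20, alpha=1.0, beta=1.5,
                rho=0.5, tau0=0.1, C=1.0, min_sup=0.10, grey_nodes=(), seed=1):
    """Run the colony; return (best path, support dict, confidence dict)."""
    rng = random.Random(seed)
    # Case I: links touching a grey node (no routing information) start at tau = 0.
    tau = {e: (0.0 if e[0] in grey_nodes or e[1] in grey_nodes else tau0) for e in eta}
    best, counts = None, Counter()
    for _ in range(iterations):
        tours = []
        for _q in range(m):                      # one generation of m ants
            node, path = victim, [victim]
            while node != source:
                nxt = choose_next(eta, tau, node, set(path), alpha, beta, rng)
                if nxt is None:                  # dead end: tour discarded
                    break
                # Eq. (10): local update on the link just traversed
                tau[(node, nxt)] = (1 - rho) * tau[(node, nxt)] + rho * tau0
                path.append(nxt)
                node = nxt
            if node == source:
                tours.append(tuple(path))
        counts = Counter(tours)
        if not counts:
            continue
        best = counts.most_common(1)[0][0]       # ant-density rule
        best_edges = set(zip(best, best[1:]))
        L = len(best)                            # nodes on the optimal path
        for e in eta:                            # Eq. (11): global update
            delta = C / L if e in best_edges else 0.0
            tau[e] = (1 - rho) * tau[e] + rho * delta
        if len(counts) == 1:                     # all ants chose the same path
            break
    support, confidence = support_confidence(counts, m, min_sup)
    return best, support, confidence


if __name__ == "__main__":
    best, sup, conf = reconstruct(ETA, victim=0, source=6)
    print(best, round(sup[best], 3), round(conf[best], 3))
    # Grey node 3 has an alternative (node 4), so the tour shifts, as in Case I.
    print(reconstruct(ETA, 0, 6, grey_nodes=(3,))[0])
    # Grey node 5 lies on every route, so the ants still pass through it.
    print(reconstruct(ETA, 0, 6, grey_nodes=(5,))[0])
```

The support and confidence helper reproduces the arithmetic behind Table 3: with 30 ants and counts of 4, 1, 17, 2, 2, 2, 1 and 1 per path, the paths with 4 and 17 ants are the only ones above min_sup = 10%, giving supports of 13.3% and 56.7% and confidences of 4/21 = 19.05% and 17/21 = 80.95%. The alpha, beta and rho arguments are the control variables varied in Section V.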
V. DISCUSSION

Once the traceback process is finished, a sensitivity analysis is conducted to understand how the variation in the output of our model relates to the control variables of the ACO path search. Sensitivity analysis is an essential step of quality assurance in the model development process. In the ACO model three control variables need to be explored: $\alpha$, the weighting factor of the pheromone; $\beta$, the weighting factor of the visibility; and $\rho$, the evaporation or decay rate of the pheromone. Sensitivity analysis plays the role of a what-if analysis exploring the impact of varying these three input parameters on the output attack paths.

The selection of the two weighting factors $\alpha$ and $\beta$ may affect the search results of the attack paths. If the value of $\alpha$ is too high (over the threshold), it might increase the convergence speed and result in falling into a local optimum, since a higher $\alpha$ implies that the ants tend to converge faster than with a lower $\alpha$. After executing 100 test runs, the path information on the attack paths is accumulated and averaged as illustrated in Table 4. From Table 4, both parameters affect the output attack paths: the total number of routing packets collected on the attack paths exceeds the threshold covering about 80% of the routing information when $\alpha$ lies in [0.9, 1] and $\beta$ in [1.5, 1.8].

Table 4. Effect of the parameters α and β on the average number of routing packets collected on the attack paths (values as extracted)

  β \ α    0.1    0.3    0.5    0.7    0.9    1      1.5    1.8
  0.1      08     3      40     8      48     49     66     088
  0.3      096    73     3      5      98     30     3      94
  0.5      333    340    346    353    358    34     35
  0.7      375    39     49     43     469    57     457    363
  0.9      43     486    497    508    5      563    505    453
  1        489    537    558    557    578    577    563    59
  1.5      538    583    583    597    600    68     69     549
  1.8      597    595    593    65     648    6      586    574

Next, the defender may be concerned with how the decay rate of the pheromone affects the speed of convergence. From Table 5 we realize that when $\rho$ is too low for the intensity of the pheromone trail $\tau$, it affects the speed at which packets are processed and lowers the average number of routing packets handled on the attack paths; consequently the ants keep slowing down in searching for a new path. In contrast, a high $\rho$ might increase the convergence speed and yield a local optimum. From the trade-off analysis of Table 5, we observe that the best-fit value of the pheromone decay rate is 0.5 in our case.

Table 5. Effect of the decay rate ρ on the average number of routing packets handled

  ρ                                  0.1   0.2   0.3   0.4   0.5   0.6   0.7   0.8   0.9
  Average number of packets handled  555   584   6     67    647   639   63    69    63

Table 6. Effect of the iteration number

  Number of generations                          5     10    20    40    100
  Average number of path information collected   58    63    645   647   648
  Percentage of path information collected       79%   85%   83%   84%   84%

From Table 6, satisfactory results (about 80% of the path information collected on average) are attained when the number of iterations (generations) exceeds ten.

VI. CONCLUSION

A new IP traceback analysis model based on an extended ACO algorithm is proposed for the case in which incomplete flow information is provided. To resist attacks using IP spoofing, our scheme assists the defender in making an appropriate decision when discovering possible attack paths with support and confidence degrees. In addition, a sensitivity analysis of the ACO control variables is carried out to increase confidence by verifying the effect on the convergence tendency; the computation time is also examined. The numerical examples presented herein show that the proposed approach effectively discovers the most probable attack path and suggests the right locations at which to deploy nodes, so as to raise the probability of trapping attack sources.

ACKNOWLEDGEMENTS

This work was supported in part by TWISC@NCKU, National Science Council, under Grants No. NSC98-9-E-006-00 and NSC 98-9-H-68-00.

REFERENCES

[1] A. C. Snoeren, C. Partridge, L. A. Sanchez, and C. E. Jones, "Hash-based IP traceback," Proc. ACM SIGCOMM '01, Aug. 2001.
[2] C. Langin, Z. Hongbo, S. Rahimi, B. Gupta, M. Zargham, and M. R. Sayeh, "A Self-Organizing Map and its Modeling for Discovering Malignant Network Traffic," IEEE Symposium on Computational Intelligence in Cyber Security, 2009.
[3] CSI,
Computer Crime and Security Survey 2009, http://www.gocsi.com/forms/csi_survey.jhtml
[4] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "BotHunter: Detecting Malware Infection through IDS-Driven Dialog Correlation," Proceedings of the 16th USENIX Security Symposium, Aug. 2007.
[5] G. Gu, R. Perdisci, J. Zhang, and W. Lee, "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection," Proceedings of the 17th USENIX Security Symposium (Security '08), 2008.
[6] Google Maps API Examples, accessed Jan. 4, 2010, available at http://code.google.com/intl/zh-tw/apis/maps/documentation/examples
[7] J. B. Grizzard, V. Sharma, C. Nunnery, and B. B. Kang, "Peer-to-Peer Botnets: Overview and Case Study," HotBots '07: First Workshop on Hot Topics in Understanding Botnets, Apr. 10, 2007.
[8] M. Dorigo, G. Di Caro, and L. M. Gambardella, "Ant algorithms for discrete optimization," Artificial Life, 1999.
[9] S. Bellovin, M. Leech, and T. Taylor, "ICMP traceback messages," Internet Draft draft-ietf-itrace-01.txt, Oct. 2001.
[10] S. Savage, D. Wetherall, A. Karlin, et al., "Practical network support for IP traceback," Proc. ACM SIGCOMM 2000, Santa Clara, 2000.
[11] R. Skvarcius and W. B. Robinson, Discrete Mathematics with Computer Science Applications, Menlo Park, CA: Benjamin/Cummings, 1986.