									   International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
       Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 1, Issue 2, July – August 2012                                          ISSN 2278-6856



      A Novel Entropy Based Detection of DDoS
                      Attacks
             Mr.T.Bharath Manohar1, Mrs.E.V.N.Jyothi2, Mrs.B.Rajani3, Mr.I.Rajesh Kumar4
                                          1
                                           M.Tech(CSE) , Department of CSE,
                                        CMR College of Engineering & Technology,
                                            Hyderabad,Andhra Pradesh,India.

                                               2,3
                                             Asst.Proff.Department of CSE,
                                        CMR College of Engineering & Technology,
                                           Hyderabad,Andhra Pradesh,India.

                                           4
                                            M.Tech(CSE) , Department of CSE,
                                             Amina Institute of Technology,
                                            Hyderabad,Andhra Pradesh,India.

Abstract: Distributed Denial of Service (DDoS) attacks are a critical threat to the Internet. The memoryless nature of the Internet routing mechanism makes it difficult to trace back the source of these attacks. In this paper, we find the source of the attack with the help of dynamic entropy variation, calculated from the packet size, which shows the difference between normal and DDoS attack traffic. This is fundamentally different from the commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed one possesses dynamic entropy variations according to the clients' behavior.

Keywords: DDOS, Method, Router.

1. INTRODUCTION

Tracing back the source of DDoS attacks on the Internet is extremely hard. It is an extraordinary challenge because attackers generate a huge number of requests to victims through compromised computers (zombies) in order to deny normal services or degrade the quality of services.

A recent survey of 70 Internet operators in the world demonstrated that DDoS attacks are increasing dramatically and that individual attacks are stronger and more sophisticated. IP traceback means the capability of identifying the actual source of any packet across the Internet; IP traceback schemes help identify the zombies from which the DDoS attack packets entered the Internet.

A number of IP traceback approaches have been suggested to identify attackers. Among them are two major methods: probabilistic packet marking (PPM) and deterministic packet marking (DPM). Both require routers to inject marks into individual packets. Both also have limitations such as scalability, huge demands on storage space and vulnerability to packet pollution. Both PPM and DPM also require changes to the existing routing software, which is extremely hard.

For DDoS attack detection, the packet number distributions of packet flows, which are out of the control of attackers once the attack is launched, are compared; the similarity of attack flows is found to be much higher than the similarity among legitimate flows, e.g. flash crowds.

The entropy rate is the entropy growth rate as the length of a stochastic sequence increases.

In this paper, we also propose flow entropy variation to avoid packet marking. Here the packets passing through a router are grouped into flows, where a flow is defined by the upstream router a packet came from and the destination address of the packet.

During non-attack periods, routers are required to observe and record entropy variations. Once the attack is launched, the entropy rate increases dynamically, which helps to identify the locations of zombies. Upstream routers help to identify where the attack flows came from, based on their local entropy variations.

2. SAMPLE NETWORK WITH DDOS ATTACKS

DDoS attacks are targeted at exhausting the victim's resources, such as network bandwidth, computing power and operating system data structures.

3. STEPS TO LAUNCH THE DDOS ATTACK

    1) The attacker first establishes a network which is responsible for the huge volume of traffic that denies service to normal users.
    2) Attackers then discover vulnerable hosts on the network. A vulnerable host here means a system running no antivirus software or out-of-date antivirus software.
    3) Attackers then install new programs, known as attack tools, on the compromised hosts.
    4) The attack can be shown by the growth of the entropy rate from the point of attack.



Figure 1: DDoS Attacks

The flow is determined by calculating the best paths using shortest path algorithms. Fig. 1 shows a number of clients sharing a server to exchange information, among which one or more act as an attacker. This is detected with the help of the entropy variation between the normal flow and the attack flow.

3. TOPOLOGY CREATION

Figure 2: Network topology structure

In order for one or more clients to communicate with a server, a network topology structure should be designed. Fig. 2 shows that R1 and R2 act as the routers, S1 and S2 are the required servers, and C1 and C2 are the clients. It also shows the connections among server S1, router R1 and client C1, and among S2, R2 and C2 respectively. This network topology is responsible for sharing information from one location to another.

4. SYSTEM TRANSACTION

Here the packets passing through a router are grouped into flows. A flow is a pair: the upstream router the packet came from and the destination address of the packet. Entropy is an information-theoretic concept that helps to measure the randomness in the network. Here entropy is used to measure the changes in the randomness of flows at a router for a given time interval, with the help of the packet size used for the transaction. Relative to a local router, the other routers in this network topology are, for example, upstream routers and downstream routers. The local area network is attached to the upstream routers.

The router under investigation is called the local router. The flow on a local router is denoted by

    $\langle u_i, d_j, t \rangle, \quad i, j \in I, \; t \in R$

where $u_i$ is an upstream router of a local router $R_i$, $d_j$ is the destination of a group of packets passing through the local router $R_i$, $t$ is the current timestamp, $I$ is the set of positive integers and $R$ is the set of real numbers. If a router has two different incoming flows from the upstream routers, this kind of flow is called a transit flow.

Figure 3: Traffic flow is monitored at the upstream router

Therefore a flow at a router can be defined as follows:

    $f_{ij}(u_i, d_j) = \{ \langle u_i, d_j, t \rangle \mid u_i \in U, \; d_j \in D, \; i, j \in I \}$

where $u_i$, $i \in I$, is an immediate upstream router of the local router $R_i$, as shown in Fig. 4.

In Fig. 4, all the incoming flows are input flows and all the flows leaving router $R_i$ are named output flows. $D$ represents the destinations of the packets passing through the local router $R_i$. The attacker is responsible for the traffic flow at a router.

Thereby, for a given time interval $\Delta T$, the variation of the number of packets for a flow is as follows:


    $N_{ij}(u_i, d_j, t+\Delta T) = |f_{ij}(u_i, d_j, t+\Delta T)| - |f_{ij}(u_i, d_j, t)|$

Here $|f_{ij}(u_i, d_j, t)| = 0$, therefore $N_{ij}(u_i, d_j, t+\Delta T)$ is the number of packets of the flow $f_{ij}$ during the interval.

Hence, using the packet size variation due to the attacker, the entropy rate is defined as follows:

H (F) = -

where $p_{ij}(u_i, d_j)$ is the probability of each flow at a router, based on the law of large numbers, and H(F) is the entropy variation used to measure the variations in the randomness of flows. The flow design explains that once the server is hit by an attacker, the attacker installs a new program known as an attack tool if the server is a vulnerable host; as a result, a huge amount of traffic is created at the upstream router. This can be estimated by monitoring the packet size variation with the help of the entropy rate. If the server is not hit by any attacker, it shows a static entropy rate, which describes the normal flow through the router.

Figure 4: BLOCK DIAGRAM
It explains the modelling between Internet, End-Host, Edge Router and Router.

[Figure: ARCHITECTURE DIAGRAM]

[Figure: ALGORITHM FOR LOCAL FLOW MODEL]

[Figure: ALGORITHM FOR TRACEBACK MODEL]
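
The flow entropy and the non-attack baseline this paper describes, sketched as an added Python example (not the authors' code). It assumes the Shannon form for H(F), since the formula is cut off on this page, and estimates p_ij from per-flow packet counts; the k-sigma threshold, the share-growth ranking of upstream routers, all names and the sample intervals are constructed for illustration.

```python
import math
from collections import Counter

def flow_entropy(counts):
    """Shannon entropy (bits) of per-flow packet counts N_ij for one interval.

    Assumption: the Shannon form -sum(p * log2 p), with p_ij estimated as the
    flow's share of all packets seen at the router in the interval.
    """
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in counts.values() if n)

class LocalFlowMonitor:
    """Tracks mean and standard deviation of H(F) over non-attack intervals."""

    def __init__(self, k=3.0, min_samples=5, std_floor=0.05):
        # k, min_samples and std_floor are illustrative values, not the paper's.
        self.k, self.min_samples, self.std_floor = k, min_samples, std_floor
        self.n, self.mean, self.m2 = 0, 0.0, 0.0   # Welford running statistics
        self.baseline = Counter()                  # normal packets per flow

    def observe(self, counts):
        """Return (entropy, anomalous); statistics update only when normal."""
        h = flow_entropy(counts)
        std = math.sqrt(self.m2 / self.n) if self.n else 0.0
        limit = self.k * max(std, self.std_floor)
        anomalous = self.n >= self.min_samples and abs(h - self.mean) > limit
        if not anomalous:                          # suspended during an attack
            self.n += 1
            delta = h - self.mean
            self.mean += delta / self.n
            self.m2 += delta * (h - self.mean)
            self.baseline.update(counts)
        return h, anomalous

    def suspect_upstream(self, counts):
        """Rank upstream routers by growth of their traffic share vs baseline."""
        def shares(c):
            per_router = Counter()
            for (upstream, _dest), n in c.items():
                per_router[upstream] += n
            total = sum(per_router.values()) or 1
            return {u: n / total for u, n in per_router.items()}
        now, base = shares(counts), shares(self.baseline)
        growth = {u: now[u] - base.get(u, 0.0) for u in now}
        return sorted(growth.items(), key=lambda kv: kv[1], reverse=True)

def normal_interval(i):
    """Constructed non-attack interval: six flows of roughly equal size."""
    flows = [(u, d) for u in ("U1", "U2", "U3") for d in ("D1", "D2")]
    return {f: 100 + (7 * i + 3 * j) % 11 - 5 for j, f in enumerate(flows)}

def attack_interval():
    """Constructed attack interval: a flood entering via U2 towards D1."""
    counts = normal_interval(0)
    counts[("U2", "D1")] += 5000
    return counts

def run_demo():
    monitor = LocalFlowMonitor()
    normal_flags = [monitor.observe(normal_interval(i))[1] for i in range(20)]
    h_attack, attack_flag = monitor.observe(attack_interval())
    ranking = monitor.suspect_upstream(attack_interval())
    return normal_flags, monitor.n, h_attack, attack_flag, ranking

if __name__ == "__main__":
    flags, samples, h_attack, attack_flag, ranking = run_demo()
    print("false alarms:", sum(flags), "baseline samples:", samples)
    print(f"attack interval H(F) = {h_attack:.3f}, flagged = {attack_flag}")
    print("upstream routers by share growth:", ranking)
```

The monitor compares the absolute deviation of H(F) from the baseline, so it flags the interval whether a given deployment sees entropy rise or fall under attack.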







In this section, we present the related algorithms according to our previous modeling and analysis. There are two algorithms in the proposed traceback suite: the local flow monitoring algorithm and the IP traceback algorithm. The local flow monitoring algorithm runs during non-attack periods, accumulating information from normal network flows and progressively updating the mean and the standard variation of flows. This updating is suspended while a DDoS attack is ongoing. The local flow monitoring algorithm is shown in Fig. 6. Once a DDoS attack has been confirmed by any of the existing DDoS detection algorithms, the victim starts the IP traceback algorithm, which is shown in Fig. 7. The IP traceback algorithm is installed at routers. It is initiated by the victim, and at the upstream routers it is triggered by the IP traceback requests from the victim or from the downstream routers that are on the attack path. The proposed algorithms are independent of the current routing software; they can work as independent modules at routers. As a result, we do not need to change the current routing software.

5. PERFORMANCE EVALUATION

In this section we evaluate the effectiveness and efficiency of the entropy variation based IP traceback mechanism. The first task is to show that the flow entropy variation is stable for non-attack cases.

Figure 8: Graph that shows uniform entropy rate due to non attack

After the first task, we find the fluctuation from the normal situation by adding an attacker at any one of the clients or servers. The second task is thus to demonstrate the relationship between the drop of flow entropy variation and the increase of attack strength, that is, the entropy rate due to the attacker at server 1.

Figure 9: Graph that explains increased rate of flow

6. CONCLUSION

In this paper we proposed an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. Packet marking strategies are avoided because they suffer from a number of drawbacks. The scheme works by storing the information of flow entropy variations at routers. Once a DDoS attack has been identified, it performs a pushback tracing procedure. The traceback algorithm first identifies the upstream router where the attack flows come from and then submits the traceback request to the related upstream router. This procedure continues until the farthest zombies are identified. In our existing case we used a static value to determine the entropy rate, but in our proposed strategy we use a dynamic value to determine the entropy rate, which is based upon the packet size of the client's behavior.

AUTHORS

First Author - T. Bharath Manohar received a B.Tech. (CSE) from Vijay Rural Engineering College, Nizamabad (A.P.), affiliated to JNTU Hyderabad, Andhra Pradesh, India, in 2009. He is presently pursuing an M.Tech. (CSE) at CMR College of Engineering & Technology, Hyderabad, affiliated to JNTU Hyderabad, Andhra Pradesh, India. His research interests are in Computer Networks, Data Mining, Cloud Computing, etc.

Second Author - E.V.N. Jyothi, Asst. Prof., Dept. of CSE, CMR College of Engineering & Technology, Hyderabad, Andhra Pradesh, India.

Third Author - B. Rajani, Asst. Prof., Dept. of CSE, CMR College of Engineering & Technology, Hyderabad, Andhra Pradesh, India.

Fourth Author - Mr. I. Rajesh Kumar, M.Tech (CSE), Department of CSE, Amina Institute of Technology, Hyderabad, Andhra Pradesh, India.