					(IJCSIS) International Journal of Computer Science and Information Security, Vol. 6, No.1, 2009

An Entropy Architecture for Defending Distributed Denial-of-Service Attacks

G. Meera Gandhi, CSE, Research Scholar, Sathyabama University, Chennai, Tamil Nadu
S. K. Srivatsa, Professor, ICE, St. Joseph's College of Engineering, Chennai, Tamil Nadu

Abstract

The goal of intrusion detection is to identify entities attempting to subvert security controls. Network-based intrusion detection techniques identify unauthorized, illicit and anomalous behaviour from network traffic. Identifying network intruders is one of the most significant problems for network administrators and security experts, and intrusion detection systems are an important component of the defensive measures protecting computer systems and networks from abuse. New threats emerge at an increasing rate. Distributed Denial-of-Service (DDoS) attacks have become a popular means of causing mass damage, and their impact extends to collateral damage well beyond the target. DoS attacks remain a serious threat to the users, organizations and infrastructure of the Internet. Existing defense techniques rely on traffic characteristics such as traffic deviation or attack pattern matching, which may not yield accurate detection and involve high complexity.

In this paper, a router-based entropy algorithm is designed to improve performance and protection against distributed denial-of-service attacks. The work includes attack tree construction, attack detection and clustering of alerts. The projected entropy is calculated for each router, and alerts are raised for flows whose projected entropy falls below a threshold value. The alerts are then grouped into clusters according to their source, target, time and attack type, which removes redundant alerts and associates alerts of the same nature. Simulation results show that the proposed architecture improves detection accuracy and throughput while reducing the alert overhead. We also review the current research on the security and throughput performance of routers and on the impact of DoS attack technology in terms of intruder activity and attack tools.

Keywords: intruders, denial of service, attacks, router entropy, attack tree, attack type.

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

I. INTRODUCTION

As the Internet now carries essential communication for a very large number of people, security has become a major concern, and Intrusion Detection Systems (IDS) are considered a mainstream security technology. An IDS is designed to identify security breaches. One of the major problems with current IDS, however, is the lack of "environmental awareness", i.e. knowledge of the security policy, the network topology and the deployed software [1]. This ignorance triggers many false positives and false negatives. A false negative is a non-detected attack: an attacker is misclassified as a normal user. A false positive is a false alert: the IDS misinterprets normal packets or activities as attacks. DDoS traffic also creates heavy congestion in the Internet core which, during very large attacks, interrupts communication for all Internet users whose packets cross the congested routers [2].

II. PROBLEM IDENTIFICATION

The network traffic of a DoS attack creates heavy congestion at the router, which disrupts its services, and the impact of the attack causes further collateral damage. DoS attacks remain a serious threat to the users, organizations and infrastructure of the Internet. The existing defense techniques rely on traffic characteristics such as traffic deviation or attack pattern matching, which may not yield accurate detection and involve high complexity. For example, in [10] the detection of DDoS flooding attacks is based on the distributed change-point detection (DCD) method; predicting the deviation rate in that method may be inaccurate and is computationally complex. The flood of alerts sent upon detection may contain false or duplicate alerts and adds further overhead, so these alerts need to be checked and organized. Our objective is therefore a defense mechanism that detects DDoS attackers accurately, with low complexity and low alert overhead. In this paper we propose a router-entropy-based algorithm designed to preserve the performance of services while protecting them from distributed denial-of-service attacks. The proposed solution consists of three steps:

1) Attack tree construction
2) Attack detection
3) Clustering of alerts

Attack tree construction: the process of obtaining an abstraction of the router-level Internet graph, called the attack tree, in which the attack victim is the root and the different traffic sources are the leaves.

Attack detection: an entropy-based scheme. Entropy is a measure of the uncertainty or randomness of a random variable, here the packet stream arriving at a router. Entropy is calculated per router from packet header information. If the projected entropy at a router falls below a threshold value, the flow is considered an attack flow and its source is identified as an attacker.

Alert clustering: the alerts are grouped into clusters according to their source, target, time and attack type. Clustering removes redundant alerts and associates alerts of the same nature.

The paper is organized as follows. Section III presents related work. Section IV discusses the attack tree construction phase. Section V presents the entropy-based detection technique. Section VI gives the simulation results and Section VII concludes the paper.

III. RELATED WORK

Several existing defense techniques are discussed below and distinguished from the proposed approach.

A. Denying Denial-of-Service Attacks: A Router Based Solution

To prevent DDoS attacks, a general method based on more secure packet forwarding among routers has been proposed. Encryption, digital signatures and authentication are used by the routers so that a packet can be traced back to its origin, and further traffic is stopped at the closest intelligent router. Although this provides more secure and private communication between the participating routers, it introduces considerable complexity, increasing cost, delay and bandwidth consumption. In addition, since the initial packet must be decrypted, knowledge of the last router is vital; this creates a single point of failure and consequently a less reliable system.

B. Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic

Hop-count filtering [11] is a victim-based solution. It relies on the number of hops between source and destination, which is indirectly indicated by the TTL field of an IP packet. If the hop count inferred from a received packet differs significantly from the value stored in a previously built table, the packet is discarded and an attack is detected. The method depends heavily on assumptions and probabilistic inference, which limits its accuracy.

C. Implementing Pushback: Router-Based Defense against DDoS Attacks

Pushback [12] is a network-based solution that addresses DDoS attacks using the congestion level of the links between routers. When the congestion level of a link reaches a certain threshold, the router sends a pushback message to the upstream routers feeding that link, asking them to limit the traffic towards the affected destination.

D. Protection against DDoS Attacks Based on Traffic Level Measurements

Traffic level measurement is another defense method. A DDoS module is attached to a given server, making it a virtual server [6]. The module continuously monitors the traffic and, when it reaches a high level, drops most incoming packets, thereby trying to isolate the server from the attack. Illegitimate traffic is recognized by its higher mean traffic level and can thus be suppressed.

E. Stack Pi: A Path Identification Mechanism against IP Spoofing and DDoS Attacks

Stack Pi mitigates illegitimate traffic by marking packets deterministically. It comprises two parts, marking and filtering. The filtering scheme detects illegitimate traffic based on the marking: access is allowed if a packet's marking matches the database entry and denied otherwise.

Jelena Mirkovic, Max Robinson, Peter Reiher and George Oikonomou [3] propose a distributed system for DDoS defense called DefCOM. DefCOM nodes span source, victim and core networks and cooperate via an overlay to detect and stop attacks. The attack response is twofold: defense nodes constrain the attack traffic, relieving the victim's resources, and they cooperate to identify legitimate traffic within the suspicious stream and ensure its correct delivery to the victim. The DefCOM design has a solid economic model, in which networks deploying defense nodes benefit directly from their operation, and it offers a framework for existing security systems to join the overlay and cooperate in the defense. These features motivate wide deployment and give the approach the potential for a large impact on the DDoS threat.

Sherif Khattab, Rami Melhem, Daniel Mossé and Taieb Znati [4] propose a honeypot back-propagation scheme to trace back attack sources when attacks occur. The reception of a packet by a roaming honeypot triggers the activation of a DAG of honeypot sessions, rooted at the honeypot under attack and extending towards the attack sources. The DAG is formed hierarchically: first at the Autonomous System (AS) level and then, if needed, at the router level within an AS. The scheme supports incremental deployment and provides deployment incentives for ISPs.

Aleksandar Kuzmanovic and Edward W. Knightly [5] investigate a class of low-rate denial-of-service attacks which, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect. Using a combination of analytical modeling, simulation and Internet experiments, they show that maliciously chosen low-rate traffic patterns that exploit TCP's retransmission timeout mechanism can throttle TCP flows to a small fraction of their ideal rate while eluding detection. Since such attacks exploit protocol homogeneity, they also study the fundamental limits of a class of randomized timeout mechanisms in thwarting low-rate DoS attacks.

IV. ATTACK TREE CONSTRUCTION

Based on the packet flows arriving at the victim, the attack tree rooted at the victim is an abstraction of the Internet router-level graph. It remains static over short intervals of time, so it is refreshed rarely, or on an interrupt that is triggered whenever its structure is modified.

A. Recursive Approach

A distributed divide-and-conquer approach is used. At each router the problem is repeatedly broken into sub-problems, each handled by one of the router's neighbours. The attack tree combines the solutions of the sub-problems and propagates them up from the traffic sources to the victim; thus we use a bottom-up rather than a top-down approach. If an intermediate router assigns unique labels to all of its immediate children, its degree in the attack tree is the maximum value of the local identifier. Each router aggregates the attack sub-trees (S_Ri) of its children and forwards the result to its immediate upstream neighbour. When every router in the attack tree does this, the attack tree evolves incrementally in a bottom-up, distributed fashion.
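The bottom-up aggregation described above, together with the recurrence S_Ri = H_Ri ∪ ⋃ S_Rj of Section IV.C and the partial update messages of Sections IV.B and IV.D, can be made concrete as follows. This is an added example, not code from the paper: the (child, parent) link list, the victim name V, and the representation of a sub-tree as a degree plus labelled children are assumptions made here for illustration.

```python
"""Bottom-up (divide-and-conquer) attack tree construction, after eq. (1)/(2):
S_Ri = H_Ri U (union of S_Rj over the children Rj of Ri).

Added worked example; this is not the paper's code. Assumptions, all labelled:
  * routers report connectivity as (child, parent) links rooted at the victim;
    a router with no children is a traffic source (a leaf);
  * each router labels its children 1..k, so its degree H_Ri is the largest
    local label, as Section IV.A states;
  * the link lists below are constructed for illustration.
"""
from typing import Dict, List, Tuple

Link = Tuple[str, str]  # (child, parent)

# Constructed router-level links: victim V, routers R1..R4, sources S1..S4.
LINKS: List[Link] = [("R1", "V"), ("R2", "R1"), ("R3", "R1"), ("R4", "R1"),
                     ("S1", "R2"), ("S2", "R2"), ("S3", "R3"), ("S4", "R4")]


def children_map(links: List[Link]) -> Dict[str, List[str]]:
    """Immediate children C_Ri of every router, in the order they were reported."""
    kids: Dict[str, List[str]] = {}
    for child, parent in links:
        kids.setdefault(parent, []).append(child)
    return kids


def build_subtrees(links: List[Link], root: str = "V") -> Dict[str, dict]:
    """Aggregate S_Ri for every router from the leaves up to the root.

    S_Ri is represented as {"H": degree, "children": {label: S_Rj}}; the
    recursion mirrors a router waiting for its children's reports before
    forwarding its own sub-tree to its upstream neighbour.
    """
    kids = children_map(links)
    subtrees: Dict[str, dict] = {}

    def aggregate(router: str) -> dict:
        labelled = dict(enumerate(kids.get(router, []), start=1))  # local labels 1..k
        subtrees[router] = {
            "H": len(labelled),  # degree = maximum local label (0 for a source)
            "children": {label: aggregate(child) for label, child in labelled.items()},
        }
        return subtrees[router]

    aggregate(root)
    return subtrees


def traffic_sources(subtrees: Dict[str, dict]) -> List[str]:
    """Leaves of the attack tree: the nodes with no children, i.e. H_Ri = 0."""
    return sorted(r for r, s in subtrees.items() if s["H"] == 0)


def logical_form(router: str, links: List[Link]) -> str:
    """Eq. (1)/(2) written out for one router, e.g. S_R1 = H_R1 U S_R2 U S_R3 U S_R4."""
    kids = children_map(links).get(router, [])
    return f"S_{router} = H_{router}" + "".join(f" U S_{c}" for c in kids)


def changed_subtrees(old_links: List[Link], new_links: List[Link], root: str = "V") -> List[str]:
    """Content of an update message (Sections IV.B and IV.D): only the sub-trees
    whose structure changed between two snapshots. A change propagates up to
    the victim but leaves independent sibling sub-trees untouched."""
    old, new = build_subtrees(old_links, root), build_subtrees(new_links, root)
    return sorted(r for r in new if old.get(r) != new[r])


if __name__ == "__main__":
    tree = build_subtrees(LINKS)
    print(logical_form("R1", LINKS), "with H_R1 =", tree["R1"]["H"])
    print("traffic sources:", traffic_sources(tree))
    # A new source S5 attaches to R2: only S5, R2 and its ancestors R1 and V change.
    print("update message covers:", changed_subtrees(LINKS, LINKS + [("S5", "R2")]))
```

Attaching a new source under R2 changes S_R2, S_R1 and S_V but none of the sibling sub-trees rooted at R3 and R4, which is exactly the set of sub-trees an update message has to carry.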


B. Modular Path Tree

This scheme provides strong and clear support for dynamic changes to the attack tree without complete retransmission of the tree. The constructed attack tree is essentially an attack path tree that uses out-of-band packet marking, embedding only the router connectivity information. We propose to overload this attack path tree so that it also embeds path entropy information, producing a novel attack path entropy tree.

Figure 1. Attack path tree: the sub-tree of router R1 with children R2, R3 and R4 (shaded regions mark independent sub-trees; links carry numeric labels)

C. Logical Representation

Consider the attack tree shown in Fig. 1. It shows the attack sub-tree of some router R1, which has three children, R2, R3 and R4. The logical representation of this sub-tree is

$S_{R_1} = H_{R_1} \cup S_{R_2} \cup S_{R_3} \cup S_{R_4}$ ------ (1)

where $H_{R_1}$ is the degree of router R1 and $S_{R_1}$ is the attack sub-tree of router R1. The equation is generalized for every router in the attack tree as

$S_{R_i} = H_{R_i} \cup \bigcup_{R_j \in C_{R_i}} S_{R_j}$ ------ (2)

where $C_{R_i}$ is the set of immediate children of $R_i$. Thus the proposed distributed divide-and-conquer approach is expressed as a concise recurrence relation.

D. Physical Representation

The structural modification of the attack tree supports a simple plug-and-play design (the differently shaded regions in Figure 1): a change can propagate up the tree to the victim without recomputing the whole attack tree or affecting other independent attack sub-trees. Periodic or triggered update messages model the dynamic routing characteristics of the Internet; each message contains only the attack sub-trees that have been structurally modified.

V. ENTROPY BASED ATTACK DETECTION

A. Entropy

Entropy, or the Shannon-Wiener index, is a measure of the uncertainty or randomness associated with a random variable; here it measures the data arriving over the network. The sample entropy lies in the range $[0, \log n]$: it is 0 when all samples belong to a single class and reaches $\log n$ when they are spread uniformly over $n$ classes. To detect changes in randomness, the entropy of one sample of packet header fields is compared with that of another sample. The entropy $E(Y)$ of a random variable $Y$ with possible values $\{y_1, y_2, \ldots, y_n\}$ and probability distribution $PR = \{pr_1, pr_2, \ldots, pr_n\}$, where $0 \le pr_i \le 1$ and $\sum_i pr_i = 1$, is

$E(Y) = -\sum_{i=1}^{n} PR(y_i) \log PR(y_i)$ ------------- (3)

B. Detection Technique

An entropy-based technique is used for detection. Every intermediate router in the attack path tree measures, by entropy, the number of packets it has received from each of its immediate children; entropy is the principal metric of the detection algorithm. $pr(y_i)$ (where $y_i \in Y$) is the probability that $Y$ takes the value $y_i$. If we observe $Y$ over a fixed time window $w$, then $pr(y_i) = t_i / t$, where $t_i$ is the frequency, i.e. the number of times $Y$ is observed taking the value $y_i$, and

$t = \sum_{i=1}^{n} t_i$


$E(Y) = -\sum_{i=1}^{n} (t_i / t) \log (t_i / t)$ ------------------- (4)

Here $n$ is the maximum number of distinct values of $Y$ (for example the maximum number of ports, when $Y$ is a port field). If we want the probability of a source (or destination) address, then $t_i$ is the number of packets with $y_i$ as source (destination) address and $t$ is the total number of packets:

$PR(y_i) = \dfrac{\text{number of packets with } y_i \text{ as source (destination) address}}{\text{total number of packets}}$

Here the total number of packets is the number of packets seen in a time window $T$. The normalized entropy captures the overall probability distribution of the flow captured in the window $T$:

Normalized entropy $NE = E / \log n_0$ ----------- (5)

where $n_0$ is the number of distinct $y_i$ values in the given time window. Since the attack flow dominates the whole traffic, the normalized entropy of the traffic captured in window $T$ decreases in a detectable manner during a DDoS attack. A similar decrease is also possible under massive legitimate access, so the entropy rate has to be calculated to confirm the DDoS attack. The projected entropy (PE) is the rate of growth of the entropy of a random process. For a sequence of $n$ random variables, the projected entropy (entropy rate $E_r$) of the stochastic process $\{y_i\}$ is

$PE(y) = E_r(y) = \lim_{n \to \infty} \frac{1}{n} E(y_1, y_2, \ldots, y_n)$ ----- (6)

Algorithm 1: DDoS detection algorithm

Step 1: Collect sample flows for a time window $t$ on each router.
Step 2: Calculate the router entropy $E(y) = -\sum_{i=1}^{n} PR(y_i) \log PR(y_i)$.
Step 3: Calculate the normalized router entropy $NE = E / \log n_0$.
Step 4: If $NE < th_1$, where $th_1$ is the threshold value:
  4.1 Mark the flow as suspected.
  4.2 Raise an alert.
Step 5: Calculate the projected entropy $PE_i(y)$ of the suspected flows in that router and in the routers downstream.
Step 6: If $PE_i(y) \le th_2$, where $th_2$ is the threshold value:
  6.1 Mark the flow as attack.
  6.2 Raise a final alert.
  6.3 Discard the attack flow.

Figure 2. The algorithm for DDoS detection using router entropy

C. Overall Description of Our Architecture

The steps of the proposed DDoS detection algorithm are described in Figure 2. Figure 3 gives the diagrammatic representation of the entire architecture, while Figure 5 presents a consolidated view of the operations involved in the proposed architecture.
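Algorithm 1 and the alert clustering step of Section II, run over constructed sample windows, as an added example that is not the paper's code. It assumes that the header field Y is the destination address of each packet, that the projected entropy of eq. (6) is estimated as the mean normalized entropy over the last K windows (the limit in eq. (6) cannot be taken on a finite sample), and that the thresholds th1 = 0.8 and th2 = 0.7, the router name R1, the addresses and the window contents are constructed for illustration; the names `detect`, `cluster_alerts` and `SAMPLE_WINDOWS` are introduced here.

```python
"""Router-entropy DDoS detection (Algorithm 1) with alert clustering.

Added worked example; this is not the paper's code. Assumptions, all labelled:
  * the header field Y is the destination address of each packet;
  * the projected entropy PE (eq. 6) is estimated as the mean normalized
    entropy of the last K windows, since the limit cannot be taken on finite data;
  * TH1, TH2, K, the router name and the sample windows are constructed.
"""
import math
from collections import Counter
from typing import Dict, List

TH1 = 0.8  # normalized-entropy threshold below which a flow is "suspected" (assumed)
TH2 = 0.7  # entropy-rate threshold at or below which the attack is confirmed (assumed)
K = 2      # number of windows over which the entropy rate is estimated (assumed)


def entropy(counts: Dict[str, int]) -> float:
    """E(Y) = -sum_i (t_i/t) log2(t_i/t), eq. (3)/(4), with t_i = counts[y_i]."""
    t = sum(counts.values())
    return -sum((ti / t) * math.log2(ti / t) for ti in counts.values() if ti)


def normalized_entropy(counts: Dict[str, int]) -> float:
    """NE = E / log2(n0), eq. (5); n0 = number of distinct values in the window."""
    n0 = len(counts)
    if n0 <= 1:
        return 0.0  # a single value carries no uncertainty at all
    return entropy(counts) / math.log2(n0)


def detect(router: str, windows: List[List[str]], th1: float = TH1,
           th2: float = TH2, k: int = K) -> List[dict]:
    """Algorithm 1 over successive time windows of one router's packet sample.

    Each window is the list of destination addresses seen in that window.
    Returns every alert raised (suspected and final), one dict per alert.
    """
    alerts: List[dict] = []
    history: List[float] = []  # normalized entropies of past windows (for the PE estimate)
    for w, addrs in enumerate(windows):
        counts = Counter(addrs)
        ne = normalized_entropy(counts)
        history.append(ne)
        if ne >= th1:
            continue  # Step 4: randomness is normal, nothing to report
        target = counts.most_common(1)[0][0]  # the address that dominates the flow
        alerts.append({"router": router, "target": target, "time": w,
                       "type": "suspected", "ne": round(ne, 4)})
        recent = history[-k:]
        pe = sum(recent) / len(recent)  # Step 5: entropy-rate estimate (assumption)
        if pe <= th2:                   # Step 6: confirm, final alert, discard flow
            alerts.append({"router": router, "target": target, "time": w,
                           "type": "attack", "pe": round(pe, 4)})
    return alerts


def cluster_alerts(alerts: List[dict]) -> List[dict]:
    """Group alerts by (source router, target, attack type); alerts of one group
    raised in adjacent windows are merged, so repeated alerts for the same
    attack become one cluster carrying a count and a time span."""
    clusters: List[dict] = []
    for a in sorted(alerts, key=lambda a: (a["router"], a["target"], a["type"], a["time"])):
        key = (a["router"], a["target"], a["type"])
        last = clusters[-1] if clusters else None
        if last and last["key"] == key and a["time"] <= last["end"] + 1:
            last["end"] = a["time"]
            last["count"] += 1
        else:
            clusters.append({"key": key, "start": a["time"], "end": a["time"], "count": 1})
    return clusters


# Constructed sample: three windows of destination addresses seen at router R1.
# Window 0 is legitimate traffic spread evenly; in windows 1 and 2 the victim
# 10.0.0.9 dominates the flow.
SAMPLE_WINDOWS = [
    ["10.0.0.1"] * 5 + ["10.0.0.2"] * 5 + ["10.0.0.3"] * 5 + ["10.0.0.4"] * 5,
    ["10.0.0.9"] * 16 + ["10.0.0.1"] * 2 + ["10.0.0.2"] + ["10.0.0.3"],
    ["10.0.0.9"] * 18 + ["10.0.0.1"] + ["10.0.0.2"],
]

if __name__ == "__main__":
    raised = detect("R1", SAMPLE_WINDOWS)
    for alert in raised:
        print(alert)
    print(cluster_alerts(raised))
```

Window 1 alone falls below th1 and is only marked suspected; the entropy-rate check of Steps 5 and 6 confirms the attack only when the low entropy persists into window 2, which is the guard the text gives against flagging a burst of legitimate access. The three alerts raised for the same victim collapse into two clusters, one for the suspected alerts spanning windows 1 to 2 and one for the final alert.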


Figure 3. Entropy Based Architecture

Figure 4. Experimental Setup

VI. EXPERIMENTAL RESULTS

A. Simulation Setup

This section deals with the experimental performance evaluation of our algorithms through simulation. The NS2 simulator [17] is used to test the protocol; the experimental setup is shown in Figure 4.

B. Simulation Results

• Varying Attack Traffic Rate

In the initial experiment we vary the attack traffic rate as 100, 200, …, 500 kb and measure the number of alerts raised, comparing the results with the DCD-CAT scheme [10]. As Figure 5 shows, our proposed entropy-based architecture (EBA) raises fewer alerts than DCD-CAT, since it includes the alert clustering technique.

Figure 5. Attack Rate vs No. of Alerts (x-axis: attack rate, 100 to 500; y-axis: number of alerts, 0 to 25; series: alert-EBA, alert-Normal)

Figure 6. Attack Rate vs Packet Loss (x-axis: attack rate, 100 to 500; y-axis: packets lost, 0 to 50000; series: EBA, DCD-CAT, NoDefense)

Figure 6 shows the number of packets lost by the legitimate users as the attack traffic rate is varied. The loss is lowest with EBA, followed by DCD-CAT, and highest when there is no defense.

• Attack and Normal Throughput

In the second experiment we measure the throughput obtained by the legitimate users (normal throughput) and the throughput obtained by the attackers (attack throughput).

Figure 7. Attack Traffic Without Defense (x-axis: time, 1 to 9 s; y-axis: throughput; series: AttackThroughput, NormalThroughput)

Figure 7 shows the normal and attack throughput without any defense: the attack throughput is very high, which reduces the normal throughput.

Figure 8. Attack Traffic with EBA (x-axis: time, 1 to 9 s; y-axis: throughput; series: AttackThroughput, NormalThroughput)

Figure 8 shows the normal and attack throughput of the proposed EBA scheme: the attack throughput is greatly reduced, which increases the normal throughput.

Figure 9. Attack Traffic with DCD-CAT (x-axis: time, 1 to 9 s; y-axis: throughput; series: AttackThroughput, NormalThroughput)

Figure 9 shows the normal and attack throughput of the DCD-CAT scheme: the attack throughput is reduced only to a small extent, slightly increasing the normal throughput.

VII. CONCLUSION

In this paper a new architecture has been proposed for protecting against distributed denial-of-service attacks. The mechanism constructs the attack tree, detects attacks from router entropy and clusters the resulting alerts, and it allows the number of alerts raised and the resulting performance improvement to be measured. The defense detects DDoS attackers accurately and with low complexity. Simulation results show that the proposed architecture improves detection accuracy and throughput while reducing the alert overhead.

VIII. REFERENCES
[1] Adel Bouhoula et al., "A Security Policy and Network Cartography based Intrusion Detection and Prevention Systems", Journal of Information Assurance and Security 4 (2009), 279-291.
[2] A. D. Keromytis, V. Misra and D. Rubenstein, "SOS: An Architecture for Mitigating DDoS Attacks", IEEE Journal on Selected Areas in Communications, vol. 22, no. 1, January 2004.
[3] Jelena Mirkovic, "D-WARD: Source-End Defense against Distributed Denial-of-Service Attacks", Ph.D. thesis, University of California Los Angeles, 2003.
[4] Sherif Khattab, Rami Melhem, Daniel Mossé and Taieb Znati, "Honeypot Back-propagation for Mitigating Spoofing Distributed Denial-of-Service Attacks", IEEE, 2006.
[5] Aleksandar Kuzmanovic and Edward W. Knightly, "Low-Rate TCP-Targeted Denial of Service Attacks and Counter Strategies", IEEE/ACM Transactions on Networking, 2006.
[6] Zhu Lina and Zhu Dongzhao, "A Router-based Technique to Detect and Defend against Low-rate Denial of Service", Academy Publisher, 2009.
[7] B. B. Gupta, Manoj Misra and R. C. Joshi, "An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach", Journal of Information Assurance and Security, 2008.
[8] Fanglu Guo, Jiawu Chen and Tzi-cker Chiueh, "Spoof Detection for Preventing DoS Attacks against DNS Servers", IEEE, 2006.
[9] M. Muthuprasanna and G. Manimaran, "Distributed Divide-and-Conquer Techniques for Effective DDoS Attack Defenses", white paper, 2008.
[10] Yu Chen, Kai Hwang and Wei-Shinn Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains", IEEE, 2007.
[11] Cheng Jin, Haining Wang and Kang G. Shin, "Hop-Count Filtering: An Effective Defense Against Spoofed Traffic", ACM, 2003.
[12] John Ioannidis and Steven M. Bellovin, "Implementing Pushback: Router-Based Defense against DDoS Attacks", 2002.
[13] Qiming Li et al., "On the Effectiveness of DDoS Attacks on Statistical Filtering", IEEE, 2005.
[14] Jelena Mirkovic and Peter Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", ACM, 2004.
[15] Guangsen Zhang and Manish Parashar, "Cooperative Defense against DDoS Attacks", Journal of Research and Practice in Information Technology, 2006.
[16] Arjita Ghosh and Sandip Sen, "Agent-Based Distributed Intrusion Alert System", Springer, 2004.
[17] The Network Simulator - ns-2. http://www.isi.edu/nsnam/ns
[18] Debra L. et al., "WebSOS: Protecting Web Servers from DDoS Attacks", Proceedings of the 11th IEEE International Conference on Networks (ICON), 2003.

Author's Profile:

Meera Gandhi G. received her B.E. (Computer Science and Engineering) degree and was awarded the M.E. (Computer Science and Engineering) degree by Sathyabama University, Chennai. She is currently pursuing her Ph.D. in Computer Science at Sathyabama University, Chennai, and will be finishing her research this academic year. She is working as a Professor in the Department of Computer Science and Engineering at Sathyabama University, Chennai, and has seventeen years of experience in the field of Computer Science. Her research is in the area of Information Security and Neural Networks; she is also interested in Intrusion Detection Systems, Intrusion Prevention Systems, Artificial Intelligence, Genetic Computing, Web Mining and Data Security. She has published many papers in international and national journals and proceedings, and has presented papers at international and national conferences. She is a member of professional associations including the Indian Society for Technical Education and the Computer Society of India, and acts as a reviewer for the journal "Expert Systems" and for Scientific Journal International.
