A High-Speed PacketScore DDoS Defense System


TO BE PUBLISHED IN THE IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, JUNE 2006

A High-Speed PacketScore DDoS Defense System

Paulo E. Ayres, Huizhong Sun, and H. Jonathan Chao
payres1@utopia.poly.edu, hzsun@antioch.poly.edu, chao@poly.edu

Abstract

Distributed Denial of Service (DDoS) attacks pose a significant threat to the Internet, while no effective defense schemes have been proposed or deployed. PacketScore has been proposed as a proactive DDoS defense scheme: it detects DDoS attacks, differentiates attacking packets from good ones with the use of packet scoring (scores are calculated per packet based on the attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold (lower scores are more likely to belong to attacking packets). We extend the packet-scoring concept and devise new schemes to reduce implementation complexity and improve overall performance. More specifically, a Leaky-Bucket overflow control scheme simplifies the score computation. An Attribute-Value-Variation scoring scheme, a method based on analysis of the deviations of the currently measured traffic attribute values from a previously measured traffic baseline, increases the accuracy of detecting and differentiating attacks. An enhanced packet discarding method allows both schemes to be more adaptive to challenging attacks such as those that dynamically change their attacking types and intensity. The overall reduction in complexity, higher detection and differentiation accuracies, and great memory savings make the new schemes natural candidates for high-speed hardware implementations of DDoS defense systems.

Index Terms: Denial-of-Service Attack, Network Security, Overload Control, Packet Differentiation.
The authors are with the Department of Electrical and Computer Engineering, Polytechnic University, Brooklyn, NY, USA.

I. INTRODUCTION

DDoS attacks aim to interrupt localized Internet services by making them temporarily unavailable, by flooding the victim (a single Web host or an entire stub network served by an ISP) with a high volume of legitimate-looking malicious packets originating from many different sources. To stop DDoS attacks while they are in progress, without manual identification, characterization, and filter configuration on ISP routers, methods based on marking and traceback protocols [1], [2], [3], [4], and pushback mechanisms [5], [6] have recently been proposed. Intrusion pattern recognition has also been proposed by the Data Mining community to automate the extraction of hidden predictive information from databases, including offline machine-learning approaches as in [7], [8] and online ones such as the D-WARD approach [9]. A combination of static and dynamic statistical filters has also been proposed in [1]. There are also commercial products, such as those of Asta Networks and Cisco [11], [12], that detect and mitigate specific types of known DDoS attacks, especially those generated by well-known DDoS attack tools. However, their signature-based approach makes them vulnerable to new types of DDoS attacks. The Arbor Networks product [13] mitigates DDoS attacks with the traceback approach, requiring the precise characterization of the attacking packets. The Mazu, Riverhead (currently Cisco) and Cyberoperations products [14], [15], [16] are built on statistics-based adaptive filtering techniques. Most of these solutions do not fully automate packet differentiation and discarding. Instead, they only recommend a set of binary filter rules to the network administrator. An ideal DDoS defense system should be flexible enough to cope with new and more sophisticated attacks in the future, and offer online automated approaches that are more scalable in terms of network operating speed and the number of potential targets to be protected.
PacketScore, described in [17], proposes a statistics-based overload control approach that efficiently addresses key scalability issues in a backbone implementation, allowing a large number of targets to be protected at high speed. It is a proactive defense system by nature, able to detect and block never-seen-before attacks. Essentially, it detects and filters DDoS attacks based on a packet-scoring approach. Arriving packets are given scores based on their TCP/IP attribute values as compared to nominal traffic profiles, and are selectively discarded if their scores are below a dynamic threshold. In this paper, we present new packet scoring schemes with enhancements over [17]: lower implementation complexity, higher attack detection and differentiation accuracies, and higher adaptability against complex DDoS attacks. The rest of this paper is organized as follows: Section II provides an overview of the previously proposed PacketScore scheme. Section III presents the motivations and advantages of the new schemes. Sections IV and V describe the implementation of the proposed Leaky-Bucket and Attribute-Value-Variance (AV) based scoring schemes, respectively. Section VI describes the use of a new overload control system. Section VII evaluates the performance of the new schemes. Section VIII gives the conclusion of the paper.

[Fig. 1. Deployment of 3D-Rs and DCSs to tackle end-point DDoS attacks. Legend: 3D-R: Detection, Differentiation, Discard Router; DCS: DDoS Control Server; R: Regular Routers. DDoS attack traffic enters the ISP security perimeter through the 3D-Rs, which exchange DDoS control information with the DCSs, on its way to the victim's stub network.]

II. OVERVIEW OF CLP-BASED PACKETSCORE SCHEME

Here, we review the previously proposed PacketScore scheme [17]. Fig. 1 depicts the support of distributed detection and overload control by multiple Detecting-Differentiating-Discarding Routers (3D-Rs) on a defense perimeter and DDoS Control Servers (DCSs). Let n be the total number of 3D-Rs along the defense perimeter. The use of DCSs reduces the O(n^2) peer communications among the 3D-Rs to O(n), and spares the 3D-Rs from the burden of managing a large number of per-end-point-target nominal traffic profiles. Since a DCS exchanges only control messages with the 3D-Rs, it can be safely kept away from the normal data path, i.e., out of the reach of potential DDoS attack traffic. To facilitate load balancing and improve scalability, the set of potential end-point targets within a domain can be partitioned among multiple DCSs.

The PacketScore scheme [17] uses a statistics-based Bayesian method called Conditional Legitimate Probability (CLP) to calculate packet scores, hereinafter referred to as the CLP-based scheme. It consists of the following three phases:

- Attack detection and victim identification, by monitoring four key traffic statistics of each protected target (packets-per-second, bits-per-second, number of active flows, and new arriving flow rate) while keeping minimum per-target state. The key traffic parameters are compared to the nominal traffic profile parameters. A DCS aggregates the reports from multiple 3D-Rs on a defense perimeter to confirm whether there is actually an ongoing attack.

- Differentiation of attacking packets from legitimate ones, by giving a score to every packet destined to the identified victim. Scores are determined by comparing every packet's current traffic profile against its nominal traffic profile. More specifically, they are computed by CLP and stored in the form of scorebooks. By this method, an attribute value shared by attacking (legitimate) packets will be assigned a lower (higher) score, because of its relative frequency increase (decrease) in the current traffic profile against the nominal one. As a result, PacketScore can efficiently differentiate legitimate packets among suspicious traffic.

- Selective packet discarding, by comparing the packet's score with a dynamic threshold, which is adjusted according to (1) the score distribution of all suspicious packets and (2) the congestion level of the victim.

Fig. 2 summarizes the PacketScore scheme. Each arriving packet obtains a set of partial scores from the scorebook via a lookup operation, according to the attribute values it carries. The packet score, the sum of the packet's partial scores, is then compared to a dynamic threshold in the overload control unit.
Packets whose scores are less than the threshold (like packet #3 in Fig. 2) will be discarded. A nominal profile is a set of baselines collected during a period in which the protected network was allegedly free of attacks. It characterizes the traffic within a certain period of time by measuring the average throughput in packets or bytes per second (used to set an acceptable output packet rate), and by creating normalized histograms of packet attributes. A measured profile has the same structure, but characterizes the online traffic instead. The comparison of both profiles provides PacketScore with enough parameters to distinguish legitimate packets from DDoS attacking packets with the use of a metric, or score. The degree of disassociation existing between these profiles (the higher the disproportion, the higher the likelihood of an attack) provides packet differentiation.

[Fig. 2. Illustration of the PacketScore scheme. The PacketScore router looks up each packet's attribute values in the scorebook, built from the nominal and measured profiles, to obtain its score; the overload control unit then passes or discards the packet. In the example, packet #1 (legitimate, score 1) and packet #2 (legitimate, score 0.98) are forwarded, while packet #3 (attacking, score 0.17) is discarded.]

The following attributes are currently measured on both profiles to generate the histograms: IP protocol-type values, packet sizes, Time-to-Live (TTL) values, TCP destination port numbers (the server ports, in a client/server model, regardless of traffic flow direction), 16-bit source/destination IP address prefixes (as an approximation to the IP subnet calculation), TCP/IP header length, and TCP flag patterns. Iceberg-style histograms, defined in [18], are used so that the nominal profile includes only the non-null attribute values (icebergs) that appear more frequently than a preset threshold, say x%. This keeps the profile to a manageable size, and reduces the lookup time. Iceberg-style histograms require two passes over the input data to collect nominal profile data. A one-pass iceberg-style histogram maintenance/update is implemented efficiently in hardware by applying a two-stage pipelined approximation similar to what is proposed in [19]. In this method, data processing is divided into periods, where period t-1 scans for icebergs to be accounted in period t, which in turn scans for icebergs to be used in period t+1, and so on, as in Fig. 3. This figure contains real attribute values and frequencies from the flag nominal profile, using a 1% threshold. Arriving packets in period t-1 possessed flag attribute values 2, 16, 17, 19, 22, and 24. These values (or icebergs) are accounted in period t, with the number of occurrences being 2235, 385, 154, 88, 11, and 991, respectively. At the same time, in period t, arriving packets have flag attribute values 2, 16, 17, 18, 2, and 24, composing the icebergs to be accounted in period t+1.

[Fig. 3. Iceberg detection in real-time: the iceberg scan performed in period t-1 feeds the iceberg count performed in period t.]

Scoring is obtained as a direct comparison of nominal and measured profiles using CLP as a metric (see footnote 1). After the scores are computed, it is necessary to calculate which score represents an upper-bound threshold that will distinguish legitimate packets from attacking ones, on a per-packet/per-score basis. This chosen score will attend to throughput requirements, which regulate the output throughput, keeping it close to a previously set target throughput. This overload control process is achieved by having a Cumulative Distribution Function (CDF) of all incoming packets created and maintained using one-pass quantile computation techniques as in [2], [21], and [22]. Next, the discarding threshold (TH_d) is calculated (and dynamically adjusted) using the load-shedding algorithm as in [23]. According to this algorithm, the congestion level of the victim is measured, allowing the victim system to opportunistically accept more potentially legitimate traffic as its capacity permits. The resulting TH_d is simply a CDF entry. Incoming packets whose CDF values are below TH_d are discarded, as shown in Fig. 4. The key idea here is to prioritize, forward, and drop packets based on their score values.

Footnote 1: For further details on CLP, please refer to Eqs. 1, 2, and 3 in [17].

[Fig. 4. Outgoing traffic maintenance using discarding threshold updates: on the CDF of packet scores, a minor threshold change produces a big change in outgoing traffic.]

III. IMPROVEMENT OVER THE CLP-BASED SCHEME

We propose new methods to replace the CLP-based scheme to achieve high-speed operation, e.g., 1 Gbps. In the CLP-based scheme, a scorebook, a collection of each attribute value's score, is first generated based on the Bayesian CLP. The score associated with each attribute value is obtained from two histograms: one is the currently measured profile and the other is the nominal profile. The implementation complexity arises from the calculation of these two histograms for each packet attribute. On the contrary, the Leaky-Bucket (LB) based scheme does not need to calculate a measured profile histogram, nor does it need to calculate any kind of histogram in real time. Instead, it assigns an LB to each attribute value and determines a score for each attribute value based on the number of overflows of the associated LB. The scorebook can be readily obtained by keeping track of the overflow counts. The operation of the LB is quite simple, involving only memory accesses and count value updates. Another proposed scoring method, called Attribute-Value-Variation (AV), improves the accuracy of packet discarding (see footnote 2) under all circumstances, as compared to the CLP- and LB-based schemes. This is achieved by using an attribute value variance instead of simple attribute values as an LB threshold. It is less complex than CLP but more complex than LB. The complexity comes from the necessity to calculate the variance for each attribute value during the nominal profile period.

Footnote 2: The capacity to distinguish legitimate packets from attacking packets, and discard the attacking ones with as much accuracy as possible.

It is very challenging to provide effective overload control when a system is under fast-changing DDoS attacks. The previously proposed PacketScore scheme uses a CDF and a load-shedding algorithm to generate the discarding threshold TH_d. Packets with scores lower than the threshold are discarded. However, if an attacker changes its attack type and intensity, the TH_d which was valid for a certain range of scores would very likely become invalid, therefore compromising the differentiation capacity, until a more adequate TH_d is dynamically set. This situation tends to worsen as the scores of a measurement period are used in the next period, while the attacks continue to change. We have observed that the moment the attacks change, spikes of admitted traffic appear (due to the threshold invalidation explained above), sometimes lasting for a relatively long period of time. Even with frequent threshold updates within a small period of time (the only way to re-validate the threshold), the CLP scheme still suffers from this problem. We introduce Proportion Integration (P/I) control (a simple and classic solution in control systems) as a method to reduce this problem. The overall control system is simpler, with lower computational and memory requirements. P/I provides a higher degree of independence from the scores generated in the previous period, and adapts faster to new attacks than the CDF/load-shedding scheme. A fair comparison among the schemes is provided in Section VII, through a series of simulations with the same parameter set: the same tcpdump files, periods, attack methods, durations, and intensities.

IV. LB-BASED PACKETSCORE SCHEME

LB is a well-known traffic enforcement/shaping algorithm and is usually implemented at the network edges to ensure that a user's traffic complies with the negotiated traffic parameters. Conceptually, an LB consists of a bucket with a size of S and a drain rate of R_d. In the context of traffic control, arriving packets are considered non-conforming if they would cause the bucket to overflow. They can be either discarded (for enforcement) or delayed (for shaping). Let us introduce the notation A_{i,j} to represent a particular TCP/IP attribute value. Here, i is an index that uniquely identifies a TCP/IP attribute, while j represents the value of this TCP/IP attribute i. Attribute value A_{1,26}, for example, could represent TTL=26; A_{2,80}, Server Port=80 (HTTP); A_{3,64}, Packet Size=64; etc. Here, an LB is maintained for each attribute value A_{i,j}, with a given size and a drain rate that are derived from the histogram of attribute A_i in the nominal profile. By measuring the LB overflow frequency (more precisely, the overflow count in a measurement period), we can determine how discrepant the measured-traffic and nominal profiles are. This overflow frequency is regarded as a partial score for the associated attribute value. The total score of an arriving packet destined to the identified victim is the sum of all partial scores. The bucket size, also called the threshold TH_LB, is determined as follows:

$TH_{LB} = N \cdot R(A_{i,j}) \cdot T$   (1)

where T is the nominal profile measurement interval in seconds, N is the number of packets per second measured during T, and R(A_{i,j}) is the distribution frequency of attribute value A_{i,j}. Both N and R(A_{i,j}) are obtained from the nominal profile, and their product constitutes the drain rate R_d.

A. Leaky-Bucket-Based Scoring

In this section, we formalize the notion of LB-based packet scoring. Consider all the packets destined for an identified victim. A packet p carries a set of discrete-valued attributes A_i^p, where A_1^p could be the TTL value (e.g., TTL=26, or A_{1,26}), A_2^p the server port number, A_3^p the packet size in bytes, and so forth up to A_n^p, where n is the number of attributes. Let V(A_i^p) be the number of overflows of the LB associated with A_i^p. We then have the packet score S(p) as the sum of the overflows of all the packet's attribute values:

$S(p) = \sum_{i=1}^{n} V(A_i^p)$   (2)

Fig. 5 shows an example to illustrate how the scores of packet #1 (on the bottom left of the figure) and packet #2 (on the bottom right) are obtained.
There are two sets of histograms; the top three belong to the nominal traffic profile and the bottom three belong to the current traffic profile. The three histograms are associated with three attributes: TTL, destination port number, and packet size. Each histogram indicates the relative frequency of the attribute values that are larger than a given threshold (e.g., 1%). For instance, the relative frequencies of TTL values 23, 26, 54, 61, and 251 are 1%, 5%, 13%, 7%, and 3%, respectively.

[Fig. 5. Nominal and measured profile related to packet scoring on the LB-based scheme. Top: nominal traffic profile histograms (histogram threshold of 1%) for TTL value, destination port number, and packet size (in bytes), with the Leaky-Bucket thresholds listed below them. Bottom: current traffic measured using LBs, with the number of overflows per attribute value and the resulting scores of packet #1 and packet #2.]

Based on Eq. (1), the threshold of each LB (i.e., each attribute value), TH_LB, is calculated and listed below the top three histograms. For example, the TH_LB of TTL value 23 is 16 packets, where the relative frequency is 1%, N is 16 packets per second, and T is 1 seconds. The discrepancy between the histograms of the nominal traffic profile and those of the current traffic profile is reflected by the number of LB overflows, as shown below the bottom set of histograms. For instance, the LB of TTL = 61 overflows 20 times in the measurement period. In an actual system, the histograms of the current traffic profile are not required. They are shown here to facilitate the explanation. A packet score is the sum of the partial scores of the attributes. The partial score is actually the number of overflows of the associated LB. For instance, packet #1's score, 49, is the sum of 20, 14, and 15, while packet #2's score is 2. The higher the score, the more discrepant the packet is from the nominal traffic, and thus the higher the probability that the packet is an attacking packet.

[Fig. 6. Profile measurement and scorebook generation on the LB-based scheme. The attribute values of an incoming packet p (TTL=26, server port 80, packet size 64 bytes, protocol 17 (UDP)) index the leaky buckets for the TTL values and server port numbers; each bucket has a threshold Th and a drain rate R_d, and on an overflow the corresponding scorebook entry V(i,j) (number of overflows) is increased by 1.]

Fig. 6 illustrates how packet scores are calculated. Here, we assume the value of N to be 10^6 packets, and the measurement interval T to be 10 seconds, yielding R_d = 100K packets/sec multiplied by the relative frequency of each attribute value. Fig. 6 shows an incoming packet and its attributes: TTL=26, server-port-number=80, packet-size=64 bytes, and protocol-type=UDP. We focus on TTL for now. The LB associated with TTL=26 has its threshold set to 50,000, as calculated in Fig. 6, based on Eq. (2), and given N, T, and R=5% (found on the TTL nominal traffic profile in Fig. 5). When the packet arrives, TTL=26 is identified as A_1^p, and the level of the LB corresponding to A_{1,26} is increased by one. If the new level is higher than TH_LB, the number of LB overflows for A_{1,26} is also increased by one. LB thresholds for the TTL and server port attributes are represented in Fig. 5. The number of overflows for the second TTL LB, corresponding to TTL value 26, is represented by V(1,2) in Fig. 6, with the value of 5% in Fig. 5. This value is the partial score, or V(A_1^p), for TTL=26.
Partial scores for the other attribute values are calculated similarly. One should observe that some LBs are shared among different attribute values. This is the case for A_3 = 64, for example, where A_3 represents the packet-size attribute (as in Fig. 5). As observed, all attribute values from 47 to 1 in Fig. 5 are associated with the same V(3,2) LB (see footnote 3). One of the most notable differences between the LB-based approach and [17] is that the construction of histograms for different attributes is no longer necessary when performing online measurement of the current traffic. Rather, histograms are only used when building the nominal profile (see footnote 4), which is in turn used to set the LB's fixed parameters TH_LB and R_d.

[Fig. 7. SQL-worm attack scoring and differentiation by Leaky-Bucket: the leaky buckets for protocol type (TCP, UDP, ICMP), server port number (23, 1434) and packet size (372 bytes among others), with the SQL-worm attack driving the UDP, port 1434 and 372-byte buckets into overflow.]

Fig. 7 illustrates how to detect an SQL-worm attack using LBs. The unusual flow of attacking packets rapidly increases the levels of the UDP protocol, server port 1434, and packet size = 372 bytes LBs, eventually causing them to overflow, which leads to packet differentiation by score.

B. Leaky-Bucket Nominal Profile

Nominal profiles are maintained by the 3D-R, in such a way that every endpoint has its own set of nominal profiles. They consist of a series of Leaky-Bucket sizes obtained from the histograms of nominal profiles of packet attribute values, and throughput information (the number of packets per second). They are maintained by the 3D-R, being collected during a period where the network operated allegedly free from attacks, and relying on the observation that the relative distribution samples of real-life Internet traffic attributes do not vary significantly over a short period of time unless there is an attack (a claim corroborated in [17], and in our simulations).

Footnote 3: Read as the number of overflows of the second Leaky-Bucket of the third iceberg for the packet-size TCP/IP attribute.
Footnote 4: An offline calculation that causes no impact to the real-time traffic collection operations.

[Fig. 8. Flag nominal profile on the Leaky-Bucket-based scheme: average mean frequency versus attribute value (individually, or in group).]

As a direct application of the iceberg-style histograms, CLP nominal profiles do not include attribute values with frequencies below the preset threshold during the measurement interval. Overall DDoS attack detection sensitivity would benefit from an increase in granularity for these less-frequent attribute values; therefore, we extend the iceberg-style histogram concept in the LB approach. In this scheme, all attribute values that do not appear so frequently during the measurement interval are grouped in a single entry of the nominal profile histogram, when the sum of their frequencies becomes higher than a preset fixed threshold. Fig. 8 represents the nominal profile histogram for the flag attribute. Its distribution frequencies represent the traffic profile contained in the trace obtained from the Internet trace archive of the MAWI project [24] of May 31, 2004, from 2:00pm to 2:10pm. Each attribute value has a distribution frequency associated with it. Values 2, 16, and 24, for instance, have distribution frequencies higher than the fixed threshold (set to 1% in the example), while all other attribute values from 0 to 64 (except the three values just mentioned) do not. As a result, these attribute values are grouped, sharing the same distribution frequency (like the three single-entry values) (see footnote 5). This profile was obtained using profilers: special programs that are part of our simulations and generate the profiles by reading data in tcpdump format. Network traffic observations show different periods of a day, across different days, having different traffic natures. The nominal profile, therefore, must be periodically updated so as to provide the right nominal profile for the incoming traffic to be measured. It is one function of the 3D-R to provide the profile update, right after the end of each measured nominal period, which should not be too short (since the scoring process could enter into a nominal race condition, always trying to adapt to the recently changed profile, and therefore being more sensitive to burstiness). Neither should the measured nominal period be too long, since then the same sensitivity to bursts is diminished and real traffic is not reflected very well. Another 3D-R function is the offline profile generation, which also happens after the end of a period. Practical observation shows great similarity between icebergs of adjacent periods. Based on this observation, we suggest the profile update to take place every 10 minutes, with the last updated profile being used toward score generation (as long as there are no attacks during these periods). When under attack, the profile is not used by any subsequent period, and is kept only for post-attack analysis purposes. In that situation, the next profile to be used should be the one from the same period of day of the day before, or a week before. One inherent problem of nominal profiles in general is the incapacity of detecting unexpected hikes of legitimate nominal traffic throughput within the nominal period. For this situation, we set a target throughput (ρ_target) higher than the throughput read from the nominal profile (see footnote 6).
This way we opportunistically accept more legitimate packets (and also potentially forward more attacking traffic, as a drawback). We propose ρ_target to be dynamic, always higher than the nominal throughput by x% (as long as the final ρ_target value doesn't oversubscribe the line or a committed packet rate previously set).

Footnote 5: In the example, all attribute values below the threshold coincidentally form a single group. However, there can be many groups within a histogram, as long as their joint attribute value frequency is higher than the threshold.
Footnote 6: This technique is also used in [17].
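The following Python program is added here as an illustration of Sections IV-A and IV-B and is not taken from the paper or the authors' simulator: it builds a nominal profile with grouped rare values from a constructed clean period, sizes one leaky bucket per attribute value with Eq. (1), counts overflows during a measurement period into which a constructed SQL-worm-like flood is injected, and scores packets with Eq. (2). The packet rate, traffic mix, iceberg threshold, attack rate, the mapping of unlisted values to the grouped entry, and the once-per-second drain approximation are all assumptions.

```python
"""Leaky-Bucket (LB) based packet scoring of Section IV: a nominal profile with
grouped rare values (IV-B), one bucket per attribute value sized by Eq. (1),
overflow counts as partial scores and the per-packet sum of Eq. (2).
Illustrative re-implementation, not the authors' code; all traffic is constructed."""
from collections import Counter

ATTRS = ("proto", "port", "size")
OTHER = "other"      # single grouped entry for values below the iceberg threshold
T = 10               # nominal profile measurement interval in seconds (assumed)
PPS = 1000           # constructed nominal packet rate
ICEBERG = 0.025      # constructed iceberg threshold (2.5 %)

# Constructed nominal mix: (proto, port, size) -> share of nominal traffic.
NOMINAL_MIX = {
    (6, 80, 1460): 0.45, (6, 443, 1460): 0.20, (6, 80, 64): 0.15,
    (17, 53, 90): 0.10, (1, 0, 64): 0.03, (6, 25, 576): 0.03,
    (6, 8080, 512): 0.02, (6, 110, 1200): 0.02,
}
# SQL-worm-like flood as in Fig. 7: UDP to port 1434 (the size is a constructed value).
ATTACK = (17, 1434, 376)


def synth(seconds, pps, mix, extra=None, extra_pps=0, extra_from=0):
    """Deterministic trace of (second, packet): every second each mix entry contributes
    its exact share of `pps` packets; from second `extra_from` on, `extra_pps` packets
    of `extra` are added.  A packet is a dict keyed by ATTRS."""
    trace = []
    for sec in range(seconds):
        for values, share in mix.items():
            trace += [(sec, dict(zip(ATTRS, values)))] * round(share * pps)
        if extra is not None and sec >= extra_from:
            trace += [(sec, dict(zip(ATTRS, extra)))] * extra_pps
    return trace


def build_nominal(trace, seconds, threshold=ICEBERG):
    """Nominal profile: N (packets per second) and R(A_ij) per attribute value.
    Values at or above the threshold keep their own entry; rarer ones share one
    OTHER entry when their combined frequency exceeds the threshold (Section IV-B)."""
    total = len(trace)
    profile = {}
    for a in ATTRS:
        freq = {v: c / total for v, c in Counter(p[a] for _, p in trace).items()}
        keep = {v: f for v, f in freq.items() if f >= threshold}
        rare = sum(f for f in freq.values() if f < threshold)
        if rare > threshold:
            keep[OTHER] = rare
        profile[a] = keep
    return {"N": total / seconds, "R": profile}


class LeakyBucket:
    """Bucket of size TH_LB = N*R*T that drains R_d = N*R packets per second."""

    def __init__(self, n, r, t):
        self.th = round(n * r * t)
        self.rd = round(n * r)
        self.level = 0
        self.overflows = 0

    def arrive(self):
        self.level += 1
        if self.level > self.th:   # non-conforming packet: count one overflow
            self.overflows += 1
            self.level = self.th   # the bucket never holds more than TH_LB

    def drain(self):               # discrete approximation: drain once per second
        self.level = max(0, self.level - self.rd)


def key_for(profile_attr, value):
    """Bucket index a value maps to (unlisted values share OTHER, an assumption)."""
    return value if value in profile_attr else OTHER


def measure(trace, nominal):
    """One measurement period (Fig. 6): feed every packet to the buckets of its
    attribute values and return the scorebook {attr: {value: overflow count}}."""
    n, R = nominal["N"], nominal["R"]
    buckets = {a: {v: LeakyBucket(n, r, T) for v, r in R[a].items()} for a in ATTRS}
    current = 0
    for sec, pkt in trace:
        while current < sec:       # second boundary: drain every bucket
            for a in ATTRS:
                for b in buckets[a].values():
                    b.drain()
            current += 1
        for a in ATTRS:
            b = buckets[a].get(key_for(R[a], pkt[a]))
            if b is not None:      # no entry at all: nothing to account for
                b.arrive()
    return {a: {v: b.overflows for v, b in buckets[a].items()} for a in ATTRS}


def score(pkt, scorebook, R):
    """Eq. (2): S(p) is the sum of the overflow counts of the packet's attribute values."""
    return sum(scorebook[a].get(key_for(R[a], pkt[a]), 0) for a in ATTRS)


def run(attack_pps=3000, attack_from=3):
    """Profile a clean period, then measure a period with the flood added from second
    `attack_from` on; returns the profile, the scorebook and two packet scores."""
    nominal = build_nominal(synth(T, PPS, NOMINAL_MIX), T)
    period = synth(T, PPS, NOMINAL_MIX, ATTACK, attack_pps, attack_from)
    book = measure(period, nominal)
    legit = dict(zip(ATTRS, (6, 80, 1460)))
    worm = dict(zip(ATTRS, ATTACK))
    return nominal, book, score(legit, book, nominal["R"]), score(worm, book, nominal["R"])
```

With the constructed mix, a plain HTTP packet scores 0 because every bucket it touches refills at exactly its drain rate, while a worm packet collects the overflows of the UDP, grouped-port and grouped-size buckets.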

C. Leaky-Bucket Real-Time Implementation

As seen in Eq. (2), the packet score is obtained by summing the number of LB overflows of the packet's attribute values. Two processes need to occur in parallel for this to happen: the traffic profiling and the score computation. Profiling controls the LB levels and overflows, as in Fig. 6. Scoring is divided in two parts: the scorebook generation and the packet scoring. The scorebook is a set of associations between scores and attribute values, containing the latest snapshot of LB overflows. It needs to be periodically updated at the beginning of each traffic profile period, a time-scale much longer than the packet arrival time-scale. After the scorebook is built, it is used as a static reference for obtaining the partial scores of an incoming packet and, from those, its final score. After getting the current traffic profile, the CLP method needs to do a complex offline calculation in software to generate the scorebook, which takes some processing. Unlike [17], which requires the CLP computation, the scorebook in the LB approach is promptly ready to be used for the next period, with no need for any extra computation.

The following processes must occur in parallel (in the 3D-R) at the time of packet arrival:

- Traffic measurement: LB level and overflow controls, histogram update for future generation of the next nominal profile, and scorebook generation at the end of each period.
- Score computation based on the frozen (static) scorebook and the current packet attribute values.
- Selective packet discard (overload control), and dynamic threshold adjustments by the Proportion Integration (P/I) control system.

To properly implement and integrate those processes, a pipelined implementation is used, as Fig. 9 shows. The decision to allow or drop packets does not start until the third period starts. Fig. 9 also demonstrates the parallelization of the processes and the interdependency between periods. Although packet scoring is always performed according to the second bullet above, packet discarding only happens if the system is operating beyond its safe (target) utilization level $\rho_{target}$; otherwise all packets are forwarded. Overall, the LB scheme is faster and simpler than the CLP scheme, making it more suitable for real-time implementation. In the CLP scheme, there are too many interdependent tasks that need to be implemented sequentially before packets can start to be dropped, such as iceberg identification and accounting, as per the two-stage pipelined approximation similar to [19]. In the new approach, these tasks can all be performed in a mini-period of 1ms or less, so packet discarding and overload control can start immediately, resulting in faster responses to DDoS attacks.

[Fig. 9. Pipelined implementation timeline. Period 1: measure current traffic by leaky bucket to generate scorebook. Period 2: measure current traffic by leaky bucket to generate scorebook; score packets and dynamically adjust the discarding threshold, using the scorebook generated in Period 1. Period 3: measure current traffic by leaky bucket to generate scorebook; score packets and dynamically adjust the discarding threshold. Incoming packets enter at Period 1 and outgoing packets leave after Period 3.]

V. ATTRIBUTE-VALUE-VARIATION SCHEME

In this section we introduce the attribute value variance as another new metric in the packet scoring process. The Attribute-Value-Variation (AV) scheme compares the incoming packet's attribute value distributions with the nominal profile, providing packet scores based on the resulting differentiation. It approximates the measured profile distributions, detecting attribute values on arriving packets that significantly deviate from the nominal profile. Scoring is based on the probability of whether the packet's attribute-value distributions significantly differ from the nominal profile or not. This probability results from comparing the average means and variances of the iceberg attribute values computed in the nominal profile with the incoming packet's current attribute-value means. The more the incoming packet's measured profile deviates from the nominal profile, the higher its likelihood of being an attacking one, and vice-versa.
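The LB pipeline of Section IV.C above (profiling with one leaky bucket per attribute value, freezing the overflow counts into a scorebook at the end of the period, and scoring the next period's packets against that static scorebook) as an added Python example; it is not code from the paper. The nominal profile, the bucket depth, the target rate and the one-second period of nominal plus flood traffic are all constructed for illustration, and the choice of leak rate (the value's nominal share of the target rate) and the floor rate for unseen values are this example's assumptions, since Eq. (2) and Fig. 6 are not on this page. Scores here are raw overflow sums, so larger means more anomalous; the normalization that maps them onto the $TH_d$ scale of Section VI is not shown here.

```python
"""Leaky-bucket profiling, scorebook generation and packet scoring (added example)."""
from dataclasses import dataclass

# Constructed nominal profile: relative frequency of each (attribute, value)
# in the baseline traffic. Made up for illustration, not taken from the MAWI traces.
NOMINAL_PROFILE = {
    ("ttl", 54): 0.55, ("ttl", 23): 0.10, ("ttl", 128): 0.35,
    ("dport", 80): 0.60, ("dport", 110): 0.05, ("dport", 53): 0.35,
    ("size", 1500): 0.40, ("size", 46): 0.15, ("size", 576): 0.45,
}
TARGET_PPS = 1800.0   # assumed rho_target: above the 1000 pps nominal load used below
BUCKET_DEPTH = 5.0    # assumed bucket capacity, in packets


@dataclass
class LeakyBucket:
    rate: float            # leak rate, packets per second
    depth: float
    level: float = 0.0
    last_t: float = 0.0
    overflows: int = 0

    def arrive(self, t: float) -> None:
        # Drain for the time elapsed since the last arrival, then add this packet;
        # whatever does not fit in the bucket is counted as an overflow.
        self.level = max(0.0, self.level - self.rate * (t - self.last_t))
        self.last_t = t
        self.level += 1.0
        if self.level > self.depth:
            self.overflows += 1
            self.level = self.depth


class LBProfiler:
    """One bucket per attribute value; its leak rate is the value's nominal share of the target rate."""

    def __init__(self, nominal, target_pps, depth):
        self.nominal, self.target_pps, self.depth = nominal, target_pps, depth
        self.buckets = {}

    def _bucket(self, key):
        if key not in self.buckets:
            # A value never seen in the nominal profile gets a small floor rate (assumption).
            rate = self.nominal.get(key, 0.001) * self.target_pps
            self.buckets[key] = LeakyBucket(rate, self.depth)
        return self.buckets[key]

    def measure(self, pkt, t):
        for attr, value in pkt.items():
            self._bucket((attr, value)).arrive(t)

    def scorebook(self):
        # Snapshot taken at the end of the period; frozen while the next period is scored.
        return {key: b.overflows for key, b in self.buckets.items()}


def lb_score_packet(pkt, scorebook):
    """Packet score as the page describes Eq. (2): sum of LB overflows of the packet's attribute values."""
    return sum(scorebook.get((attr, value), 0) for attr, value in pkt.items())


def build_period_traffic():
    """Constructed one-second period: 1000 nominal packets cycling through the profile's
    proportions, plus a 2000 pps flood that fixes one value of every attribute."""
    pkts = []
    for i in range(1000):
        r = i % 20
        pkts.append((i / 1000, {
            "ttl": 54 if r < 11 else (23 if r < 13 else 128),
            "dport": 80 if r < 12 else (110 if r == 12 else 53),
            "size": 1500 if r < 8 else (46 if r < 11 else 576),
        }))
    for j in range(2000):
        pkts.append((j / 2000, {"ttl": 23, "dport": 53, "size": 46}))
    pkts.sort(key=lambda p: p[0])
    return pkts


def run_example():
    profiler = LBProfiler(NOMINAL_PROFILE, TARGET_PPS, BUCKET_DEPTH)
    for t, pkt in build_period_traffic():
        profiler.measure(pkt, t)
    book = profiler.scorebook()   # used as the static reference for the next period
    probes = {
        "nominal": {"ttl": 54, "dport": 80, "size": 1500},
        "mixed": {"ttl": 54, "dport": 53, "size": 1500},
        "attack": {"ttl": 23, "dport": 53, "size": 46},
    }
    return {name: lb_score_packet(p, book) for name, p in probes.items()}


if __name__ == "__main__":
    print(run_example())
```

Because the nominal values' buckets leak faster than their traffic arrives, they never overflow and a packet built only from nominal values scores 0, while the three flooded values accumulate overflows in proportion to their excess over the leak rate; the partial scores can be read straight out of the scorebook with no further computation once the period ends.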

A. The Attribute-Value-Variation Operation

We devised the idea of packet scoring by attribute value variation based on the model described in [25], a work on anomaly detection of web-server requests from the intrusion detection community. Their method successfully approximates the actual but unknown distribution of the query attribute lengths of a request, detecting instances that significantly deviate from the observed normal behavior. In our scheme, during the nominal profile calculation, the average mean $\bar{\mu}$ and the variance $\sigma^2$ of the attribute value distribution are calculated. In the detection phase, the probability $p$ relating an arriving packet attribute value $\chi$ to the average $\bar{\mu}$ can be bounded using the Chebyshev inequality, as shown below:

$$p(|\chi - \bar{\mu}| > |\mu - \bar{\mu}|) < p(\mu) = \frac{\sigma^2}{(\mu - \bar{\mu})^2} \quad (3)$$

This allows the scheme to obtain an upper bound on the probability that $|\chi - \bar{\mu}|$ exceeds the threshold $|\mu - \bar{\mu}|$, that is, the probability that an incoming packet attribute value deviates more from its average $\bar{\mu}$ in the nominal profile than the current mean $\mu$ does.

B. The Attribute-Value-Variation Nominal Profile

The AV nominal profile histograms contain the average mean $\bar{\mu}$ and the variance $\sigma^2$ of the attribute values. The overall structure (except for the introduced variance field) and the profile update scheme are implemented in the same way as in the LB-based scheme, although the profile calculation is implemented differently. Here, we calculate the average mean for each attribute value by dividing the profile period into $N = 6$ samples⁷, with an attribute value mean $\mu_i$ calculated for each sample. The mean of these samples becomes the average mean, as per Eq. (4), followed by the variance calculation as per Eq. (5).

$$\bar{\mu} = \frac{1}{N}\sum_{i=1}^{N} \mu_i \quad (4)$$

$$\sigma^2 = \frac{1}{N}\sum_{i=1}^{N} (\mu_i - \bar{\mu})^2 \quad (5)$$

⁷ A sample size of 6 gives a reasonable mean approximation, without adding too much overhead.
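An added Python example, not the paper's profiler program, of the AV profile and scoring path: Eq. (4) and (5) over $N = 6$ per-sample means, the Chebyshev bound of Eq. (3) applied per attribute value as Eq. (6) in Section V.C does, the rule that a current mean at or below the average is legitimate, and the normalization of the bound into an integer partial score. The per-sample means, the current-period means and the packets are constructed; treating an equal mean like a lower one, capping the bound at 1, and giving an attribute value absent from the nominal profile a partial score of 0 are this example's assumptions, and the constant 10 000 is chosen because it reproduces the page's ".15% normalized to 15".

```python
"""Attribute-Value-Variation nominal profile, Chebyshev-bound scorebook and packet scoring (added example)."""

SCALE = 10_000     # normalization constant; the page's 0.15% -> 15 example corresponds to this value
N_SAMPLES = 6      # N in Eq. (4) and (5)

# Constructed data: for each (attribute, value), the per-sample means mu_i of its relative
# frequency over the N = 6 samples of one nominal profile period. Values are made up.
NOMINAL_SAMPLES = {
    ("ttl", 54):    [0.50, 0.52, 0.48, 0.51, 0.49, 0.50],
    ("ttl", 23):    [0.010, 0.012, 0.008, 0.011, 0.009, 0.010],
    ("dport", 80):  [0.60, 0.61, 0.59, 0.60, 0.62, 0.58],
    ("dport", 53):  [0.05, 0.04, 0.06, 0.05, 0.05, 0.05],
    ("size", 1500): [0.40, 0.40, 0.40, 0.40, 0.40, 0.40],
    ("size", 46):   [0.10, 0.12, 0.08, 0.10, 0.11, 0.09],
}
# Constructed current-period means mu: TTL 23, port 53 and 46-byte packets are inflated.
CURRENT_MEANS = {
    ("ttl", 54): 0.30, ("ttl", 23): 0.12,
    ("dport", 80): 0.61, ("dport", 53): 0.30,
    ("size", 1500): 0.35, ("size", 46): 0.40,
}


def nominal_profile(samples):
    """Eq. (4) and (5): average mean and variance of the per-sample means."""
    profile = {}
    for key, mus in samples.items():
        assert len(mus) == N_SAMPLES
        mu_bar = sum(mus) / N_SAMPLES
        var = sum((m - mu_bar) ** 2 for m in mus) / N_SAMPLES
        profile[key] = (mu_bar, var)
    return profile


def partial_probability(mu_bar, var, mu):
    """Eq. (3)/(6): Chebyshev bound sigma^2 / (mu - mu_bar)^2 on the deviation of the
    current mean from the nominal average. A mean at or below the average is legitimate
    (P = 1), which also avoids the zero denominator. Capping the bound at 1 is this
    example's assumption: the bound exceeds 1 when the deviation is within one sigma."""
    if mu <= mu_bar:
        return 1.0
    return min(1.0, var / (mu - mu_bar) ** 2)


def build_scorebook(profile, current):
    """Partial score per attribute value: P normalized by a constant, as on the page.
    A value absent from the nominal profile is treated as fully deviant (assumption)."""
    book = {}
    for key, mu in current.items():
        if key in profile:
            mu_bar, var = profile[key]
            p = partial_probability(mu_bar, var, mu)
        else:
            p = 0.0
        book[key] = round(p * SCALE)
    return book


def av_score_packet(pkt, book):
    """Packet score: sum of the partial scores of its attribute values (low = more likely attack)."""
    return sum(book.get((attr, value), 0) for attr, value in pkt.items())


def run_example():
    profile = nominal_profile(NOMINAL_SAMPLES)
    book = build_scorebook(profile, CURRENT_MEANS)
    legit = {"ttl": 54, "dport": 80, "size": 1500}
    attack = {"ttl": 23, "dport": 53, "size": 46}
    return book, av_score_packet(legit, book), av_score_packet(attack, book)


if __name__ == "__main__":
    book, s_legit, s_attack = run_example()
    for key, score in sorted(book.items()):
        print(key, score)
    print("legitimate-looking packet:", s_legit, " attack-looking packet:", s_attack)
```

With these inputs the three inflated values get partial scores of 1, 5 and 19 (port 80, whose current mean is within one sample standard deviation of its average, is capped at the full 10 000), so the packet carrying them scores 25 against 30 000 for the packet built from nominal values; a discarding threshold anywhere between those two separates them.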

The resulting profiles determine the acceptable distribution deviations, given by $\sigma^2$, while these distributions stay close to the average mean distribution $\bar{\mu}$. The scoring process further measures these deviations, with higher deviations meaning higher likelihoods of attacking packets. Fig. 1 shows the nominal profile used for the flag attribute, with the standard deviations⁸ of the attribute values on top of each average mean histogram bar. Like the flag histogram in Fig. 8, Fig. 1 represents the same MAWI [24] trace. A profiler program has also been created for the AV-based scheme.

⁸ Standard deviations are shown instead of variances, which are very low values, insignificant in the plot.

[Fig. 1. Flag nominal profile on the attribute-value-variation-based scheme. Axes: attribute value (individually, or in group) vs. frequency; bars show the average mean, with the standard deviation marked on each bar.]

C. The Attribute-Value-Variation Scoring

The packet score is composed of the sum of the probabilities of its attribute value distributions deviating from their respective $\sigma^2$ and $\bar{\mu}$ in the nominal profiles. Each probability can be viewed as the probability $P$ (the same as $p$ in Eq. (3)) of an attribute value being in accordance with the nominal profile:

$$P(A^p_i) = \frac{\sigma^2}{(\mu - \bar{\mu})^2}, \quad \forall A^p_i \in p \quad (6)$$

where $p$ represents the incoming packet; $A$, a measured attribute; $i$, the value of this attribute; $\mu$, the attribute value's current mean distribution; $\bar{\mu}$, the average mean distribution of the same attribute value measured in the nominal profile; and $\sigma^2$ is the variance of this attribute value, also measured in the profile. If the incoming packet's mean is less than the average, the packet is automatically considered legitimate, being assigned a probability of 1 and the corresponding score.

Fig. 11 illustrates how a packet's score is generated by the AV-based scheme. The histograms of the nominal and current traffic profiles in Fig. 11 are similar to those in the LB approach in Fig. 5. The difference is that each attribute value in Fig. 11 has both the average $\bar{\mu}$ and the variance $\sigma^2$ of its relative frequency in the nominal traffic profile, while Fig. 5 has only $\bar{\mu}$. For example, the average $\bar{\mu}$ and the variance $\sigma^2$ of the relative frequency for TTL value 23 are 1% and .6%, respectively, which can be calculated from Eq. (4) and (5). On the other hand, the histogram of the current traffic profile only has the average $\mu$ of the relative frequency. From Eq. (6), a partial score for each attribute is generated and stored in a scorebook, as shown in Fig. 11. For instance, TTL of 23 has $\bar{\mu} = 1\%$ and $\sigma^2 = .6\%$ in the nominal traffic profile and $\mu = 12\%$ in the current traffic profile. From Eq. (6), we get the result of .15% and normalize it to 15 by multiplying by a constant value.

[Fig. 11. Nominal and measured profiles related to packet scoring on the AV-based scheme. Top: nominal traffic profile histograms (TTL value, destination port number, packet size in bytes) with a histogram threshold of 1%, each bar carrying its average mean and variance. Middle: current measured traffic profile histograms for the same three attributes. Bottom: the scorebook of partial scores and the resulting scores of two example packets (Packet #1 and Packet #2).]

VI. SELECTIVE PACKET DISCARDING AND OVERLOAD CONTROL

As Section III shows, overload control is a key component of the PacketScore scheme. It is implemented in the 3D-R, which continually tries to maintain a pre-set target throughput ($\rho_{target}$). This control is achieved by forwarding or discarding packets according to $TH_d$. The P/I control performs overload control in both the LB and AV schemes, by providing and updating $TH_d$ dynamically as

$$TH_d(k) = TH_d(k-1) + \Delta TH_d \quad (7)$$

where $\Delta TH_d = K_p\,[e(k) - e(k-1)] + K_i\,e(k)$ is the threshold variation. This variation is composed of the sum of two parts: oscillation control and error control. $K_p$ and $K_i$ are static values used in Eq. (7). These are critical values that should be carefully selected, or the overload control will be ineffective. In our simulations, we used the values of 1 6 for $K_p$, and for $K_i$ we used 1 2 and 1 3 for LB and AV, respectively, for an index data structure of up to 15, score entries. The reason for a smaller $K_i$ for the AV scheme is that the P/I function is invoked more frequently (every 1ms), as compared to the LB scheme (every 1ms), which requires larger threshold variations per threshold update. All of these values were obtained in our simulations during a learning period, in which many values were tested until the overload control produced good results. Because $K_p$ and $K_i$ are derived from the scorebook data structure and the scores produced, one does not need to experiment with new values as long as the same data structure size is used. If a different size is chosen, $K_p$ and $K_i$ must be changed proportionally. Continuing with Eq. (7), $TH_d$ and the error rate $e$ are functions of a period $k$ (and $k-1$), with the error rate being equal to the actual output throughput minus the target throughput, $e(k) = \rho_{out}(k) - \rho_{target}(k)$. Fig. 12 depicts the integrated overload control operation involved in the $TH_d$ generation. First, the error rate $e(k)$ is calculated in the Error Control portion, based on the difference between the actual output throughput $\rho_{out}$⁹ and the target throughput $\rho_{target}$ from the nominal profile. The Threshold Calculation then takes both $e(k)$ and $e(k-1)$, calculating the discarding threshold variation $\Delta TH_d$ with the use of $K_p$ and $K_i$. This variation is added to the previous period's threshold $TH_d(k-1)$, composing the new $TH_d$. $TH_d$ is simply a score, based on which arriving packets are forwarded or dropped if their scores are above or below it, respectively. This comparison of packet scores to the current discarding threshold is done at wire-speed, with the threshold concurrently adjusted from time to time. These periodic adjustments occur at the same time-scale as the scorebook generation interval (1ms, in the LB scheme), which is larger than the packet arrival time-scale and shorter than the 5s interval period. In the AV scheme, they occur more frequently (every 1ms) within the period in which the scorebook is generated (1ms). The shorter interval proved to be more efficient against fast-changing attacks, providing better overload control. Although the LB scheme also benefits from these faster updates in terms of overload control, we kept this value higher due to a better score separation, as the next section shows. P/I simplifies the overload control substantially when compared to the CDF/load-shedding scheme used in the CLP approach. Because the use of CDF requires maintaining a large data structure and online histograms, it imposes an overhead on the system.

⁹ The fraction $F$ of the arriving packets $\rho_{legitimate} + \rho_{attack}$.

[Fig. 12. The proportion integration (P/I) control system. Inputs: nominal profile, scorebook, packet scores and $\rho_{target}$. The Error Control block computes $e(k)$ from $\rho_{out}$ and $\rho_{target}$; the Threshold Calculation block computes $\Delta TH_d$ from $e(k)$ and $e(k-1)$ and adds it to $TH_d$; the Overload Control block passes or discards each packet by comparing its score with $TH_d$, producing $\rho_{out}$.]
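The P/I threshold update of Eq. (7) driven by the discarding rule, as an added Python simulation that is not the paper's 3D-R code: each period scores a constructed population of 1000 legitimate packets (scores 6000 and up) and 3000 attacking packets (scores below 3000), forwards those at or above the threshold in force, measures $e(k) = \rho_{out}(k) - \rho_{target}$, and applies $\Delta TH_d = K_p[e(k) - e(k-1)] + K_i\,e(k)$. The gains $K_p = 0.2$ and $K_i = 0.5$, the target of 1200 packets per period, the initial threshold of 0 and the score populations are this example's assumptions (the page's own gains are tied to its scorebook size and are not reused here); forwarding a packet whose score equals the threshold is likewise an assumption.

```python
"""P/I discarding-threshold control of Eq. (7) over constructed per-period scores (added example)."""
from dataclasses import dataclass


@dataclass
class PIController:
    """TH_d(k) = TH_d(k-1) + Kp*[e(k) - e(k-1)] + Ki*e(k); the gains are this example's assumptions."""
    kp: float
    ki: float
    th: float = 0.0        # TH_d(k-1): threshold in force during the current period
    e_prev: float = 0.0    # e(k-1)

    def update(self, rho_out, rho_target):
        e = rho_out - rho_target                            # e(k): error control term
        delta = self.kp * (e - self.e_prev) + self.ki * e   # Delta TH_d: oscillation + error parts
        self.th += delta                                    # TH_d(k)
        self.e_prev = e
        return self.th


def forward(scores, th_d):
    """Overload control: keep packets whose score is at or above TH_d (ties pass, assumption)."""
    return [s for s in scores if s >= th_d]


def period_scores():
    """Constructed populations: legitimate scores in [6000, 10000), attacking scores in [0, 3000)."""
    legit = [6000 + (i * 37) % 4000 for i in range(1000)]
    attack = [(j * 53) % 3000 for j in range(3000)]
    return legit, attack


def run_example(periods=30, rho_target=1200, kp=0.2, ki=0.5):
    """Returns one (TH_d in force, rho_out, legitimate forwarded, attack forwarded) tuple per period."""
    ctl = PIController(kp, ki)
    legit, attack = period_scores()
    history = []
    for _ in range(periods):
        th = ctl.th
        kept_legit = len(forward(legit, th))
        kept_attack = len(forward(attack, th))
        rho_out = kept_legit + kept_attack
        history.append((th, rho_out, kept_legit, kept_attack))
        ctl.update(rho_out, rho_target)   # adjust the threshold for the next period
    return history


if __name__ == "__main__":
    for k, (th, out, kl, ka) in enumerate(run_example()):
        print(f"period {k:2d}: TH_d={th:8.1f} rho_out={out:5d} legit={kl:4d} attack={ka:4d}")
```

With the threshold starting at 0 all 4000 packets pass in the first period, the error of 2800 pushes $TH_d$ up, and within about twenty periods the controller settles just below 2800, where every legitimate packet is forwarded and exactly enough attacking packets pass to hold $\rho_{out}$ at the target, which is the $\rho_{out}/\rho_{target} = 1$ behaviour reported for the LB and AV schemes in Section VII; the $K_p$ term, acting on the change in error, is what damps the approach.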

VII. PERFORMANCE EVALUATION

In this section, we use simulations to evaluate and compare the performance of the three PacketScore schemes in a stand-alone environment consisting of the 3D-R components, the respective off-line nominal profile, and the same stored nominal traffic from the WIDE project [24]. To establish a fair comparison, all simulations have the same overall internal settings (unless stated otherwise) and the same input traffic (obtained from the WIDE project), from which they generate attacking packets in exactly the same way. The simulations share the same traces, attack intensity and type (1 times, generic attack), scorebook update interval (every 5 seconds), and target maximum load $\rho_{target}$ set to 15, PPS, a value opportunistically higher than the maximum incoming load of 8,711 PPS measured in the nominal profile, yielding the acceptance of more potentially legitimate traffic as the system capacity permits. We used the Internet trace archive of the WIDE project [24] to obtain 1-minute traces for the period between 2:pm and 2:1pm, from May 31, 24 to June 3, 24, for a total of four non-overlapping periods. We also used the same set of traces used in [17], although we are not comparing these results here. We felt the newer traces better reflect today's average Internet traffic (they contained six times more traffic, on average).

A. Performance Criteria

We adopted the following four items as performance criteria for the simulations: false positive ratio, false negative ratio, score separation power, and effectiveness of the overload control. The first two are the most important. False positives represent the percentage of legitimate packets that are mistakenly discarded, while false negatives represent the percentage of attacking packets admitted. The score separation power gives us the degree of differentiation between the legitimate packet score distribution and the attack packet score distribution. Establishing a tail probability of 5%, we observed an intersection zone between these two distributions. We call the percentage of legitimate packet scores outside this zone $R_L$, and the percentage of attack packet scores outside the same zone $R_A$, as in Fig. 2 in [26]. Let $Min_L$ ($Max_A$) be the lowest (highest) score observed for the incoming legitimate (attacking) packets. Define $R_A$ ($R_L$) to be the fraction of attacking (legitimate) packets that have a score below $Min_L$ (above $Max_A$). These are the two metrics used to measure the score separation. The results should be interpreted as follows: the closer $R_L$ and $R_A$ are to 1% and to each other, the better. To check the effectiveness of both overload controls, we compare the actual output utilization $\rho_{out}$ against the target maximum utilization $\rho_{target}$ set by the schemes. Ideally, the $\rho_{out}/\rho_{target}$ ratio should be 1 or very close to 1 (either above or below).

B. Different Attack Types

Evaluations of the three schemes demonstrate their accuracy in forwarding legitimate packets when under different attacks. For the most impacting attack, the false negative rates were 2.82% (LB), 1% (CLP), and .9% (AV), when analyzing each attack individually. The following attacks are used, as in [26]:

- Generic attack: all attribute values of the attacking packets are uniformly randomized over their corresponding allowable ranges.
- TCP-SYN Flood attack.
- SQL Slammer Worm attack.
- Nominal attack: all attacking packets resemble the most dominant type of legitimate packets observed in practice, i.e., 15-byte TCP packets with server port 8 and TCP-flag set to ACK, with uniformly random source IP addresses.
- Mixed attack: equally combines the above four types of attacks while keeping the overall attack rate to 1 times that of the nominal packet rate $N$ or $\rho_{legitimate}$.
- Changing attack: similar to the Mixed attack except that the different types of attacks take turns. An attack type is randomly selected and continues for an exponentially distributed period.

The corresponding results are depicted in Table I, which presents the performance of all schemes under different types of attacks. The attack intensity on the AV-based scheme is a multiple of $\rho_{target}$, rather than $\rho_{legitimate}$. By doing this, we emphasize the better results of this scheme over the other two, as $\rho_{target}$ is almost twice $\rho_{legitimate}$ (creating more stressful attacks). The overload control provided by P/I on the LB and AV schemes provides a much better result than on the CLP scheme, with a throughput ratio of exactly 1 all the time. The CLP and LB schemes presented a very similar score separation, while AV was able to completely separate the scores virtually all the time. The false negatives are more constant on LB and AV (due to better overload control), and the false positives presented the best results at all times on AV (changing attacks every 1 seconds on average has a lower rate on CLP, but with a very high throughput rate, a situation in which AV demonstrated a much lower rate than CLP), followed by the CLP and LB schemes.

[TABLE I. CLP, LB and AV scheme results for different attack types. Columns: % false positive, % false negative, % $R_A$, % $R_L$, and $\rho_{out}/\rho_{target}$, each reported for CLP, LB and AV. Rows: Generic, SYN Flood, SQL Worm, One Attribute, Nominal, Mixed, and changing attacks every 1/3/6/3 s (Chg. 1s avg, Chg. 3s avg, Chg. 6s avg, Chg. 3s avg).]

C. Increasing Attack Intensity

Changes in attack type and intensity constitute a big challenge to any defense scheme. For PacketScore, they affect the discarding phase by invalidating $TH_d$, resulting in higher false positive rates, as Section III explains. Table II shows the results for the schemes under different attack intensities, configured either statically or dynamically (changing sequentially every 1 or 5 seconds). Table III shows the scheme performances when challenged by attacks with increasing complexity, generated by having the attack types changed while changing their intensity at random periods. The LB and AV schemes provided a better result than CLP, showing a higher resiliency under extreme attack conditions.
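The four criteria of Section VII.A, computed over constructed per-period score lists, as an added Python example rather than the authors' evaluation harness: $R_A$ and $R_L$ from $Min_L$ and $Max_A$, and the false positive ratio, false negative ratio and $\rho_{out}/\rho_{target}$ that result from applying a given $TH_d$. The score lists, the threshold of 44 and the target of 12 packets are constructed so that the two distributions overlap in an intersection zone; forwarding a packet whose score equals the threshold is this example's assumption.

```python
"""Performance criteria of Section VII.A on constructed score lists (added example)."""


def separation_power(legit_scores, attack_scores):
    """R_A: fraction of attacking packets scoring below Min_L (the lowest legitimate score);
    R_L: fraction of legitimate packets scoring above Max_A (the highest attacking score).
    Both equal 1.0 only when the two score distributions do not overlap at all."""
    min_l = min(legit_scores)
    max_a = max(attack_scores)
    r_a = sum(1 for s in attack_scores if s < min_l) / len(attack_scores)
    r_l = sum(1 for s in legit_scores if s > max_a) / len(legit_scores)
    return r_a, r_l


def discard_outcome(legit_scores, attack_scores, th_d, rho_target):
    """Apply the discarding rule (forward if score >= TH_d; ties pass by assumption) and report
    the false positive ratio (legitimate discarded), the false negative ratio (attack admitted)
    and the rho_out / rho_target ratio for the period."""
    kept_legit = sum(1 for s in legit_scores if s >= th_d)
    kept_attack = sum(1 for s in attack_scores if s >= th_d)
    false_pos = (len(legit_scores) - kept_legit) / len(legit_scores)
    false_neg = kept_attack / len(attack_scores)
    rho_out = kept_legit + kept_attack
    return false_pos, false_neg, rho_out / rho_target


# Constructed per-period scores whose distributions overlap between 42 and 58.
LEGIT = [42, 48, 55, 60, 65, 70, 75, 80, 85, 90]
ATTACK = [5, 10, 15, 20, 25, 30, 35, 45, 50, 58]


def run_example(th_d=44, rho_target=12):
    return separation_power(LEGIT, ATTACK), discard_outcome(LEGIT, ATTACK, th_d, rho_target)


if __name__ == "__main__":
    (r_a, r_l), (fp, fn, ratio) = run_example()
    print(f"R_A={r_a:.0%} R_L={r_l:.0%} false+={fp:.0%} false-={fn:.0%} rho_out/rho_target={ratio:.2f}")
```

Here $Min_L = 42$ and $Max_A = 58$, so 70% of each population lies outside the intersection zone; a threshold of 44 inside that zone discards one legitimate packet (10% false positives), admits three attacking ones (30% false negatives) and still lands exactly on the target throughput, which is why the paper reports the throughput ratio alongside, not instead of, the error ratios.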


SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

Threat Detection. Detecting Threats. The following topics describe how to configure threat detection statistics and scanning threat detection.

Threat Detection. Detecting Threats. The following topics describe how to configure threat detection statistics and scanning threat detection. The following topics describe how to configure threat detection statistics and scanning threat detection. Detecting Threats, page 1 Guidelines for, page 3 Defaults for, page 4 Configure, page 5 Monitoring,

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action

More information

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097 Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Chair for

More information

The Power of Slicing in Internet Flow Measurement

The Power of Slicing in Internet Flow Measurement The Power of Slicing in Internet Flow Measurement Ramana Rao Kompella University of California, San Diego ramana@cs.ucsd.edu Cristian Estan University of Wisconsin-Madison estan@cs.wisc.edu Abstract Network

More information

CS 5114 Network Programming Languages Data Plane. Nate Foster Cornell University Spring 2013

CS 5114 Network Programming Languages Data Plane. Nate Foster Cornell University Spring 2013 CS 5114 Network Programming Languages Data Plane http://www.flickr.com/photos/rofi/2097239111/ Nate Foster Cornell University Spring 2013 Based on lecture notes by Jennifer Rexford and Michael Freedman

More information

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016 Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds

More information

Chapter 4. Routers with Tiny Buffers: Experiments. 4.1 Testbed experiments Setup

Chapter 4. Routers with Tiny Buffers: Experiments. 4.1 Testbed experiments Setup Chapter 4 Routers with Tiny Buffers: Experiments This chapter describes two sets of experiments with tiny buffers in networks: one in a testbed and the other in a real network over the Internet2 1 backbone.

More information

Lixia Zhang M. I. T. Laboratory for Computer Science December 1985

Lixia Zhang M. I. T. Laboratory for Computer Science December 1985 Network Working Group Request for Comments: 969 David D. Clark Mark L. Lambert Lixia Zhang M. I. T. Laboratory for Computer Science December 1985 1. STATUS OF THIS MEMO This RFC suggests a proposed protocol

More information

Router s Queue Management

Router s Queue Management Router s Queue Management Manages sharing of (i) buffer space (ii) bandwidth Q1: Which packet to drop when queue is full? Q2: Which packet to send next? FIFO + Drop Tail Keep a single queue Answer to Q1:

More information

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia IP - The Internet Protocol Based on the slides of Dr. Jorg Liebeherr, University of Virginia Orientation IP (Internet Protocol) is a Network Layer Protocol. IP: The waist of the hourglass IP is the waist

More information

PERSONAL communications service (PCS) provides

PERSONAL communications service (PCS) provides 646 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 5, NO. 5, OCTOBER 1997 Dynamic Hierarchical Database Architecture for Location Management in PCS Networks Joseph S. M. Ho, Member, IEEE, and Ian F. Akyildiz,

More information

CSE398: Network Systems Design

CSE398: Network Systems Design CSE398: Network Systems Design Instructor: Dr. Liang Cheng Department of Computer Science and Engineering P.C. Rossin College of Engineering & Applied Science Lehigh University February 21, 2005 Outline

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

CS 344/444 Computer Network Fundamentals Final Exam Solutions Spring 2007

CS 344/444 Computer Network Fundamentals Final Exam Solutions Spring 2007 CS 344/444 Computer Network Fundamentals Final Exam Solutions Spring 2007 Question 344 Points 444 Points Score 1 10 10 2 10 10 3 20 20 4 20 10 5 20 20 6 20 10 7-20 Total: 100 100 Instructions: 1. Question

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 8 Configure NAT, page 12 Translating IPv6 Networks, page 40 Monitoring NAT, page 51

More information

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN

DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN ------------------- CHAPTER 4 DESIGN AND DEVELOPMENT OF MAC LAYER BASED DEFENSE ARCHITECTURE FOR ROQ ATTACKS IN WLAN In this chapter, MAC layer based defense architecture for RoQ attacks in Wireless LAN

More information

TDC DoS Protection Service Description and Special Terms

TDC DoS Protection Service Description and Special Terms TDC DoS Protection Service Description and Special Terms Table of contents 1 Purpose of this Product-Specific Appendix... 3 2 Service description... 3 2.1 Attack detection... 3 2.1.1 Managed Objects...

More information

Frame Relay. Frame Relay: characteristics

Frame Relay. Frame Relay: characteristics Frame Relay Andrea Bianco Telecommunication Network Group firstname.lastname@polito.it http://www.telematica.polito.it/ Network management and QoS provisioning - 1 Frame Relay: characteristics Packet switching

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion

More information

Applying Packet Score Technique in SDN for DDoS Attack Detection

Applying Packet Score Technique in SDN for DDoS Attack Detection of Emerging Computer trends ( inand, and-sustainable Applying Packet Score Technique in SDN for DDoS Attack Detection Sangeetha MV, Bhavithra J, II ME CSE, Department of Computer and, DrMCET, Coimbatore,

More information

ICS: An Optimized IDS Mechanism for DDoS Attacks Mitigation

ICS: An Optimized IDS Mechanism for DDoS Attacks Mitigation American Journal of Engineering Research (AJER) e-issn: 30-0847 p-issn : 30-0936 Volume-5, Issue-10, pp-175-180 www.ajer.org Research Paper Open Access ICS: An Optimized IDS Mechanism for DDoS Attacks

More information

Monitoring and Analysis

Monitoring and Analysis CHAPTER 3 Cisco Prime Network Analysis Module 5.1 has two types of dashboards: One type is the summary views found under the Monitor menu, and the other type is the over time views found under the Analyze

More information

Fuzzy Intrusion Detection

Fuzzy Intrusion Detection Fuzzy Intrusion Detection John E. Dickerson, Jukka Juslin, Ourania Koukousoula, Julie A. Dickerson Electrical and Computer Engineering Department Iowa State University Ames, IA, USA {jedicker,juslin,koukouso,julied}@iastate.edu

More information

Using DNS Service for Amplification Attack

Using DNS Service for Amplification Attack Using DNS Service for Amplification Attack Outline Use DNS service to achieve load balancing for a server cluster Carry out an amplification attack by taking advantage of DNS service Enforce firewall rules

More information

Anomaly Detection in Communication Networks

Anomaly Detection in Communication Networks Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week) 7. Denial-of-Service Attacks 7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based

More information

Routing and router security in an operator environment

Routing and router security in an operator environment DD2495 p4 2011 Routing and router security in an operator environment Olof Hagsand KTH CSC 1 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from

More information

of-service Support on the Internet

of-service Support on the Internet Quality-of of-service Support on the Internet Dept. of Computer Science, University of Rochester 2008-11-24 CSC 257/457 - Fall 2008 1 Quality of Service Support Some Internet applications (i.e. multimedia)

More information

Kent State University

Kent State University CS 4/54201 Computer Communication Network Kent State University Dept. of Computer Science www.mcs.kent.edu/~javed/class-net06f/ 1 A Course on Networking and Computer Communication LECT-11, S-2 Congestion

More information

Congestion in Data Networks. Congestion in Data Networks

Congestion in Data Networks. Congestion in Data Networks Congestion in Data Networks CS420/520 Axel Krings 1 Congestion in Data Networks What is Congestion? Congestion occurs when the number of packets being transmitted through the network approaches the packet

More information

Tree-Based Minimization of TCAM Entries for Packet Classification

Tree-Based Minimization of TCAM Entries for Packet Classification Tree-Based Minimization of TCAM Entries for Packet Classification YanSunandMinSikKim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington 99164-2752, U.S.A.

More information

Network Anomaly Detection Using Autonomous System Flow Aggregates

Network Anomaly Detection Using Autonomous System Flow Aggregates Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University

More information

Resource allocation in networks. Resource Allocation in Networks. Resource allocation

Resource allocation in networks. Resource Allocation in Networks. Resource allocation Resource allocation in networks Resource Allocation in Networks Very much like a resource allocation problem in operating systems How is it different? Resources and jobs are different Resources are buffers

More information

Before configuring standard QoS, you must have a thorough understanding of these items: Standard QoS concepts.

Before configuring standard QoS, you must have a thorough understanding of these items: Standard QoS concepts. Prerequisites for Quality of Service, on page 1 QoS Components, on page 2 QoS Terminology, on page 2 Information About QoS, on page 3 QoS Implementation, on page 4 QoS Wired Model, on page 8 Classification,

More information

Quality of Service (QoS)

Quality of Service (QoS) Quality of Service (QoS) A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you can add, modify, and delete

More information

Mohammad Hossein Manshaei 1393

Mohammad Hossein Manshaei 1393 Mohammad Hossein Manshaei manshaei@gmail.com 1393 Voice and Video over IP Slides derived from those available on the Web site of the book Computer Networking, by Kurose and Ross, PEARSON 2 Multimedia networking:

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE 1 Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE Abstract Tracing DoS attacks that employ source address spoofing

More information

Wireless Networks (CSC-7602) Lecture 8 (22 Oct. 2007) Seung-Jong Park (Jay) Fair Queueing

Wireless Networks (CSC-7602) Lecture 8 (22 Oct. 2007) Seung-Jong Park (Jay)  Fair Queueing Wireless Networks (CSC-7602) Lecture 8 (22 Oct. 2007) Seung-Jong Park (Jay) http://www.csc.lsu.edu/~sjpark Fair Queueing 2 Today Wireline Queue Drop Wireless Queue Drop 3 Types of Congestion Control Strategies

More information

Configuring QoS CHAPTER

Configuring QoS CHAPTER CHAPTER 36 This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-qos) commands or by using standard QoS commands on the Catalyst 3750 switch. With QoS, you can provide

More information

An Empirical Study of Behavioral Characteristics of Spammers: Findings and Implications

An Empirical Study of Behavioral Characteristics of Spammers: Findings and Implications An Empirical Study of Behavioral Characteristics of Spammers: Findings and Implications Zhenhai Duan, Kartik Gopalan, Xin Yuan Abstract In this paper we present a detailed study of the behavioral characteristics

More information

Fairness Example: high priority for nearby stations Optimality Efficiency overhead

Fairness Example: high priority for nearby stations Optimality Efficiency overhead Routing Requirements: Correctness Simplicity Robustness Under localized failures and overloads Stability React too slow or too fast Fairness Example: high priority for nearby stations Optimality Efficiency

More information

On the State of ECN and TCP Options on the Internet

On the State of ECN and TCP Options on the Internet On the State of ECN and TCP Options on the Internet PAM 2013, March 19, Hong Kong Mirja Kühlewind Sebastian Neuner Brian

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for

More information

CS395/495 Computer Security Project #2

CS395/495 Computer Security Project #2 CS395/495 Computer Security Project #2 Important Dates Out: 1/19/2005 Due: 2/15/2005 11:59pm Winter 2005 Project Overview Intrusion Detection System (IDS) is a common tool to detect the malicious activity

More information

Graph Structure Over Time

Graph Structure Over Time Graph Structure Over Time Observing how time alters the structure of the IEEE data set Priti Kumar Computer Science Rensselaer Polytechnic Institute Troy, NY Kumarp3@rpi.edu Abstract This paper examines

More information

Appendix B. Standards-Track TCP Evaluation

Appendix B. Standards-Track TCP Evaluation 215 Appendix B Standards-Track TCP Evaluation In this appendix, I present the results of a study of standards-track TCP error recovery and queue management mechanisms. I consider standards-track TCP error

More information

Unit 2 Packet Switching Networks - II

Unit 2 Packet Switching Networks - II Unit 2 Packet Switching Networks - II Dijkstra Algorithm: Finding shortest path Algorithm for finding shortest paths N: set of nodes for which shortest path already found Initialization: (Start with source

More information

Worm Detection, Early Warning and Response Based on Local Victim Information

Worm Detection, Early Warning and Response Based on Local Victim Information Worm Detection, Early Warning and Response Based on Local Victim Information Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley Georgia Institute of Technology ACSAC'04 1

More information

"GET /cgi-bin/purchase?itemid=109agfe111;ypcat%20passwd mail 200

GET /cgi-bin/purchase?itemid=109agfe111;ypcat%20passwd mail 200 128.111.41.15 "GET /cgi-bin/purchase? itemid=1a6f62e612&cc=mastercard" 200 128.111.43.24 "GET /cgi-bin/purchase?itemid=61d2b836c0&cc=visa" 200 128.111.48.69 "GET /cgi-bin/purchase? itemid=a625f27110&cc=mastercard"

More information