Detection of Syn Flooding Attacks Using Generalized Autoregressive Conditional Heteroskedasticity (GARCH) Modeling Technique


Nikhil Ranjan, Hema A. Murthy, Timothy A. Gonsalves
Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai
{ranjan, hema,

Abstract

This paper explores a fast and effective method to detect TCP SYN flooding attacks. The Generalized Autoregressive Conditional Heteroskedastic (GARCH) model, the most commonly used statistical modeling technique for financial time series, is proposed as a new technique for denial-of-service attack detection. The exponential backoff and retransmission property of TCP during timeouts is exploited in the detection mechanism. We are able to detect low- as well as high-intensity SYN flooding attacks by modeling the difference between SYN and SYN+ACK packets using GARCH. Our studies show that this non-linear volatility model performs better than earlier models such as Linear Prediction.

Index Terms: TCP SYN flooding, GARCH, Heteroskedasticity.

I. INTRODUCTION

The Internet was designed to move packets from source to destination as fast as possible, irrespective of whether the receiver actually wants those packets. This is at the heart of denial-of-service (DoS) attacks. Any act that denies legitimate use of a service can be classified as a Denial of Service (DoS) attack [1]. These active attacks continue to be prevalent in the Internet today, in spite of significant advances in network management and security. The CSI/FBI Computer Crime and Security Survey of 2004 revealed that denial of service was one of the major sources of financial loss due to cybercrime during that year [2]. Most of the attacks use TCP, among which TCP SYN flooding is quite popular [3]. TCP SYN flooding is a denial-of-service attack. In order to exchange data using TCP, hosts must establish a connection. TCP establishes a new connection using the 3-way handshake shown in Figure 1.
A TCP connection is initiated by a client issuing a request to a server with the SYN flag on in the TCP header. Normally the server will issue a SYN/ACK back to the client. The client will then send an ACK to the server and data transfer can commence. The attacker sends a few hundred SYN requests to the target TCP port with the source IP address spoofed to be that of another host (currently unreachable from the target). The target responds with SYN/ACKs to what it believes is the source of the incoming SYNs. If the final ACK does not reach the server, the connection will remain half-open until the associated timer expires (which is usually 75 seconds). Since the memory allocated for maintaining half-open connections is finite, there is a limit to the maximum number of half-open connections. When this maximum count is exceeded the server starts dropping SYN requests, whether legitimate or not. The target port is flooded. This is how the TCP SYN flood attack works.

[Fig. 1. TCP three-way handshake]

[Fig. 2. TCP SYN flood attack: an attacker with a spoofed IP sends SYNs, the server's SYN+ACKs are lost, and the server (LISTEN, SYN-RECEIVED) accumulates half-open connections until it aborts them]

A consequence of the SYN flooding attack is that a service can be brought down by flooding the server with a few tens of SYN requests per second. It is therefore important to detect these attacks as early as possible so as to bring the halted services back to normal. As most e-commerce depends heavily on TCP-based applications, the severity of the problem increases. Earlier work by Divakaran et al. [4] used Linear Prediction to model network traffic, but LP used in this context cannot model long-tailed distributions well. We therefore propose the use of GARCH, which is a more appropriate model as it can model the long-tailed distribution of network traffic better [5]. Because of the exponential backoff and retransmission properties of TCP, we find a unique pattern at the time of attack based on the difference between the number of SYN and SYN+ACK packets with respect to a network. We use our model to detect such patterns and hence the attacks. The proposed system is stateless and fast, and detects low-intensity attacks well. Any change in the network traffic pattern can be detected well by GARCH analysis, and in most cases better than by LP.

The rest of the paper is organized as follows. Section II discusses related work. Parameters used for modeling and the issues of detection are discussed in Section III. Section IV details detection using GARCH analysis and the proposed algorithm. Performance evaluation and a comparison between the GARCH and LP detection mechanisms are discussed in Section V. Finally, concluding remarks are drawn in Section VI.

II. RELATED WORK

There are mechanisms available to defend a server or network from SYN flooding attacks. SYN cookies [6] and SYN cache [7] defense mechanisms are limited to the victim server side. SYN cookies cannot encode all the TCP options from the initial SYN into the cookie, and thus break TCP semantics. SYN kill [8] and SYN Defender [9] are installed at firewalls, but they too tend to slow down connections even in the absence of attacks. All these mechanisms are stateful, which tends to degrade TCP performance. A stateless approach is always a better alternative. Earlier works also used stateless detection techniques. A CUSUM-type algorithm [10] monitored the number of SYN packets over a given interval to check whether it had crossed a particular threshold. But the method is not scalable to large network scenarios where the number of connection requests may increase abruptly.
A different parameter, namely the difference between SYN and FIN packets, was used in [11] to detect attacks, but the system can easily be defeated by sending an equal number of FIN packets. A better parameter, which can be very effective in detecting the attacks, is the difference between SYN and SYN+ACK. This is called the number of half-open counts [4]. Work done by Divakaran et al. [4] used Linear Prediction to model network data (the number of half-open counts, to be more precise) to detect SYN flood attacks. It is well known that network traffic is bursty in nature, and Linear Prediction used in this context cannot model long-tailed distributions well. We therefore propose the use of GARCH, which is a more appropriate model as it can model long-tailed distributions well, since it models the volatility of the network traffic [5].

III. MODELING PARAMETER

One of the better parameters for detection of SYN flood attacks is the difference between SYN and SYN+ACK packets. Unlike other parameters, this parameter shows a unique pattern during attacks whether the network is small or very large. Under a normal scenario, the difference between the number of SYNs and SYN+ACKs is very small compared to the total number of SYNs (TCP connection requests). The difference increases at the time of a SYN attack. Fig. 3 below shows the difference between SYNs and SYN+ACKs per time slot for normal as well as attack scenarios. Each time slot corresponds to 0.5 second.

[Fig. 3. Number of half-open counts per time slot (x-axis: time slot; y-axis: number of half-open counts)]

Network traffic traces were collected from the TeNeT network [12] for performing experiments. Only those packets with the SYN flag on (either SYN or SYN+ACK) were captured. The abnormal traffic was generated with different flooding rates starting with 15 SYNs per second. The duration of a time slot is chosen as 0.5 sec. For each time slot the number of half-open counts is computed. Since the attack data is simulated, it can be labeled, that is, the exact time at which the attacks happen is known a priori.
Hence the values in the data sets constitute the number of half-open counts for consecutive 0.5 sec intervals. We call these values the signal values s_i for the i-th interval. A signal value can be normal or anomalous depending on whether it was computed during a normal traffic scenario or during an attack.

IV. GARCH MODEL

A. Motivation

The predictive property of network traffic plays an important role in many domains. Some examples include adaptive applications like network management systems and congestion control. The goodness of a traffic prediction model depends mostly on how well it can capture important traffic characteristics like short- and long-range dependence. Owing to the similarity between financial time series and network data, time series models used in the financial domain find applicability in network traffic modeling. It has already been shown that network traffic data exhibits a high degree of long-range dependence (LRD) [13]. Previous works mostly focused on the use of linear time series models, e.g. Auto Regressive (AR) and Auto Regressive Integrated Moving Average (ARIMA) [14] [15], but these fail to capture long-range dependence.

There are various reasons to use GARCH as our modeling technique. While the ACF (autocorrelation function) of the observed data set exhibits little correlation, the ACF of the squared data set still indicates significant correlation and persistence in the second-order moments.

[Fig. 4. ACF of the data set and ACF of the squared data set (x-axis: lag; y-axis: sample autocorrelation)]

Engle's ARCH test [16] on the data sets also shows significant evidence in support of GARCH effects (i.e. heteroskedasticity). Computing the Hurst exponent [17] on the data sets gave values greater than 0.5, strongly suggesting the presence of long-range dependence. There are component GARCH models that do capture long-range dependence [18], but we will not go into details here. The whole idea is to see how GARCH is able to react to changes in the variance of the traffic characteristics. Such a model thus holds promise for modeling the dynamics of network traffic better.

B. Introduction to the GARCH Model

GARCH stands for generalized autoregressive conditional heteroskedasticity. Heteroskedasticity can be interpreted as time-varying variance (volatility). Conditional implies a dependence on the observations of the immediate past, and autoregressive describes a feedback mechanism that incorporates past observations into the present. GARCH is a time-series technique that can be used to model the serial dependence of volatility [19]. It is a mechanism that includes past variances in the explanation of future variances.

C. Basic Modeling Technique

Most models for financial returns are of the form

$$X_t = \sigma_t Z_t \quad (1)$$

where $Z_t$ is a sequence of i.i.d. symmetric random variables, and $\sigma_t$ is a non-negative stochastic process such that $Z_t$ and $\sigma_t$ are independent for fixed $t$ [16]. There is strong empirical support for stochastic volatility in financial time series, and the presence of stochastic volatility implies that returns are not necessarily independent over time.
The standard assumption for the noise $Z_t$ is that $Z_t$ is i.i.d. $N(0,1)$, with $Z_t$ independent of the standard deviation process $\sigma_t$. In most linear time series models one often assumes that the volatility is constant over time. Volatility is a central part of most asset pricing models. However, it is well known that financial time series exhibit time-varying volatility. In 1982, Engle [20] proposed the following model for $\sigma_t$:

$$\sigma_t^2 = \alpha_0 + \sum_{i=1}^{P} \alpha_i X_{t-i}^2 \quad (2)$$

This model is called the AutoRegressive Conditional Heteroskedasticity (ARCH) process, where the autoregressive property in principle means that old events leave waves behind for a certain time after the actual time of the action [16]. The process depends on its past. The term conditional heteroskedasticity means that the variance (conditional on the available information) varies and depends on old values of the process. One can liken this to the process having a short-term memory, with the behavior of the process influenced by this memory. However, since it can be expected that $\sigma_t^2$ is a time-changing weighted average of past squared observations, it is quite natural to define $\sigma_t^2$ not only as a weighted average of past $X_t^2$ values but also of past $\sigma_t^2$ values. Empirical evidence shows that a high ARCH order has to be selected in order to capture the dynamics of the conditional variance. This leads to the Generalized ARCH model (GARCH) introduced in 1986 by Bollerslev [19]. The volatility process is

$$\sigma_t^2 = \alpha_0 + \sum_{i=1}^{P} \alpha_i X_{t-i}^2 + \sum_{j=1}^{Q} \beta_j \sigma_{t-j}^2 \quad (3)$$

where the $\alpha_i$ and the $\beta_j$ are non-negative parameters [20]. Hence we can say that the GARCH(P,Q) model takes into account the volatility clustering and long-tailed behavior of financial time series and produces accurate forecasts of the conditional variance of the series. In this specific case of GARCH modeling, the conditional variance is a linear function of past squared innovations and earlier calculated conditional variances, as shown in equation (3).
D. Choosing the Order of the Model

We model the network traffic data using GARCH(1,1). We used the relative values of the Akaike information criterion (AIC) and Bayesian information criterion (BIC) statistics [16] as guides in the model selection process and found that GARCH(1,1) fits better than any other order. Instead of computing the GARCH coefficients just once for the entire data set, they are computed for each of the (possibly) overlapping frames in the data set. Initially, a data set is divided into frames of N samples or signal values. Adjacent frames are separated by M samples, and the frames overlap depending on the value of M. Here adjacent frames overlap by N-1 samples. The frame size chosen here is N=15. As GARCH is a volatility model, it is always better to compute the coefficients with more than 1 data points to get accurate results and overcome convergence issues. The algorithm to compute the GARCH coefficients is explained in [21]. After the coefficients are computed, we can predict the future volatility of the series [21]. The error between the actual realized volatility $\sigma_t$ and the predicted volatility $PV_t$ is given by

$$e_t = (\sigma_t - PV_t)/\sigma_t \quad (4)$$

where the realized volatility is given by

$$\sigma_t^2 = (x_t - \bar{X})^2 \quad (5)$$

with $x_t$ the series value at time $t$ and $\bar{X}$ the historical mean taken over a long period. The comparison of error values for different orders of GARCH(P,Q) on the data set is tabulated below. The values clearly suggest that GARCH(1,1) works better.

TABLE I. COMPARING PREDICTION ERROR (columns: Framesize, P=1,Q=1, P=2,Q=1, P=1,Q=2, P=2,Q=)

The following plot is one such snapshot showing how the prediction error changes as we proceed from normal to anomalous frames in the case of GARCH(1,1).

[Fig. 5. Prediction error for signal values (x-axis: frame number; y-axis: error value)]

E. Comparing Error Values with Linear Prediction

When we compared the prediction error values of GARCH(1,1) with those of Linear Prediction of order 3 for the same data sets, keeping the same frame size, we observed that the error values using GARCH(1,1) are lower than those of LP. The following table shows the mean error values using the GARCH(1,1) and LP models, computed over 1 simulated attacks of each rate. Looking at the table, we can clearly conclude that GARCH(1,1) fits the data well and shows lower prediction errors than LP.

TABLE II. MEAN PREDICTION ERROR (columns: # of SYN/sec, GARCH(1,1) mean(error), LP mean(error))

F. Detection Algorithm

The detection algorithm performs time series analysis of the traffic to detect any SYN flooding attack. The data set contains signal values s_i, each corresponding to the half-open count for the i-th time slot. The data set is divided into overlapping frames.
The steps are as follows.

1) Define a threshold α on the error value using normal frames.
2) For each frame, compute the GARCH(1,1) coefficients and predict the next period's variance.
3) Calculate the average error of three consecutive frames and check whether it crosses the threshold α.
4) Advance the frame by one signal value and repeat the above steps.
5) If the average error value increases beyond the threshold, raise an alarm signifying the attack.
6) Recompute the coefficients and error values using normal frames and start afresh.

The last step makes sure that anomalous frames are not chosen for error computation. We also average the error value over three consecutive frames to be reasonably sure that an attack has actually occurred.

V. EVALUATION

We collected traces of normal traffic from the TeNeT network to evaluate our proposed detection mechanism. The abnormal traffic was generated with different attack rates starting from 15 SYN/sec. The data sets contain the signal values, i.e. the number of half-open counts for consecutive polling intervals of 0.5 seconds. The data sets are divided into overlapping frames of size 15. The GARCH(1,1) and Linear Prediction techniques are applied in turn to the data sets to see which performs better, and when.

A. Results

Using normal frames we had already set the threshold limits on the error values for both models. We use different thresholds for GARCH(1,1) and LP since their error values show a remarkable difference for normal traffic. Say we use α for GARCH(1,1) and β for LP. Using these thresholds we detect the attacks with the algorithm discussed above, using the GARCH(1,1) and LP modeling techniques. About 1 attacks pertaining to each rate were simulated. Tables III and IV show the detection delays using the GARCH(1,1) and LP techniques respectively.

B. Analysis

Observing Tables III and IV reveals a few important facts. GARCH(1,1) performs better than Linear Prediction

when the rate of flooding is relatively small. As the rate of flooding increases, the performance of both models is almost the same. In a real-world scenario it is important to detect low-intensity flooding attacks as quickly as possible, because high-intensity attacks are not very hard to detect. GARCH(1,1) proves better at detecting attacks under 3 SYN/sec more quickly than LP. This is mainly because GARCH(1,1) is able to fit the data better than LP, which is evident from the lower error values in the former case, as already depicted in Table II. Hence we can say that GARCH(1,1) is able to react to changes in the variance of network traffic better.

TABLE III. DETECTION DELAY IN SECONDS USING GARCH(1,1) (columns: # of SYN/sec, Best, Average, Worst, False Positive %)

TABLE IV. DETECTION DELAY IN SECONDS USING LP (columns: # of SYN/sec, Best, Average, Worst, False Positive %)

C. Comparison with Snort

Snort is an open-source network intrusion prevention and detection system [22]. To detect SYN flooding attacks we have to manually add static rules that set threshold values on the number of half-open counts. Whenever the count exceeds the threshold it raises an alert. The proposed detection system takes into account the statistics of the current traffic and sets thresholds dynamically, so the rate of false alarms is relatively low. It was relatively difficult to set dynamic rules in earlier Snort versions. Snort 2.6 and later versions have the ability to add preprocessors and rules as dynamically loadable modules, but this concept is in the development phase. Many organisations have continued to rely upon traditional Snort rules. The ultimate aim is to integrate the proposed detection system with Snort so that we can take advantage of both detection systems.

VI. CONCLUSION

Time series modeling has an important role to play in the performance evaluation of computer networks.
As an example, we motivate the use of GARCH for the detection of TCP SYN flooding attacks. This work has highlighted some important results. First, GARCH(1,1) prediction can be used to analyze network traffic. Even though ARCH/GARCH modeling techniques are mostly used in financial time series, they can be used to analyze network time series data to good effect. GARCH models fit network traffic data better than LP, which supports the conclusion that network data is somewhat heteroskedastic in nature. Hence, with the GARCH(1,1) technique we can detect low-intensity SYN flooding attacks more promptly than with LP. Even though this paper has focused on the TCP SYN flooding attack, a similar method can be used to detect other DoS attacks such as RESET attacks, ACK flooding, ICMP flooding, etc. Choosing appropriate parameters, this approach should be able to detect other TCP-based DoS attacks better than many other linear time series models.

REFERENCES

[1] Computer Emergency Response Team, CERT Coordination Center, Denial of Service Attacks. [Online]. Available: http: // tips/denial of service.html
[2] CSI/FBI Computer Crime and Security Survey. [Online]. Available: area/pdfs/fbi/fbi24.pdf
[3] D. Moore, G. M. Voelker, and S. Savage, Inferring Internet denial-of-service activity.
[4] D. M. Divakaran, H. A. Murthy, and T. A. Gonsalves, Detection of SYN flooding attacks using linear prediction analysis, 14th IEEE International Conference on Networks, pp. 1-6, September 2006.
[5] B. Zhou, D. He, and Z. Sun, Traffic predictability based on ARIMA/GARCH model, 2006. [Online]. Available: all.jsp?arnumber=
[6] SYN Cookies. [Online]. Available:
[7] J. Lemon, Resisting SYN flood DoS attacks with a SYN cache, in BSDCon 2002, Feb 2002.
[8] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, Analysis of a denial of service attack on TCP, in Proceedings of the 1997 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, May 1997.
[9] TCP SYN Flooding Attack and the Firewall-1 SYNDefender. [Online]. Available:
[10] S. V. A and P. F, Application of anomaly detection algorithms for detecting SYN flooding attacks, in IEEE GLOBECOM 2004, no. 4.
[11] H. Wang, D. Zhang, and K. G. Shin, Detecting SYN flooding attacks, in INFOCOM 2002, Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE.
[12] The Telecommunications and Computer Networking Group, Indian Institute of Technology. [Online]. Available:
[13] W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, On the self-similar nature of Ethernet traffic (extended version), IEEE/ACM Transactions on Networking, no. 1.
[14] A. Sang and S. Li, A predictability analysis of network traffic, no. 39, 2002.
[15] A. Adas, Traffic models in broadband networks, IEEE Communications Magazine, no. 7.
[16] GARCH Toolbox. [Online]. Available: DOCSERVER/raw/garch.pdf
[17] B. Qian and K. Rasheed, Hurst exponent and financial market predictability, in IASTED Conference on Financial Engineering and Applications (FEA 2004), 2004.
[18] J. M. Maheu, Can GARCH models capture the long-range dependence in financial market volatility? University of Toronto, Dept. of Economics, Tech. Rep.
[19] T. Bollerslev, Generalized autoregressive conditional heteroskedasticity, Journal of Econometrics, vol. 31, 1986.
[20] R. Engle, GARCH 101: The use of ARCH/GARCH models in applied econometrics, The Journal of Economic Perspectives, no. 4.
[21] G. Kirchgässner and J. Wolters, Introduction to Modern Time Series Analysis, Springer, 2007.
[22] Snort. [Online]. Available:
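The following is an added example, not code from the authors, that puts the Section III parameter (half-open count per 0.5 s slot from SYN and SYN+ACK packets) and the Section IV-F framed GARCH(1,1) detector together on a constructed signal. It assumes a grid-search quasi-maximum-likelihood fit with variance targeting in place of the estimator cited from [21], takes the threshold α as the largest three-frame mean error seen on normal frames, and models the "start afresh" step by clearing the three-frame window after an alarm; the packet trace and the signal series are constructed, not captured.

```python
"""Half-open-count signal and framed GARCH(1,1) prediction-error alarm."""
import math
import random
from itertools import product

SLOT = 0.5               # seconds per time slot (the paper's polling interval)
FRAME = 15               # signal values per frame (N = 15 in the paper)
SYN, ACK = 0x02, 0x10    # TCP flag bits
GRID = [i / 20 for i in range(1, 20)]   # candidate alpha_1 / beta_1 values


def half_open_counts(packets, n_slots):
    """Signal s_i = (#SYN) - (#SYN+ACK) in slot i (Section III). packets are
    (timestamp_seconds, tcp_flags) pairs; only packets with the SYN bit set
    count: a bare SYN adds +1, a SYN+ACK adds -1."""
    counts = [0] * n_slots
    for ts, flags in packets:
        i = int(ts // SLOT)
        if i >= n_slots or not flags & SYN:
            continue
        counts[i] += -1 if flags & ACK else 1
    return counts


def garch11_variance(x, a0, a1, b1):
    """Eq. (3) with P = Q = 1: sigma_t^2 = a0 + a1*x_{t-1}^2 + b1*sigma_{t-1}^2,
    started from the frame's mean square. Returns len(x)+1 values; the last
    is the one-step-ahead variance forecast for the slot after the frame."""
    sig2 = [sum(v * v for v in x) / len(x)]
    for t in range(1, len(x) + 1):
        sig2.append(a0 + a1 * x[t - 1] ** 2 + b1 * sig2[t - 1])
    return sig2


def fit_garch11(x):
    """Quasi-maximum-likelihood GARCH(1,1) fit on one frame by grid search
    over (a1, b1), with a0 fixed by variance targeting a0 = var*(1-a1-b1).
    Assumed simplification standing in for the estimator the paper takes
    from [21]."""
    var = max(sum(v * v for v in x) / len(x), 1e-6)   # floor for flat frames
    best = None
    for a1, b1 in product(GRID, GRID):
        if a1 + b1 >= 1:                                # keep it stationary
            continue
        a0 = var * (1 - a1 - b1)
        sig2 = garch11_variance(x, a0, a1, b1)
        loglik = -0.5 * sum(math.log(s) + v * v / s for v, s in zip(x, sig2))
        if best is None or loglik > best[0]:
            best = (loglik, a0, a1, b1)
    return best[1:]


def frame_errors(signal, hist_mean):
    """e_t of eq. (4) for every frame: frame k = signal[k:k+FRAME] forecasts
    the volatility of signal[k+FRAME]; realized volatility is eq. (5)."""
    errs = []
    for k in range(len(signal) - FRAME):
        x = [v - hist_mean for v in signal[k:k + FRAME]]
        a0, a1, b1 = fit_garch11(x)
        pv = math.sqrt(garch11_variance(x, a0, a1, b1)[-1])
        realized = max(abs(signal[k + FRAME] - hist_mean), 1e-9)  # no /0
        errs.append((realized - pv) / realized)
    return errs


def detect(signal, n_normal):
    """Section IV-F: set alpha from the frames that forecast normal slots,
    then slide one value at a time and alarm when the mean error of three
    consecutive frames exceeds alpha. Assumed here: alpha is the largest
    three-frame mean seen on normal data, and the paper's 'start afresh'
    step is modelled by clearing the three-frame window after an alarm."""
    hist_mean = sum(signal[:n_normal]) / n_normal          # X-bar of eq. (5)
    errs = frame_errors(signal, hist_mean)
    n_train = n_normal - FRAME                             # normal-only frames
    alpha = max(sum(errs[k - 2:k + 1]) / 3 for k in range(2, n_train))
    alarms, window = [], []
    for k in range(n_train, len(errs)):
        window.append(errs[k])
        if len(window) < 3:
            continue
        if sum(window) / 3 > alpha:
            alarms.append(k + FRAME)          # slot at which the alarm fires
            window = []
        else:
            window.pop(0)
    return alpha, alarms


def constructed_signal(n_normal=160, n_attack=40, seed=2024):
    """Constructed half-open-count series, not a real trace: quiet normal
    slots, then a flood with about 28 more SYNs than SYN+ACKs per slot."""
    rng = random.Random(seed)
    normal = [rng.choice([0, 0, 0, 1, 1, 1, 2]) for _ in range(n_normal)]
    attack = [28 + rng.randint(-2, 3) for _ in range(n_attack)]
    return normal + attack


if __name__ == "__main__":
    sig = constructed_signal()
    alpha, alarms = detect(sig, 160)
    delay = f"{(alarms[0] - 160) * SLOT:.1f} s" if alarms else "none"
    print(f"alpha={alpha:.3f}, attack from slot 160, alarms at {alarms}, delay {delay}")
```

The prediction error is bounded above by 1 (realized volatility far above the forecast), so the first frames after the flood starts give the largest three-frame mean; as attack values fill the frame the forecast catches up and the error falls, which is why the paper's restart step matters.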


More information

Network Security. Tadayoshi Kohno

Network Security. Tadayoshi Kohno CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

Detecting Distributed Denial-of. of-service Attacks by analyzing TCP SYN packets statistically. Yuichi Ohsita Osaka University

Detecting Distributed Denial-of. of-service Attacks by analyzing TCP SYN packets statistically. Yuichi Ohsita Osaka University Detecting Distributed Denial-of of-service Attacks by analyzing TCP SYN packets statistically Yuichi Ohsita Osaka University Contents What is DDoS How to analyze packet Traffic modeling Method to detect

More information

Congestion control in TCP

Congestion control in TCP Congestion control in TCP If the transport entities on many machines send too many packets into the network too quickly, the network will become congested, with performance degraded as packets are delayed

More information

Transport Protocols & TCP TCP

Transport Protocols & TCP TCP Transport Protocols & TCP CSE 3213 Fall 2007 13 November 2007 1 TCP Services Flow control Connection establishment and termination Congestion control 2 1 TCP Services Transmission Control Protocol (RFC

More information

Conditional Volatility Estimation by. Conditional Quantile Autoregression

Conditional Volatility Estimation by. Conditional Quantile Autoregression International Journal of Mathematical Analysis Vol. 8, 2014, no. 41, 2033-2046 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.47210 Conditional Volatility Estimation by Conditional Quantile

More information

DENIAL OF SERVICE ATTACKS

DENIAL OF SERVICE ATTACKS DENIAL OF SERVICE ATTACKS Ezell Frazier EIS 4316 November 6, 2016 Contents 7.1 Denial of Service... 2 7.2 Targets of DoS attacks... 2 7.3 Purpose of flood attacks... 2 7.4 Packets used during flood attacks...

More information

Denial of Service (DoS)

Denial of Service (DoS) Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:

More information

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically IEICE TRANS. COMMUN., VOL.Exx??, NO.xx XXXX 2x 1 PAPER Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi OHSITA a), Shingo ATA b), Members, and Masayuki

More information

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence 2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da

More information

SYN Flood Attack Protection Technology White Paper

SYN Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided

More information

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Authors: Mark Handley, Vern Paxson, Christian Kreibich Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range

More information

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically

Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically IEICE TRANS. COMMUN., VOL.Exx??, NO.xx XXXX 2x 1 PAPER Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi OHSITA a), Student Member, Shingo ATA b), and Masayuki

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

MINI-PAPER A Gentle Introduction to the Analysis of Sequential Data

MINI-PAPER A Gentle Introduction to the Analysis of Sequential Data MINI-PAPER by Rong Pan, Ph.D., Assistant Professor of Industrial Engineering, Arizona State University We, applied statisticians and manufacturing engineers, often need to deal with sequential data, which

More information

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing Yuki Katsurai *, Yoshitaka Nakamura **, and Osamu Takahashi ** * Graduate School

More information

An Implementation of LoSS Detection with Second Order Statistical Model

An Implementation of LoSS Detection with Second Order Statistical Model Postgraduate Annual Research Seminar 007 (3-4 July 007) An Implementation of LoSS Detection with Second Order Statistical Model Mohd Fo ad Rohani *, Mohd Aizaini Maarof *, Ali Selamat * and Houssain ettani

More information

Detecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan.

Detecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan. Detecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan. aamir.islam@pcit.ucp.edu.pk Abstract Denial of Service (DoS) attack

More information

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team

More information

Buffer Management for Self-Similar Network Traffic

Buffer Management for Self-Similar Network Traffic Buffer Management for Self-Similar Network Traffic Faranz Amin Electrical Engineering and computer science Department Yazd University Yazd, Iran farnaz.amin@stu.yazd.ac.ir Kiarash Mizanian Electrical Engineering

More information

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms CS 4740/6740 Network Security Feb. 09, 2011 Lecturer: Ravi Sundaram I. Worms and Viruses Lecture 6: Worms, Viruses and DoS attacks 1. Worms They are self-spreading They enter mostly thru some security

More information

The aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are

The aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are The aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are important requirements for developing programs that

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for

More information

Improving TCP Performance over Wireless Networks using Loss Predictors

Improving TCP Performance over Wireless Networks using Loss Predictors Improving TCP Performance over Wireless Networks using Loss Predictors Fabio Martignon Dipartimento Elettronica e Informazione Politecnico di Milano P.zza L. Da Vinci 32, 20133 Milano Email: martignon@elet.polimi.it

More information

NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES

NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES RENATO PREIGSCHADT DE AZEVEDO, DOUGLAS CAMARGO FOSTER, RAUL CERETTA NUNES, ALICE KOZAKEVICIUS Universidade

More information

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100 You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your

More information

Network Traffic Anomaly Detection based on Ratio and Volume Analysis

Network Traffic Anomaly Detection based on Ratio and Volume Analysis 190 Network Traffic Anomaly Detection based on Ratio and Volume Analysis Hyun Joo Kim, Jung C. Na, Jong S. Jang Active Security Technology Research Team Network Security Department Information Security

More information

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBER ATTACKS EXPLAINED: PACKET SPOOFING CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service

More information

Introduction and Statement of the Problem

Introduction and Statement of the Problem Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network

More information

Intrusion Detection with CUSUM for TCP-Based DDoS

Intrusion Detection with CUSUM for TCP-Based DDoS Intrusion Detection with CUSUM for TCP-Based DDoS Fang-Yie Leu and Wei-Jie Yang Department of Computer Science and Information Engineering, Tunghai University, Taiwan leufy@thu.edu.tw Abstract. DDoS(Distributed

More information

A senior design project on network security

A senior design project on network security Michigan Technological University Digital Commons @ Michigan Tech School of Business and Economics Publications School of Business and Economics Fall 2007 A senior design project on network security Yu

More information

Mean Waiting Delay for Web Object Transfer in Wireless SCTP Environment

Mean Waiting Delay for Web Object Transfer in Wireless SCTP Environment This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 009 proceedings Mean aiting Delay for eb Object Transfer in

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

Routing Protocols in MANETs

Routing Protocols in MANETs Chapter 4 Routing Protocols in MANETs 4.1 Introduction The main aim of any Ad Hoc network routing protocol is to meet the challenges of the dynamically changing topology and establish a correct and an

More information

Denial of Service (DoS) attacks and countermeasures

Denial of Service (DoS) attacks and countermeasures Dipartimento di Informatica Università di Roma La Sapienza Denial of Service (DoS) attacks and countermeasures Definitions of DoS and DDoS attacks Denial of Service (DoS) attacks and countermeasures A

More information

Table of Contents 1 TCP Proxy Configuration 1-1

Table of Contents 1 TCP Proxy Configuration 1-1 Table of Contents 1 TCP Proxy Configuration 1-1 Overview 1-1 Introduction to SYN Flood Attack 1-1 Introduction to TCP Proxy 1-1 How TCP Proxy Works 1-2 Configuring TCP Proxy 1-3 Configuration Task List

More information

ETSF05/ETSF10 Internet Protocols Transport Layer Protocols

ETSF05/ETSF10 Internet Protocols Transport Layer Protocols ETSF05/ETSF10 Internet Protocols Transport Layer Protocols 2016 Jens Andersson Transport Layer Communication between applications Process-to-process delivery Client/server concept Local host Normally initialiser

More information

TCP and Congestion Control (Day 1) Yoshifumi Nishida Sony Computer Science Labs, Inc. Today's Lecture

TCP and Congestion Control (Day 1) Yoshifumi Nishida Sony Computer Science Labs, Inc. Today's Lecture TCP and Congestion Control (Day 1) Yoshifumi Nishida nishida@csl.sony.co.jp Sony Computer Science Labs, Inc 1 Today's Lecture Part1: TCP concept Part2: TCP detailed mechanisms Part3: Tools for TCP 2 1

More information

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Yu Gu, Andrew McCallum, Don Towsley Department of Computer Science, University of Massachusetts, Amherst, MA 01003 Abstract We develop

More information

Anomaly Detection in Cyber Physical Systems

Anomaly Detection in Cyber Physical Systems Anomaly Detection in Cyber Physical Systems Maggie Cheng Illinois Institute of Technology December 11, 2018 IEEE Big Data Conference Seattle, WA Outline Introduction Outlier Detection Sequential Change

More information

6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1

6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1 6. Transport Layer 6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1 6.1 Internet Transport Layer Architecture The

More information

RED behavior with different packet sizes

RED behavior with different packet sizes RED behavior with different packet sizes Stefaan De Cnodder, Omar Elloumi *, Kenny Pauwels Traffic and Routing Technologies project Alcatel Corporate Research Center, Francis Wellesplein, 1-18 Antwerp,

More information

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis Pradit Pitaksathienkul 1 and Pongpisit Wuttidittachotti 2 King Mongkut s University of Technology North Bangkok, Thailand 1 praditp9@gmail.com

More information

Worldwide Detection of Denial of Service (DoS) Attacks

Worldwide Detection of Denial of Service (DoS) Attacks Worldwide Detection of Denial of Service (DoS) Attacks David Moore, Geoff Voelker and Stefan Savage August 15, 2001 dmoore @ caida.org www.caida.org Outline The Backscatter Analysis Technique Observations

More information

Strengthening and Securing the TCP/IP Stack against SYN Attacks

Strengthening and Securing the TCP/IP Stack against SYN Attacks Strengthening and Securing the TCP/IP Stack against SYN Attacks A.Baes Mohamed Arab Academy for Science and Technology baithmm@hotmail.com Abstract. This paper analyzes a (DoS) Denial of Service attack

More information

SYS 6021 Linear Statistical Models

SYS 6021 Linear Statistical Models SYS 6021 Linear Statistical Models Project 2 Spam Filters Jinghe Zhang Summary The spambase data and time indexed counts of spams and hams are studied to develop accurate spam filters. Static models are

More information

Bayesian Learning Networks Approach to Cybercrime Detection

Bayesian Learning Networks Approach to Cybercrime Detection Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211

More information

Visualization of Internet Traffic Features

Visualization of Internet Traffic Features Visualization of Internet Traffic Features Jiraporn Pongsiri, Mital Parikh, Miroslova Raspopovic and Kavitha Chandra Center for Advanced Computation and Telecommunications University of Massachusetts Lowell,

More information

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion

More information

Transmission Control Protocol. ITS 413 Internet Technologies and Applications

Transmission Control Protocol. ITS 413 Internet Technologies and Applications Transmission Control Protocol ITS 413 Internet Technologies and Applications Contents Overview of TCP (Review) TCP and Congestion Control The Causes of Congestion Approaches to Congestion Control TCP Congestion

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

User Datagram Protocol (UDP):

User Datagram Protocol (UDP): SFWR 4C03: Computer Networks and Computer Security Feb 2-5 2004 Lecturer: Kartik Krishnan Lectures 13-15 User Datagram Protocol (UDP): UDP is a connectionless transport layer protocol: each output operation

More information

Performance of UMTS Radio Link Control

Performance of UMTS Radio Link Control Performance of UMTS Radio Link Control Qinqing Zhang, Hsuan-Jung Su Bell Laboratories, Lucent Technologies Holmdel, NJ 77 Abstract- The Radio Link Control (RLC) protocol in Universal Mobile Telecommunication

More information

Connection Settings. What Are Connection Settings? management connections that go to the ASA.

Connection Settings. What Are Connection Settings? management connections that go to the ASA. This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections that go to the ASA. What Are?, page 1 Configure, page 2 Monitoring Connections,

More information

DOMINO: A System to Detect Greedy Behavior in IEEE Hotspots

DOMINO: A System to Detect Greedy Behavior in IEEE Hotspots DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots By Maxim Raya, Jean-Pierre Hubaux, Imad Aad Laboratory for computer Communications and Applications(LCA) School of Computer and Communication

More information

Adaptive Mechanism for Aggregation with fragments retransmission in high-speed wireless networks

Adaptive Mechanism for Aggregation with fragments retransmission in high-speed wireless networks Int. J. Open Problems Compt. Math., Vol. 4, No. 3, September 2011 ISSN 1998-6262; Copyright ICSRS Publication, 2011 www.i-csrs.org Adaptive Mechanism for Aggregation with fragments retransmission in high-speed

More information

TCP Performance. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim

TCP Performance. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim TCP Performance EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks

More information

20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer.

20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer. 20: Networking (2) Mark Handley TCP Socket Buffers Application Application Kernel write Kernel read Socket buffer Socket buffer DMA DMA NIC TCP Acks NIC TCP Data 1 TCP Socket Buffers Send-side Socket Buffer

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering,

More information

CISCO CONTEXT-BASED ACCESS CONTROL

CISCO CONTEXT-BASED ACCESS CONTROL 51-10-41 DATA COMMUNICATIONS MANAGEMENT CISCO CONTEXT-BASED ACCESS CONTROL Gilbert Held INSIDE Operation; Intersection; The Inspect Statement; Applying the Inspection Rules; Using CBAC OVERVIEW Until 1999,

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Document ID: 98705 Contents Introduction Prerequisites Requirements Components Used Conventions

More information

Tree-Based Minimization of TCAM Entries for Packet Classification

Tree-Based Minimization of TCAM Entries for Packet Classification Tree-Based Minimization of TCAM Entries for Packet Classification YanSunandMinSikKim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington 99164-2752, U.S.A.

More information

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites Characterization and Implications of Flash Crowds and DoS attacks on websites Dixit Verma Department of Electrical & Computer Engineering Missouri University of Science and Technology dv6cb@mst.edu 9 Feb

More information

Transport Protocols and TCP

Transport Protocols and TCP Transport Protocols and TCP Functions Connection establishment and termination Breaking message into packets Error recovery ARQ Flow control Multiplexing, de-multiplexing Transport service is end to end

More information

Modelling data networks research summary and modelling tools

Modelling data networks research summary and modelling tools Modelling data networks research summary and modelling tools a 1, 3 1, 2 2, 2 b 0, 3 2, 3 u 1, 3 α 1, 6 c 0, 3 v 2, 2 β 1, 1 Richard G. Clegg (richard@richardclegg.org) December 2011 Available online at

More information