DETECTION OF DDoS ATTACKS USING SOURCE IP BASED ENTROPY

Transcription

1 International Journal of Computer Science Engineering and Information Technology Research(IJCSEITR) ISSN Vol. 3, Issue 1, Mar 2013, TJPRC Pvt. Ltd. DETECTION OF DDoS ATTACKS USING SOURCE IP BASED ENTROPY JASWINDER SINGH 1, MONIKA SACHDEVA 2 & KRISHAN KUMAR 3 1 Assistant Professor at GTBKIET, Chhapianwali District, Mukatsar, Punjab, India 2 Associate Professor at SBSSTC, Ferozepur District, Ferozepur, Punjab, India 3 Associate Professor at PTU Main Campus, APIT, Kapurthla District, Jalandhar, Punjab, India ABSTRACT There are about nine hundred million people, who use internet now-a-days. They use the internet to communicate with each other and all over the world, business-men can do their work over the internet, and there is much more to it. In a nutshell, the world is highly dependent on the Internet. Therefore, the availability of internet is very critical for the socio economic growth of the society. One of the major security problems in the current Internet, is the denial-of-service (DoS) attack always attempts to stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-ofservice (DDoS) attacks cause a serious danger to Internet operation. An important method for stopping DDoS attacks is to detect attackers and handlers. Detection of DDoS attacks is a challenging problem for network security. In this paper, the proposed work aims at detecting DDoS attacks in the network using Entropy Based Anomaly Detection Algorithm. The value of entropy is calculated with respect to time and packet windows. The results indicate that during normal activity i.e. only legitimate traffic is flowing, value of entropy lies in a narrow range but in case of attack, it increases or decreases considerably. So, attack can easily be detected. KEYWORDS: DoS, DDoS, Availability, Entropy, Detection INTRODUCTION One of the major security problems in the current Internet, a denial-of-service (DoS) attack always attempts to stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks cause a serious danger to Internet operation. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on multiple compromised hosts in the network to attack the victim [13]. There are mainly two types of DDoS attacks. The first type of DDoS attacks aim of attacking the victim to force it not to serve legitimate users by exploiting software and protocol vulnerabilities. The second type of DDoS attack is based on a massive volume of attack traffic, which is known as a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with real-looking but unwanted data. As a result, legitimate packets cannot reach the victim due to a lack of bandwidth resource. DDoS attacks are comprised of packet streams from disparate sources. These attacks engage the power of a vast number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate clients. The traffic is usually difficult to distinguish legitimate packets from attack packets. The attack volume can be larger than the system can handle. A DDoS victim can suffer from damages ranging from system shutdown and file corruption, to total or partial loss of services [6]. There are no apparent characteristics of DDoS streams that could be directly used for their detection and filtering. The attacks achieve their desired effect by the sheer volume of attack packets. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are specific attacks that attempt to prevent legitimate users from accessing networks, servers, services or other resources. An important method for stopping

2 202 Jaswinder Singh, Monika Sachdeva & Krishan Kumar DDoS attacks is to detect attackers and handlers. Attack detection aims to detect DDoS attack in process of an attack and characterise to discriminate attack traffic from legitimate traffic [15]. Attack detection is responsible for identifying DDoS attacks or attack packets. The False Positive Ratio (FPR) and False Negative Ratio (FNR) can quantitatively measure the effectiveness of attack detection. False Positive Ratio is given by the number of packets classified as attack packets (positive) by a detection system that are confirmed to be normal (negative), divided by the total number of confirmed normal packets. The False Negative Ratio, on the other hand, is given by the number of packets classified as normal (negative) by a detection system that are confirmed to be attack packets (positive), divided by total number of confirmed attack packets [26]. Attack detection techniques aims to detect DDoS attacks by monitoring the behavior of the host and network. They generate profiles for normal usage by analyzing system and network behaviors under normal conditions. Once they detect an abnormal behavior, they invoke preventive mechanisms, such as filtering or rate-limiting. issues: According to [7] in order to meet the increasing need for detection and response, researchers face following major A stand-alone router on the attack path should automatically recognize that the network is under attack and adjust its traffic flow to ease the attack impact downstream. The detection and response techniques should be adaptable to a wide range of network environments, preferably without significant manual tuning. Attack detection should be as accurate as possible. False positives can lead to inappropriate responses that cause denial of service to legitimate users. False negatives result in attacks going unnoticed. Attack response should employ intelligent packet discard mechanisms to reduce the downstream impact of the flood while preserving and routing the non-attack packets. The detection method should be effective against a variety of attack tools available today and also robust against future attempts by attackers to evade detection. RELATED WORK The first well-publicized DDoS attack in the public press was in February On February 7, Yahoo! was the victim of a DDoS during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com, CNN, and ebay were all hit by DDoS attacks that caused them to either stop functioning completely or slowed them down significantly. And, on February 9, E*Trade and ZDNet both suffered DDoS attacks. Analysts estimated that during the three hours Yahoo was down, it suffered a loss of e-commerce and advertising revenue that amounted to about $500,000. According to book seller Amazon.com, its widely publicized attack resulted in a loss of $600,000 during the 10 hours it was down. During their DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went down to below 5% of normal volume and Zdnet.com and E*Trade.com were virtually unreachable. Laura Feinstein, Dan Schnackenberg, Ravindra Balupari, Darrell Kindred in 2003 [7] developed methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. Jian Yuan and Kevin Mills in 2005 [12] proposed a method for early attack detection. Using only a few observation points, proposed method can monitor the macroscopic effect of DDoS flooding attacks. George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim and Hui Zhang in 2008 [11] proposed that the time series of entropy values of the address and port

3 Detection of DDoS Attacks Using Source IP Based Entropy 203 distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. B. B. Gupta, Manoj Misra and R. C. Joshi in 2008 [9] proposed a novel framework that deals with the detection of variety of DDoS attacks by monitoring propagation of abrupt traffic changes inside ISP Domain and then characterizes flows that carry attack traffic. Two statistical metrics namely, Volume and Flow are used as parameters to detect DDoS attacks. Anusha J. in 2011 [1] proposed a scheme to find out the source of the attack with the help of entropy variation in dynamic by calculating the packet size, which shows the variation between normal and DDOS attack traffic, which is fundamentally different from commonly used packet marking techniques. EXPERIMENT SETUP Preprocessing of Datasets For conducting all the experiments firstly the environment is created using the data analysis tools for preprocessing of the real time data sets. The preprocessing of data sets is performed by using the traffic analysis tools. The tools used for traffic analysis are: Libtrace Traffic Analysis tool and CoralReef Software Suite. Experiment Methodology In order to implement the detection methodology, the environment is created by installing various required softwares i.e. CoralReef, Automake, Libpcap, Libtrace. After that in order to flow legitimate real time traffic in the environment, we have explored various NZIX datasets and finalize one for use in the experiments. These files are preprocessed with special traffic analysis tool software, called Libtrace. Libtrace is used to read compressed and heavy size files easily with their tools. Libtrace has number of tools like Traceconvert, Tracereport, Tracesummary, Tracemerge, Tracesplit etc for conversion of files from one format to another, merging and splitting of files. With the help of Libtrace, these files are preprocessed easily and converted into the required format. Then the entropy of only legitimates packets is calculated. Next in order to identify the DDoS attack we have mix the attack traffic with legitimate traffic. So, for generating the attack traffic in the network we have choose CAIDA data sets. Various CAIDA datasets are explored and one most suitable for our experiments is finalized. These files are preprocessed by using traffic analysis tool CoralReef and data is retrieved in appropriate format. Then we have mixed the attack traffic with the legitimate traffic. And again the Entropy of mixed traffic is calculated. With the help of PERL programming language, selected data is retrieved from NZIX and CAIDA trace files and used as input files to the program for computing entropy. The change in the value of the entropy indicates that there is an attack in the network. Evaluation Metric Entropy is computed in order to detect the DDoS attack in a network. Entropy can be defined as measurement of the randomness and uniformity of the IP addresses. Entropy can be calculated as: H n = ( p p i = 1 i log 2 i ) (1) Where p i is the value of probability i.e. frequency of occurrence of each unique symbol divided by total number of symbols. Source IP address based entropy can be calculated for anomaly base attack detection. Source IP address based entropy is also called 32-bit entropy. In our proposed DDoS detection method, we have computed 32-bit entropy.

4 204 Jaswinder Singh, Monika Sachdeva & Krishan Kumar DDoS Detection Methodology Our DDoS detection methodology aims at detecting DDoS attacks in the network using Entropy Based Anomaly Detection Algorithm. In order to detect the attack in the network, two different approaches are used. In the first, Entropy with respect to time window is calculated and in the second approach, the Entropy with respect to packet window is calculated. In the time window approach, entropy of the traffic is calculated with respect to equal time stamps and in the packet window approach, equal numbers of flowing packets are taken from network traffic to compute the entropy. RESULTS AND DISCUSSIONS A number of experiments are conducted in order to check whether the network is under attack or not. An anomaly based detection method is used to identify the attack in the network. The detection of DDoS attack with the variation in the value of entropy in our experiments is analysed below. Entropy w.r.t. Time Window As shown in fig. 1, x-axis represents the time in seconds and y-axis represents the entropy value with respect to time. The complete scenario is taken for 10 minutes duration means 600 seconds. Time window is taken as 1 second i.e. entropy is computed after every 1 second for only legitimate traffic flowing through the network. The value of entropy in this graph lies within the range , that means the graph represents that the value of the entropy lies in the same range throughout the experiment. There is no heavy variation in the value of entropy. It indicates that there is no attack in the network. Figure 1: Entropy of Legitimate Packets w.r.t Time To illustrate the effects of an attack on the entropy, we examined the traffic of 600 seconds excerpt from the NZIX data set with an attack traffic excerpt from CAIDA data set comprising 10% of time stamp of total duration, starting at time 300 seconds and ending at time 360 seconds. In this attack, IP source addresses are chosen at random from a uniform distribution; we will focus on source-address-based detection. Before the attack begins, source address entropy measurements fall entirely within the range During the attack, the entropy decreases by approximately 4 and reaches near about 2.0. Any maximum-entropy threshold setting between 2.1 and 3.3 would detect this attack without generating any false-positives. In figure 2, represents the scenario, in which we examined both legitimate and attack traffic flowing through the network for same duration with time stamp 2 seconds i.e. Entropy for both legitimate and attack traffic is computed after every 2 seconds. During the time from 1 second to 300 seconds, the value of entropy in this graph lies within the range and time from 300 seconds to 360 seconds, the value of entropy falls down within the range 2.3 to 3.8 and again the value of entropy again lies in narrow range 6.3 to 7.4 during the time period from 360 seconds to 600 seconds. In this scenario, 600 times entropy is computed during total duration. The values of entropy are shown in graph. It indicate that

5 Detection of DDoS Attacks Using Source IP Based Entropy 205 when the value of entropy lies between 6.1 to 7.2, then there is no attack in the network and when entropy values falls down, then there is an attack in the network. This graph represents that the attack is occurred between time periods 300 seconds to 360 seconds, during this time attack traffic is flowing through the network. Figure 2: Entropy w.r.t. Time (Time Window=2 Seconds) As shown in fig. 3, the entropy is calculated by taking time window of 5 seconds. As compare to fig. 2, line in this graph (indicates the value of entropy w.r.t. time) is thin because the value of entropy is computed after every 5 seconds. It means that entropy is computed 120 times in this scenario where as in previous scenario 300 times entropy values shown i.e. more congested, more values on same space. As a result, in fig. 3, entropy values represented as thick line. Figure 3: Entropy w.r.t. Time (Time Window=5 Seconds) In figure3 scenario shows that during attack time, the value of entropy lies in the range between 2.4 to 3.9, otherwise the value of entropy lies between ranges 7.0 to 7.6 when only legitimate traffic is flowing through the network. Entropy w.r.t. Packet Window In figure 4, x-axis represents the packet count and y-axis represents the entropy value with respect to packet. Again the scenario is taken for 600 seconds, as discussed in previous section. Figure 4: Entropy of Legitimate Traffic w.r.t. Packet Window

6 206 Jaswinder Singh, Monika Sachdeva & Krishan Kumar There are packets are flowing through the network during this time. In this scenario, entropy is computed w.r.t. packet count (no. of packets). Packet count is taken as 100 packets, so entropy is computed after every 100 packets. During this time span, times entropy is computed and shown in graph, so the graph becomes more congested and values represented with solid and thick line as compared to previous section. In this graph, the value of entropy lies between the ranges 3.0 to 6.1, when only legitimate traffic is flowing through the network. In figure 5, packet window is taken as 1000 packets i.e. entropy is computed after every 1000 packets. There are 9050 times entropy is computed and shown on graph, so the graph becomes less congested and values represented with more thin line as compared to previous figure. The value of entropy in this graph lies within the range , when normal traffic is flowing through the network and when value falls down and lies between the range , then there is an attack. Figure 5: Entropy w.r.t. Packet Count (Window Size= 1000 Packets) Similarly, in figure 6, entropy is computed after every 10,000 packets. So there are 905 times entropy is computed and shown on graph, which shows very thin line as compared to previous fig. 6. The value of entropy in this graph lies within the range , when normal traffic is flowing through the network and when value falls down and lies between the range , then there is an attack. Figure 6: Entropy w.r.t. Packet Count (Window Size= 10,000 Packets) CONCLUSIONS As objective of this paper is to propose a framework to detect the DDoS attack using real time attack traces as well as legitimate traces. After identification of different types of DDoS detection methods, Anomaly based detection method is selected. Source IP address based entropy is used to identify DDoS attack in the network. Through our experimentation we observed that:

7 Detection of DDoS Attacks Using Source IP Based Entropy 207 While a network is not under attack the value of Entropy for various packets fall in a narrow range. While the network is under DDoS attack, the value of Entropy decreases in a detectable manner due to high volume DDoS attack. REFERENCES 1. Anusha, J. (2011). Entropy Based Detection of DDOS Attacks, International Journal of Soft Computing and Engineering (IJSCE), Vol. 1, pp CAIDA Datasets, Available at: [last accessed February, 2012] 3. Carl, G., Kesidis, G., Brooks, R. R. and Rai, S. (2006). Denial-of-Service Attack- Detection Techniques, Published by the IEEE Computer Society, pp CoralReef Documentation, Available at: [last accessed April, 2012] 5. DDoS History In Brief, Available at: [last accessed January, 2010] 6. Douligeris, C. and Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-theart, ELSEVIER Journal of Computer Networks, vol.44, No.5, pp Feinstein, L., Schnackenberg, D., Balupari R. and Kindred, D. (2003). Statistical Approaches to DDoS Attack Detection and Response, Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 03), Washington, DC, USA, Vol. 1, pp Fernandez, G. M., Dıaz-Verdejo, J. E. and Garcia-Teodoro, P. (2008). Evaluation of a low-rate DoS attack against application servers, Computers & Security, Vol. 27, ISSN: , pp Gupta, B. B., Misra, M., and Joshi, R. C. (2008). An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach, Journal of Information Assurance and Security 2, pp Koutepas, G., Stamatelopoulos, F. and Maglaris, B. (2004). Distributed Management Architecture for Cooperative Detection and Reaction to DDOS Attacks, Journal of Network and Systems Management, Volume 12, Issue 1, pp Nychis, G., Sekar, V., Andersen, D. G., Kim, H. and ZhangS, H. (2008). An Empirical Evaluation of Entropybased Traffic Anomaly Detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, pp Yuan, J., and Mills, K. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks, IEEE Transactions on Dependable and Secure Computing, Vol.2, No.4, pp You, Y., (2007). A Defense Framework for Flooding-based DDoS Attacks, Master s Thesis, Queen's University Kingston, Ontario, Canada. 14. Wang, F., Wang, H., Wang, X. and Su, J. (2012). A new multistage approach to detect subtle DDoS attacks, Journal Mathematical and Computer Modelling, Volume 55, Issues 1-2, pp

8 208 Jaswinder Singh, Monika Sachdeva & Krishan Kumar 15. Sachdeva, M., Singh, G., Kumar, K., and Singh, K. (2010). Measuring Impact of DDOS Attacks on Web Services, Journal of Information Assurance and Security 5, pp Sachdeva, M., Singh, G., Kumar, K. and Singh, K. (2010). DDoS Incidents and their Impact: A Review, International Arab Journal of Information Technology, Vol. 7, No. 1, pp Sachdeva, M., Singh, G. and Kumar, K. (2011). Deployment of Distributed Defense against DDoS Attacks in ISP Domain, International Journal of Computer Applications (IJCA), Vol. 15, No.2, pp Sachdeva, M., Singh, G., Kumar, K. and Singh K. (2009). A Comprehensive Survey of Distributed DDoS Attacks, International Journal of Computer Science and Network Security, Vol. 9, No. 12, pp Peng, T., Leckie, C. and Ramamohanarao, K. (2007). Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys, Vol. 39, No. 1, Article 3, pp Peng T., Leckie C. and Ramamohanarao, K. (2003). Protection from Distributed Denial of Service Attacks Using History-Based IP filtering, In Proceedings of ICC2003, USA, pp NZIX Datasets, Available at: gz [last accessed March, 2012]. 22. Mirkovic, J., and Reiher, P. (2005). D-WARD : Source-End Defense Against Flooding DDoS Attacks, IEEE Transactions on Dependable and Secure Computing. 23. Mirkovic, J., Arikan, E., Wei, S., Fahmy, S., Thomas, R.,and Reiher, P. (2006). Benchmarks for DDoS Defense Evaluation, Proceedings of the IEEE AFCEA MILCOM, pp Mirkovic, J., Prier, G., Reiher, P. (2002). Attacking DDoS at the source, Proceedings of ICNP -2002, Paris, France, pp Libtrace Documentation, Available at: [last accessed May, 2012]. 26. Cheng, C. M., Kung, H. T. and Tan, K. S. (2002) (2002). Use of spectral analysis in defense against DoS attacks, Proceedings of IEEE GLOBECOM 2002, Taipei, Taiwan, pp AUTHOR S DETAILS Jaswinder Singh has done B.Tech. Computer Science & Engineering from Punjab Technical University Jalandhar, Punjab, India in year He has done M.Tech. Computer Science & Engineering from Punjab Technical University, Jalandhar, Punjab, India in Currently, he is an Assistant Professor in CSE Department at GTBKIET, Chhapianwali, Malout, Punjab, India. His research interests include Distributed Denial-of-Service and Design and analysis of algorithms.

9 Detection of DDoS Attacks Using Source IP Based Entropy 209 Dr. Monika Sachdeva has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT, Jalandhar in She finished her MS software systems from BITS Pilani in She finished his Ph. D. from Department of Computer Science & Engineering at Guru Nanak Dev University, Amritsar in Currently she is an Associate Professor & H.O.D. in CSE Department at SBS College of Engineering & Technology, Ferozepur, Punjab, India. Her research interests include Web Services, Distributed Denial-of-Service, and Design and Analysis of algorithms. Dr. Krishan Kumar has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT, Hamirpur in He finished his MS Software Systems from BITS Pilani in In Feb. 2008, he finished his Ph. D. from Department of Electronics & Computer Engineering at Indian Institute of Technology, Roorkee. Currently, he is an Associate Professor & H.O.D in CSE Department at PIT Punjab Technical University, Jalandhar, Punjab, India. His general research Interests are in the areas of Information Security and Computer Networks. Specific research interests include Intrusion Detection, Protection from Internet Attacks, Web performance and Network architecture/protocols.

10