Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric

Similar documents
Multivariate Correlation Analysis based detection of DOS with Tracebacking

RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE

SIMULATION OF THE COMBINED METHOD

Flow Based DetectingDDoS Attack in Large Scale Network by Using Entropy Variation Technique

A Survey on Different IP Traceback Techniques for finding The Location of Spoofers Amruta Kokate, Prof.Pramod Patil

ABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been

A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage

MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy

A Probabilistic Packet Marking scheme with LT Code for IP Traceback

TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis

International Journal of Intellectual Advancements and Research in Engineering Computations

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

1.1 SYMPTOMS OF DDoS ATTACK:

Low-rate and High-rate Distributed DoS Attack Detection Using Partial Rank Correlation

Geographical Division Traceback for Distributed Denial of Service

IT is an extraordinary challenge to traceback the source of

A Novel Approach to Denial-of-Service Attack Detection with Tracebacking

Spoofer Location Detection Using Passive Ip Trace back

Prof. N. P. Karlekar Project Guide Dept. computer Sinhgad Institute of Technology

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014

CLASSIFICATION OF LINK BASED IDENTIFICATION RESISTANT TO DRDOS ATTACKS

INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN

A New Path for Reconstruction Based on Packet Logging & Marking Scheme

Destination Address Entropy based Detection and Traceback Approach against Distributed Denial of Service Attacks

Chapter 7. Denial of Service Attacks

Survey of Several IP Traceback Mechanisms and Path Reconstruction

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Comparative Study of IP Trace back Techniques

An Enhanced Deterministic Flow Marking Technique to Efficiently Support Detection of Network Spoofing Attacks

International Journal of Advance Research in Computer Science and Management Studies

IP traceback through (authenticated) deterministic flow marking: an empirical evaluation

Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India

Flow Control Packet Marking Scheme: to identify the sources of Distributed Denial of Service Attacks

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

On IPv6 Traceback. obaidgnetworking.khu.ac.kr,cshonggkhu.ac.kr. highlights the related works; Section 3 will give an overview

A Stateless Traceback Technique for Identifying the Origin of Attacks from a Single Packet

Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking

Distributed Denial of Service (DDoS)

A Secure Method to Deliver Access Tokens to End Hosts

PROACTIVE & DETECTION STRATEGY DESIGNING FOR DRDOS ATTACK

A Lightweight IP Traceback Mechanism on IPv6

DDOS Attack Prevention Technique in Cloud

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition

Basic Concepts in Intrusion Detection

PERFORMANCE ANALYSIS OF AODV ROUTING PROTOCOL IN MANETS

An Investigation about the Simulation of IP Traceback and Various IP Traceback Strategies

Design and Simulation Implementation of an Improved PPM Approach

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Computer Security: Principles and Practice

Denial of Service (DoS)

Multi Directional Geographical Traceback with n Directions Generalization

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2.

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Keywords MANET, DDoS, Floodingattack, Pdr.

AN UNIQUE SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK

Firecol: An Intrusion Prevention System for Minimization of DDoS attacks

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

COMPUTER NETWORK SECURITY

DENIAL OF SERVICE ATTACKS

DDoS Attacks Detection Using GA based Optimized Traffic Matrix

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

Increasing the effectiveness of packet marking schemes using wrap-around counting Bloom filter

WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE

DDoS and Traceback 1

IP Traceback Based on Chinese Remainder Theorem

A NEW IP TRACEBACK SCHEME TO AVOID LAUNCH ATTACKS

UNCOVERING OF ANONYMOUS ATTACKS BY DISCOVERING VALID PATTERNS OF NETWORK

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

Measuring Defence Systems Against Flooding Attacks

A Survey on DDoS Attack and Defense Strategies: From Traditional Schemes to Current Techniques

Enhancing Probabilistic Packet Marking by Integrating Dynamic Probability and Time to Live (TTL) Clustering

Single Packet IP Traceback in AS-level Partial Deployment Scenario

MODIFIED VERTICAL HANDOFF DECISION ALGORITHM FOR IMPROVING QOS METRICS IN HETEROGENEOUS NETWORKS

Network Attack and Defence: State-of- Art, Challenges, and Opportunities

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

An IP Traceback using Packet Logging & Marking Schemes for Path Reconstruction

Analyze and Determine the IP Spoofing Attacks Using Stackpath Identification Marking and Filtering Mechanism

Detecting IP Spoofing by Modelling History of IP Address Entry Points

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Artificial Neural Network To Detect Know And Unknown DDOS Attack

Distributed Traffic Adaptive Wavelength Routing in IP-Over- WDM networks

An Enhanced Dynamic Packet Buffer Management

IP TRACEBACK (PIT): A NOVEL PARADIGM TO CATCH THE IP SPOOFERS

EFFECTIVE INTRUSION DETECTION AND REDUCING SECURITY RISKS IN VIRTUAL NETWORKS (EDSV)

A Survey - Energy Efficient Routing Protocols in MANET

Detection Of Dos Attack Using Multivariate Correlation Analysis

PERFORMANCE ANALYSIS OF AF IN CONSIDERING LINK UTILISATION BY SIMULATION WITH DROP-TAIL

NOWADAYS, more and more critical infrastructures are

Hardware Supports for Network Traffic Anomaly Detection

Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack

Single Packet ICMP Traceback Technique using Router Interface

A Novel Packet Marking Scheme for IP Traceback

CSE Computer Security (Fall 2006)

Xiang, Yang and Zhou, Wanlei 2005, Mark-aided distributed filtering by using neural network for DDoS defense, in GLOBECOM '05 : IEEE Global

Provider-based deterministic packet marking against distributed DoS attacks

STF-DM: A Sparsely Tagged Fragmentation with Dynamic Marking an IP Traceback Approach. Online Publication

Transcription:

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering, New Horizon College of Engineering, Banglore, India) 2 (Department of Computer Science &Engineering, New Horizon College of Engineering, Banglore, India) Abstract: One of the major threats to network security is Distributed Denial of Service (DDoS) attacks. DDoS attack causes service disruptions on the victim system by sending large number of packets destined to victim. Lots of mechanisms such as packet marking and packet logging are proposed for identifying the attack sources. Entropy variation based trace back approach is better than other techniques in terms of scalability, storage space and operation overload. On the other hand, the entropy variation metric cannot differentiate legitimate flash crowd flows from DDoS attack flows since both involve sending large number of packets to the victim. To overcome this problem, in this paper, a hybrid metric of entropy variation and Sibson distance to perform the traceback process with flash crowd discrimination has been proposed. Using experiments, it has verified that the accuracy of the traceback process is improved significantly by the proposed method. Keywords: DDoS attack, Entropy, Packet marking, Flash crowd, IPv6, Sibson distance. 1. Introduction Cyber security is a major concern in the current Internet world. New threats are emerging day by day. Among them, Distributed Denial-of- Service (DDoS) attacks pose critical threats to the Internet1. DDoS attacks involve bombarding the victim networks with a high volume of attack packets originating from a large number of machines with the intention of causing service disruptions on the victim by exhausting the bandwidth or system resources. The attack takes place simultaneously from large number of systems. Identifying the attack source of is a difficult problem because of the stateless and anonymous nature of Internet. The source may be a zombie, reflector or a final link in a chain. The problem of identifying the source of offending packets is called the IP trace back problem. A number of IP trace back approaches have been suggested to identify attackers. Some of the major methods are the probabilistic packet marking (PPM), the deterministic packet marking (DPM), packet logging and entropy variation [1]. Entropy variation based trace back approach is a reactive mechanism and is better than the available PPM and DPM methods in terms of scalability, operation overload and storage space. But this method may treat legitimate flash crowd as a DDoS attack. Flash crowd is the sudden surging of packets from legitimate users. The major contributions of this work are as follows: - The proposed method can effectively distinguish flash crowds from DDoS attacks during the trace back process. - The discrimination process can be performed independently by any router. They do not need cooperation from other routers. - The proposed method introduces almost no additional traffic into the network for solving the trace back problem. - No need to create infrastructure or change the router configuration. The proposed algorithm can be integrated with the router as an additional module. - The proposed method is scalable and practical. 2. Related Work Yu et al.[2], proposed a trace back method using entropy variation. During non-attack periods, routers are required to observe and record entropy variations of local flows. Once a DDoS attack has been identified, the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers and so on until the source is identified. Baba and Matsuda.[3] presented a hop-by-hop packet logging approach for detecting DDoS attacks in IPv6 networks. The tracer or router, logs incoming packet information named, the packet feature, in a buffer memory called packet information area. It then replaces the packet s data link-level identifier with its interface www.ijlera.com 2017 IJLERA All Right Reserved 1 Page

identifier and forwards the packet. Once a DDoS attack is detected, the tracer identifies adjacent node of an attack packet by searching in the packet information area. Savage et al.[4] introduced the probabilistic packet marking scheme for IP trace back. Goodrich.[5] proposed the randomize-and-link approach to implement IP trace back based on the probabilistic packet marking mechanism. According to his method, every router X calculates a checksum value, C = C (M x ), named as cord from its unique message M x (e.g., IP address) and fragments M x into several pieces, M 0, M 1,...M i. The router then marks the packets probabilistically with b bits where b i = [i, C, M i ] fragments M x into several pieces, M 0, M 1,...M i. The router then marks the packets probabilistically with b bits where b i = [i, C, M i ]. 3. Proposed System In this paper, an entropy-based trace back system that can efficiently discriminate DDoS attack flows from legitimate flash crowd flows has proposed. The entropy metric to monitor the randomness of flows at the router was used. If there is an abnormal change of entropy, then some suspicious flows are present in the system. These flows may be DDoS attack flows or flash crowd flows. Since both DDoS and flash crowd flows involve large number of packets, the entropy metric is sensitive to both and treats both the flows as attack flows. These flows considered as suspicious flows and categorize them into DDoS attack flows and flash crowd flows. On the other hand, flash crowd flows are generated by randomly distributed users who generate packets at different rates. Hence the flow similarity among flash crowd flows will be very less. To find the flow similarity we use the information theoretic parameter, Sibson distance. The Sibson distance metric is already used for flash crowd discrimination in DDoS detection context [6]. In contrast, for our IP trace back problem, at each node on the attack path we have to perform the flash crowd discrimination and hence involving two cooperating routers for performing flash crowd discrimination at each node on the attack path is difficult to achieve and also will slow down the trace back process. But by our proposed method individual nodes can perform the discrimination process on their own without requiring any cooperating node. 3.1 System Model In the proposed system, each trace back enabled router will have three modules for performing the trace back process. The modules are flow observer, suspicious flow identifier and flow classifier as depicted in Fig.1. Fig.1. System model 3.1.1. Flow Observer The flow observer module monitors the flows that are passing through the router in time intervals of ΔT [7]. The packets that are passing through a router R during time interval ΔT are categorized into different flows. The packets that are from the same upstream router and destined to the same system are grouped into a single flow. Thus, at a router R, a flow f (u, d) is identified by the upstream router u of its packets and by the destination address d of its packets. Let n be the number of flows at router R during the time period ΔT. Let f i denotes the number of packets in a particular flow fi during time interval ΔT. The total number of packets that passed through router R during ΔT is given by f i. For the time interval ΔT, the probability of each flow f i can be calculated by using (1). Then, the entropy of i = 1 fi flows at the router R during ΔT, can be calculated using the probability values as (2). In the routers the mean and standard variation of entropy values are maintained. The difference between the current entropy value, H and the mean is calculated. We call this difference, H-M as entropy www.ijlera.com 2017 IJLERA All Right Reserved 2 Page

variation. If the entropy variation is greater than the standard deviation σ, i.e. H-M >σ then the change in the randomness of the system is abnormal. Here the standard deviation value σ is used as the threshold. If there are no such events then, H-M σ holds with higher probability. Algorithm for flow observer: n 1. Identify flows f 1, f 2, f n ; 2. During time period ΔT, for each flow f i calculate count of packets f i ; 3. After Δ T is over, calculate probability of each flow f i as follows, (1): Pi= fi n i=1 fi 4. Compute entropy of flows, i=1 (2): H = p i.logp i 5. If H- M σ, a) progress mean and standard variation of entropy as follows, k i=1 (3): M t = α i.m t-i k i=1 b) Iterate the process (4):σ t = α i.σ t-i 3.1.2. Suspicious Flow Identifier In the case of drastic change of entropy, the suspicious flow identifier is invoked to identify the flows responsible for the extensive change of entropy [8]. Let F be the set of flows at the router R during ΔT and S be the set of suspicious flows detected by the suspicious flow identifier. First the flows in F are sorted in descending order f 1, f 2 f n, then the flow with the maximum packet count, f 1 is added to the suspicious flow set S and is removed from the set of flows, F. The entropy is calculated for the flows in F and the entropy variation value is computed. If the newly computed entropy variation is still greater than the threshold σ, then the next flow with the maximum packet count is added to the suspicious flow set S and the process is repeated until the entropy variation becomes normal. On the other hand, if the entropy variation is less than the threshold, then the flows in the suspicious flow set are finalized as the flows responsible for the abnormal entropy change and are given to the flow classifier for differentiating flash crowd flows from DDoS attack flows. Algorithm for Suspicious Flow Identifier: 1. Sort the flows f1, f2, fn in descending order f1, f2 fn ; 2. For i = 1 to n, { a) Add fi to suspicious flow set S; b) Calculate H(F fi); ' c) If H(F - fi) - M > σ, then continue; ' d) Else break; } 3.1.3. Flow Classifier The flow classifier module categorizes the suspicious flows given to it as input into flash crowd flows and attack flows. Algorithm for Suspicious Classifier: 1. For each flow f i in S, { www.ijlera.com 2017 IJLERA All Right Reserved 3 Page

a) Sample the count of packets for size Lin times lotsttoobtainx 1, x 2, x L in slots t 1, t 2, t L respectively; b) Calculate probability distribution, x i k L x=1 x i for k=1,2, L } 2. For each pair of flows (f i,f j ) in S, { a) Calculate Sibson distance, D S = D[Pi(Pi+ Pj)] + D[Pj(Pi+ Pj)] } b) If D S δ, then add f i and f j to attack flow set A; 3.2 Trace back scheme Trace back requests are sent to the upstream routers of the flows classified as attack flows by the flow classifier. The upstream routers perform the same process and this scheme continues until the edge routers of the zombies are identified. Then the edge routers identify the zombies and deliver the confirmed zombies information to the victim. Thus, the trace back process is performed in a parallel and distributed manner. 4. Experimental Results To analyze the effectiveness of our proposed work, we have first evaluated the effectiveness of the metrics used in this work. We tested the stability of the entropy metric under non-attack cases. We simulated the Poisson distribution and measured the entropy for different number of flows [9]. The entropy value is computed for different number of flows and is plotted in a graph. The results are shown in the Fig.2, which infers the entropy value smoothly increases with the increase in number of flows and is stable against traffic fluctuations. Fig.2. Entropy against normal flows www.ijlera.com 2017 IJLERA All Right Reserved 4 Page

Next, efficiency of entropy metric under attack caseshas evaluated and simulation done for 100 traffic flows using Poisson distribution. Among them one is attack flow and the remaining are normal flows. The packet rates of normal flows are maintained at the same level. From Fig.3, we can see that the entropy value drops almost linearly with the increase in attack strength. Fig.3. Entropy against attack flow The efficiency of Sibson distance metric is then evaluated. Two flows are simulated with Poisson distribution and the distance between the mis measured using Sibson distance metric. FromFig.4, we can infer that the Sibson distance metric is stable and smooth for different distributions. Fig.4. Sibson distance between normal, attack and flash crowd flows 5. Conclusion In this paper, an entropy- based trace back system for distributed denial-of-service attacks that can differentiate legitimate flash crowd traffic from attack traffic by using the Sibson distance metric has been proposed. Sibson distance is used to find out the similarity between packet flows. We have analyzed the effectiveness of the proposed system using simulations and the results are discussed. By this method used in this work, flash crowd flows can be efficiently discriminated from DDoS attack flows even when both occur simultaneously in IPv6 network. The limitation of our work is that it cannot detect the low rate DDoS attacks. We encourage future works in this aspect. www.ijlera.com 2017 IJLERA All Right Reserved 5 Page

References [1]. L Feinstein, D Schnackenberg R Balupari and D Kindred, Statistical Approaches to DDoS Attack Detection and Response. In Proceedings of the DARPA Information Survivability Conference and Exposition, vol.1, IEEECS Press, 22-24 April 2003, pp. 303 314. [2]. S Yu, W Zhou, R Doss, and W Jia, Trace back of DDoS Attacks Using Entropy Variations. IEEE Trans. Parallel and Distributed Systems, vol. 22, no. 3, pp. 412-425, Mar. 2011. [3]. T Baba and s Matsuda, Tracing Network Attacks to Their Sources. IEEE Internet Computing, vol.6, no.2, pp.20-26, Mar. 2002. [4]. S Savage, D Wetherall, A Karlin, and T Anderson, Network Support for IP Trace back. IEEE/ACM Trans. Networking, vol. 9, no. 3, pp. 226-237, June 2001. [5]. MT Goodrich, Probabilistic Packet Marking for Large-Scale IP Trace back. IEEE/ACM Trans. Networking, vol.16, no.1, pp. 15-24, Feb. 2008. [6]. P. Jain, J. Jain, and Z. Gupta, Mitigation of Denial of Service (DoS) Attack. International Journal of Computational Engineering & Management (IJCEM), vol. 11, pp. 38-44, January 2011 [7]. Craig Labovitz, The Internet goes to war. Arbor Networks, Dec. 2010. [8]. S Yu, T Thapngam, J Liu, S Wei and W Zhou, Discriminating DDoS Flows from Flash Crowds Using Information Distance. in Proceedings of the 3rd IEEE International Conference on Network and System Security (NSS 09), 18-21 October 2009. [9]. A Belenky and N Ansari, IP Trace back with Deterministic Packet Marking. IEEE Comm. Letters, vol.7, no.4, pp.162-164, Apr. 2003 www.ijlera.com 2017 IJLERA All Right Reserved 6 Page

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback