RTDCP: Real Time Detection, Classification And Prevention Of DDoS Attack
Abstract: In today's world of computer technology, DDoS (Distributed Denial of Service) attacks are a continuing critical threat to Internet security. These DDoS attacks are new in the sense that there is no completely satisfactory protection against them yet. A DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Normally there are two types of DDoS attack, i.e. application layer attacks and network layer attacks. Application layer DDoS attacks are derived from the lower layers of the TCP/IP and OSI models. Application layer DDoS attacks that use legitimate HTTP requests to overwhelm victim resources such as sockets, CPU, memory, disk and database bandwidth are harder to detect. Network layer attacks send SYN, UDP and ICMP requests to the server and exhaust its bandwidth. An anomaly detection mechanism is proposed in this paper to detect DDoS attacks using an Enhanced Support Vector Machine (ESVM) with string kernels. A novel anomaly detector based on a hidden semi-Markov model is proposed to describe the dynamics of the Access Matrix and to detect the attacks.
Keywords: Anomaly detection, DDoS, Enhanced Support Vector Machine (ESVM), string kernel.
Vivek Malik
Student, Department of Computer Engineering,
University of Pune, MMIT, Lohgaon
Pune, Maharashtra, India
Akshay Kumar
Student, Department of Computer Engineering,
University of Pune, MMIT, Lohgaon
Pune, Maharashtra, India
Manoj Pawar
Lecturer, Department of Computer Engineering,
University Of Pune, MMIT, Lohgaon,
Pune, Maharashtra, India
ISSN 2319-9725
March, 2013 www.ijirs.com Vol 2 Issue 3
International Journal of Innovative Research and Studies Page 2
1. Introduction
As technology changes day by day, new software and websites are being developed rapidly. This increases the possibility of attacks over the network. There are many different ways of securing computers against attacks, but they are not efficient. Normally firewalls, antivirus, various monitoring software, digital signatures and other hardware are used to increase security. Computer security mainly comprises confidentiality, integrity and availability of data. The major threats in security research are breach of confidentiality, failure of authenticity, and unauthorized DoS. DDoS attacks carried out at the network layer, such as ICMP flooding, SYN flooding, and UDP flooding, are called Net-DDoS attacks. The intent of this attack is to consume the network bandwidth and deny service to legitimate users of the victim system. In application layer DDoS attacks, zombies attack the victim web servers with HTTP GET requests (e.g., HTTP flooding) and by pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. On the other hand, a new special phenomenon of network traffic called a flash crowd has been noticed by researchers during the past several years.
Because burst traffic and high volume are common characteristics of both application layer DDoS attacks and flash crowds, it is not easy for current techniques to distinguish them merely by the statistical characteristics of the traffic. Therefore, application layer DDoS attacks may be stealthier and more dangerous for popular websites than general network layer DDoS attacks when they mimic (or hide in) a normal flash crowd. In this paper we monitor the behavior of users over the network with the help of ESVM with string kernels. Web user behavior is mainly influenced by the structure of the web site and the way users access web pages. Application layer DDoS attacks are considered anomalous browsing behavior, and the characteristics of web access behavior are used to construct the normal profile that is used to differentiate attack traffic from normal traffic. The browsing behavior of a web user is related to the structure of a website, which comprises a huge number of web documents and hyperlinks, and to the way the user accesses the web pages.
2. RTDCP: The Concept:
RTDCP is basically security software which provides security at the server without affecting the working of the server. In order to implement efficient detection, we use the concepts of the Hidden semi-Markov model and ESVM to distinguish normal users from attackers over the network. The Hidden semi-Markov model is used to capture the browsing behaviors of Web users, and the model is applied to implement anomaly detection for App-DDoS attacks, which are carried out by simulating the HTTP requests of normal Web users. There are a number of statistical approaches for the detection of DDoS attacks, including the use of MIB traffic variables, IP addresses and TTL (time to live) values, and TCP SYN/FIN packets for detecting SYN flood attacks. Elsewhere, statistics on packet attributes are used both for detection and for setting the filtering policy for packet dropping.
2.1 Hidden Semi-Markov: Web Browsing Behaviors
A scheme based on document popularity is introduced in this paper. An access matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal Component Analysis (PCA) and Independent Component Analysis (ICA) are applied to abstract the multidimensional access matrix. A novel anomaly detector based on the Hidden semi-Markov Model (HsMM) is proposed, high classification accuracy is achieved, and a mechanism is proposed to construct browsing behavior from the HTTP request rate and the access matrix using the Hidden semi-Markov Model.
Usually, legitimate Web browsing behavior consists of multiple requests sent during the lifetime of the access. Requests are either sent in a closed-loop fashion, i.e., the client sends a request and waits for the response before sending the next request, or they are pipelined, i.e., the client can send multiple requests without waiting for their responses and thus have more than one request outstanding with the server.
Main requests are typically dynamic and involve processing at the database tier, while embedded requests are usually static. A client request is processed as follows. First, the client's initial request for a connection is routed to a proxy server. If the proxy server has validly cached the requested objects, it responds to the client's request directly; otherwise, it parses the request's URL and routes the request to a web server. If the request is for a static web page or an image file, the server serves the requested page. If the request is for e-commerce functionality, it is served by an application script such as PHP, JSP or JavaScript.
Such requests typically consist of one or more database queries, the results of which are collated to produce the response page (dynamic requests). Each database query emanating from a dynamic request is forwarded to a database server.
2.2 ESVM Classification of Attack:
ESVM is a machine that is used to differentiate the clients on the basis of the profile generated by the Hidden semi-Markov Model. Application layer and network layer DDoS attacks such as TCP flooding, UDP flooding, ICMP flooding, Land flooding, HTTP flooding and Session flooding are generated against the web server using the traffic generation program. Information about the attack is collected, pre-processed and fed to the ESVM.
The normal profile is used by the ESVM to classify the attack traffic from normal traffic. After an attack is detected, the attackers' IPs are filtered using a filtering request. The IP address of the attacker is already present at the server. This IP address is blocked temporarily and used by the server to trace the actual geographic location.
2.2.1 Uniqueness Of The Research
ESVM with string kernels is used to classify the attack traffic from normal traffic, which shows effective results in classification, since the count of packets is used as the major parameter of detection. The phases of the classification system are:
i. Normal profile creation
ii. Attack generation
iii. Data pre-processing
iv. Attack detection
v. Attack classification system
2.2.2 Normal Profile Creation:
The behaviour of a normal user is different from that of an attacker. The parameters collected for the normal user and the attacker show distinct variations. The normal user's behavior is linear and regular, whereas the attacker's behavior is fluctuating and completely irregular. Parameters such as HTTP request rate, session rate, time spent on the page, number of TCP packets, number of UDP packets, number of ICMP packets, number of land packets, and protocol are derived from the collected traffic.
2.2.3 Attack Generation:
Application and network layer DDoS attacks are generated against the web server. Attacking scripts are created using a traffic generation tool. Six types of attacks are generated in this experiment: HTTP flooding, session flooding, TCP flooding, UDP flooding, ICMP flooding and land flooding. The HTTP packets may be HTTP-valid or HTTP-invalid packets. HTTP-valid packets are used to request inline objects such as pages and resources from the server. HTTP-invalid packets are used to flood the victim.
2.2.4 Data Pre-Processing:
Traffic to the web server consists of raw packets. After establishing the connection, the attacker requests the web page. HTTP request rate is the number of requests generated by the attacker within the time duration. Session rate is calculated as the number of sessions generated by the attacker within the time duration. Time spent on the page is calculated as the time taken by the attacker to move from one page request to the next. Number of TCP packets is the total number of TCP packets received by the server within the specified time duration.
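The pre-processing step above, written out as an added example (not code from the paper): per-client HTTP request rate, session rate, mean time on page and TCP/UDP/ICMP counts are derived from a constructed set of raw records for one time window. The record layout, the 30-second session gap and the sample IPs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of raw records seen by the server in one window:
# (client_ip, timestamp_seconds, transport_protocol, requested_path_or_None).
# 10.0.0.5 browses three pages at a human pace; 10.0.0.9 hammers one page and
# also sends UDP and ICMP packets (constructed data, not from the paper).
SAMPLE_RECORDS = [
    ("10.0.0.5", 0.0, "TCP", "/index.html"),
    ("10.0.0.5", 8.0, "TCP", "/products.php"),
    ("10.0.0.5", 21.0, "TCP", "/cart.php"),
    ("10.0.0.9", 0.0, "TCP", "/index.html"),
    ("10.0.0.9", 0.1, "TCP", "/index.html"),
    ("10.0.0.9", 0.2, "TCP", "/index.html"),
    ("10.0.0.9", 0.3, "TCP", "/index.html"),
    ("10.0.0.9", 0.4, "UDP", None),
    ("10.0.0.9", 0.5, "ICMP", None),
]

SESSION_GAP = 30.0  # idle seconds after which the next page request starts a new session (assumption)

@dataclass
class ClientFeatures:
    http_request_rate: float  # HTTP requests per second in the window
    session_rate: float       # sessions per second in the window
    mean_time_on_page: float  # mean seconds between consecutive page requests
    tcp_packets: int
    udp_packets: int
    icmp_packets: int

def extract_features(records, window_seconds):
    """Derive the paper's per-client parameters from raw records in [0, window_seconds)."""
    by_client = defaultdict(list)
    for ip, ts, proto, path in records:
        if 0.0 <= ts < window_seconds:
            by_client[ip].append((ts, proto, path))
    features = {}
    for ip, rows in by_client.items():
        rows.sort(key=lambda r: r[0])
        pages = [ts for ts, proto, path in rows if proto == "TCP" and path]
        gaps = [b - a for a, b in zip(pages, pages[1:])]
        # A gap longer than SESSION_GAP between page requests opens a new session.
        sessions = (1 + sum(1 for g in gaps if g > SESSION_GAP)) if pages else 0
        features[ip] = ClientFeatures(
            http_request_rate=len(pages) / window_seconds,
            session_rate=sessions / window_seconds,
            # A client with a single page request has no inter-page time yet.
            mean_time_on_page=sum(gaps) / len(gaps) if gaps else 0.0,
            tcp_packets=sum(1 for _, p, _ in rows if p == "TCP"),
            udp_packets=sum(1 for _, p, _ in rows if p == "UDP"),
            icmp_packets=sum(1 for _, p, _ in rows if p == "ICMP"),
        )
    return features
```

The resulting feature vectors are what the normal profile and the ESVM in the following sections consume; the flooding client shows a far higher request rate and a near-zero time on page.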
2.2.5 Attack Detection:
Two approaches are possible for selecting the icebergs, i.e., by static threshold and by adaptive threshold. In the static threshold approach, the profile includes only those attribute values which appear more frequently than a preset threshold ratio. In the adaptive threshold approach, the profile includes the most frequently appearing attribute values that together constitute a preset coverage of the traffic. The static threshold has been used to detect application and network layer DDoS attacks.
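Both iceberg selection rules, as an added example that is not the paper's own code: the static rule keeps attribute values whose share exceeds a preset ratio, the adaptive rule keeps the most frequent values until they reach a preset coverage, and a third function measures how much of an observed window falls outside the profile. The attribute (requested path) and the counts are constructed.

```python
from collections import Counter

# Constructed normal-traffic sample of one attribute (requested path) used to build
# the profile; counts chosen to show how the two threshold rules differ.
NORMAL_PATHS = (["/index.html"] * 50 + ["/products.php"] * 30 +
                ["/cart.php"] * 15 + ["/about.html"] * 4 + ["/admin.php"] * 1)

def static_threshold_profile(values, threshold_ratio):
    """Icebergs by static threshold: keep attribute values whose share of the
    traffic exceeds threshold_ratio. Returns {value: share}."""
    counts = Counter(values)
    total = sum(counts.values())
    return {v: c / total for v, c in counts.items() if c / total > threshold_ratio}

def adaptive_threshold_profile(values, coverage):
    """Icebergs by adaptive threshold: take values from most to least frequent
    until the kept values together cover `coverage` of the traffic."""
    counts = Counter(values)
    total = sum(counts.values())
    profile, covered = {}, 0
    for v, c in counts.most_common():
        if covered >= coverage * total:  # compare in counts to avoid float drift
            break
        profile[v] = c / total
        covered += c
    return profile

def outside_profile_ratio(observed, profile):
    """Fraction of observed attribute values that hit no iceberg of the normal
    profile; a flood of unseen paths drives this toward 1.0, normal browsing toward 0."""
    if not observed:
        return 0.0
    return sum(1 for v in observed if v not in profile) / len(observed)
```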
2.2.6 Attack Classification System:
ESVM classifies the attack traffic from normal traffic using kernel functions such as linear, polynomial and radial basis kernel functions and string kernels. A weight is assigned to each pattern of the training samples. High priority is given to the patterns which deviate more from the normal flow. Low priority is given to the patterns which exactly follow the normal flow.
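A string kernel over page-access sequences and the deviation-based weighting described above, as an added example (not the paper's implementation, which is not given). A p-spectrum kernel counts shared page-transition k-grams; the weight of a client's pattern is one minus its best normalized similarity to the constructed normal profile, so deviating patterns get the highest priority.

```python
from collections import Counter
from math import sqrt

def spectrum(seq, k):
    """k-spectrum of a page sequence: counts of every contiguous k-gram of pages."""
    return Counter(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1))

def string_kernel(s, t, k=2):
    """p-spectrum string kernel: inner product of the two k-gram count vectors,
    i.e. how many page-transition patterns the two sequences share."""
    cs, ct = spectrum(s, k), spectrum(t, k)
    return sum(c * ct[g] for g, c in cs.items())

def normalized_kernel(s, t, k=2):
    """Cosine-normalized kernel in [0, 1]; a sequence shorter than k has an empty
    spectrum and gets similarity 0, so it cannot be confirmed as normal."""
    denom = sqrt(string_kernel(s, s, k) * string_kernel(t, t, k))
    return string_kernel(s, t, k) / denom if denom else 0.0

# Constructed normal profile: page sequences of three legitimate sessions.
NORMAL_PROFILE = [
    ["/index", "/products", "/item", "/cart", "/checkout"],
    ["/index", "/products", "/item", "/products", "/item", "/cart"],
    ["/index", "/about", "/products", "/item"],
]

def deviation_weight(seq, profile=NORMAL_PROFILE, k=2):
    """Training weight for one client's pattern: 1 minus its best normalized
    similarity to any normal-profile sequence. Patterns that deviate most from
    normal flow get weights near 1 (high priority); exact matches get 0."""
    return 1.0 - max(normalized_kernel(seq, p, k) for p in profile)

def rank_by_deviation(clients, profile=NORMAL_PROFILE, k=2):
    """Order client ids by deviation weight, highest first."""
    return sorted(clients, key=lambda ip: deviation_weight(clients[ip], profile, k), reverse=True)
```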
3. Defence Requirements For Each Attack Phase:
If one of the attack phases in the attack process could be disabled, the DDoS attack would fail. In this section we suggest defence requirements for blocking each attack phase.
3.1 Attack Agent Development Phase Prevention:
In this phase it is very difficult to stop attackers from developing malware; it is almost impossible. However, if laws against hacking and DDoS attacks are much more strongly reinforced, attackers would not try the attack so easily.
3.2 Attack Agent Distribution Phase Prevention:
These days, attack agents are distributed via legitimate application operations such as file downloads from web sites, P2P networks, or e-mail, so this kind of activity does not appear to be a DDoS attack. The best approach is to detect the agent during its distribution. That means that while the agent is transmitted via the network, it should be detected and identified. Usually files are divided into packets and transmitted via the network. Therefore, executable files should be detected in network packets, and the fragmented pieces of the file should be gathered and reconstructed. On top of that, automated executable file analysis techniques should be developed. Currently, only PE files can be detected and reconstructed from network packets, and only under limited circumstances.
3.3 Attack Agent Control Phase Prevention:
Once the connection is established, commands are received via this connection. During this process the agent usually initiates a connection periodically; a connection that is repeatedly generated in this way can be treated as a C&C server connection. C&C server detection methods utilize this characteristic.
3.4 Attack Phase Prevention:
In order to prevent DDoS attacks effectively, all the defence techniques have to be optimized for their positions. Hence, we divide the defence position into three layers:
i. Backbone network level layer
ii. Edge network level layer
iii. Host level layer
i. Backbone Network Level Layer:
When the attack occurs, the attack traffic is transmitted via the backbone network of the target system's country. So, if the backbone network is monitored and analysed, DDoS prevention systems.
ii. Edge Network Level Layer:
The edge network is actually the last position which can block the attack traffic before the traffic gets inside the internal network. At least, all the attacks have to be prevented at this position or we can't avoid the damage. For that, application behavior analysis is very important. Here, behavior means the application's service request behavior. In behavior analysis, performance is a very important factor, because if a very high amount of network traffic occurs, software-based analysis methods cannot handle the situation and the analysis results can show a high rate of false negatives.
iii. Host Level Layer:
Servers can directly identify that a DDoS attack is occurring, but actually there are not many things a server can do. This is because the main goal of a server is offering a service; there are not many security functionalities for the server itself. If a lot of network traffic is getting into a server, the server will fail. Therefore, at the host level layer, DDoS defense techniques have to be optimized and minimized for the server. These days, however, server-based DDoS attack defense technology is being researched.
4. Conclusions:
Through this paper, we introduce RTDCP, software which is used to monitor the network and which helps in protecting the server from DDoS attacks. The server is protected from both application layer and network layer attacks, and we suggest the defense requirements for each phase of the attack process, such as the attack agent development phase, attack agent distribution phase, attack phase and ager attack phase.
The DDoS attacks are successfully generated and detected by the proposed real time anomaly detection system designed using ESVM with string kernels. In future, new variations of DDoS attacks such as port scans and DNS spoofing will be employed to keep the detection accuracy at its best.
Acknowledgment
We would like to sincerely thank Mr. Manoj R Pawar, our mentor (Lecturer, MMIT,
Lohgaon), for his support and encouragement.
References:
1. Jie Yu and Zhoujun Li, "A Detection and Offense Mechanism to Defend Against Application Layer DDoS Attacks", IEEE, 2007.
2. Yi Xie and Shun-Zheng Yu, "A Novel Model for Detecting Application Layer DDoS Attacks", IEEE, 2008.
3. Yi Xie and Shun-Zheng Yu, "A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors", IEEE/ACM Trans. on Networking, Vol. 17, No. 1, pp. 54-65, 2009.
4. J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the Source", Proceedings of ICNP 2002, pp. 312-321, Paris, France, November 2002.
5. Takeshi Yatagai, Takamasa and Iwao Sasase, "Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior", IEEE, 2007.
6. Yi Xie and Shun-Zheng Yu, "Monitoring the Application Layer DDoS Attacks for Popular Websites", IEEE/ACM Trans. on Networking, Vol. 17, No. 1, pp. 15-25, 2009.
7. Yi Xie and Shun-Zheng Yu, "A Novel Model for Detecting Application Layer DDoS Attacks", IEEE, 2006.