Comparison of DDOS Attacks and Fast ICA Algorithms on The Basis ...

International Journal <strong>of</strong> Computer Applications in Engineering Sciences[VOL I, ISSUE III, SEPTEMBER 2011] [ISSN: 2231-4946]<strong>Comparison</strong> <strong>of</strong> <strong>DDOS</strong> <strong>Attacks</strong> <strong>and</strong> <strong>Fast</strong> <strong>ICA</strong><strong>Algorithms</strong> on The Basis <strong>of</strong> Time ComplexityD. Raghu 1 , M. Arani 2 , Ch. Raja Jacob 31,2,3 Dept <strong>of</strong> Computer Science <strong>and</strong> Engineering, Nova College <strong>of</strong> Engineering & Technology,JNTU-K, Andhra Pradesh.1 raghuau@gmail.com, 2 aarani.mantena@gmail.com, 3 rchidipi@gmail.comAbstract— In Distributed denial <strong>of</strong> service (<strong>DDOS</strong>) attack,an attacker may use your computer to attack anothercomputer by taking security weakness an attacker couldtake control <strong>of</strong> your computer. He could then force yourcomputer to send huge amounts <strong>of</strong> data to a website. Orsend spam particular email address. The “Attack” isdistributed because the attacker is using multiplecomputers including yours to enter the denial <strong>of</strong> serviceattack. DDoS attack is a continuous critical threat to theInternet. Derived from the low layers, new applicationlayer-basedDDoS attacks utilizing legitimate HTTPrequests to overwhelm victim resources are moreundetectable. The case may be more serious when suchattacks mimic or occur during the flash crowd event <strong>of</strong> apopular Website. Distributed denial <strong>of</strong> service attacks onroot name servers are several significant Internet events inwhich distributed denial-<strong>of</strong>-service attacks have targetedone or more <strong>of</strong> the thirteen Domain Name System rootname servers. The root name servers are criticalinfrastructure components <strong>of</strong> the Internet, mappingdomain names to Internet Protocol (IP) addresses <strong>and</strong>other information. <strong>Attacks</strong> against the root name serverscan impact operation <strong>of</strong> the entire Internet, rather thanspecific websites.Keywords— Application-layer, Distributed denial <strong>of</strong>service (DDoS), Flash Crowd, Name Servers, <strong>ICA</strong>algorithm.I. INTRODUCTIONDistributed denial <strong>of</strong> service (DDoS) attack has causedsevere damage to servers <strong>and</strong> will cause even greaterintimidation to the development <strong>of</strong> new Internetservices. Traditionally, DDoS attacks are carried out atthe network layer, such as ICMP flooding, SYNflooding, <strong>and</strong> UDP flooding, which are called Net-DDoS attacks in this paper. The intent <strong>of</strong> these attacks isto consume the network b<strong>and</strong>width <strong>and</strong> deny service tolegitimate users <strong>of</strong> the victim systems. Since manystudies have noticed this type <strong>of</strong> attack <strong>and</strong> haveproposed different schemes (e.g., network measure oranomaly detection) to protect the network <strong>and</strong>equipment from b<strong>and</strong>width attacks, it is not as easy as inthe past for attackers to launch the DDoS attacks basedon network layer.When the simple Net-DDoS attacks fail, attackersshift their <strong>of</strong>fensive strategies to application-layerattacks <strong>and</strong> establish a more sophisticated type <strong>of</strong> DDoSattacks. To circumvent detection, they attack the victimWeb servers by HTTP GET requests (e.g., HTTPFlooding) <strong>and</strong> pulling large image files from the victimserver in overwhelming numbers. In another instance,attackers run a massive number <strong>of</strong> queries through thevictim’s search engine or database query to bring theserver down .We call such attacks application-layerDDoS (App-DDoS) attacks. The MyDoom worm <strong>and</strong>the CyberSlam are all instances <strong>of</strong> this type attack. Onthe other h<strong>and</strong>, a new special phenomenon <strong>of</strong> networktraffic called flash crowd, has been noticed byresearchers during the past several years.On the Web, “flash crowd” refers to the situationwhen a very large number <strong>of</strong> users simultaneouslyaccess a popular Website, which produces a surge intraffic to the Website <strong>and</strong> might cause the site to bevirtually unreachable. Because burst traffic <strong>and</strong> highvolume are the common characteristics <strong>of</strong> App-DDoSattacks <strong>and</strong> flash crowds, it is not easy for currenttechniques to distinguish them merely by statisticalcharacteristics <strong>of</strong> traffic. Therefore, App-DDoS attacksmay be stealthier <strong>and</strong> more dangerous for the popularWebsites than the general Net- DDoS attacks when theymimic (or hide in) the normal flash crowd.In this paper, we meet this challenge by a novelmonitoring scheme. To the best <strong>of</strong> our knowledge, fewexisting papers focus on the detection <strong>of</strong> App-DDoSattacks during the flash crowd event. This paperintroduces a scheme to capture the spatial-temporalpatterns <strong>of</strong> a normal flash crowd event <strong>and</strong> to implementthe App-DDoS attacks detection. Since the trafficcharacteristics <strong>of</strong> low layers are not enough todistinguish the App-DDoS attacks from the normal flashcrowd event, the objective <strong>of</strong> this paper is to find aneffective method to identify whether the surge in trafficis caused by App-DDoS attackers or by normal Websurfers.Our contributions in this paper are fourfold: 1) wedefine the Access Matrix (AM) to capture spatialtemporalpatterns <strong>of</strong> normal flash crowd <strong>and</strong> to monitorApp-DDoS attacks during flash crowd event; 2) based365 | P a g e

Raghu et. al.on our previous work , we use hidden semi-Markovmodel (HsMM) to describe the dynamics <strong>of</strong> AM <strong>and</strong> toachieve a numerical <strong>and</strong> automatic detection; 3) weapply principal component analysis (PCA) <strong>and</strong>independent component analysis (<strong>ICA</strong>) to deal with themultidimensional data for HsMM; <strong>and</strong> 4) we design themonitoring architecture <strong>and</strong> validate it by a real flashcrowd traffic <strong>and</strong> three emulated App-DDoS attacks.This paper is organized as follows: Section IIExisting system. Section III describes ProposedworkSection IV presents experimental results <strong>and</strong>performance analysis. Section V presents conclusion<strong>and</strong> future scope.II.EXISTING SYSTEMFew existing papers focus on the detection <strong>of</strong> App-DDoS attacks during the flash crowdevent.Net-DDoSattacks versus stable background traffic, Net-DDoSattacks versus flash crowd (i.e., burst backgroundtraffic) are dealt the existing system. Some simple App-DDoS attacks (e.g., Flood) still can be monitored byimproving existing methods designed for Net-DDoSattacks, e.g., we can apply the HTTP request rate, HTTPsession rate, <strong>and</strong> duration <strong>of</strong> user’s access for detecting.Most existing methods used on document popularity formodeling user behavior merely focus on the averagecharacteristics (e.g., mean <strong>and</strong> variance), we use astochastic process to model the variety <strong>of</strong> the documentpopularity, in which a r<strong>and</strong>om vector is used to representthe spatial distribution <strong>of</strong> document popularity <strong>and</strong> isassumed to be changing with time Existing algorithms<strong>of</strong> HsMM will be very complex when the observation isa high-dimension vector with dependent elements in thespatial-temporal matrix <strong>of</strong> AM. In the practicalimplementation, the model is first trained by the stable<strong>and</strong> low-volume Web workload whose normality can beensured by most existing anomaly detection systems,<strong>and</strong> then it is used to monitor the following Webworkload for a period <strong>of</strong> 10 min.Stochastic pulses are very difficult to be detectedby the existing methods that are based on traffic volumeanalysis, because the average rate <strong>of</strong> the attacks is notremarkably higher than that <strong>of</strong> a normal user. In contrastto existing anomaly detection methods developed inbiosurveillance, the non stationary <strong>and</strong> the non-Markovian properties <strong>of</strong> HsMM can best describe theself-similarity or long-range dependence <strong>of</strong> networktraffic that has been proved by vast observations on theInternet.Each layer can be developed independently <strong>of</strong> theother provided that it adheres to the st<strong>and</strong>ards <strong>and</strong>communicates with the other layers as per thespecifications. Presentation Layer Business Rules Layer Data Access Layer Database/Data StoreThe intent <strong>of</strong> these attacks is to consume thenetwork b<strong>and</strong>width <strong>and</strong> deny service to legitimate users<strong>of</strong> the victim systems.A. DDoS <strong>Attacks</strong>Denial <strong>of</strong> Service (DDoS) attacks has proved to bea serious <strong>and</strong> permanent threat to users, organizations,<strong>and</strong> infrastructures <strong>of</strong> the Internet. The primary goals <strong>of</strong>these attacks are to prevent access to a particularresource like a web server. A large number <strong>of</strong> defensesagainst DoS attacks have been proposed in the literature,but none <strong>of</strong> them gives reliable protection. There willalways be vulnerable hosts in the Internet to be used forDoS purposes. In addition, it is very difficult to reliablyrecognize <strong>and</strong> filter only attack traffic without causingany collateral damage to legitimate traffic. This paperdescribes how DoS attacks can be carried out <strong>and</strong> how avictim can mitigate them in ordinary IP networks.Especially wireless ad hoc networks have theiradditional vulnerabilities, but these kind <strong>of</strong> wirelessnetworks are not the subject <strong>of</strong> this paper. A DoS attackcan be carried out either as a flooding or a logic attack.A flooding DoS attack is based on brute force. Reallookingbut unnecessary data is sent as much as possibleto a victim. As a result, network b<strong>and</strong>width is wasted,disk space is filled with unnecessary data (e.g., spam E-mail, junk ftp data, intentional error messages), fixedsize data structures inside host s<strong>of</strong>tware are filled withbogus information, or processing power is spent forunusual purposes. To amplify the effects, DoS attackscan be run in a coordinated fashion from several sourcesat the same time (DDoS). A logic DoS attack is based onan intelligent exploitation <strong>of</strong> vulnerabilities in the target.For example, a skillfully constructed fragmented IPdatagram may crash a system due to a serious fault inthe operating system (OS) s<strong>of</strong>tware. Another example <strong>of</strong>a logic attack is to exploit missing authenticationrequirements by injecting bogus routing information toprevent traffic from reaching the victim’s network.There are two major reasons making DoS attacksattractive for attackers. The first reason is that there areeffective automatic tools available for attacking anyvictim, i.e., expertise is not necessarily required. Thesecond reason is that it is usually impossible to locate anattacker without extensive human interaction or withoutnew features in most routers <strong>of</strong> the Internet [1].Thispaper gives a short tutorial on DoS attack mechanismsin IP networks <strong>and</strong> some important defenses proposed inthe literature. The emphasis <strong>of</strong> this paper is on DoSattacks in general, <strong>and</strong> DDoS attacks are treated as asubset <strong>of</strong> DoS attacks. DDoS attacks are based on thesame mechanisms as basic DoS attacks, but there is one366 | P a g e

<strong>Comparison</strong> <strong>of</strong> <strong>DDOS</strong> <strong>Attacks</strong> <strong>and</strong> <strong>Fast</strong> <strong>ICA</strong> <strong>Algorithms</strong> on The Basis <strong>of</strong> Time Complexityexception during the deployment phase. A DDoS toolneeds to be installed on many vulnerable hosts. Thespreading mechanisms for DDoS tools are described in aseparate section. The installation <strong>of</strong> DoS s<strong>of</strong>tware on asingle vulnerable host is, however, a commonprerequisite for most DoS attacks. Thus defensesdescribed in this paper are applicable to both DoS <strong>and</strong>DDoS attacks. The set <strong>of</strong> defenses described in thispaper is definitely not exhaustive, but it gives a goodoverview <strong>of</strong> the different possibilities in combating DoSattacks. It is claimed in this paper that a comprehensiveset <strong>of</strong> defenses are needed to get defense in depthagainst DoS attacks. It is important to have defenses forboth the deployment <strong>and</strong> the attack phase. The earlierthe preparation or actual use <strong>of</strong> a Do Stool is detected,the better the chances are for mitigating an attack. Theselection <strong>of</strong> a cost-effective set <strong>of</strong> defenses must,however, include many business aspects. The mostimportant assets <strong>of</strong> an organization must be protectedwith a finite amount <strong>of</strong> money. The selection <strong>and</strong>implementation <strong>of</strong> different defenses should be guidedby a risk management process. This paper is organizedas follows. First the basic terminology is explained.III. PROPOSED WORKA.1FAST <strong>ICA</strong><strong>ICA</strong> is a statistical signal processing technique. Incontrast to the PCA which is sensitive to high-orderrelationships, the basic idea <strong>of</strong> <strong>ICA</strong> is to represent a set<strong>of</strong> r<strong>and</strong>om variables using basis function, where thecomponents are statistically independent <strong>and</strong> as non-Gaussian as possible:The <strong>ICA</strong> task is briefly described as follows. Giventhe set <strong>of</strong> input samples X= , where T is thenumber <strong>of</strong> samples, <strong>and</strong> = is the N-dimensional observed vector at the t th time unit. Theobserved vector is assumed to be generated by alinear combination <strong>of</strong> statistically independent <strong>and</strong>stationary components (sources), i.e.,= R , t=1,…,T (1)Where = is the N-dimensionalstatistically independent signal vector at t th time unit <strong>and</strong>R is the N N mixing matrix. Corresponding to thesample dataset X, the source data set can be denoted asY= = . The issue is how todetermine the N N invertible de-mixing matrix W =so as to recover the components <strong>of</strong> by exploitinginformation hidden in , i.e., to determine W such thatcomponents y 1t ...y Nt <strong>of</strong> the transformed vector= W (2)are mutually independent. We denote W by itscomponents or vectors as W= , where isthe transpose vector <strong>of</strong> the i th row <strong>of</strong> W with constraintE =1.If some abnormities hiding in the incoming Webtraffic are found, the “defense” system will beimplemented. For example, we can cluster the Websurfers <strong>and</strong> evaluate their contributions to the anomaliesin the aggregate Web traffic. Then, different prioritiesare given to the clusters according to their abnormalities<strong>and</strong> serve them in different priority queues. The mostabnormal traffic may be filtered when the network isheavy loaded. We implement the algorithm in the NS2simulator. The network topology is generated by GT-ITM Topology Generator provide by NS2. Thesimulation includes 1000 client nodes each <strong>of</strong> whichreplays one user’s trace collected from one <strong>of</strong> thesemifinals <strong>of</strong> FIFAWorldCup98. The ratio <strong>of</strong> r<strong>and</strong>omlyselected attack nodes to whole nodes is 10%.Furthermore, we assume the attackers can interceptsome <strong>of</strong> the request segment <strong>of</strong> normal surfers <strong>and</strong>replay this segment or "hot" pages to launch the App-DDoS attacks to the victim Web server. Thus, when theattack begins, each potential attack node replays asnippet <strong>of</strong> another historical flash crowd trace. Theinterval between two consecutive attack requests isdecided by three patterns including constant rate attacks,increasing rate attacks <strong>and</strong> r<strong>and</strong>om pulsing attacks. Weuse the size <strong>of</strong> requested document to estimate thevictim node’s processing time (delay) <strong>of</strong> each request,i.e., if the Requested document is larger, thecorresponding processing time will be longer. By thisway, we simulate the victim’s resource (e.g., CPU) costby client’s requests. Fig. 1 shows our simulationscenario. The whole process lasts about 6 h. As shownin Fig. 2, the first 2 h data are used to train the model,<strong>and</strong> the remaining 4 h <strong>of</strong> data including a flash crowdevent are used for test. The emulated App-DDoS attacksare mixed with the trace chose from the period <strong>of</strong> [3.5 h,5.5 h]. Fig. 3 shows our method on how to collect theobserved sequences for detection system. The time unit<strong>of</strong> this experiment is 5 s. We group 12consecutiveobservations into one sequence, the “moving” step isone observation unit <strong>and</strong> a new sequence is formedusing the current observation <strong>and</strong> the preceding 11observations. Thus, two consecutive Sequences willhave 11 overlapped observations. We used 25consecutive sequences, which last for 36 observationsUnits or 3 min, to detect anomaly accesses.IV. EXPERIMENTAL RESULTSIn order to implement the required comparison <strong>of</strong><strong>DDOS</strong> attacks <strong>and</strong> <strong>Fast</strong> <strong>ICA</strong> algorithms comparisons367 | P a g e

Raghu et. al.Fig. 1 Line chart shows comparison <strong>of</strong> time complexityFig.3 Line chart shows comparison <strong>of</strong> space complexityFig.4 Bar chart shows comparison <strong>of</strong> space complexityFig.2 Bar chart shows comparison <strong>of</strong> time complexityV. CONCLUSION AND FUTURE WORKCreating defenses for attacks requires monitoringdynamic network activities in order to obtain timely <strong>and</strong>signification information. While most current effortfocuses on detecting Net-DDoS attacks with stablebackground traffic, we proposed a detection architecturein this paper aiming at monitoring Web traffic in orderto reveal dynamic shifts in normal burst traffic, which368 | P a g e

<strong>Comparison</strong> <strong>of</strong> <strong>DDOS</strong> <strong>Attacks</strong> <strong>and</strong> <strong>Fast</strong> <strong>ICA</strong> <strong>Algorithms</strong> on The Basis <strong>of</strong> Time Complexitymight signal onset <strong>of</strong> App-DDoS attacks during the flashcrowd event. Our method reveals early attacks merelydepending on the document popularity obtained fromthe server log.The proposed method is based on PCA, <strong>ICA</strong>, <strong>and</strong>HsMM. We conducted the experiment with differentApp-DDoS attack modes (i.e., constant rate attacks,increasing rate attacks <strong>and</strong> stochastic pulsing attack)during a flash crowd event collected from a real trace.Our simulation results show that the system couldcapture the shift <strong>of</strong> Web traffic caused by attacks underthe flash crowd <strong>and</strong> the entropy <strong>of</strong> the observed datafitting to the HsMM can be used as the measure <strong>of</strong>abnormality. In our experiments, when the detectionthreshold <strong>of</strong> entropy is set 5.3, the DR is 90% <strong>and</strong> theFPR is 1%. It also demonstrates that the proposedarchitecture is expected to be practical in monitoringApp-DDoS attacks <strong>and</strong> in triggering more dedicateddetection on victim network.REFERENCES[1] K. Poulsen, “FBI Busts Alleged DDoS Mafia,” 2004. [Online].Available:http://www.securityfocus.com/news/9411[2] “Incident Note IN-2004-01 W32/Novarg. A Virus,” CERT,2004.[Online].[3] Available: http://www.cert.org/incident_notes/ IN-2004-01.html[4] S. K<strong>and</strong>ula, D. Katabi, M. Jacob, <strong>and</strong> A. W. Berger, “Botz-4-Sale: Surviving Organized DDoS <strong>Attacks</strong> that Mimic FlashCrowds,”MIT, Tech. Rep. TR-969, 2004 [Online]. Available:http://www.usenix.org/events/nsdi05/tech/ k<strong>and</strong>ula/k<strong>and</strong>ula.pdfI. Ari, B. Hong, E. L. Miller, S. A. Br<strong>and</strong>t, <strong>and</strong> D. D. E. Long,[5] “Modeling, Analysis <strong>and</strong> Simulation <strong>of</strong> Flash Crowds on theInternet,”Storage Systems Research Center Jack Baskin School<strong>of</strong> Engineering University <strong>of</strong> California, Santa Cruz Santa Cruz,CA,[6] Tech. Rep. UCSC-CRL-03-15, Feb. 28, 2004 [Online].Available: http://ssrc.cse.ucsc.edu/, 95064[7] J. Jung, B. Krishnamurthy, <strong>and</strong> M. Rabinovich, “Flash crowds<strong>and</strong> denial <strong>of</strong> service attacks: Characterization <strong>and</strong> implicationsfor CDNs <strong>and</strong> web sites,” in Proc. 11th IEEE Int. World WideWeb Conf., May 2002,pp. 252–262.[8] Y. Xie <strong>and</strong> S. Yu, “A detection approach <strong>of</strong> user behaviors based[9] onHsMM,” in Proc. 19th Int. Teletraffic Congress (ITC19),Beijing, China, Aug. 29–Sep. 2 2005, pp. 451–460.[10] Y. Xie <strong>and</strong> S. Yu, “A novel model for detecting application layerDDoS attacks,” in Proc. 1st IEEE Int. Multi-Symp.Comput.Computat.Sci.(IMSCCS|06), Hangzhou, China, Jun. 20–24, 2006, vol. 2, pp. 56–63.[11] S.-Z. Yu <strong>and</strong> H. Kobayashi, “An efficient forward-backwardalgorithmfor an explicit duration hidden Markov model,” IEEESignal Process.Lett., vol. 10, no. 1, pp. 11–14, Jan. 2003.[12] L. I. Smith, A Tutorial on Principal Components Analysis[EB/OL],2003 [Online].369 | P a g e