A New Way to Detect DDoS Attacks within Single Router

Ruoyu Yan a,b, Qinghua Zheng a, Guolin Niu a, Sheng Gao b

a MOE KLINNS Lab and SKLMS Lab, Department of Computer Science and Technology, Xi'an Jiaotong University, Xi'an, Shaanxi Province, China
b School of Information Science, Guangdong Ocean University, Zhanjiang, Guangdong Province, China
[email protected]

This work was supported in part by the National Natural Science Foundation of China (60633020, 60473136) and the National High Tech. Development Plan of China (2006BAH02A24-2, 2006BAK11B02, 2007AA01Z475).

1-4244-2424-5/08/$20.00 ©2008 IEEE

ICCS 2008

Abstract: Different from other research work focusing on network-wide traffic, the traffic we analyze is the traffic state viewed from a router's interior. In this paper we first introduce a kind of port-to-port traffic in a router, which we call IF flow. IF flows can amplify the ratio of attack traffic to normal traffic. Then an RLS (recursive least squares) filter is used to predict IF flows. After that, a statistical method operating on the filtered residual process is proposed to detect anomalies. Finally we apply the method to three types of traffic within a router (IF flows, input links and output links) and compare the anomaly detection results using ROC curves. The results show that IF flows are more powerful than input links and output links for DDoS attack detection.

Keywords: anomaly detection; distributed denial of service; recursive least squares; router-wide traffic analysis

I. INTRODUCTION

Internet-based attacks can be launched from anywhere in the world, and unfortunately any Internet-based service is a potential target for these attacks. A denial of service (DoS) attack aims to deny legitimate users access to shared services or resources [1]. When the traffic of a DoS attack comes from multiple sources, it is called a distributed denial of service (DDoS) attack. By using multiple attack sources, the power of a DDoS attack is amplified and the problem of defense becomes more complicated. Among all Internet-based attacks, the consequences of DDoS attacks are thought to be among the most serious. Hence, it is crucial to minimize the damage caused by DDoS attacks.

DDoS attack detection methods may be roughly classified into three types according to where they are deployed: on a single link, on a router, and on a large-scale network. Many of today's traffic monitors and intrusion detection systems (IDS) are deployed on a single link [2],[3]. Because such a system can only monitor traffic on one physical link or a small local network, its detection area is too small and its performance is hard to scale. So detection methods used on routers have been developed [4],[5],[6]. Literature [4] proposes a method that keeps a history of all the legitimate IP addresses which have previously appeared in the router. When a new IP packet arrives, this history is used to decide whether a DDoS attack has happened. Literature [5] analyzes the traffic patterns in a router and adopts a nonparametric CUSUM (Cumulative Sum) to process traffic at each input/output port. Based on this method applied to a single router, a hierarchical alarm system aimed at DDoS attacks is introduced. Literature [6] focuses on the change of the ports' input and output traffic in a core router, employing an improved CUSUM algorithm to track the statistical characteristics of traffic in real time and detect DDoS attacks.

How to detect DDoS attacks in a large-scale network has become a very active research area in recent years [5],[7],[8]. All of these works adopt distributed detection techniques: a detection method is applied at every single router, the intermediate results are then sent to a control center, and in the end a general result is computed by data fusion.

Different from all the methods mentioned above, we define a type of port-to-port traffic named IF flow to construct a traffic matrix in a router. We use an RLS (recursive least squares) filter to predict IF flows, and after obtaining the prediction error we use a variance ratio statistic detection algorithm to detect DDoS attacks within the router. With some improvements, our scheme can also be applied to a large-scale network in a distributed way, which is our future research work.

The remainder of this paper is organized as follows. Section 2 defines three types of traffic and presents the merits of IF flows in detail. The method for detecting DDoS attacks is presented in Section 3. All of our evaluations and comparison results are shown in Section 4. Finally, conclusions are drawn in Section 5.

II. WHY USING IF FLOWS FOR ANOMALY DETECTION?

A. Definition of Three Types of Traffic

To facilitate the description, we first give definitions of three types of flow traffic.

IF flow: a group of packets traveling from one port to a different port in a router per unit time. Here we suppose that packets traveling from one port back to the same port are very sparse, which cannot affect the detection results, so they are not considered.

Input link: a group of packets entering a router from one port per unit time.

Output link: a group of packets leaving a router from one port per unit time.

We use port serial numbers to label IF flows, input links and output links as in Fig. 1. For instance, a group of packets traveling from port A to port C per unit time is labeled IF flow A-C.
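The following is an added example, not code from the paper. It builds the three traffic types just defined from NetFlow-style entries in the way Section III.A describes (summing per time bin by the input and output interface fields), and then reproduces the amplification argument of Section II.B: on a four-port router with two attacked IF flows A-C and B-C, the attack-to-normal ratio is 10% on input links A and B, 20% on output link C and 30% on the two IF flows. The record format, the packet counts (300 normal packets per IF flow, 90 attack packets per attacked flow) and the single time bin are constructed for the example.

```python
"""Aggregate NetFlow-like entries into IF flows, input links and output links
(Section II.A) and compare how much an attack stands out in each view (II.B).
All records below are constructed for this example; no router data is used."""
from collections import defaultdict
from itertools import permutations

PORTS = ["A", "B", "C", "D"]   # a four-port router, as in Fig. 1 (12 IF flows)
BASE = 300                     # constructed normal packets per IF flow per bin
ATTACK = 90                    # constructed extra packets on each attacked IF flow


def make_records(time_bin, attacked_flows=()):
    """Constructed NetFlow-like entries: one per (input port, output port) pair.
    Same-port traffic (A->A) is omitted, as Section II.A assumes it is sparse."""
    records = []
    for src, dst in permutations(PORTS, 2):
        pkts = BASE + (ATTACK if (src, dst) in attacked_flows else 0)
        records.append({"t": time_bin, "input": src, "output": dst, "packets": pkts})
    return records


def aggregate(records):
    """Sum packet counts per time bin into the three views of Section II.A:
    IF flow keyed by (input, output), input link keyed by input port,
    output link keyed by output port. Mirrors module 1 of Section III.A."""
    views = defaultdict(lambda: {"if": defaultdict(int),
                                 "in": defaultdict(int),
                                 "out": defaultdict(int)})
    for r in records:
        v = views[r["t"]]
        v["if"][(r["input"], r["output"])] += r["packets"]
        v["in"][r["input"]] += r["packets"]
        v["out"][r["output"]] += r["packets"]
    return views


def attack_ratio(normal, attacked):
    """(attacked - normal) / normal for every key: the ratio of attack traffic
    to normal traffic that Section II.B argues IF flows amplify."""
    return {k: (attacked[k] - normal[k]) / normal[k] for k in normal}


def compare_views():
    """Return the attack-to-normal ratio in each view for the II.B scenario
    (IF flows A-C and B-C carry the attack)."""
    normal = aggregate(make_records(0))[0]
    attacked = aggregate(make_records(0, attacked_flows={("A", "C"), ("B", "C")}))[0]
    return {view: attack_ratio(normal[view], attacked[view])
            for view in ("if", "in", "out")}


if __name__ == "__main__":
    for view, ratios in compare_views().items():
        visible = {k: round(v, 2) for k, v in ratios.items() if v > 0}
        print(view, visible)
```

The ratio of attack to normal traffic rises from 0.1 on the input links to 0.3 on the attacked IF flows because each IF flow carries only a third of the link's baseline while receiving the whole of its share of the attack; the same aggregation function serves a real router once the records come from the NetFlow cache instead of `make_records`.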

Figure 1. Traffic relation sketch map within a router

B. Merits of Using IF Flows to Detect DDoS Attacks

Much of the work in anomaly detection has focused on single-link traffic data. A router-wide view of traffic enables detection of anomalies that may be dwarfed in individual link traffic. Assume there is a router with n ports; then it can produce $n^2 - n$ IF flows, so for n = 4 a router can produce 12 IF flows. To show the validity of our method clearly, and according to the characteristics of a DDoS attack path, we make some hypotheses, although the real situation is not as simple as in Fig. 1: 1) among these IF flows, two are anomalous, namely IF flows A-C and B-C; 2) the traffic count on each input link or output link is 1, and the traffic count on each IF flow is 1/3 on average; 3) the anomaly traffic count is 1/10 on each of input links A and B. Hence, relative to the normal traffic, anomaly traffic amounts to 10% on input links A and B, 20% on output link C, and 30% on IF flows A-C and B-C. This means IF flows can amplify the ratio of attack traffic to normal traffic. Therefore, intuitively we conclude that IF flows are more effective than input links and output links in detecting anomalies, which the following experiments confirm.

III. DETECTION ALGORITHM BASED ON RLS FILTERING

A. Detection Algorithm Model

The detection algorithm model based on RLS is shown in Fig. 2. We will apply it to three types of traffic in the following experiments: IF flows, input links and output links.

Figure 2. Traffic anomaly detection model

1) IF flow statistic module. At present there is no tool to obtain IF flows directly, but we can achieve this conveniently by means of the NetFlow function of the router, although this may affect the router's normal operation a little. NetFlow was proposed by Cisco and is based on the flow concept. A flow is a unidirectional stream of packets sharing the same five-tuple: source IP, destination IP, source port, destination port and layer 3 protocol type. After the router is configured to enable the NetFlow cache [9], NetFlow entries are produced at every time bin. The byte count, packet count and flow count of input links, output links and IF flows can then be summed per unit time using the input and output fields of the NetFlow entries.

2) RLS prediction module. According to need, IF flow statistics are selected and then predicted by RLS at every time bin.

3) Prediction error module. When a new IF flow statistical value arrives, the prediction error is calculated as the difference between the newly arrived value and its previously computed prediction.

4) Variance ratio statistic detection. A variance analysis method is proposed to process the prediction error in a detection window and a historical window.

5) Judge anomaly module. The alarm threshold of every statistic is set from the results of the variance analysis and from experience with historical traffic. If a statistical value exceeds the alarm threshold, an anomaly is declared. Finally the detection results of all statistics are combined to decide whether to trigger an alarm.

Using RLS to predict all IF flows may be challenging when the number of IF flows is large. However, distributed computation can solve the time-consumption problem caused by the large amount of calculation, because all the statistics are independent and can be computed separately.

B. Network Traffic Prediction Based on RLS

As a matter of fact, the RLS algorithm is in nature a kind of Kalman filter [10], which exactly meets the least squares criterion. RLS is mainly used to filter signal noise, but it can also predict a signal. Literature [11] points out that as the prediction step increases, the prediction precision decreases fast; hence we only use RLS to predict traffic one step ahead. Let the weight vector of the RLS filter at time n be

$$\mathbf{w}(n) = [\,w_0(n)\ \ w_1(n)\ \ \cdots\ \ w_{N-1}(n)\,]^T,\qquad n = 1, 2, \ldots, k$$

The traffic signal series is composed of the N data before time n:

$$\mathbf{x}_N(n) = [\,x(n-1)\ \ x(n-2)\ \ \cdots\ \ x(n-N)\,]^T$$

We use $d(n)$ to denote the expected response at time n. In fact, $d(n)$ equals $x(n)$, and $\mathbf{x}_N^T(n)\,\mathbf{w}(n-1)$ is the predicted value of $x(n)$. The RLS algorithm for prediction is as follows.

Initialize by setting

$$\mathbf{w}(0) = \mathbf{x}_N(0) = \mathbf{0},\qquad \mathbf{T}(0) = \delta\,\mathbf{I}\quad (\delta \gg 1)$$

For each instant of time n = 1, 2, ...:

1) Read the input values $d(n)$ and $\mathbf{x}_N(n)$.

2) Calculate the estimation error between the original and the predicted value:

$$\xi(n \mid n-1) = d(n) - \mathbf{x}_N^T(n)\,\mathbf{w}(n-1)$$

3) Calculate the information gain:

$$\mathbf{g}(n) = \frac{\mathbf{T}(n-1)\,\mathbf{x}_N(n)}{\lambda + \mathbf{x}_N^T(n)\,\mathbf{T}(n-1)\,\mathbf{x}_N(n)}$$

4) Calculate the weights:

$$\mathbf{w}(n) = \mathbf{w}(n-1) + \mathbf{g}(n)\,\xi(n \mid n-1)$$

5) Calculate the inverse autocorrelation matrix:

$$\mathbf{T}(n) = \frac{1}{\lambda}\left[\,\mathbf{T}(n-1) - \mathbf{g}(n)\,\mathbf{x}_N^T(n)\,\mathbf{T}(n-1)\,\right]$$

Note: λ is the forgetting factor and δ is the initial coefficient of the inverse autocorrelation matrix T. λ affects the convergence rate of the RLS algorithm: the smaller λ, the slower the rate of convergence; a larger λ speeds up convergence but also causes extreme oscillation. Here we select the larger value λ = 0.99 according to experimental results.

C. Variance Ratio Statistic Detection Algorithm

First, we obtain historical traffic statistics by monitoring the normal network; then we calculate the variance of the prediction error between predicted and original values, obtaining the statistical characteristics of the normal traffic; finally, in real-time detection, we examine the present network traffic signal to decide whether there is an anomaly or not. We adopt a sliding-window sample variance ratio detection algorithm, shown in Fig. 3. A historical window (HisWin) and a detection window (DetWin) are involved, and both slide in real time. As time advances, we compute the variance $DetV_n$ of the detection window $(t_n - DetWin,\ t_n)$ and the variance $HisV_n$ of the historical window $(t_n - HisWin,\ t_n)$ at time $t_n$. The ratio

$$ratio = \left(DetV_n / HisV_n\right)^2$$

reflects the departure of the detection-window sample from the historical normal data at time $t_n$. If there is an anomaly at the present time, it will be reflected in the results of the detection window, and the ratio value will increase accordingly. The time when the ratio exceeds the alarm threshold is regarded as an anomaly. There are three parameters involved in the detection algorithm:

1) Detection window. Ideally the size of the detection window equals the duration of the possible anomaly. However, we cannot know in advance the duration of the anomaly traffic to be detected, but we can know the durations of all historical anomalies. Hence we always select the average duration of all historical anomalies as the detection window.

2) Historical window. A bigger historical window makes the detection results more accurate. However, too large a historical window increases the storage and computation cost of the system. Hence we must balance the two.

3) Judgement threshold. In the light of the analysis of historical traffic, the anomaly threshold

$$threshold = \bar{x} + m\sigma$$

is selected, in which $\bar{x}$ is the average value and $\sigma$ the standard deviation of the ratio computed from historical normal traffic, and m is a small positive value between 1 and 4.

Figure 3. Sliding window variance ratio detection

IV. EVALUATION AND RESULTS

A. Measurement Data Used

To validate an anomaly detection method, one common approach is to collect live data in the form of a packet- or flow-level trace; but operators must examine these data and have the anomaly events "marked". Labeling a trace is a hard task, because operators can make mistakes, either missing an anomaly or generating a false positive. At the same time, such live data contain a limited number of anomaly events whose parameters cannot be varied. Therefore, synthetic attacks need to be created as test samples, the advantage being that the parameters of an attack can be carefully controlled. The method of creating synthetic anomalies is described in detail in literature [12]. We mainly use its method to create DDoS attack traffic as experimental data. The concrete procedure is as follows:

1) Obtain a week of NetFlow traffic from a five-port router at intervals of one minute at Xi'an Jiaotong University. IF flow traffic is aggregated by the input and output fields of the NetFlow entries.

2) Use the Daubechies-5 discrete wavelet transform to extract the long-term statistical trend from the selected IF flows. The goal is to capture the diurnal pattern by smoothing the original signal.

3) Add to the smoothed IF flow signal a zero-mean Gaussian noise whose variance is computed as follows: take the first 5 detail signals from the wavelet transform and compute the variance of the sum of these 5 detail signals.


4) Randomly select values of the four parameters in Table I to characterize the DDoS attack, and add the anomaly on top of the resulting signal.

5) Use the created IF flow traffic to infer the input link and output link traffic according to the internal traffic matrix relationship within the single router.

Although most DDoS attacks last between 5 and 30 minutes [13], there are some outliers lasting less than 1 minute. Here we select attack durations between 1 and 30 minutes. In Table I, δ is a multiplicative factor, a multiple of 0.1, which is multiplied by the baseline traffic to generate the new traffic load. For each δ we generate 40 DDoS attacks starting at different times, and each attack affects 2.5 IF flows on average. (Src, Dst) refers to a DDoS attack entering from Src ports and leaving from Dst ports. Here Dst = 1 indicates that the DDoS attack traffic is aggregated to only one egress port. Ramp and Exponential are shape functions, a detailed description of which can be found in literature [12].

TABLE I. DDoS ATTACK DESCRIPTION PARAMETERS

Parameter        | Duration (minute) | Volume         | (Src, Dst) Num    | Shape
Possible values  | 1~30              | 0.1 ≤ δ ≤ 1    | (1, 1) ~ (4, 1)   | Ramp, Exponential
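As an added example (not the paper's code or data), the following generates synthetic DDoS attacks following steps 2 to 5 above and the parameter ranges of Table I, and derives the input and output links from the IF flow matrix. Several things are assumptions of this example rather than the paper's method: the baseline is a constructed diurnal sinusoid standing in for the Daubechies-5 smoothed trend, the noise variance is a chosen constant instead of the variance of the first five detail signals, and the ramp and exponential profiles are this example's own definitions, since the paper refers to [12] for the actual shape functions.

```python
"""Synthetic DDoS attack generation in the spirit of Section IV.A and Table I,
plus inference of input/output links from the IF flow matrix (step 5).
Everything is constructed for the example: the baseline stands in for the
wavelet-smoothed trend, the noise variance is a chosen constant, and the
ramp/exponential profiles are assumed definitions, not those of [12]."""
import math
import random
from itertools import permutations

PORTS = ["A", "B", "C", "D", "E"]      # five-port router, as in Section IV.A
SHAPES = ("ramp", "exponential")        # the two shapes listed in Table I


def shape(kind, duration):
    """Attack profile rising from 0 to 1 over `duration` bins (assumed forms)."""
    if kind == "ramp":
        return [(i + 1) / duration for i in range(duration)]
    k = 3.0                              # assumed steepness of the exponential rise
    return [(math.exp(k * (i + 1) / duration) - 1) / (math.exp(k) - 1)
            for i in range(duration)]


def baseline_flows(length=1440, seed=7, noise_sd=20.0):
    """Steps 2-3 stand-in: a smooth diurnal trend per IF flow plus zero-mean
    Gaussian noise. One bin is one minute, so 1440 bins is one day."""
    rnd = random.Random(seed)
    flows = {}
    for src, dst in permutations(PORTS, 2):
        level = 400 + 20 * PORTS.index(src) + 30 * PORTS.index(dst)  # constructed
        flows[(src, dst)] = [level + 0.3 * level * math.sin(2 * math.pi * t / 1440)
                             + rnd.gauss(0, noise_sd) for t in range(length)]
    return flows


def inject_attack(flows, src_ports, dst, delta, duration, start, kind):
    """Step 4: add delta * baseline * profile(t) to every (src, dst) IF flow on
    the attack path (Dst = 1, one egress port). Returns per-bin labels."""
    profile = shape(kind, duration)
    for src in src_ports:
        series = flows[(src, dst)]
        for i, s in enumerate(profile):
            series[start + i] += delta * series[start + i] * s
    length = len(next(iter(flows.values())))
    return [start <= t < start + duration for t in range(length)]


def random_attack_params(rnd=None):
    """Draw the four Table I parameters: duration 1..30 min, delta a multiple of
    0.1 in [0.1, 1], (Src, Dst) between (1, 1) and (4, 1), shape ramp/exponential."""
    rnd = rnd or random.Random(0)
    dst = rnd.choice(PORTS)
    src_ports = rnd.sample([p for p in PORTS if p != dst], rnd.randint(1, 4))
    return dict(src_ports=src_ports, dst=dst, delta=rnd.randint(1, 10) / 10,
                duration=rnd.randint(1, 30), kind=rnd.choice(SHAPES))


def links_from_flows(flows):
    """Step 5: the input link of port p is the sum of IF flows leaving p and the
    output link of port p is the sum of IF flows arriving at p."""
    length = len(next(iter(flows.values())))
    inputs = {p: [0.0] * length for p in PORTS}
    outputs = {p: [0.0] * length for p in PORTS}
    for (src, dst), series in flows.items():
        for t, v in enumerate(series):
            inputs[src][t] += v
            outputs[dst][t] += v
    return inputs, outputs


def build_dataset(seed=3, n_attacks=40):
    """Place n_attacks random attacks (the paper uses 40 per delta) at random,
    non-overlapping start times. Returns flows, input links, output links, labels."""
    rnd = random.Random(seed)
    flows = baseline_flows(seed=seed)
    length = len(flows[("A", "B")])
    labels = [False] * length
    for _ in range(n_attacks):
        params = random_attack_params(rnd)
        start = rnd.randrange(0, length - params["duration"])
        if any(labels[start:start + params["duration"]]):
            continue                     # keep labels unambiguous: no overlaps
        mask = inject_attack(flows, start=start, **params)
        labels = [a or b for a, b in zip(labels, mask)]
    inputs, outputs = links_from_flows(flows)
    return flows, inputs, outputs, labels


if __name__ == "__main__":
    flows, inputs, outputs, labels = build_dataset()
    print(f"{sum(labels)} attack minutes out of {len(labels)}; "
          f"12 of {len(flows)} IF flows would exist on a 4-port router, here {len(flows)}")
```

Because every attack is added on the IF flow matrix first and the links are summed from it afterwards, the same attack minutes are labelled identically in all three views, which is what makes a per-view ROC comparison like the one in Section IV.C meaningful.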

B. Validation Methodology

To give a glimpse of the synthetic DDoS attack traffic and of the anomaly detection process, Fig. 4 presents the intermediate results of the detection method. In the first sub-figure, we show a synthetic IF flow traffic (blue solid curve) and its predicted traffic (red dash-dot curve); the area enclosed by the dotted line is the attack traffic. The second sub-figure shows the results of applying the variance ratio statistic method directly to the original traffic. The third sub-figure shows the prediction error over time; it can be verified that the prediction error is normally distributed with zero mean. The final sub-figure shows the detection results after applying the variance ratio statistic method to the prediction error. In sub-figures 2 and 4 the red horizontal line is the threshold with m = 3, and the blue curve is the variance ratio. Obviously, using the prediction error is more powerful than using the original traffic for anomaly detection: it not only makes fewer mistakes but also detects DDoS attacks at the very start and tells their duration precisely.
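The pipeline of Fig. 4 (RLS one-step prediction from Section III.B, then the sliding-window variance ratio of Section III.C with the threshold x̄ + mσ at m = 3) as an added example in pure Python; this is not the paper's code, and the traffic, the attack and several settings are this example's assumptions: a constructed diurnal sinusoid with Gaussian noise, an additive attack of 800 extra units over 30 minutes starting at bin 400, N = 4 taps, δ = 100 for T(0), DetWin = 10, HisWin = 60, and the first 300 bins used as the normal traffic from which x̄ and σ are learned. λ = 0.99 and m = 3 are the paper's values. The `on_error=False` path applies the ratio to the raw traffic instead, as in the second sub-figure, for comparison.

```python
"""RLS one-step prediction (Section III.B) feeding the sliding-window variance
ratio detector (Section III.C), run on a constructed traffic series.
Pure Python; traffic, attack and window sizes are constructed for the example."""
import math
import random


def rls_predict(x, N=4, lam=0.99, delta=100.0):
    """One-step RLS predictor. Returns the errors xi(n|n-1) for n = N .. len(x)-1.
    w(0) = 0 and T(0) = delta*I with delta >> 1 (delta = 100 is an assumed value)."""
    w = [0.0] * N
    T = [[delta if i == j else 0.0 for j in range(N)] for i in range(N)]
    errors = []
    for n in range(N, len(x)):
        xN = [x[n - 1 - i] for i in range(N)]                 # [x(n-1) ... x(n-N)]
        xi = x[n] - sum(a * b for a, b in zip(xN, w))         # d(n) - xN^T w(n-1)
        Tx = [sum(T[i][j] * xN[j] for j in range(N)) for i in range(N)]
        g = [v / (lam + sum(a * b for a, b in zip(xN, Tx))) for v in Tx]  # gain
        w = [w[i] + g[i] * xi for i in range(N)]               # weight update
        xT = [sum(xN[i] * T[i][j] for i in range(N)) for j in range(N)]  # xN^T T
        T = [[(T[i][j] - g[i] * xT[j]) / lam for j in range(N)] for i in range(N)]
        errors.append(xi)
    return errors


def variance(v):
    mean = sum(v) / len(v)
    return sum((a - mean) ** 2 for a in v) / len(v)


def variance_ratios(series, det_win, his_win):
    """ratio = (DetV/HisV)^2 wherever both windows, which end at the same time
    t_n, are full. Entry j belongs to series index j + his_win - 1."""
    out = []
    for end in range(his_win, len(series) + 1):
        det_v = variance(series[end - det_win:end])
        his_v = variance(series[end - his_win:end]) or 1e-12  # guard a flat window
        out.append((det_v / his_v) ** 2)
    return out


def make_series(length=600, seed=1):
    """Constructed traffic: diurnal sinusoid plus Gaussian noise, with 800 extra
    units injected in bins 400..429 to play the role of a DDoS attack."""
    rnd = random.Random(seed)
    x = [1000 + 300 * math.sin(2 * math.pi * n / 240) + rnd.gauss(0, 10)
         for n in range(length)]
    for n in range(400, 430):
        x[n] += 800
    return x


def detect(x, m=3, det_win=10, his_win=60, train_end=300, on_error=True, N=4):
    """Learn threshold = x_bar + m*sigma from ratios of the normal segment
    [0, train_end) and return (threshold, alarm_times) for the remaining bins.
    on_error=True runs the ratio on RLS prediction errors (the paper's method);
    on_error=False runs it on the raw traffic, as in sub-figure 2 of Fig. 4."""
    series, offset = (rls_predict(x, N), N) if on_error else (x, 0)
    ratios = variance_ratios(series, det_win, his_win)
    times = [j + his_win - 1 + offset for j in range(len(ratios))]
    train = [r for r, t in zip(ratios, times) if t < train_end]
    x_bar = sum(train) / len(train)
    sigma = math.sqrt(variance(train))
    threshold = x_bar + m * sigma
    alarms = [t for r, t in zip(ratios, times) if t >= train_end and r > threshold]
    return threshold, alarms


if __name__ == "__main__":
    traffic = make_series()
    for mode in (True, False):
        thr, alarms = detect(traffic, on_error=mode)
        hits = [t for t in alarms if 400 <= t < 432]
        print(f"on_error={mode}: threshold={thr:.2f}, alarms={len(alarms)}, "
              f"inside attack={len(hits)}")
```

The onset and the end of the attack are where the prediction error is largest, so both show up as ratio spikes; a flat-topped attack that the RLS weights adapt to within a few bins is therefore marked at its edges, which is the sense in which the paper says the method "tells its duration".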

Figure 4. An example of detection results

C. Comparison Results

Within each type of flow, for each value of the threshold, the entire traffic matrix (thus traversing all anomalies and non-anomalies) is examined. We can thus compute one false positive percentage and one false negative percentage for each threshold configuration of a scheme. The performance of the method applied to the three types of flows is depicted in Receiver Operating Characteristic (ROC) curves. The ROC curve plots the true positive ratio (TPR), calculated as the percentage of DDoS attacks detected, against the false positive ratio (FPR), calculated as the percentage of normal traffic falsely classified as DDoS attacks. In Fig. 5, each false negative ratio (FNR) and FPR value is the average result of detecting synthetic anomaly traffic with the same attack intensity. In Fig. 6, each TPR and FPR value is the average detection result at the same threshold (i.e. the same m). Intuitively, larger anomalies are easier to detect, and vice versa. Hence we expect FNR and FPR to decrease as the anomaly intensity increases, and Fig. 5 and 6 confirm this. Besides, we can observe: 1) In Fig. 5, as the attack size decreases, the FPR and FNR curves of the three types of flows converge; once the attack intensity trails off to a certain degree, the detection method can hardly detect the anomaly with any of the three types of flows. 2) As the attack size increases, the FPR and FNR of IF flows are distinctly smaller than those of input links and output links, and the FPR and FNR of output links are smaller than those of input links. 3) Fig. 6 confirms the judgment we gave earlier in this paper, namely that anomaly detection with IF flows is more effective than with input links and output links. At the same FPR, the TPR of IF flows is about 10% higher than that of output links and 30% higher than that of input links. To sum up, we propose: if IF flows can be obtained at low cost, detection with IF flows is a good option; even if they cannot be obtained, output links are preferable to input links.


Figure 5. FNR and FPR as a function of the anomaly size

Figure 6. ROC curves using synthetic data

V. CONCLUSIONS

This paper proposes a new scheme to detect DDoS attacks within a single router, which of course can detect other types of attacks too. Our three main contributions are as follows: 1) Based on the internal traffic within a router, we define a new type of traffic, IF flows, as the detection traffic. 2) We propose a new method to predict traffic and detect anomalies based on RLS filtering, which has a higher detection rate. 3) We compare the detection effects of three types of flows (IF flows, input links, output links). Experiments show that IF flows are more powerful than the other two types of flows, while the commonly used input links are the worst. The scheme we propose can be generalized to multiple key routers in a large-scale network, so that DDoS attacks can be detected by a distributed system at an early time, and the attack source and its affected scope can be pinpointed accurately.

REFERENCES

[1] V. D. Gligor, "A note on denial-of-service in operating systems," IEEE Trans. Softw. Eng., vol. 10, no. 3, pp. 320-324, 1984.
[2] Zhengbing Hu, Zhitang Li, Junqi Wu, "A Novel Network Intrusion Detection System (NIDS) Based on Signatures Search of Data Mining," Knowledge Discovery and Data Mining, 2008, pp. 10-16.
[3] T. M. Gil and M. Poletto, "Multops: a data-structure for bandwidth attack detection," Proceedings of the 10th USENIX Security Symposium, 2001.
[4] Tao Peng, C. Leckie, K. Ramamohanarao, "Protection from distributed denial of service attacks using history-based IP filtering," ICC'03, 2003, pp. 482-486.
[5] Yu Chen, Kai Hwang, Wei-Shinn Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
[6] Sun Zhi-Xin, Tang Yi-Wei, Cheng Yuan, "Router Anomaly Traffic Detection Based on Modified-CUSUM Algorithms," Journal of Software, vol. 16, no. 12, 2005, pp. 2117-2123.
[7] Krishan Kumar, R. C. Joshi, Kuldip Singh, "A Distributed Approach using Entropy to Detect DDoS attacks in ISP Domain," International Conference on Signal Processing, Communications and Networking, 2007, pp. 331-337.
[8] David K. Y. Yau, John C. S. Lui, Feng Liang, and Yeung Yam, "Defending Against Distributed Denial-of-Service Attacks With Max-Min Fair Server-Centric Router Throttles," IEEE/ACM Transactions on Networking, vol. 13, no. 1, pp. 29-42, Feb. 2005.
[9] Cisco IOS NetFlow White Papers (2006). http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
[10] Simon Haykin, Adaptive Filter Theory. Beijing: Publishing House of Electronics Industry, 2002.
[11] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-time," Computer Networks, vol. 31, no. 23-24, pp. 2435-2463, 1999.
[12] Augustin Soule, Kave Salamatian, Nina Taft, "Combining Filtering and Statistical Methods for Anomaly Detection," USENIX Association, Internet Measurement Conference, 2005, pp. 331-344.
[13] D. Moore, G. M. Voelker, S. Savage, "Inferring Internet Denial-of-Service activity," in Proc. the 10th USENIX Security Symposium, pp. 9-22, 2001.