A Revised Ant colony Optimization Scheme for Discovering Attack Paths of Botnet Ping Wang
Hui-Tang Lin
Tzy Shiah Wang
Department of MIS Kun Shan University Tainan, Taiwan
[email protected]
Institute of Computer and Communication Engineering National Cheng Kung University Tainan, Taiwan
[email protected]
Institute of Computer and Communication Engineering National Cheng Kung University Tainan, Taiwan
[email protected]
Abstract—IP traceback technique is an effective method to find either the attack origin or command-and-control (C&C) server on the Internet. Because the traditional ACO (ant colony optimization) constantly converged to a local minimum solution easily such that the global optimality of the final solution might be miss. Accordingly, the present study proposes a modified ACS (ant colony system) scheme designated as ACS-IPTBK to solve the IP traceback problem, predict both the most probable attack path and the computational resources needed in botnets. The ability of the ants to search all feasible attack paths is enhanced by means of a global heuristics. A series of ns2 simulations are performed to investigate the minimum number of routing packets required to successfully reconstruct the attack path, the correlation between the packet quantity and the convergence time for attack paths of different attack lengths using random network topologies were constructed using a random graph generator based on Waxman’s scheme. Finally, the robustness of the proposed scheme toward spoofed IP attacks in investigated. Overall, the results confirm that the proposed method provides an effective means of reconstructing the path between the attacker and the victim based on the incomplete routing information from the related ISPs. Keywords-Botnet; IP traceback; Attack path; Ant colony system; Waxman’s scheme
I.
INTRODUCTION
The problem of identifying the origin of an attack over the Internet is referred to as the IP traceback (IPTBK) problem. Typically, the IPTBK problem involves collecting sufficient route information to determine all the possible paths between the attacker and the victim given a constraint on both the quantity of routing packets collected and the computational time. Solving the IPTBK problem is of crucial concern to information security management in detecting the origin of a malicious attack and bringing the perpetrator to court. Consequently, many methods for reconstructing the attack path have been proposed recently. Most existing methods for solving the IPTBK problem focus on DDoS (distributed denial of service) attacks [2,6] where In a DDoS attack, a malicious user, referred to as a herder, utilizes a Command and Control (C&C) server to initiate an attack on a single target by a multitude of compromised systems. The resulting flood of incoming messages overwhelms the target, causing it to shut down and to deny access to legitimate users. The compromised systems
are referred to as “zombies”, and collectively form a botnet. While the motivation of most herders in establishing a botnet is that of financial gain, or simply attracting recognition amongst his or her peers, the botnet may also be hired out to third parties to conduct a range of nefarious activities, including sending out spam messages, distributing viruses, installing spyware, and so on. Although various IP traceback methods [2,6] have been proposed for the detection network attacks and classification purposes, they invariably assume the full cooperation of all the servers between the victim and the C&C server in providing the routing information required to reconstruct the attack path. However, in practice, some service providers prefer not to provide this information. As a result, it is necessary to reconstruct the path given only a limited knowledge of the routing information. Furthermore, as discussed above, in solving the IPTBK problem, it is desirable to minimize both the convergence time and the amount of routing information required to reconstruct the attack path in order to ensure a prompt and effective response to perceived or actual attacks. Inspired by [11], the present study proposes a modified ACS (ant colony system) optimization scheme designated as ACS-IPTBK for solving the IPTBK problem subject to the constraint of minimizing both the number of routing packets required to reconstruct the path and the convergence time required for the reconstruction process. In developing the proposed algorithm, the ability of the ants to search all the feasible attack paths between the victim(s) and the attack origin is enhanced by means of a global heuristics. The validity of the proposed algorithm is demonstrated by performing a series of experiments conducted by Network Simulator 2 (ns2). Section II presents previous studies in the AS (ant system) field and describes the use of the AS method in solving the IPTBK problem. Section III describes the modified ACS scheme proposed in this study for solving the IPTBK problem, discusses the experimental results and examines the performance of the two global heuristics and investigates the correlation between the minimum number of routing packets required to reconstruct the attack path and the network size. Finally, Section VI provides some brief concluding remarks and indicates the intended direction of future research.
II.
THE AS OPTIMIZATION SCHEMES IN SOLVING IPTBK PROBLEM
This section overview of AS (ant system) optimization schemes and introduces the application of ACO to IP traceback problem as follows. A.
Overview of AS optimization schemes AS, the first Ant Colony Optimization (ACO) algorithm, was proposed by Colorni et al [1] in 1991. In a later study, the performance of AS was enhanced via three new search strategies, namely Ant-density, Ant-quantity and Ant-cycle [9]. Furthermore, Stuetzle and Hoos [11], proposed a maxmin ant system (MMAS) in which a constraint was imposed on the pheromone intensity update range [τ max ,τ min ] in order to prevent premature convergence to a local sub-optimal solution. Only global best or iteration best tour deposited pheromone. All edges are initialized to τmax and reinitialized to τmax when nearing stagnation. Dorigo and Gambardella [8] developed an enhanced AS algorithm designated as Ant Colony System (ACS) to search for the optimal path within a complex solution space subject to both time and cost constraints. In general, ACO schemes provide an effective means of solving a range of complex optimization problems in the computer science and operations field, including quadratic assignment problems [12], Job-shop scheduling problems [13], vehicle routing (VR) problems [8-9], network routing problems [7], and so on.
B. Application of ACO to IP Traceback Problem Assume that the IPTBK problem is to be solved using an ant colony comprising m ants. In the solution procedure, each ant establishes a complete path between the attacker and the victim by choosing network nodes to visit in accordance with a state transition rule. Once all of the ants have completed their tours, the “pheromone intensity” at each of the nodes is updated using a global updating rule. The process is repeated iteratively in this way until the specified termination criteria are met. To global optimal solution of AS, a random searching policy was given to reconstruct the possible attack paths for finding their way back to nest as follows: When selecting a route between the victim and the attack source, each ant in the colony performs a complete search of all arcs (i, j) at time t in accordance with the following transition rule,
pij (t ) =
[τ ij (t )]α [η ij (t )]β
∑[τ
j∈N i
ij
(t )]α [η ij (t )]β
,
(1)
where pij (t ) is the probability that an ant chooses a path from node i to node j and η ij (t ) (namely the visibility) is defined as ηij (t ) = 1/ dij, where dij represents the distance (i.e., the number of hops) between node i and node j. Furthermore, α is a pheromone intensity weighting factor
and β is a visibility weighting factor. The ant colony updates the probability density function of the feasible attack paths and help the ant select the right path back to the nest. Finally, the notation j ∈ N i indicates that node j is a member of the set of nodes in the neighborhood of node i which the ant has not yet visited. Trace by the higher intensity of the pheromone over a trail. In reconstructing the possible attack paths, the path search of each ant between adjacent routers (i, j) is given by
τ ij (t + 1) = (1 − ρ ) × τ ij (t ) + Δτ ij (t ) ,
(2)
where τ ij (t ) denotes the amount of pheromone on arc (i, j) at time t. (Note that the initial pheromone intensity, i.e., τ ij (0) , can be set to any arbitrarily chosen value). Moreover, ρ represents the evaporation (or decay) rate of the pheromone and has a value in the interval [0,1], where a higher value indicates a more rapid decay. Finally, Δτ ij (t ) represents the additional pheromone deposited on arc (i, j) by the ants which travel along this arc during the current time period, i.e., m
Δτ ij (t ) = ∑ Δτ ijk (t ),
(3)
k =1
where Δτ ijk (t ) is the amount of pheromone laid by the kth ant on arc (i, j) between time (t1) and time t and m is the total number of ants in the colony. Colorni et al. [9] proposed the following Ant Quantity (ANT-Q) formula for determining the value of Δτ ij (t ) : ⎧Q if (i , j ) ∈ ⎪ ⎪L Δ τ ij (t ) = ⎨ k ⎪0 otherwise ⎪⎩
path done by k th ant ,
(4)
where Lk is the number of nodes along the path traversed by ant k and Q is a constant. (3) shows that the pheromone intensity along route (i, j) is inversely proportional to Lk. In other words, shorter routes attract a greater number of ants. Once every ant has moved, the selection probabilities of each path are computed in accordance with (1) ~ (4). Note that all of the nodes visited by each ant up to time t are memorized in a Tabu list to prevent the ant from re-visiting the same node during the search process. The process described above is repeated iteratively for a preset number of cycles. Finally, the ants found the appropriate path that leads them back to the nest (i.e., the attack origin). III.
ACS HEURISTIC MODEL FOR IPBK PROBLEM
In the present study, the ACS optimization method is used to solve the IPTBK problem because ants can
effectively search all the feasible attack paths between the victim(s) and the source subject to both time and cost constraints, even when the ISPs do not fully cooperate in providing all the routing information required. In implementing the optimization procedure, two research objectives are as follows: (i) to identify the most probable attack path subject to the constraint of minimizing both the number of routing packets (cost), and (ii) the convergence time required for the reconstruction process in different network topologies. Note that the attack path is assumed to be a non-cyclic directed graph in order to ensure the convergence of the solution procedure. Let the network topology be represented as a directed graph, G=(V,E), where V represents a set of nodes, V={v1, v2,…, vn}; Vs is a set of source nodes (i.e., attack sources); Vd is a set of sink nodes (i.e., victims), and E denotes the edges of the graph. In the ACS model, two arbitrary nodes of network topology representing attack source and victim are chosen to as end nodes of path for discovering the attack paths. Solving the IPTBK problem using the ACS algorithm exploits three fundamental characteristics of AS schemes, namely collective intelligence, cooperative learning and distributed optimization. Accordingly, in the following develop a modified algorithm designated as “ACS-IPTBKK” based on ACS optimization scheme, a meta-heuristics is proposed for increasing the diversity of the searched attack paths in the IPTBK problem. As discussed in the following, the algorithm is implemented using a three-step approach. Step 1: Creation of network topology The present study focuses on the security management aspect of network services. The service-oriented network topology is simulated and established for model analysis. To examine the minimum quantity of packets required to reconstruct the attack path by the ACS-TPBK model to solve the IPTBK problem, various experimental network topologies were constructed using a random graph generator based on Waxman’s scheme [3]. In constructing the topologies, the generator randomly placed p nodes at integer coordinates over a rectangular area of size n*n. Adjacent nodes, vi and v j , were then connected to form edges with a probability of P(i, j ) = η exp(
− d (i, j ) , ) Lγ
(5)
where d (i, j ) is the Euclidean distance between nodes
vi and v j , and L is the maximum possible distance between any two nodes in the topology. In addition, η and γ are two parameters with values in the interval (0,1] used to obtain the desired characteristics in the graph. Specifically, a higher value of η increases the average degree of the nodes, while a larger value of γ increases the ratio of the number of long edges to short edges.
Step 2: Tour Re-construction In solving the IPTBK problem using ACS, each ant builds a tour (i.e., a feasible path between the victim and the attacker) by repeatedly applying the state transition rule as follows. 1) State transition rule: The path searching process is accomplished using a state transition rule comprising two policies, namely exploitation and biased exploration. The exploitation policy (see 6(a)) chooses the arc with the greatest product of pheromone intensity and visibility, while the biased exploration policy (see 6(b)) is a random decision rule. Thus, an ant located at node i chooses the next node j in accordance with the following rule: ⎧arg max{[ τ ij (t ) α ][η ij (t ) β ]} if ⎪⎪ j∉tabu k j=⎨ ⎪S otherwise ⎪⎩ ⎧ [τ ij (t )]α [ηij (t )]β α β ⎪⎪ S = pij (t ) = ⎨ ∑[τ ij (t )] [ηij (t )] ⎪ 0 ⎩⎪
j ∈ Ni
q ≤ q o (a )
(6) (b )
(c )
otherwise
where q0 is a user-defined parameter which specifies the distribution ratio of the two policies, and q is a random number, 0 ≤ q ≤ 1 . Here η ij (t ) is calculated as the number of routing packets between router i and router j between time (t1) and time (t), and is used to simulate the visibility of the ants on arc (i, j). While constructing its path, each ant increases the amount of pheromone on the traversed trail by applying a local updating rule. Once all of the ants have completed their tour, the intensity of the pheromone on the path is updated once again by means of a global updating rule. As described above, to search the global optimal solution of ACS, two search polices are given to reconstruct the possible attack paths, when ants find their way back to nest. (i) Exploitation: trace by the higher intensity of the pheromone over a trail, however, this strategy might lead to algorithm converges to a local optimal solution, (ii) Exploration: reinforce ant’s sight ability for direction searching by examining trail intensity of pheromone. This strategy make ants search more flexible than that of the former. Based on exploration policy, path research of adjacent routers for each ant is given by the following local updating rule. 2) Local updating rule :The purpose of the local pheromone updating rule is to prevent an excessive number of ants from selecting the same trail, thereby causing the solution procedure to converge prematurely to a local suboptimal solution. After traveling a path, each ant updates the pheromone level on each arc of the path in accordance with
τ ij (t + 1) = (1 − w) ×τ ij (t ) + wΔτ ij ,
(7)
where w represents the evaporation or decay rate of the local pheromone, residing in [0,1], and Δτ ij (t ) is equal to τ 0 in the initial state, and is specified by the ANT-quantity (see (3)) or ANT-cycle strategy [9]. 3) Global updating rule:Once all of the ants have completed their tours in the current iteration, the intensity of the pheromone assigned to each arc of the optimal path is recalculated, that is, the intensity of the pheromone path can be revised after all the ants select their route from the victim to an attack source as follows:
τ ij (t + 1) = (1 − ρ ) × τ ij (t ) + ρΔτ ij (t ) ⎧C if route (i , j ) is the optimal ⎪L ⎪ G Δ τ ij (t ) = ⎨ ⎪0 otherwise ⎪⎩
(8) path
where C is a constant and LG is the number of nodes on the optimal path. A higher value of C results in a more rapid convergence time. (6)~(8) are applied repeatedly until all of the members of the ant colony trace the same path back to the nest. 4) Route Improvement Strategies: A meta-heuristics are proposed to increase the number of explored attack paths, thereby prevent the ACS algorithm from converging prematurely to a local, sub-optimal solution. The proposed heuristics satisfy two specific objectives, namely (i) to find the global optimal solution rather than a local optimal solution by reducing the updating speed of the global pheromone; and (ii) to achieve a balance between the updating speed of the local pheromone and the updating speed of the global pheromone. As described in the following, the four heuristics are implemented by modifying the global updating rule in the original ACS algorithm. 5) ANT-Subgroup: The ant colony is divided into multiple subgroups, where each subgroup has a different pheromone updating rule. The ant subgroups are designed to prevent the ACS algorithm from converging too rapidly and get stuck in local optima; thereby precluding the identification of a more suitable global optimal solution. Thus, in the ANT-Subgroup model, the pheromone updating rule is given as
τ ij (t + 1) = (1 − ρ ) × τ ij (t ) + ρΔτ ij (t ) kth route is the optimal ⎧ C if ⎪ sth sub group ⎪ L path in Δ τ ij (t ) = ⎨ ks ⎪0 otherwise ⎪⎩
(9) path
where C is a weighted constant, and Lks is the hop number of attack path k for the s-th subgroup of ants. In accordance with (8), the increase in the pheromone intensity along the path from router i to router j is re-calculated only when an ant within the s-th Subgroup walks along the k-th route, which belongs to the optimal path. Step 3: Against Spoofed IP attacks If bot herders want to masquerade by hiding their attack location using fake IP, then true origin might be lost. Thus, attack scenarios with fake source addresses needed to be verified whether ACS algorithm can discover the correct attack paths or not. In the following, authors describe how to locate source addresses of fake IP. Based on the network behavior anomaly detection, ACS scheme can easily find the correct attack path by comparing the quantity change of attack packets (i.e., trail intensity of pheromone). Furthermore, two detailed cases can be discussed in the following, (i) Not on attack path: If fake IP does not locate on the attack path but near attack origin, ACS can avoid tracing to a discontinuous path in nature and get a feasible solution by path searching rules using (6)-(8). (ii) On attack path: If fake IP is located on the attack path. For nodes of near fake IP, quantity of attack packets received might be dramatically reduced. Thus defender need set a rational threshold of collected attack packets to detect the situation of an attack has occurred. Once the packet rating of a node lowers a preset threshold, a spoofed IP attack might happen. In practice, it is hard to choose a certain value of threshold theoretically over a network, because upper bound of packet quantity of botnet attacks is random. However, trail intensity of pheromone silently reveals the information by comparing the quantity variation of attack packets between the upstream node and downstream node. From [4], it disclosed that nodes close to the victim constantly gathered higher quantity of attack packets than the farther cases that lead to higher trail intensity of pheromone. This useful detection rule can help defender discover some network anomaly behaviors. Therefore, when the quantity of collected attack packets in downstream node diminished under the threshold, defender can add a penalty function, μij to the node and cause to decrease in pheromone intensity for punishment. When spoofed IP attack has happened, adjust the update rule of pheromone intensity as (10) τ ij (t + 1) = (1 − ρ ) × τ ij (t ) + μ ij ⎧ ρΔτ 0 if
μ ij = ⎨
AttPackets i − AttPackets j < δ
⎩− ρΔτ 0 otherwise AttPacketsi represents the quantity of attack packets for
node i, δ means a threshold whose value is decided by quantity mean of packets collected on paths. In the further, defender is interested in the issue how to determine the lower bound of the quantity of attack packets to discover the anomaly situation occurred.
Here authors proposed a packet-based detection rule using the cubic-spline interpolation formula to predict the quantity mean of attack packets, AttPackets m in process of computation. By applying the standard derivation of statistical packet number to show the confidence degree of evidence, we can gain the upper and lower bound of confidence [λ, w]. And then w can be used for assisting defender to determine a fake IP.
[λ ,ϖ ] = AttPackets m ± 2σ AttPackets
(11)
The False Alarm Rate (FAR) is defined as the ratio of between false counts and total test runs against spoofed IP attacks as, FAR= False counts/Total test runs
(12)
The pseudo-code of the ACS-TPBK model for path reconstruction process is illustrated in Fig. 1. IV.
TESTING AND VALIDATION
A series of ns2 simulations was performed to investigate the potential threat to a typical service network by botnet attacks and to explore the effectiveness of the ACS-TPBK model in solving the IPTBK problem. The simulations were performed using a PC with an Intel Dual core CPU 3.0G, DDR2 1G of RAM and the MS Windows XP operating system. The proposed method is applied to solve this problem according to the following four steps: Step 1. Creation of network topology. Assume that the generator randomly places 100, 200, and 500 nodes (p=100,200,500) at integer coordinates over a rectangle area of size 50*50, as shown in Fig. 2. The random network topologies are then created in accordance with (5) by constructing edges between adjacent nodes with various values of η in the ranges 0.3~1.5 and γ in the ranges 0.05~ 0.15, respectively. The main differences between our research with our previous approaches in our work [5] are summarized as (i) Both attack and victim are arbitrary point , such A and B in Fig.2 which not constrained to end points in the topology that increases the feasible solutions. (ii) The arbitrary two point of IP trackback problem raises the searching difficulty of attack path. Table 1 indicates the minimum, average and maximum degree of a node, respectively as well as maximum and average length of a path for each combination of η and γ . From Table 1, parameter η affects the average degree of these nodes, that is, increase of η will bring about a high average degree. Nevertheless too small η case might lead to the low the average degree; in the worst case, generates some cases of edges that can not create the connected paths.
Step 1. Initialize Construct route graph based on topology Set t:=0 for i,j = 1 to k Initialize pheromone τ 0 for nodes on route(i,j) for t = 1 to k Lay h ants on starting node i for q = 1 to m Reset Δτij(t):= 0 for every i and j Step 2. Reconstruction of attack paths for q = 1 to m if ant(q) not arrived at victim node Move ant to neighbor node j Update probability Pij(t ) using (6) Add node j into qth route solution //Local pheromone update for i,j = 1 to k if route(i,j) is in qth route solution Set τ ij (t + 1) = (1 − w) × τ ij (t ) + wΔτ 0 using (7) else Set τ ij (t + 1) = (1 − w ) × τ ij (t ) + w Δ τ ij (t ) //Global pheromone update Compute most probable route solution and LG If node(t) is in most possible route solution Set τ ij (t + 1) = (1 − ρ ) × τ ij (t ) + ρ C using (8) LG //The tabu list records the route solutions Step 3. If spoofed IP attack is occurring Set τ ij (t +1) = (1− ρ) ×τ ij (t) + uij (t) using (10) If termination criteria (200 rounds) not satisfied Empty all route solutions (tabu list) for q = 1 to m Swap starting node into qth route solution Return to Step2 else output optimal route solution
Figure 1. ACS algorithm for IP traceback of botnet detection
Step 2: Reconstruction of attack paths The attack paths were constructed using the following two-step procedure: Step 2.1: Attack on victim The test case with 500 random attacks was simulated using a Monte Carlo model and lay 16 (32) ants to generate the routing information for each network node. The average packets quantity of visited node is counted as the basis of
Applying the searching rule as (6), ants travel around all traits back to nest using the local and global pheromone updating rules given in (7)~(8). Consequently, there are several possible attack paths to be discovered. Then, examine the relationship between the scales of network topology and the feasible solutions where both the iteration process and ratio of ants on the attack path are calculated for monitoring the convergence effects of ACS-TPBK scheme. From Fig. 3, a large topology with long distance d (hops) requires a high substantial quantity of packet to successfully reconstruct the attack path. Fig. 4 revealed that routes with long edges in a network topology might increase the probability of searching in a wrong-path direction such that smaller groups of ants were found on the attack path when iterations had performed.
A
B
Figure 2. Simulated network topology (p=200) TABLE I.
η=0.3 η=0.6 η=0.9 η=1.2 η=1.5
RANDOM TOPOLOGIES BASED ON WAXMAN’S SCHEME (P=200, γ =0.10)
Max degree
Min degree
Avg degree
Max length
Avg length
9.30 13.50 17.70 22.90 26.40
0.00 0.10 0.90 1.60 3.20
5.97 11.47 16.74 22.68 28.03
36.40 39.83 37.43 40.83 41.05
4.28 4.32 4.31 4.32 4.32
updating the pheromone intensity, assisting ants to search paths and evaluate the solution quality.
5
10
15
20
25
30
35
Figure 3. The number of packets required for path reconstruction with different d (hops)
Step 2.2: Traceback to attack paths The routing information generated in Step 2.1 was used as the input dataset to the ACS model. Four important parameters in ACS are: (i) population of colony is set to 16 (or 32). (ii) execute 10 times loop and update path searching rules by 200 iterations (generations) for each loop, (iii) set α (pheromone intensity weighting factor) 1.5 and β(visibility weighting factor) 1.2 based on analysis of Table 2 , and (iv) the decay rate of pheromone is 0.5 in (1), (v) constant C in (8) is set to 5. TABLE II.
SOLUTION QUALITY (NUMBER OF PACKETS ON ATTACK PATH) WITH DIFFERENT VALUES OF Α, Β
50
100
150
200
node100 α=0.9 α=1.2 α=1.5 α=1.8 α=2.1 β=0.6
154.5 147.8 143.6 137.2 132.6
β=0.9
174.4 158.8 151.6 148.8 140.8
β=1.2
189.3 177.9 167.2 155.3 149.4
β=1.5
248.5 217.1 183.5 176.2 158.7
β=1.8
273.8 255.4 225.9 184.8 166.5
Figure 4. The coverage percentage of ants on attack paths with different quantity of packets
In performing the simulations, the ant colony (m=16) was divided using three different sub-grouping polices, namely 2p (i.e., 2 subgroups with each subgroup having 8 ants), 4-p, 8-p and 16-p. For each of the considered sub-grouping policies, the pheromone intensity was re-calculated using (9) only when the subgroup members traversed the optimal
(attack) path. The computational results of performance evaluation of ant-subgroup model are presented in Fig. 5. It shows solution quality for 2-p, 4-p, 8-p and 16-p is better than the original ACS model (control). Furthermore, the 2-p subgroup converges faster than those of the other three subgroups, since the computational overhead incurred by the communication among the sub-group causes the overall efficiency to reduce. In further, set the ant colony m=32 redo this experiment and gains the similar results.
20.0% 16.0%
nodes=60
nodes=80
nodes=100
12.0% 8.0% 4.0% 0.0%
40
1
35 Ant num ber on attack path (%)
nodes=40
3
5
7
9
11
13
15
17
19
control
30
Figure 6. False rate on path researching of spoofed IP attack
2-p
25
4-p
20 15
8-p
10
16-p
5 0 1
8
15 22 29 36 43 50 57 64 71 78 85 92 99 Generation
Figure 5. Percentage of the ants on the best route of Ant-Subgroup
Once performance efficiency tested, cost factor of ACSTPBK also need be investigated for objectively evaluating. From Table3, convergence time of the optimal path for four subgroups are derived in 20-25 cycles whose converge is slower than the original ACS model (control) about 20 cycles to converge. A special case is 16-p where the efficiency of scheme will decrease with more sub-groups, i.e., a decreasing number of ants in each subgroup. TABLE III.
control
CONVERGENCE TIME OF DIFFERENT SUBGROUPS (P=200, 2000 GENERATIONS)
2-p
4-p
8-p
V.
This study has presented an ACS-based IP traceback model with a heuristic scheme for botnet detection, which allows defenders to reconstruct the most probable attack path even though not all of the IPs cooperate in providing routing information. The application of ant technology to the botnet detection problem provides a reasoned approach for understanding the behavior of attackers. As a result, the proposed method improves the precision of the IP traceback solution. The experimental results confirm the ability of the proposed scheme to detect the attack source and the probable zombies within the attack path despite an incomplete knowledge of the routing information within the botnet. The search efficiency using different algorithms with different network topologies in the botnet detection problem will be tackled in future studies.
References [1]
16-p [2]
1591.2 sec
1687.4 sec
1734.7 sec
1810.5 sec
1875.0 sec
Step 3. Spoofed IP attack Botmaster constantly hide the attack origins using fake IP. This experiment set an alternative node as fake IP to find the true address of attack source; Here a rational threshold (ε) is set to 0.5, and then conduct a detection experiment using (10)~(12). After executed 100 runs of simulations, the iteration number and false rate derived by spoofed IP attacks is shown as Fig. 6. From Fig. 6, Ants eventually would not be attracted by the spoof IP and most ants can walk back to the correct attack paths progressively by increasing the intensity of colony pheromone after 5, 8, 10 and 11 iterations for different nodes, respectively. As a result, ACS-TPBK can conquer the spoofed IP attacks.
CONCLUSIONS
[3]
[4]
[5]
[6] [7]
[8]
M. Dorigo, V. Maniezzo, A. Colorni, “Positive Feedback as a Search Strategy”, Technical report, No. 91-016, Department of Electronics, Milan Polytechnic Institute, June 1991. A. C. Snoeren, C. Partridge, L. A. Sanchez, and C. E. Jones, “Hashbased IP traceback”, in Proceedings of ACM (SIGCOMM’01), San Diego, California, August 27-31, 2001, pp.27-31. B. M. Waxman, “Routing of multipoint connections”, IEEE Journal on Selected Area on Communications, Vol. 6, No.9, pp. 1617–1622, 1988. C. Langin, Z. Hongbo, S. Rahimi, B. Gupta, M. Zargham, and M.R. Sayeh, “A Self-Organizing Map and its Modeling for Discovering Malignant Network Traffic”, IEEE Symposium on Computational Intelligence in Cyber Security, pp. 122-129, 2009. P. Wang, H.T. Lin ,T. C. Wang, P.T. Kuo, “A new approach for solving the IP traceback problem for Web services”, International Journal on Advances in Information Sciences and Service Sciences, Vol.3, No.2, pp.46-59, 2011. S. Bellovin, M. Leech, and T. Taylor, “ICMP traceback messages,” Internet Draft: draft-ietf- itrace-01.txt, Oct. 2001. G. Di Caro, M. Dorigo, “AntNet: Distributed stigmergetic control for communications networks”, Journal of Artificial Intelligence Research, Vol. 9, pp.317–365, 1998 M. Dorigo, L.M. Gambardella, “Ant colony system: A cooperative learning approach to the traveling salesman problem”, IEEE Transactions on Evolutionary Computation, Vol. 1, No.1,pp. 53–66, 1997.
[9]
[10]
[11]
[12]
[13]
A. Colorni, M. Dorigo, V. Maniezzo, “Distributed optimization by ant colonies”, in: Proceedings of ECAL91 — European Conference on Artificial Life, Paris, France, 1991, pp. 134–142. G. H. Lai, C. M. Chen, B. C. Jeng, W. Chao, “Ant-based IP traceback”, Expert Systems with Applications, Vol. 34, 2008, pp.3071–3080. Stuetzle, T., Hoos, H. (1997) “Improvements on the ant system: Introducing max-min ant system”, in Proceedings of ICANNGA'97, International Conference on Artificial Neural Networks and Genetic Algorithms, Springer, Vienna, 1997. A. Colorni and V. Maniezzo, “The ant system applied to the quadratic assignment problem”, IEEE Transactions on Knowledge and Data Engineering, Vol. 11, No. 5, pp. 769 - 778 1998. D. Martens, M. De Backer, R. Haesen, J. Vanthienen, M. Snoeck, B. Baesens, “Classification with Ant Colony Optimization, IEEE Transactions on Evolutionary Computation, Vol. 11, No. 5, pp. 651665, 2007.