Detection of DDoS Attacks via an Artificial Immune System-Inspired Multiobjective Evolutionary Algorithm

Uğur Akyazı (1) and A. Şima Uyar (2)

(1) Computer Engineering Department, Turkish Air Force Academy, Yesilyurt, 34149, Istanbul, Turkey
(2) Computer Engineering Department, Istanbul Technical University, Maslak, 34469, Istanbul, Turkey
Abstract. A Distributed Denial of Service (DDoS) attack is a coordinated attack on the availability of a victim system's services, launched indirectly through many compromised computers. Intrusion detection systems (IDS) are network security tools that process local audit data or monitor network traffic to search for specific patterns or for deviations from expected behavior. We use an Artificial Immune System (AIS) as the basis of an anomaly-based IDS because of the similarity between the IDS architecture and biological immune systems. We improved jREMISA, a multiobjective evolutionary algorithm inspired AIS, in order to get better true and false positive rates while detecting DDoS attacks on the MIT DARPA LLDOS 1.0 dataset. We added r-continuous bit evaluations, changed the Negative Selection and Clonal Selection structure, and redefined the objectives while keeping the general concepts the same. The 100% true positive rate and 0% false positive rate of our approach, under the given parameter settings and experimental conditions, show that it is very successful as an anomaly-based IDS for DDoS attacks.

Keywords: Intrusion Detection, Distributed Denial of Service Attack, DARPA LLDOS Dataset, Artificial Immune System, Multiobjective Evolutionary Algorithm.
1 Introduction

An intrusion detection system (IDS) detects intrusions, which are actions that attempt to compromise the integrity, confidentiality or availability of a resource. Usually an intruder first gains access to a single host by exploiting software flaws, then uses that compromised host to break into other hosts in the network, for example in order to stage a Denial of Service (DoS) attack. The objective of a DoS attack is to make the target system fail to provide the services it normally provides. In a Distributed Denial of Service (DDoS) attack, one target is attacked simultaneously from a large number of sources. DDoS attacks often use computers that have been exploited earlier, so that an outsider can use them to launch an attack [1, 2, 3]. These zombie computers play their role in the intermediate phase of the attack.

C. Di Chio et al. (Eds.): EvoApplications 2010, Part II, LNCS 6025, pp. 1–10, 2010. © Springer-Verlag Berlin Heidelberg 2010
We used the artificial immune system (AIS) as the basis of anomaly-based intrusion detection because of the similarity between the IDS architecture and the biological immune system (BIS), which is a parallel and distributed adaptive system for detecting antigens. An AIS-based IDS classifies network traffic as either self or non-self by training a population of antigen detectors. jREMISA [4] is a multiobjective evolutionary algorithm (MOEA) inspired AIS that was developed previously. In this study, we enhanced jREMISA in order to get better true and false positive rates while detecting DDoS attacks on the MIT DARPA LLDOS 1.0 dataset.
2 Background

2.1 Intrusion Detection Systems (IDS)

The main objective of an IDS is to detect incorrect, unauthorized and malicious usage of computer systems by inside and outside intruders. The key is to maximize accurate alerts (true positives) while at the same time minimizing unjustified alerts (false positives). The metrics used in the evaluation of an IDS are:

• True positive (TP): a real attack correctly categorized as an attack,
• False positive (FP): a false alert erroneously raised for normal data,
• True negative (TN): normal data that correctly does not generate an alert,
• False negative (FN): a missed attack erroneously categorized as normal.

IDS are classified into two groups: misuse detection and anomaly detection. In the misuse detection approach, network and system resources are examined in order to find known misuse by pattern matching techniques [5]. In anomaly detection systems, decisions are based on a model of normal network and system behavior built with statistical or machine learning techniques, so that both known and unknown attacks can be found. Any significant deviation from the normal behavior is reported as an intrusion [6, 7].

2.2 Distributed Denial of Service Attack (DDoS)

A DDoS attacker uses a large number of hosts to launch DoS attacks such as SYN flooding, UDP flooding and ICMP flooding against a target system. DDoS tools like TFN, Trinoo, Stacheldraht and Mstream install daemon programs on all of the compromised hosts, which are controlled by a master program [2]. DDoS attacks can cause serious damage to Internet services, and tools to gain root access to other machines are freely available on the Internet [8].

2.3 Datasets

Releasing intrusion detection evaluation data is difficult because of privacy concerns. To overcome this problem, Lincoln Laboratory (LL), under the sponsorship of the Defense Advanced Research Projects Agency (DARPA), created the Intrusion Detection Evaluation Dataset (IDEVAL) that serves as a benchmark [9].
In 1998, 1999 and 2000, they built a network to simulate an Air Force base. They gathered tcpdump, Sun BSM, process and file system information while background activity was produced by scripts and attacks were injected at well defined points. More than 200 instances of 58 different attacks were embedded in the test data [10]. The first attack scenario example dataset created for DARPA in 2000 is LLDOS 1.0, which includes a DDoS attack. In the LLDOS 1.0 scenario, the attacker uses the Solaris sadmind exploit to gain root access to three Solaris hosts of the simulated network and the Mstream DDoS tool to launch the attack. An Mstream "server" is installed on each of the three abused intermediate hosts, while an Mstream "master", which controls the "servers", is installed on one of these hosts. The DDoS attack is started by these "servers" simultaneously [11]. The attack scenario has five phases:

1. IPsweep of the network,
2. Probe of active hosts to look for the sadmind tool running on Solaris hosts,
3. Break-ins via the sadmind exploits,
4. Installation of the trojan mstream DDoS software on three hosts,
5. Launching the DDoS attack.
3 jREMISA (Java REtrovirus-inspired Multiobjective Immune System Algorithm)

In [4], an Artificial Immune System [12] is used together with Multiobjective Evolutionary Algorithms [13] in order to obtain good detectors with the best classification fitness and the largest multiobjective hypervolume. Network traffic is classified as self and non-self with the help of antigen detectors which are trained using a dataset. A MOEA is preferred because, after evaluating the data for more than one objective, it presents a set of trade-off solutions to the decision maker instead of a single solution. The objectives used in [4] are:

1. Minimization of the classification error rate, obtained by adding the number of contradicting bits in true positive evaluations and the number of non-contradicting bits in true negative evaluations; the efficiency of the detector increases as the total score of this objective decreases.
2. Minimization of the deviation from the negative selection affinity threshold. The scope of the detectors should be neither so wide that normal traffic is labeled as anomalous nor so narrow that attack traffic is labeled as normal.

As a result, the aim is to maximize the hypervolume of the detectors, i.e. the rectangular area covered by the Pareto-front points and a reference point in the objective space, which indicates the quality of the solutions.

3.1 Representation of Antigens and Antibodies

Antigen (Ag) and Antibody (Ab) chromosomes are binary arrays. Antigens are represented differently for the three most common IP protocols, TCP, UDP and ICMP: a TCP Ag is coded using 240 bits, a UDP Ag using 170 bits and an ICMP Ag using 138 bits, representing all fields of the IP, TCP, UDP and ICMP headers (IP=122, TCP=118, UDP=48, ICMP=16). Decimal values of the Ag packet header fields are transformed to their equivalent fixed-width binary values. Ab chromosomes are composed of three parts: DNA (binary), RNA (binary) and seven state properties (integer). DNA bits are created during negative selection, and the DNA is the only part that is evaluated against Ag chromosomes. RNA is a copy of the DNA and is used to escape local optima: if the fitness of the DNA after mutation is better than before mutation, the new DNA is copied to RNA; otherwise RNA is copied back to DNA in order to restore the old gene values. The seven properties at the end of the chromosome are: λ = name, α = number of false detections, ρ = (true positive + true negative) fitness score, φ = (false positive + false negative) fitness score, η = deviation from the affinity threshold, β = whether the Ab has been broadcast on the network (yes/no), ψ = number of Ab's dominating this Ab. Hamming distances are used as the affinity measure.

3.2 Immune Algorithm

The pseudocode of jREMISA is given in Algorithm 1. Crossover is not applied, since mutation is considered sufficient to move the Ab's in the objective search space without corrupting good solutions. Lines 3–7 of the algorithm implement the negative selection phase, in which Ab's are created randomly and evaluated against all of the Ag's in a self-only dataset according to a pre-determined affinity threshold. The creation of this dataset is explained in detail in Section 5.1, Test Designs. If an Ab shows similarity to a self Ag, it is discarded without replacement. The primary population is separated into three groups according to the IP protocol, so that a non-TCP Ab is never compared with a TCP Ab.
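The following is an added example (Python; it is not code from jREMISA or from this paper) showing how the encoding, affinity measure and negative selection described above fit together: packet header fields are written as fixed-width bit strings and concatenated, one detector population per protocol is trained on self-only traffic, and a random detector that recognizes any self Ag is discarded. It also includes the two Section 4 changes that touch this step, the r-continuous check and the replacement of discarded Ab's until the population is full. Assumptions of the example: the field layout uses the RFC header widths (IPv4 160, TCP 160, UDP 64, ICMP 32 bits), which differ from the paper's totals because the paper does not list which fields it encodes; the affinity threshold is read as an upper bound on the Hamming distance expressed as a percentage of the chromosome length, which is the reading consistent with the paper's observation that higher thresholds leave fewer mature Ab's; all packets are constructed, not taken from LLDOS 1.0.

```python
import random

# Assumed RFC header layouts as (field, width in bits). The paper reports
# different totals (IP=122, TCP=118, UDP=48, ICMP=16) without listing which
# fields it encodes, so these widths are an assumption of this example.
IP_LAYOUT = [("version", 4), ("ihl", 4), ("tos", 8), ("length", 16), ("id", 16),
             ("flags", 3), ("frag_offset", 13), ("ttl", 8), ("protocol", 8),
             ("checksum", 16), ("src", 32), ("dst", 32)]
PROTO_LAYOUT = {
    "TCP": [("sport", 16), ("dport", 16), ("seq", 32), ("ack", 32), ("doff", 4),
            ("reserved", 6), ("tcp_flags", 6), ("window", 16), ("tcp_checksum", 16),
            ("urgent", 16)],
    "UDP": [("sport", 16), ("dport", 16), ("udp_length", 16), ("udp_checksum", 16)],
    "ICMP": [("type", 8), ("code", 8), ("icmp_checksum", 16)],
}

def ag_length(proto):
    return sum(width for _, width in IP_LAYOUT + PROTO_LAYOUT[proto])

def encode_antigen(proto, fields):
    """Decimal header fields -> one fixed-width bit string (absent fields are 0)."""
    bits = []
    for name, width in IP_LAYOUT + PROTO_LAYOUT[proto]:
        value = fields.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        bits.append(format(value, f"0{width}b"))
    return "".join(bits)

def hamming_distance(a, b):
    """Number of contradicting bit positions."""
    if len(a) != len(b):
        raise ValueError("Ab and Ag of different protocols are never compared")
    return sum(x != y for x, y in zip(a, b))

def r_contiguous(a, b, r):
    """True when a and b agree on at least r consecutive positions (improvement 1)."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def recognizes(ab, ag, threshold_pct, r):
    """Assumed decision rule: the Ab matches the Ag when the Hamming distance is
    at most threshold% of the chromosome length AND an r-contiguous run exists."""
    return (hamming_distance(ab, ag) * 100 <= threshold_pct * len(ag)
            and r_contiguous(ab, ag, r))

def negative_selection(self_ags, pop_size, threshold_pct, r, rng=None, max_tries=100000):
    """Random Ab's that recognise any self Ag are discarded and replaced until
    pop_size mature Ab's exist (improvement 2; the original did not replace)."""
    rng = rng if rng is not None else random.Random(0)
    length, mature, tries = len(self_ags[0]), [], 0
    while len(mature) < pop_size:
        tries += 1
        if tries > max_tries:
            raise RuntimeError("cannot fill the population: affinity threshold too high")
        ab = "".join(rng.choice("01") for _ in range(length))
        if not any(recognizes(ab, ag, threshold_pct, r) for ag in self_ags):
            mature.append(ab)
    return mature

def train(self_packets, pop_sizes, threshold_pct, r, seed=0):
    """One detector population per protocol, trained on self-only traffic."""
    rng = random.Random(seed)
    by_proto = {p: [] for p in PROTO_LAYOUT}
    for proto, fields in self_packets:
        by_proto[proto].append(encode_antigen(proto, fields))
    return {p: negative_selection(ags, pop_sizes[p], threshold_pct, r, rng)
            for p, ags in by_proto.items() if ags}

def classify(populations, proto, fields, threshold_pct, r):
    """'non-self' if any detector of the packet's protocol recognises it."""
    ag = encode_antigen(proto, fields)
    hit = any(recognizes(ab, ag, threshold_pct, r) for ab in populations[proto])
    return "non-self" if hit else "self"

# Constructed self-only traffic for the example (not LLDOS 1.0 packets).
SELF_PACKETS = [
    ("TCP", {"version": 4, "ihl": 5, "ttl": 64, "protocol": 6, "src": 0xC0A80001,
             "dst": 0xC0A80002, "sport": 1234, "dport": 80, "doff": 5, "tcp_flags": 2}),
    ("TCP", {"version": 4, "ihl": 5, "ttl": 64, "protocol": 6, "src": 0xC0A80002,
             "dst": 0xC0A80001, "sport": 80, "dport": 1234, "doff": 5, "tcp_flags": 18}),
    ("UDP", {"version": 4, "ihl": 5, "ttl": 64, "protocol": 17, "src": 0xC0A80001,
             "dst": 0xC0A80003, "sport": 5353, "dport": 53, "udp_length": 40}),
    ("ICMP", {"version": 4, "ihl": 5, "ttl": 64, "protocol": 1, "src": 0xC0A80001,
              "dst": 0xC0A80002, "type": 8, "code": 0}),
]

if __name__ == "__main__":
    pops = train(SELF_PACKETS, {"TCP": 20, "UDP": 20, "ICMP": 20}, 30, 10)
    for proto, fields in SELF_PACKETS:
        print(proto, classify(pops, proto, fields, 30, 10))
```

Two practical points follow from the code. A random Ab sits at roughly 50% Hamming distance from any Ag, so a threshold well below 50% discards almost nothing and one well above it discards everything; `max_tries` turns the latter into an error instead of an endless loop, which is the situation the paper reports for thresholds over 54%. The r-continuous check lowers the rate at which detectors fire at all, so a large r reduces false positives but has to be checked against the true positive rate as well.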
Every Ag in the evaluation window represents a new generation, and the operations explained below are applied to all of the Ab's in the population:

• Fitness function: H, the number of non-contradicting (matching) bits between the Ab and Ag DNA genes, i.e. the complement of their Hamming distance, is calculated. One of the following cases occurs when the affinity threshold and the truth set are evaluated together:
  o True negative (Ag = self, Ab evaluates it as self): obj1 += H, copy DNA to RNA, obj2 += 1%;
  o True positive (Ag = non-self, Ab evaluates it as non-self): obj1 += (Aglength − H), copy DNA to RNA, obj2 += 1%;
  o False positive (Ag = self, Ab evaluates it as non-self): falseDetections++, copy RNA to DNA, obj2 −= 1%;
  o False negative (Ag = non-self, Ab evaluates it as self): falseDetections++, copy RNA to DNA, obj2 −= 1%.
  The first objective is penalized in true positives/negatives and the second objective in false positives/negatives. H should be zero in an ideal true negative; otherwise the number of non-contradicting bits is added to obj1. H should be equal to the length of the Ag in an ideal true positive; otherwise the number of contradicting bits is added to obj1.
• Cauchy mutation is applied to the penalized Ab bits.
• P*-Test: it is applied to each Ab in order to count how many of the other Ab's dominate it. All of the Ab's are then sorted by these domination values using Quicksort.
• Clonal Selection: 5% of the non-dominated Ab's of the primary population are selected elitistically and copied to the secondary population. The copied Ab's are cloned six times in order to obtain a large population. Copied and cloned Ab's are mutated at n random bit positions (n = number of objectives (2) + Pareto dominance value). The Ab's of the secondary population with the highest fitness values are copied to the primary population in place of the Ab's discarded for exceeding the maximum false detection count, so that Popp regains its original size. Finally, all of the dominated Ab's are discarded from Pops.

    procedure jREMISA
    begin
      repeat
        Creation of Primary TCP, UDP and ICMP Population (Popp)
        Empty Initialization of Secondary Population (Pops)
        Negative_selection(Popp, data_set_clean, threshold)
      until (end of data_set_clean)
      repeat
        FitnessFunction(ag, threshold)
        MutationCauchy(Popp)
        P_optimality()
        ClonalSelection(0.05)
        MutationUniform(Pops)
        Popp ← Pops            // Copy the best Pops to the Popp of the next generation
        if (networking)
          broadcast(Pops)      // Offer non-dominated Ab's to other AIS
          processReceived()
        endif
      until (end of data_set_attack)
    end

Algorithm 1. The pseudocode of the jREMISA algorithm

4 Proposed Improvements on jREMISA

In this study, we made the following improvements to jREMISA in order to get better false positive rates:

1. Hamming distance evaluations in the Negative Selection, Fitness Function and Clonal Selection steps are enhanced with r-continuous bit evaluations: two compared chromosomes need to share at least r consecutive identical bits to be considered alike. We use the r-continuous bits requirement together with the previous Hamming distance calculation in order to get a stricter evaluation.
2. The random Ab's of Negative Selection which recognize self Ag's are discarded, but they are now replaced with new random Ab's until the number of mature Ab's reaches the predefined population sizes. Therefore, there is a sufficient number of mature Ab's under any condition.
3. Minimization of the false positive and false negative fitness scores is used as the second objective instead of minimization of the deviation from the affinity threshold.
4. Not all of the dominated Ab's in the secondary population are discarded at the end of Clonal Selection; instead, the size of the secondary population is trimmed to the size of the primary population, and the remaining dominated Ab's are sorted according to their dominance values.
5. Cloned Ab's are re-evaluated with the Fitness Function and the P-optimality test within Clonal Selection, since their chromosomes have changed after Uniform Mutation. Therefore, the Ab's later selected from the secondary population have parameter values comparable with those of the primary population.
6. Uniform Mutation is not applied to the originals of the cloned Ab's in Clonal Selection, in order not to destroy their elitism.

We made all of the above changes in order to get not only good training results, as with the original jREMISA, but also good test results. The r-continuous bits evaluation decreases false detections, since it adds another strict criterion for Ab similarity. Before the second improvement we could not obtain a sufficient number of non-self Ab's after the Negative Selection process under high threshold values of 42% and above. We decided not to aim at minimizing the deviation from the affinity threshold, since the system had better values under larger deviations, as stated in the third improvement.
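The following is an added example (Python; not jREMISA's code) of one generation of Algorithm 1 with the changes listed above: the four fitness cases with the DNA/RNA commit-or-rollback, Cauchy mutation of the penalized bits, the P*-test dominance count, and the improved Clonal Selection (unmutated elites, re-evaluated clones, and trimming of Pops to the size of Popp). Assumptions of the example: the second objective is the integer count of false detections, as in improvement 3, so the 1% steps of the original obj2 are not used; an Ab labels an Ag non-self when their Hamming distance is at most the threshold percentage of the length, and the r-continuous check is left out of this block; the Cauchy mutation flips a Cauchy-distributed number of the penalized bits, one plausible form since the paper does not give the operator; the `max_false` limit, the `flip` helper and all chromosomes are constructed for the example.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Antibody:
    """One Ab: DNA, its RNA backup and the state properties of Section 3.1
    (eta, the threshold deviation, is unused after improvement 3 and omitted)."""
    dna: str
    rna: str = ""               # copy of dna, restored after a harmful mutation
    name: str = ""              # lambda
    false_detections: int = 0   # alpha
    obj1: int = 0               # rho: bits penalised in TP/TN evaluations (minimise)
    obj2: int = 0               # phi: FP + FN count, the improved second objective
    dominated_by: int = 0       # psi, filled in by the P*-test
    def __post_init__(self):
        self.rna = self.rna or self.dna

def matching_bits(a, b):
    """H in the paper: the number of non-contradicting bit positions."""
    return sum(x == y for x, y in zip(a, b))

def recognizes(ab, ag, threshold_pct):
    # Assumed rule: non-self when Hamming distance <= threshold% of the length.
    return (len(ag) - matching_bits(ab.dna, ag)) * 100 <= threshold_pct * len(ag)

def evaluate(ab, ag, ag_is_attack, threshold_pct):
    """The four fitness cases; correct outcomes commit DNA to RNA, false ones
    roll DNA back to RNA and count towards obj2. Returns 'TP', 'TN', 'FP' or 'FN'."""
    h = matching_bits(ab.dna, ag)
    flagged = recognizes(ab, ag, threshold_pct)
    if ag_is_attack and flagged:            # TP: contradicting bits are penalised
        ab.obj1 += len(ag) - h
        ab.rna = ab.dna
        return "TP"
    if not ag_is_attack and not flagged:    # TN: non-contradicting bits are penalised
        ab.obj1 += h
        ab.rna = ab.dna
        return "TN"
    ab.false_detections += 1
    ab.obj2 += 1
    ab.dna = ab.rna                         # undo the last mutation
    return "FP" if flagged else "FN"

def penalized_positions(ab, ag, ag_is_attack):
    # Contradicting bits against an attack Ag, matching bits against a self Ag.
    return [i for i, (x, y) in enumerate(zip(ab.dna, ag)) if (x != y) == ag_is_attack]

def flip(dna, positions):
    bits = list(dna)
    for i in positions:
        bits[i] = "1" if bits[i] == "0" else "0"
    return "".join(bits)

def cauchy_mutate(ab, ag, ag_is_attack, rng):
    """Flip a Cauchy-distributed number of the penalised bits (assumed form)."""
    positions = penalized_positions(ab, ag, ag_is_attack)
    if positions:
        n = int(abs(math.tan(math.pi * (rng.random() - 0.5)))) + 1
        ab.dna = flip(ab.dna, rng.sample(positions, min(n, len(positions))))
    return ab

def dominates(a, b):
    # Pareto dominance for the two minimised objectives.
    return a.obj1 <= b.obj1 and a.obj2 <= b.obj2 and (a.obj1 < b.obj1 or a.obj2 < b.obj2)

def p_star_test(pop):
    """psi := number of other Ab's dominating this one; non-dominated sort first."""
    for ab in pop:
        ab.dominated_by = sum(dominates(o, ab) for o in pop if o is not ab)
    pop.sort(key=lambda ab: ab.dominated_by)
    return pop

def clonal_selection(primary, ag, ag_is_attack, threshold_pct, rng=None, fraction=0.05, clones=6):
    """Elite 5% of non-dominated Ab's copied unmutated (improvement 6); each clone
    mutated in 2 + psi uniform random bits and re-evaluated (improvement 5);
    Pops trimmed to |Popp| by dominance rank, not emptied of dominated Ab's (improvement 4)."""
    rng = rng or random.Random(0)
    p_star_test(primary)
    elite = [ab for ab in primary if ab.dominated_by == 0][:max(1, int(len(primary) * fraction))]
    secondary = []
    for ab in elite:
        secondary.append(Antibody(ab.dna, ab.rna, ab.name, ab.false_detections, ab.obj1, ab.obj2))
        for k in range(clones):
            n_bits = 2 + ab.dominated_by                   # objectives + dominance value
            clone = Antibody(flip(ab.dna, rng.sample(range(len(ab.dna)), n_bits)), name=f"{ab.name}.c{k}")
            evaluate(clone, ag, ag_is_attack, threshold_pct)
            secondary.append(clone)
    return p_star_test(secondary)[:len(primary)]

def generation(primary, ag, ag_is_attack, threshold_pct, rng=None, max_false=3):
    """One generation of Algorithm 1, i.e. one Ag of the evaluation window."""
    rng = rng or random.Random(0)
    for ab in primary:
        evaluate(ab, ag, ag_is_attack, threshold_pct)
        cauchy_mutate(ab, ag, ag_is_attack, rng)
    secondary = clonal_selection(primary, ag, ag_is_attack, threshold_pct, rng)
    survivors = [ab for ab in primary if ab.false_detections <= max_false]
    refill = secondary[:len(primary) - len(survivors)]    # best of Pops replace discards
    return survivors + refill, secondary
```

The rollback only helps when the RNA was committed by an earlier correct evaluation: a freshly created clone has RNA equal to its DNA, so a false detection on its first evaluation leaves it unchanged, which is why improvement 5 re-evaluates clones before they can be promoted to Popp.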
5 Experiments

5.1 Test Designs

The tests were run on Pentium Core 2 Duo 2.4 GHz computers with Windows XP SP3. There are three different tests of the improved jREMISA with different settings of the affinity threshold, the r-continuous value and the primary population sizes, in order to find the parameter group that gives the best true and false positive results. Finally, the original and the improved jREMISA are compared over changing threshold values in order to see the improvement. Each test has 20 runs, from which the mean and standard deviation of the evaluation metrics are computed: the true positive rate, which is the fraction of all attacks that are actually detected, and the false positive rate, which is the fraction of all normal data that produces (false) alerts. The DARPA LLDOS 1.0 dataset is used in all of the tests. However, the truth set of this dataset is not given on the Lincoln Laboratory website, so we created the truth set ourselves, since we knew the structure of the attack and the identity of the attacker. We obtained a self-only dataset to train our Ab population by removing all of the incoming traffic related to the DDoS attack using Ethereal [14]. The secondary population Ab chromosomes are then tested on the original dataset, which includes the attack traffic.
5.2 Results

Affinity Threshold Tests. Affinity threshold values from 38% up to 54% are applied to the improved jREMISA to decide the threshold value that yields the best true and false positive rates. These threshold values are selected with respect to the original jREMISA study [4], in which they were obtained experimentally. TCP, UDP and ICMP population sizes are 100 chromosomes each and 10 is used as the r-continuous value. The system does not work for threshold values over 54%. As seen in Figures 1 and 2, there is no great difference among these results; most of the true positive rates are above 97%, some of them are 100%, and most of the false positive rates are below 1.5%.
Fig. 1. True positives rates of changing affinity thresholds (%)
Fig. 2. False positives rates of changing affinity thresholds (%)
R-continuous Tests. R-continuous values from 8 up to 15 are applied to the improved jREMISA to decide the r-continuous value that yields the best true and false positive rates. TCP, UDP and ICMP population sizes are 100 chromosomes each and 50% is used as the affinity threshold value. As seen in Fig. 3, there is no great difference in the true positive rates; most of them are above 97%. False positive rates are below 1.5% except for the first two. The r-continuous value of 15 gives a 0% false positive rate.
Fig. 3. True and false positives rates of changing r-continuous values
Popp Size Tests. TCP Ab population sizes from 100 up to 500, with constant UDP and ICMP Ab population sizes of 100 chromosomes each, are applied to the improved jREMISA to decide the TCP Ab population size that yields the best true and false positive rates. 50% is used as the affinity threshold value and 10 as the r-continuous value.
Fig. 4. True and false positives rates of changing Popp TCP Ab numbers
As seen in Fig. 4, there is no great difference in the true positive rates; all of them except the first one are 100%. Figure 4 also shows that the false positive rates are below 0.1% except for the first one; the population of 500 TCP Ab's has a 0% false positive rate. The computational overhead of increasing the population size can be ignored, since this training part of the IDS is executed offline.

Comparison of the original and the improved jREMISA. When we compare the performance of the original and the improved jREMISA over the DARPA LLDOS 1.0 dataset, we see that the improved version is better than the original. All of the true positive rates of the improved jREMISA, with TCP, UDP and ICMP population sizes of 300, 100 and 100 respectively and 10 as the r-continuous value, are 100%, as seen in Fig. 5. On the other hand, the true positive rates of the original jREMISA are above 92% except for the last two. The big difference is in the false positive rates, also shown in Fig. 5: all of the false positive rates of the improved jREMISA are 0%, whereas all of the false positive rates of the original jREMISA are 99.98%. The original jREMISA has these high false detection rates because it was left with only the Ab's that succeeded in training, which was not enough to get good test results.
Fig. 5. Comparison of true and false positives rates with changing thresholds (%)
6 Conclusion

We used the artificial immune system as the basis of anomaly-type intrusion detection because of the similarity between the IDS architecture and the biological immune system. We improved jREMISA [4], a multiobjective evolutionary algorithm inspired artificial immune system, in order to get better true and false positive rates while detecting DDoS attacks on the MIT DARPA LLDOS 1.0 dataset. We added the r-continuous evaluation method, changed the Negative Selection and Clonal Selection structure, and redefined the second objective while keeping the general concept the same. We made three different tests of the improved jREMISA with different settings for the affinity threshold, the r-continuous value and the primary population sizes in order to find the parameter group that gives the best true and false positive results. Finally, the original and the improved jREMISA were compared using the good parameter groups so determined, with the tests performed over changing threshold values in order to see the improvement. The 100% true positive rate and 0% false positive rate of our improved algorithm is a noteworthy success for an anomaly intrusion detection system.

This study is an important part of our project, whose objective is the distributed detection of DDoS attacks in the intermediate phase using mobile agents and nature-inspired algorithms, and informing the security managers before the attack succeeds. We will combine our previous study [15] with this one in order to reach that objective. Other intrusion detection datasets will be tested with this algorithm in order to see its overall performance. Finally, this IDS can be used with real-time network traffic with an adaptive truth set.
References

1. Abraham, A., Grosan, C., Chen, Y.: Cyber Security and the Evolution of Intrusion Detection Systems. Journal of Educational Technology, Special Issue in Knowledge Management (2005), ISSN 0973-0559
2. Kannadiga, P., Zulkernine, M.: DIDMA: A Distributed Intrusion Detection System Using Mobile Agents. In: Proceedings of the ACIS 6th International Conference on Software Engineering, Networking and Parallel/Distributed Computing (SNPD/SAWN), pp. 238–245 (2005)
3. Chandler, J.A.: Security in Cyberspace: Combatting Distributed Denial of Service Attacks. University of Ottawa Law & Technology Journal 1, 231 (2003–2004)
4. Haag, C.R., Lamont, G.B., Williams, P.D., Peterson, G.L.: An artificial immune system-inspired multiobjective evolutionary algorithm with application to the detection of distributed computer network intrusions. In: GECCO 2007: Genetic and Evolutionary Computation Conference, London, UK (2007)
5. Du, Y., Wang, H.-Q., Pang, Y.-G.: IADIDS: Design of a Distributed Intrusion Detection System Based on Independent Agents. In: Proceedings of the International Conference on Intelligent Sensing and Information Processing, pp. 254–257 (2004)
6. Crosbie, M., Spafford, G.: Defending a Computer System using Autonomous Agents. In: Proceedings of the 18th National Information Systems Security Conference (1995)
7. Aickelin, U., Greensmith, J., Twycross, J.: Immune System Approaches to Intrusion Detection - A Review. In: Nicosia, G., Cutello, V., Bentley, P.J., Timmis, J. (eds.) ICARIS 2004. LNCS, vol. 3239, pp. 316–329. Springer, Heidelberg (2004)
8. Lin, S.: A Survey on Solutions to Distributed Denial of Service Attacks. Research Proficiency Examination Report, TR-201, Experimental Computer System Lab, SUNY at Stony Brook (2006)
9. Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)
10. Brugger, S.T., Chow, J.: An Assessment of the DARPA IDS Evaluation Dataset Using Snort. UC Davis Technical Report CSE-2007-1, Davis, CA (2007)
11. MIT Lincoln Laboratory, Information Systems Technology: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000/LLS_DDOS_1.0.html
12. Aickelin, U., Dasgupta, D.: Artificial Immune Systems Tutorial. In: Burke, E., Kendall, G. (eds.) Search Methodologies: Introductory Tutorials in Optimization and Decision Support Methodologies, ch. 13. Springer, Heidelberg (2005)
13. Coello, C.A., Lamont, G.B., Van Veldhuizen, D.A.: Evolutionary Algorithms for Solving Multi-Objective Problems. Genetic and Evolutionary Computation, 2nd edn. Springer, Heidelberg (2007)
14. Ethereal: Open-source network protocol analyzer, http://www.ethereal.com
15. Akyazi, U., Etaner-Uyar, A.S.: Distributed Intrusion Detection using Mobile Agents against DDoS Attacks. In: 23rd International Symposium on Computer and Information Sciences (ISCIS 2008). IEEE, Los Alamitos (2008), doi:10.1109/ISCIS.2008.4717920, ISBN 978-1-4244-2880-9