Volume II

2012 International Conference on Computer and Management (CAMAN 2012)

March 9-11, 2012

Wuhan, China

Sponsors
- IEEE Wuhan Section
- Wuhan University
- Lanzhou University
- Xi'an Jiaotong University
- Dalian University of Technology
- Shandong University

CFP1225M-CDR

ISBN: 978-1-4577-1137-4

2012 International Conference on Computer and Management (CAMAN)

Copyright © 2012 by the Institute of Electrical and Electronic Engineers, Inc. All rights reserved.

Copyright and Reprint Permissions: Abstracting is permitted with credit to the source. Libraries are permitted to photocopy beyond the limit of U.S. copyright law for private use of patrons those articles in this volume that carry a code at the bottom of the first page, provided the per-copy fee indicated in the code is paid through Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923. For other copying, reprint or republication permission, write to IEEE Copyrights Manager, IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 08854. All rights reserved.

IEEE Catalog Number: CFP1225M-CDR
ISBN 13: 978-1-4577-1137-4

Printed copies of this publication are available from: Curran Associates, Inc, 57 Morehouse Lane, Red Hook, NY 12571 USA. Phone: (845) 758-0400. Fax: (845) 758-2633.

Produced by IEEE eXpress Conference Publishing. For information on producing a conference proceedings and receiving an estimate, see http://www.ieee.org/conferencepublishing


Preface

With the development of industrialized and information-based society, Computer and Management are becoming more and more important in diverse areas. Lots of relevant research achievements have been created in the last few years. The 2012 International Conference on Computer and Management (CAMAN) which is held in Wuhan, China on March 9-11, 2012, will be a platform for numerous experts and scholars freely exchanging the research results and information on Algorithm and Applications, Communication Networks and Protocols, Operating Systems, Business Intelligence and Strategy, Project and Quality Management, Risk Management and so on.

Thanks to our sponsors: IEEE Wuhan Section, Wuhan University, Lanzhou University, Xi'an Jiaotong University, Dalian University of Technology and Shandong University. Meanwhile, thanks to our committee members and the reviewers for the excellent work. Owing to their support, we can have the chance to get together and carry on academic exchanges.

The proceeding has concisely and duly presented the latest research results for all the authors. We hope all the readers can benefit from it! Finally, thanks again for all the attention and support from our authors. The Organizing Committee is looking forward to the continued support from the scholars.

CAMAN Organizing Committee


Technical Program Committee

Chair
- Prof. Hengjin Cai, Wuhan University, China

Members
- Prof. Michael L. Werner, University of Miami, USA
- Dr. Denis V. Bogdanovich, Moscow State Technical University of Civil Aviation, Russia
- Prof. Nitin Nayak, Thomas J. Watson Research Center, USA
- Prof. Michael B. Gurstein, Centre for Community Informatics Research, Canada
- Prof. Hongwei Wang, University of Portsmouth, UK
- Prof. Yongjie (Jessica) Zhang, Carnegie Mellon University, USA
- Prof. Selwyn Piramuthu, University of Florida, USA
- Prof. Heming Zhang, Tsinghua University, China
- Dr. Haiyan Luo, University of Nebraska-Lincoln, USA
- Prof. Mingyan Jiang, Shandong University, China


Volume 1 – Computer Science and Technology

(1) Algorithm and Applications

- A Graphical Visualization Tool for Analyzing Metaheuristic Algorithm Behavior
  Joaquín Pérez, Adriana Mexicano, René Santaolaya, Lizbeth Alvarado and Jaime Muñoz
- Flight Path Planning based on an Improved Dualpopulation Genetic Algorithm
  Xiao-ting Ji, Hai-bin Xie, Li Zhou and Yi-feng Niu
- Visualization Analysis of Multi-Domain Access Control Policy Integration Based on Tree-Maps and Semantic Substrates
  Qian Xu and Li Pan
- Multiple Differential Evolution Optimizers with Diversity-Preserving Mechanisms for Multi-Objective Optimization
  Youyun Ao
- Soccer Detection Based on Attention Selection and Neural Network
  Tianyu Zheng and Xiaodong Gu
- Protein Structure Prediction Algorithms Applied in Bioinformatics
  Qi Chen, Ye Gao and Yuhong Nan
- A Privacy Protection Frequency Sets Discovery Method on Web Logs Mining
  Bao Yu
- On a Nonsmooth Directional Newton Method
  Jisheng Kou and Ying Gu
- Flight Track Data Fusion Algorithm Based on Multi-sensor
  Cao Lei and Chen Guolong
- A Dynamic Boundary Constraint Algorithm for Multi-user OFDM Systems
  Li Zhao, Laibo Zheng, Jianli Wang and Dan Tian
- Automatic Selection of Camera Calibration Images by Object Posture
  Xin Chang, Hui Chen, Mengsheng Li and Ranran Li
- A Charge Design Algorithm Based on Differential Evolution
  Jun Zhu, Bin Du, Shujin Jia and Bin Du
- Computer Realization of Assignment Problem Based on Vogel Method and Closed Circuit Method
  Xing-you Gao and Xiang-hui Zhang
- Robust Adaptive Pulse Compression Method of MIMO Radar for Moving Target
  Jian Gong, Chun-yang Wang and Di Shen
- Differential Evolution of Concrete Thermal Parameters Solution
  Jun-cai Xu and Zhen-zhong Shen
- A Joint DOA Estimation Algorithm of ESPRIT Based on Vector Hydrophone Array
  Guangjin He, Jinfang Cheng, Nan Li and Dawei Xiao
- Study on Linearity Analysis and Bias of Measurement System Based on Minitab
  Jinwei Yu
- Research and Application of Improved Fuzzy Clustering Algorithm
  Chang-jiang Zhu and Jin-ke Wang
- A Multiagent System for the Automatic Extraction of Definitions from Ontologies and Linguistic Patterns
  Luis F. Castillo, Juan S. Quintero, Maria Mercedes Suarez and José Fernando Londoño
- Research and Implementation on Automatic Scoring Methods for Programs Based on Program Understanding
  Yaning Wang and Lannan Xiao
- AC VFSR System Based on Parameter Fuzzy Self-adjusted PID Control
  Xing-ju Wang and Ying-zhan Hu
- The Batch Scheduling Problem with Early Award and Tardy Penalty
  Zhigang Zhang, Hongluan Zhao and Linsheng Zhao


- DMTMAC: A Novel Directional MAC Protocol Based on Multiple Tones in Ad hoc Networks
  Ming-ce Cheng and Ying Li
- Monetary Policies for the Reputation System based on Auctions
  Mingfei Zeng and Shunzheng Yu
- Design of a Security Protocol for Low-cost RFID
  Yuanzhong Xu and Zhangqing He
- Static Buffer Allocation for Virtual Channels of Network-on-Chip
  Liang-liang Liu and Guo-dong Han
- Channel Coding and Decoding in a MIMO TWRC with Physical-layer Network Coding
  Shengli Zhang, Liya Lu, Canping Nie and Gongbin Qian
- Efficient Data Collection Based on Compressive Sensing in Wireless Sensor Networks
  Yan Yin and Peng Li
- A Novel Sniffer System for ZigBee WSN
  Zhen-Hua Shi and Sheng-Jun Su
- A Parallel Median Filter Sharpening Algorithm Based on Embedded MPP Model
  Guangyuan Fu, Hongqiao Wang, Hanzhao Wu and Xu Yang
- Recover to Self: BFT Re-Abstract Family
  Ali Shoker and Jean-Paul Bahsoun
- A Dynamic Federation Model Based on Reputation Mechanism
  Tao Xiang and Jianhua Gu
- A Reliable and High-Performance Distributed Storage System for P2P-VoD Service
  Jing Zhao, Hongbo Wang and Shiduan Cheng
- A Study on the Parallel Computing Strategies of Spatial Overlay Analysis for Vector data in Multi-Core Computer
  Zhong Xie, Dingwen Zhang and Zhanlong Chen
- An Efficient Paralleled Method for Constructing Remote Sensing Image Pyramid
  Jun Hu, Hui Zhao, Zheng Gao and Jie Zhang
- Maximizing Utilization of Multi-Core CPU and GPU for List Intersection
  Huaichao Wang and Lei Zhao
- The Research of Distributed Network Management System Based On Mobile Agent and SNMP
  Xiande Zhuo and Wei Cui
- A New Intelligent Anomaly Detection Algorithm based SVM
  Yong Xie and Yilai Zhang
- Network Intrusion Detection System using Feature Reduction and Ensemble Classifiers
  Tahereh Kazemi and Hadi Shahriar Shahhoseini
- Multi-level Network Security Situation Assessment Based on Information Entropy
  Dapeng Man, Wu Yang, Wei Wang and Shichang Xuan
- An Air Channel Audio Watermarking Algorithm Based on Energy Ratio of Adjacent Bands
  Yanbin Zhao, Pingpan Cheng and Qijun Guo
- A Novel Scale of Information Hiding for Webpage Based Tag’s Multi-Express
  Yong Xie, Juan Li and Yilai Zhang
- A Robust and Efficient Remote Authentication Protocol using Smart Card and ECC
  Hongbin Tang and Xinsong Liu
- A Security Access Control Model based on Roles and Tokens
  Yi Xu, Beijun Shen, Yongqing Sun and Xiang Zou
- Comparison of Singlehoming and Multihoming Honeypot Defense System to Mitigate Flooding based DDoS Attacks
  Hari Siswantoro, A. Sumarudin, Agus Mulyanto and Riri Fitri Sari


Comparison of Singlehoming and Multihoming Honeypot Defense System to Mitigate Flooding based DDoS Attacks

Hari Siswantoro, A. Sumarudin, Agus Mulyanto, Riri Fitri Sari
Department of Electrical Engineering, Universitas Indonesia, Kampus UI Depok, 16424 Indonesia

Abstract— Distributed Denial of Service (DDoS) attacks are one of the worst nightmares for the Internet infrastructure. A massive amount of attack traffic can prevent legitimate traffic from being served by the attacked system. This work focuses on a defense method that can feasibly be implemented in a real network. Adding a redundant provider connection (multihoming) to the server and honeypot network will significantly improve service availability when the attacks arrive. The honeypots absorb the attack traffic and let the real server serve only the legitimate traffic. We validate the multihoming honeypot defense system by simulating the scenarios on the NS-2 simulator and comparing its performance with the singlehoming one.

Keywords: Multihoming; DDoS; Honeypot; NS-2

978-1-4577-1139-8/12/$31.00 ©2012 IEEE

I. INTRODUCTION

The advancement of Internet technology has brought some serious security threats. One of those threats is the Distributed Denial of Service (DDoS) attack, an evolved version of the Denial of Service (DoS) attack. DDoS employs many hosts (usually compromised hosts) to generate the attack traffic, while DoS uses only a single host and a single connection to attack [1]. Therefore, DDoS has a more severe effect on the victim than DoS. Rather than breaking into the target site, DDoS simply floods the victim with an enormous amount of traffic and prevents legitimate traffic from reaching the server.

There are three types of DDoS attacks according to the CERT Coordination Center (CERT/CC) [2]: flood attacks, protocol attacks, and logical attacks. Flood attacks are relatively straightforward attempts to consume resources, such as network bandwidth or equipment throughput. Protocol attacks do not directly exploit weaknesses in TCP/IP stacks or network applications. Instead, they use the expected behavior of protocols such as TCP, UDP, and ICMP to the attacker's advantage. Unlike flood and protocol attacks, which seek to consume network or state resources, logic attacks exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.

A recent example of a DDoS attack occurred when some of the main Internet business sites were attacked by a group of hackers named Anonymous that supports WikiLeaks. Visa, MasterCard, PayPal and Moneybookers experienced the Operation Payback DDoS attacks [3]. These attacks caused a considerable loss of profit during the disruption.

In this paper, we aim to contribute to sustaining the service availability of a system under DDoS attack. We deploy a honeypot to achieve this goal. A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems [4, 5]. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource valuable to attackers.

In addition to the honeypot, we also propose a multihoming connection to mitigate DDoS attacks. Multihoming is a technique to increase the reliability of the Internet connection for an IP network [6]. There are several variants of multihoming setup, for example single link with multiple IP spaces, multiple interfaces with a single IP address per interface, multiple links with a single IP space, and multiple links with multiple IP spaces. The general definition of multihoming is the third variant, which is multiple links with a single IP address space. We use this variant in our simulation. The main goal of this simulation is to compare the performance of the multihoming honeypot defense system with the singlehoming system.

We organize our paper as follows. Section 2 discusses the related work. Section 3 describes our simulation mechanism. Section 4 explains the result of the simulation. Finally, section 5 concludes the paper.

II. RELATED WORK

Our work is mostly based on two previous works, [7] and [8]. A quantitative study of flood-based DDoS attacks is proposed in [7]. The authors validate their study using NS-2 and show that UDP flood attacks are stronger than TCP attacks. Therefore, we use only UDP attacks in our simulations, rather than TCP ones. They also introduce the attack time (Ta) parameter to measure the performance of a DDoS defense system. Ta is defined as the period of time from the beginning of the attack until the system is overwhelmed. If a defense system can detect the attack in a period shorter than Ta, then there is a chance to mitigate the attack. Our goal is to lengthen the attack time, so that we have more time to detect the attack and sustain service availability. Why do we need more time to detect the attacks? Because in the future, newer DDoS attack methods that have not been recognized before will appear.

In [8], a honeypot-based defense system against DDoS attacks is proposed. The authors developed an algorithm that adaptively changes the number of honeypot machines in response to the attack intensity. They verified that honeypots could significantly increase service availability. Studies on DDoS attacks have been reported in [8, 9]. [9] proposed deploying a honeypot in the defense system. In [10], simulations of how different queuing disciplines at the router affect the number of packets lost during the attacks are reported.

III. MULTIHOMING HONEYPOT DEFENSE SYSTEM

A singlehoming system has only a single connection to the Internet, that is, one Internet Service Provider (ISP). A multihoming topology, on the other hand, has more than one ISP. As described before, the general definition of multihoming is multiple links with a single IP address space, usually implemented with the Border Gateway Protocol (BGP). BGP is a routing protocol used to communicate between different Autonomous Systems (AS).

In this paper, we do not focus on how to detect DDoS attack traffic. Instead, we study how to sustain service availability during a DDoS attack. We propose a combination of multihoming and a honeypot. The honeypot offers the same service as the real server. Legitimate traffic is served by the server and attack traffic is diverted to the honeypot machine. In our simulation, we neglect attack detection: instead of a detection phase, we route the attack traffic directly to the honeypot. We compare the performance of singlehoming versus multihoming, and of operating without a honeypot versus with one.

IV. EXPERIMENTAL RESULTS AND EVALUATION

To validate our proposed defense system, we developed several simulation scenarios on NS-2. There are four simulation scenarios: singlehoming without honeypot, singlehoming with honeypot, multihoming without honeypot and multihoming with honeypot. The complete simulation parameters are shown in Table 1. We chose the values of the simulation parameters based on statistical data of Internet traffic. We put two different values of router link for scenario 2, in order to compare the result with the double link of scenario 3. Our aim is to compare the performance of the singlehoming and multihoming defense systems under DDoS attack. To make the singlehoming and multihoming cases comparable, we set the same aggregate router-router bandwidth. For example, if we take 2 Mbps on singlehoming, then we must set 1 Mbps on each link of the multihoming topology. In these simulations, we investigate the behavior of the throughput parameter and the attack time parameter. Attack time, as defined by [7], is the period of time from the start of the decrease in legitimate traffic until it reaches zero.

TABLE I. BASIC PARAMETERS OF SIMULATIONS

| Parameter | Value | Description |
|---|---|---|
| TCP legitimate traffic | 80% (up to 1.6 Mbps) | based on statistical data of Internet's TCP traffic |
| UDP legitimate traffic | 20% (400 Kbps) | based on statistical data of Internet's UDP traffic |
| UDP attack traffic | 50% (1 Mbps) | medium load of attack; we choose UDP traffic as the attack traffic because UDP attack is stronger than TCP attack [7] |
| Router-router or host-router BW/Delay | 2 Mbps (singlehoming) or 1 Mbps (multihoming) / 1 ms | bandwidth and delay of the link |

1) Scenario 1: singlehoming topology without honeypot

With the topology model in Fig. 3, node 0 sent 80% of TCP traffic to node 5, node 1 sent 20% of UDP traffic to node 5 and node 2 sent 50% of UDP traffic to node 5. The bandwidth of each link is 2 Mbps. We notice that the traffic from node 3 to node 4 exceeds 50% of the link bandwidth. Consequently, some packets from the legitimate clients may be dropped at node 3. In this case, we will have a short period of Ta. The router link is overwhelmed quickly, and the server is also busy serving the attack traffic. Fig. 2 shows the throughput diagram of all traffic.

Figure 1. Singlehoming without honeypot.

Figure 2. UDP and TCP traffic under UDP attack.

2) Scenario 2: singlehoming topology with honeypot

This scenario is similar to the first one, except that we employ a honeypot machine to absorb the attack traffic. Fig. 3 illustrates the network topology and Fig. 4 shows the throughput diagram. Comparing the results of scenarios 1 and 2, we notice similar throughput characteristics. Packets are again dropped at node 3, the first point of network bottleneck. The main difference is that the link between node 4 and node 5 is less occupied than in scenario 1. This is caused by the split of traffic after passing node 4: the legitimate traffic goes to the server and the attack traffic goes to the honeypot. After these two simulations, we conclude that a honeypot on a singlehoming topology does not help much to sustain the service in case of a DDoS flooding attack.

We noted that TCP legitimate traffic is reduced when the attack arrives, while UDP traffic is not much affected by the attack. This behavior is caused by the nature of TCP. The TCP sending rate is determined by the receiving station. If the transmission rate exceeds the receiving ability at the receiving end, the transmitting node is informed to reduce the transmission rate. In contrast, UDP is connectionless. Its transmission rate is not controlled by the receiving end. Therefore, TCP traffic is generally easier to attack with a DDoS bandwidth attack than UDP traffic.

Figure 3. Singlehoming topology with honeypot.

Figure 4. UDP and TCP traffic under UDP attack.

3) Scenario 3: multihoming topology without honeypot

In this topology, we have two connections for the router (node 6) in front of the server. This topology is called multihoming, on condition that the two connections come from two different service providers with different autonomous system numbers. The topology is shown in Fig. 5, and the throughput diagram in Fig. 8. We put the attacker and the legitimate users on different networks, to simulate a real network in which traffic may come from any network. In the simulation result, the attack traffic flows through node 1 – node 3 – node 6 and leaves the other path to the server free for legitimate traffic. The throughput diagram in Fig. 6 shows that TCP legitimate traffic from node 9 (yellow curve) dropped to zero, because it was beaten by the UDP attack traffic from node 0. The UDP legitimate traffic from node 2 remains at its starting level. On the other path (node 4 – node 6), the legitimate traffic is not affected by the attack and arrives safely at the server. In this scenario, we did not determine the path taken by the attack traffic; it chooses its own way. In a real network, it is the task of a routing protocol to determine the route to the destination address.

Figure 5. Multihoming topology without honeypot.

Figure 6. UDP and TCP traffic under UDP attack.

Compared to the singlehoming topology, the multihoming topology spares more bandwidth for legitimate users. Singlehoming leaves 1.05 Mbps and multihoming leaves 1.175 Mbps for legitimate traffic. In other words, there is a 12% increase from singlehoming to multihoming for the same aggregate bandwidth (2 Mbps) and attack load (1 Mbps).

4) Scenario 4: multihoming topology with honeypot

In the last scenario, we add a honeypot as an absorber for the attack traffic and compare the throughput with the previous scenarios. Fig. 9 shows the topology of scenario 4 and Fig. 10 illustrates the throughput diagram. The throughput diagram is similar to scenario 3, except that scenario 4 can withstand more attack traffic. Scenario 3 only resists 800 Kbps and scenario 4 can hold 1 Mbps of attack traffic.
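The attack time defined at the start of this section and the TCP-versus-UDP behaviour noted under scenario 2 can be reproduced qualitatively with a small fluid model of one bottleneck link. This is an added example, not the authors' NS-2 scripts: the link and traffic rates come from Table I, while the tick-based timing, the 50 kbps additive step, the halve-on-loss TCP approximation, the proportional drop rule and the split of legitimate sources across the two multihoming links are assumptions, so the numbers are not expected to match the paper's figures.

```python
# Added illustration, not the authors' NS-2 scripts. Rates are in kbps and
# time is counted in ticks (one tick ~ one TCP reaction interval, assumed).


def simulate(capacity, udp_legit, udp_attack, attack_start, ticks,
             tcp_max=1600, step=50):
    """Share one bottleneck link between a TCP-like flow and two CBR flows.

    Returns one tuple per tick: (tcp, udp_legit, attack) goodput in kbps.
    """
    tcp = 0
    trace = []
    for tick in range(ticks):
        attack = udp_attack if tick >= attack_start else 0
        offered = tcp + udp_legit + attack
        overloaded = offered > capacity
        if overloaded:
            # Drop-tail approximation: every flow loses the same fraction.
            delivered = tuple(rate * capacity // offered
                              for rate in (tcp, udp_legit, attack))
        else:
            delivered = (tcp, udp_legit, attack)
        trace.append(delivered)
        # Only the TCP-like sender backs off; the UDP sources keep their rate.
        tcp = tcp // 2 if overloaded else min(tcp_max, tcp + step)
    return trace


def attack_time(trace, attack_start):
    """Ticks from the first drop in TCP goodput after the attack starts until
    TCP goodput reaches zero; None if it never reaches zero in the trace."""
    start = None
    for tick in range(max(attack_start, 1), len(trace)):
        tcp_now, tcp_prev = trace[tick][0], trace[tick - 1][0]
        if start is None and tcp_now < tcp_prev:
            start = tick
        if start is not None and tcp_now == 0:
            return tick - start
    return None


def mean_legit(trace, first_tick):
    """Average legitimate goodput (TCP + UDP) in kbps from first_tick on."""
    window = trace[first_tick:]
    return sum(tcp + udp for tcp, udp, _ in window) / len(window)


def compare(attack_start=40, ticks=200):
    """Constructed scenarios: one 2 Mbps link versus two 1 Mbps links with
    the flood on only one of them (assumed split of legitimate sources)."""
    single = simulate(2000, 400, 1000, attack_start, ticks)
    attacked = simulate(1000, 200, 1000, attack_start, ticks)  # flooded path
    clean = simulate(1000, 200, 0, attack_start, ticks)        # second provider
    return {
        "single_ta": attack_time(single, attack_start),
        "attacked_link_ta": attack_time(attacked, attack_start),
        "clean_link_ta": attack_time(clean, attack_start),
        "single_legit_kbps": mean_legit(single, attack_start),
        "multi_legit_kbps": mean_legit(attacked, attack_start)
                            + mean_legit(clean, attack_start),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```
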

Figure 7. Multihoming topology with honeypot.

Figure 8. UDP and TCP traffic under UDP attack.

We summarize the throughput results (Mbps) in Table 2, after an attack by 1 Mbps of UDP traffic.

TABLE II. RESULT SUMMARY OF SIMULATION AFTER ATTACK

| Parameters | Scenario 1 | Scenario 2 | Scenario 3 | Scenario 4 |
|---|---|---|---|---|
| Received legitimate traffic by server (Mbps) | 1 | 1 | 0.2 | 1 |
| Received attack traffic by server (Mbps) | 1 | - | 0.8 | - |
| Absorbed attack traffic by honeypot (Mbps) | - | 1 | - | 0.8 |

Table 2 shows that there is only a slight difference between scenarios 2 and 4. But we should also consider that scenario 2 has only a single connection, which has been saturated, whereas scenario 4 has two connections and the server can serve more legitimate clients.

In the future, it will be useful if we can also simulate the server CPU load under DDoS attack. The limitation of our study is that it is based only on line throughput saturation, and we do not know when the server is saturated by the attack. Simulating CPU load will give us a more precise measure in DDoS simulation.

V. CONCLUSIONS

Based on our simulation results, we verify that a honeypot defense does not contribute much in a singlehoming topology. But in a multihoming topology with the same aggregate link bandwidth as the singlehoming one, the honeypot helps the real server to face the DDoS attack, since in a multihoming system the incoming traffic is divided over several paths. Hence, the service availability of the server is increased under DDoS attack. The multihoming topology increases the legitimate traffic by 12% compared with singlehoming.

REFERENCES

[1] __, Denial of service attack, http://en.wikipedia.org/wiki/Denial-of-service_attack, accessed on 6 May 2011
[2] __, CERT Coordination Center, http://www.cert.org/certcc.html, accessed on 2 May 2011
[3] __, Netcraft: Internet Research, Anti-Phishing and PCI Security Services, http://news.netcraft.com/archives/2010/12/08/mastercard-attacked-by-voluntary-botnet-after-wikileaks-decision.html, accessed on 1 May 2011
[4] __, Honeypot (computing), http://en.wikipedia.org/wiki/Honeypot_(computing), accessed on 2 May 2011
[5] L. Spitzner, “Honeypots: simple, cost-effective detection”, 30 April 2003. URL: http://www.symantec.com/connect/articles/honeypots-simple-cost-effective-detection, accessed on 1 May 2011
[6] __, Multihoming, http://en.wikipedia.org/wiki/Multihoming, accessed on 2 May 2011
[7] M. Li, J. Li, W. Zhao, Simulation study of flood attacking of DDoS, IEEE International Conference on Internet Computing in Science and Engineering, p286-293, 28-29 Jan 2008.
[8] A. Sardana, R.C. Joshi, Autonomous dynamic honeypot routing mechanism for mitigating DDoS attacks in DMZ, IEEE ICON, 2008.
[9] L. Lei-jun, A New type of DDoS defense system study, IEEE Conference, p307-310, 2010
[10] C. Liu, C. Lo, The simulation for the VoIP DDoS attack, IEEE International Conference on Multimedia and Information Technology, p280-283, 2008