DDoS Detect Jehak

Upload: techne-phobos

Posted on 14-Apr-2018


TRANSCRIPT

  • 7/30/2019 DDoS Detect Jehak

    1/16

    A Novel Detection of DDoS Attacks Using Optimized Traffic Matrix

    Network Security Lab
    The 4th Semester of the Master's Course
    Je Hak Lee
    Supervised by Prof. Jong Sou Park
    2010/12/9

    Master Thesis Presentation

  • 2/16

    Contents

    Introduction
    Proposed Approach
    Experimental results
    Conclusion
    Future works

  • 3/16

    Introduction

    DDoS attacks are large-scale, coordinated attacks targeting the availability of services at a victim system or network resources.
    The intensity of DDoS attacks has become stronger with the improvement of network infrastructure.

    [Figure: architecture of a DDoS attack]

    Why is it difficult to defend?
    Attack traffic does not usually contain malicious contents
    Widely distributed compromised hosts
    IP spoofing

  • 4/16

    Defense Mechanisms

    [Figure: taxonomy of defense mechanisms]
    Intrusion Prevention
    Intrusion Detection: Anomaly Detection, Misuse Detection
    Intrusion Response
    Intrusion Tolerance and Mitigation

    Defense mechanisms: statistical analysis techniques, data mining techniques, rate limiting techniques

    Requirements
    Detect the bandwidth attack as soon as possible without raising a false alarm, so that the victim has more time to take action against the attacker.
    Deal with a large volume of traffic in real-time network environments.

    Major challenges
    Short detection time
    High detection rates
    Low computational overhead

  • 5/16

    Proposed Approach

    Main idea: DDoS attacks can be detected by measuring the entropy of incoming traffic.
    Key variable: the source IP address field of the IP packet header.
    How to measure? Derive the variance by using a traffic matrix.
    How to achieve the major challenges?
    Simple hash function
    Packet-based variable time window
    Genetic Algorithm (GA) for parameter optimization

  • 6/16

    Overall flow

    [Flowchart]
    Start
    Genetic Algorithm sets three parameters from the training data:
      1. matrix size
      2. packet-based window size
      3. threshold value T
    Construct a traffic matrix for one window size (testing data)
    Compute the variance from the traffic matrix
    Variance < T ?  Yes -> Alert.  No -> no alert, continue with the next window.

  • 7/16

    Construct Traffic Matrix

    Analyze the inbound traffic stream by capturing the packets that come to the target host.
    Construct a traffic matrix through a hash function, H(x), during a time window.
    The traffic matrix size and the number of packets for a time window are declared by the GA.

    [Figure: inbound packets at time t, grouped by a variable time window (ex: 10 packets per window), mapped by H(x) into an n by n traffic matrix]

  • 8/16

    Details of constructing a matrix

    Adopt a simple hash function to scale down the huge IP address domain to a small traffic matrix domain and reduce calculation time.
    A packet increments an element value of the traffic matrix.
    The variance for a time window can be derived from a complete traffic matrix
    (M_(i,j) is the element at row i, column j; k is the number of non-zero elements included in the sums):

    $$V = \frac{1}{k}\sum_{j=0}^{n}\sum_{i=0}^{m}\left(M_{(i,j)}-\bar{M}\right)^{2}, \quad \text{if } M_{(i,j)} \neq 0$$

    $$\bar{M} = \frac{1}{k}\sum_{j=0}^{n}\sum_{i=0}^{m} M_{(i,j)}$$

    [Figure: packets coming from the network (sources A, B, C, AB, BB) mapped into the n by n traffic matrix]
    32bit source IP address = high 16bit | low 16bit
    Row = high 16bit mod n, Column = low 16bit mod n
    Increment the value of (i, j) in the traffic matrix
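As an added example (not code from the thesis or its JAVA implementation), the traffic-matrix construction and variance test of slides 6 to 8 in Python, run over a constructed packet stream; the matrix size n, the packet-based window size and the threshold T are assumed values standing in for the GA-optimized ones, and the variance follows the slide's formula over the non-zero elements.

```python
import ipaddress
from typing import Iterable, List, Tuple


def hash_ip(src_ip: str, n: int) -> Tuple[int, int]:
    """H(x) from the slides: row = high 16 bits mod n, column = low 16 bits mod n."""
    addr = int(ipaddress.IPv4Address(src_ip))
    return (addr >> 16) % n, (addr & 0xFFFF) % n


def build_matrix(window: Iterable[str], n: int) -> List[List[int]]:
    """One n by n traffic matrix for one packet-based window; each packet increments one cell."""
    matrix = [[0] * n for _ in range(n)]
    for src_ip in window:
        i, j = hash_ip(src_ip, n)
        matrix[i][j] += 1
    return matrix


def variance(matrix: List[List[int]]) -> float:
    """Variance over the k non-zero elements, with the mean taken over the same elements."""
    nonzero = [v for row in matrix for v in row if v != 0]
    if not nonzero:
        raise ValueError("empty window: variance is undefined")
    k = len(nonzero)
    mean = sum(nonzero) / k
    return sum((v - mean) ** 2 for v in nonzero) / k


def detect(packets: List[str], n: int, window_size: int,
           threshold: float) -> List[Tuple[int, float, bool]]:
    """Walk the stream in complete packet-based windows; alert when variance < T.
    Returns (window index, variance, alert) per window."""
    results = []
    for start in range(0, len(packets) - window_size + 1, window_size):
        v = variance(build_matrix(packets[start:start + window_size], n))
        results.append((start // window_size, v, v < threshold))
    return results


# Constructed sample stream (not from the thesis datasets): window 0 is normal traffic
# concentrated on three sources; window 1 is a 16-bit subnet spoofed flood in which every
# packet carries a different low 16 bits, so the hits spread evenly along one matrix row.
SAMPLE_PACKETS = (
    ["192.168.1.10"] * 6 + ["172.16.5.7"] * 3 + ["8.8.8.8"]
    + [f"10.1.0.{host}" for host in range(10)]
)

if __name__ == "__main__":
    # n=16, window=10 packets, T=1.0 are assumed values standing in for GA-optimized ones.
    for idx, v, alert in detect(SAMPLE_PACKETS, n=16, window_size=10, threshold=1.0):
        print(f"window {idx}: variance={v:.3f} alert={alert}")
```

The concentrated window lands on three cells with uneven counts (6, 3, 1) and a high variance, while the spoofed window fills ten cells with one packet each and a variance of 0, which is the condition the flowchart turns into an alert.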

  • 9/16

    Genetic Algorithm

    The traffic matrix size, window size and threshold value of the variance are set by the GA to maximize detection rates.
    Initial population of 30
    Roulette wheel selection
    Standard crossover, probability of crossover: 0.6
    Mutation operation (bit inversion), probability of mutation: 0.05
    Fitness function: detection rates
    Implemented in JAVA

    [Flowchart]
    Start -> Initialize population of 30 -> Evaluate first population (training data)
    -> Selection operation (Roulette wheel) -> Crossover operation (Standard crossover, Pc = 0.6)
    -> Mutation operation (Bit inversion, Pm = 0.05) -> Evaluate evolved population
    -> Generation > 50 ?  Yes -> End.  No -> repeat from the selection operation.

  • 10/16

    Chromosomes for GA

    Chromosome                                 Range (closed interval)   Degree of precision   Length of binary string
    Matrix size (n by n)                       [1, 512]                  10                    9 bit
    The number of packets for a time window    [1, 1024]                 10                    10 bit
    Threshold value T                          [0.1, 2048.0]             10                    14 bit

    The length of the binary string for each parameter can be declared by this equation.
    The total length of the binary string is 33 bits.

  • 11/16

    Dataset

    LBL-PKT-4 of Lawrence Berkeley Laboratory is employed as the normal traffic stream dataset for our experiment.
    Sanitized source IP addresses, which are provided as renumbered integers for security reasons, are preprocessed into IPv4 format via a one-to-one function.

    Dataset                 IP spoofing    Duration (sec)   The number of compromised hosts   Average pps
    LBL-PKT-4               N/A            360              N/A                               250
    DARPA 2000 LLDOS 1.0    whole random   6                unknown                           5500
    Generated traffic       16bit subnet   6                220                               5500
                            16bit subnet   120              10                                250
                            16bit subnet   120              20                                500
                            16bit subnet   120              40                                1000
                            16bit subnet   120              80                                2000

  • 12/16

    Experimental Results

    Experiments for subnet spoofed attack detection
    DARPA 2000 LLDOS 1.0 with LBL-PKT-4; 16bit subnet spoofed attack with LBL-PKT-4

    Dataset                        Matrix size   The number of packets for a window   Threshold value T   Detection rates   Detection delay (sec)
    LLDOS 1.0 + LBL-PKT-4          86x86         795                                  173.60              1.0               0.13
    Generated attack + LBL-PKT-4   285x285       626                                  27.23               1.0               0.05

  • 13/16

    Experimental Results

    Experiments with changing volume of attack
    LBL-PKT-4 (250pps) + generated attack traffic
    5-fold cross validation

    [Bar chart: y axis 0 to 1.2; series: training detection rates, testing detection rates, detection delay (sec); x axis: 250pps, 500pps, 1000pps, 2000pps]

  • 14/16

    Conclusion

    Meets the major challenges:
    Short detection delay
    High detection rates
    Low computational overhead
    Can detect attacks containing subnet spoofed IP addresses
    More effective against high bandwidth DDoS attacks

  • 15/16

    Future works

    It is necessary to tune the parameters of the GA operation and the chromosomes.
    False positives and false negatives should be considered.
    Calculation of computational overhead
    Flash event

  • 16/16

    Thank you.