
RTDCP: Real Time Detection, Classification And Prevention Of DDoS Attack
ISSN 2319-9725

Vivek Malik, Student, Department of Computer Engineering, University of Pune, MMIT, Lohgaon, Pune, Maharashtra, India
Akshay Kumar, Student, Department of Computer Engineering, University of Pune, MMIT, Lohgaon, Pune, Maharashtra, India
Manoj Pawar, Lecturer, Department of Computer Engineering, University of Pune, MMIT, Lohgaon, Pune, Maharashtra, India

Abstract: In today's world of computer technology, DDoS (Distributed Denial of Service) attacks are a continuing critical threat to Internet security. These attacks are new in the sense that there is no completely satisfying protection yet. A DDoS attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for the users of the targeted system. Normally there are two types of DDoS attack, i.e. application layer attacks and network layer attacks. Application layer DDoS attacks are derived from the lower layers of the TCP/IP and OSI models. Application layer DDoS attacks, which use legitimate HTTP requests to overwhelm victim resources such as sockets, CPU, memory, disk and database bandwidth, are harder to detect. Network layer attacks send SYN, UDP and ICMP requests to the server and exhaust its bandwidth. An anomaly detection mechanism is proposed in this paper to detect DDoS attacks using an Enhanced Support Vector Machine (ESVM) with string kernels. A novel anomaly detector based on a hidden semi-Markov model is proposed to describe the dynamics of the Access Matrix and to detect the attacks.

Keywords: Anomaly detection, DDoS, Enhanced Support Vector Machine (ESVM), string kernel.

International Journal of Innovative Research and Studies, www.ijirs.com, Vol 2 Issue 3, March 2013

1. Introduction

As technology changes day by day and new software and websites are developed rapidly, the possibility of attacks over the network increases. There are many different ways of securing computers against attacks, but they are not efficient. Normally firewalls, antivirus, various monitoring software, digital signatures and other hardware are used to increase security. Computer security mainly comprises the confidentiality, integrity and availability of data. The major threats in security research are breach of confidentiality, failure of authenticity, and unauthorized DoS. DDoS attacks carried out at the network layer, such as ICMP flooding, SYN flooding and UDP flooding, are called Net-DDoS attacks. The intent of such an attack is to consume the network bandwidth and deny service to legitimate users of the victim system. In application layer DDoS attacks, zombies attack the victim web servers with HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. On the other hand, a special new phenomenon of network traffic called a flash crowd has been noticed by researchers during the past several years. Because burst traffic and high volume are common characteristics of both application layer DDoS attacks and flash crowds, it is not easy for current techniques to distinguish them merely by the statistical characteristics of the traffic. Therefore, application layer DDoS attacks may be stealthier and more dangerous for popular websites than general network layer DDoS attacks when they mimic (or hide in) a normal flash crowd. In this paper we monitor the behavior of users over the network with the help of an ESVM with string kernel. Web user behavior is mainly influenced by the structure of the web site and the way users access web pages.

Application layer DDoS attacks are treated as anomalous browsing behavior, and the characteristics of web access behavior are used to construct the normal profile that differentiates attack traffic from normal traffic. The browsing behavior of a web user is related to the structure of the website, which comprises a huge number of web documents and hyperlinks, and to the way the user accesses the web pages.

2. RTDCP: The Concept:

RTDCP is basically security software that provides security at the server without affecting the server's operation. In order to implement efficient detection, we use the Hidden semi-Markov model together with an ESVM to distinguish normal users from attackers over the network. The Hidden semi-Markov model captures the browsing behaviors of web users, and the model is applied to anomaly detection for AppDDoS attacks, which are carried out by simulating the HTTP requests of normal web users. There are a number of statistical approaches for the detection of DDoS attacks, including the use of MIB traffic variables, IP addresses and TTL (time to live) values, and TCP SYN/FIN packets for detecting SYN flood attacks. Statistics of packet attributes have also been used both for detection and for setting the filtering policy for packet dropping.

2.1 Hidden Semi-Markov: Web Browsing Behaviors

A scheme based on document popularity is introduced in this paper. An access matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal Component Analysis (PCA) and Independent Component Analysis (ICA) are applied to abstract the multidimensional access matrix. A novel anomaly detector based on the Hidden semi-Markov Model (HsMM) is proposed, high classification accuracy is achieved, and a mechanism is proposed to construct browsing behavior from the HTTP request rate and the access matrix using the Hidden semi-Markov Model. Usually, legitimate web browsing behavior consists of multiple requests sent during the lifetime of the access. Requests are either sent in a closed-loop fashion, i.e., the client sends a request and waits for the response before sending the next request, or they are pipelined, i.e., the client sends multiple requests without waiting for their responses and thus has more than one request outstanding with the server.

Main requests are typically dynamic and involve processing at the database tier, while embedded requests are usually static. A client request is processed as follows: first, the client's initial request for a connection is routed to a proxy server. If the proxy server has the requested objects validly cached, it responds to the client's request directly; otherwise, it parses the request URL and routes the request to a web server. If the request is for a static web page or an image file, the server serves the requested page. If the request is for e-commerce functionality, it is served by an application script such as PHP, JSP or JavaScript.

Such requests typically consist of one or more database queries, the results of which are collated to produce the response page (dynamic requests). Each database query emanating from a dynamic request is forwarded to a database server.

2.2 ESVM Classification of Attack:

The ESVM is a machine used to differentiate clients on the basis of the profile generated by the Hidden semi-Markov Model. Application layer and network layer DDoS attacks such as TCP flooding, UDP flooding, ICMP flooding, Land flooding, HTTP flooding and Session flooding are generated against the web server using the traffic generation program. Information about the attack is collected, pre-processed and fed to the ESVM. The normal profile is used by the ESVM to classify attack traffic apart from normal traffic. After an attack is detected, the attackers' IPs are filtered using a filtering request. The IP address of the attacker is already present at the server. This IP address is blocked temporarily and used by the server to trace the actual geographic location.

2.2.1 Uniqueness Of The Research

An ESVM with string kernels is used to classify attack traffic from normal traffic, which shows effective results in classification, since the count of packets is used as the major parameter of detection. The phases of the classification system are:
i. Normal profile creation
ii. Attack generation
iii. Data pre-processing
iv. Attack detection
v. Attack classification system

2.2.2 Normal Profile Creation:

The behaviour of a normal user is different from that of an attacker. The parameters collected for normal users and attackers show distinct variations. Normal user behavior is linear and regular, whereas attacker behavior is fluctuating and completely irregular. Parameters such as HTTP request rate, session rate, time spent on the page, number of TCP packets, number of UDP packets, number of ICMP packets, number of land packets, and protocol are derived from the collected traffic.

2.2.3 Attack Generation:

Application and network layer DDoS attacks are generated against the web server. Attacking scripts are created using a traffic generation tool. Six types of attacks are generated in this experiment: HTTP flooding, session flooding, TCP flooding, UDP flooding, ICMP flooding and land flooding. The HTTP packets may be HTTP-valid or HTTP-invalid packets. HTTP-valid packets are used to request inline objects such as pages and resources from the server. HTTP-invalid packets are used to flood the victim.

2.2.4 Data Pre-Processing:

Traffic to the web server arrives as raw packets. After establishing the connection, the attacker requests the web page. HTTP request rate is the number of requests generated by the attacker within the time duration. Session rate is calculated as the number of sessions generated by the attacker within the time duration. Time spent on the page is calculated as the time taken by the attacker to move from one page request to the next. Number of TCP packets is the total number of TCP packets received by the server within the specified time duration.

2.2.5 Attack Detection:

Two approaches are possible for selecting the icebergs, i.e., by static threshold and by adaptive threshold. In the static threshold approach, the profile only includes those attribute values which appear more frequently than a preset threshold ratio. In the adaptive threshold approach, the profile includes the most frequently appearing attribute values that together constitute a preset coverage of the traffic. The static threshold has been used to detect application and network layer DDoS attacks.

2.2.6 Attack Classification System:

The ESVM classifies attack traffic from normal traffic using kernel functions such as linear, polynomial, radial basis function kernels and string kernels. A weight is assigned to each pattern of the training samples. High priority is given to the patterns which deviate more from the normal flow, and low priority is given to the patterns which exactly follow the normal flow.
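The iceberg selection of Section 2.2.5 (static threshold versus adaptive coverage) and the "deviation from the normal profile" idea of Sections 2.2.2 and 2.2.6, as an added Python example that is not part of the paper's implementation; the request paths, the 5% threshold ratio and the 85% coverage are constructed values for illustration, and the attribute profiled is the requested URL path.

```python
from collections import Counter

# Constructed sample of the "requested path" attribute from a normal training window
# (not real traffic; the weights mimic a popular site where a few documents dominate).
NORMAL_PATHS = (["/index.html"] * 50 + ["/news.html"] * 25 + ["/img/logo.png"] * 15
                + ["/about.html"] * 6 + ["/contact.html"] * 3 + ["/old.html"] * 1)

# Constructed observation window: an HTTP flood cycling through rarely requested URLs.
FLOOD_PATHS = ["/search?q=%d" % i for i in range(40)] + ["/index.html"] * 10


def frequencies(values):
    """Map each attribute value to its share of all observations in the window."""
    counts = Counter(values)
    total = sum(counts.values())
    return {value: count / total for value, count in counts.items()}


def static_threshold_profile(values, ratio):
    """Static threshold: a value enters the profile when its share exceeds `ratio`."""
    return {value: share for value, share in frequencies(values).items() if share > ratio}


def adaptive_threshold_profile(values, coverage):
    """Adaptive threshold: take values in descending frequency until the
    selected values together cover at least `coverage` of the window's traffic."""
    ranked = sorted(frequencies(values).items(), key=lambda kv: (-kv[1], kv[0]))
    profile, covered = {}, 0.0
    for value, share in ranked:
        if covered >= coverage:
            break
        profile[value] = share
        covered += share
    return profile


def deviation(values, profile):
    """Fraction of the observed window that falls outside the normal profile:
    near 0 the window follows the normal flow, near 1 it deviates completely."""
    outside = sum(1 for value in values if value not in profile)
    return outside / len(values)


if __name__ == "__main__":
    profile = static_threshold_profile(NORMAL_PATHS, ratio=0.05)
    print(sorted(profile))                                        # 4 values with share > 5%
    print(sorted(adaptive_threshold_profile(NORMAL_PATHS, 0.85)))  # 3 values reach 90% coverage
    print(deviation(NORMAL_PATHS, profile))                       # 0.04: 4 of 100 outside
    print(deviation(FLOOD_PATHS, profile))                        # 0.8: 40 of 50 outside
```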


3. Defence Requirements For Each Attack Phase:

If one of the attack phases in the attack process could be disabled, the DDoS attack would fail. In this section we suggest defence requirements for blocking each attack phase.

3.1 Attack Agent Development Phase Prevention:

In this phase it is very difficult to keep attackers from developing malware; it is almost impossible. However, if the laws against hacking and DDoS attacks were much more strongly enforced, attackers would not attempt the attack so easily.

3.2 Attack Agent Distribution Phase Prevention:

These days, attack agents are distributed via legitimate application operations such as file downloads from web sites, P2P networks, or e-mail. So this kind of DDoS attack is not apparent. The best way to handle this is to detect the agent during its distribution; that is, while the agent is transmitted via the network it should be detected and identified. Usually files are divided into packets and transmitted via the network. Therefore, executable files should be detected from network packets, and the fragmented pieces of the file should be gathered and reconstructed. On top of that, automated executable file analysis techniques should be developed. Currently, only PE files can be detected and reconstructed from network packets, and only in limited circumstances.

3.3 Attack Agent Control Phase Prevention:

When the connection is established, the commands are received via this connection. During this process the agent usually initiates a connection periodically; when such a connection is repeatedly generated, it can be treated as a C&C server connection. C&C server detection methods utilize this characteristic.

3.4 Attack Phase Prevention:

In order to prevent DDoS attacks effectively, all the defence techniques have to be optimized for their positions. Hence, we divide the defence positions into three layers:
i. Backbone network level layer
ii. Edge network level layer
iii. Host level layer
i. Backbone Network Level Layer: When the attack occurs, the attack traffic is transmitted via the backbone network of the target system's country. So, if the backbone network is monitored and analysed, DDoS prevention systems.

ii. Edge Network Level Layer: The edge network is actually the last position at which the attack traffic can be blocked before it gets inside the internal network. At the latest, all attacks have to be prevented at this position, or we cannot avoid the damage. For that, application behavior analysis is very important. Here, behavior means the application's service request behavior. In behavior analysis, performance is a very important factor, because if a very high volume of network traffic occurs, software-based analysis methods cannot handle the situation and the analysis results can show a high rate of false negatives.

iii. Host Level Layer: Servers can directly identify that a DDoS attack is occurring, but in practice there is not much a server can do, because the main goal of a server is to offer a service and there are not many security functions in the server itself. If a large amount of network traffic reaches a server, the server fails. Therefore, at the host level layer, DDoS defense techniques have to be optimized and minimized for the server. These days, however, server-based DDoS attack defense technology is being researched.

4. Conclusions:

In this paper we introduce RTDCP, software which monitors the network and helps protect the server from DDoS attacks. The server is protected from both application layer and network layer attacks, and we suggest defense requirements for each phase of the attack process, such as the attack agent development, attack agent distribution, attack agent control and attack phases. The DDoS attacks are successfully generated and detected by the proposed real time anomaly detection system designed using an ESVM with string kernels. In future, new variations of DDoS attacks such as port scans and DNS spoofing will be employed to keep the detection accuracy at its best.
Acknowledgment

We would like to sincerely thank Mr. Manoj R Pawar, our mentor (Lecturer, MMIT, Lohgaon), for his support and encouragement.
