2-14-1359957531-24.Detection of ddos.full

DETECTION OF DDoS ATTACKS USING SOURCE IP BASED ENTROPY

JASWINDER SINGH1, MONIKA SACHDEVA

2& KRISHAN KUMAR

3

1Assistant Professor at GTBKIET, Chhapianwali District, Mukatsar, Punjab, India

2Associate Professor at SBSSTC, Ferozepur District, Ferozepur, Punjab, India

3Associate Professor at PTU Main Campus, APIT, Kapurthla District, Jalandhar, Punjab, India

ABSTRACT

There are about nine hundred million people, who use internet now-a-days. They use the internet to communicate

with each other and all over the world, business-men can do their work over the internet, and there is much more to it. In a

nutshell, the world is highly dependent on the Internet. Therefore, the availability of internet is very critical for the socio

economic growth of the society. One of the major security problems in the current Internet, is the denial-of-service (DoS)

attack always attempts to stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-of-

service (DDoS) attacks cause a serious danger to Internet operation.

An important method for stopping DDoS attacks is to detect attackers and handlers. Detection of DDoS attacks is

a challenging problem for network security. In this paper, the proposed work aims at detecting DDoS attacks in the

network using Entropy Based Anomaly Detection Algorithm. The value of entropy is calculated with respect to time and

packet windows. The results indicate that during normal activity i.e. only legitimate traffic is flowing, value of entropy lies

in a narrow range but in case of attack, it increases or decreases considerably. So, attack can easily be detected.

KEYWORDS: DoS, DDoS, Availability, Entropy, Detection

INTRODUCTION

One of the major security problems in the current Internet, a denial-of-service (DoS) attack always attempts to

stop the victim from serving legitimate users. Denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks

cause a serious danger to Internet operation. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on

multiple compromised hosts in the network to attack the victim [13]. There are mainly two types of DDoS attacks. The first

type of DDoS attacks aim of attacking the victim to force it not to serve legitimate users by exploiting software and

protocol vulnerabilities. The second type of DDoS attack is based on a massive volume of attack traffic, which is known as

a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with

real-looking but unwanted data. As a result, legitimate packets cannot reach the victim due to a lack of bandwidth resource.

DDoS attacks are comprised of packet streams from disparate sources. These attacks engage the power of a vast

number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate

clients. The traffic is usually difficult to distinguish legitimate packets from attack packets. The attack volume can be

larger than the system can handle. A DDoS victim can suffer from damages ranging from system shutdown and file

corruption, to total or partial loss of services [6]. There are no apparent characteristics of DDoS streams that could be

directly used for their detection and filtering. The attacks achieve their desired effect by the sheer volume of attack packets.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are specific attacks that attempt to

prevent legitimate users from accessing networks, servers, services or other resources. An important method for stopping

International Journal of Computer Science Engineering

and Information Technology Research(IJCSEITR)

ISSN 2249-6831

Vol. 3, Issue 1, Mar 2013, 201-210

© TJPRC Pvt. Ltd.

202 Jaswinder Singh, Monika Sachdeva & Krishan Kumar

DDoS attacks is to detect attackers and handlers. Attack detection aims to detect DDoS attack in process of an attack and

characterise to discriminate attack traffic from legitimate traffic [15].

Attack detection is responsible for identifying DDoS attacks or attack packets. The False Positive Ratio (FPR) and

False Negative Ratio (FNR) can quantitatively measure the effectiveness of attack detection. False Positive Ratio is given

by the number of packets classified as attack packets (positive) by a detection system that are confirmed to be normal

(negative), divided by the total number of confirmed normal packets. The False Negative Ratio, on the other hand, is given

by the number of packets classified as normal (negative) by a detection system that are confirmed to be attack packets

(positive), divided by total number of confirmed attack packets [26].

Attack detection techniques aims to detect DDoS attacks by monitoring the behavior of the host and network.

They generate profiles for normal usage by analyzing system and network behaviors under normal conditions. Once they

detect an abnormal behavior, they invoke preventive mechanisms, such as filtering or rate-limiting.

According to [7] in order to meet the increasing need for detection and response, researchers face following major

issues:

• A stand-alone router on the attack path should automatically recognize that the network is under attack and adjust

its traffic flow to ease the attack impact downstream.

• The detection and response techniques should be adaptable to a wide range of network environments, preferably

without significant manual tuning.

• Attack detection should be as accurate as possible. False positives can lead to inappropriate responses that cause

denial of service to legitimate users. False negatives result in attacks going unnoticed.

• Attack response should employ intelligent packet discard mechanisms to reduce the downstream impact of the

flood while preserving and routing the non-attack packets.

The detection method should be effective against a variety of attack tools available today and also robust against

future attempts by attackers to evade detection.

RELATED WORK

The first well-publicized DDoS attack in the public press was in February 2000. On February 7, Yahoo! was the

victim of a DDoS during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com,

CNN, and eBay were all hit by DDoS attacks that caused them to either stop functioning completely or slowed them down

significantly. And, on February 9, E*Trade and ZDNet both suffered DDoS attacks. Analysts estimated that during the

three hours Yahoo was down, it suffered a loss of e-commerce and advertising revenue that amounted to about $500,000.

According to book seller Amazon.com, its widely publicized attack resulted in a loss of $600,000 during the 10 hours it

was down. During their DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went down

to below 5% of normal volume and Zdnet.com and E*Trade.com were virtually unreachable.

Laura Feinstein, Dan Schnackenberg, Ravindra Balupari, Darrell Kindred in 2003 [7] developed methods to

identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. Jian Yuan

and Kevin Mills in 2005 [12] proposed a method for early attack detection. Using only a few observation points, proposed

method can monitor the macroscopic effect of DDoS flooding attacks. George Nychis, Vyas Sekar, David G. Andersen,

Hyong Kim and Hui Zhang in 2008 [11] proposed that the time series of entropy values of the address and port

Detection of DDoS Attacks Using Source IP Based Entropy 203

distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. B. B. Gupta,

Manoj Misra and R. C. Joshi in 2008 [9] proposed a novel framework that deals with the detection of variety of DDoS

attacks by monitoring propagation of abrupt traffic changes inside ISP Domain and then characterizes flows that carry

attack traffic. Two statistical metrics namely, Volume and Flow are used as parameters to detect DDoS attacks. Anusha J.

in 2011 [1] proposed a scheme to find out the source of the attack with the help of entropy variation in dynamic by

calculating the packet size, which shows the variation between normal and DDOS attack traffic, which is fundamentally

different from commonly used packet marking techniques.

EXPERIMENT SETUP

Preprocessing of Datasets

For conducting all the experiments firstly the environment is created using the data analysis tools for

preprocessing of the real time data sets. The preprocessing of data sets is performed by using the traffic analysis tools. The

tools used for traffic analysis are: Libtrace Traffic Analysis tool and CoralReef Software Suite.

Experiment Methodology

In order to implement the detection methodology, the environment is created by installing various required

softwares i.e. CoralReef, Automake, Libpcap, Libtrace. After that in order to flow legitimate real time traffic in the

environment, we have explored various NZIX datasets and finalize one for use in the experiments. These files are

preprocessed with special traffic analysis tool software, called Libtrace. Libtrace is used to read compressed and heavy size

files easily with their tools. Libtrace has number of tools like Traceconvert, Tracereport, Tracesummary, Tracemerge,

Tracesplit etc for conversion of files from one format to another, merging and splitting of files. With the help of Libtrace,

these files are preprocessed easily and converted into the required format. Then the entropy of only legitimates packets is

calculated.

Next in order to identify the DDoS attack we have mix the attack traffic with legitimate traffic. So, for generating

the attack traffic in the network we have choose CAIDA data sets. Various CAIDA datasets are explored and one most

suitable for our experiments is finalized. These files are preprocessed by using traffic analysis tool CoralReef and data is

retrieved in appropriate format. Then we have mixed the attack traffic with the legitimate traffic. And again the Entropy of

mixed traffic is calculated. With the help of PERL programming language, selected data is retrieved from NZIX and

CAIDA trace files and used as input files to the program for computing entropy. The change in the value of the entropy

indicates that there is an attack in the network.

Evaluation Metric

Entropy is computed in order to detect the DDoS attack in a network. Entropy can be defined as measurement of

the randomness and uniformity of the IP addresses. Entropy can be calculated as:

∑=

−=

n

iipipH

1)2log( (1)

Where pi is the value of probability i.e. frequency of occurrence of each unique symbol divided by total number of

symbols.

Source IP address based entropy can be calculated for anomaly base attack detection. Source IP address based

entropy is also called 32-bit entropy. In our proposed DDoS detection method, we have computed 32-bit entropy.


DDoS Detection Methodology

Our DDoS detection methodology aims at detecting DDoS attacks in the network using Entropy Based Anomaly

Detection Algorithm. In order to detect the attack in the network, two different approaches are used. In the first, Entropy

with respect to time window is calculated and in the second approach, the Entropy with respect to packet window is

calculated. In the time window approach, entropy of the traffic is calculated with respect to equal time stamps and in the

packet window approach, equal numbers of flowing packets are taken from network traffic to compute the entropy.

RESULTS AND DISCUSSIONS

A number of experiments are conducted in order to check whether the network is under attack or not. An anomaly

based detection method is used to identify the attack in the network. The detection of DDoS attack with the variation in the

value of entropy in our experiments is analysed below.

Entropy w.r.t. Time Window

As shown in fig. 1, x-axis represents the time in seconds and y-axis represents the entropy value with respect to

time. The complete scenario is taken for 10 minutes duration means 600 seconds. Time window is taken as 1 second i.e.

entropy is computed after every 1 second for only legitimate traffic flowing through the network. The value of entropy in

this graph lies within the range 6.0-7.3, that means the graph represents that the value of the entropy lies in the same range

throughout the experiment. There is no heavy variation in the value of entropy. It indicates that there is no attack in the

network.

Figure 1: Entropy of Legitimate Packets w.r.t Time

To illustrate the effects of an attack on the entropy, we examined the traffic of 600 seconds excerpt from the

NZIX data set with an attack traffic excerpt from CAIDA data set comprising 10% of time stamp of total duration, starting

at time 300 seconds and ending at time 360 seconds. In this attack, IP source addresses are chosen at random from a

uniform distribution; we will focus on source-address-based detection. Before the attack begins, source address entropy

measurements fall entirely within the range 6.0-7.3. During the attack, the entropy decreases by approximately 4 and

reaches near about 2.0. Any maximum-entropy threshold setting between 2.1 and 3.3 would detect this attack without

generating any false-positives.

In figure 2, represents the scenario, in which we examined both legitimate and attack traffic flowing through the

network for same duration with time stamp 2 seconds i.e. Entropy for both legitimate and attack traffic is computed after

every 2 seconds. During the time from 1 second to 300 seconds, the value of entropy in this graph lies within the range 6.3-

7.4 and time from 300 seconds to 360 seconds, the value of entropy falls down within the range 2.3 to 3.8 and again the

value of entropy again lies in narrow range 6.3 to 7.4 during the time period from 360 seconds to 600 seconds. In this

scenario, 600 times entropy is computed during total duration. The values of entropy are shown in graph. It indicate that


when the value of entropy lies between 6.1 to 7.2, then there is no attack in the network and when entropy values falls

down , then there is an attack in the network. This graph represents that the attack is occurred between time periods 300

seconds to 360 seconds, during this time attack traffic is flowing through the network.

Figure 2: Entropy w.r.t. Time (Time Window=2 Seconds)

As shown in fig. 3, the entropy is calculated by taking time window of 5 seconds. As compare to fig. 2, line in this

graph (indicates the value of entropy w.r.t. time) is thin because the value of entropy is computed after every 5 seconds. It

means that entropy is computed 120 times in this scenario where as in previous scenario 300 times entropy values shown

i.e. more congested, more values on same space. As a result, in fig. 3, entropy values represented as thick line.

Figure 3: Entropy w.r.t. Time (Time Window=5 Seconds)

In figure3 scenario shows that during attack time, the value of entropy lies in the range between 2.4 to 3.9,

otherwise the value of entropy lies between ranges 7.0 to 7.6 when only legitimate traffic is flowing through the network.

Entropy w.r.t. Packet Window

In figure 4, x-axis represents the packet count and y-axis represents the entropy value with respect to packet.

Again the scenario is taken for 600 seconds, as discussed in previous section.

Figure 4: Entropy of Legitimate Traffic w.r.t. Packet Window


There are 9050000 packets are flowing through the network during this time. In this scenario, entropy is computed

w.r.t. packet count (no. of packets). Packet count is taken as 100 packets, so entropy is computed after every 100 packets.

During this time span, 90500 times entropy is computed and shown in graph, so the graph becomes more congested and

values represented with solid and thick line as compared to previous section. In this graph, the value of entropy lies

between the ranges 3.0 to 6.1, when only legitimate traffic is flowing through the network.

In figure 5, packet window is taken as 1000 packets i.e. entropy is computed after every 1000 packets. There are

9050 times entropy is computed and shown on graph, so the graph becomes less congested and values represented with

more thin line as compared to previous figure. The value of entropy in this graph lies within the range 5.2-7.1, when

normal traffic is flowing through the network and when value falls down and lies between the range 2.3-2.9, then there is

an attack.

Figure 5: Entropy w.r.t. Packet Count (Window Size= 1000 Packets)

Similarly, in figure 6, entropy is computed after every 10,000 packets. So there are 905 times entropy is computed

and shown on graph, which shows very thin line as compared to previous fig. 6. The value of entropy in this graph lies

within the range 7.0-7.5, when normal traffic is flowing through the network and when value falls down and lies between

the range 2.8-3.9, then there is an attack.

Figure 6: Entropy w.r.t. Packet Count (Window Size= 10,000 Packets)

CONCLUSIONS

As objective of this paper is to propose a framework to detect the DDoS attack using real time attack traces as

well as legitimate traces. After identification of different types of DDoS detection methods, Anomaly based detection

method is selected. Source IP address based entropy is used to identify DDoS attack in the network. Through our

experimentation we observed that:


• While a network is not under attack the value of Entropy for various packets fall in a narrow range.

• While the network is under DDoS attack, the value of Entropy decreases in a detectable manner due to high

volume DDoS attack.

REFERENCES

1. Anusha, J. (2011). Entropy Based Detection of DDOS Attacks, International Journal of Soft Computing and

Engineering (IJSCE), Vol. 1, pp. 564-567.

2. CAIDA Datasets, Available at: http://www.caida.org/data/passive/ddos-20070804_134936.pcap.gz [last accessed

February, 2012]

3. Carl, G., Kesidis, G., Brooks, R. R. and Rai, S. (2006). Denial-of-Service Attack- Detection Techniques,

Published by the IEEE Computer Society, pp.82-89.

4. CoralReef Documentation, Available at: http://www.caida.org/tools/measurement/coralreef/doc. [last accessed

April, 2012]

5. DDoS History In Brief, Available at: http://www.anml.iu.edu/ddos/history.html. [last accessed January, 2010]

6. Douligeris, C. and Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-the-

art, ELSEVIER Journal of Computer Networks, vol.44, No.5, pp. 643-666.

7. Feinstein, L., Schnackenberg, D., Balupari R. and Kindred, D. (2003). Statistical Approaches to DDoS Attack

Detection and Response, Proceedings of the DARPA Information Survivability Conference and Exposition

(DISCEX’03), Washington, DC, USA, Vol. 1, pp. 303-314.

8. Fernandez, G. M., Dıaz-Verdejo, J. E. and Garcia-Teodoro, P. (2008). Evaluation of a low-rate DoS attack against

application servers, Computers & Security, Vol. 27, ISSN: 0167-4048, pp. 335-354.

9. Gupta, B. B., Misra, M., and Joshi, R. C. (2008). An ISP Level Solution to Combat DDoS Attacks using

Combined Statistical Based Approach, Journal of Information Assurance and Security 2, pp.102-110.

10. Koutepas, G., Stamatelopoulos, F. and Maglaris, B. (2004). Distributed Management Architecture for Cooperative

Detection and Reaction to DDOS Attacks, Journal of Network and Systems Management, Volume 12, Issue 1,

pp.73-94.

11. Nychis, G., Sekar, V., Andersen, D. G., Kim, H. and ZhangS, H. (2008). An Empirical Evaluation of Entropy-

based Traffic Anomaly Detection, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement,

pp.151-156.

12. Yuan, J., and Mills, K. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks, IEEE Transactions

on Dependable and Secure Computing, Vol.2, No.4, pp.277-288.

13. You, Y., (2007). A Defense Framework for Flooding-based DDoS Attacks, Master’s Thesis, Queen's University

Kingston, Ontario, Canada.

14. Wang, F., Wang, H., Wang, X. and Su, J. (2012). A new multistage approach to detect subtle DDoS attacks,

Journal Mathematical and Computer Modelling, Volume 55, Issues 1-2, pp. 198-213.


15. Sachdeva, M., Singh, G., Kumar, K., and Singh, K. (2010). Measuring Impact of DDOS Attacks on Web

Services, Journal of Information Assurance and Security 5, pp. 392-400.

16. Sachdeva, M., Singh, G., Kumar, K. and Singh, K. (2010). DDoS Incidents and their Impact: A Review,

International Arab Journal of Information Technology, Vol. 7, No. 1, pp. 14-20.

17. Sachdeva, M., Singh, G. and Kumar, K. (2011). Deployment of Distributed Defense against DDoS Attacks in ISP

Domain, International Journal of Computer Applications (IJCA), Vol. 15, No .2, pp. 25-31.

18. Sachdeva, M., Singh, G., Kumar, K. and Singh K. (2009). A Comprehensive Survey of Distributed DDoS

Attacks, International Journal of Computer Science and Network Security, Vol. 9, No. 12, pp. 7-15.

19. Peng, T., Leckie, C. and Ramamohanarao, K. (2007). Survey of Network-Based Defense Mechanisms Countering

the DoS and DDoS Problems, ACM Computing Surveys, Vol. 39, No. 1, Article 3, pp. 553-557.

20. Peng T., Leckie C. and Ramamohanarao, K. (2003). Protection from Distributed Denial of Service Attacks Using

History-Based IP filtering, In Proceedings of ICC2003, USA, pp. 482-486.

21. NZIX Datasets, Available at: http://www.wand.net.nz/wits/nzix/2/ 20000709-000000.gz [last accessed March,

2012].

22. Mirkovic, J., and Reiher, P. (2005). “D-WARD”: Source-End Defense Against Flooding DDoS Attacks, IEEE

Transactions on Dependable and Secure Computing.

23. Mirkovic, J., Arikan, E., Wei, S., Fahmy, S., Thomas, R.,and Reiher, P. (2006). Benchmarks for DDoS Defense

Evaluation, Proceedings of the IEEE AFCEA MILCOM, pp. 1-10.

24. Mirkovic, J., Prier, G., Reiher, P. (2002). Attacking DDoS at the source, Proceedings of ICNP -2002, Paris,

France, pp. 312-321.

25. Libtrace Documentation, Available at: http://research.wand.net.nz/software/libtrace.php [last accessed May,

2012].

26. Cheng, C. M., Kung, H. T. and Tan, K. S. (2002) (2002). Use of spectral analysis in defense against DoS attacks,

Proceedings of IEEE GLOBECOM 2002, Taipei, Taiwan, pp. 2143-2148.

AUTHOR’S DETAILS

Jaswinder Singh has done B.Tech. Computer Science & Engineering from Punjab Technical University Jalandhar,

Punjab, India in year 2006. He has done M.Tech. Computer Science & Engineering from Punjab Technical University,

Jalandhar, Punjab, India in 2012. Currently, he is an Assistant Professor in CSE Department at GTBKIET, Chhapianwali,

Malout, Punjab, India. His research interests include Distributed Denial-of-Service and Design and analysis of algorithms.


Dr. Monika Sachdeva has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT,

Jalandhar in 1997. She finished her MS software systems from BITS Pilani in 2002. She finished his Ph. D. from

Department of Computer Science & Engineering at Guru Nanak Dev University, Amritsar in 2012. Currently she is an

Associate Professor & H.O.D. in CSE Department at SBS College of Engineering & Technology, Ferozepur, Punjab, India.

Her research interests include Web Services, Distributed Denial-of-Service, and Design and Analysis of algorithms.

Dr. Krishan Kumar has done B.Tech. Computer Science and Engineering from National Institute of Technology NIT,

Hamirpur in 1995. He finished his MS Software Systems from BITS Pilani in 2001. In Feb. 2008, he finished his Ph. D.

from Department of Electronics & Computer Engineering at Indian Institute of Technology, Roorkee. Currently, he is an

Associate Professor & H.O.D in CSE Department at PIT Punjab Technical University, Jalandhar, Punjab, India. His

general research Interests are in the areas of Information Security and Computer Networks. Specific research interests

include Intrusion Detection, Protection from Internet Attacks, Web performance and Network architecture/protocols.

Documents

2-14-1359957531-24.Detection of ddos.full