7/30/2019 DDoS Detect Jehak
A Novel Detection of DDoS Attacks Using Optimized Traffic Matrix
Network Security Lab
The 4th Semester of the Masters Course
Je Hak Lee
Supervised by Prof. Jong Sou Park
2010/12/9
Master Thesis Presentation
Contents
- Introduction
- Proposed Approach
- Experimental results
- Conclusion
- Future works
Introduction
DDoS attacks are large-scale, coordinated attacks targeting the availability of services at a victim system or network resource.
The intensity of DDoS attacks has grown stronger with the improvement of network infrastructure.
[Figure: architecture of a DDoS attack]
Why is it difficult to defend?
- The attack traffic does not usually contain malicious content
- Widely distributed compromised hosts
- IP spoofing
Defense Mechanisms
[Figure: taxonomy of defense mechanisms: Intrusion Prevention; Intrusion Detection (Anomaly Detection, Misuse Detection); Intrusion Response; Intrusion Tolerance and Mitigation]
Defense mechanisms
- Statistical analysis techniques
- Data mining techniques
- Rate limiting techniques
Requirements
- Detect the bandwidth attack as soon as possible without raising a false alarm, so that the victim has more time to take action against the attacker.
- Deal with a large volume of traffic in real-time network environments
Major challenges
- Short detection time
- High detection rates
- Low computational overhead
Proposed Approach
Main idea
- DDoS attacks can be detected by measuring the entropy of incoming traffic
Key variable
- Source IP address field of the IP packet header
How to measure?
- Derive the variance by using a traffic matrix
How to achieve the major challenges?
- Simple hash function
- Packet based variable time window
- Genetic Algorithm (GA) for parameter optimization
Overall flow
[Flowchart]
Start
1. Training data: the Genetic Algorithm sets three parameters: 1. matrix size, 2. packet based window size, 3. threshold value T
2. Testing data: construct a traffic matrix for one window size
3. Compute the variance from the traffic matrix
4. Variance < T? Yes: raise an Alert. No: continue with the next window
Construct Traffic Matrix
- Analyze the inbound traffic stream by capturing the packets that come to the target host.
- Construct a traffic matrix through a hash function, H(x), during a time window.
- The traffic matrix size and the number of packets for a time window are declared by the GA.
[Figure: inbound packets arriving at time t are grouped into a variable time window (ex: 10 packets per window) and mapped by H(x) into an n by n traffic matrix]
Details of constructing a matrix
- Adopt a simple hash function to scale down the huge IP address domain to a small traffic matrix domain and reduce calculation time.
- Each packet increases one element value of the traffic matrix.
- The variance for a time window can be derived from a complete traffic matrix:

$$V = \frac{1}{k} \sum_{j=0}^{n} \sum_{i=0}^{m} \left( M_{(i,j)} - \bar{M} \right)^2, \quad \text{if } M_{(i,j)} \neq 0$$

$$\bar{M} = \frac{1}{k} \sum_{j=0}^{n} \sum_{i=0}^{m} M_{(i,j)}$$

[Figure: packets B, C, A coming from the network are hashed into an n by n traffic matrix. The 32-bit source IP address is split into its high 16 bits and low 16 bits: Row i = High 16 bit mod n, Column j = Low 16 bit mod n; each packet increments the value of cell (i, j) in the traffic matrix]
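The matrix construction and variance test from the two slides above, written out as an added example (this is not code from the thesis). It assumes the formula's k is the count of non-zero cells, and the two packet windows are constructed sample data, not the LBL or DARPA traces.

```python
# Added example, not code from the thesis: the traffic-matrix variance
# detector as the slides describe it (H(x) on slide 8, alert when V < T).
# The packet windows below are constructed sample data, not the LBL/DARPA sets.
import ipaddress

def cell(src_ip: str, n: int) -> tuple[int, int]:
    """Hash a 32-bit source IP into an n-by-n matrix:
    row = high 16 bits mod n, column = low 16 bits mod n."""
    ip = int(ipaddress.IPv4Address(src_ip))
    return (ip >> 16) % n, (ip & 0xFFFF) % n

def traffic_matrix(window: list[str], n: int) -> list[list[int]]:
    """One packet-based window: every packet increments its (i, j) cell."""
    m = [[0] * n for _ in range(n)]
    for src in window:
        i, j = cell(src, n)
        m[i][j] += 1
    return m

def matrix_variance(m: list[list[int]]) -> float:
    """Variance over the non-zero cells, reading the slide's formula with
    k = number of cells where M(i,j) != 0 (assumption about the slide)."""
    vals = [v for row in m for v in row if v != 0]
    k = len(vals)
    if k == 0:
        return 0.0
    mean = sum(vals) / k
    return sum((v - mean) ** 2 for v in vals) / k

def is_attack(window: list[str], n: int, threshold: float) -> bool:
    """Detector decision for one window: variance below T raises an alert."""
    return matrix_variance(traffic_matrix(window, n)) < threshold

# Constructed windows of 10 packets each. Normal traffic repeats a few
# sources, so counts pile up in a few cells and the variance is high.
NORMAL_WINDOW = ["192.168.1.10"] * 5 + ["192.168.1.11"] * 3 + ["172.16.5.7"] * 2
# A 16-bit-subnet spoofed flood: same /16 prefix, changing low 16 bits, so
# every packet lands in a fresh cell of the same row and the variance collapses.
ATTACK_WINDOW = [f"10.20.{x}.{x}" for x in range(1, 11)]

if __name__ == "__main__":
    n, t = 16, 1.0
    for name, w in (("normal", NORMAL_WINDOW), ("spoofed", ATTACK_WINDOW)):
        print(name, round(matrix_variance(traffic_matrix(w, n)), 3),
              "ALERT" if is_attack(w, n, t) else "ok")
```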
Genetic Algorithm
- The traffic matrix size, window size and threshold value of the variance are set by the GA to maximize detection rates
- Initial population of 30
- Roulette wheel selection
- Standard crossover, probability of crossover: 0.6
- Mutation operation, probability of mutation: 0.05
- Fitness function: detection rates
- Implemented in JAVA
[Flowchart: Start; initialize population of 30; evaluate first population on training data; loop: selection operation (roulette wheel), crossover operation (standard crossover, Pc = 0.6), mutation operation (bit inversion, Pm = 0.05), evaluate evolved population on training data; if Generation > 50 then End, otherwise repeat the loop]
Chromosomes for GA

Chromosome                               Range (closed interval)  Degree of precision  Length of binary string
Matrix size (n by n)                     [1, 512]                 10                   9 bit
The number of packets for a time window  [1, 1024]                10                   10 bit
Threshold value T                        [0.1, 2048.0]            10                   14 bit
0
0
-1
The length of the binary string for each parameter is declared by this equation.
The total length of the binary string is 33 bits.
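How a 33-bit chromosome splits into the three parameters, as an added example (not the thesis's Java code). It uses the field order, ranges and bit lengths from the table; the linear mapping of each field onto its closed interval is an assumption, since the slide's equation did not survive extraction.

```python
# Added example, not from the thesis: decode/encode a 33-bit GA chromosome
# using the field order, ranges and bit lengths on the "Chromosomes for GA"
# slide. Assumption (not stated on the slide): each field is mapped linearly
# from its unsigned integer value onto its closed interval.
FIELDS = (  # (name, lower bound, upper bound, bits)
    ("matrix_size", 1, 512, 9),
    ("window_packets", 1, 1024, 10),
    ("threshold_t", 0.1, 2048.0, 14),
)
TOTAL_BITS = sum(bits for *_, bits in FIELDS)  # 9 + 10 + 14 = 33

def decode(chromosome: str) -> dict:
    """Split the bit string into its fields and scale each onto its range."""
    if len(chromosome) != TOTAL_BITS or set(chromosome) - {"0", "1"}:
        raise ValueError(f"expected a {TOTAL_BITS}-bit string of 0/1")
    params, pos = {}, 0
    for name, low, high, bits in FIELDS:
        raw = int(chromosome[pos:pos + bits], 2)
        pos += bits
        value = low + raw * (high - low) / (2 ** bits - 1)
        # The integer fields cover their ranges exactly (512 and 1024 values),
        # so rounding only removes float noise; T is kept to one decimal.
        params[name] = round(value) if isinstance(low, int) else round(value, 1)
    return params

def encode(matrix_size: int, window_packets: int, threshold_t: float) -> str:
    """Inverse mapping: build a chromosome from chosen parameter values."""
    parts = []
    values = (matrix_size, window_packets, threshold_t)
    for (_, low, high, bits), v in zip(FIELDS, values):
        raw = round((v - low) * (2 ** bits - 1) / (high - low))
        parts.append(format(raw, f"0{bits}b"))
    return "".join(parts)
```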
Dataset
LBL-PKT-4 of Lawrence Berkeley Laboratory is employed as the normal traffic stream dataset for our experiment.
Sanitized source IP addresses, which are provided as renumbered integers for security reasons, are preprocessed into IPv4 format via a one-to-one function.

Dataset                IP spoofing   Duration (sec)  Number of compromised hosts  Average pps
LBL-PKT-4              N/A           360             N/A                          250
DARPA 2000 LLDOS 1.0   whole random  6               unknown                      5500
Generated traffic      16bit subnet  6               220                          5500
Generated traffic      16bit subnet  120             10                           250
Generated traffic      16bit subnet  120             20                           500
Generated traffic      16bit subnet  120             40                           1000
Generated traffic      16bit subnet  120             80                           2000
Experimental Results
Experiments for subnet spoofed attack detection
- DARPA 2000 LLDOS 1.0 with LBL-PKT-4
- 16bit subnet spoofed attack with LBL-PKT-4

Dataset                       Matrix size  Packets per window  Threshold value T  Detection rates  Detection delay (sec)
LLDOS 1.0 + LBL-PKT-4         86x86        795                 173.60             1.0              0.13
Generated attack + LBL-PKT-4  285x285      626                 27.23              1.0              0.05
Experimental Results
Experiments with changing volume of attack
LBL-PKT-4 (250pps) + generated attack traffic
5-fold cross validation
[Bar chart: training detection rates, testing detection rates and detection delay (sec) for attack volumes of 250pps, 500pps, 1000pps and 2000pps; y axis from 0 to 1.2]
Conclusion
Meets the major challenges
- Short detection delay
- High detection rates
- Low computational overhead
Can detect attacks containing subnet spoofed IP addresses
More effective against high bandwidth DDoS attacks
Future works
- It is necessary to tune the parameters of the GA operation and the chromosomes
- False positives and false negatives should be considered
- Calculation of computational overhead
- Flash events
Thank you.