2010/12/9
Network Security Lab, The 4th Semester of the Masters Course. Je Hak Lee. Supervised by Prof. Jong Sou Park.
Contents
- Experimental results
- Conclusion
- Future works
Introduction
DDoS attacks are large-scale, coordinated attacks targeting the availability of services at a victim system or of its network resources. The intensity of DDoS attacks has grown as network infrastructure has improved.
Why is it difficult to defend?
- The attack traffic does not usually contain malicious content.
- The attack comes from widely distributed compromised hosts.
- IP spoofing.
Defense Mechanisms
Defense mechanisms: Intrusion Prevention, Intrusion Detection, Intrusion Response.
Intrusion Detection: Anomaly Detection (statistical analysis techniques, data mining techniques) and Misuse Detection.
Requirements / major challenges:
- Detect the bandwidth attack as soon as possible without raising a false alarm, so that the victim has more time to take action against the attacker.
- Deal with a large volume of traffic in real-time network environments.
Proposed Approach
Main idea, key variable, how to measure it:
- Simple hash function
- Packet based variable time window
- Genetic Algorithm (GA) for parameter optimization
Overall flow
Start -> Genetic Algorithm sets three parameters: 1. matrix size, 2. packet based window size, 3. threshold value T -> training data / testing data -> H(x) applied over a time window t -> n by n traffic matrix.
Analyze the inbound traffic stream by capturing the packets that arrive at the target host. Construct a traffic matrix through a hash function H(x) during a time window. The traffic matrix size and the number of packets per time window are declared by the GA.
Hash function: the 32-bit source IP address is split into its high 16 bits and low 16 bits; Row = high 16 bits mod n.
Adopt a simple hash function to scale down the huge IP address domain to a small traffic matrix domain and reduce calculation time. Each packet increments one element of the traffic matrix. The variance for a time window is derived from the completed n by n traffic matrix:

$m = \frac{1}{k} \sum_{j=0}^{n} \sum_{i=0}^{n} M(i,j)$

$V = \frac{1}{k} \sum_{j=0}^{n} \sum_{i=0}^{n} \left( M(i,j) - m \right)^2$

taken over the elements with $M(i,j) \neq 0$.
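The traffic-matrix statistic described above, as an added Python illustration (the lab's implementation was in Java and is not reproduced here). Assumptions: the column index is the low 16 bits mod n, by symmetry with the row rule on the slide; an alert fires when the variance of a window falls below T, since spoofed addresses spread packets evenly over cells; the two 200-packet traces and the threshold 10.0 are constructed.

```python
import ipaddress

def cell(src_ip, n):
    """H(x): map a 32-bit source address to one element of an n x n matrix.
    Row = high 16 bits mod n is from the slide; column = low 16 bits mod n
    is assumed here by symmetry, since the slide does not state it."""
    addr = int(ipaddress.IPv4Address(src_ip))
    return (addr >> 16) % n, (addr & 0xFFFF) % n

def traffic_matrix(src_ips, n):
    """Each packet increments one element; the caller passes exactly one
    packet-based window's worth of source addresses."""
    m = [[0] * n for _ in range(n)]
    for ip in src_ips:
        r, c = cell(ip, n)
        m[r][c] += 1
    return m

def variance(m):
    """Mean m and variance V over the k non-zero elements (M(i,j) != 0)."""
    active = [v for row in m for v in row if v != 0]
    k = len(active)
    if k == 0:
        return 0.0
    mean = sum(active) / k
    return sum((v - mean) ** 2 for v in active) / k

def detect(src_ips, n, window, T):
    """Consecutive windows of `window` packets -> (index, variance, alert).
    Alert direction is an assumption: spoofed addresses spread packets
    evenly over the cells, so the variance of a window under attack drops."""
    out = []
    for w in range(len(src_ips) // window):
        v = variance(traffic_matrix(src_ips[w * window:(w + 1) * window], n))
        out.append((w, v, v < T))
    return out

# Constructed sample: 200 normal packets from a few hosts, heavy-tailed counts.
NORMAL = [ip for ip, cnt in [("192.168.1.10", 120), ("172.16.5.7", 50),
          ("10.0.0.1", 10), ("203.0.113.9", 8), ("198.51.100.3", 6),
          ("192.0.2.44", 4), ("172.20.1.1", 2)] for _ in range(cnt)]
# Constructed sample: 200 packets spoofed within one 16-bit subnet (10.20.x.y).
ATTACK = [str(ipaddress.IPv4Address(0x0A140000 | ((i * 331) & 0xFFFF)))
          for i in range(200)]

if __name__ == "__main__":
    for w, v, alert in detect(NORMAL + ATTACK, n=16, window=200, T=10.0):
        print(f"window {w}: variance={v:.2f} alert={alert}")
```

With n = 16 the normal window lands its packets in seven scattered cells (variance about 1629), while the spoofed window fills one row almost uniformly (variance 0.25), which is why a high-bandwidth attack dominating a window is the easy case.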
Genetic Algorithm
Traffic matrix size, window size and the threshold value of the variance are set by the GA to maximize detection rates. Implemented in JAVA.
Start -> Initialize population of 30 -> Fitness function (evaluated on training data) -> Selection operation (roulette wheel) -> Crossover operation (standard crossover, Pc = 0.6) -> Mutation operation (bit inversion, Pm = 0.05) -> Generation > 50? No: next generation; Yes: End.
Chromosomes for GA
Chromosome: each of the three parameters (traffic matrix size, packet based window size, threshold value T) is encoded as a binary string. For each parameter the slide lists its range, its degree of precision and the resulting length of the binary string; the values shown are the ranges [1, 1024] and [0.1, 2048.0], the degrees of precision 10^0 and 10^-1, and string lengths of 9 bit, 10 bit and 14 bit. The length of the binary string for each parameter is declared by an equation from its range and degree of precision.
Dataset
Dataset              | Duration (sec) | IP spoofing  | Number of compromised hosts | Average pps
LBL-PKT-4            | 360            | N/A          | N/A                         | 250
DARPA 2000 LLDOS 1.0 | 6              | whole random | unknown                     | 5500
Generated traffic    | 6              | 16bit subnet | 220                         | 5500
Generated traffic    | 120            | 16bit subnet | 10                          | 250
Generated traffic    | 120            | 16bit subnet | 20                          | 500
Generated traffic    | 120            | 16bit subnet | 40                          | 1000
Generated traffic    | 120            | 16bit subnet | 80                          | 2000
LBL-PKT-4 of Lawrence Berkeley Laboratory is employed as the normal traffic stream dataset for our experiment. Its sanitized source IP addresses, which are provided as renumbered integers for privacy reasons, are preprocessed into IPv4 format via a one-to-one function.
Experimental Results
Result on LBL-PKT-4: 285x285 traffic matrix; reported values 626, 27.23, 1.0, 0.05.
Experimental Results
Experiments with changing volume of attack: LBL-PKT-4 (250 pps) + generated attack traffic, 5-fold cross validation.
[Chart: training detection rates, testing detection rates and detection delay (sec) for attack volumes of 250 pps, 500 pps, 1000 pps and 2000 pps; y-axis from 0 to 1.2]
Conclusion
- Can detect attacks containing subnet spoofed IP addresses.
- More effective against high bandwidth DDoS attacks.
Future works
- It is necessary to tune the parameters of the GA operation and the chromosomes.
- False positives and false negatives should be considered.
- Calculation of computational overhead.
- Flash events.
Thank you.