1

Master Thesis Presentation

A Novel Detection of DDoS Attacks Using Optimized Traffic Matrix

2010/12/9

Network Security Lab The 4th Semester of the Masters Course Je Hak Lee Supervised by Prof. Jong Sou Park

Contents
2

Introduction Proposed Approach

Experimental results
Conclusion Future works

Introduction
3

DDoS attacks are a large-scale, coordinated attack targeting on the availability of services at a victim system or network resources. The intensity of DDoS attacks have become stronger according to improvement of network infrastructure.

Architecture of a DDoS attacks

Why is it difficult to defend? does not usually contain malicious contents widely distributed compromised hosts IP spoofing

Defense Mechanisms
4

Defense Mechanisms
Intrusion Prevention

Requirements

Intrusion Detection

Anomaly Detection
Statistical analysis techniques Data mining techniques

Detect the bandwidth attack as soon as possible without raising a false alarm, so that the victim has more time to take action against the attacker. Deal with large volume of traffic in real-time network environments

Intrusion Response

Rate limiting techniques

Misuse Detection

Intrusion Tolerance and Mitigation

Major challenges

Short detection time High detection rates Low computational overhead

Proposed Approach
5

Main idea

Detection of DDoS attacks could be possible to measure entropy of incoming traffic

Source IP address field of IP packet header information Derive variance by using traffic matrix

Key variable

How to measure?

How to achieve the major challenges?

Simple hash function Packet based variable time window Genetic Algorithm (GA) for parameters optimization

Overall flow
6

Start

Genetic Algorithm sets three parameters 1. matrix size 2. packet based window size 3. threshold value T

Training data

Construct a traffic matrix for one window size

Testing data

Compute variance from the traffic matrix

No Variance < T ? Yes Alert

Construct Traffic Matrix

7
inbound packets variable time window ex) 10 packets per 1 window

H(x)

time t

n by n traffic matrix

Analyze the inbound traffic stream with capturing the packets come to the target host. Construct a traffic matrix through a hash function, H(x) during a time window. Traffic matrix size and the number of packets for a time window is declared by GA.

Details of constructing a matrix

8
Packets coming from the network
B C B B A B A

32bit Source IP address High 16bit Row = High 16bit mod n Low 16bit

Column = Low 16bit mod n

4 4

Increment value of (i, j) in Traffic Matrix

2 2

Adopt a simple hash function to scale down the huge IP address domain to a small traffic matrix domain and reduce calculation time. A packet increase an element value of the traffic matrix. Variance for a time window could be derived from a complete traffic matrix.
if M (i, j ) 0

1 m n V ( M ( i , j ) ) 2 k j 0 i 0
n by n Traffic Matrix

1 m n M ( i , j ) k j 0 i 0

Genetic Algorithm
9
Start

Initialize population of 30

Evaluate first population

Selection operation (Roulette wheel) No Crossover operation (Standard crossover) (Pc = 0.6) Generation > 50 Yes Mutation operation (Bit inversion) (Pm = 0.05)

Traffic matrix size, window size, threshold value of variance are set by GA to maximize detection rates Initial Population of 30 Roulette wheel selection Standard crossover

Probability of crossover : 0.6 Probability of mutation : 0.05 Detection rates

Mutation operation

Fitness function

End

Evaluate Evolved population

Training data

Implemented in JAVA

Chromosomes for GA
10

Chromosome

Range (closed interval) [1, 512]

Degree of precision
0

Length of binary string

Matrix size (n by n) The Number of packets for a time window

10
0

9 bit

[1, 1024]

10-1

10 bit

Threshold value T for each [0.1,parameter 2048.0] can 10 be declared 14 Length of binary string by bit this equation.

Total length of binary string is 33bit.

Dataset
11
Duration Dataset IP spoofing (sec) LBL-PKT-4 DARPA 2000 LLDOS 1.0 N/A whole random 16bit subnet 16bit subnet Generated traffic 16bit subnet 360 6 6 120 120 compromised hosts N/A unknown 220 10 20 250 5500 5500 250 500 The number of Average pps

16bit subnet
16bit subnet

120
120

40
80

1000
2000

LBL-PKT-4 of Lawrence Berkeley Laboratory is employed as normal traffic stream dataset for our experiment. Sanitized source IP addresses which provided as a renumbered integer for a security problem are preprocessed to IPv4 format via one-to-one fuction.

Experimental Results
12

Experiments for subnet spoofed attack detection

The number of packets Dataset Matrix Size for a Window T 173.60 Rates 1.0 (sec) 0.13 Threshold value Detection Detection Delay

LLDOS 1.0 + LBL86x86 PKT-4 Generated attack + 795

285x285
LBL-PKT-4

626

27.23

1.0

0.05

DARPA 2000 LLDOS 1.0 with LBL-PKT-4

16bit subnet spoofed attack with LBL-PKT-4

Experimental Results
13

Experiments with changing volume of attack LBL-PKT-4 (250pps) + generated attack traffic 5-fold cross validation
1.2 1 0.8 0.6 0.4 0.2 250pps 500pps 1000pps 2000pps

0
Training detection rates Testing detection rates Detection delay (sec)

Conclusion
14

Meet major challenges

Short detection delay High detection rates Low computational overhead

Can detect attacks containing subnet spoofed IP addresses More effective to high bandwidth DDoS attacks

Future works
15

It is necessary to tune the parameters of GA operation and the chromosomes False positive and false negative should be considered. Calculation of computational overhead Flash event

Thank you.