06-10-2016, 11:24 AM
Attachment: 1457979756-papersamplemit2.doc (229 KB)
Abstract -- A denial of service (DoS) attack is a class of attack that makes a computer's processing or memory resources too busy or too full to handle the requests of legitimate users, thus denying those users access to the machine. Such attacks range up to sending millions of requests or packets to a server in an attempt to slow it down. To reduce the effect of a DoS attack, a fuzzy estimator based on an attacker profile and the mean packet arrival time is proposed. To make the detection more accurate, we have divided the problem into two segments: one calculating the throughput, overhead and packet delivery ratio without the fuzzy estimator, and the other using the fuzzy estimator. The results of the two methods are compared. The proposed method is capable of detecting the DoS attack and dropping unwanted packets before the victim service suffers resource exhaustion due to the attack. Through the evaluation, it is confirmed that the proposed method can identify the DoS attack before it affects our system, and that using the fuzzy estimator improves the throughput and the overhead of the system.
I. INTRODUCTION
The Internet consists of a number of nodes linked together so that they can share resources and computation. Every node has equal responsibility, and no node is more powerful in computation or resources than another. It is therefore important to protect every node from attackers or anyone else who tries to access a system without permission. A cyber-attack is any type of offensive act employed by an individual or an organization that targets computer information systems, infrastructures, computer networks and personal computer devices by various malicious means, usually originating from anonymous sources, that either steals, alters or destroys a specific target by hacking into a susceptible system [4]. Most of the time, the attack is distributed among hundreds or thousands of computers. When that happens, the website's regular customers are denied the service they want. Even worse, the company that runs the website is denied the money it would earn for the day, and it may also permanently lose customers who become frustrated or worried about coming back to the site [1]. Such attacks target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.
The attack may be carried out by different techniques such as TCP flooding, UDP flooding, SYN flood, Ping of Death and HTTP flood. There are many methods of flooding the victim with packets in order to attack the system. The main aim of the attack is to slow the target network down or to shut the system down permanently so that it can no longer service its clients.
The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Legitimate clients therefore lose confidence in the server because of the delayed service.
II. LITERATURE SURVEY
Nowadays there are more powerful techniques available to attack a system [7]. Denial of service is one of them. This type of attack may also bring down a well-structured system. In a denial of service attack, the bandwidth of the data packets sent is very important: if the bandwidth is high, the effect of the attack is also high; if the bandwidth is low, the effect of the attack is comparatively reduced. Since it is a passive attack, the attack can be detected only when it affects the system [3]. To avoid this, the attack must be detected before it affects the system. The attack detection is based purely on the size of the data sent. The existing methodology [10] is very prone to false positives, that is, when a legitimate user tries to send a large number of packets he will be considered an attacker and will not get any service from the system. This is one of the disadvantages of the existing system [10]. To overcome this, a new technique is introduced in the proposed work.
III. EXISTING WORK
In the existing system, a method called the fuzzy estimator is used to detect the denial of service attack [10]. The network parameters used to monitor the attack are the mean packet arrival time, the throughput and the system overhead. The input data set is the DARPA Intrusion Detection Evaluation dataset [10]. While a DoS attack is taking place, the observed packet arrival time will be greater than the mean packet arrival time. Using this, a DoS attack can be identified before it affects the system. Generally, the delays that the data incur depend on the network traffic. Traffic is generally categorized into low-rate and high-rate traffic periods, and the time required to detect an attack in a low-rate traffic period is less than the time required in a high-rate traffic period.
During a DoS attack, a large number of packets from various zombie systems are sent to the victim system to shut it down for a particular amount of time, so that legitimate users do not get proper service from the server [13]. To counter this, a method called the fuzzy estimator is used to detect the DoS attack occurring at the server. During the detection process the time series is non-stationary, so it is divided into smaller time windows to fit the Poisson model [15]. For each period, we calculate the average packet arrival time and compare it with the historic data available in the system. Every time a packet is received, the mean packet arrival time is recalculated and compared with the previous values. By this method the attack is detected. In general, the existing system produces false positives: when legitimate users also try to send a large number of packets at a time, they too are considered attackers and get no resources from the server. This is the main disadvantage of the existing system.
IV. FUZZY ESTIMATOR
In the existing work, the fuzzy estimator was constructed by calculating the packet arrival interval and the mean packet arrival time and comparing the results using the fuzzy algorithm [10]. As stated earlier, the fuzzy estimator is capable of capturing all the statistical information generated from the historical data in a single (fuzzy) number [10]. In a DDoS event, the observed packet arrival time will be less than the mean packet arrival time. The estimator consists of triangle-shaped membership functions constructed from the discrete observations obtained from the empirical network data. Here, both hping and BlackEnergy bots were used for transferring the packets. The analysis was done during both the high-rate visit period and the low-rate visit period, and the results were produced by combining the results of the two.
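The windowed estimator described in the two sections above, as an added example that is not the paper's code: packet arrival timestamps are split into fixed windows, the mean inter-arrival time of each historical window is summarised as a triangular fuzzy number (support = observed range, peak = their mean), and a new window is flagged when its mean falls below the α-cut of that number, i.e. packets are arriving faster than the baseline supports (this follows the statement above that the observed arrival time is less than the mean during an attack). The window length, the α value and the traffic timestamps are all constructed here and are not values from the paper.

```python
from statistics import mean

def window_means(timestamps, window_len):
    """Split packet arrival timestamps (seconds, relative to capture start)
    into fixed windows and return the mean inter-arrival time of every
    window holding at least two packets, in time order."""
    buckets = {}
    for t in timestamps:
        buckets.setdefault(int(t // window_len), []).append(t)
    means = []
    for idx in sorted(buckets):
        ts = sorted(buckets[idx])
        if len(ts) >= 2:
            means.append(mean([b - a for a, b in zip(ts, ts[1:])]))
    return means

def triangular(history):
    """Triangular fuzzy number (low, peak, high) summarising the historical
    window means: support is the observed range, peak is their mean."""
    return (min(history), mean(history), max(history))

def membership(x, tri):
    """Degree (0..1) to which x belongs to the triangular number."""
    lo, peak, hi = tri
    if x == peak:
        return 1.0
    if lo < x < peak:
        return (x - lo) / (peak - lo)
    if peak < x < hi:
        return (hi - x) / (hi - peak)
    return 0.0

def alpha_cut(tri, alpha):
    """Interval of values whose membership is at least alpha (0 < alpha <= 1)."""
    lo, peak, hi = tri
    return (lo + alpha * (peak - lo), hi - alpha * (hi - peak))

def classify_window(observed_mean, tri, alpha=0.5):
    """'dos' when packets arrive faster than the alpha-cut of the baseline
    allows, 'sparse' when slower, 'normal' when inside the cut."""
    cut_lo, cut_hi = alpha_cut(tri, alpha)
    if observed_mean < cut_lo:
        return "dos"
    if observed_mean > cut_hi:
        return "sparse"
    return "normal"

# Constructed traffic (hypothetical, not from the DARPA dataset): baseline
# gaps of roughly 0.1 s, then an attack burst with 5 ms gaps.
_GAPS = [0.08, 0.12, 0.11, 0.09, 0.11, 0.10, 0.13, 0.08, 0.11]

def _cumulative(gaps, count, start=0.0):
    out, t = [], start
    for i in range(count):
        t += gaps[i % len(gaps)]
        out.append(t)
    return out

BASELINE = _cumulative(_GAPS, 45)                 # about 4.65 s of normal traffic
ATTACK = _cumulative([0.005], 200, start=10.0)    # 1 s burst at 200 packets/s
HISTORY = window_means(BASELINE, 1.0)             # one mean per 1 s window
TRI = triangular(HISTORY)

def detect(timestamps, tri=TRI, window_len=1.0, alpha=0.5):
    """Classify every window of a capture against the baseline fuzzy number."""
    return [classify_window(m, tri, alpha) for m in window_means(timestamps, window_len)]

if __name__ == "__main__":
    print("baseline fuzzy number:", TRI)
    print("attack windows:", detect(ATTACK))
```

The α value sets the trade-off the survey section criticises: a low α widens the accepted interval and tolerates bursts from legitimate users at the cost of slower detection, while a high α flags any window whose mean drifts from the historical peak.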
V. PROPOSED APPROACH
To overcome the drawbacks of the fuzzy estimator, the attacker's behaviour must be profiled before an attack is analysed or detected. In this profiling, certain activities of the attacker are predefined, so that if a received packet matches any of the activities in the attacker profile, the sending system is considered an attacker and its packets are dropped. This protects the system from the DoS attack. The attacker profile is set using conditions such as the maximum hop count, the bandwidth of the data, the packet rate, the packet size and the time taken to transfer the packet. If the values exceed the maximum, the traffic is considered an attack. The proposed method also increases the throughput of the system and so improves its performance. In the proposed method, a modified fuzzy estimator is used to calculate the mean packet arrival time. In general, fuzzy data has an unordered structure, without any order or conditions; here fuzzy data means a large amount of data in an unordered form. The α-cut algorithm is used to filter the packets in the fuzzy estimator. To overcome the drawback of the existing system, an attacker-profiling-based modified fuzzy estimation is performed during the analysis of the network transmission.
B. Creation of Attacker Profile
To overcome the defects of the fuzzy estimator, an attacker profile is created. In this attacker profile, certain conditions are specified so that the server analyses each received packet before accepting it. During this analysis the server verifies whether the received packets come from attackers or from a legitimate user. The attacker profile is set using conditions such as the number of hops the attacker uses, the maximum bottleneck bandwidth, the net bandwidth, the net delay, the time for transferring the packets, the attacker's minimum spoof address and the attacker's maximum spoof address. If any of the conditions matches the received packet, the sender is considered an attacker and its packets are dropped immediately.
VI. IMPLEMENTATION
A. General Categorization of the Problem
In this technique there are two methods: one uses the normal fuzzy estimator, and in the other a predictive profile of the attacker is created. The profile conditions are taken from historic data. During an attack the intrusions and the network traffic are monitored and the data is collected. Using this data an attacker profile is created, based on the intrusions and the network traffic generated by the attackers. There will certainly be a difference between normal users and attackers; on analysing the difference it is noticed that the attackers' intrusions and data traffic are always high, so the attacker profiling is based on these conditions.
B. Broadcasting
In our method 40 nodes are used. Some are mobile nodes, and the routing protocol used is AODV. This protocol is chosen because it is congestion free and can avoid malicious nodes. Performance is also high because it uses the shortest-path method. When a source node transfers packets to a destination node, the first step is the broadcasting of a message. This broadcast is done to find the shortest route from the source to the destination. Once the neighbouring nodes find the destination, the transfer of the packets begins. Because mobile nodes may change position, the transfer of packets can be interrupted; to handle this, every time a node transfers its message a broadcast is made to verify whether the packets were sent correctly.
C. Fuzzy estimator
To make the analysis clearer, we have divided the problem into two parts: attack detection using the fuzzy estimator, and attack detection using the attacker predictive profiling method. The data set we use is the LLS DDOS DARPA 1.0 Intrusion Detection Evaluation data set, which is loaded into all the nodes. The transfer mechanism uses the Transmission Control Protocol (TCP). During the transfer of packets from source to destination, the packet arrival time is calculated along with the throughput, overhead, packet delivery ratio and node energy. In the fuzzy estimator a data limit is set; if the number of received packets exceeds the maximum, the sender of those packets is considered an attacker and the packets are dropped immediately. In such a scheme, a legitimate user who sends more packets than the maximum is also considered an attacker and gets no resources from the server. To avoid this, the attacker predictive profiling method is created.
D. Attacker predictive profiling
To avoid false positives, an attacker profile is created using certain conditions. These conditions are derived from the historic data available about attackers. The conditions given for the predictive profiling are: the maximum number of hops available between two nodes is 16; bottleneck bandwidth is 1Mb; bottleneck delay is 5ms; bottleneck queue size is 100; 1 drop tail; net bandwidth is 10Mbps; net delay is 2ms; normal number of users is 2; user flow package size is 1000b; the user flow starts at 20ms and stops at 120ms, with no random starts; attacker flow rate is 0.5Mbps; attacker packet size is 200B; attacker burst period is 500ms; attack period is 1000ms; max spoof address is 100; min spoof address is 1; and the TCP CWND check period is 10ms.
After these conditions have been tested, the index values of the nodes are verified. During verification the number of packets received is checked against the number of packets sent; if they are equal the packets are accepted, and if they differ the node requests retransmission of the packets. If any of the above conditions matches, the sender is confirmed as an attacker and the packets from that particular node are dropped.
Fig. 3 Packet delivery ratio improved during DoS
Fig. 4 Throughput improved during DoS
EVALUATION
To analyse the results of both methods, performance measures are calculated during the data flow, namely the throughput, the packet delivery ratio and the node energy. The packet delivery ratio is the ratio of the number of data packets delivered to the destination to the number of packets sent; it illustrates the level of data delivered to the destination.
Packet delivery ratio = Number of packets received / Number of packets sent
Throughput is the amount of work that a computer can do in a given time period. Historically, throughput has been a measure of the comparative effectiveness of large commercial computers that run many programs concurrently.