Traffic Feature Selection
DDoS attacks are launched from distributed sources, so the attack traffic is spread across many links. The farther a link is from the victim, the more diffuse the attack traffic becomes and the harder it is to detect, because individual attack flows are indistinguishable in volume from legitimate flows. Current schemes for early attack detection rely on detecting aggregates that cause sustained congestion on communication links (Ioannidis & Bellovin, 2002; Mahajan et al., 2001), on an imbalance between incoming and outgoing traffic volume at routers (Carl et al., 2005), and on probabilistic packet marking techniques. Unfortunately, these methods have to wait until the flooding has become widespread, so they cannot fend off a DDoS in time.
Lakhina et al. (2005) observed that most traffic anomalies, despite their diversity, share a common characteristic: they induce a change in the distribution of packet header fields (source address, source port, destination address, destination port, etc.), which we call traffic features.
Let an information source have n independent symbols, symbol i being chosen with probability p_i. Then the entropy H is defined as:
(1)
Entropy can be computed over a sample of consecutive packets. Entropy-based detection measures the randomness of the distribution of selected attributes, i.e., fields of the packet header such as the source IP address or the TTL, that characterize a packet. Entropy captures in a single value the distributional changes in a traffic feature, and observing the time series of entropy values of the features exposes unusual traffic behavior.
Source-IP-based entropy algorithms are effective against highly distributed DDoS attacks and against highly concentrated high-bandwidth attacks. A proficient and sophisticated attacker, however, tries to defeat detection based on source IP entropy (Feinstein, Schnackenberg, Balupari, & Kindred, 2003) by producing the flood covertly and mimicking the normal data flow the monitor expects. Having learned the entropy values of some packet attributes, such an attacker can use attack tools that generate flooding with adjustable entropy. By guessing, probing or summarizing, the attacker can estimate the normal entropy range seen by the monitors and shape the flood to stay within it, although such stealthy attacks are not easy to realize.
We improve on the previous entropy-based detection algorithms and propose enhanced algorithms for dual-level detection: macroscopic detectors use entropy computed over the source IP address, and microscopic detectors use entropy computed over the destination IP address.
Dual-Level Attack Detection Scheme
System Model
We use the transit-stub network model (Zegura, Calvert, & Bhattacharjee, 1996; Zegura, Calvert, & Donahoo, 1997) of the Internet, as shown in Figure 1.
Figure 1. Dual-level attack detection, characterization and response
The transit-stub model is based on the hierarchical structure of the Internet (Zegura et al., 1996; Zegura et al., 1997). In this model every domain is classified as either a stub network or a transit network; backbone ISPs and regional ISPs are examples of transit networks, and the traffic-generating nodes (end hosts) are connected only to stub networks. We model the Internet as a transit-stub network and measure entropy within it. During an attack, the Internet, or an IP domain, is divided into two networks: the inside, which is to be protected, and the outside, where attackers may reside. Entropy is measured by recording the dynamics of the packets crossing the border between the two networks. Packets flowing across this border either leave the current entropy value roughly unchanged, when they conform to the established traffic pattern, or change it abruptly, when they disturb it. The proposed system tracks the value of entropy over time to pinpoint such sudden changes, which are treated as the onset of an attack on the network. Figure 1 shows the modeled dual-level attack detection, characterization and response framework.
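The following Python example, added here and not part of the original article, puts the two detection levels together: it computes the Shannon entropy H = -sum_i p_i log2 p_i of Equation (1) over consecutive windows of packets, learns the normal range of the source-IP (macroscopic) and destination-IP (microscopic) entropy series from attack-free traffic, and flags a window whose entropy leaves that range, which is the sudden-change rule of the system model above. The traffic is constructed, not captured: 60 legitimate clients in 203.0.113.0/24 talking to 8 protected servers in 192.0.2.0/24, a naive flood with a fresh spoofed source per packet, and the entropy-shaped flood described in the feature-selection discussion, which cycles through as many spoofed sources as there are normal clients so that the source-IP level alone does not fire. The window size, the tolerance margin, the address pools and the min/max range rule are assumptions of the example, not the paper's parameters.

```python
import math
import random
from collections import Counter

WINDOW = 200   # packets per entropy sample (assumed)
MARGIN = 0.5   # tolerance in bits around the learned normal range (assumed)


def entropy(symbols):
    """Shannon entropy H = -sum(p_i * log2(p_i)) over the n distinct symbols in a
    sample; p_i is the relative frequency of symbol i.  Empty sample -> 0.0."""
    total = len(symbols)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in Counter(symbols).values())


def entropy_series(packets, field, window=WINDOW):
    """Entropy time series of one header field, one value per consecutive window."""
    return [entropy([p[field] for p in packets[i:i + window]])
            for i in range(0, len(packets) - window + 1, window)]


class DualLevelDetector:
    """Macroscopic level: entropy over source IP.  Microscopic level: entropy over
    destination IP.  The normal range of each series is learned from attack-free
    windows; a window whose entropy leaves that range by more than `margin` bits
    is flagged at that level."""

    def __init__(self, margin=MARGIN):
        self.margin = margin
        self.normal_range = {}

    def train(self, normal_packets):
        for field in ("src", "dst"):
            series = entropy_series(normal_packets, field)
            self.normal_range[field] = (min(series) - self.margin, max(series) + self.margin)

    def classify(self, packets):
        """One verdict per window: entropy at each level and whether it left the range."""
        lo_s, hi_s = self.normal_range["src"]
        lo_d, hi_d = self.normal_range["dst"]
        return [{
            "h_src": round(h_src, 3), "h_dst": round(h_dst, 3),
            "macro_alarm": not lo_s <= h_src <= hi_s,
            "micro_alarm": not lo_d <= h_dst <= hi_d,
        } for h_src, h_dst in zip(entropy_series(packets, "src"), entropy_series(packets, "dst"))]


# --- constructed traffic, not captured data --------------------------------
OUTSIDE = [f"203.0.113.{i}" for i in range(1, 61)]   # 60 legitimate clients (assumed)
INSIDE = [f"192.0.2.{i}" for i in range(1, 9)]       # 8 protected servers (assumed)


def normal_traffic(rng, n):
    """Legitimate clients spread their requests over the protected servers."""
    return [{"src": rng.choice(OUTSIDE), "dst": rng.choice(INSIDE)} for _ in range(n)]


def naive_flood(n, victim="192.0.2.1"):
    """Every packet carries a fresh spoofed source; all are aimed at one victim."""
    return [{"src": f"10.0.{i // 256}.{i % 256}", "dst": victim} for i in range(n)]


def shaped_flood(n, victim="192.0.2.1"):
    """Stealthy attacker: cycles through as many spoofed sources as there are normal
    clients, so source-IP entropy stays in the normal range; the destination still
    concentrates on the victim."""
    return [{"src": f"198.51.100.{1 + i % len(OUTSIDE)}", "dst": victim} for i in range(n)]


def run_demo(seed=7):
    """Train on 20 attack-free windows, then classify one window of each scenario."""
    rng = random.Random(seed)
    det = DualLevelDetector()
    det.train(normal_traffic(rng, 20 * WINDOW))
    return {
        "normal": det.classify(normal_traffic(rng, WINDOW))[0],
        "naive": det.classify(naive_flood(WINDOW))[0],
        "shaped": det.classify(shaped_flood(WINDOW))[0],
    }


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:7s} H(src)={v['h_src']:.3f} H(dst)={v['h_dst']:.3f} "
              f"macro={v['macro_alarm']} micro={v['micro_alarm']}")
```

Running the block prints one line per scenario. The naive flood trips both levels: source entropy jumps to log2(200) bits because every source is unique, and destination entropy collapses to zero. The shaped flood trips only the microscopic detector, which is exactly the case that motivates adding the destination-IP level to a source-IP-only monitor.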