Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks

Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks

Anjali Sardana (Indian Institute of Technology Roorkee, India) and Ramesh C. Joshi (Indian Institute of Technology Roorkee, India)
DOI: 10.4018/jmcmc.2011010101
OnDemand PDF Download:
No Current Special Offers


DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce dual - level attack detection (D-LAD) scheme for defending against the DDoS attacks. At higher and coarse level, the macroscopic level detectors (MaLAD) attempt to detect congestion inducing attacks which cause apparent slowdown in network functionality. At lower and fine level, the microscopic level detectors (MiLAD) detect sophisticated attacks that cause network performance to degrade gracefully and stealth attacks that remain undetected in transit domain and do not impact the victim. The response mechanism then redirects the suspicious traffic of anomalous flows to honeypot trap for further evaluation. It selectively drops the attack packets and minimizes collateral damage in addressing the DDoS problem. Results demonstrate that this scheme is very effective and provides the quite demanded solution to the DDoS problem.
Article Preview

Traffic Feature Selection

DDoS attacks are launched from distributed sources. Hence the attack traffic is spread across multiple links. As the distance from the victim increases, attack traffic is more diffused and harder to detect because the volume of attack flows are indistinguishable from legitimate flows. Current schemes for early attack detection are based on detecting aggregates causing sustained congestion on communication links (Ioannidis & Bellovin, 2002; Mahajan et al., 2001), imbalance between incoming or outgoing traffic volume on routers (Carl et al., 2005) and probabilistic packet marking techniques . These early detection methods, unfortunately, have to wait for the flooding to become widespread, consequently, they are ineffective to fence off the DDoS timely.

Lakhina et al. (2005) observed that most of traffic anomalies despite their diversity share a common characteristic: they induce a change in distributional aspects of packet header fields (i.e., source address, source port, destination address, and destination port etc called traffic features).

Let an information source have n independent symbols each with probability of choice pi. Then the entropy H is defined as:


Entropy can be computed on a sample of consecutive packets. The entropy detection method is used to calculate the distribution of randomness of some attributes which are fields in the network packets’ headers. These attributes can be values like source IP address, TTL etc. that indicate the packet’s properties. Entropy captures in a single value the distributional changes in traffic features, and observing the time series of entropy on the features exposes unusual traffic behavior.

Source IP based entropy algorithms are efficient in case of highly distributed DDoS attacks or highly concentrated high bandwidth attacks. A proficient and sophisticated attacker usually tries to defeat the detection algorithm based on source IP based entropy (Feinstein, Schnackenberg, Balupari, & Kindred, 2003) by secretly producing flooding attack and simulating the monitor’s expected normal data flow. After knowing some packet attributes’ entropy values, these attackers could use the attack tools to produce some flooding with adjustable entropy values. By guess, test or summary these attackers could probably know the normal entropy range in the monitors and adjust their own flooding to match it, although such stealthy attacks are not easy to realize.

We improve the previous entropy detection algorithms and propose enhanced algorithms for dual level detection: macroscopic detectors are based on entropy calculated over source IP and microscopic detectors are based on entropy calculated over destination IP.


Dual-Level Attack Detection Scheme

System Model

We use transit stub network model (Zegura, Calvert, & Bhattacharjee, 1996; Zegura, Calvert, & Donahoo, 1997) for the Internet as shown in Figure 1.

Figure 1.

Dual-level attack detection, characterization and response


Transit stub model is based on the hierarchical approach of the Internet (Zegura et al., 1996; Zegura et al., 1997). In such a model, every domain can be classified as either a stub network or a transit network. Backbone ISPs and regional ISPs are examples of transit networks. The traffic generating nodes (end hosts) are only connected to Stub networks. We model the Internet to measure the entropy in transit – stub network. During an attack, the Internet or IP domain is divided into the two networks; one for inside to be protected and the other is for outside where attackers may reside. The entropy is measured by recording the dynamics of packets on the border of the two networks. Packets flowing between these two networks may incur to sustain the current value of the entropy if those packets are in harmony with the system or change abruptly if those agitate the system. In the proposed system we keep track of the value of entropy in time to pinpoint the sudden changes in the value. Those changes are regarded as the installation of attacks in the network. Figure 1 shows the modeled dual-Level Attack Detection, Characterization and Response framework.

Complete Article List

Search this Journal:
Volume 13: 4 Issues (2022): Forthcoming, Available for Pre-Order
Volume 12: 4 Issues (2021)
Volume 11: 4 Issues (2020)
Volume 10: 4 Issues (2019)
Volume 9: 4 Issues (2018)
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing