
Development of an Internet Protocol Traceback Scheme for Denial of Service Attack Source Detection

Chapter One

Aim and Objectives

The aim of this research work is the development of an internet protocol traceback scheme for denial of service attack source detection.

The following are the objectives of this research work:

  1. To develop the SSOA-based DoS attack source detection scheme, called SSOA-DoSTBK.
  2. To simulate the SSOA-DoSTBK, which implements the discernment policy, using Network Simulator version 2 (NS2).
  3. To compare the SSOA-DoSTBK with another IP traceback scheme based on a nature-inspired algorithm. The modified ant colony system algorithm for IP traceback (ACS-IPTBK) scheme developed by Wang et al. (2016) was selected for the comparison because it is based on the ant colony optimization (ACO) algorithm, a nature-inspired algorithm commonly used for IP traceback. The literature reports a trend of improvements in using ACO for IP traceback, from ordinary ACO through Ant System and Ant Colony System up to the ACS-IPTBK. The comparison used False Error Rate (FER), convergence time, the ability to differentiate a sudden surge in normal traffic flow from attack flow, and detection of the source of spoofed IP packets as performance metrics. The FER includes the False Acceptance Rate (FAR) and the False Rejection Rate (FRR).

CHAPTER TWO

LITERATURE REVIEW

Introduction

This literature review comprises a review of the fundamental concepts and of the trend of previous works related to this research, with a view to gaining knowledge of the fundamental concepts of the research area.

Review of Fundamental Concepts on DoS attack IP traceback

The fundamental concepts of the DoS attack IP traceback and the SSOA are discussed here with related previous research works that are relevant to this work.

The DoS Attack and its Variants

Denial of service attack is one of the most damaging network attacks; it works by exhausting the computing resources of the victim. It denies the victim's legitimate clients access to the services the victim's system provides at the time they need them, which may subject the victim to great loss. There are several mechanisms for carrying out a DoS attack; prominent among them are the simple DoS attack, the reflective DoS attack, the coordinated DoS attack, and the distributed DoS attack, as illustrated in Figure 2.1.

The simple DoS attack in Figure 2.1a is so called because it usually involves one attacker and one victim, but it is fundamental to all other DoS attacks. Identifying the original malicious node where the attack was initiated is often not easy because attackers usually spoof or conceal their identity in the attack packet headers.

Distributed Denial of Service (DDoS), shown in Figure 2.1b, is a DoS attack carried out by coordinating multiple compromised hosts in the network to attack a victim and bring down its operations for a considerable length of time (Maheshwari & Krishna, 2013).

Figure 2.1c shows coordinated denial of service, a DoS attack in which malicious nodes sequentially or concurrently target different network vulnerabilities in a victim's system and use them to disrupt its network communication (Ahmed & Fapojuwo, 2016; Tan et al., 2010). Reflective denial of service, Figure 2.1d, is a DoS attack in which the attacker sends crafted packets whose source address is spoofed to the victim's IP address to compromised nodes, called reflectors, causing the reflectors to send their replies to the victim (Rasti et al., 2015). All mechanisms except the simple DoS usually involve the attacker enlisting intermediary systems, compromised unknowingly and unwillingly, to magnify the effect of the attack on the victim's system. Each such compromised system is called a bot, and all the bots in an attack are referred to collectively as a botnet. The more bots are used, the more complex the attack becomes, because the attacker can shield itself behind the compromised systems and make it difficult to trace the attack path back to the original attacker. Many large and well-established organisations in the IT industry have reported being attacked with some form of DoS attack at one time or another. Among the reported cases, a computer at the University of Minnesota was taken out of service for 2 days in 1999, and in the year 2000 Yahoo! Inc., Amazon, Buy.com, Cable News Network (CNN), and eBay all experienced DoS attacks that either stopped them functioning completely or significantly slowed their operations for a period of time (Bhuyan et al., 2014).

There are two broad categories of DoS attacks: high-rate and low-rate DoS (Mohamed et al., 2018). The high-rate DoS attacks are flooding attacks, including SYN flooding, Internet Control Message Protocol (ICMP) message flooding, the Smurf attack, Transmission Control Protocol (TCP) attacks, etc. (Zargar et al., 2013). They generate a large volume of traffic at a high rate and can consume as much as 600 Gbps of network bandwidth (Mohamed et al., 2018). Figure 2.2 shows a screenshot of traffic data captured with Wireshark during a User Datagram Protocol (UDP) flood attack (Stone, 2000).


CHAPTER THREE

MATERIALS AND METHODS

Introduction

The details of the materials and the procedures used for the successful completion of this research are discussed in this chapter and the SSOA-DoSTBK is developed.

Materials

The resources used for developing a simulation of the prototype of the developed scheme are listed here:

  • Operating System: Ubuntu 16.04 LTS
  • Simulation software: Network Simulator version 2 (NS2), ns-allinone-2.35
  • Programming software: C++, OTcl
  • Graph plotting software:
  • Laptop PC: x64-based processor, Intel Core i3-3110M CPU 2.4 GHz, 4.0 GB RAM.

The knowledge of computer network data transmission and

Methodology

The methodology adopted for achieving the aim and objectives set for this work is explained in this section. Details of the steps for creating the components of the developed scheme, and of the tools used to create them, are given. How the scheme was executed and how the results were obtained is explained at the end of the section.

CHAPTER FOUR

RESULTS AND DISCUSSIONS

Introduction

The evaluation of SSOA-DoSTBK against ACS-IPTBK is discussed in this chapter. Three types of evaluation test were conducted: False Error Rate, correctness of the returned path, and convergence time. Each test type was carried out under three different conditions: DoS attack only, DoS attack combined with a flash event, and spoofed DoS attack with flash events. Two-dimensional (2D) plots of the results are presented for a clearer view of the performance of the developed scheme.

Simulation Results

To evaluate the efficiency of the developed SSOA-DoSTBK IP traceback scheme, the attack path tracing results were recorded (Appendix A-IX, Appendix A-X, Appendix A-XI) and compared, in the following subsections, with the results obtained in similar tests from the benchmark scheme, ACS-IPTBK.

CHAPTER FIVE

CONCLUSION AND RECOMMENDATIONS

Summary

Deep search for attack flow was implemented on ingress hops using discernment policy developed based on details extracted from the attack packets. The proposed scheme used the discernment policy in a hop-by-hop search to determine the most probable hops involved in routing the attack packets from the attacker to the victim. This was aimed at reducing errors in the attack path reconstruction that may cause failure to detect the true attack source.

The proposed scheme was implemented in the NS2 release ns-allinone-2.35 and used for attack path reconstruction under different conditions: ordinary DoS attack alone, DoS attack with a flash event present on the traced path, and spoofed DoS attack with flash event surge traffic present on the attack path. The performance of the developed scheme was measured in terms of FER, the amount of attack packets on the returned path, and convergence time. The developed scheme recorded 31.8%, 32.06%, and 28.45% lower FER for the DoS only, DoS with FE, and spoofed DoS with flash event tests, respectively. It also recorded better efficiency in terms of correctness of attack packet detection on the attack path, with 4.76%, 11.6%, and 5.2% higher performance in attack path detection for the DoS only, DoS with FE, and spoofed DoS with flash event tests, respectively. However, ACS-IPTBK was faster than SSOA-DoSTBK in attack path reconstruction by 0.4%, 0.78%, and 1.2% for the DoS only, DoS with FE, and spoofed DoS with flash event tests, respectively.
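The hop-by-hop search described in the summary above, and the FER/FAR/FRR metrics set out in the objectives of Chapter One, are illustrated by the following added example. It is not the SSOA-DoSTBK code, and the discernment heuristic, the topology, the flow records and the attack packets are all constructed assumptions for illustration: the thesis does not state which packet fields its discernment policy uses, nor how FER combines FAR and FRR, so both are labelled as assumptions in the code. The example also includes a naive rate-only tracer to show how a flash event (a legitimate surge carrying more packets than the attack) misleads a search that ignores packet details.

```python
"""Hop-by-hop IP traceback with a discernment policy, plus FAR/FRR/FER scoring.

Added example (not the thesis's own code). Topology, flows and packets are
constructed; the scoring heuristic is an assumed stand-in for the discernment
policy, whose exact fields the thesis does not specify.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: str
    pkt_len: int
    rate: float  # packets per second observed on the link


# Constructed topology: node -> upstream (ingress) neighbours; a node with no
# upstream neighbour is treated as a traffic source.
UPSTREAM: Dict[str, List[str]] = {
    "victim": ["r1", "r2"],
    "r1": ["r3", "r4"],
    "r2": ["r5"],
    "r3": ["attacker"],
    "r4": ["flash_users"],   # legitimate users causing a flash event
    "r5": ["office"],
    "attacker": [], "flash_users": [], "office": [],
}

# Constructed per-link flow records, keyed by (upstream, downstream).
ATTACK = Flow("10.0.0.5", "udp", 1024, 9000.0)
FLASH = Flow("10.0.0.5", "tcp", 512, 12000.0)   # same victim, higher rate
OFFICE = Flow("10.0.0.5", "tcp", 80, 300.0)
LINKS: Dict[Tuple[str, str], List[Flow]] = {
    ("r1", "victim"): [ATTACK, FLASH],
    ("r2", "victim"): [OFFICE],
    ("r3", "r1"): [ATTACK],
    ("r4", "r1"): [FLASH],
    ("r5", "r2"): [OFFICE],
    ("attacker", "r3"): [ATTACK],
    ("flash_users", "r4"): [FLASH],
    ("office", "r5"): [OFFICE],
}

# Constructed sample of attack packets captured at the victim.
ATTACK_PACKETS = [{"dst": "10.0.0.5", "proto": "udp", "len": 1024}] * 5 + [
    {"dst": "10.0.0.5", "proto": "tcp", "len": 80}]
TRUE_PATH = ["victim", "r1", "r3", "attacker"]


def extract_signature(packets) -> Tuple[str, str, int]:
    """Derive the discernment signature from the captured attack packets:
    the (dst_ip, proto, pkt_len) triple that dominates the sample."""
    counts = Counter((p["dst"], p["proto"], p["len"]) for p in packets)
    return counts.most_common(1)[0][0]


def discernment_score(flow: Flow, sig: Tuple[str, str, int]) -> float:
    """Assumed policy: each matching packet field outweighs any plausible rate,
    so a flash event (high rate, wrong fields) cannot outrank the attack flow."""
    dst, proto, length = sig
    matches = (flow.dst_ip == dst) + (flow.proto == proto) + (flow.pkt_len == length)
    return matches * 1000.0 + flow.rate / 1000.0


def hop_by_hop(victim: str, score: Callable[[Flow], float], threshold: float) -> List[str]:
    """Walk upstream from the victim, at each hop choosing the ingress neighbour
    whose best-scoring flow exceeds the threshold; stop at a source node."""
    path, node = [victim], victim
    while UPSTREAM.get(node):
        best, best_score = None, threshold
        for up in UPSTREAM[node]:
            for flow in LINKS.get((up, node), []):
                s = score(flow)
                if s > best_score:
                    best, best_score = up, s
        if best is None:
            break
        path.append(best)
        node = best
    return path


def traceback(victim: str, sig: Tuple[str, str, int]) -> List[str]:
    return hop_by_hop(victim, lambda f: discernment_score(f, sig), 2000.0)


def rate_only_traceback(victim: str) -> List[str]:
    """Naive baseline: follow the heaviest flow regardless of its contents."""
    return hop_by_hop(victim, lambda f: f.rate, 5000.0)


def error_rates(returned: List[str], true_path: List[str]) -> Tuple[float, float, float]:
    """FAR: fraction of returned hops not on the true path.
    FRR: fraction of true hops missing from the returned path.
    FER: FAR + FRR (assumed combination; the thesis says only that FER includes both)."""
    ret, tru = set(returned), set(true_path)
    far = len(ret - tru) / len(ret)
    frr = len(tru - ret) / len(tru)
    return far, frr, far + frr


if __name__ == "__main__":
    sig = extract_signature(ATTACK_PACKETS)
    for name, path in (("discernment", traceback("victim", sig)),
                       ("rate-only", rate_only_traceback("victim"))):
        print(name, path, "FAR/FRR/FER =", error_rates(path, TRUE_PATH))
```

With the constructed data the discernment tracer returns the true path (FER 0.0), while the rate-only tracer follows the flash event to `flash_users` and scores FAR 0.5, FRR 0.5, FER 1.0; that gap is the "ability to differentiate a sudden surge in normal traffic flow from attack flow" that the objectives list as a metric.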

Conclusion

This research was aimed at developing an Internet Protocol traceback scheme, based on the SSO algorithm, for detecting the source of a DoS attack without being disrupted by flash event surge traffic. It was tested against the ACS-IPTBK developed by Wang et al. (2016) using the same test procedures under the same conditions. Compared with ACS-IPTBK, the proposed scheme showed an improvement of as much as 32.06% in FER and as much as 11.6% in the performance tests. ACS-IPTBK converges slightly faster than the proposed scheme, with a maximum recorded difference of 1.2% in convergence time under the worst test condition, when a flash event was present on the traceback routes and the DoS attack packets were spoofed.

The test results show that ACS-IPTBK deviated further than SSOA-DoSTBK from the true attack path and that SSOA-DoSTBK is more effective at detecting the source of spoofed IP attacks. The difference in convergence time between SSOA-DoSTBK and ACS-IPTBK was negligibly small. The results indicate that SSOA-DoSTBK performed better in detecting the true DoS attack path because ACS-IPTBK works on the basis of parallelism, with different agents examining different segments of the network concurrently to estimate a probable attack path, whereas SSOA-DoSTBK performed a sequential search for the most probable attack path, which resulted in a slightly longer convergence time. ACS-IPTBK examined more areas, most of which were not on the attack path, but SSOA-DoSTBK narrowed its search to the most relevant area of the network based on defined heuristics and avoided confusing traffic flows. This detailed examination of the traffic enabled SSOA-DoSTBK to return more correct attack paths when attack packets were spoofed and flash event traffic was encountered during the traceback process.

Significant Contributions

The significant contributions of this work are:

  1. Development of the SSOA-DoSTBK IP traceback scheme, which can avoid flash events and other legitimate flows that may be symptomatically similar to attack
  2. A discrimination policy, created from details extracted from the detected attack packets, was incorporated into the SSOA-DoSTBK IP traceback scheme for improved performance and to obtain more accurate
  3. The SSOA-DoSTBK IP traceback scheme outperformed the ACS-IPTBK against which it was benchmarked, with 31.8%, 32.06%, and 28.45% lower FER for the DoS only, DoS with FE, and spoofed DoS with flash event tests, respectively, and 4.76%, 11.6%, and 5.2% higher performance in the correctness of attack path detection for the DoS only, DoS with FE, and spoofed DoS with flash event tests, respectively. However, ACS-IPTBK was faster than SSOA-DoSTBK by just 0.4%, 0.78%, and 1.2% for the DoS only, DoS with FE, and spoofed DoS with flash event tests,

Recommendations for Further Work

The proposed IP traceback scheme falls short of being perfect, as the results of the tests conducted with it show, and there is room to improve its performance. The following areas are recommended for further research:

  1. The choice of parameters used in the discrimination policy was not based on experimentation; they were simply considered relevant to identifying the traffic. A better method of determining the parameters of the discrimination policy can be investigated for better convergence and better path detection. Data that are specific to the traffic and that persist longer on the routers would allow more time for the traceback system.
  2. The scheme was tested with a simple DoS attack. Swarming of artificial sharks can be researched to make it applicable to detection of DDoS attacks with large numbers of bots, whereby different sharks trace different bots.
  3. Attackers are information technology professionals and understand the techniques defenders use to develop preventive or corrective schemes against their attacks. Investigating the possible ways an attacker could thwart the operation of the proposed scheme in order to escape detection, e.g. replicating the attack traffic data on a false router to mislead the scheme, will make the proposed scheme more reliable.

References

  • Abedinia, O., & Amjady, N. (2015). Short-term wind power prediction based on hybrid neural network and chaotic shark smell optimization. International Journal of Precision Engineering and Manufacturing-Green Technology, 2(3), 245-254. DOI: 10.1007/s40684-015-0029-4
  • Abedinia, O., & Amjady, N. (2016). Net demand prediction for power systems by a new neural network-based forecasting engine. Complexity. DOI: 10.1002/cplx.21807. Retrieved from http://dx.doi.org/10.1002/cplx.21807
  • Abedinia, O., Amjady, N., & Ghasemi, A. (2014). A new metaheuristic algorithm based on shark smell optimization. Complexity, 00(00), 1-20. DOI: 10.1002/cplx.21634. Retrieved from http://dx.doi.org/10.1002/cplx.21634
  • Abedinia, O., Amjady, N., Yousefi, N., & Aramli, M. S. (2016). A descriptive study on mathematical model of shark's capabilities as a successful hunter. Recent Advances in Biology and Medicine, 2(-), 48-56. DOI: 10.18639/RABM.2016.02.292390. Retrieved from http://dx.doi.org/10.18639/RABM.2016.02.292390
  • Ahmadigorji, M., & Amjady, N. (2016). A multiyear DG-incorporated framework for expansion planning of distribution networks using binary chaotic shark smell optimization algorithm. Energy, 102, 199-215.
  • Ahmed, I. K., & Fapojuwo, A. O. (2016). Security threat assessment of simultaneous multiple Denial-of-Service attacks in IEEE 802.22 Cognitive Radio networks. Paper presented at the IEEE 17th International Symposium on A World of Wireless, Mobile and Multimedia Networks (WoWMoM), Coimbra, 2016, pp. 1-9. DOI: 10.1109/WoWMoM.2016.7523510
