Design Issues of Enhanced DDoS Protecting Scheme under the Cloud Computing Environment
Abstract—Due to the growth of the Internet and the increase in data, many companies have begun to migrate their data services from the Web to the Cloud, but this comes with many security issues, such as Distributed Denial of Service (DDoS) attacks and Zero-day attacks. DDoS is a critical threat in the cloud computing environment: it attempts to make a machine or network unavailable to its users. Confidence Based Filtering (CBF) is one of the conventional approaches to defending against DDoS. The CBF method collects packets and extracts attribute pairs in order to calculate a score for each packet, and then decides whether or not to discard it. However, in the CBF method the weight of each attribute pair and the threshold value used in the calculation are static. Therefore, we propose a novel method called N-CBF that improves on these drawbacks of the CBF method. First, the N-CBF scheme can dynamically adjust the weight value of each attribute pair. Second, each packet has its own unique threshold value. Third, we performed simulations to compare and analyze the effectiveness and efficiency of the N-CBF scheme according to the KPIs. The simulation results indicate that the proposed N-CBF scheme obtains a higher detection ratio than CBF, by 9.02% on average, with a little overhead in average processing time. Finally, N-CBF can support more refined and robust protection mechanisms against DDoS attacks and also provide a more secure cloud computing environment.

Keywords—Cloud Computing; DDoS; N-CBF; CBF; Detection ratio

I. INTRODUCTION

Cloud computing is a service platform with resource optimization and measured pricing, in which computing, storage, network resources, hardware, software and other IT resources are virtualized. The cloud service is on-demand utility computing delivered over the network anytime and anywhere [20]. The ability of cloud computing to process large amounts of data and to increase computing speed is based on resource sharing and on the provider consolidating massive resources for the use of multiple users. This in turn leads to concerns over information security. Distributed Denial of Service (DDoS) attacks are one of the major threats in the cloud environment. DDoS is a malicious network attack that previous researchers have found to be mainly aimed at exhausting network and computing resources in order to prevent them from providing normal services to users [2, 9].

Previous studies have found three main approaches to defending against DDoS attacks: attack detection, attack trace-back, and attack filtering [2, 4]. This paper examines the attack filtering approaches and the detection of cyber-attacks. A number of past studies have proposed ways of filtering out DDoS attacks. The cost involved in most of these methods indicates that they are inefficient at processing a high volume of packets, or that they are confined to spoofed-IP attacks and do not work against distributed attacks. The current Confidence Based Filtering (CBF) method extracts a packet and looks at the attributes of the packet header to determine its legitimacy. But the CBF method does not adjust the attribute weight and threshold while processing the current packet. This increases the chance of packets being misidentified, leading to a reduced detection ratio and accuracy ratio. Therefore, this paper is focused on the following purposes:

• Since the weight of each attribute pair and the threshold value in the calculation are static in the CBF method, we propose a novel method called N-CBF that improves upon several deficiencies of the CBF method among existing DDoS defense mechanisms.
• Propose a weight reference table for calculating the N-CBF score of each packet. The confidence value of each attribute can then be used to find the corresponding weight.
• When designing the threshold, adjust the threshold based on the confidence value assigned to that packet attribute in order to deal with different packet attributes.
• Design a simulator for the N-CBF method proposed in this paper in order to carry out simulation experiments. Performance is also compared against the existing CBF method and analyzed to show that real-time dynamic adjustment of the weight and threshold used in the calculations does not waste computing resources but instead achieves a more effective use of resources while also improving the detection ratio.
• Propose two key performance indicators: detection ratio and average processing time. Simulation experiments and results analysis are used to show that the proposed N-CBF scheme can refine the CBF.

This paper is organized as follows. Section I introduces the research background and purpose. Section II surveys the related literature and current issues in DDoS defense. Section III explains our research process and methods. Section IV comprises the construction of the simulation experiments and the results analysis. A conclusion is drawn in Section V.
behavior while browsing the website was used to detect DDoS attacks [12]. The CBF method therefore uses the packet IP and TCP header attributes as the basis for correlation. By finding and quantifying the attribute pairs within the packet, a CBF score can be calculated to determine whether the packet comes from legitimate or illegitimate access.

CBF calculations have two parts. The first is the calculation of the confidence value. The confidence value is the frequency of attribute pairs with the same values divided by the total number of packets in the packet flow over a set time interval. A higher frequency of identical values means a higher confidence value. In a packet, each attribute pair has one confidence value. The second part is the calculation of the CBF score. In this method, each attribute pair is assigned a weight. The CBF score is a weighting of the attribute confidence values of each packet. Finally, the CBF score is compared with the pre-defined threshold. If it is greater than the threshold, the packet came from a legitimate channel; if not, the packet may be from a DDoS attack. The weakness of the CBF method is that the attribute weights and the threshold used in its calculations are fixed and cannot be adjusted to the circumstances of each packet. Although fixed values are convenient for computation and improve processing speed, the accuracy ratio may suffer. Hence, this paper further improves the CBF method by proposing a method named N-CBF that dynamically adjusts the attribute weights and the threshold value based on the circumstances of each packet.

III. N-CBF OPERATIONS ISSUE AND ALGORITHM DESIGN

The emphasis of this paper is to take the existing DDoS defense mechanism known as the CBF method and verify the problems in its handling of packet filtering, in order to enhance key performance indicators such as detection ratio and average processing time. So the N-CBF method is proposed as a way of solving the original CBF method's problem of being unable to adjust its filtering mechanism for each packet attribute. Simulation experiments are also conducted to show that processing speed can be improved without wasting computing resources.

The N-CBF method is based on the following principles:
• Automatically adjust the weight of each attribute's confidence value for calculating the N-CBF score.
• Dynamically adjust the threshold value to enable correct identification of legitimate or malicious packets.

The algorithm of this paper follows the procedure below. First, read the packet attributes in order to extract the six necessary attribute types, then pair them together to derive fifteen different attribute pairs. Calculate their confidence values using Equation (1):

Conf(attribute pair) = (number of packets in which the two attribute values appear together) / N   (1)

In Equation (1), an attribute pair consists of two packet attributes and their values; the numerator is the frequency with which the first attribute equals its value and the second attribute equals its value in the same packet, and N is the total packet count. The confidence value is thus the frequency of associated values appearing in two attributes divided by the total packet count.

To facilitate access in subsequent calculations, we establish a data set called the Nominal Profile (NP) for storing the confidence values that the attribute pairs correspond to. If the confidence value is greater than the one in NP, or this field in NP is empty, then NP is updated. Conversely, if the confidence value is less than the one in NP, NP is not updated. If there are still unread packets, go back to the first step and keep reading. Once all packets have been read, proceed to calculating the N-CBF score. Use the attribute pairs in the packet to look up the corresponding confidence values in NP, then use each confidence value to find the corresponding weight ratio in the weight reference table. Each confidence value is then combined with its attribute weight to derive the N-CBF score. The calculation of the N-CBF score is shown in Equation (2):

N-CBF Score = (sum over the 15 attribute pairs of weight × confidence value) / (sum of the 15 weights)   (2)

In Equation (2), 15 is the total number of attribute pairs, the weight is the one corresponding to each confidence value, and the confidence value is that of the attribute pair; the N-CBF score is calculated by taking the confidence values of the fifteen packet attribute pairs together with their corresponding weight values and performing the weighted calculation. Finally, the N-CBF score is compared with the threshold value. If the score is higher than the threshold value, the packet is legitimate and is accepted. If the score is lower than the threshold value, the packet is determined to be malicious and discarded. The threshold value is calculated as shown in Equation (3):

Threshold_VAL = (sum of the 15 confidence values of the packet) / 15   (3)

In Equation (3), the threshold value (Threshold_VAL) is the average of the fifteen confidence values of each packet.

The six packet attributes extracted in this paper are shown in Table I. The two attributes Source IP address and Flag used in the CBF method have been replaced: because the packet source is usually spoofed, Type of service is used instead to track the type of service requested, and Window size is faster to calculate than the Flag attribute, so it is used instead as well.

TABLE I. DESCRIPTION OF THE PACKET ATTRIBUTES

Header     | Attribute               | Details
IP header  | Total length            | Length of the entire IP packet.
IP header  | Time to live            | Tells the network how many routers (hops) this packet can cross, to avoid looping in the network.
IP header  | Protocol type           | The type of transport packet being carried.
IP header  | Type of service         | Defines the way routers should queue packets while they are waiting to be forwarded.
TCP header | Destination port number | The destination port number.
TCP header | Window size             | Indicated in the acknowledgment field; what the sender of this segment is willing to accept.
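The six attributes of Table I are read directly from the IPv4 and TCP headers. The following is an added example, not code from the paper, that extracts them from a raw packet and honours the IHL field so that IP options do not shift the TCP fields; the sample packet it builds is constructed, with placeholder addresses.

```python
import struct

# Fixed 20-byte layouts of the IPv4 and TCP headers (RFC 791 / RFC 793).
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
TCP_HDR = struct.Struct("!HHIIHHHH")


def extract_attributes(frame):
    """Return the six N-CBF attributes of Table I from a raw IPv4/TCP packet."""
    if len(frame) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_length, _ident, _flags_frag,
     ttl, protocol, _ip_csum, _src, _dst) = IPV4_HDR.unpack_from(frame, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes, options included
    if ihl < 20 or len(frame) < ihl + TCP_HDR.size:
        raise ValueError("bad IHL or truncated TCP header")
    if protocol != 6:
        raise ValueError("not TCP; Table I needs the TCP destination port and window")
    (_sport, dport, _seq, _ack, _off_flags,
     window, _tcp_csum, _urg) = TCP_HDR.unpack_from(frame, ihl)
    return {"TL": total_length, "TTL": ttl, "PT": protocol,
            "ToS": tos, "DP": dport, "WZ": window}


def build_sample_packet(tos=0, ttl=64, dport=443, window=65535, ip_options=b""):
    """Constructed IPv4+TCP SYN with no payload; 10.0.0.1 -> 10.0.0.2 are placeholders."""
    ihl_words = (20 + len(ip_options)) // 4  # ip_options must be a multiple of 4 bytes
    total_length = 20 + len(ip_options) + TCP_HDR.size
    ip = IPV4_HDR.pack((4 << 4) | ihl_words, tos, total_length, 0x1234, 0x4000,
                       ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset 5 words, SYN flag set, checksum and urgent pointer left zero
    tcp = TCP_HDR.pack(40000, dport, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + ip_options + tcp


if __name__ == "__main__":
    print(extract_attributes(build_sample_packet()))
```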
Using the six separate attributes for pairing gives a total of 15 possible attribute pairs. Hence, the goal is to show that the confidence value of a pair of values increases as the probability of the two attribute values appearing together increases. In summary, the process flow of N-CBF operations is shown in Figure 1.

[Figure 1 flowchart: START; read the incoming packet; use the packet attributes to calculate the confidence value (CV); if the CV is bigger than the Nominal Profile (NP), update the CV in NP; while there are still incoming packets, repeat; for each packet's attribute pairs, look up the corresponding CV in NP; use the corresponding CV and the weight to calculate the N-CBF value and the threshold value; if the N-CBF value is bigger than the threshold value, accept the packet, otherwise discard it; while there are still packets not yet distinguished, repeat; END.]

Figure 1. The operational flow of N-CBF.

Table II compares the features of the CBF and N-CBF methods. The weight of each attribute pair and the threshold value are static in the CBF method; the N-CBF method we propose improves upon several deficiencies of the CBF method among existing DDoS defense mechanisms. Therefore, N-CBF will enhance the detection ratio.

TABLE II. DIFFERENCES BETWEEN THE CBF AND THE N-CBF

DDoS scheme features | CBF | N-CBF
Packet attributes | Total length, Time to live, Protocol type, Destination port number, Source IP address, Flag | Total length, Time to live, Protocol type, Destination port number, Type of service, Window size
The weight ratio | Static | Adjusted dynamically according to each packet's attribute pairs.
The threshold value | Static | Adjusted dynamically according to each packet.

The pseudo code for designing N-CBF is expressed as follows:

    Algorithm N-CBF(){
    Input:
        #define Packet[1...i] i = 1...N;
        #define Packet[].TL[];    // Total Length
        #define Packet[].TTL[];   // Time to Live
        #define Packet[].PT[];    // Protocol Type
        #define Packet[].ToS[];   // Type of Service
        #define Packet[].DP[];    // Destination Port
        #define Packet[].WZ[];    // Window Size
        #define NP[][];           // Nominal Profile: attribute values per packet
        #define NPCV[];           // confidence values stored in the Nominal Profile
        #define CV_Comp();
        #define N-CBF_Comp();
        #define Threshold_Comp();
        Double CV_VAL;
        Double N-CBF_Score;
        Double Threshold_VAL;
        Int N;
    Output: To complete Filtering packet Process;
    Method:
    BEGIN{
        Int N = 0;
        // Read every incoming packet (the loop is bounded by the packets that arrive, not by N, which starts at 0)
        While there is an incoming packet do {
            N++;
            Packet[N] = input.Packet;}
        For each Packet do
        For(int i = 1; i <= N; i ++){
            NP[i][1] = Packet[i].TL[i];
            NP[i][2] = Packet[i].TTL[i];
            NP[i][3] = Packet[i].PT[i];
            NP[i][4] = Packet[i].ToS[i];
            NP[i][5] = Packet[i].DP[i];
            NP[i][6] = Packet[i].WZ[i];
            For(int j = 1; j <= 6; j ++){
                CV_Comp( NP[i][j] );
                If (CV_VAL > NPCV[i]) then
                    Update NPCV[i] with CV_VAL;
                End if}}
        For(int i = 1; i <= N; i ++){
            N-CBF_Comp(NPCV[i]);
            Threshold_Comp(NPCV[i]);
            If (N-CBF_Score > Threshold_VAL) then
                Accept the packet;
            Else if (N-CBF_Score <= Threshold_VAL) then
                Discard the packet;
            End if}}
    End
    Procedure CV_Comp(NP[i][j]){
        Int Count = 0;
        For(int z = 1; z <= N; z ++){
            If(NP[i][j] == NP[z][j])
                Count ++;
            End if}
        CV_VAL = Count / N;            // Equation (1)
        Return CV_VAL;}
    End
    Procedure N-CBF_Comp(NPCV[i]){
        Double CV = 0;
        Double W = 0;
        For(int i = 1; i <= 15; i ++){
            Weight = look up NPCV[i] in the weight reference table;
            CV += Weight * NPCV[i];
            W += Weight;}
        N-CBF_Score = CV / W;          // Equation (2)
        Return N-CBF_Score;}
    End
    Procedure Threshold_Comp(NPCV[i]){
        Double CV = 0;
        For(int i = 1; i <= 15; i ++){
            CV += NPCV[i];}
        Threshold_VAL = CV / 15;       // Equation (3)
        Return Threshold_VAL;}
    End}
    End N-CBF.

IV. SIMULATIONS SETUP AND RESULTS ANALYSIS

A. Simulation Setup

The experiments of this paper build up a cloud simulation environment with virtual machines and physical machines; all virtual machines use Oracle VM VirtualBox 5.0.10 installed on the Ubuntu system, the JDK version is 1.8.0 and the Hadoop version used is 2.7.1. The hardware and software specifications of the experimental environment are listed in Table III. In our simulations, we capture data from the MAWI Traffic Archive website (http://mawi.wide.ad.jp/mawi/) as the testing packets for our experiments. Also, all our testing data simulated in N-CBF is similar to that of the CBF method.

B. Results Analysis

Our simulations use two virtual machines to run the N-CBF and CBF source code in the cloud environment. Simulations are performed with 1000, 2000, 5000, 10000 and 50000 packets each, and each is executed ten times in order to obtain the average processing time. The simulation results are shown in Figure 2, Figure 3 and Table V.

[Figure 2: Detection Ratio (50% to 100%) versus Packet Numbers (1000, 2000, 5000, 10000, 50000) for N-CBF and CBF.]

Figure 2. The Detection Ratio of the Simulations.

[Figure 3: Average Processing Time, in seconds (0 to 10).]
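The N-CBF procedure of Equations (1) to (3) and the pseudo code above, implemented in Python as an added example that is not the paper's simulator code. The weight reference table is not reproduced on the page, so WEIGHT_TABLE is an assumed stand-in in which the weight grows with the confidence value, and all packet values are constructed.

```python
from collections import Counter
from itertools import combinations

ATTRS = ("TL", "TTL", "PT", "ToS", "DP", "WZ")  # the six attributes of Table I
PAIRS = list(combinations(ATTRS, 2))            # the 15 attribute pairs

# Assumed weight reference table (the paper's own table is not on the page):
# a confidence value at or above the bound on the left maps to the weight on the right.
WEIGHT_TABLE = [(0.0, 1.0), (0.25, 2.0), (0.5, 3.0), (0.75, 4.0)]


def weight_for(conf):
    """Find the weight ratio that corresponds to a confidence value."""
    weight = WEIGHT_TABLE[0][1]
    for bound, w in WEIGHT_TABLE:
        if conf >= bound:
            weight = w
    return weight


def build_nominal_profile(packets):
    """Equation (1): Conf(pair) = packets carrying that value pair / total packet count N."""
    n = len(packets)
    profile = {}
    for a, b in PAIRS:
        for values, count in Counter((p[a], p[b]) for p in packets).items():
            profile[(a, b, values)] = count / n
    return profile


def confidences(packet, profile):
    """Look up the packet's 15 confidence values in the Nominal Profile (0 if never seen)."""
    return [profile.get((a, b, (packet[a], packet[b])), 0.0) for a, b in PAIRS]


def ncbf_score(confs):
    """Equation (2): confidence values weighted by their table weights, over the weight sum."""
    weights = [weight_for(c) for c in confs]
    return sum(w * c for w, c in zip(weights, confs)) / sum(weights)


def threshold_val(confs):
    """Equation (3): the packet's own threshold is the average of its 15 confidence values."""
    return sum(confs) / len(confs)


def filter_packets(packets, profile):
    """Accept a packet only if its N-CBF score is higher than its own threshold."""
    decisions = []
    for p in packets:
        confs = confidences(p, profile)
        decisions.append(ncbf_score(confs) > threshold_val(confs))
    return decisions


# Constructed sample traffic (not captured data): four packets forming the Nominal Profile.
PROFILE_PACKETS = [
    {"TL": 60, "TTL": 64, "PT": 6, "ToS": 0, "DP": 443, "WZ": 65535},
    {"TL": 60, "TTL": 64, "PT": 6, "ToS": 0, "DP": 443, "WZ": 29200},
    {"TL": 52, "TTL": 128, "PT": 6, "ToS": 0, "DP": 80, "WZ": 8192},
    {"TL": 60, "TTL": 64, "PT": 6, "ToS": 0, "DP": 80, "WZ": 29200},
]
# Constructed incoming packets: one seen before, one whose value pairs never occur, one mixed.
INCOMING = [
    {"TL": 60, "TTL": 64, "PT": 6, "ToS": 0, "DP": 443, "WZ": 29200},
    {"TL": 40, "TTL": 255, "PT": 17, "ToS": 0, "DP": 53, "WZ": 0},
    {"TL": 52, "TTL": 128, "PT": 6, "ToS": 0, "DP": 443, "WZ": 8192},
]

if __name__ == "__main__":
    np_ = build_nominal_profile(PROFILE_PACKETS)
    for p, ok in zip(INCOMING, filter_packets(INCOMING, np_)):
        print("accept" if ok else "discard", p)
```

Because the assumed weights grow with confidence, the weighted score can only fall to the per-packet threshold when all fifteen confidence values are equal, which is why the packet whose value pairs are all unseen (score 0, threshold 0) is discarded; a different weight table moves that boundary.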
TABLE V. THE EXECUTION RESULTS BETWEEN N-CBF AND CBF

KPIs | Packet Numbers | N-CBF | CBF | Difference ratio
Detection ratio | 1000 | 78% | 77% | 1.2%
Detection ratio | 2000 | 80% | 76% | 5.2%
Detection ratio | 5000 | 84% | 80% | 5%
Detection ratio | 10000 | 88% | 74% | 18.9%
Detection ratio | 50000 | 93% | 81% | 14.8%
Average Processing Time (unit: Sec.) | 1000 | 0.085 | 0.082 | -3.6%
Average Processing Time (unit: Sec.) | 2000 | 0.1811 | 0.1724 | -5.%
Average Processing Time (unit: Sec.) | 5000 | 1.02 | 0.983 | -3.7%
Average Processing Time (unit: Sec.) | 10000 | 3.85 | 3.65 | -5.4%
Average Processing Time (unit: Sec.) | 50000 | 6.453 | 5.89 | -9.5%

The N-CBF method is proposed with more accurate filtering capabilities through validation and improvement of the CBF method. After using the N-CBF method, the detection ratio is enhanced. Although the average processing time carries a little overhead owing to the calculation of the dynamic adjustment process, we will make some improvements on this indicator in the future.

V. CONCLUSION

This paper proposed an N-CBF method that is an improved version of the existing CBF method among DDoS defense mechanisms. In the original CBF method, a problem with the filtering process is that the weight used for calculating the CBF score is not modified for different packet attributes. Its threshold is not adjusted according to the content of the current packet either. This increases the chance of packets being misidentified, reducing the detection ratio. By using the weight reference table proposed in this paper to dynamically adjust the attribute weight needed for calculating the N-CBF score, and by adjusting the threshold based on the confidence value of each packet, the detection ratio can be improved. We also performed experiments to compare the N-CBF and CBF methods. The simulation results indicate that the proposed N-CBF method obtains a higher detection ratio, by about 9.02% on average, with little overhead in processing time over CBF. In the future, we will examine other KPIs such as the accuracy ratio to further prove that the proposed N-CBF scheme can offer a more refined and robust protection mechanism against DDoS attacks and also provide a more secure cloud computing environment.

ACKNOWLEDGEMENTS

The partial work of this paper is funded and supervised by the Ministry of Science and Technology in Taiwan under Grant MOST 104-2410-H-031-036-.

REFERENCES

[1] Paulo E. Ayres, Huizhong Sun, H. Jonathan Chao and Wing Cheong Lau, ALPi: a DDoS defense system for high-speed networks, IEEE Journal on Selected Areas in Communications, Vol. 24, No. 10, pp. 1864-1876, October 2006.
[2] Wanchun Dou, Qi Chen and Jinjun Chen, A confidence-based filtering method for DDoS attack defense in cloud environment, Future Generation Computer Systems, Vol. 29, No. 7, pp. 1838-1850, September 2013.
[3] Christos Douligeris and Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, Vol. 44, No. 5, pp. 643-666, April 2004.
[4] Yoohwan Kim, Wing Cheong Lau, Mooi Choo Chuah and H. J. Chao, PacketScore: a statistics-based packet filtering scheme against Distributed Denial-of-Service attacks, IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 2, pp. 141-155, April-June 2006.
[5] Felix Lau, Stuart H. Rubin, Michael H. Smith and Ljiljana Trajkovic, Distributed Denial of Service attacks, In Proc. of the 2000 IEEE International Conference on Systems, Man, and Cybernetics, Vol. 3, pp. 2275-2280, October 2000.
[6] Shamsul Anuar Mokhtar, Siti Haryani Shaikh Ali, Abdulkarem Al-Sharafi and Abdulaziz Aborujilah, Cloud computing in academic institutions, In Proc. of the 7th International Conference on Ubiquitous Information Management and Communication, January 2013.
[7] Jelena Mirkovic and Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, pp. 39-53, April 2004.
[8] Rik Turner, Tackling the DDoS threat to banking in 2014, White Paper of Akamai, 2014.
[9] Tao Peng, Christopher Leckie and Kotagiri Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), Vol. 39, No. 1, Article 3, April 2007.
[10] Haining Wang, Cheng Jin and Kang G. Shin, Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Transactions on Networking, Vol. 15, No. 1, pp. 40-53, February 2007.
[11] Bing Wang, Yao Zheng, Wenjing Lou and Y. Thomas Hou, DDoS attack protection in the era of cloud computing and software-defined networking, Computer Networks, Vol. 81, pp. 308-319, April 2015.
[12] Yi Xie and Shun-Zheng Yu, A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors, IEEE/ACM Transactions on Networking, Vol. 17, No. 1, pp. 54-65, February 2009.
[13] Peter Mell and Timothy Grance, The NIST definition of cloud computing, 2011.
[14] Top Threats Working Group, The notorious nine: cloud computing top threats in 2013, Cloud Security Alliance, 2013.
[15] Chris Preimesberger, DDoS attack volume escalates as new methods emerge, http://www.eweek.com/security/slideshows/ddos-attack-volume-escalates-as-new-methods-emerge.html
[16] US-CERT, Understanding Denial-of-Service Attacks, https://www.us-cert.gov/ncas/tips/ST04-015
[17] Wikipedia, Denial-of-Service Attack, https://en.wikipedia.org/wiki/Denial-of-Service_attack#cite_note-preimesberger2014-1
[18] http://ics.stpi.narl.org.tw/html/rept_content.jsp?id=1390205301659
[19] http://www.informationsecurity.com.tw/article/article_detail.aspx?tv=&aid=7695&pages=1
[20] http://www.uis.com.tw/edm/uisnews/uisnews042/learning.aspx
[21] http://newsletter.ascc.sinica.edu.tw/news/read_news.php?nid=1869