Master in Web Science Mathematics Department Aristotle University of Thessaloniki

Entropy and Denial of Service Attacks

Zlatis Chris

Contents
Denial of Service attacks Definitions, related surveys Traceback of DDoS Attacks Proposed method,
advantages, future work

Detection methods with Shannon and Renyi cross entropy Previous works, proposed method, dataset
and results

The added value of entropy detection methods References

Definitions
Distributed Denial of Service Attacks (DDoS Attacks) are defined as [4] attempts to make a computer resource unavailable to its intended users.
The attacker gains control of a huge number of independently owned and geographically distributed computers, called zombies, almost always without any knowledge of their owners.

Ping flood is a type of DDoS attack directing a huge number of ping requests to the target victim. It exploits the Internet Control Message Protocol (ICMP). [4]
Huge number of ping echo requests from a very large number of zombies unable to conduct any network activity other than answering the ping echo requests overloaded and standstill.

Recent surveys
It has been a major threat to the Internet since year 2000, and a recent survey on the largest 70 Internet operators in the world [4] demonstrated that: 1. DDoS attacks are increasing dramatically, and individual attacks are more strong and sophisticated 2. The network security community does not have effective and efficient traceback methods to locate attackers as it is easy for attackers to disguise themselves 3. The Mafiaboy attacks of February 2000 against Amazon, eBay caused millions of dollars damage

There is a need to detect DDoS attacks as early as possible so that proper countermeasures can be applied and damage can be minimized.

Traceback of DDoS attacks

IP traceback means the capability of identifying the actual source of any packet sent across the Internet successful if they can identify the zombies from which the DDoS attack packets entered the Internet. There are two major methods for IP traceback: [6] 1. The probabilistic packet marking (PPM) and 2. The deterministic packet marking (DPM). The PPM strategy can only operate in a local range of the Internet (ISP network) we cannot traceback to the attack sources located out of the ISP network. The DPM strategy requires all the Internet routers to be updated for packet marking. Both of these strategies require routers to inject marks into individual packets vulnerable to hacking, referred to as packet pollution.

IP Traceback using entropy variations

IP traceback using information theoretical parameters [6] there is no packet marking in the proposed strategy avoid the inherited shortcomings of the packet marking mechanisms. The packets that are passing through a router are categorized into flows [6], which are defined by the upstream router where a packet came from, and the destination address of the packet. During non attack periods, routers are required to observe and record entropy variations of local flows. Once a DDoS attack has been identified, the victim initiates a pushback process to identify the locations of zombies

IP Traceback using entropy variations

The pushback process: [6] 1. The victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then 2. submits requests to the related immediate upstream routers. 3. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. 4. Once the immediate upstream routers have identified the attack flows, 5. they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources further. This procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s).

Advantages of traceback mechanism

The proposed traceback mechanism possesses the following advantages: [6] It overcomes the inherited drawbacks of packet marking methods, such as limited scalability, huge demands on storage space, and vulnerability to packet pollutions. It brings no modifications on current routing software work independently as an additional module on routers for monitoring and recording flow information. It will be effective for future packet flooding DDoS attacks because it is independent of traffic patterns. It can archive real-time traceback to attackers. Once the shortterm flow information is in place at routers, and the victim notices that it is under attack, it will start the traceback procedure.

Future work on Traceback methods

Future work could be carried out in the following promising directions: [6] 1. The metric for DDoS attack flows could be further explored. The proposed method deals with the packet flooding type of attacks perfectly.
The attacks with small number attack packet rates, e.g., if the attack strength is less than seven times of the strength of non attack flows, the current metric cannot discriminate it. Therefore, a metric of finer granularity is required to deal with such situations.

2. Location estimation of attackers with partial information. When the attack strength is less than seven times of the normal flow packet rate, the proposed method cannot succeed at the moment.
The attack can be detected with the information that we have accumulated so far using traditional methods or recently developed tools.

Detection methods with Shannon and Renyl cross entropy

An entropy-based method [1] is proposed to detect network attack: The Shannon entropy is used to analyze the distribution characteristics of alert with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length that reflect the regularity of network status
When the monitored network runs in normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features would change.

Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks.

Previous works on entropy detection methods

Gina investigated the extent of false alerts problem in Snort using the 1999 DARPA IDS evaluation data.
They found that 69% of total generated alerts are considered to be false alerts. [1] These problems make it a frustrating task for security officers to detect network attack quickly and accurately.

Gu proposed an approach to detect anomalies in the network traffic using Maximum Entropy estimation.
The packet distribution of the benign traffic was estimated using Maximum Entropy framework and used as a baseline to detect the anomalies.

Qin used Renyi cross entropy to detect dynamic changes in network traffic of large enterprises. Three traffic features were proposed to capture dynamic changes of traffic. A. Wagner and B Plattner applied entropy to detect worm and anomaly in fast IP networks. The entropy contents of IP addresses were used to indicate a massive network event.

Dataset and results

Methodology: [1] Use of Snort to monitor 32 C-class subnets in the campus network for two weeks, which include more than 3,000 end users.
Alerts in Mar. 2nd as the experimental data: 1,147,906 alerts in this day with 79 signatures, 32,409 source IP addresses, 12,642 destination IP addresses two alerts sets collected from different time period in Mar. 2nd as training and test data.

The statistical results of alerts suggest several interesting results: 1. More alerts were generated in daytime than that in night due to peoples living habit. There were two peaks of alerts: 12:00 to 14:00 and 21:00 to 23:30 the end users are campus students. 2. The destination IP addresses change abruptly from 0:00 to 4:00, 6:00 to 10:00, 12:00 to 16:00 and 18:00 to 22:00. By analyzing the alerts, they found many host scan attacks at these time periods.

The added value of Entropy methods

The Shannon entropy is used to analyze the alerts to measure the regularity of current network status.
They are relative smooth when no attack occurs; otherwise, one or some of the values would change abruptly.

The Renyi cross entropy is employed to detect network attack.

The Renyi cross entropy value is near 0 when the network runs in normal, otherwise the value will change abruptly when attack occurs.

However, although the Shannon entropies reflect the regularity of network status, it is difficult to detect attack directly by using five fixed thresholds [1], because the Shannon entropy value varies with the activities of end users even the network runs in normal way.

References
[1] Zhiwen Wang, Qin Xia, An Approach on Detecting Network Attack Based on Entropy, Xian Jiaotong University, China [2] Hoa Dinh Nguyen, Sandeep Gutta, Qi Cheng, An Active Distributed Approach for Cyber Attack Detection, Oklahoma State University [3] Tsern-Huei Lee - Jyun-De He, Entropy-Based Profiling of Network Traffic for Detection of Security Attack, National Chiao Tung University, Taiwan [4] Anna T. Lawniczak, Bruno N. Di Stefano, Hao Wu, Detection & Study of DDoS Attacks Via Entropy in Data Network Models, CISDA, 2009 [5] Stephen Schwab, Brett Wilson, Roshan Thomas, Methodologies and Metrics for the Testing and Analysis of Distributed Denial of Service Attacks and Defenses, SPARTA Inc. [6] Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, Traceback of DDoS Attacks Using Entropy Variations, IEEE, March 2011

Thank you.