Printer Friendly

Sequential hypothesis testing method of anomaly detection against flooding attack.


About DDoS

Denial of service attacks are a major cause of incorrect operation in the Internet and are arguably the most serious threat that the Internet community faces today, because they render a computer (or) network incapable of providing normal services. In a DDOS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim as shown in figure.1.



Flooding based distributed denial of service (DDOS) attack presents a very serious threat to the stability of the Internet. SYN Flooding: Although this type of attack benefits from TCP protocol features (TCP three-way handshake), we consider it as a flood attack, since its impact is due to flood principles. Due to the importance of this DDOS attack type, we present a detailed explanation of how it works.

TCP connection establishment (3 way handshake): When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages (Figure 2).

i. The client system begins by sending a SYN message to the server.

ii. When the server receives the "SYN" message, it reserves some of its resources for the expected connection and sends a "SYN-ACK" message back to the client.

iii. The client then finishes establishing the connection by responding with an ACK message.

iv. After reception of the last message "ACK" from the server, the connection is successfully established and the two peers are able to start exchanging their data.


Attack description

The attacking system sends SYN messages with spoofed source IP address to the victim server system; these appear to be legitimate but in fact reference a client system that does not exist or that will not respond to the SYN-ACK messages (Figure.2) This means that the final ACK message will never sent to the victim server system. The allocated resources of the half-open TCP connections will only be released after time-out. Since system resources are finite and limited, the system will soon be unable to accept any new incoming connections.


The magnitude of the combined traffic is significant enough to exhaust system resources. The DDOS attacks against yahoo [1], eBay, shows the vulnerability of even well equipped networks. Many DDOS attacks go unreported in the internet. There are more number of user friendly attack tools available [6,8]. So DDoS attack launching becomes very easy. But, there is still a lack of effective solutions to defend against them in terms of aborting an ongoing attack in a timely fashion. In out work we propose a comprehensive sequential test method against DDoS attack, which consumes short detection time and accuracy in more.

The remainder of the paper is organized as follows: Section.2 explains about related work--traditional Network Intrusion Detection System (NIDS). Section.3 details our proposed work. Section.4 discusses about the implementation--Architecture, sequential test method and DDoS detection. Section.5 details about performance evaluation and discusses about the results. Section.6 states conclusion and future work.

Related Work

Due to the readily available toole, "Flooding" attack becomes most common DDoS attack. They intend to overflow and consume resources available to the victim. When the number of attackers is very large, the flows from each attacker can be very small to detect. So, detection based on instantaneous deviation will be useless. Because, the deviation will be very small in small flow. [Multtops, D-ward]. [3,7]

Most of the DDoS detection system models are based on traffic flow rates. As many new applications are coming up and End user's behavior also vary, it is difficult to get a general efficient model based on traffic flow alone.

So, we need a DDoS detection system which is not only based on traffic flow. We propose a sequential method to detect DDoS attack quickly, which captures cumulative deviations from a normal behavior over time.

Proposed Work

In our proposed work, we make use of a comprehensive sequential test method to detect DDoS attack quickly. Our work consists of two phases namely Phase 1 and Phase 2.

In phase 1, We consider a time series T1, T2, T3 ... Tn. We find the difference between the number of opening and closing connections over the time series. (Number of SYN vs. FIN). From this testing we compute the accumulative likelihood ratio statistic. The alarm is raised if this ratio exceeds some threshold.

In phase 2, We monitor the percentage of new IP addresses over the time series T1, T2, T3, ... Tn. This will be very effective in detecting the attacks.

The combined belief of Phase 1 and Phase 2 is considered to detect the DDoS attack. The sequential analysis test is very much useful to reduce detection time and to reduce misdetection rates. It is possible to balance the trade of between the three quantities namely detection time, false alarm and misdetection rate.


The proposed method can be used at the core as well as at edge routers. But it is more suitable to use this method at edge routers, because reflected attacks can be detected early [5].


The figure.4 shows how the proposed method is implemented in edge routers.


The comprehensive DDoS detection system consists of two phases as shown in figure.5.Phase.1.Sequential test method and Phase.2.monitoring new IP addresses. The two phases raise alarms when they find the observed statistical ratio crosses some threshold. Based on the combined belief of the two alrms DDoS attack is confirmed.


Phase.1.Sequential test method

This is based on inherent request vs reply protocol behavior. We have taken TCP-SYN flooding attack. Here, a large number of TCP SYN packets is sent to victim's server port. If the port is actively listening for connection requests, the victim would respond by sending back SYN-ACK packets. However, since the source addresses in these packets are spoofed addresses, these response packets are sent elsewhere in the Internet. Thus the victim retransmits the SYN-ACK packets several times before giving up. However, these half open connections will quickly consume all the memories allocated for pending connections, thus preventing the victim from accepting new request.

In phase 1, the number of requests and number of replies are calculated. We consider a time series {T1, T2, T3,...Tn}. We find the number of SYN (opening connections) and FIN (RST) (closing connections) packets. For each sampling period we calculate the average number of replies R'. n [SIGMA]Xi= Total number of requests--corresponding replies for one sampling period. t=1 This value is normalized by R' as follows.

n [DELTA]n = [SIGMA]Xi/R' t=1

Now we consider this ratio for deciding hypothesis and to raise alarm.

i. H = 0 (Null hypothesis)--Normal situation H = 1 (Alternative hypothesis)--abnormal situation.

ii. Sequence of observed data X1,X2,X3,...Xn

iii. Decision consists of

--Stopping time N(stop taking samples)

--Make a hypothesis--H=0 (or) H=1?

Now as shown in figure.6.the alarm is raised if the .n value exceeds the threshold value N.


Phase.2.Monitoring new IP addresses

Monitoring the percentage of new IP addresses is effective in detecting the attacks. Over the same time series T1,T2,T3,...Tn, the incoming IP addresses are collected. Let F be the collection of frequent IP addresses, and M be the collection of incoming IP addresses in time interval T.

Yn = |M| - |M U F |/|F|,

Where Yn is the percentage of new IP addresses in time interval T. When this value Yn exceeds the threshold value say N, then alarm is raised.

DDoS Detection

When both phase I and phase II raise alarms, based on the combined belief DDoS attack is confirmed as shown in figure 7.


Based on the values of .n and Yn the hypothesis is decided, and DDoS attack is confirmed.

Discussion of Results and Performance Evaluation

The simulation model of comprehensive sequential test method is implemented with JAVA as front end and MS-access as backend.

Packages used

The following are some of the packages used to implement the system. import * This provides support for I/O operations in java. Data is retrieved from input sources. The results of a program are sent to an Output.

import java.awt. * and import java.awt.event. * This provides support for the development of user interface and its corresponding events respectively.

import javax.swing. * and import javax.swing.event. * The swing is a set of classes that provides more powerful and flexible component than are possible with the AWT. The event-handles the events of the placed components.

import * This package supports for creating the network connection like socket, TCP/IP, Client/server programming. Interfaces: Action Listener: This interface defines the actionPerformed () method that is invoked when an action event occurs.

Screen shots

i) Server Authentication

As shown in figure.8., all the clients who wish to get some services from the server or who wants to communicate with the users both within the network and the users in other network has to be authenticated first. For this purpose all the clients have to login into the server.


ii) The client can log in to the local network and internet. For the purpose of login the user has to give his user name, password and should enable the check box [internet server or local stub]. If the client logs in into a local server the server of the local stub will perform authentication. If the client logs in into the Internet, the Internet server will do the authentication.


iii) The figure.10.shows the screen shot how the packets are chosen from the clients and sent to the server. It shows the list of all online users and the received status.


iv) The figure.11.shows the screen shots of sending the request and getting acknowledgement. Figure.12. shows how the request and reply packets are classified.



v) After the request and reply packets are differentiated the sequential test method is applied. Then according to the method mentioned in section 4.2. and 4.3.and 4.4 the values of [DELTA]n and Yn are calculated and compared with the threshold value shown in figure.13.



Since the proposed system make use of sequential test method, it detects the DDoS attack early. Because the percentage of new IP addresses help to detect the attack before. The method can be used to detect DoS as well as DDoS attacks.


In this paper we proposed a comprehensive sequential test method to detect DDoS attack .Over a time series, we capture the deviations and sum up, which will be used to find out the deviation from normal behavior over time. This method is applicable to find out flooding attack and spoofing. This method consumes short detection time and accuracy is more.

This work can be further extended to work in a distributed manner [1]. For example, we can have the same detection method in more than one Autonomous System(AS) and alerts from all detection systems could be exchanged with each other. Here we can make use of consensus type of algorithms for message exchange. So that the global decision can be taken quickly and accurately.


[1] Guangsen Zhang And Manish Parashar, Department of Electrical and Computer Engineering, RUTGERS, The State University of New Jersey, Cooperative defence against DDoS attacks, Journal of research and Practice in Information Technology, Vol.38, No.1, February 2006.

[2] Haining Wang, Member,IEEE, Danlu Zhang, Member, IEEE, and KANG G.SHIN,Fellow,IEEE, Change Point Monitoring for the Detection of DoS Attacks, IEEE Transactions On Dependable and Secure Computing, Vol.1,No.4,October-December 2004.

[3] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the Source," presented at ICNP 2002, 2002.

[4] JOHN HAGGERTY, member, IEEE, QI SHI, Member, IEEE, and MADJID MERABTI,Member, IEEE,Early Detection and Prevention of Denial-Of-service Attacks: A Novel Mechanism With Propogated Traced-Back Attack Blocking, IEEE Journal On selected Areas in Communication, Vol 23, No.10,October 2005.

[5] SHIGANG CHEN, Member, IEEE, and QINGGUO SONG, Perimeter-Based Defense against Bandwith DDoS Attacks, IEEE Transactions on Parallel and Distributed systems, Vol.16, No.6, June 2005.

[6] Stephen M. Specht, 2004, electrical Engineering, Princeton University, RUBY B LEE, Electrical Engineering, Princeton University, Distributed Denial Of Service : Taxonomies of attacks, tools and countermeasures, Proceedings 17th international Conference on parallel and distributed computing system,2004,International workshop on security in parallel and distributed system, pp:543-550.

[7] T.M. Gil, M. Poleto, MULTOPS: a data-structure for bandwidth attack detection, in: Proceedings of 10th Usenix Security Symposium, Washington, DC, August 13-17, 2001, pp. 23-38

[8] Valer Bocan, Department of computer science and engineering, Politechnica University of Timisoara, Bd.V.Parvan, Romania, Developments in Dos research and mitigating technologies, Transactions on automatic control and computer science, vol 49(63), 2004,ISSN 1224-600X

S. Meenakshi

Research Scholar, Sathyabama University,

Chennai, Tamil Nadu, India


Dr. S. K. Srivatsa

Senior Professor, St. Josephs' college of Engineering,

Chennai, Tamil Nadu, India
COPYRIGHT 2008 Research India Publications
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2008 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Meenakshi, S.; Srivatsa, S.K.
Publication:International Journal of Applied Engineering Research
Article Type:Report
Geographic Code:1USA
Date:Dec 1, 2008
Previous Article:Effect of piston bowl geometry on flow, combustion and emission in DI diesel engine--a CFD approach.
Next Article:Concurrent and modern approaches for designing.

Related Articles
Contingent screen 'attractive option' for down detection: decreases need for second-trimester tests.
Improving interpretation of SCC anomalies found by ultrasonic ILI.
Dependability of computer systems; proceedings.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters