Detecting Bandwidth DDoS Attack with Control Charts
Anderson Fernandes P. Santos (1,2), Renato S. Silva (2)
(1) Instituto Militar de Engenharia (IME), Rio de Janeiro – RJ – Brasil
(2) Laboratório Nacional de Computação Científica (LNCC), Petrópolis – RJ – Brasil
{anderson, rssr}@lncc.br
Abstract - The Distributed Denial of Service, DDoS, is an internet-wide threat and can be identified in its initial phase through the anomalous behavior of the network traffic. We present a control chart theory approach to the problem of detecting this kind of attack; it is designed for non-normal processes and is based on the evaluation of estimators that have minimal variance in estimating the process position and scattering, whatever the data distribution. We propose an algorithm to identify DDoS attacks by analyzing the behavior of these estimators.
I. INTRODUCTION
The first Denial of Service, DoS, attack was reported around 1996, when an internet service provider from New York was unavailable for a week for no apparent reason. This attack hit PANIX (Public Access Networks Corporation) and, theoretically, had been foreseen years before because of the protocol's weakness [1]. Later, in February 2000, a distributed version of that attack hit several enterprises at the same time, such as Yahoo and eBay. These companies became unavailable for two days because of this attack [2]. One of the latest and most famous attacks hit SCO and Microsoft. The first became unavailable for several days, while the second relocated its website to avoid the attack.
In the defense mechanisms taxonomy established by Mirkovic et al. [3], the classification strategy is organized in four categories:
- Pattern Attack Detection: compares the traffic pattern with an attack signature; it is implemented in various network intrusion detection tools, like snort [4];
- Anomalous Behavior: a specific behavior, defined as normal, is compared with the current one. Any difference may indicate a possible attack. Network characteristics [5] and traffic [6] can be used in this situation;
- Hybrid: contains characteristics of both Pattern Attack Detection and Anomalous Behavior. An example of this is the analysis done by Limwiwatkul and Rungsawang [7];
- Third-party: does not handle the process itself, but accessories that can be used to identify an attack, like traceback mechanisms [8] or packet marking [9].
In this paper we propose an algorithm to detect bandwidth DDoS attacks, based on statistical measures of the traffic, classified as anomalous behavior detection, with a small dynamic reference period. Using a control process approach for non-normal distributions we calculate location and scale estimators for a sliding window. In each window a threshold is established based on these estimators. The threshold and the estimators determine whether an attack is happening: an attack is considered to be happening if the value of the position estimator exceeds the threshold; otherwise, no attack is considered to be present.
This paper contains six sections. Section II describes the dataset used in this work. Section III outlines the theory of control charts, which is the basis of this study. Section IV presents the proposed algorithm. Section V summarizes the main results of the study and Section VI concludes the paper.
II. DATASETS
We used a database from DARPA [10], an off-line intrusion detection simulation produced by the System Technology Group of the Massachusetts Institute of Technology (MIT), Lincoln Laboratory, and the Air Force Research Laboratory (AFRL/SNHS).
The simulated datasets are organized in three databases: 1998, 1999 and 2000. Each of them has five weeks of five days each (Monday to Friday). In all years there is a training subset that contains three weeks and a testing subset that contains two weeks. In the training subset, the first and third weeks do not contain any attack; the second week contains known attacks. The testing subset, formed by weeks four and five, contains some attacks.
The information in these datasets was collected with tcpdump [11], a network tool that prints out the headers of packets on a network interface. This information is presented in an expanded form with a large collection of variables available.
For this work, the 1999 dataset was chosen because of the variety of DDoS attacks it contains.
1-4244-1230-7/07/$25.00 © 2007 IEEE. ICON 2007, page 519.
III. CONTROL CHARTS
Control charts were first introduced by Dr W. Shewhart in the late 1920s to control a manufacturing process at Bell Telephone Labs. These tools are used to determine whether a process is under control or not. The basic idea behind the control chart is that every process varies. There are two causes of variability: the first is called common cause, present in all processes, a random variability that cannot be removed or controlled; the second is called special cause, produced by other events, which can be identified and corrected [12].
However, these charts are meant to be used only when the data are normally distributed, a situation not found in real industrial processes, as Pyzdek [13] showed for a galvanizing process.
Duclos proposed the construction of a new control chart adapted specially to non-normal processes [14], [15]. The Shewhart control chart is constructed from the mean and the standard deviation. Duclos decided to use the mean (μ) because it minimizes the loss, in the Taguchi sense, when it coincides with the target of the process [16]. The standard deviation (σ) was chosen because it is the most common dispersion parameter in the literature.
To construct this control chart it is necessary to compute the covariance matrix (Ω) and the unitary moment vectors (U^(r)). For these, consider (x_(1), x_(2), x_(3), ..., x_(n)) the ordered observation vector (X_k). Then U^(r) is expressed as:


(1)
From U^(r) the first and second moments are constructed, as described in the following equations.














With equations (3) and (4) the covariance matrix (Ω) is constructed. From this matrix, the least squares method can be used to calculate the position (µ) and scale (σ) estimators, as described in equation (5).

(5)
To ensure that the matrix (Ω) represents the population distribution, the data must come from stationary processes. In the case of stable processes, stationarity can be assumed over short periods of time. But in such periods it is difficult to collect enough data to perform the calculation, because the amount of data is so small. In this situation the bootstrap method can be applied, because it uses Monte Carlo sampling to generate an empirical estimate of the sampling distribution [17]. In the bootstrap, some elements are drawn from the population, generating a new population of the size needed to compute a specific coefficient. All these phases are repeated a great number of times, and an approximation of the coefficient is then obtained.
The bootstrap algorithm can be summarized in four steps (Algorithm 1).
BOOTSTRAP ALGORITHM
STEP 1: Let us consider an independent sample E = (X_1, X_2, ..., X_m).
STEP 2: Select N elements from E. This sample is known as E*.
STEP 3: Study the behavior of the statistical coefficient constructed from E*.
STEP 4: Repeat STEPS 1, 2 and 3 a great number of times (B).
Algorithm 1: Bootstrap Algorithm.
Duclos' algorithm is essentially the bootstrap algorithm with STEP 3 replaced by the kernel of Duclos' methodology, as described in Algorithm 2.
DUCLOS' ALGORITHM - STEP 3
STEP 3.1: With the ordered observation sample X_k from STEP 2, generate the unitary moment vector U^(r).
STEP 3.2: With this, construct the first (α) and second (ω) order moments.
STEP 3.3: With these moments, calculate the matrix A and the covariance matrix (Ω).
STEP 3.4: Solve Equation 5 by least squares. The result is the location (µ) and scale (σ) estimators.
Algorithm 2: Duclos' Kernel Algorithm.
IV. PROPOSED ALGORITHM
In research on DDoS attack detection it is common to use attack-free periods to calibrate the algorithm. But in real traffic it is difficult to guarantee that, at a specific moment, no attack is happening. We see this as a disadvantage when applying research results in the real world. Because of this, we understand that a good algorithm must be applicable in any situation, so no attack-free reference period was used here to calibrate the algorithm. Instead, we use a small dynamic period as a reference.
Bandwidth DDoS attacks are characterized by a great number of requests to a specific service or server made at the same time. The main reason for that synchronization is the management of the zombie machines [18]. So the number of packets in the network grows very fast and, with this, the time interval between packets becomes very small. Another phenomenon that can generate a small time interval is a flash crowd, but in this situation the interval shrinks more slowly. This difference in behavior between the two situations motivates the choice of the time interval as the variable in our algorithm. No specific protocol is selected for the calculation, because some attacks can be carried out over different protocols, like TFN2K [19].
In this work we explore the behavior of the time interval between packets with an algorithm based on Duclos' algorithm. First of all, we understand that the analysis must be made over a small period of the network traffic, named a window. The size of the window, in the current stage of the research, is a variable of our algorithm, and there is no information on how small it needs to be.
Let us consider W as the window size, i.e., the period of time over which we collect the time intervals between packets in the network. Consider the j-th window and the time interval sequence (S_j) captured in this window. This sequence is not normally distributed, because of the characteristics of internet behavior, as can be seen in the sample of Figure 1, where the histogram of the three weeks under analysis is plotted.
Figure 1: Histogram of dataset used.
Applying Duclos' algorithm to this sequence we obtain the position (µ_j) and scale (σ_j) estimators for this sequence (equation 6). At this moment we cannot conclude anything about the presence or absence of an attack. Even if there is an attack present in this window (j), we believe that, because the period is short, theoretically the server (or service) is still responding, so the possibility of a problem is small. These estimators are stored to be used in the next step.
After this, the window moves to a new position (j+1) and there is a new sequence of time intervals (S_{j+1}). This change can be done in two different ways. In the first one, implemented in this study, there is no common time interval between W_j and W_{j+1}. The other way is to slide the window and construct a new one that has elements in common with the previous one.
With this new position, we obtain the values of the position (µ_{j+1}) and scale (σ_{j+1}) estimators. As described earlier, we believe that, in a DDoS attack, the number of packets in the network grows very fast, so we assume that an attack is happening if the position estimator of the window in position j+1 (µ_{j+1}) is greater than a constant, named k, multiplied by the previous scale estimator (σ_j) plus the previous position estimator (µ_j), i.e.,
An attack is happening if μ_{i+1} > μ_i + kσ_i (9)
In the same way, we can construct a similar expression to indicate an attack that had happened in the previous interval:
An attack had happened if μ_{i+1} < μ_i - kσ_i (10)
These equations are very similar to those presented in control chart theory. In that theory, the values of k were obtained through practical cases. In this research we assign k the values 1 to 10. These steps are summarized in Algorithm 3, described below.
Algorithm Proposed (WindowSize, Step, k, B)
BEGIN
  FOR j = 1 TO SAMPLESIZE, Step by Step
  BEGIN
    Get Current Window;
    FOR i = 1 TO B
    BEGIN
      Construct the sample;
      Calculate the location and scale estimators for the sample;
    END
    With these values, calculate the location (µ_j) and scale (σ_j) estimators for that Window;
    If µ_j > µ_{j-1} + k·σ_{j-1} Then mark the i-interval as an attack that has happened.
    If µ_j < µ_{j-1} - k·σ_{j-1} Then mark the i-interval as an attack that is happening.
  END
END
Algorithm 3: Proposed algorithm.
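The windowed detector of Algorithm 3, as an added Python example that is not the authors' code: windows of W inter-arrival times advance by Step, each window's location and scale are bootstrap averages over B resamples (Algorithm 1), and window j raises an alarm when its location leaves µ_{j-1} ± kσ_{j-1}. Duclos' L-estimator (Algorithm 2) is not reproduced on the page, so the per-replicate estimator is an assumed stand-in (sample median and scaled MAD), and the traffic is constructed log-normal data with a flood in windows 3 and 4.

```python
"""Added example (not the authors' code): Algorithm 3 over packet
inter-arrival times, with bootstrap location/scale estimators (Algorithm 1).
Duclos' L-estimator (Algorithm 2) is replaced by an assumed stand-in:
the sample median and the scaled median absolute deviation (MAD)."""
import math
import random
import statistics
from typing import List, Tuple


def bootstrap_estimators(window: List[float], b: int,
                         rng: random.Random) -> Tuple[float, float]:
    """Algorithm 1: draw B resamples E* (with replacement, N = window size),
    estimate location and scale on each one and average the B estimates.
    STEP 3 is a stand-in (median, 1.4826 * MAD), not Duclos' L-estimator."""
    n = len(window)
    locs, scales = [], []
    for _ in range(b):
        resample = [rng.choice(window) for _ in range(n)]
        med = statistics.median(resample)
        mad = statistics.median(abs(x - med) for x in resample)
        locs.append(med)
        scales.append(1.4826 * mad)
    # A window of identical intervals has MAD == 0; a tiny floor keeps the
    # control limits mu +/- k*sigma from collapsing to a single point.
    return statistics.fmean(locs), max(statistics.fmean(scales), 1e-12)


def detect(intervals: List[float], window_size: int, step: int,
           k: float, b: int, seed: int = 0) -> List[Tuple[int, str]]:
    """Algorithm 3: windows of W intervals advance by Step (Step == W gives
    the non-overlapping windows the paper implemented).  Window j raises an
    alarm when mu_j leaves the previous window's limits mu_{j-1} +/- k*sigma_{j-1}.
    Alarms are (j, "above") or (j, "below"): the page labels the two directions
    differently in (9)-(10) and in Algorithm 3, so only the direction is reported."""
    rng = random.Random(seed)
    alarms: List[Tuple[int, str]] = []
    prev = None
    starts = range(0, len(intervals) - window_size + 1, step)
    for j, start in enumerate(starts):
        mu, sigma = bootstrap_estimators(intervals[start:start + window_size], b, rng)
        if prev is not None:
            mu_prev, sigma_prev = prev
            if mu > mu_prev + k * sigma_prev:
                alarms.append((j, "above"))
            elif mu < mu_prev - k * sigma_prev:
                alarms.append((j, "below"))
        prev = (mu, sigma)
    return alarms


def constructed_intervals(seed: int = 1) -> List[float]:
    """Constructed log-normal (non-normal, right-skewed) inter-arrival times in
    seconds: six windows of 100 intervals; windows 3 and 4 model a bandwidth
    flood in which the spacing between packets collapses by a factor of 50."""
    rng = random.Random(seed)
    out: List[float] = []
    for w in range(6):
        median = 0.001 if w in (3, 4) else 0.05
        out.extend(rng.lognormvariate(math.log(median), 0.15) for _ in range(100))
    return out


if __name__ == "__main__":
    data = constructed_intervals()
    for k in (1, 3, 10):
        print(f"k={k:>2}: alarms {detect(data, 100, 100, k, b=50)}")
```

With the same seed the estimates are identical for every k, so raising k widens the limits and can only remove alarms, never add them, which is the dependence on k that Table 1 reports.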
(Figure 1 axis labels: time interval between packets; amount of intervals.)
V. RESULTS
The dataset used in the algorithm, as described earlier, is formed by the first three weeks of the 1999 MIT database. The first (28/02 to 05/03) and third (07/03 to 12/03) weeks have known attacks, while the second (14/03 to 19/03) week does not have any attack. With this dataset, the proposed algorithm generated ten graphs, figures 2 and 3, corresponding to five values of k (only even values are plotted) for both conditions: the beginning of the attack (our main objective) and the end of the attack.
Figure 2: Graphs of original attacks and algorithm response, before-attack situation, for each k.
Figure 3: Graphs of original attacks and algorithm response, after-attack situation, for each k.
In figures 2 and 3 we compare the efficiency of the successive values of k. In the first row of these figures all 29 attacks that can be identified with this algorithm are plotted, as described in [20]. The attacks identified by the algorithm, as a function of k, are plotted in the other rows.
The vertical lines in the rows that are collinear with those in the first row are interpreted as a positive identification. Lines in the other rows that have no corresponding line in the first row are interpreted as false positives. In the opposite case, lines present in the first row that are not present in the other rows are interpreted as false negatives.
In figure 2 we plot the moments identified at the beginning of the attack. It can be seen that as the value of k grows, the number of attacks identified decreases accordingly. Looking deeper into these results, as described in Table 1, we can see that with k=1 we identified all the points in the dataset, while with k=10 we identified only four. This happens because of the threshold generated by the process, as described in equation (9). On the other hand, the number of false positives is much larger with k=1 than with k=10. From Table 1 we can see that up to k=3 there are no false negatives, but this must be interpreted as a coincidence when compared with the usual value used in traditional control chart theory.
k    identified attacks    false negatives    false positives    all points
1    29                    0                  166                195
2    29                    0                  165                194
3    29                    0                  159                188
4    27                    2                  116                143
5    16                    13                 54                 70
6    12                    17                 37                 49
7    12                    17                 32                 44
8    11                    18                 29                 40
9    6                     23                 25                 31
10   4                     25                 24                 28
Table 1: Quantitative results at the beginning of the attack, for each k.
In the same way, we calculated the moments identified after the attack, which show the same behavior independent of k, as can be observed in Table 2.
This algorithm, because of the bootstrap methodology, is non-deterministic: in each execution, different values of the location and scale parameters can be obtained. However, the attacks are still identified at the same positions, because it is not the value of these estimators that indicates an attack, but the comparison of these values with those obtained in the windows immediately before and after the current window.
k    identified attacks    false negatives    false positives    all points
1    28                    1                  314                343
2    28                    1                  314                343
3    28                    1                  314                343
4    28                    1                  314                343
5    28                    1                  314                343
6    28                    1                  314                343
7    28                    1                  314                343
8    28                    1                  314                343
9    28                    1                  314                343
10   28                    1                  314                343
Table 2: Quantitative results at the end of the attack, for each k.
VI. CONCLUSIONS
In this work an algorithm is presented to detect DDoS attacks using a Shewhart control chart modified to work with non-normal processes. This detection algorithm requires neither previous knowledge of the network behavior nor a training period. We notice that the detection efficiency of our algorithm is a function of the sliding window (W) and the threshold (k). With W=100 and k=3 all the attacks (29) are detected.
In this version of the algorithm W and k are given as initial data and kept constant during detection; to reduce the number of false positive and false negative alarms it will be necessary for W and k to change during detection as a function of the network behavior. To keep the main characteristics of the algorithm it will be necessary to implement a fuzzy control to deal with the sizes of W and k without any previous knowledge.
In the implementation phase, this code will be used on a multi-core platform, because of the complexity of the code, including the matrix inversion present in the algorithm. This is crucial because of the response time needed by the application of this algorithm in practical situations.
ACKNOWLEDGMENTS
This work was partially supported by Intel semicondutores do Brasil under the research contract 'Multi-core Tecnologies' of the Intel® Higher Education Program.
REFERENCES
[1] Managing the Threat of Denial-of-Service Attacks, CERT® Coordination Center, http://www.cert.org/archive/pdf/Managing DoS.pdf
[2] Paul, B., "DDoS: Internet Weapons of Mass Destruction", Network Computing, http://networkcomputing.com/1201/1201f1c1.html, Jan 8th, 2001.
[3] Mirkovic, J., Martin, J. and Reiher, P., "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms", ACM Sigcomm Computer Comm. Rev., vol. 34, no. 2, 2004, pp. 39–53.
[4] SNORT, http://www.snort.org
[5] Siaterlis, C. and Maglaris, V., "Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics", 10th IEEE Symposium on Computer and Communications, ISCC 2005.
[6] Gil, T. M. and Poletto, M., "MULTOPS: a data-structure for bandwidth attack detection", in Proceedings of the 10th Usenix Security Symposium, August 2001.
[7] Limwiwatkul, L. and Rungsawang, A., "Distributed Denial of Service Detection using TCP/IP Header and Traffic Measurement Analysis", International Symposium on Communications and Information Technologies 2004 (ISCIT 2004), Sapporo, Japan, October 26-29, 2004.
[8] Wong, T. Y., Law, K. T., Lui, J. C. S. and Wong, M. H., "An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic", The Computer Journal, 2006, 49(4):418-442.
[9] Savage, S., Wetherall, D., Karlin, A. and Anderson, T., "Practical Network Support for IP Traceback", ACM Special Interest Group on Data Communication 2000, Stockholm, Sweden, August 28 to September 1, 2000.
[10] DARPA, Defense Advanced Research Projects Agency, http://www.ll.mit.edu/IST/ideval/index.html
[11] TCPDUMP, http://www.tcpdump.org
[12] Engineering Statistics Handbook, http://www.itl.nist.gov
[13] Pyzdek, T., "Non-Normal Distributions in the Real World", Quality Engineering: "Why Normal Distributions Aren't [All That Normal]", 1995, 7(4), pp. 769-777.
[14] Duclos, E. and Pillet, M., "Contribution à la Maîtrise Statistique des Procédés, Cas des Procédés Non Normaux", PhD thesis, Université de Savoie, 1997.
[15] Duclos, E., Pillet, M. and Avrillon, L., "The L-Chart for Non-Normal Processes", Quality Technology & Quantitative Management, vol. 2, no. 1, pp. 77-90, ICQAQM 2005.
[16] Taguchi, G., "Introduction to quality engineering: designing quality into products and processes", Tokyo: The Organization, 6th ed., 1986.
[17] Cugnet, P., "Confidence Interval Estimation for Distribution Systems Power Consumption by using the Bootstrap Method", Master Thesis, Virginia Polytechnic Institute and State University, Virginia, USA, July 15, 1997.
[18] Dietrich, S., Long, N. and Dittrich, D., "Analysing Distributed Denial of Service Tools: The Shaft Case", Proceedings of the 14th Systems Administration Conference (LISA 2000), New Orleans, Louisiana, USA, December 3-8, 2000.
[19] TFN2K, http://packetstormsecurity.org
[20] Haines, J. W., Lippmann, R. P., Fried, D. J., Zissman, M. A., Tran, E. and Boswell, S. B., "1999 DARPA Intrusion Detection Evaluation: Design and Procedures", Technical Report 1062, ESC-TR-99-061, Lincoln Laboratory, Massachusetts Institute of Technology, February 26, 2001.