Detection of DDoS Attack using HCIF Algorithm in Cloud Computing

Ms. Bhoomika Gupta, Master of Technology, FMIT, Jamia Hamdard, New Delhi, INDIA ([email protected])
Prof. M. Afshar Alam, Professor, Computer Science Department, Jamia Hamdard, New Delhi, INDIA ([email protected])
Abstract—Cloud computing is an emerging buzzword in the IT industry and offers three types of service: Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). A Distributed Denial of Service (DDoS) attack uses distributed computers to launch a coordinated Denial of Service attack against one or more targets. By using a client/server architecture, the attacker is able to multiply the effectiveness of the DoS significantly by harnessing the resources of multiple unsuspecting accomplice computers, which serve as the attack platform. DDoS is emerging as the weapon of choice for cyber-extortionists, hackers and political "hacktivists". Many Intrusion Detection Systems (IDS), such as SNORT and Suricata, are used to detect DDoS attacks. IDS come in different types: Active IDS, Passive IDS, Host Intrusion Detection Systems (HIDS), Distributed Intrusion Detection Systems (DIDS), Hybrid Intrusion Detection Systems and Network Intrusion Detection Systems (NIDS). In this paper the proposed algorithm HCIF (Hop Count Inspection and Filtering) is used to detect and discard spoofed packets by considering the transmission delay time together with minimum and maximum thresholds, which improves the response time of the intrusion detection process in a Cloud environment.

Keywords- DDoS (Distributed Denial of Service), IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), HIDS (Host Intrusion Detection System), NIDS (Network Intrusion Detection System).
I. INTRODUCTION

Cloud computing is a type of computing that relies on sharing computing resources rather than having local servers or personal devices handle applications. Key characteristics of cloud computing are [5]: agility, cost reduction, device and location independence, maintenance, performance, productivity, reliability, scalability and elasticity, security, and quick and easy implementation. Cloud computing is divided into three service categories: IaaS, PaaS and SaaS. Cloud computing services are of three types: private, public or hybrid. While there are many definitions of cloud computing, Mell and Grance highlight the following essential characteristics [14]: on-demand service, wide network accessibility, resource pool, rapid elasticity and regular service.

A DDoS attack is a malevolent attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services or flooding the network of a host connected to the Internet. Distributed Denial of Service attacks are mainly categorized into three types:

• Volume Based Attacks: The attack's goal is to saturate the bandwidth of the attacked site, and its magnitude is measured in bits per second (bps). This category includes UDP and ICMP floods and other spoofed-packet floods.

• Protocol Attacks: These attacks consume actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and are measured in packets per second. This category includes SYN floods, Ping of Death, fragmented packet attacks and more.

• Application Layer Attacks: The goal of these attacks is to crash the web server, and their magnitude is measured in requests per second. This category includes Slowloris, zero-day DDoS attacks, Windows or OpenBSD vulnerabilities and more.
II. INTRUSION DETECTION SYSTEM

An intrusion detection system plays an important role in the security and persistence of an active defense system against hostile intruder attacks for any business and IT organization. IDS implementation in cloud computing requires an efficient, scalable and virtualization-based approach. In cloud computing, user data and applications are hosted on the cloud service provider's remote servers, and the cloud user has limited control over its data and resources. In such a case the administration of the IDS in the cloud becomes the responsibility of the cloud provider, although the administrator of a cloud IDS should be the user and not the provider of cloud services. The Intrusion Detection Message Exchange Format (IDMEF) standard has been used for communication between different IDS sensors. Generated alerts are sent to an "Event Gatherer" program. The event gatherer receives and converts alert messages into the IDMEF standard and stores them in an event database repository with the help of Sender, Receiver and Handler plug-ins. The analysis component analyzes complex attacks and presents them to the user through the IDS management system. Intrusion detection systems are mainly of the following types [15]:

• Network Intrusion Detection Systems: A NIDS works in promiscuous mode and analyzes the traffic passing on the entire subnet. It matches all traffic passing on the subnet against a library of known attacks. When an attack is identified, an alert can be sent to the inspector or administrator. In the network, NIDS are placed at a vital point or points to monitor traffic to and from all devices. OPNET and NetSim are commonly used tools for NIDS simulation.

• Host Intrusion Detection Systems: A HIDS monitors inbound and outbound packets from a device and alerts the user or administrator about any suspicious activity it detects. It captures a snapshot of the current system files and compares it with the previous snapshot. If system files were modified or deleted, an alert is sent to the investigator. A HIDS may run on individual hosts or on devices in the network.

• Passive and Reactive Systems: In a passive IDS, when the IDS sensor detects a potential security breach it signals an alert on the console. A reactive IDS is also known as an intrusion prevention system (IPS). In a reactive IDS the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.

Different intrusion detection tools are available as open source, such as SNORT, Suricata, Bro, Kismet, OSSEC, Security Onion, etc.
III. RELATED RESEARCH WORK

Aman et al. [2] use SNORT on a virtual switch for auditing; it analyzes the packets arriving over the Ethernet and looks for an intrusion pattern, based upon the statistics. Qi Chen et al. [3] gave a confidence-based filtering approach to detect spoofed packets, where confidence is the frequency of appearance of attributes in the packet flows. Tao Zhang et al. [4] use an SOA traceback-based approach for attack detection. Shalini et al. [5] also use SNORT as the IDS for detecting attacks. Vincent Shi-Ming Huang and Robert Huang [6] gave a DDoS mitigation system with multi-stage detection and a text-based Turing test in cloud computing. For the proposed work I have selected five papers [7] [8] [9] [10] [11], in which different alternatives for the Hop Count Filtering algorithm are proposed. Vikas et al. [9] proposed generating an update alarm on detection of a spoofed packet. Haining Wang et al. [8] used the standard Hop Count algorithm in its two states, i.e. learning state and filtering state, to defend against spoofed IP traffic. Supriya et al. [7] and RPS Bedi [11] proposed a probabilistic approach in the HCF algorithm.

The standard Hop Count Filtering algorithm, which is used to separate spoofed packets from legitimate ones, is as follows:

Step 1: For each packet, count the number of hops as Hcount.   // by hop counter or simple inspection
Step 2: Retrieve the stored hop count for the packet's source as Hstored.
Step 3: For each packet:
            if (Hcount != Hstored)
                "discard the packet"   // packet is spoofed (malicious)
            else
                "allow the packet"     // packet is legitimate
Step 4: end if
IV. PROPOSED HCIF ALGORITHM

HCIF (n, λ, µ, TTLmax, TTLi)
 1. For each packet i = 1 to n
 2.     Delay time Ti = 1/(µ - λ), where µ = mean packet size in bits and λ = mean packet arrival rate (packets/sec)
 3.     If ((Ti > Tmax) || (Ti < Tmin))     // delay outside the [Tmin, Tmax] thresholds; an AND of these two conditions can never hold
            "Discard the Packet"
 4.     Else
 5.         Hi = TTLmax - TTLi              // hop count = initial TTL - observed TTL
 6.         If ((Hi == 0) || (Hi == 30))    // impossible or out-of-range hop count; again OR, not AND
                "Drop the Packet"
 7.         Else if (Hi == Hstored)
                "Legitimate Packet"
 8.         Else
                "Spoofed Packet"
 9.         End If
10.     End If
11. End For
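As an added illustration (not the paper's CloudSim code), the following Python model applies the HCIF decision above to constructed packets, with the standard HCF check from Section III alongside it for comparison. The thresholds Tmin/Tmax, the learned hop-count table and the packet values are assumed sample data.

```python
# Added example (not the paper's CloudSim code): a Python model of the HCIF
# decision, with the standard HCF check for comparison.
# Thresholds, packets and the stored hop-count table are constructed values.
from dataclasses import dataclass

T_MIN, T_MAX = 0.001, 0.5    # delay thresholds Tmin/Tmax in seconds (assumed)
H_MAX = 30                   # hop count the listing treats as out of range

@dataclass
class Packet:
    src: str        # source IP address
    ttl: int        # TTLi: TTL observed on arrival
    ttl_init: int   # TTLmax: initial TTL inferred for the source (e.g. 64, 128)

def delay_time(mu: float, lam: float) -> float:
    """Ti = 1/(mu - lam) as in the HCIF listing; infinite once lam >= mu."""
    return float("inf") if lam >= mu else 1.0 / (mu - lam)

def hop_count(p: Packet) -> int:
    """Hi = TTLmax - TTLi."""
    return p.ttl_init - p.ttl

def hcf(p: Packet, stored: dict[str, int]) -> str:
    """Standard HCF: hop count must equal the stored value for the source."""
    return "legitimate" if stored.get(p.src) == hop_count(p) else "spoofed"

def hcif(p: Packet, stored: dict[str, int], mu: float, lam: float) -> str:
    """HCIF: delay-threshold check first, then hop-count inspection."""
    ti = delay_time(mu, lam)
    if ti > T_MAX or ti < T_MIN:      # delay outside [Tmin, Tmax]
        return "discarded"
    hi = hop_count(p)
    if hi == 0 or hi == H_MAX:        # impossible or out-of-range hop count
        return "dropped"
    if stored.get(p.src) == hi:
        return "legitimate"
    return "spoofed"

# Constructed table of learned hop counts: source IP -> hop count
STORED = {"203.0.113.7": 12, "198.51.100.4": 8}

def demo() -> list[str]:
    """Classify four constructed packets at a normal traffic rate."""
    pkts = [Packet("203.0.113.7", 52, 64),     # 12 hops, matches table
            Packet("198.51.100.4", 120, 128),  # 8 hops, matches table
            Packet("198.51.100.4", 45, 64),    # 19 hops, mismatch -> spoofed
            Packet("203.0.113.7", 64, 64)]     # 0 hops -> dropped
    return [hcif(p, STORED, mu=200.0, lam=150.0) for p in pkts]
```

When the arrival rate reaches the service figure (lam >= mu), Ti becomes infinite and every packet of that flow is discarded before any hop-count work is done, which is the early-stage cut-off the paper describes.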
V. ABOUT SIMULATION TOOL [CLOUDSIM]

Validation of the proposed algorithm is done with the CloudSim tool. CloudSim is an open source toolkit (library) for simulation of cloud computing processes. It provides basic classes for data centers, virtual machines, applications, users, computational resources, and different policies for management of the various parts of the system (e.g., scheduling and provisioning). All these components are assembled together so that users can evaluate new strategies for the utilization of clouds (policies, scheduling algorithms, etc.). It is also used to assess the efficiency of strategies from different perspectives, from cost/profit to the speed-up of application execution time.

The CloudSim simulation layer provides support for modeling and simulation of virtualized cloud-based data center environments, including dedicated management interfaces for VMs, memory, storage and bandwidth. The figure below shows the multi-layered architecture of the CloudSim software. Initial versions of CloudSim used SimJava as the discrete event simulation engine, which supports several core functionalities such as queuing and processing of events, creation of cloud system entities (services, host, data center, broker, VMs), communication between components, and management of the simulation clock.
VI. SIMULATION RESULTS

A. Simulation configuration

These simulations were performed on an Intel Pentium dual core CPU, 2.6 GHz, with 2 GB of RAM. The dataset was prepared from the simulation in this paper. The simulation program was set up to test incoming traffic on the Cloud platform, and if one of these messages was an attack, it had a 50% chance to crash the web server.

B. Simulation

If we have some kind of Remote Desktop Access (e.g. Remote Desktop Connection, VNC, PC Anywhere, etc.) we can log in to our web server, open a command prompt, and type "netstat -ano" (without the quotes). netstat is a command line utility which displays protocol statistics and current TCP/IP network connections on a system. Here is what the netstat results should look like under normal circumstances:

The first column of the netstat results shows the protocol. The second column shows our computer's IP address, followed by a colon and a port number. The third column shows the IP address of a remote computer. The fourth column shows the process identifier. In the "State" column we have a number of lines that end with "LISTENING", "ESTABLISHED", "TIME_WAIT", etc. These tell us the current state of that connection (socket).

• If a socket is "LISTENING", it means a program is waiting for some remote computer to connect to it via the network.

• If a socket is "ESTABLISHED", it means a client is connected to our machine (e.g. a customer is visiting our website).

• If the socket says "TIME_WAIT", the socket may be setting up a connection, or it may be tearing down a connection. In any case, it is waiting for something.
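The netstat columns described above can be turned into a quick health check of the web server. The following Python script is an added example (not from the paper): it parses a constructed sample of "netstat -ano" output, laid out in the tool's actual column order (State before PID), and counts sockets per state and per remote host so that one source holding many open connections stands out. The sample addresses and the flagging threshold are assumed values.

```python
# Added example (not from the paper): parse "netstat -ano" style output and
# summarise connection states and remote hosts for a quick DDoS sanity check.
from collections import Counter

# Constructed sample of netstat -ano output (not a real capture)
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    192.0.2.10:80          198.51.100.4:51012     ESTABLISHED     1234
  TCP    192.0.2.10:80          198.51.100.4:51013     ESTABLISHED     1234
  TCP    192.0.2.10:80          198.51.100.4:51014     ESTABLISHED     1234
  TCP    192.0.2.10:80          203.0.113.7:44321      ESTABLISHED     1234
  TCP    192.0.2.10:80          203.0.113.9:44500      TIME_WAIT       0
  UDP    0.0.0.0:53             *:*                                    812
"""

def parse_netstat(text: str) -> list[dict]:
    """Return one record per TCP/UDP line: proto, local, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                        # skip the header and blank lines
        if parts[0] == "UDP":               # UDP rows carry no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        else:
            proto, local, remote, state, pid = parts[:5]
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows

def state_counts(rows: list[dict]) -> Counter:
    """How many TCP sockets are in each state (LISTENING, ESTABLISHED, ...)."""
    return Counter(r["state"] for r in rows if r["proto"] == "TCP")

def top_remote_hosts(rows: list[dict], state: str = "ESTABLISHED") -> list[tuple[str, int]]:
    """Sockets per remote IP (port stripped) in the given state, most first."""
    hosts = Counter(r["remote"].rsplit(":", 1)[0]
                    for r in rows if r["state"] == state)
    return hosts.most_common()

def flag_sources(rows: list[dict], threshold: int = 3) -> list[str]:
    """Remote IPs holding at least `threshold` ESTABLISHED sockets (assumed limit)."""
    return [ip for ip, n in top_remote_hosts(rows) if n >= threshold]
```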
We implement our customized code for both the standard algorithm and the proposed HCIF algorithm in the Data Center Broker class of the CloudSim tool. The following graph shows the comparison of response time (in milliseconds) and delay time (in milliseconds). With the proposed HCIF algorithm, the response time decreases as the delay time increases.
VII. CONCLUSION

In this work a novel Hop Count Inspection and Filtering (HCIF) method is proposed to overcome the issues generated by inferred and spoofed IP packets. The design of the HCIF filtering function follows the conditions for discriminating actual packets from spoofed packets. The suggested approach is capable of identifying DDoS attacks and their variants at the early stages of data transfer and hence reduces the probability of losses and attack occurrences. The approach takes TTL and transmission delay time as its key parameters and improves on existing problems such as multicast routes, fabrications, etc. Here the hop count value is the difference between the final TTL value and the initial TTL value, which is compared with the stored hop count.

VIII. REFERENCES

[1] Marwan Darwish, Abdelkader Ouda, Luiz Fernando Capretz, "Cloud-based DDoS Attacks and Defenses", © 2013 IEEE.
[2] Aman Bakshi and Yogesh B, "Securing Cloud from DDOS Attacks using Intrusion Detection System in Virtual Machine", 2010 Second International Conference on Communication Software and Networks, © 2010 IEEE.
[3] Qi Chen, Wenmin Lin, Wanchun Dou, Shui Yu, "CBF: A Packet Filtering Method for DDOS Attack Defence in Cloud Environment", 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing, © 2011 IEEE.
[4] Lanjuan Yang, Tao Zhang et al., "Defence of DDoS Attack for Cloud Computing", © 2012 IEEE.
[5] Naresh Kumar and Shalini Sharma, "Study of Intrusion Detection System for DDOS Attacks in Cloud Computing", © 2013 IEEE.
[6] Vincent Shi-Ming Huang, Robert Huang, Ming Chiang, "A DDOS Mitigation System with Multistage Detection and Text Based Turing Testing in Cloud Computing", 2013 27th International Conference on Advanced Information Networking and Applications Workshops, © 2013 IEEE.
[7] Supriya Sawwashere, Sanjeev Shrivastava, Ashutosh Lanjewar, D.S. Bhilare, "Optimizing DDoS Attack using LCIA", IJAIEM, Volume 2, Issue 12, December 2013.
[8] Haining Wang, Cheng Jin et al., "Defence against Spoofed IP Traffic using Hop Count Filtering", IEEE/ACM Transactions on Networking, February 2007.
[9] Govind M. Poddar, Nitesh Rastogi, "UHCF: Updated Hop Count Filter using TTL Probing and Varying Threshold for a Spoofed Packet Separation", IJERMT, Volume 3, Issue 4, April 2014.
[10] Vikas Chouhan et al., "Packet Monitoring Approach to Prevent DDoS Attack in Cloud Computing", IJCSEE, ISSN No. 2315-4209, Vol. I, Issue I, 2012.
[11] RPS Bedi, "Intrusion Detection using the Hop Count Inspection Method Algorithm", IJES, Inaugural Issue, 2010.
[12] http://www.webopedia.com/TERM/C/cloud_computing.html
[13] http://en.wikipedia.org/wiki/Cloud_computing
[14] P. Mell and T. Grance, "The NIST Definition of Cloud Computing", NIST Special Publication 800-145 (SP 800-145), Gaithersburg, September 2011.
[15] http://en.wikipedia.org/wiki/Intrusion_detection_system