Real-time Detection and Containment of Network Attacks using QoS Regulation

Jan 18, 2016

Page 1: Real-time Detection and Containment of Network Attacks using QoS Regulation

Real-time Detection and Containment of Network Attacks using QoS Regulation

Seong Soo Kim and A. L. Narasimha Reddy

Computer Engineering

Department of Electrical Engineering

Texas A&M University

{skim, reddy}@ee.tamu.edu

Page 2

Seong Soo Kim and A. L. Narasimha Reddy, Texas A & M University, ICC 2005

Outline
• Introduction and Motivation
• Our Approach
• Implementation
• Experiments & Discussion
• Conclusion

Page 3

Contents
• Introduction and Motivation
• Our Approach
  - Nature of Network Attacks in Protocol
  - Structure of flexible buffer management: non class-based, flexible class-based buffer management
• Implementation
  - Weighted Fair Queuing
  - Thresholds
  - Exponential Weighted Moving Average (EWMA)
• Experiment & Discussion
  - Input Traffic by Protocol and Detection
  - Output Traffic by Protocol
  - Forwarded Traffic by Protocol
  - Evaluation of Anomaly Detection
• Conclusion

Page 4

Attack / Anomaly
• Bandwidth attacks/anomalies, flash crowds
• DoS (Denial of Service): TCP SYN flood, UDP flooding, ICMP echo reply
• Typical types:
  - Single attacker (DoS)
  - Multiple attackers (DDoS)
  - Multiple victims (worm)

Page 5

Motivation (1)
• Current network-centric approaches are attack-specific
  - TCP SYN: by handling TCP SYN cookies or TCP SYN
  - ICMP: by turning off ICMP echo reply
  These attack-specific approaches become ineffective with DDoS → need general and aggregate mechanisms
• Previous studies looked at individual flow-based mechanisms
  - Partial state
  - RED-PD
  These become ineffective with DDoS → need resource-based regulation
• Link speeds are increasing → need simple, effective mechanisms that can be implemented at line speed
→ Class-based buffer management

Page 6

Motivation (2)
• Class-based buffer management
  - Rate control, window control, weighted fair queuing
  - Always parses packets and assigns them to designated buffers, although most of the time the traffic is normal
  - Becomes ineffective when traffic changes dynamically, because the rates per protocol or resource are predefined and fixed
• Flexible buffer management
  - Normal times: non class-based
  - Attack: class-based
  Monitor during normal times, switch during an attack

Page 7: Contents (repeat of page 3)

Page 8

Nature of Network Attacks in Protocol
• Most network attacks are protocol-specific
  - carried out by software code exploiting a specific vulnerability
• Various kinds of attacks are staged in different protocols, which is the utility of class-based regulation

Protocol anomalies and attacks (typical attacks and their protocols):

TCP  | TCP SYN flooding, ACK scan, Telnet scan, TCP session hijacking (Hunt, Juggernaut), WinNuke, Christmas Tree, Code Red
UDP  | Echo-Chargen, Trin00, Nimda, SQL Slammer
ICMP | Smurf, ICMP echo reply, Ping of Death, RingZero, TFN (Tribe Flood Network), WinFreeze, Loki

Page 9

Structure of flexible buffer management
• Non class-based management in normal times
• Monitoring the ICMP traffic i(t), TCP traffic t(t), UDP traffic u(t) and the remaining ("Etc.") traffic e(t)
• Anomaly detection through the variation of the input traffic per protocol
• Switching to class-based management during an attack

[Figure: packets either pass through a single all-in-one queue (ICMP, TCP, UDP, Etc.) or, via a Switch, are classified into per-protocol classes TCP / ICMP / UDP / Etc. served by WFQ; an Attack Detector drives the Switch]

Page 10: Contents (repeat of page 3)

Page 11

Weighted Fair Queuing
• Wide-sense stationary (WSS) property
  - The traffic-volume ratios of the protocols show a stationary property over long-range time periods
  - 4 classes: ICMP, TCP, UDP and etc.
  - During normal times, the weight for each class (protocol) is set from these ratios
  - These weights are adjustable according to the input traffic

[Figure: the proportion of major protocols over two different traffic traces]

Page 12

Thresholds (1)
• Traffic volume-based thresholds
  - T_H: high threshold, monitoring an abnormal increase of a specific protocol's traffic
  - T_L: low threshold, monitoring an abnormal decrease
  - TCP usually occupies most of the traffic; in case of a TCP attack, the attack can be detected indirectly through the other protocols, whose indicators may be more sensitive
  - T_H(p,t) and T_L(p,t) are defined relative to r(p,t), where p is an individual protocol and r(p,t) is the current proportion of protocol p at time t [the equation itself is not recoverable from the transcript]

Page 13

Thresholds (2)
• 3σ-based threshold
  - The thresholds can be set as 3σ of the normal distribution of each individual protocol
• Detection of anomalies
  If r(p,t) ≥ MA(p,t) · T_H(p,t) or r(p,t) ≤ MA(p,t) · T_L(p,t), then (p,t) is an attack; otherwise (p,t) is normal [the slide's inequality also carries a (1 ± ·) margin factor whose symbol is not recoverable from the transcript]

Page 14

Exponential Weighted Moving Average (EWMA)
• To accommodate the dynamics of traffic, a moving average of each protocol's proportion is applied
  - Filters out short-term noise

  MA(p,t) = α · r(p,t) + (1 − α) · MA(p,t−1), with MA(p,1) = r(p,1)

  where α is the smoothing weight (written here as a placeholder; its symbol is not recoverable from the transcript)
• Operation modes
  - Non class-based: FCFS
  - Class-based: weighted round robin
  - Buffer management: RED or drop-tail
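The detector described on pages 9 and 12 to 14 and the composite signal of page 24 (logical OR, majority voting), written out as an added example; this is not the authors' code. It assumes a packet-count proportion r(p,t) per sampling interval, an EWMA weight of 0.3, a threshold band of MA(p,t) ± 3σ_p with σ_p estimated from intervals known to be normal, and that the average is updated only from intervals no protocol flagged; the traffic samples are constructed. Note how a UDP flood is flagged not only by UDP's own rise but also by the apparent drop of the other protocols' shares, which is the indirect detection the slides mention.

```python
"""Protocol-composition anomaly detector: per-interval proportions r(p,t), an
EWMA MA(p,t), 3-sigma thresholds per protocol, and OR / majority composite signals.
Added illustration (not the authors' code); ALPHA, K_SIGMA, the update rule and
the sample traffic below are assumptions."""
from collections import Counter

PROTOCOLS = ("ICMP", "TCP", "UDP", "ETC")
ALPHA = 0.3       # EWMA weight on the newest sample (assumed value)
K_SIGMA = 3.0     # width of the threshold band in standard deviations (the "3 sigma" rule)
MIN_SIGMA = 1e-6  # floor so a perfectly constant baseline still yields a band (assumption)


def make_interval(tcp, udp, icmp, other):
    """Constructed sample: per-packet protocol labels for one sampling interval.
    'GRE' stands in for anything that is not ICMP/TCP/UDP and lands in ETC."""
    return ["TCP"] * tcp + ["UDP"] * udp + ["ICMP"] * icmp + ["GRE"] * other


def proportions(packets):
    """r(p,t): fraction of the interval's packets in each protocol class."""
    counts = Counter(p if p in PROTOCOLS else "ETC" for p in packets)
    total = sum(counts.values()) or 1
    return {p: counts[p] / total for p in PROTOCOLS}


def ewma(prev, r):
    """MA(p,t) = ALPHA*r(p,t) + (1-ALPHA)*MA(p,t-1), with MA(p,1) = r(p,1)."""
    if prev is None:
        return dict(r)
    return {p: ALPHA * r[p] + (1 - ALPHA) * prev[p] for p in PROTOCOLS}


def stddev(values):
    mean = sum(values) / len(values)
    return (sum((v - mean) ** 2 for v in values) / len(values)) ** 0.5


class ProtocolCompositionDetector:
    def __init__(self, baseline_intervals):
        # sigma_p and the initial EWMA come from intervals known to be normal (assumption)
        rs = [proportions(iv) for iv in baseline_intervals]
        self.sigma = {p: max(stddev([r[p] for r in rs]), MIN_SIGMA) for p in PROTOCOLS}
        self.ma = None
        for r in rs:
            self.ma = ewma(self.ma, r)

    def thresholds(self, p):
        """(T_H, T_L): the moving average plus / minus K_SIGMA standard deviations."""
        return (self.ma[p] + K_SIGMA * self.sigma[p], self.ma[p] - K_SIGMA * self.sigma[p])

    def step(self, packets, majority_k=2):
        """One sampling interval: per-protocol flags plus the composite signals."""
        r = proportions(packets)
        flags = {}
        for p in PROTOCOLS:
            t_high, t_low = self.thresholds(p)
            flags[p] = r[p] > t_high or r[p] < t_low
        n = sum(flags.values())
        signal = {"flags": flags, "n_flagged": n, "or": n >= 1, "majority": n >= majority_k}
        if n == 0:
            self.ma = ewma(self.ma, r)  # assumption: the baseline learns only from normal intervals
        return signal


# Constructed baseline: four normal intervals of 100 packets with small natural variation.
BASELINE = [make_interval(80, 12, 4, 4), make_interval(78, 14, 4, 4),
            make_interval(82, 10, 5, 3), make_interval(79, 13, 4, 4)]


def detector_demo():
    det = ProtocolCompositionDetector(BASELINE)
    scenarios = [
        ("normal", make_interval(81, 11, 4, 4)),        # inside every band: nothing flagged
        ("small ICMP bump", make_interval(80, 12, 9, 4)),  # only ICMP flagged: OR fires, majority does not
        ("UDP flood", make_interval(80, 120, 4, 4)),    # all four flagged (others drop in share)
    ]
    return [(name, det.step(pkts)) for name, pkts in scenarios]


if __name__ == "__main__":
    for name, sig in detector_demo():
        print(f"{name:16s} flagged={sig['n_flagged']} OR={sig['or']} majority={sig['majority']}")
```

The two composite rules trade sensitivity for false positives, which is what the page-24 table shows for "1 out of 4" versus "2 out of 4": here the single-protocol ICMP bump trips the OR signal but not the 2-of-4 majority.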

Page 15: Contents (repeat of page 3)

Page 16

• KREONet2 traces: 5 major actual attacks, 10 days long

Real attack trace cases:

Case     | 1           | 2      | 3              | 4                    | 5
Duration | 5.3 h       | 4.5 h  | 4.1 h          | 12.3 h               | 3.6 h
IP       | semi-random | random | random         | semi-random / random | random
Protocol | TCP         | UDP    | TCP/UDP        | TCP/UDP/ICMP         | UDP
Port     | #80         | #1434  | random / #1434 | #80 / #1434 / #0     | #1434
Size     | 48 B        | 404 B  | random / 404 B | 48 B / 404 B / 28 B  | 404 B

Page 17

Input Traffic – Real attacks
• The vertical lines show the 5 salient attack periods
• UDP and ICMP attacks can be detected by their own variations
• TCP attacks can be detected by the TCP variation or by the variations of other protocols
• The last sub-figure shows the attack detection signal generated through majority voting

Page 18

Output Traffic – flexible buffer management
• The traffic volume delivered
• Non class-based scheduling
  - During an attack, the protocols responsible for the attack increase abruptly
  - The other protocols suffer from congestion
• Flexible buffer management
  - All protocols maintain their predefined weights regardless of the attack
  - At the onset of an attack, the instantaneous peaks result from the latency of detection and switching

[Figures: output traffic proportion by protocol in non class-based management; output traffic proportion by protocol in flexible buffer management]

Page 19

Forwarded Traffic – flexible buffer management

[Figures: forwarded traffic proportion by protocol in non class-based management; forwarded traffic proportion by protocol in flexible buffer management]

• Output / input traffic volume (%)
• Non class-based scheduling
  - During an attack, not only the culpable protocols but also the other, innocent protocols decrease together
• Flexible buffer management
  - Generally only the responsible protocol is filtered out
  - In the 4th (multi-protocol) attack, TCP, UDP and ICMP are mitigated sequentially
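The containment side of pages 6, 11, 18 and 19, as an added example that is not the authors' code: a non class-based shared drop-tail queue (FCFS) next to a class-based weighted round robin with per-protocol weights, and the switch between them driven by the detector's attack signal. It assumes a link that forwards 100 packets per interval, normal-time weights of 80/12/4/4 percent for TCP/UDP/ICMP/ETC (standing in for the stationary ratios of page 11), a work-conserving round robin that hands unused share to the classes still backlogged, and constructed per-interval demands.

```python
"""Flexible buffer management: FCFS versus class-based weighted round robin,
switched by an attack signal. Added illustration (not the authors' code);
capacity, weights and the demands below are assumptions."""

CAPACITY = 100                                         # packets forwarded per interval (assumed)
WEIGHTS = {"TCP": 80, "UDP": 12, "ICMP": 4, "ETC": 4}  # normal-time shares in percent (assumed)


def fcfs(demand, capacity=CAPACITY):
    """Non class-based: one shared drop-tail queue. Once the offered load exceeds
    the link, drops hit every protocol in proportion to its arrivals, so the
    innocent protocols lose the same fraction as the flooding one."""
    total = sum(demand.values())
    if total <= capacity:
        return {p: float(d) for p, d in demand.items()}
    return {p: d * capacity / total for p, d in demand.items()}


def weighted_round_robin(demand, weights=WEIGHTS, capacity=CAPACITY):
    """Class-based: each class is guaranteed weight/sum(weights) of the link.
    Capacity a class does not need is redistributed, again by weight, among the
    classes that are still backlogged (work-conserving)."""
    served = {p: 0.0 for p in demand}
    remaining = {p: float(d) for p, d in demand.items()}
    spare = float(capacity)
    active = [p for p in demand if remaining[p] > 0]
    while active and spare > 1e-9:
        wsum = sum(weights[p] for p in active)
        allocated = 0.0
        finished = []
        for p in active:
            give = min(spare * weights[p] / wsum, remaining[p])
            served[p] += give
            remaining[p] -= give
            allocated += give
            if remaining[p] <= 1e-9:
                finished.append(p)
        spare -= allocated
        if not finished:  # every active class was still backlogged: the link is fully used
            break
        active = [p for p in active if p not in finished]
    return served


def flexible(demand, attack_detected):
    """The slides' scheme: FCFS in normal times, class-based while the detector signals an attack."""
    return weighted_round_robin(demand) if attack_detected else fcfs(demand)


def forwarded_ratio(demand, served):
    """Output / input traffic volume in percent per protocol (the quantity on pages 19 and 23)."""
    return {p: round(100.0 * served[p] / demand[p], 1) if demand[p] else 100.0 for p in demand}


# Constructed demands per interval: a normal load, a UDP flood, and a UDP flood while TCP is light.
NORMAL = {"TCP": 72, "UDP": 11, "ICMP": 4, "ETC": 3}
UDP_FLOOD = {"TCP": 80, "UDP": 160, "ICMP": 4, "ETC": 4}
UDP_FLOOD_LIGHT_TCP = {"TCP": 40, "UDP": 160, "ICMP": 4, "ETC": 4}


def scheduler_demo():
    return {
        "normal/fcfs": forwarded_ratio(NORMAL, flexible(NORMAL, False)),
        "flood/fcfs": forwarded_ratio(UDP_FLOOD, fcfs(UDP_FLOOD)),
        "flood/wrr": forwarded_ratio(UDP_FLOOD, flexible(UDP_FLOOD, True)),
        "flood-light-tcp/wrr": forwarded_ratio(UDP_FLOOD_LIGHT_TCP, flexible(UDP_FLOOD_LIGHT_TCP, True)),
    }


if __name__ == "__main__":
    for name, ratios in scheduler_demo().items():
        print(f"{name:20s} {ratios}")
```

Under FCFS the UDP flood drags every protocol down to the same forwarded ratio, which is the "innocent protocols decrease together" effect of page 19; under the class-based schedule TCP, ICMP and ETC keep 100% of their input and only UDP is cut back, and when TCP is light its spare share flows to UDP instead of being wasted.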

Page 20

Simulated attacks
• Simulated virtual attacks: synthesized attacks added to the University of Auckland trace from NLANR, which contains no attacks; the U. of Auckland trace consists of only TCP, UDP and ICMP
  - Purpose: to evaluate the sensitivity of our detector over attacks of various configurations
• Persistency
  - Intermittent: send malicious packets in on-off fashion at a 3-minute interval
  - Persistent: continue the assault throughout the attack
• IP address (target IP address type)
  - Single destination: (semi-)single destination
  - Semi-random: mixed type (fixed portion + randomly changeable portion)
  - Random: randomly generated
• Port: reserved, randomly generated, and ephemeral client ports

Page 21

Input Traffic – Simulated attacks

[Figure]

Page 22

Output Traffic – Simulated attacks

[Figures: non class-based buffer management; flexible buffer management]

Page 23

Forwarded Traffic by Protocol in flexible buffer management

[Figures: forwarded traffic proportion by protocol in non class-based management; forwarded traffic proportion by protocol in flexible buffer management]

• Output / input traffic volume (%)
• In the 360–1080 interval, the gradual decrease comes not from the attacks but from congestion drops due to the processing limitations of the system

Page 24

Evaluation of Anomaly Detection
Evaluation results of protocol composition signals:

Traces            | Signal     | T.P. (1)        | F.P. (2)        | LR (3) | NLR (4)
Simulated attacks | 1 out of 4 | 92.5% (767/829) | 0.48% (17/3516) | 191.4  | 0.08
Simulated attacks | 2 out of 4 | 80.1% (664/829) | 0.17% (6/3516)  | 455.2  | 0.20
Real attacks      | ICMP       | 72.9% (570/782) | 1.94% (69/3563) | 37.6   | 0.28
Real attacks      | TCP        | 81.0% (633/782) | 0.42% (15/3563) | 192.3  | 0.19
Real attacks      | UDP        | 77.5% (606/782) | 0.39% (14/3563) | 197.2  | 0.23
Real attacks      | ETC.       | 31.7% (248/782) | 0.00% (0/3563)  | –      | 0.68
Real attacks      | 1 out of 4 | 89.8% (702/782) | 2.30% (82/3563) | 39.0   | 0.10
Real attacks      | 2 out of 4 | 82.4% (644/782) | 0.73% (26/3563) | 112.9  | 0.18

1. True positive rate
2. False positive rate
3. Likelihood ratio = true positive rate / false positive rate; ideally infinity
4. Negative likelihood ratio = (1 − true positive rate) / (1 − false positive rate); ideally zero

• Composite detection signal
  - Logical OR
  - Majority voting
• The detection signal is used for switching the buffer management
• Complexity
  - O(1) processing cost per packet
  - O(n) storage cost per sample, where n is the number of protocols

Page 25: Contents (repeat of page 3)

Page 26

Conclusion
• We studied the feasibility of detecting anomalies through variations in protocol traffic
• We evaluated the effectiveness of our approach using real and simulated traffic traces
• The protocol composition signal can be a useful signal
• Real-time traffic monitoring is feasible
  - Simple enough to be implemented inline
• Flexible buffer management is effective in containing attacks

Page 27

Thank you!!
http://ee.tamu.edu/~reddy