Sunday, July 11, 2010

Monitoring the Application-Layer DDoS Attacks for Popular Websites

Aim:
The main aim of the proposed framework is to monitor application-layer DDoS attacks on popular Websites, attacks that use legitimate-looking HTTP requests to overwhelm the victim's resources, and to provide an effective method for deciding whether a surge in traffic is caused by App-DDoS attackers or by normal Web surfers.

Synopsis:

Distributed Denial of Service (DDoS) attacks have caused severe damage to servers and will pose an even greater threat to the development of new Internet services. Traditionally, DDoS attacks are carried out at the network layer, for example ICMP flooding, SYN flooding, and UDP flooding; these are called Net-DDoS attacks. Their intent is to consume network bandwidth and deny service to legitimate users of the victim systems. Since many studies have addressed this type of attack and proposed schemes (e.g., network measurement or anomaly detection) to protect networks and equipment from bandwidth attacks, launching DDoS attacks at the network layer is no longer as easy as it once was. When simple Net-DDoS attacks fail, attackers shift their offensive strategy to application-layer attacks, a more sophisticated type of DDoS attack. To circumvent detection, they attack the victim Web servers with HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. We call such attacks application-layer DDoS (App-DDoS) attacks. On the Web, a "flash crowd" is the situation in which a very large number of users simultaneously access a popular Website, producing a surge in traffic that may make the site virtually unreachable. Because bursty, high-volume traffic is common to both App-DDoS attacks and flash crowds, current techniques cannot easily distinguish them merely by the statistical characteristics of the traffic. App-DDoS attacks may therefore be stealthier and more dangerous to popular Websites than general Net-DDoS attacks when they mimic (or hide in) a normal flash crowd.
This paper introduces a scheme that captures the spatial-temporal patterns of a normal flash crowd event, uses them to detect App-DDoS attacks, and thereby provides an effective method for identifying whether a surge in traffic is caused by App-DDoS attackers or by normal Web surfers.

We divide the process into four parts:

1) We define the Access Matrix (AM) to capture the spatial-temporal patterns of a normal flash crowd and to monitor App-DDoS attacks during a flash crowd event.
2) Based on our previous work, we use a hidden semi-Markov model (HsMM) to describe the dynamics of the AM and to achieve numerical, automatic detection.
3) We apply principal component analysis (PCA) and independent component analysis (ICA) to handle the multidimensional input data for the HsMM.
4) We design the monitoring architecture and validate it with real flash crowd traffic and three emulated App-DDoS attacks.

Existing System:

  • Attacks consume the network bandwidth and deny service to legitimate users.
  • Servers are overwhelmed.
  • A large amount of data is required for training.
  • Only positive data are used for training.

Proposed System:

  • Identifies abnormalities and serves them from different priority queues.
  • Identifies the most abnormal traffic and filters it when the network is heavily loaded.
  • More accurate identification.
  • Identifies abnormalities with a small amount of training data.

Modules:

  • Attacker Module.
  • Web Server Module.
  • Flash crowd dismisser:
      • Data preparation.
      • Training.
      • Monitoring.

Attacker Module:

This module consists of a Web page through which attackers hit the victim Web servers with HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. A very large number of attackers simultaneously access a popular Website, which produces a surge in traffic to the Website and might cause the site to be virtually unreachable.

Web Server Module:

Web servers are computers on the Internet that host Websites, serving pages to viewers upon request; this service is referred to as Web hosting. Every Web server has a unique address so that other computers connected to the Internet know where to find it on the vast network. When your request reaches its destination, the Web server that hosts the Website sends the page, as HTML code, to your IP address. This reply travels back through the network; your computer receives the code, and your browser interprets the HTML and displays the page for you in graphic form.
Flash crowd dismisser:

This model is first trained on a stable, low-volume Web workload whose normality can be ensured by most existing anomaly detection systems, and it is then used to monitor the following Web workload for a period of 10 min. When the period has passed, the model is updated with the newly collected Web workload, whose normality is ensured by its entropy fitting the model. The model is then used for anomaly detection in the next cycle. If abnormalities hiding in the incoming Web traffic are found, the "defense" system is activated.
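The cycle described above, and the data-preparation step that computes the AM from the Web server's logs, as an added example that is not code from the page or from the paper it summarises. The page's detector scores each window with a hidden semi-Markov model; this stand-in keeps the Access Matrix and the entropy-threshold idea but uses the Shannon entropy of each window's document-popularity distribution instead, since a flash crowd scales every document's request count while a flood concentrates requests on a few. The AM layout (rows = 10-minute windows, columns = documents), the Common Log Format lines, hosts, paths, document weights and the function names are all constructed for the example.

```python
"""Access Matrix from server logs plus an entropy baseline that is retrained
with every window that fits it (added example; names and data constructed)."""
import math
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

def parse_log(lines):
    """Yield (timestamp, path) per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # "11/Jul/2010:10:00:01 +0000": one server log uses one zone offset, so it is dropped
        ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
        yield ts, m.group("path")

def build_access_matrix(records, window_seconds=600):
    """AM: one row per time window, one column per document, entry = request count."""
    records = list(records)
    t0 = min(ts for ts, _ in records)
    docs = sorted({path for _, path in records})
    col = {d: i for i, d in enumerate(docs)}
    rows = int((max(ts for ts, _ in records) - t0).total_seconds() // window_seconds) + 1
    am = [[0] * len(docs) for _ in range(rows)]
    for ts, path in records:
        am[int((ts - t0).total_seconds() // window_seconds)][col[path]] += 1
    return docs, am

def shannon_entropy(counts):
    """Entropy (bits) of one window's document-popularity distribution; 0 if empty."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def train_threshold(train_rows, k=3.0, min_std=0.05):
    """Mean entropy of the normal windows and a +/- k*std acceptance band.
    min_std keeps an almost constant training set from producing a zero-width band."""
    ents = [shannon_entropy(r) for r in train_rows]
    mean = sum(ents) / len(ents)
    std = max(min_std, math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents)))
    return mean, (mean - k * std, mean + k * std)

def monitor(rows, band):
    """True for each window whose entropy leaves the band (suspected App-DDoS)."""
    lo, hi = band
    return [not lo <= shannon_entropy(r) <= hi for r in rows]

# ---- constructed traffic: six stable windows, then a flash crowd, then an HTTP flood
DOC_WEIGHTS = {"/index.html": 40, "/news.html": 25, "/about.html": 15,
               "/logo.png": 12, "/big-image.jpg": 8}
BASE = datetime(2010, 7, 11, 10, 0, 0)

def make_lines(window, scale=1, flood=None):
    """Log lines for one 10-minute window: the popularity profile times `scale`,
    a little per-window jitter, plus optional extra requests (path, count)."""
    counts = {d: w * scale + (window + j) % 3 for j, (d, w) in enumerate(DOC_WEIGHTS.items())}
    if flood:
        counts[flood[0]] += flood[1]
    lines = []
    for path, n in counts.items():
        for i in range(n):
            ts = BASE + timedelta(seconds=window * 600 + (i * 7) % 600)
            lines.append(f'10.0.{i % 20}.{window + 1} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
                         f'"GET {path} HTTP/1.1" 200 {len(path) * 100}')
    return lines

def demo():
    lines = [line for w in range(6) for line in make_lines(w)]   # stable, low-volume workload
    lines += make_lines(6, scale=10)                              # flash crowd: 10x volume, same popularity
    lines += make_lines(7, flood=("/big-image.jpg", 900))         # flood pulling one large file
    docs, am = build_access_matrix(parse_log(lines))
    train = am[:6]
    mean, band = train_threshold(train)
    flags = monitor(am[6:], band)
    # windows whose entropy fits the model become training data for the next cycle
    train += [row for row, bad in zip(am[6:], flags) if not bad]
    return docs, am, mean, band, flags, len(train)

if __name__ == "__main__":
    docs, am, mean, band, flags, n_train = demo()
    print("documents:", docs)
    for i, row in enumerate(am):
        print(f"window {i}: {row} entropy={shannon_entropy(row):.3f} bits")
    print(f"baseline {mean:.3f} bits, band {band[0]:.3f}..{band[1]:.3f}, flags {flags}, retrain on {n_train} windows")
```

The flash-crowd window has ten times the volume of the training windows but the same popularity distribution, so its entropy stays inside the band and it is accepted into the next training cycle; the flood window, dominated by one file, falls far below the band and is flagged. The band width floor and the skipping of malformed log lines are the two edge cases a monitor fed from real logs has to handle.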

The process is divided into three phases:

a. Data preparation.
b. Training.
c. Monitoring.

a. Data preparation:

The main purpose of data preparation is to compute the AM from the logs of the Web server.

b. Training:

The training phase is divided into three parts:

1) PCA transition
a) Compute the average matrix and difference matrix, respectively.
b) Compute the eigenvectors and eigenvalues of the covariance matrix.
c) Sort the eigenvalues and select the first eigenvectors, where is given in this paper.
d) Construct the eigenmatrix by the first eigenvectors.
e) Transform the AM into -dimensional uncorrelated principal component dataset.
2) ICA transition

a) Use the outputs of the PCA module (i.e., -dimensional uncorrelated principal component dataset) to estimate the unmixing matrix by ICA algorithm.
b) Transform the -dimensional dataset into independent signals.

3) HsMM training

a) Use the outputs of ICA module as the model training data set to estimate the parameters of HsMM.
b) Compute the entropy of the training data set and the threshold.
c. Monitoring:
1) Compute the difference matrix between the testing AM and the average matrix obtained in the training phase by the PCA.
2) Using the eigenmatrix, compute the feature dataset of the testing AM.
3) Using the de-mixing matrix, compute the independent signals.
4) The independent signals are input to the HsMM, and the entropies of the testing dataset are computed.
5) Output the result based on the threshold of entropy that was determined in the training phase based on the entropy distribution of the training data set.
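The PCA part of the training phase (steps 1a to 1e) together with the matching monitoring steps (1 and 2), as an added example in pure Python; it is not code from the page or from the paper. The ICA unmixing and HsMM entropy stages are not included. The AM layout (rows = time windows, columns = documents), the number of retained eigenvectors, the power-iteration eigensolver, the sample matrices and all function names are this example's own choices.

```python
"""PCA training and monitoring over an Access Matrix (added example; the
eigensolver, layout and sample data are this example's own assumptions)."""
import math

def average_vector(am):
    """Step 1a: the average matrix, here one mean request count per document."""
    n = len(am)
    return [sum(row[j] for row in am) / n for j in range(len(am[0]))]

def difference_matrix(am, avg):
    """Step 1a and monitoring step 1: subtract the average from every window."""
    return [[x - m for x, m in zip(row, avg)] for row in am]

def covariance(diff):
    """Step 1b input: sample covariance (1/(n-1)) D^T D of the difference matrix."""
    n, d = len(diff), len(diff[0])
    return [[sum(r[i] * r[j] for r in diff) / (n - 1) for j in range(d)] for i in range(d)]

def _matvec(c, v):
    return [sum(cij * vj for cij, vj in zip(ci, v)) for ci in c]

def power_iteration(c, zero_tol, iters=1000, tol=1e-12):
    """Dominant eigenpair of a symmetric positive semidefinite matrix.
    Returns (0, zero vector) once c is numerically zero, i.e. every component has
    been deflated; the all-ones start must not be orthogonal to the dominant eigenvector."""
    d = len(c)
    v = [1.0 / math.sqrt(d)] * d
    for _ in range(iters):
        w = _matvec(c, v)
        norm = math.sqrt(sum(x * x for x in w))
        if norm <= zero_tol:
            return 0.0, [0.0] * d
        w = [x / norm for x in w]
        drift = max(abs(a - b) for a, b in zip(w, v))
        v = w
        if drift < tol:
            break
    lam = sum(vi * wi for vi, wi in zip(v, _matvec(c, v)))  # Rayleigh quotient
    return lam, v

def top_eigenpairs(c, k):
    """Steps 1b-1d: the k largest eigenvalues with their eigenvectors, found by
    repeated power iteration and deflation c <- c - lam * v v^T."""
    d = len(c)
    zero_tol = 1e-9 * max(abs(c[i][i]) for i in range(d))  # "zero" relative to the data scale
    c = [row[:] for row in c]
    pairs = []
    for _ in range(k):
        lam, v = power_iteration(c, zero_tol)
        pairs.append((lam, v))
        c = [[c[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return pairs

def project(diff, eigmatrix):
    """Step 1e and monitoring step 2: coordinates of each window on the k eigenvectors."""
    return [[sum(x * e for x, e in zip(row, vec)) for vec in eigmatrix] for row in diff]

def pca_train(am, k):
    """Training: average vector, eigenvalues, eigenmatrix and the k-dimensional features."""
    avg = average_vector(am)
    diff = difference_matrix(am, avg)
    pairs = top_eigenpairs(covariance(diff), k)
    eigmatrix = [v for _, v in pairs]
    return avg, [lam for lam, _ in pairs], eigmatrix, project(diff, eigmatrix)

def pca_monitor(test_am, avg, eigmatrix):
    """Monitoring steps 1-2: features of new windows from the training average and eigenmatrix."""
    return project(difference_matrix(test_am, avg), eigmatrix)

# Constructed training AM: six 10-minute windows over three documents.  Each
# window is the popularity profile [40, 25, 15] times its volume s plus a small
# shift t * [0, 3, -5] orthogonal to the profile, so the data have exactly two
# principal directions and the third eigenvalue is zero.
TRAIN_AM = [[40 * s, 25 * s + 3 * t, 15 * s - 5 * t]
            for s, t in zip((1, 2, 3, 4, 5, 6), (1, -1, 0, 0, -1, 1))]

if __name__ == "__main__":
    avg, eigvals, eigmatrix, feats = pca_train(TRAIN_AM, 3)
    print("average:", avg)
    print("eigenvalues:", eigvals)  # the volume direction dominates, the third is 0
    for row, f in zip(TRAIN_AM, feats):
        print(row, "->", [round(x, 3) for x in f])
    # a flash-crowd-like window: ten times the profile moves only along the first component
    print("flash crowd window:", pca_monitor([[400, 250, 150]], avg, eigmatrix))
```

The first eigenvector recovers the popularity profile (the direction in which a flash crowd moves the AM), the second the small orthogonal shift, and the deflation loop reports the third eigenvalue as exactly zero instead of normalising rounding noise into a spurious component. A real AM has many more document columns than windows, which is exactly the situation in which truncating to the first few eigenvectors matters before the ICA and HsMM stages.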
Implementation:

We can cluster the Web surfers and evaluate each cluster's contribution to the anomalies in the aggregate Web traffic. Different priorities are then assigned to the clusters according to their abnormality, and they are served from different priority queues. The most abnormal traffic may be filtered when the network is heavily loaded.

Application:

  • Web servers.
  • Application-layer DoS attacks allow an efficient DoS with only a few resources at hand and thus pose a serious threat to organizations.
  • High-speed Internet.
  • Mobility tracking in wireless networks.
Conclusion:

Creating defenses against attacks requires monitoring dynamic network activities in order to obtain timely and significant information. While most current effort focuses on detecting Net-DDoS attacks against stable background traffic, we proposed a detection architecture in this paper aimed at monitoring Web traffic in order to reveal dynamic shifts in normal burst traffic, which might signal the onset of App-DDoS attacks during a flash crowd event. Our method reveals early attacks depending merely on the document popularity obtained from the server log. The proposed method is based on PCA, ICA, and HsMM. The results also demonstrate that the proposed architecture is expected to be practical in monitoring App-DDoS attacks and in triggering more dedicated detection on the victim network.

Software Requirements:

  • Windows operating system, 2000 or above
  • JDK 1.6
  • JavaFX 1.1

Hardware Requirements:

  • Hard disk: 10 GB or above
  • RAM: 512 MB or above
  • Processor: Pentium III or above
