National Science Council, Executive Yuan: Research Project Final Report
A Study of Source Traceback Based on the Ant Algorithm
Project type: individual project. Project number: NSC94-2213-E-110-049-. Execution period: 1 August 2005 (ROC year 94) to 31 July 2006 (ROC year 95). Executing institution: Department (Graduate Institute) of Information Management, National Sun Yat-sen University. Principal investigator: Chia-Mei Chen (陳嘉玫). Project participants: Gu-Hsin Lai (賴谷鑫). Report type: brief report. Attachments: report on attending an international conference and the paper presented. Handling: this project may be publicly accessed. 16 October 2006 (ROC year 95).
National Science Council, Executive Yuan: Final Report of a Funded Research Project
A Study of Source Traceback Based on the Ant Algorithm
Project type: ■ Individual project □ Integrated project
Project number: NSC 94-2213-E-110-049-
Execution period: 1 August 2005 to 31 July 2006
Principal investigator: Chia-Mei Chen (陳嘉玫)
Project participants:
Report type (as required by the approved budget list): ■ Brief report □ Full report
This report includes the following required attachments:
□ One report on overseas travel or study
□ One report on travel or study in mainland China
□ One report on attending an international academic conference and one copy of the paper presented
□ One overseas research report for an international cooperative research project
Executing institution: Department of Information Management, National Sun Yat-sen University
15 October 2006 (ROC year 95)
Abstract.
Denial-of-Service (DoS) attacks with fake source IP addresses have become a major threat to the Internet. Intrusion detection systems are often used to detect DoS attacks. However, DoS attack packets attempt to exhaust resources, degrading network performance or, even worse, causing network breakdown. The proposed proactive approach is to locate the original attack host(s) issuing the attacks and stop the malicious traffic, instead of wasting resources on the attack traffic.
An ant colony based traceback approach is presented in this study to identify the original source IP address of a DoS attack. Instead of creating a new router function or processing a high volume of fine-grained packet data, the proposed IP traceback approach uses flow level information to identify the origin of a DoS attack.
The proposed method is evaluated through simulation on various network environments. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in the simulated network environments.
Keywords: IP traceback, NetFlow, DoS, Ant algorithm
Introduction
According to a study conducted by the Computer Security Institute in 2003 [1], 90 percent of the 530 surveyed companies had detected computer security breaches in 2003. The same study found that 74 percent acknowledged financial losses due to these security breaches. Although only 47 percent were able to quantify their losses, the financial losses reported by 251 respondents totaled more than 202 million US dollars. This is, however, only the proverbial tip of the iceberg. Furthermore, according to the statistics of Dollar Amount of Losses by Type [1], the denial of service (DoS) attack is the second most expensive computer crime among survey respondents, with a cost of more than 65 million US dollars.
Nowadays, many organizations use firewalls and Intrusion Detection Systems (IDS) to secure their networks. If an attacker conducts a DoS attack with a large amount of traffic, the network would still be tied up. Most work in this area has focused on tolerating attacks by mitigating their effects on the victim. Such a passive approach can provide an effective stopgap measure, but it neither eliminates the problem nor discourages the attackers.
The proactive approach is to find the source of the DoS attack and to cooperate with the Internet service provider (ISP) or the network administrators to stop the traffic at its origin. Hence, it can restore normal network functionality, prevent recurrences and, ultimately, hold the attackers accountable. However, many network-based DoS attacks exploit the weakness of TCP/IP that allows the source address in the IP header to be manipulated and falsified. Conventional trace methods might not be able to identify the origin, as the source address could be spoofed.
The goal of this work is to propose an IP traceback approach to finding the origin of the DoS attack using the existing traffic flow information, without extra support from the routers. Furthermore, some previous work needs to process a large number of packets, which may be too costly for detecting DoS attacks. An ant colony based traceback algorithm is proposed, using the traffic flow information as the trail that the ants follow to find the attack path.
Footnote 1: This work has been published in the EvoWorkshops 2006 conference on Evolutionary Computation in Communication, Networks and Connected Systems.
Ant-Colony approach to DoS Traceback
While an isolated ant moves essentially at random, an ant encountering a previously laid pheromone trail can detect it and decide with high probability to follow it, thus reinforcing the trail with its own pheromone. The collective behavior that emerges is a form of autocatalytic behavior: the more ants are following a trail, the more attractive that trail becomes to be followed. In the proposed IP traceback scheme, we use the average amount of octets belonging to the DoS attack as the pheromone. Therefore, the heavier the traffic and the more DoS attack flows a router carries, the more ants will choose it as the next node to move to. This forms a positive feedback loop, and finally most ants follow the same path.
In the initialization phase, ants are positioned on the victim and initial values for the pheromone trail intensity are set on each router. When an ant starts from the victim, it uses the topology information to find all the neighbor routers, and then reads the flow information and the pheromone trail of the neighbor nodes to compute the probability of each. It then chooses the next router to move to according to that probability; this procedure is repeated recursively until the ant reaches a boundary router of the monitored network.
When all the ants complete their travel, we use the information gathered by the ants to recompute the pheromone trail intensity. The next cycle then starts with the new pheromone trail intensity, until most of the ants converge to the same path. In the following section, we describe the details of the proposed IP traceback scheme:
When the IDS on the victim's network detects a DoS attack with spoofed source(s), it can further analyze the packets of the DoS attack and produce the list of suspected spoofed source IP addresses. The proposed solution takes the victim host as the starting point and performs the IP traceback. The detail of the ant colony based DoS path traceback is described as follows. At the initial stage, each network node i is assigned the amount of total octets it sent in the observation duration, $f_i$, and an initial pheromone value $\tau_i(t)$. The flow information is used to determine the probability with which an ant chooses a path, where $f_i$ is the total octets sent by router i in the duration and $\tau_i(t)$ is the intensity of the pheromone trail on router i at time t.
Figure 1(a) illustrates the case where the ants arrive at Router 4; the probability of their next move is determined based on the flow information of the neighbor routers. We assume that the total octets sent from Router 5 are 2000, from Router 6 5000 and from Router 7 3000. Therefore, the probability of choosing Router 5 is 20%, Router 6 50% and Router 7 30%. Figure 1(b) shows the probability of the next move to each neighbor router. More ants choose the path with more flow, as a DoS attack generates a lot of flows.
The probability $p_i(t)$ that an ant at the current router moves next to neighbor router i is
$$p_i(t) = \frac{[\tau_i(t)]^{\alpha} \cdot [f_i]^{\beta}}{\sum_{j \in neighbor} [\tau_j(t)]^{\alpha} \cdot [f_j]^{\beta}}$$
where α and β weight the pheromone intensity and the flow information, respectively.
Fig. 1. (a) The flow of Router 4; (b) the probability of selecting the next step
While exploring the network, each ant keeps track of its path and the number of DoS flows. The above procedure is repeated, tracing back to the upstream routers, until the ant reaches a boundary router of the monitored network.
The intensity of the pheromone trail is revised after all the ants complete their route from the victim to a boundary router. The path information obtained by each ant is used to calculate $\Delta\tau_i^k(t,t+1)$:
$$\Delta\tau_i^k(t,t+1) = \frac{Q_k}{L_k}$$
where $Q_k$ is the total amount of octets belonging to the DoS attack on the k-th ant's path and $L_k$ is the length of the k-th ant's path. $\Delta\tau_i(t,t+1)$ is the sum of the pheromone laid by all the ants, expressed below:
$$\Delta\tau_i(t,t+1) = \sum_{k=1}^{m} \Delta\tau_i^k(t,t+1)$$
where $\Delta\tau_i^k(t,t+1)$ is the quantity per unit of length of pheromone laid on router i by the k-th ant between time t and t+n, so the more ants pass through a router, the more pheromone is laid on it. The change of pheromone results in positive feedback: the more ants are following a path, the more attractive that path becomes to be followed.
The intensity of pheromone on router i can be revised once $\Delta\tau_i(t,t+1)$ is obtained and is formulated as below:
$$\tau_i(t+1) = \rho \cdot \tau_i(t) + \Delta\tau_i(t,t+1)$$
where ρ is a coefficient such that (1-ρ) represents the evaporation of pheromone.
Each time all ants complete one iteration (cycle), the intensity of pheromone on each router is recalculated based on the above equation. Following the illustration in Figure 1, more pheromone accumulates on Router 7, which attracts more of the ants at Router 4 to choose Router 7 in the following iterations, as Router 7 is on the DoS attack path.
The ant traceback process iterates until the tour counter reaches the user-defined number of cycles or all ants make the same tour. The DoS attack path is then constructed by repeatedly following the upstream router with the highest probability. In other words, the proposed traceback follows the path taken by the most ants to find the DoS attack path.
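As an added worked example (not code from the report or its authors), the following Python simulation implements the three rules above on a constructed router graph: the transition probability with α and β, the per-ant deposit Q_k/L_k, and the evaporation update with ρ. The topology follows the paths listed for Figure 6 (victim 0, boundary routers 6, 8, 9 and 10), while the octet counts, the simulated attack path 0->2->4->7->10, the number of ants, ρ and the random seed are assumptions chosen for this example. Routers 6 and 7 are deliberately given equal total octets, so the flow heuristic alone cannot separate them and the DoS pheromone has to decide.

```python
"""Ant-colony DoS traceback over a constructed router graph (added example)."""
import random

# Upstream neighbours of each router (constructed). Node 0 is the victim; a router
# with no upstream neighbour is a boundary router of the monitored network.
UPSTREAM = {
    0: [1, 2],
    1: [4],
    2: [4],
    4: [5, 6, 7],
    5: [8],
    7: [9, 10],
    6: [], 8: [], 9: [], 10: [],
}

# f_i: total octets sent by router i in the observation window (constructed values).
# Routers 6 and 7 carry the same total, so flow volume alone cannot separate them.
TOTAL_OCTETS = {1: 3000, 2: 7000, 4: 10000, 5: 2000, 6: 5000, 7: 5000,
                8: 2000, 9: 1000, 10: 4000}

# Octets of flows whose source is on the suspected spoofed-source list, per router
# (constructed). Only routers on the assumed attack path 0->2->4->7->10 carry them.
DOS_OCTETS = {r: 0 for r in TOTAL_OCTETS}
for r in (2, 4, 7, 10):
    DOS_OCTETS[r] = 4000


def next_hop_probabilities(candidates, tau, flow, alpha=1.0, beta=1.0):
    """p_i(t) = [tau_i(t)]^alpha [f_i]^beta / sum over the neighbours (report's rule)."""
    weights = {i: (tau[i] ** alpha) * (flow[i] ** beta) for i in candidates}
    total = sum(weights.values())
    return {i: w / total for i, w in weights.items()}


def walk(rng, start, tau, alpha, beta):
    """One ant walks from the victim to a boundary router; returns its path."""
    path = [start]
    while UPSTREAM[path[-1]]:
        probs = next_hop_probabilities(UPSTREAM[path[-1]], tau, TOTAL_OCTETS, alpha, beta)
        nodes = list(probs)
        path.append(rng.choices(nodes, weights=[probs[n] for n in nodes])[0])
    return path


def pheromone_deposit(paths, dos_octets):
    """Delta tau_i = sum over ants k of Q_k / L_k for every router i on ant k's path.

    Q_k: DoS octets on the k-th path. L_k: path length in hops (assumption: hops are
    counted from the victim, so the victim itself is not a router on the path).
    """
    delta = {}
    for path in paths:
        routers = path[1:]
        q_k, l_k = sum(dos_octets[r] for r in routers), len(routers)
        for r in routers:
            delta[r] = delta.get(r, 0.0) + q_k / l_k
    return delta


def traceback(victim=0, ants=200, cycles=30, rho=0.5, alpha=1.0, beta=1.0, seed=1):
    """Run ant cycles and return (attack path, number of cycles actually run)."""
    rng = random.Random(seed)
    tau = {r: 1.0 for r in TOTAL_OCTETS}            # initial trail intensity
    for cycle in range(1, cycles + 1):
        paths = [walk(rng, victim, tau, alpha, beta) for _ in range(ants)]
        delta = pheromone_deposit(paths, DOS_OCTETS)
        # tau_i(t+1) = rho * tau_i(t) + Delta tau_i(t, t+1); (1 - rho) evaporates
        tau = {r: rho * tau[r] + delta.get(r, 0.0) for r in tau}
        if len({tuple(p) for p in paths}) == 1:     # all ants made the same tour
            break
    # Final answer: from the victim, always take the most probable upstream router.
    path = [victim]
    while UPSTREAM[path[-1]]:
        probs = next_hop_probabilities(UPSTREAM[path[-1]], tau, TOTAL_OCTETS, alpha, beta)
        path.append(max(probs, key=probs.get))
    return path, cycle


if __name__ == "__main__":
    found, n = traceback()
    print("attack path:", "->".join(map(str, found)), "after", n, "cycles")
```

With the Figure 1 values (2000, 5000, 3000 octets and equal initial pheromone), next_hop_probabilities returns 0.2, 0.5 and 0.3 as in the text. In the full run the first cycle splits the ants at Router 4 evenly between Routers 6 and 7, but ants that pass Router 7 deposit more (their paths carry more DoS octets per hop), so τ_7 outgrows τ_6 and the colony converges on 0->2->4->7->10. Whether the run stops early depends on the all-ants-same-tour test; the path read off at the end does not.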
NetFlow
NetFlow is a traffic profile monitoring technology [8] that can provide vital information for DoS traceback. If a packet belongs to an existing flow, the traffic statistics of the corresponding flow are increased; otherwise a new flow entry is created.
A conceptual diagram of DoS NetFlow records is shown in Figure 2. The NetFlow records exported by the routers along the DoS attack path contain the DoS flows whose source IP addresses are the spoofed ones. This feature is used to determine whether a router is on the DoS attack path, and a traceback task can then be initiated to find the source of the DoS attack.
Fig. 2. DoS NetFlow records
Performance Evaluation
We verify the proposed solution by implementing the proposed system and evaluating its performance by simulation. A simulated network with NetFlow-enabled routers is deployed, as the proposed DoS traceback solution uses flow-level information to perform the traceback.
System Architecture
The proposed system architecture contains two major components in a monitored network: the flow management component and the traceback module, as shown in Figure 3. The flow management component collects the flow information of the routers in the monitored network and answers the traceback module's queries for the related flow information. The traceback module performs the traceback based on the flow information.
Fig. 3. The proposed system architecture
The flow management component collects the flow based attributes. The open-source tools, Scientific Linux [9], flow-tools [10], STREAM [11], are adopted in this research to achieve the above NetFlow management purpose.
The proposed IP traceback scheme is based on the ant algorithm and uses NetFlow logs to simulate the IP traceback process. Artificial ants explore the network and collect information about the denial-of-service attack to forecast the possible attack path and trace back to the origin of the DoS attack.
Experimental Results
A simulated network environment, illustrated in Figure 4, is deployed with VMware Workstation [12]. Zebra [13], free routing software managing TCP/IP based routing protocols, is adopted to simulate the routers in the experimental environment, running on FreeBSD.
Fig. 4. The simulated network environment
In order to simulate the NetFlow function of Cisco equipment, we use fprobe [14] to monitor the traffic and periodically export NetFlow records to the proposed NetFlow management component. In the simulated network environment, we use Harpoon [14] to generate realistic network traffic: it generates TCP and UDP packet flows and simulates the temporal and spatial characteristics measured at the routers in a live environment. Hping [15] is selected to simulate a SYN flood attack with IP spoofing. Hping, a complex ping-based program, can send customized pings to remote hosts and networks. The simulated attack scenario is illustrated in Figure 5.
Fig. 5. DoS attack scenario
Once the DoS flows are identified, the flow management component can find the octets sent by the DoS flows whose source addresses are in the suspected source address list. The result is then fed to the traceback component to find the DoS attack path.
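As an added example (not the report's own flow management component, which is built on flow-tools and STREAM), the following Python code shows the aggregation step just described: every exported flow record is attributed to its exporting router, flows whose destination is the victim and whose source falls in the IDS's suspected spoofed-source list are counted as DoS flows, and the per-router total octets (f_i) and DoS octets are produced as the input the traceback module needs. The CSV layout, the router and host addresses, the victim address and the suspected prefix are all constructed for this example and are not data from the report.

```python
"""Per-router aggregation of flow records for DoS traceback (added example)."""
import csv
import io
import ipaddress

# Constructed export, one flow per line: exporting router, source, destination,
# destination port, protocol number, octets, packets. The 40-octet single-packet
# flows model SYN flood packets from spoofed sources.
FLOW_EXPORT = """\
exporter,srcaddr,dstaddr,dstport,prot,doctets,dpkts
10.0.0.4,192.0.2.10,198.51.100.5,80,6,40,1
10.0.0.4,192.0.2.11,198.51.100.5,80,6,40,1
10.0.0.4,10.0.1.7,198.51.100.20,443,6,15200,18
10.0.0.7,192.0.2.10,198.51.100.5,80,6,40,1
10.0.0.7,192.0.2.11,198.51.100.5,80,6,40,1
10.0.0.7,10.0.3.9,198.51.100.22,53,17,1200,8
10.0.0.6,10.0.2.3,198.51.100.20,443,6,9800,12
10.0.0.6,10.0.2.4,198.51.100.21,22,6,2100,30
10.0.0.6,192.0.2.12,198.51.100.21,80,6,500,4
"""

# Suspected spoofed sources reported by the IDS (constructed): hosts or prefixes.
SUSPECTED_SOURCES = ["192.0.2.0/28"]
VICTIM = "198.51.100.5"


def parse_flows(text):
    """Parse the constructed CSV export into dicts with numeric octet/packet counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["doctets"] = int(row["doctets"])
        row["dpkts"] = int(row["dpkts"])
        flows.append(row)
    return flows


def is_dos_flow(flow, suspected, victim):
    """A DoS flow targets the victim from an address on the suspected spoofed list."""
    src = ipaddress.ip_address(flow["srcaddr"])
    return flow["dstaddr"] == victim and any(
        src in ipaddress.ip_network(s, strict=False) for s in suspected)


def aggregate_by_router(flows, suspected, victim):
    """Return {exporter: {"total": f_i, "dos": DoS octets, "dos_flows": count}}."""
    stats = {}
    for flow in flows:
        entry = stats.setdefault(flow["exporter"], {"total": 0, "dos": 0, "dos_flows": 0})
        entry["total"] += flow["doctets"]
        if is_dos_flow(flow, suspected, victim):
            entry["dos"] += flow["doctets"]
            entry["dos_flows"] += 1
    return stats


def routers_on_attack_path(stats):
    """Routers whose export contains at least one DoS flow (the Figure 2 criterion)."""
    return sorted(r for r, s in stats.items() if s["dos_flows"] > 0)


if __name__ == "__main__":
    stats = aggregate_by_router(parse_flows(FLOW_EXPORT), SUSPECTED_SOURCES, VICTIM)
    for router, s in sorted(stats.items()):
        print(router, s)
    print("routers carrying DoS flows:", routers_on_attack_path(stats))
```

The flow from 192.0.2.12 seen at 10.0.0.6 is from a suspected address but is not aimed at the victim, so it is counted in that router's total but not in its DoS octets; the destination check keeps ordinary traffic from addresses that merely share a prefix with the spoofed ones from pulling ants toward routers off the attack path.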
The results of the traceback are shown in the following figures as three-dimensional graphs, where the x-axis represents the path discovered by the ants, the y-axis represents the number of iterations, and the z-axis represents the number of ants that found the x-th path in the y-th cycle. The attack path found by the proposed ant colony based traceback method is the one with the most ants.
Figure 6 shows the results of the traceback with full flow information provided by the network. The proposed traceback method explores all the possible attack paths in the initial stage of the traceback, and the ants tend to converge on the attack path in the following iterations. After about half of the simulation, most ants converge on the DoS attack path.
According to the results of the preliminary experiment, we verify that the proposed solution can find the DoS attack path when all the routers in the network provide flow information. However, in real environments, some flow information might be lost, especially at a router on the DoS attack path. Other experimental results are omitted due to the length of the paper, but they all conclude that the proposed solution can find the DoS path efficiently and correctly.
[Figure 6 data: the paths discovered by the ants are 0->1->4->5->8, 0->1->4->6, 0->1->4->7->10, 0->2->4->5->8, 0->2->4->6, 0->2->4->7->10 and 0->2->4->7->9; axes: DoS path found (x), the number of iterations (y), the number of ants (z)]
Fig. 6. The results of the traceback
Conclusion
DoS attacks have become one of the major threats on the Internet and cause massive revenue losses for many companies. However, DoS attacks are often associated with spoofed source addresses, making it hard to identify the attacker. A proactive approach to DoS attacks is to find the original machine that issues the attack and stop the malicious traffic.
In this research, a traceback based on ant colony is proposed to identify the DoS attack origin. Unlike previous traceback schemes, such as packet marking and logging, which use packet level information, the proposed traceback approach uses flow level information. Although the packet level information provides detailed information about the network, the high processing cost is a challenge for deploying those IP traceback methods in real networks.
The ant colony algorithm has been successfully applied to various routing and optimization problems. Based on our observation, the proposed traceback problem is a variation of a routing problem, and hence an ant colony based algorithm can be used to find the DoS attack path.
The proposed method is verified and evaluated through simulation. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments. Hence, we conclude that the proposed solution is an efficient method to find the DoS attack origin in networks.
The proposed DoS traceback method can identify the DoS attack path in the case of spoofed source addresses. However, there are other attacks with spoofed source addresses that also need to be identified. The ant algorithm or other artificial intelligence approaches could be further investigated for more generalized IP traceback problems. A distributed flow management might be more scalable for large networks. Further study on the practical implementation and deployment on a large network can be done to evaluate the scalability of the proposed solution.
References
1. Computer Security Institute, "CSI/FBI Computer Crime and Security Survey," 2003, http://www.crime-research.org/news/11.06.2004/423/.
2. S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Network Support for IP Traceback," IEEE/ACM Trans. Networking, vol. 9, no. 3, 2001, pp. 226–237.
3. D. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," Proc. IEEE INFOCOM, IEEE CS Press, 2001, pp. 878–886.
4. A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, B. Schwartz, S.T. Kent and W.T. Strayer, "Single-packet IP Traceback," IEEE/ACM Trans. Networking, vol. 10, no. 6, 2002, pp. 721–734.
5. W.T. Strayer, C.E. Jones, F. Tchakountio, B. Schwartz, R.C. Clements, M. Condell and C. Partridge, "Traceback of Single IP Packets Using SPIE," Proc. DARPA Information Survivability Conference and Exposition, vol. 2, April 22–24, 2003, Washington, DC, pp. 266.
6. G. Upton, "Swarm Intelligence," http://www.cs.earlham.edu/~uptongl/project/Swarm_Intelligence.html.
7. M. Dorigo, V. Maniezzo and A. Colorni, "The Ant System: An Autocatalytic Optimizing Process," Technical Report No. 91-016 Revised, Politecnico di Milano, Italy, 1991.
8. Y. Gong, "Detecting Worms and Abnormal Activities with NetFlow," http://www.securityfocus.com/infocus/1796
9. Scientific Linux, https://www.scientificlinux.org/
11. Stanford STREAM data manager, http://www-db.stanford.edu/stream/
12. VMware, http://www.vmware.com/
13. Zebra, http://www.zebra.org/
14. fprobe, http://fprobe.sourceforge.net/