Qualified Vector Match and Merge Algorithm (QVMMA) for DDoS Prevention and Mitigation

Abstract

Distributed Denial of Service (DDoS) attacks continue to wage intense wars against popular e-commerce and content websites. One in five companies worldwide becomes a DDoS attack victim, and such attacks remain active, causing prolonged damage lasting from a few hours to several weeks. The Deccan Chronicle [34,35], dated April 29, 2015, reported the above statement as the conclusion of Kaspersky Lab's and B2B's international survey, which categorised two types of DDoS attack: "a powerful short term attack or persistent long running campaign". Both of these popular DDoS attack types can be detected, prevented and mitigated in real time using the proposed novel Qualified Vector Match and Merge Algorithm (QVMMA). Fourteen feature components are used to generate an attack signature in real time, which is stored in the dynamically updated DDoS Captured Attack Pattern (DCAP) database [30]. The approach is effective in detecting both new and old attacks. Persistent DDoS attacks cause financial damage or reputation loss through the loss of a company's valuable clients, and the server's availability is heavily compromised. The popular websites GitHub and BBC UK faced DDoS attacks in 2015: the long-term DDoS attack directed at GitHub continued for over 118 hours [34,35], while the short-term DDoS attack on the BBC website [36] caused its patchy response. The crux of the problem is the absence of a way to differentiate attack records from legitimate records while the attack is occurring in real time. Several methods [1-31,37-42] are surveyed in the paper. Post-mortem solutions are not applicable in real time, and the available real-time solutions are slow. QVMMA is proposed as an ideal, faster real-time solution that prevents DDoS attacks using Statistical Feature Vector Generation. Matlab is used for the real-time DDoS simulation, where the topologies (bus, star, Abilene network) are created using OMNET++ [33]. QVMMA generates and uses a Statistical Feature Vector for Attack Signature Generation, Matching and Identification only for records that satisfy the qualifier.
The web server log files used as input to QVMMA follow the W3C log format standard [34]. Experimentation covers an exhaustive set of 336 cases; four networks with 5, 8, 10 and 13 nodes are tested. Performance evaluation of QVMMA gives an EER of 11.8% at a threshold of 1.6, with the Abilene network achieving the best result. As the number of attackers, nodes and intermediate routers increases, detection time increases. If the threshold is increased, accuracy reduces; if the number of nodes increases, accuracy increases. It is therefore concluded, based on the results generated in the Matlab simulation, that QVMMA can be used for effective layer 3 DDoS prevention and mitigation in real time.
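Added illustration (not the paper's code) of the qualify, vectorise, match and merge pipeline the abstract describes, driven by a constructed W3C extended log. The paper's 14 features, its qualifier and its merge rule are not given on this page, so the four features, the minimum-request qualifier and the running-mean merge below are assumptions; the 1.6 threshold is the abstract's reported operating point.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed W3C extended-log excerpt (not real traffic); "#Fields" names the columns.
LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2015-04-29 10:00:00 203.0.113.5 GET /index.html 200 5120
2015-04-29 10:00:00 198.51.100.7 GET /index.html 503 0
2015-04-29 10:00:00 198.51.100.7 GET /index.html 503 0
2015-04-29 10:00:01 198.51.100.7 GET /index.html 503 0
2015-04-29 10:00:01 198.51.100.7 GET /index.html 200 5120
"""
QUALIFIER_MIN_REQUESTS = 3   # assumed qualifier: only clients this busy are vectorised
THRESHOLD = 1.6              # the operating point reported in the abstract

def parse_w3c(text):
    """One dict per record, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def feature_vectors(records):
    """Assumed 4-feature vector per qualifying client: req/s, distinct-URI ratio, 4xx/5xx ratio, mean KiB."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["c-ip"]].append(r)
    vectors = {}
    for ip, rs in per_ip.items():
        if len(rs) < QUALIFIER_MIN_REQUESTS:     # qualifier not satisfied: skip
            continue
        ts = [datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S") for r in rs]
        span = max(1.0, (max(ts) - min(ts)).total_seconds())
        vectors[ip] = [len(rs) / span,
                       len({r["cs-uri-stem"] for r in rs}) / len(rs),
                       sum(r["sc-status"][0] in "45" for r in rs) / len(rs),
                       sum(int(r["sc-bytes"]) for r in rs) / len(rs) / 1024]
    return vectors

def match_and_merge(vec, dcap, threshold=THRESHOLD):
    """Euclidean match against DCAP; merge into the nearest signature (running mean, assumed) or store new."""
    best = min(dcap, key=lambda s: math.dist(s["v"], vec), default=None)
    if best is not None and math.dist(best["v"], vec) <= threshold:
        best["v"] = [(a * best["n"] + b) / (best["n"] + 1) for a, b in zip(best["v"], vec)]
        best["n"] += 1
        return True                                # known attack pattern, signature updated
    dcap.append({"v": list(vec), "n": 1})          # unmatched: new signature recorded
    return False
```

Raising THRESHOLD makes more vectors merge into existing signatures (fewer distinct patterns, more false merges), which is the accuracy trade-off the abstract reports.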

[1] R. K. Pateriya et al. Mitigating DDoS using Threshold-based Filtering in Collaboration with Capability Mechanisms, 2014.

[2] Raouf Boutaba et al. FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks, 2012, IEEE/ACM Transactions on Networking.

[3] Wanlei Zhou et al. Information theory based detection against network behavior mimicking DDoS attacks, 2008, IEEE Communications Letters.

[4] Stéphane Mallat et al. A Theory for Multiresolution Signal Decomposition: The Wavelet Representation, 1989, IEEE Trans. Pattern Anal. Mach. Intell.

[5] Vamsi Paruchuri et al. TTL Based Packet Marking for IP Traceback, 2008, IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference.

[6] Daniel S. Yeung et al. A covariance analysis model for DDoS attack detection, 2004, 2004 IEEE International Conference on Communications (IEEE Cat. No.04CH37577).

[7] Xenofontas A. Dimitropoulos et al. Histogram-based traffic anomaly detection, 2009, IEEE Transactions on Network and Service Management.

[8] Jose Anand et al. Performance Analysis of ACO-based IP Traceback, 2012.

[9] Naixue Xiong et al. An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory, 2011, The Journal of Supercomputing.

[10] Saman Taghavi Zargar et al. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks, 2013, IEEE Communications Surveys & Tutorials.

[11] Kai Hwang et al. Collaborative Detection of DDoS Attacks over Multiple Network Domains, 2007, IEEE Transactions on Parallel and Distributed Systems.

[12] M. Uysal et al. DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks, 2009, IEEE/ACM Transactions on Networking.

[13] Manish Parashar et al. Cooperative Defence Against DDoS Attacks, 2006, J. Res. Pract. Inf. Technol.

[14] Qijun Gu et al. Denial of Service Attacks, 2012.

[15] Belhassen Zouari et al. A Distributed and Coordinated Massive DDOS Attack Detection and Response Approach, 2012, 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops.

[16] Wanlei Zhou et al. Chaos theory based detection against network mimicking DDoS attacks, 2009, IEEE Communications Letters.

[17] Jean-Yves Le Boudec et al. A Two-Layered Anomaly Detection Technique Based on Multi-modal Flow Behavior Models, 2008, PAM.

[18] Sonia Fahmy et al. Pegasus: Precision hunting for icebergs and anomalies in network flows, 2013, 2013 Proceedings IEEE INFOCOM.

[19] Abhinav Bhandari et al. Detection Techniques against DDoS Attacks: A Comprehensive Review, 2014.

[20] Jung-Min Park et al. A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks, 2007, IEEE Transactions on Parallel and Distributed Systems.

[21] Ali A. Ghorbani et al. A Novel Covariance Matrix Based Approach for Detecting Network Anomalies, 2008, 6th Annual Communication Networks and Services Research Conference (CNSR 2008).

[22] Yinan Jing et al. A Coding-Based Incremental Traceback Scheme against DDoS Attacks in MANET, 2013.

[23] Ahmed Karmouch et al. Network anomaly diagnosis via statistical analysis and evidential reasoning, 2008, IEEE Transactions on Network and Service Management.

[24] Wanlei Zhou et al. Mark-aided distributed filtering by using neural network for DDoS defense, 2005, GLOBECOM '05. IEEE Global Telecommunications Conference, 2005.