An Efficient Flash Crowd Attack Detection to Internet Threat Monitors (ITM) Using Honeypots

Nowadays, as the number of Internet users grows, the traffic to a given web server can increase rapidly within a short time; such a phenomenon is called a flash crowd. Once a flash crowd occurs, the response rate decreases or the web server may crash as the load increases. In this paper we implement an Internet Threat Monitoring (ITM) system, a globally scoped Internet monitoring system whose goal is to measure, detect, characterize, and track threats such as distributed denial of service (DDoS) attacks and worms. To blind this monitoring of the Internet, attackers target the ITM system itself. In this paper we address a flash crowd attack against the ITM system, in which the attacker attempts to exhaust the network's and the ITM's resources, such as network bandwidth, computing power, or operating system data structures, by sending malicious traffic. We propose an information-theoretic framework that models flash crowd attacks launched against the ITM using a botnet. Based on this model we generalize flash crowd attacks and propose an effective attack detection method using honeypots.
