2010 Fourth International Conference on Network and System Security

A Novel Threat Assessment Method for DDoS Early Warning Using Network Vulnerability Analysis

Qiang Liu, Jian-ping Yin, Zhi-ping Cai, Ming Zhu
School of Computer, National University of Defense Technology, Changsha, China
[email protected]

Abstract—Distributed Denial of Service (DDoS) attacks are one of the main threats to Internet security. Because of the spatio-temporal properties of the attack, it is possible to detect the attack at its early stage. In this paper, we propose a novel method of DDoS threat assessment based on network vulnerability analysis. Both the multi-phase character in the temporal dimension and the impacts in the spatial dimension are considered in our method. We use three metrics to assess the threat, namely the ratio of progress, the botnet size, and the bots distribution. Experimental results show that our method is sensitive to changes of the attack state and is easy to implement in an early warning system because of its simplicity.

Keywords—Threat assessment; DDoS attack; Early warning; Network vulnerability analysis; Botnet

I. INTRODUCTION

In the past decades, the Internet has developed rapidly. Various kinds of services have brought immense social and economic benefits. For example, the Web service has become more and more popular, and it is now the foundation of surfing the Internet. Unfortunately, some malicious users wreck these services, especially the fundamental and important ones, to reach malicious goals. Among all network attacks, the Distributed Denial of Service (DDoS) attack is one of the main threats. The attack occurs when multiple users, or hosts (also called bots) controlled by an attacker in different places, launch a denial of service at the same time. The goal of the attack is to reduce or destroy the availability of services.

To protect networks from DDoS attacks, many researchers have studied DDoS detection methods in depth [1]. Until now, great progress has been made in this field, but we are still facing two challenges. Firstly, although various detection methods are useful in defending against the attack, the attack still has an impact on network and information systems; hence, how to detect the attack at its early stages becomes a challenge. Secondly, some researchers have proposed quantitative evaluation methods and tools to evaluate security [2, 3], but few consider the threat assessment of the attack.

In this paper, we propose a method of threat assessment for DDoS early warning based on network vulnerability analysis. Recently, vulnerability analysis methods [4, 5] have been presented to analyze vulnerabilities and their relations in networks. With a monotonicity assumption, exploit-chains can be generated in polynomial time. Considering the multi-phase and distributed nature of DDoS attacks, we use three metrics to assess the threat rationally, namely the ratio of progress, the botnet size, and the bots distribution. In our approach, we present an algorithm based on vulnerability analysis to calculate the last two metrics. After that, we present an approach to assess the threat in terms of those three metrics.

The rest of this paper is organized as follows: we discuss related work in the next section. In Section III, we present our assessment method. We study an actual case and evaluate the method over DARPA datasets in Section IV. Finally, we conclude in Section V.

978-0-7695-4159-4/10 $26.00 © 2010 IEEE DOI 10.1109/NSS.2010.52

II. RELATED WORK

The methods for defending against DDoS attacks fall into two categories: (1) elimination of the attack before it is launched and (2) detection of and reaction to the attack immediately after it happens [6]. A self-contained defense system can protect targets during the whole lifetime of the attack. We divided the whole lifetime of the attack into five phases: collecting information, capturing public servers, uploading the malicious software, expanding botnets, and finally launching the attack [7]. Because managers usually collect information to validate the security of networks, it is hard to distinguish abnormal behaviors from normal ones in the first phase. In the second and third phases, host-based intrusion detection systems (HIDSs) can be used to detect abnormal behaviors towards servers. However, it is unfeasible to install HIDSs with various functions on servers because of the performance impacts.

Due to the distributed nature of the attack, attackers must control lots of hosts spanning the network (also called a botnet). Consequently, botnet detection, which has become a hotspot in the security field, plays an important role in defending against the attack before it happens. Reference [8] gave a survey of botnets and botnet detection methods. They introduced the characteristics and the life-cycle of a botnet. Furthermore, they classified detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-based. After summarizing and comparing the techniques, they showed that the DNS-based techniques and the data-mining-based ones were the most promising to combat botnets. Reference [9] proposed a botnet detection method based on the analysis of the spam mail flow. They used entropy theory to quantify the randomness of different host groups and distinguished botnets from normal hosts by the effective time, arrival time, sending frequency, and content length of the mails. Likewise, [10] applied entropy theory and proposed an entropy-based multi-chart CUSUM algorithm to detect a peer-to-peer (P2P) botnet. To improve the precision, they adjusted the threshold dynamically by using the Kaufman algorithm. However, the method is useful for detecting known P2P botnets (like the Storm Botnet) but weak in detecting unknown botnets.

When the DDoS attack is launched, either network links become unavailable under huge attack flows or servers go down because of numerous anomalous requests. The studies aiming to solve these problems fall into two categories: detecting the attack and reacting to it. For detecting DDoS attacks, many methods have been proposed based on traffic patterns or statistical features [11-13]. To reduce false positives and boost performance, researchers have used diverse machine learning techniques to train and identify the attack, for example support vector machines [14], neural networks [15], and genetic algorithms [16]. In particular, [1] surveyed coordinated attacks and collaborative intrusion detection approaches. They summarized three types of coordinated attacks and current research directions in detecting them. They also reviewed the current approaches in terms of four challenges: system architecture, alert correlation algorithm, data privacy, and security/trust. In DDoS reaction, traceback mechanisms work well [6]. An attacker may hide his trail using spoofed source addresses, which makes it a challenge for traceback mechanisms to trace the true attacker. Reference [6] proposed a fast autonomous system traceback (FAST) method to trace origins at the autonomous system (AS) level. They employed AS border routers to mark packets forwarded to routers belonging to other ASs. Once the victim received 5-10 packets, FAST performed the traceback and constructed AS paths.

Reference [2] presented a simulation method for quantitative security evaluation based on discrete-event simulation with SimEvents. The simulation took the availability of the system as the security measure. They concluded that increases in security failures and attacker entities induce decreases in system availability. Reference [17] proposed a dual-purpose analytical model called Janus to characterize the behaviors of a multi-stage collusive attack in terms of key spatio-temporal properties. They developed an attacker's nondeterministic trail search algorithm in the attacker-centric analysis, and an attacker's pivots discovery via backward searching algorithm in the defender-centric analysis. To validate the model, they conducted a case study in a simulated enterprise network under DDoS attack.

III. DDOS THREAT ASSESSMENT

This section presents an algorithm for predicting the botnet based on vulnerability analysis and a novel method to assess the threat of the attack. Then, some details of the method are presented.

A. An algorithm for predicting botnet

To control hosts completely, attackers exploit vulnerabilities to gain root privilege. In the real world, it is difficult to exploit vulnerable hosts in the protected intranet directly, so attackers exploit multi-host vulnerabilities to construct botnets. Network vulnerability analysis analyzes the relations among the various vulnerabilities of hosts spanning the whole network, and it is an effective tool to predict potential bots. In this paper, the botnet size means the total number of bots in the network, and the bots distribution is defined as the ratio of the number of bots in each subnet. To predict the values of these two metrics, we present a real-time algorithm based on vulnerability analysis. Before we show the details of the algorithm, we assume that all vulnerabilities are known. In fact, this can be achieved via scanners such as Nessus. We also assume that the botnet does not grow so rapidly that early warning becomes impossible. The algorithm, as shown in Fig. 1, includes the following three steps:

Step 1. Taking each host as an attack goal, we apply network vulnerability analysis to generate the corresponding vulnerability exploit-chains.

Step 2. According to the current event, if it is a vulnerability exploitation, we match the event with the links of the exploit-chains generated in Step 1 and add all hosts downstream of the matching chains to the bots set.

Step 3. We calculate the total number of predicted bots and the number of bots in each subnet on the basis of the bots set constructed in Step 2.

Figure 1. An algorithm for predicting botnet based on vulnerability analysis (flowchart: selected goal → network vulnerability analysis → generating vulnerability exploit-chains; current event → constructing bots set → calculating output variables → outputs → threat assessment)

Because network vulnerability analysis runs in polynomial time under a monotonicity assumption [4, 5], the time complexity of Step 1 is polynomial. In Step 2, the matching operations take O(mn) time for an exploit-chain list consisting of m paths, each containing at most n hosts. The time complexity of Step 2 is polynomial too. Consequently, the algorithm runs in polynomial time.
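Steps 2 and 3 of the Fig. 1 algorithm as an added worked example, not the paper's code, run against exploit-chains shaped like those of Table VI (each target segment treated as one logical host, as in Section IV.B). The event format, the mapping of logical hosts to subnets and host counts, and the function names are assumptions of this example.

```python
"""Worked example (added here, not the paper's code): Steps 2 and 3 of the
Fig. 1 algorithm, run against the exploit-chains of Table VI.  The event
format, the host-to-subnet mapping and the function names are assumptions."""

# Exploit-chains from Table VI as ordered host lists.  As in Section IV.B,
# each target segment is one logical host standing for all hosts in it.
EXPLOIT_CHAINS = [
    ["Attacker", "Mill", "DMZ"],   # target: host in DMZ
    ["Attacker", "Mill", "uLAN"],  # target: host in uLAN
    ["Attacker", "Mill"],          # target: host in sLAN (Mill itself)
]

# Constructed mapping of each logical host to subnet -> number of real hosts,
# using the Table III totals (subnet 114 = DMZ, 112-113 = uLAN, Mill in 115).
SEGMENT_HOSTS = {
    "Mill": {"115": 1},
    "DMZ": {"114": 5},
    "uLAN": {"112": 7, "113": 8},
}


def predicted_bots(event, chains=EXPLOIT_CHAINS):
    """Step 2.  `event` is an exploitation event (source_host, victim_host).
    It is matched against every link of every chain; the victim and all hosts
    downstream of the matching link are added to the bots set."""
    src, dst = event
    bots = set()
    for chain in chains:
        for i in range(len(chain) - 1):
            if chain[i] == src and chain[i + 1] == dst:
                bots.update(chain[i + 1:])
    return bots


def botnet_metrics(bots, hosts=SEGMENT_HOSTS):
    """Step 3.  Returns the botnet size n (total predicted bots) and the bots
    distribution, i.e. the share of predicted bots located in each subnet."""
    per_subnet = {}
    for bot in bots:
        for subnet, count in hosts.get(bot, {}).items():
            per_subnet[subnet] = per_subnet.get(subnet, 0) + count
    n = sum(per_subnet.values())
    distribution = {s: c / n for s, c in per_subnet.items()} if n else {}
    return n, distribution


if __name__ == "__main__":
    # Constructed event: the remote attacker exploits Mill, the public DNS server.
    bots = predicted_bots(("Attacker", "Mill"))
    print(bots, botnet_metrics(bots))
```

An exploitation of Mill matches the first link of all three chains, so every downstream segment is predicted as part of the botnet; an event that matches no chain link yields an empty bots set.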


B. Assessment method

The process of the attack has two dimensions: the temporal and the spatial. To warn of the attack early, we consider both a temporal metric and a spatial metric. More precisely, we focus on three metrics in a DDoS assessment: the ratio of progress ($r_p$), the botnet size ($n$), and the bots distribution ($d$). Then, we use an interpolation function to predict the threat in terms of these metrics. The temporal metric represents the multi-phase character of DDoS in the temporal dimension, while the spatial metric represents the impacts of the attack in the spatial dimension. It is essential to note that the threat of DDoS is severe when the attack is about to be launched and affects a wide range of hosts. The threat decreases along with decreases of $r_p$ or decreases of $n$. We denote $m_{time}$ as the temporal metric and $m_{space}$ as the spatial metric. The predicted threat ($PT$) is defined as

$$PT = f(m_{time}, m_{space}) \qquad (1)$$

$m_{time}$ and $m_{space}$ are calculated by

$$m_{time} = r_p \qquad (2)$$

$$m_{space} = n \sum_{i=1}^{m} Z_i \frac{n_i}{n} \qquad (3)$$

where $r_p \in [0, 1]$, $n$ is the total number of predicted bots, $n_i$ the number of bots in the $i$th subnet, $Z_i$ the importance of the $i$th subnet, and $m$ the number of subnets in the network. In our previous work [7], we used finite state automata to track the attack and explained how to calculate the ratio of progress. Besides, we find that $m_{space}$ satisfies: i) if the network does not change and the botnet size increases, $m_{space}$ increases; ii) keeping the network and the botnet size unchanged, $m_{space}$ increases if more bots appear in subnets with higher importance.

To assess a DDoS attack, we use the Newton interpolation function $f_N$ to calculate the threat approximately. The reasons are as follows: $f_N(x)$ is a polynomial fitting function of the variable $x$, and it is easy to get the result at an appointed point; being based on difference quotients, $f_N$ can effectively adapt to increases in the number of interpolation points. To sum up, we have

$$f_N[x_0, \ldots, x_n] = \frac{f_N[x_0, \ldots, x_{n-1}] - f_N[x_1, \ldots, x_n]}{x_0 - x_n} \qquad (4)$$

$$f_N(x) = N_n(x) + R_n(x) \qquad (5)$$

$$N_n(x) = f_N(x_0) + (x - x_0)\, f_N[x_0, x_1] + \cdots + \prod_{j=0}^{n-1}(x - x_j)\, f_N[x_0, \ldots, x_n] \qquad (6)$$

$$R_n(x) = \prod_{j=0}^{n}(x - x_j)\, f_N[x_0, \ldots, x_n, x] \qquad (7)$$

where $f_N[x_0, \ldots, x_n]$ is the difference quotient of the $n+1$ different points $x_0, \ldots, x_n$, $N_n(x)$ the fitting result, and $R_n(x)$ the fitting error.

C. Details of the method

We discuss two things in more detail: calculating the importance of a subnet and selecting proper interpolation points. Reference [18] provided quantitative criteria to measure host importance, as listed in Table 1. We define the importance of a subnet as

$$Z_i = \sum_{j=1}^{5} U_j N_{ij} \qquad (8)$$

where $U_j$ is the quantitative weight of the $j$th type, and $N_{ij}$ is the number of hosts of the $j$th type located in the $i$th subnet. Then, we substitute (8) into (3). After normalization, we have

$$m_{space} = \frac{\sum_{i=1}^{m} n_i \left(\sum_{j=1}^{5} U_j N_{ij}\right)}{\sum_{i=1}^{m} N_i \left(\sum_{j=1}^{5} U_j N_{ij}\right)}, \qquad N_i = \sum_{j=1}^{5} N_{ij} \qquad (9)$$

TABLE I. QUANTITATIVE CRITERION OF HOST IMPORTANCE

Level   Type                Weight
E1      Gateway/Firewall    5
E2      Important server    4
E3      General server      3
E4      Important host      2
E5      General host        1

Before selecting the interpolation points, we define five warning levels. Table 2 summarizes the warning levels and their corresponding criteria. To ensure the interpolation accuracy, we select four points from the level boundaries and two special points: the minimum and maximum threats. Then, we have six interpolation points, and $f_N$ is a polynomial function of the fifth degree.

TABLE II. SUMMARY OF WARNING LEVELS

Level      Threat interval   Criterion
Severe     [90, 100]         $r_p \geq 0.8$; $n \geq 0.8 \sum_i N_i$
High       [80, 90)          $r_p \geq 0.6$; $n \geq 0.6 \sum_i N_i$
Elevated   [70, 80)          $r_p \geq 0.4$; $n \geq 0.4 \sum_i N_i$
Normal     [60, 70)          $r_p \geq 0.4$; $n \geq 0.2 \sum_i N_i$
Low        [0, 60)           otherwise

IV. EXPERIMENTS

A. Setup

To validate our method in a real network, we conducted a set of experiments using the DARPA 2000 DDoS 2.0.2 dataset from the MIT library. The dataset was collected from a real network as shown in Fig. 2, where the "Total" label represents the total number of hosts in the corresponding subnet. We find that the experimental network is divided into three domains: the networks inside the Air Force base, the Internet outside the Air Force base, and the DMZ. In this section, we applied our method to protect the DMZ and the inside networks. We divided the protected network into three segments: the DMZ, the safe LAN (sLAN) and the unsafe LAN (uLAN), where the DMZ segment contained subnet 114, the sLAN contained subnets 115-118, and the uLAN contained subnets 112-113. Fig. 2 shows several key hosts in the network, such as the DNS server in subnet 115, the inside sniffer and inside gateway in subnet 112, the DMZ sniffer in subnet 114, etc. We list the numbers of hosts by type in Table 3, where G/F is the abbreviation for "Gateway/Firewall", IS for "Important server", NS for "Normal server", IH for "Important host", and NH for "Normal host".


Figure 2. Experimental network of the DARPA 2000 DDoS 2.0.2 dataset (diagram: Internet; Firewall (114.2); DMZ subnet 114 with Plato (114.10), Smith (114.20), DMZ Sniffer (114.30) and Marx (114.50); Firewall-inside shielding the inside LAN; subnet 112 (Total: 7) with Inside Sniffer (112.10), Inside Gateway (112.20) and Pascal (112.50); subnet 113 (Total: 8); subnet 115 (Total: 4) with the Eyrie AFB DNS Server (172.16.115.20); subnet 116 (Total: 3); subnet 117 (Total: 4); subnet 118 (Total: 10))

TABLE III. STATISTIC NUMBERS OF HOSTS BY DIFFERENT TYPES IN EACH SUBNET

NO.   Subnet          G/F   IS   NS   IH   NH   Total
1     172.16.114.*    1     0    0    1    3    5
2     172.16.112.*    1     0    0    1    5    7
3     172.16.113.*    0     0    0    0    8    8
4     172.16.115.*    1     1    0    0    3    5
5     172.16.116.*    1     0    0    0    3    4
6     172.16.117.*    1     0    0    0    4    5
7     172.16.118.*    1     0    0    0    10   11

In the dataset, a remote attacker uses the "Solaris Sadmind Buffer Overflow" to gain root privilege. The vulnerability affects Solaris 2.5, Solaris 2.5.1, Solaris 2.6, and Solaris 2.7, and is numbered CVE-1999-0977. In the experimental network, the vulnerable hosts are Plato (172.16.114.10), Smith (172.16.114.20), Solomon (172.16.114.30), Locke (172.16.112.10), Pascal (172.16.112.50), Falcon (172.16.112.194), Goose (172.16.113.204), Swan (172.16.113.169), and Mill (172.16.115.20).

In all experiments, we assumed the principle "anything will be rejected if it is not admitted" as the basic rule of all firewalls. The Firewall rules are listed in Table 4, and the Firewall-inside rules in Table 5.

TABLE IV. FIREWALL RULES

Source   Destination   Service   Action
All      Mill          DNS       Allow
DMZ      DMZ           All       Allow
DMZ      Internet      All       Allow

TABLE V. FIREWALL-INSIDE RULES

Source   Destination   Service   Action
All      Mill          DNS       Allow
sLAN     sLAN          All       Allow
sLAN     uLAN          All       Allow
sLAN     DMZ           All       Allow

According to the definition of subnet importance, we calculated the following results: Z1=10, Z2=12, Z3=8, Z4=12, Z5=8, Z6=9, Z7=15. Based on the definition of the metrics and the criteria of the warning levels, we established six interpolation points: (2, 100), (1.53, 90), (1.102, 80), (0.702, 70), (0.524, 60), (0, 0). The curve of the function is shown in Fig. 3.

Figure 3. The curve of fN(x) (Step: 0.1) (plot: x-axis "Time metric + Space metric" from 0 to 2, y-axis threat from 0 to 100)

B. Results

Because hosts in the same segment were logically equal from the outside, we considered each segment as a logical host. Table 6 lists the exploit-chains generated by network vulnerability analysis. The results suggest that a remote attacker prefers to utilize a public server to gain the privilege of hosts located in the intranet indirectly.

TABLE VI. VULNERABILITY EXPLOIT-CHAINS OF DIFFERENT TARGETS

Target         Exploit-chain
Host in DMZ    Attacker →vul Host_Mill →vul Host_DMZ
Host in uLAN   Attacker →vul Host_Mill →vul Host_uLAN
Host in sLAN   Attacker →vul Host_Mill

Taking the vulnerabilities in the network into account, we obtained the predicted bots set and the bots distribution. After that, we assessed the threat of DDoS in real time. In order to validate the improvement of this method, we compared our method to the previous one [7]. In our previous work, the DDoS threat increased rapidly with respect to the phases of the early stage.

Figure 4. Experimental results of the novel method (two panels, LLS_DDOS_2.0.2-inside and LLS_DDOS_2.0.2-outside; x-axis: Phase, 0 to 5; y-axis: Forecasting threat of DDoS, 0 to 100; data labels on the curves: 27.65, 64.18, 73.22, 78.05, 81.46)

Fig. 4 illustrates the results of the novel method, where the maximum threat of a DDoS attack is 100. An increase in the attack phase causes an increase in the threat of the attack, and the increase rate is high in the beginning while low in the later phases. We note that an increase of the threat means an adjustment of the warning level. For example, the threat is 27.65 after the first phase of the attack. Then, the early warning system adjusts its warning level to "Low", warning of a new attack. When an important server is captured, the threat increases rapidly to 64.18. Then, the system adjusts its level to "Normal", warning of an advance of the attack. Similarly, the system upgrades its level to "Elevated" and further to "High" if the attacker finishes the subsequent phases of the attack. This figure justifies the correctness of our novel method.
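The scoring pipeline of Section III (subnet importance of (8), the normalized spatial metric of (9), the Newton interpolation of (4) and (6) feeding (1)-(3)) run on the Table I weights, the Table III host counts and the six interpolation points of Section IV.A, as an added example rather than the paper's own implementation. It assumes that the interpolation variable is x = m_time + m_space (the axis label of Fig. 3) and that warning levels are read from the Table II threat intervals; the per-phase bot sets and r_p values of the actual experiment are not given on the page, so the scenarios at the end are constructed.

```python
"""Worked example (added here, not the paper's own code): subnet importance
(Eq. 8), the normalised spatial metric (Eq. 9) and the Newton-interpolated
threat score (Eqs. 1-6) on the paper's Table I, Table III and IV.A values."""

# Table I weights U_j per host type (G/F, IS, NS, IH, NH as abbreviated in IV.A)
U = {"G/F": 5, "IS": 4, "NS": 3, "IH": 2, "NH": 1}

# Table III: N_ij, number of hosts of type j in subnet i
SUBNETS = {
    "114": {"G/F": 1, "IS": 0, "NS": 0, "IH": 1, "NH": 3},
    "112": {"G/F": 1, "IS": 0, "NS": 0, "IH": 1, "NH": 5},
    "113": {"G/F": 0, "IS": 0, "NS": 0, "IH": 0, "NH": 8},
    "115": {"G/F": 1, "IS": 1, "NS": 0, "IH": 0, "NH": 3},
    "116": {"G/F": 1, "IS": 0, "NS": 0, "IH": 0, "NH": 3},
    "117": {"G/F": 1, "IS": 0, "NS": 0, "IH": 0, "NH": 4},
    "118": {"G/F": 1, "IS": 0, "NS": 0, "IH": 0, "NH": 10},
}
# Every host of every subnet predicted as a bot (the maximum-threat case)
ALL_HOSTS = {s: sum(c.values()) for s, c in SUBNETS.items()}

# Interpolation points (x, threat) from Section IV.A; x = m_time + m_space is
# an assumption taken from the axis label of Fig. 3.
POINTS = [(2.0, 100.0), (1.53, 90.0), (1.102, 80.0),
          (0.702, 70.0), (0.524, 60.0), (0.0, 0.0)]


def subnet_importance(counts):
    """Eq. (8): Z_i = sum_j U_j * N_ij for one subnet."""
    return sum(U[t] * k for t, k in counts.items())


def space_metric(bots):
    """Eq. (9): sum_i n_i Z_i / sum_i N_i Z_i.  `bots` maps subnet -> predicted
    bots n_i; subnets without predicted bots may be omitted."""
    num = sum(bots.get(s, 0) * subnet_importance(c) for s, c in SUBNETS.items())
    den = sum(sum(c.values()) * subnet_importance(c) for c in SUBNETS.values())
    return num / den


def divided_differences(points):
    """Eq. (4): returns the nodes and f_N[x0], f_N[x0,x1], ..., f_N[x0,...,xn]."""
    xs = [p[0] for p in points]
    col = [p[1] for p in points]          # zeroth-order differences f_N[x_i]
    coeffs = [col[0]]
    for k in range(1, len(points)):
        col = [(col[i + 1] - col[i]) / (xs[i + k] - xs[i])
               for i in range(len(col) - 1)]
        coeffs.append(col[0])
    return xs, coeffs


def newton_eval(x, points=POINTS):
    """Eq. (6): N_n(x) evaluated in nested (Horner) form."""
    xs, coeffs = divided_differences(points)
    result = coeffs[-1]
    for k in range(len(coeffs) - 2, -1, -1):
        result = result * (x - xs[k]) + coeffs[k]
    return result


def predict_threat(rp, bots):
    """Eqs. (1)-(3): PT = f_N(m_time + m_space) with m_time = r_p."""
    return newton_eval(rp + space_metric(bots))


def warning_level(threat):
    """Warning level read from the Table II threat intervals."""
    for floor, name in ((90, "Severe"), (80, "High"), (70, "Elevated"), (60, "Normal")):
        if threat >= floor:
            return name
    return "Low"


if __name__ == "__main__":
    # Constructed scenarios.  With r_p = 0.2 (assumed) and no predicted bots,
    # f_N(0.2) is about 27.65, the first-phase data label of Fig. 4.
    for rp, bots in ((0.2, {}), (0.4, {"115": 1}), (1.0, ALL_HOSTS)):
        pt = predict_threat(rp, bots)
        print(f"r_p={rp} bots={bots} -> threat {pt:.2f} ({warning_level(pt)})")
```

The fifth-degree polynomial passes exactly through the six points by construction, so the check worth making on other inputs is that the score stays within [0, 100] and monotone over the x range the system can actually produce.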

Figure 5. Comparative results of the novel and the previous methods (two panels, LLS_DDOS_2.0.2-inside and LLS_DDOS_2.0.2-outside; series: the novel method and the previous method; x-axis: Phase, 0 to 5; y-axis: Forecasting threat of DDoS, 0 to 100)

Fig. 5 illustrates the comparative results of the different methods, where the maximum threat of a DDoS attack is 100. In the early and middle phases, the novel method is more sensitive than the previous one to changes of the attack phase. For example, when an important server is captured, the early warning system with the novel method adapts its level to "Normal", while its level does not change with the previous method. We note that the warning level with the novel method is lower than with the previous one in the last phase, which is also reasonable because we take the spatial metric into account here: in the experiment, the botnet is not large enough to impact the whole network. This figure validates the advantage of our novel method.

V. CONCLUSION

This paper presents a novel threat assessment method for DDoS early warning based on network vulnerability analysis. Our method takes into account the spatio-temporal properties of the attack. In this way, our method is sensitive to changes of the attack state and is easy to implement in an early warning system because of its simplicity. In the future, we will focus on improving the precision of the interpolation. Other theories, such as neural networks and genetic algorithms, may perform well in obtaining reasonable results. We will also consider various vulnerabilities and larger scale networks to further test the effect of our work.

REFERENCES

[1] C. V. Zhou, C. Leckie, and S. Karunasekera, "A survey of coordinated attacks and collaborative intrusion detection", Computers & Security, vol. 29, no. 1, Feb. 2010, pp. 124-140.
[2] G. Khazan and M. A. Azgomi, "A distributed attack simulation for quantitative security evaluation using SimEvents", New York: IEEE, 2009, pp. 382-385.
[3] X. Z. Chen, Q. H. Zheng, X. H. Guan, and C. G. Lin, "Quantitative hierarchical threat evaluation model for network security", Journal of Software, vol. 17, no. 4, Apr. 2006, pp. 885-897. (in Chinese)
[4] R. Hewett and P. Kijsanayothin, "Host-centric model checking for network vulnerability analysis", in 24th Annual Computer Security Applications Conference, Anaheim, CA, 2008, pp. 225-234.
[5] S. Malhotra, S. Bhattacharya, and S. K. Ghosh, "A vulnerability and exploit independent approach for attack path prediction", in 8th IEEE International Conference on Computer and Information Technology, Sydney, Australia, 2008, pp. 282-287.
[6] A. Durresi, V. Paruchuri, and L. Barolli, "Fast autonomous system traceback", Journal of Network and Computer Applications, vol. 32, no. 2, Mar. 2009, pp. 448-454.
[7] Q. Liu, J. P. Yin, J. R. Cheng, and Z. P. Cai, "Novel approach of DDoS forewarning", Computer Engineering and Application, vol. 45, no. 21, July 2009, pp. 132-135. (in Chinese)
[8] M. Feily, A. Shahrestani, and S. Ramadass, "A survey of botnet and botnet detection", New York: IEEE, 2009, pp. 268-273.
[9] C. D. Wang, T. Li, and H. B. Wang, "Botnet detection based on analysis of mail flow", New York: IEEE, 2009, pp. 2067-2070.
[10] J. Kang and J. Y. Zhang, "Application entropy theory to detect new peer-to-peer botnet with multi-chart CUSUM", Los Alamitos: IEEE Computer Society, 2009, pp. 470-474.
[11] W. Z. Lu, W. X. Gu, and S. Z. Yu, "One-way queuing delay measurement and its application on detecting DDoS attack", Journal of Network and Computer Applications, vol. 32, no. 2, Mar. 2009, pp. 367-376.
[12] M. Li, "An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition", Computers & Security, vol. 23, no. 7, Oct. 2004, pp. 549-558.
[13] F. Y. Lee and S. Shieh, "Defending against spoofed DDoS attacks with path fingerprint", Computers & Security, vol. 24, no. 7, Oct. 2005, pp. 571-586.
[14] J. Yu, H. Lee, M. S. Kim, and D. Park, "Traffic flooding attack detection with SNMP MIB using SVM", Computer Communications, vol. 31, no. 17, Nov. 2008, pp. 4212-4219.
[15] D. Gavrilis and E. Dermatas, "Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features", Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 48, no. 2, Jun. 2005, pp. 235-245.
[16] Y. Li, L. Guo, Z. H. Tian, and T. B. Lu, "A lightweight web server anomaly detection method based on transductive scheme and genetic algorithms", Computer Communications, vol. 31, no. 17, Nov. 2008, pp. 4018-4025.
[17] Z. H. Zhang and P. H. Ho, "Janus: A dual-purpose analytical model for understanding, characterizing and countermining multi-stage collusive attacks in enterprise networks", Journal of Network and Computer Applications, vol. 32, no. 3, May 2009, pp. 710-720.
[18] J. Q. Si, B. Zhang, D. P. Man, and W. Yang, "Approach to making strategies for network security enhancement based on attack graphs", Journal on Communications, vol. 30, no. 2, Feb. 2009, pp. 123-128. (in Chinese)