Network Security Situation Evaluation Method for Distributed Denial of Service


Jin Qi 1,2, Cui YiMin 1,2, Huang MinHuan 1,2, Kuang XiaoHui 1,2, Tang Hong 1,2

1) Science and Technology on Information System Security Laboratory, Beijing, China
2) Beijing Institute of System and Engineering, Beijing, China
kingkey@sohu.com

Abstract: Measuring network congestion and the degradation of quality of service during distributed denial of service attacks has remained an elusive goal. This paper analyzes the impact that all congested links have on the attack victim and on the network architecture, introduces the min-cut set, and presents a new method for assessing the network security situation under DDoS attacks. The method computes the influence value that an attack has on the network security situation from the distance between each congested link and the victim and from whether the link is in the min-cut set; this value is used for quantitative situation assessment. The applicability of the method is verified by simulated experiments with a network simulation tool.


Keywords: DDoS attack; security situation; link congestion degree metric

1 Introduction
Distributed denial of service (DDoS) is a major threat today. Its intended effect is to prevent legitimate users from doing routine business with the victim, either by exhausting some limited resource with a packet flood or by sending malformed packets that cause network elements to crash. Users experience service denial as a severe slowdown, degraded service quality or a complete disruption of communication with the victim.
Many evaluation methods have been studied in order to analyze the security situation under DDoS attacks and to guide security engineers in adopting effective countermeasures, for example the vulnerability evaluation method, survivability analysis and the security situation evaluation method. The security situation evaluation method can describe the overall situation of the network, analyze how the security situation develops and support the choice of patching measures, and it has consequently become a hot topic in network security research.
In [1] [2], the authors propose a Joint Directors of Laboratories data fusion model for perceiving the network security situation. They deploy many sensors in the testbed and use data fusion and data mining to identify the adversary and the victim and to evaluate the network security situation. In [3], the authors propose a Security Situation Assessment and Response Evaluation method based on a Bayesian network model and a symbolic probabilistic inference algorithm. The algorithm can detect ongoing large-scale network intrusions, display the situation evaluation result and react efficiently.
Current DoS measurement approaches look at only part of the target network, or capture traffic measurements at a low level of the network. The performance data then has to be extracted from the raw data, several factors have to be synthesized, and only then can the security situation of the entire network be deduced. The amount of data that has to be captured and extracted is very large, so displaying the network security situation in real time is a challenge. Other researchers frequently choose the one DDoS impact which they feel is the most relevant; this makes the results incomplete, as each displays only one aspect of the service denial.
We propose an effective approach to DDoS impact measurement that relies on easily computed network traffic quantities. It handles large-scale networks and can display the security situation of the entire network. We present several metrics that comprehensively capture the DDoS impact in a variety of test scenarios, in testbed experimentation or in simulation, and we experiment on an NS2 [4] testbed under several DDoS attacks to validate our principles and algorithms. The experiments show that the principles and algorithms are applicable to DDoS impact evaluation.


2 Security situation influence analysis based on link congestion
Recent Researches in Mathematical Methods in Electrical Engineering and Computer Science
ISBN: 978-1-61804-051-0
62
[Figure (labels only): adversary, Master Nodes, Daemon Nodes, Network, Target Server]

Input: raw network monitoring data
Output: the situation curve
BEGIN
  DO every time slot
    IF some links e fulfil ρ(e) > ρ_MAX and e not in E_J
      Add each such e to E_J
    IF some links e fulfil ρ(e) ≤ ρ_MAX and e in E_J
      Delete each such e from E_J
    IF |E_J| > ρ_MAX
      Get the current situation value S by calling Algorithm 2
      Append S to the situation curve
END

The parameters of the network security situation can be grouped into two categories: the network static structure N_A and the network congestion situation N_C.

3.1.1 The Network Static Characteristics
The network static characteristics N_A contain the network diagram, the important node set and the min-cut set. N_A is denoted by the triple N_A = (G, V_I, E_C). The static characteristics are recalculated only when the network structure changes.
• The network diagram G = (V, E), where V is the set of vertices and E is the set of edges.
• The important vertex set V_I: the routers which connect to the servers.
• The min-cut set E_C.

3.1.2 The Network Congestion Situation
The network congestion situation N_C mainly refers to the congested link set and its related functions. It is denoted by the five-tuple N_C = (E_J, lev(e_i, v_j), ρ(e), δ(e_i, v_j), λ(e)). N_C changes with the real-time network congestion situation.
• The congested link set E_J.
• The level function lev(e_i, v_j), e_i ∈ E_J, v_j ∈ V_I: the level of link e_i relative to node v_j.
• The link congestion degree metric ρ(e), e ∈ E_J: the congestion degree of link e.
• The distance metric δ(e_i, v_j), e_i ∈ E_J, v_j ∈ V_I: the influence of congested link e_i on node v_j.
• The structure metric λ(e), e ∈ E_J: the degree of influence of congested link e on the network structure.


3.2 The Evaluation Algorithm based on Link Congestion
Evaluation algorithm based on link congestion is divided
into three steps: initial construction, situation monitoring
and situation assessment.

3.2.1 The Initial Construction Algorithm
The static characteristics of the network are constructed in the initial construction phase. Constructing the network diagram and identifying the important nodes require human involvement; the min-cut set is calculated with the Stoer-Wagner algorithm [5]. Whenever the network structure changes, BFS [6] is run from each server as the starting point and the shortest distance of every other node is stored. During situation evaluation, lev(e_i, v_j) is obtained by looking up the level of the starting router of congested link e_i relative to server v_j.

3.2.2 The Situation Monitoring Algorithm
Assume that each router has a mechanism that can detect when congestion happens and calculate the degree of congestion. Once the degree of congestion on a particular link exceeds the threshold ρ_MAX, the monitoring system reports to the evaluation center. When the number of congested links exceeds the threshold ρ_MIN, the network situation is recalculated. The algorithm is defined in Figure 3.

Fig 3. Monitoring the network situation and calculating the situation curve

3.2.3 The Situation Evaluation Algorithm
As mentioned above, the influence on the security situation comprises the degradation of quality of service and the congestion of the network, which are described as follows.
• The influence of link congestion on the degradation of quality of service, S_S. The distance metric is calculated from the distance of a congested link to a server and then multiplied by the degree of link congestion, which gives the degree of influence of the congested link on the server. It is calculated using (1):

S_S = \sum_{e_i \in E_J} \sum_{v_j \in V_I} \delta(e_i, v_j) \cdot \rho(e_i)    (1)

• The influence of link congestion on the network structure, S_N. Depending on whether a congested link is in the min-cut set, a different structure coefficient is multiplied by the degree of link congestion, which gives the degree of influence of the congested link on the network structure. It is calculated using (2):

S_N = \sum_{e_i \in E_J} \lambda(e_i) \cdot \rho(e_i)    (2)

The overall network security situation status is calculated as S = S_S + S_N. The algorithm is shown in Figure 4.

Input: network graph G, important node set V_I, edge cut set E_C, congested link set E_J
Output: situation value of the network
BEGIN
  set initial network situation S = 0
  FOR each e_i in E_J
    FOR each important v_j in V_I
      compute the coefficient of e_i to v_j: δ(e_i, v_j)
      S = S + δ(e_i, v_j) · ρ(e_i)
    compute the coefficient of e_i to the network structure: λ(e_i)
    S = S + λ(e_i) · ρ(e_i)
  RETURN S
END

Fig 4. Quantitatively analyzing the situation value of the network

The impact of network congestion on the network security situation is a negative contribution to the situation. Therefore the larger the value of S, the worse the network security situation; the smaller it is, the better.
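The monitoring loop of Figure 3 and the evaluation of Figure 4, with the structure metric of (5), as an added Python example that is not part of the paper: it runs Algorithm 1 over constructed per-slot congestion readings on a constructed seven-router topology (not the paper's Figure 7) and calls Algorithm 2 whenever |E_J| exceeds the threshold. The min-cut set E_C is given as input rather than computed, and the closed form of δ is assumed (one factor of 1/(Avgdeg_ddos + 1) per hop from the server router), since the paper's equations (3) and (4) did not survive extraction.

```python
from collections import deque

# Constructed toy topology (not the paper's Figure 7): undirected G=(V,E) as an adjacency
# dict; V_I = routers in front of the servers; E_C = min-cut links given as input (Algorithm 2).
GRAPH = {"A": ["B"], "B": ["A", "G"], "D": ["G"], "G": ["B", "D", "C"],
         "C": ["G", "I"], "I": ["C", "F"], "F": ["I"]}
V_I = {"G", "F"}
link = lambda u, v: frozenset((u, v))
E_C = {link("C", "I")}
N_EDGES = sum(len(n) for n in GRAPH.values()) // 2
AVGDEG_DDOS = 11 / 3   # average node attack degree, the value used in Section 4.1
RHO_MAX = 1.0          # per-link congestion threshold
RHO_MIN = 1            # |E_J| must exceed this before the situation is recomputed

def bfs_levels(graph, source):
    """Hop distance of every vertex from `source` (the BFS of Section 3.2.1)."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        u = queue.popleft()
        for w in graph[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist
def lev(e, v, levels):
    """Level of link e relative to server router v: hop count of its nearer endpoint."""
    return min(levels[v][u] for u in e)
def delta(e, v, levels):
    """Distance metric, assumed form: one more hop from v divides the influence by
    Avgdeg_ddos + 1 route paths (the paper's own closed form did not survive extraction)."""
    return 1.0 / (AVGDEG_DDOS + 1) ** lev(e, v, levels)
def lam(e):
    """Structure metric, equation (5): 1/|E_C| for a min-cut link, else 1/|E|."""
    return 1.0 / len(E_C) if e in E_C else 1.0 / N_EDGES

def evaluate(e_j, rho, levels):
    """Algorithm 2 (Figure 4): S = S_S + S_N summed over the congested links E_J."""
    s = 0.0
    for e in e_j:
        for v in V_I:
            s += delta(e, v, levels) * rho[e]   # equation (1)
        s += lam(e) * rho[e]                    # equation (2)
    return s

def monitor(slots):
    """Algorithm 1 (Figure 3): update E_J per time slot and return the situation curve."""
    levels = {v: bfs_levels(GRAPH, v) for v in V_I}
    e_j, rho, curve = set(), {}, []
    for reading in slots:                      # one {link: rho(link)} dict per slot
        rho.update(reading)
        e_j |= {e for e, r in reading.items() if r > RHO_MAX}
        e_j -= {e for e, r in reading.items() if r <= RHO_MAX}
        if len(e_j) > RHO_MIN:                 # the prose names this threshold rho_MIN
            curve.append(evaluate(e_j, rho, levels))
    return curve
```

With these inputs a link adjacent to G scores higher than one two hops out, and the min-cut link (C,I) gets structure coefficient 1 instead of 1/6, which are the two principles the experiments in Section 4 test.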


3.3 DDoS Impact Metrics
In the algorithm mentioned above, the link congestion
degree, the distance and the network structure are three
important DDoS impact metrics in the security situation
evaluation.

3.3.1 The Link Congestion Degree Metric
The link congestion degree metric is defined as the bytes transferred into the router divided by the maximum bytes the router can transfer. We abstract the router as shown in Figure 5. A, B and C are three input links of router RA. Packets arriving from A and B are routed to the output link D and arrive at router RB. The other output links of RA are denoted by X.

Fig 5. The abstraction of the router protocols
During the transaction we capture all packets transferred from router RA onto link D, denoted λ_in. Second, we obtain the maximum number of packets the router can transfer, denoted λ_max, from the router's user manual. Finally, the link congestion metric is ρ(D) = λ_in / λ_max.

3.3.2 The Distance Metric
Ideally, DDoS flooding data is generated at the daemon nodes and finally converges at the victim. This procedure is shown in Figure 6. From the figure we can see that the nearer the data gets to the victim, the fewer router paths there are. In the ideal DDoS flooding scenario, the number of router paths depends on two parameters: the distance and the node attack degree.

Fig 6. DDoS data flooding scenario in the ideal case
The node attack degree differs from the degree concept of graph algorithms: it only counts the nodes that have processed malicious traffic, so we only consider the paths along which the malicious data is transferred. From the node attack degree we compute the average node attack degree, denoted Avgdeg_ddos. For the first layer of routers in the network topology, when the data arrives, the number of routes along which it can be transferred is Avgdeg_ddos + 1. In the same way, we get (3).
[Equations (3) and (4), giving the number of route paths at layer k in terms of Avgdeg_ddos, are not recoverable from the extracted text.]

3.3.3 The Structure Metric
We have defined the min-cut set before and denoted it E_C. If a link in the min-cut set is congested, the value expressing the contribution of the congested path towards cutting the entire network into two subnets is 1/|E_C|. This contribution value is the parameter for congested links that are in the min-cut set. When a congested link exists in more than one min-cut set, we choose the largest value of 1/|E_C|.
The number of all graph edges is denoted by |E|. When a congested link is not in the min-cut set, we use 1/|E| to express the contribution of the path's impact on the network structure. Then we get (5):

\lambda(e_i) = \begin{cases} 1/|E_{Cj}| & e_i \in E_{Cj} \\ 1/|E| & e_i \notin E_{Cj} \end{cases}    (5)


4 Experiment Analysis

4.1 Description of the Experiment
In this section we describe the topology and traffic scenarios in the NS2 testbed that we employ to illustrate our algorithm. The experimental topology is shown in Figure 7. It consists of three client networks, and each network is interconnected via two routers. Each client network has four routers. The victim servers are connected to routers F and G. The label on an edge of the topology is the maximum data processing rate of that path. In Figure 7 we only consider the edges in the min-cut set E_C = {(C,I), (H,J)}. The average node degree is 11/3, and we use this value as the average attack degree. The link congestion metric ρ is 1.
Fig 7. Experimental topology

4.2 Experiment Results

4.2.1 Experiment 1: Validating the Principle that Gives Priority to Adjacent Links
DDoS attack scenario 1: The flooding data is generated by node A, processed by nodes B and D, and node G is the target. At the same time, flooding data is generated by node L, processed by node I, and node F is the target. The data transfer rate is 2.8 Mb/s, which congests the links far from the victims.
DDoS attack scenario 2: The flooding data is generated by node E and node G is the target. The data transfer rate is 4.5 Mb/s, which congests the links adjacent to the victim.
Table 1. VALIDATE THE PRIORITY PRINCIPLE OF THE ADJACENT LINK

Scenario | Congested link | Congestion level | Impact on QoS (F) | Impact on QoS (G) | Impact on structure | General impact
1        | <A,D>          | 1.5              | 0.082             | 0.082             | 0.065               | 0.638
         | <A,B>          | 1.5              | 0.082             | 0.082             | 0.065               |
         | <L,I>          | 1.5              | 0.082             | 0.082             | 0.065               |
2        | <E,G>          | 1.5              | 0.521             | 0.521             | 0.065               | 1.192
After experiment 1 we see that, for links with the same congestion metric, the links far away from the victim have less impact on the degradation of quality of service during DDoS attacks.

4.2.2 Experiment 2: Validating the Principle that Gives Priority to Links in the Min-cut Set
DDoS attack scenario 3: The flooding data is generated by node B, processed by node E, and node G is the target. The data transfer rate is 5.6 Mb/s, which congests links that are not in the min-cut set.
DDoS attack scenario 4: The flooding data is generated by node J, processed by node H, and node F is the target. The data transfer rate is 5.6 Mb/s, which congests links that are in the min-cut set.
Table 2. VALIDATE THE PRIORITY PRINCIPLE OF THE LINKS IN THE MIN-CUT SET

Scenario | Congested link | Congestion level | Impact on QoS (F) | Impact on QoS (G) | Impact on structure | General impact
1        | <B,E>          | 1.5              | 0.195             | 0.195             | 0.065               | 1.681
         | <E,G>          | 1.5              | 0.521             | 0.521             | 0.065               |
         | <J,H>          | 1.5              | 0.195             | 0.195             | 0.78                |
2        | <H,F>          | 1.5              | 0.521             | 0.521             | 0.065               | 2.368

After experiment 2 we see that, for links at the same distance from the victim, the links in the min-cut set have a greater impact on the degradation of quality of service during DDoS attacks than the links that are not in the min-cut set.


5 CONCLUSION
Ultimately, DDoS attacks are about creating network congestion and denying service to end users. We propose a network security situation evaluation method for DDoS measurement. The method builds a network model and introduces graph algorithms, based on the principle that links adjacent to the victim and links in the min-cut set have more impact on the degradation of quality of service during DDoS attacks, and it obtains the impact of link congestion on the degradation of the security situation. It can work out the security situation of a large-scale network and reduce the data processing time. Finally, we use an NS2 testbed to validate the theories and algorithms presented in the paper.
We believe there is much more work to be done in developing effective methods for DDoS evaluation. In future work we will research how to apply the Analytic Hierarchy Process [7] on top of this method.


References
[1] Bass T, Multisensor data fusion for next generation distributed intrusion detection systems, 1999 IRIS National Symposium on Sensor and Data Fusion, Laurel, 1999.
[2] Bass T, Intrusion detection systems and multisensor data fusion: Creating cyberspace situational awareness, Communications of the ACM, 2000, 43(4): 99-105.
[3] D'Ambrosio B, Takikawa M, Upper D, et al., Security Situation Assessment and Response Evaluation (SSARE), DARPA Information Survivability Conference and Exposition II, 2001.
[4] The network simulator NS2, http://www.isi.edu/nsnam/ns
[5] Stoer M, Wagner F, A simple min-cut algorithm, Journal of the ACM, 1997, 44(4): 585-591.
[6] Sedgewick R, Wayne K, Algorithms, Fourth Edition, Addison-Wesley, 2011.
[7] Saaty T L, How to Make a Decision: The Analytic Hierarchy Process, European Journal of Operational Research, 1990, 1(48): 9-26.
