An Anomaly Detection System For Ddos Attack


02 Nov 2017


Evolving computing networks depend heavily on cloud computing, which provides reliable access to distributed resources. It has brought dramatic changes to the field of IT, with advantages such as delivering services at different levels of infrastructure at lower development and maintenance cost, and increasing scalability and resource utilization. Intrusion detection systems detect hidden attacks and categorize the attack type as network based or host based, using knowledge-based and behaviour-based analysis to identify specific intrusions. Signature-based IDS [12] performs poorly at capturing large volumes of anomalies. Another problem is that the Cloud Service Provider (CSP) hides attacks caused by intruders; because of its distributed nature, a cloud environment has a high likelihood of vulnerable resources. By impersonating genuine users, intruders can consume a service's plentiful resources. In the proposed system we combine a few concepts that are available with new intrusion detection techniques. Here we merge an entropy-based system with an anomaly detection system to provide multilevel Distributed Denial of Service (DDoS) detection. This is done in two steps. First, users pass through a router at the network site that runs the detection algorithm and checks whether the user is legitimate. Second, they pass through a router at the cloud site that runs the confirmation algorithm and checks the measured value against a threshold: if it is beyond the threshold the user is considered legitimate, otherwise an intruder has been found in the environment. This system is provided and maintained by a third party. When an attack happens in the environment, it sends a notification message to the client and an advisory report to the Cloud Service Provider (CSP).

INTRODUCTION

Cloud computing is being reshaped into a new model consisting of services that are delivered in a style similar to conventional utilities such as water, gas, electricity, and telephone service. Cloud computing presents the infrastructure as a "Cloud" in which businesses and customers take part and are able to access applications from anywhere in the world according to their requirements.

DDoS: an attack in which multiple compromised systems infected with Trojans are used to target a single system, causing a Denial of Service (DoS). The victims of a DDoS attack include both the end target system and all systems maliciously used and controlled by the attacker in the distributed attack; the impact on the service provider is higher than on the clients.

Background and Related Work:

Distributed Cloud Intrusion Detection Model: NIDS and HIDS are not suitable for the security environment of the cloud. Irfan Gul et al. [2] have suggested a cloud middleware layer with an audit system designed to cover attacks that HIDS and NIDS cannot cover. By using this model we can place the IDS as middleware so that any information from a cloud user to the CSP passes through it. This middleware is treated as a third party and is fully maintained by the service provider.

Cloud QoS, High Availability & Service Security Issues with Solutions

Distributed Denial of Service (DDoS) poses a potential threat to this key technology of the future. Muhammad Zakarya et al. [4] have suggested a new cloud environment and architecture and an entropy-based Anomaly Detection System (ADS) approach to mitigate DDoS attacks, which further improves network performance in terms of computation time, Quality of Service (QoS) and High Availability (HA) in a cloud computing environment. The entropy approach uses two algorithms to mitigate intruders, namely the detection algorithm and the confirmation algorithm.

An Anomaly Detection System for Ddos Attack in Grid Computing

Grid computing is a fast-rising field of wide-area distributed computing. A grid is a collection of heterogeneous computers and resources across multiple organizations that delivers computing and resources as services to its users. Distributed Denial of Service (DDoS) is one of the major problems for grid computing services. Sumit Kar et al. [6] have proposed securing the system against DDoS attack through three methods: (i) attack prevention, (ii) attack detection and recovery, and (iii) attack identification. Their paper discusses the weakness of grid computing in the presence of DDoS attacks.

Integrating a Network IDS into an Open Source Cloud Computing Environment

Based on the data source analyzed, IDS can be classified as network based or host based. A network-based IDS analyzes traffic flowing through a network segment by capturing packets in real time and checking them against some "classification" criteria. Claudio Mazzariello et al. [8] have suggested that IDS can be further characterized with respect to the type of detection mechanism implemented.

ANOMALY

Maintaining security in a cloud environment is a real challenge, and the toughest part of security management in large high-speed networks such as grids and clouds is the detection of suspicious anomalies in network traffic patterns caused by DoS and DDoS attacks. To protect the cloud from DoS attacks, an attack must be detected before it affects cloud users, with a high detection rate and a low false-alarm rate, so that attack traffic can be discarded without affecting legitimate traffic. Using entropy to analyze changes in the traffic distribution has two advantages: i) using entropy for anomaly detection increases detection capability compared with volume-based methods; ii) the entropy method provides additional information to distinguish between dissimilar types of anomaly (worms, DDoS attacks, scanning).

ENTROPY BASED APPROACH

Entropy, or the Shannon-Wiener index, is an important concept of information theory: it measures the uncertainty or randomness associated with a random variable, or in this case with the data arriving over the network. The more random the data, the more entropy it contains. The value of sample entropy lies in the range [0, log n]. Entropy is smaller when the class distribution is pure, i.e. all observations belong to one class, and larger when the class distribution is impure, i.e. observations are spread over many classes. Consider the entropy H(X) of a random variable X with possible values {x1, x2, ..., xn} and probability distribution P = {p1, p2, ..., pn} with n elements, where 0 <= pi <= 1. Here p(xi), for xi in X, is the probability that X takes the value xi, so p(xi) = mi/m, where mi is the frequency, i.e. the number of times we observe X taking the value xi, and m is the total number of observations.

When we want to calculate the probability of a given source (destination) address x:

    P(x) = (number of packets with x as source (destination) address) / (total number of packets)

that is, mi = number of packets with xi as source (destination) address and m = total number of packets.

Similarly, we can calculate the probability of each source (destination) port x:

    P(x) = (number of packets with x as source (destination) port) / (total number of packets)

Normalized entropy: NE = H / log n0, where n0 is the number of distinct xi values in the given time window.

If NE < th1, where th1 is threshold value 1, mark the flow as suspected and raise an alert.

Projected Entropy: According to , for stationary stochastic processes the entropy rate H(x) of the two random processes is the same.

If H(x) <= th2, where th2 is threshold value 2, mark the flow as attacked, raise a final alert, and discard the attack flow.
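The following is an added worked example of the two-stage scheme described in the abstract and in this section; it is not code from the essay or from any of the cited papers. It computes the per-window source-address distribution p(xi) = mi/m, the Shannon entropy H (the standard formula, in bits), the normalized entropy NE = H / log n0, and applies the detection threshold th1 to NE and the confirmation threshold th2 to H of the following window. The packet windows, the threshold values (0.6 and 1.0) and the treatment of the confirmation step as a second entropy check on the next window are assumptions made for the example, not values given in the essay.

```python
"""Entropy-based two-stage DDoS detection (added example, not the essay's code).

Stage 1 (detection algorithm, network-site router): NE = H / log2(n0) of the
source-address distribution in a time window; NE < th1 marks the flow as suspected.
Stage 2 (confirmation algorithm, cloud-site router): entropy H of the next window;
H <= th2 marks the flow as attacked (final alert, flow discarded).
The windows and thresholds below are constructed for illustration only.
"""
import math
from collections import Counter


def entropy(values):
    """Shannon entropy H(X) = -sum_i p_i * log2(p_i), with p_i = m_i / m."""
    m = len(values)
    if m == 0:
        return 0.0
    return -sum((mi / m) * math.log2(mi / m) for mi in Counter(values).values())


def normalized_entropy(values):
    """NE = H / log2(n0), n0 = number of distinct values in the window.
    A window containing a single distinct value is maximally pure: NE = 0."""
    n0 = len(set(values))
    if n0 <= 1:
        return 0.0
    return entropy(values) / math.log2(n0)


# Constructed traffic windows: lists of (src_ip, dst_port) tuples (RFC 5737 test ranges).
# Normal window: 8 distinct sources, each sending 3 packets (24 packets, H = 3 bits).
NORMAL_WINDOW = [(f"192.0.2.{i}", port) for i in range(1, 9) for port in (80, 443, 53)]
# Attack-like window: one source dominates with 28 of 32 packets (low entropy).
ATTACK_WINDOW = [("203.0.113.99", 80)] * 28 + [(f"192.0.2.{i}", 443) for i in range(1, 5)]


def src_addresses(window):
    return [src for src, _ in window]


def dst_ports(window):
    return [port for _, port in window]


TH1 = 0.6  # assumed threshold value 1, applied to normalized entropy
TH2 = 1.0  # assumed threshold value 2, applied to entropy in bits


def detection_stage(window, th1=TH1):
    """Network-site router: the flow is suspected if source-address NE < th1."""
    return normalized_entropy(src_addresses(window)) < th1


def confirmation_stage(window, th2=TH2):
    """Cloud-site router: the flow is confirmed as attack if source-address H <= th2."""
    return entropy(src_addresses(window)) <= th2


def classify(first_window, second_window, th1=TH1, th2=TH2):
    """Run detection on the first window and, if it fires, confirmation on the second."""
    if not detection_stage(first_window, th1):
        return "legitimate"
    if confirmation_stage(second_window, th2):
        return "attack"  # raise final alert, discard the attack flow
    return "suspected"  # alert raised at stage 1 but not confirmed at stage 2


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        srcs = src_addresses(window)
        print(f"{name}: H={entropy(srcs):.3f} bits, NE={normalized_entropy(srcs):.3f}, "
              f"port NE={normalized_entropy(dst_ports(window)):.3f}")
    print("normal then normal  ->", classify(NORMAL_WINDOW, NORMAL_WINDOW))
    print("attack then attack  ->", classify(ATTACK_WINDOW, ATTACK_WINDOW))
    print("attack then normal  ->", classify(ATTACK_WINDOW, NORMAL_WINDOW))
```

In the constructed data the normal window gives H = 3 bits and NE = 1.0 (a uniform distribution over its 8 sources), while the dominated window gives H of about 0.79 bits and NE of about 0.34, so it is flagged at stage 1 and confirmed at stage 2 only if the next window is still concentrated. Because the thresholds are applied to a single window, a practitioner tuning th1 and th2 would measure NE on a baseline of benign traffic first, since the normalization by log n0 makes NE depend on how many distinct sources appear per window.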

CloudSim

The CloudSim simulation layer provides support for modeling and simulating virtualized cloud-based data center environments, including dedicated management interfaces for VMs, memory, storage, and bandwidth. Fundamental issues such as provisioning of hosts to VMs, managing application execution, and monitoring dynamic system state are handled by this layer. A cloud provider who wants to study the efficiency of different policies for allocating its hosts to VMs (VM provisioning) would implement those strategies at this layer, by programmatically extending the core VM provisioning functionality. There is a clear distinction at this layer related to provisioning of hosts to VMs: a cloud host can be concurrently allocated to a set of VMs that execute applications according to the QoS levels defined by the SaaS provider. This layer also exposes the functionality that a cloud application developer can extend to perform complex workload profiling and application performance studies. The top-most layer in the CloudSim stack is the User Code, which exposes basic entities for hosts (number of machines, their specification, and so on), applications (number of tasks and their requirements), VMs, number of users and their application types, and broker scheduling policies.
