International Journal of Fuzzy Systems, Vol. 16, No. 4, December 2014
Autonomous Agent for DDoS Attack Detection and Defense
in an Experimental Testbed
G. Preetha, B. S. Kiruthika Devi, and S. Mercy Shalinie

Abstract

Distributed Denial of Service (DDoS) attacks impinge on the availability of critical resources in the Internet domain. The objective of this paper is to develop an autonomous agent based DDoS defense in real time without human intervention. A mathematical model based on Lanchester law has been designed to examine the strength of the DDoS attack and defense groups. Once the attack strength is formulated, an efficient defense mechanism is deployed at the victim to block malicious flows. The proposed framework is validated in an experimental testbed with geographically distributed testbed nodes. From the experimental results, the strength of the attack group is observed as 49%. The defense strength of the Hop Count Filtering mechanism is obtained as 31.3%, whereas the proposed Hybrid Model defense effectiveness is computed as 48.7%. Also, Adaptive Bandwidth Management (ABM) using a fuzzy inference system provides sustainable bandwidth to legitimate users by providing a low bandwidth share for attackers. The proposed autonomous agent based model defends against DDoS attacks in various aspects like prevention of IP spoofing, effective bandwidth management, improvement of Quality of Service provisioning, availability of services to legitimate clients and protection of critical infrastructure points. The defense mechanism paves the way to Critical Information Infrastructure Protection.

Keywords: Adaptive bandwidth management, autonomous agent, DDoS, Lanchester law, testbed.

Corresponding Author: G. Preetha is with the Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, Tamilnadu, India, 625 015. E-mail: [email protected]
B. S. Kiruthika Devi and S. Mercy Shalinie are with the Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, Tamilnadu, India, 625 015. E-mail: [email protected]; [email protected]
Manuscript received 12 May 2014; revised 11 July 2014; accepted 16 Sep. 2014.
© 2014 TFSA

1. Introduction

Most modern attacks or intrusions are very intelligent, leaving no trace of their appearance in the network and thus making their detection very difficult. The Distributed Denial of Service (DDoS) attack is classified as a resource and bandwidth exhaustion attack [1]. In most cases, attackers spoof IP addresses to evade source identity. Enormous volumes of packets bombard the network, targeting routers, servers and firewalls and preventing legitimate users from operating their normal services. Packet-flooding is a form of bandwidth exhaustion attack where the attacker's intention is to bombard the target server with TCP, UDP, ICMP, DNS and HTTP packets [2]. Any computer in the network can be easily compromised by DDoS attacks without any knowledge of being attacked. Efficient and publicly available online resources such as the automated DDoS attack tools Trinoo, TFN, TFN2K, mstream, Stacheldraht, Shaft, Trinity, Knight etc. do not require technical knowledge to launch a high rate flooding attack. The victims are surprisingly government agencies, financial corporations, defense agencies and military departments. Popular websites like facebook, twitter, wikileaks, paypal and ebay became DDoS victims. The attacks interrupted their normal operation, leading to financial losses, service degradation and lack of availability [3].

Agents play a vital role in the recent research involving Artificial Intelligence and Expert Systems [4]. Agents can be further classified into Hardware and Software agents [5]. The latter is a software program which works irrespective of the operating platform. Autonomous agents function independently and act in response to attacks without any human intervention. Extensive efforts of researchers in solving these attacks often get exhausted in designing an agent according to their own requirements. A software agent, when properly designed, has the ability to act on behalf of its users autonomously. An autonomous agent is a software agent which resides on the victim machine and gets activated only when the DDoS attack strikes the target network. Since the agent is placed at the victim level, there is no need to deploy distributed cooperative agents and a centralized controller. Agent usage is currently being encouraged by Intrusion Detection Systems (IDS) for its fast detection, easy transportation, minimal complexity etc. The software agent probes the detection system for any suspicious attack sources. SNMP MIB data are used for DDoS symptom analysis and its fast detection. This
triggers the agent to drop all attack packets using the
drop list being generated every now and then. Upon detection, each DDoS attack source IP is logged into the
drop list by the hybrid system. In the shortest possible
time, the agents act rapidly so as to drop all the malicious sources, thereby saving the victim from overwhelming surge traffic. Fuzzy system plays a vital role
in complex non linear systems [6], when there is a difficulty in designing a mathematical model.
Attackers use IP spoofing as a weapon to disguise
their identity and the spoofed traffic also follows the
same principle as normal traffic. Qualitative description
of the detection with fuzzy estimators at mean packet
inter arrival time was proposed in [7] instead of statistical descriptors. DDoS attack with malicious IP is detected and discarded before the victim suffers from resource exhaustion. The arrival time is used as a main
metric to discriminate the DDoS traffic. The problem
faced by this method is that a single metric alone cannot
be sufficient to distinguish normal traffic from an attack.
Existing mechanisms defend DDoS attacks qualitatively
but not quantitatively [8-10]. Thus, the need for mathematical analysis of the vulnerability exploited by DDoS attacks, and the scarcity of intelligent agents to defend against
DDoS attacks in real time, motivated us to propose an
autonomous agent based solution to defend against DDoS attacks. The contributions of this paper are: i) A testbed
infrastructure has been developed to carry out realistic
DDoS experimentation with different traffic generators
and the dataset. ii) Mathematical model is formulated to
evaluate the DDoS attack strength in quantitative terms
which enables a defender to calculate the impact analysis
of DDoS attacks and deploy mitigation algorithms accordingly for ending the combat. iii) Proof-of-concept
for the formulated mathematical model is validated by
generating traffic in the experimental testbed. Chosen
metrics are monitored online before and after DDoS attack. The degradation in the observed metrics is evaluated to define the strength of the attack. iv) Hybrid
DDoS attack detection technique has been designed and
implemented. This technique tests the incoming network
traffic in real time to segregate malicious traffic from the
legitimate one. The subsets of attack traffic are further
classified and trained for protocol exploit attacks. The
detection accuracy is increased with low false positive
rate. v) DDoS attack traffic has been weeded out automatically at the victim’s end with the help of intelligent
agents. In this paper, a framework has been proposed
which acts as a platform for the researchers to quantitatively detect, mitigate and defend DDoS attacks in real
time.
2. Related Work
Single metric alone [11] cannot exemplify the impact
of Denial of Service (DoS) attack. The rate of false
alarms is high because it detects attacks with the information from single performance metric. Instead of using
a single metric [12] to detect the DoS attack, multiple
metrics are to be attempted to derive conclusions that the
victim is suffering from flooding attack. Multiple metrics
are analyzed [9-10] to study the impact of DDoS attack
and service deterioration. Anomalies are noticed by online monitoring of host based (CPU, Memory Usage)
and network based (Latency, Link Utilization, Packet
Arrival Rate, Throughput) performance metrics [13] to
suspect the DDoS attack. Comprehensive survey to discover and defend DDoS attacks, security challenges and
research problems were detailed in [14-15]. DDoS attack
incidents, motivations behind the attack, their impacts
and vulnerabilities are surveyed in [16]. The researchers
have illustrated various attack detection and defense algorithms and the necessity of formulating a statistical
prototype. Quarantined intrusion detection is a nightmare
for security analysts when the attack is launched from
several compromised nodes called botnets. To overcome
the issue, topology oriented collaborative IDS was proposed in [17] to elude DDoS attacks.
Stream-based DDoS defense framework [18] provides
anomaly based detection by analyzing the traffic features
and mitigation of DDoS attacks. Traffic features are extracted by streaming queries and compared with the features mentioned in the historical dataset. However, the
method doesn’t differentiate legitimate from illegitimate
traffic and also does not examine the reason for anomalies. A Confidence Based Filtering (CBF) method [19]
uses the correlation between IP and TCP headers as the
attribute value pairs to distinguish attack packets from
normal. CBF score is calculated based on the weighted
average of confidence among attribute pairs. The CBF
method will fail to filter the attack packets when the attacker mimics the correlation characteristics of the attribute value pair. In case of high rate of flooding attack,
the response, accuracy and the speed of the filtering
mechanism need to be analyzed. Hadoop based DDoS
defense mechanism was proposed in [20], which uses the
Map Reduce programming model to detect DDoS. Time
interval, threshold and unbalance ratio are given as input
to file system with the help of packet loader. The algorithm should be further optimized. Moreover it lacks
practical implementations.
Proactive surge protection [21] provides bandwidth
isolation for the traffic flows that are not under attack,
reducing the collateral damage. Two differentiated priority classes are formulated at the network perimeter, where
packets are tagged as high if the arrival rate is lower than
threshold and low priority when it is greater. Low priority
packets are preferentially dropped when the network link
is saturated. The preferential dropping does not happen
when the network conditions are normal with packets
being forwarded routinely. LOT [22] is a lightweight
tunneling protocol, which is used to discard spoofing IP
packets and flooding packets kind of attacks. Deploying
this algorithm at network gateways mitigates DNS poisoning, network scans and Distributed Denial of Service
(DDoS) attacks. Adaptive Selective Verification [23] is
designed to thwart DDoS attacks, based on selective
verification using a distributed adaptive mechanism. The
server uses random sampling method and processes legitimate user’s request to avoid bandwidth consumption
by the attackers. However this algorithm lacks practical
implementations and it eliminates bandwidth consumption attacks only. Discrete wavelet transform methodology is used to carry out statistical analysis of the
incoming network traffic. The Hurst parameter metric was
analyzed using Schwarz Information Criterion (SIC) and
intelligent fuzzy technology in [24]. These algorithms
are outside the purview of proof-of-concept implementations.
An adaptive and cooperative defense mechanism
against Internet attacks with multi-agent framework was
proposed in [25]. Interactive intelligent agents act according to the compliance based on the network conditions and the severity of the attack. The main drawback in
this approach is that the cooperation between routers is
mandatory. Botnet analysis and defense framework was
proposed in [26] where agents collect information from
different sources, to forecast the intentions and to deceive
the agents of computing team. Its major drawback is that
it lacks practical implementations and also requires cooperation among ISPs. A Multi agent system based on
Artificial Neural Networks was proposed in [27] to detect intrusions in dynamic networks that guarantee computer network security architecture. A deliberative agent
with flexible and adaptable architecture is designed to
identify intrusions by probing anomalous situations with
the help of SNMP. Traffic Rate Analysis (TRA) for TCP
attack is envisaged based on tcp flags by Rule Based
Inductive Learning approach [28]. To summarize, the
above mentioned schemes lack in quantitative measurement, real time deployment, autonomous agent and
routers co-operation. In this paper, an autonomous agent
based DDoS defense framework is proposed to identify
the attacker’s strength and to choose a defense strategy to
overcome it.
3. Proposed Model
An overall framework for DDoS defense using
autonomous agent is proposed as shown in Figure 1.
This framework comprises the following major components: 1) Traffic Generation Agent, 2) Monitoring Agent, 3)
Analyzer Agent, 4) Detection Agent and 5) Decision
Agent. Distributed attack traffic is generated in an experimental testbed from various sites with the help of the
traffic generation agent. The anomalies are inferred
online with the peak increase or drop in the network traffic using the monitoring agent. The analyzer agent incorporates Lanchester law to quantitatively analyze the
strength of attack and defense group. The detection agent
deploys appropriate detection algorithm and triggers the
filtering module to drop the malicious flows at the router
itself. Finally the decision agent derives conclusion so as
to provide sustainable bandwidth for legitimate users and
minimal bandwidth for attackers.
Figure 1. Autonomous agent based DDoS defense framework. (Components shown: Traffic Generation Agent over the distributed testbed with Attacker 1 UDP at Site I, Attacker 2 ICMP at Site II, Attacker 3 TCP SYN at Site III and Attacker 4 TCP SPOOF at Site IV; Monitoring Agent with host metrics CPU usage and memory usage and network metrics packet loss, latency, link utilization and throughput; Analyzer Agent with the Lanchester combat model; Detection Agent with HCF and the Hybrid Model SVM-MLP; Decision Agent with Adaptive Bandwidth Management.)
A. Traffic generation agent
Testbed has been developed to meet the emerging vulnerabilities in cyber society. It is distributed among sites
in eight collaborative institutions across various geographical locations connected through MPLS-VPN cloud
as shown in Figure 2.
Figure 4. Online monitoring system. (Monitoring agent collecting host and network based performance metrics: CPU usage, memory usage, packet loss, latency, link utilization and throughput.)
Figure 2. Distributed testbed environment.
Traffic generation, monitoring and management are
enabled through the testbed nodes. Emulated DDoS attacks using modest hardware resources are achieved by
experimental testbed. DDoS detection and defense solutions are validated using this testbed for protecting critical infrastructure from DoS attacks. Traffic generation
was carried out in the testbed with automated tools,
command line arguments and user written scripts. Network layer attacks like TCP, UDP, ICMP and TCP SYN
flooding packets are pumped into the victim network.
Figure 3 depicts the DDoS attack scenario wherein the
victim at site V is attacked by four different types of attacks such as UDP flooding, ICMP flooding, TCP SYN
and TCP SPOOF simultaneously. Bandwidth along the
consortium nodes is 2 Mbps and attack time is set to 120
seconds.
Figure 3. DDoS attack scenario.
B. Monitoring agent
Traffic traces are monitored in an experimental testbed
through monitoring agent. The DDoS effect is monitored
with the help of performance metrics like CPU usage,
memory usage, packet loss, latency, link utilization and
throughput [15] as shown in Figure 4. Measuring single
metric will lead to false alarms. So, multiple metrics are
monitored by monitoring agent to compute the deprivation of web servers experienced in attacking mode.
C. Analyzer agent
In heterogeneous network like the Internet, it is hard
to classify the legitimate and attack traffic where experimenters depend on quantitative model. Predicting
and forecasting attacks lead to the efficient defense system design to throttle DDoS attacks. Lanchester law is
used to calculate the relative strengths of Attack/Defense
group. Its application is validated for DDoS attack which
is a great threat to cyber security. F.W. Lanchester formulated a mathematical model to analyze the strength of
attack and defense group in warfare [29-30].
DDoS attack consists of two groups, namely attack group $X$ and defense group $Y$. Let $x(t)$ and $y(t)$ define the strength of the DDoS attack group $X$ and defense group $Y$ at time $t$. Attack group $X$ considers traffic intensity as the major parameter. Similarly, the defense group $Y$ considers defense effectiveness to combat DDoS attack [31].
The strength of each group depends on the product of the sizes of both parties:

$$\frac{dx}{dt} = -\alpha\, x y, \qquad \frac{dy}{dt} = -\beta\, x y \qquad (1)$$

where $x$, $y$ are the group sizes of the attack group and defense group respectively, $\alpha$ is the rate at which the defense group can mitigate the attack strength and $\beta$ is the rate at which the attack group can deteriorate the defense strength. Applying the chain rule followed by integration, the state equation is obtained as:

$$\alpha\,(y - y_0) = \beta\,(x - x_0) \qquad (2)$$

The fighting strength of the defense group is higher when

$$\alpha y > \beta x \qquad (3)$$
A General Model [31] is developed to show that a
group’s attrition rate may be affected by its own size and
fighting abilities.  is the rate at which group size is
reduced over a period of time and  is the rate at
which individual fighting ability is reduced over a period
of time. State equations and diminishing functions are
introduced and then the equations in [24] are solved to
arrive at equation (4).
Thus, defense group wins if,
1
1
   y     x y  Ax   
(4)
 F
 

   x  
 y x  Ay  
When the individual fighting ability reduces by a factor of ‘  ’, then the strength of the group also reduces
accordingly [31]. By rearranging and substituting  =1
in equation (4), equation (5) is evolved.
 r 1  Ar 
(5)


Ar
The group size is ‘1’ because detection and defense is
carried out at the victim’s network [32].
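The chain-rule step that takes (1) to (2), and the way (3) follows from it, carried through with the paper's own symbols; this derivation is added here and is not part of the original text.

Dividing the two equations of (1) eliminates $t$:
$$\frac{dy}{dx} = \frac{dy/dt}{dx/dt} = \frac{-\beta\, x y}{-\alpha\, x y} = \frac{\beta}{\alpha}.$$
Integrating from the initial sizes $(x_0, y_0)$ to $(x, y)$ gives the state equation (2):
$$\alpha \int_{y_0}^{y} dy' = \beta \int_{x_0}^{x} dx' \;\Longrightarrow\; \alpha\,(y - y_0) = \beta\,(x - x_0).$$
The defense group wins when the attack group is exhausted first, i.e. $x = 0$ is reached while $y > 0$. Setting $x = 0$ in (2),
$$y\big|_{x=0} = y_0 - \frac{\beta}{\alpha}\, x_0 > 0 \;\Longleftrightarrow\; \alpha y_0 > \beta x_0,$$
which is condition (3) evaluated at the initial group sizes; by (2) the quantity $\alpha y - \beta x$ is constant along the whole trajectory, so its sign, and hence the outcome, is fixed from the start of the combat.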
D. Detection agent
The online monitoring system is probed further to gather information about the attackers using spoofed IP address, high traffic senders with source address, traffic intensity, volume and protocol type. An efficient detection algorithm for detecting spoofed traffic before reaching the target is very essential.

D.1. Hop count filtering algorithm
Figure 5. Hop Count Filtering algorithm. (Flowchart: Incoming Packets; Infer Source IP & TTL (Tf); Get Initial TTL Ti; Compute Hop Count Hc = Ti − Tf; Search Stored Hop Count Hs; if Hc = Hs then Accept Packet, else Drop Packet.)

The Time to Live (TTL) field is the unique parameter to check the number of hops required to reach the destination. This information is available in the IP header and cannot be modified by the attacker since it is dependent on the Operating System (OS) and routing protocols. The hop count and the source IP are stored in the IP2HC table when the target network is operating in normal mode. The flowchart for the Hop Count Filtering algorithm shown in Figure 5 computes the hop count by finding the difference between the final and initial TTL values. The initial TTL values are based on the OS, and TTL values are observed as in [33]. When the source IP is found in the IP2HC table with a matching hop count the incoming packet is tagged as legitimate, else it is tagged as spoofed.

D.2. Hybrid model (SVM-MLP)
The traffic samples are fed to the Support Vector Machine (SVM) classifier to evaluate its performance with high detection accuracy and low false positive rate. Host and network metrics, namely latency, link utilization, CPU usage, memory usage, packet arrival rate and throughput, are input to the SVM model, which discriminates attack traffic from benign traffic. If the victim host is confirmed to be under attack, the next step is to find the potential attackers. The online monitoring system is probed further to gather information about the attackers that the SVM model has listed. The vital information about the attackers, such as IP flow statistics per protocol, is fed into the Multi Layer Perceptron (MLP) classifier. Since the MLP model is already updated with attack signatures, it is now capable of finding the kind of flooding attack that is being initiated to deny legitimate requests by consuming system and network resources of the victim.

E. Decision agent
Six MIB variables are observed and they are from the TCP, UDP and ICMP groups. The variables of interest from those groups are tcpAttemptFails, tcpOutRsts, udpInErrors, icmpInErrors, icmpOutMsgs and icmpOutDestUnreachs. Changes in the SNMP MIB variable statistics are observed when the bogus traffic reaches the victim. The SNMP MIB collector collects the SNMP MIB data on the victim system at different layers and protocols. The excessive monitoring information is exploited for the detection of flooding style attacks. The six MIB variables are collected using the SNMP MIB collector, which constantly increments their values as the incoming/outgoing traffic increases enormously. Since a DDoS attack is very aggressive and overwhelms the victim network with seemingly legitimate packets, the SNMP MIB data is updated frequently in a very short interval of time. The duration in which the victim network is probed for data is kept as 5 seconds.

Figure 6 shows the proposed Adaptive Bandwidth Management (ABM) system based on fuzzy inference to regulate efficient bandwidth allocation based on subsets of attack traffic. The subsets of attack traffic (TCP, UDP and ICMP flooding) segregated by the MLP are input to the ABM algorithm for further rule based decisions to make adaptive bandwidth allocation. The SNMP-MIB variables for TCP, UDP and ICMP flows are input to the fuzzy inference system, and it provides a low bandwidth share for attackers and high bandwidth for legitimate users as shown in Figures 7-9.
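The hop count check of Figure 5 in working form, as an added example rather than the paper's own code: the IP2HC table is learned while the network is in normal mode, and each later packet is classified by comparing Hc = Ti − Tf with the stored Hs. The set of default initial TTLs, the sample addresses and the TTL values are assumptions constructed for the demonstration.

```python
"""Hop Count Filtering (HCF) as described for the detection agent (Figure 5).

Added example, not the paper's code.  Learn the IP-to-hop-count (IP2HC)
table in normal mode, then for each incoming packet infer the initial TTL
Ti from the observed final TTL Tf, compute Hc = Ti - Tf and compare it with
the stored Hs for that source IP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: initial TTL values commonly set by operating systems
# (the paper takes its per-OS values from [33]).
DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    ttl: int  # final TTL Tf observed at the victim


def infer_initial_ttl(tf: int) -> int:
    """Return the smallest default initial TTL Ti that is >= Tf.

    A packet cannot gain TTL in transit, so Ti is at least Tf; the smallest
    such default yields the hop count that fits realistic path lengths.
    """
    if not 0 <= tf <= 255:
        raise ValueError(f"TTL out of range: {tf}")
    for ti in DEFAULT_INITIAL_TTLS:
        if ti >= tf:
            return ti
    return 255


def hop_count(tf: int) -> int:
    """Hc = Ti - Tf, as in Figure 5."""
    return infer_initial_ttl(tf) - tf


class HopCountFilter:
    """IP2HC table plus the accept/drop decision of Figure 5."""

    def __init__(self) -> None:
        self.ip2hc: Dict[str, int] = {}

    def learn(self, packets: List[Packet]) -> None:
        """Normal-mode phase: store source IP -> hop count Hs."""
        for p in packets:
            self.ip2hc[p.src_ip] = hop_count(p.ttl)

    def classify(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return ('legitimate' | 'spoofed' | 'unknown', Hs).

        'spoofed': the source IP is in IP2HC but Hc != Hs, so the claimed
        address does not match the path the packet actually travelled.
        'unknown': the source was never seen in normal mode; the paper tags
        such sources as spoofed, which filter() does by default.
        """
        hs = self.ip2hc.get(p.src_ip)
        if hs is None:
            return "unknown", None
        return ("legitimate" if hop_count(p.ttl) == hs else "spoofed"), hs

    def filter(self, packets: List[Packet], drop_unknown: bool = True) -> Dict[str, List[Packet]]:
        """Split traffic into the accept list and the drop list."""
        out: Dict[str, List[Packet]] = {"accept": [], "drop": []}
        for p in packets:
            verdict, _ = self.classify(p)
            drop = verdict == "spoofed" or (verdict == "unknown" and drop_unknown)
            out["drop" if drop else "accept"].append(p)
        return out


# Constructed sample traffic.  Normal mode: three known clients.
NORMAL_MODE = [
    Packet("10.1.1.5", 58),   # Ti inferred 64  -> Hs = 6
    Packet("10.2.2.7", 118),  # Ti inferred 128 -> Hs = 10
    Packet("10.3.3.9", 245),  # Ti inferred 255 -> Hs = 10
]
# Attack window: packets claiming known addresses but arriving with a TTL
# that does not fit the learned hop count, plus one never-seen source.
ATTACK_WINDOW = [
    Packet("10.1.1.5", 58),   # genuine: Hc 6 == Hs 6
    Packet("10.1.1.5", 61),   # spoofed: Hc 3 != Hs 6
    Packet("10.2.2.7", 120),  # spoofed: Hc 8 != Hs 10
    Packet("10.9.9.9", 50),   # unknown source
]


def build_filter() -> HopCountFilter:
    """An HCF instance trained on the constructed normal-mode traffic."""
    hcf = HopCountFilter()
    hcf.learn(NORMAL_MODE)
    return hcf


def run_demo() -> Dict[str, int]:
    """Number of accepted and dropped packets in the attack window."""
    return {k: len(v) for k, v in build_filter().filter(ATTACK_WINDOW).items()}


if __name__ == "__main__":
    print(run_demo())
```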
Figure 6. Proposed Adaptive Bandwidth Management.

Input: tcp_out_rsts, tcp_attempt_fails
Output: bw_alloc
If (tcp_out_rsts is high && tcp_attempt_fails is high) then
  {bw_alloc is low;}
else
  {bw_alloc is high;}
Figure 7. Pseudo code for allocating bandwidth for TCP flows.

Input: udp_in_err
Output: bw_alloc
If (udp_in_err is high) then
  {bw_alloc is low;}
else
  {bw_alloc is high;}
Figure 8. Pseudo code for allocating bandwidth for UDP flows.

Input: icmp_in_err, icmp_in_msg, icmp_out_unreach
Output: bw_alloc
If (icmp_in_err is high && icmp_in_msg is high && icmp_out_unreach is high) then
  {bw_alloc is low;}
else
  {bw_alloc is high;}
Figure 9. Pseudo code for allocating bandwidth for ICMP flows.

4. Results and Discussions

In this paper, a victim based solution is proposed to proactively detect DDoS attacks without the involvement of intermediate routers. The attack strength evaluated through the online monitoring system is 49% (α = 49%) for the attack scenario that has been considered using the distributed testbed. The HCF effectiveness is evaluated as 31.3% (β = 31.3%). By enabling the hybrid model the defense strength is computed as 48.7% with low false positive rate. The DDoS attack is detected quickly and mitigated by online filtering of malicious source IPs immediately after detection. To evaluate the detection accuracy of the chosen classifiers, True Positive (TP), False Positive (FP), precision, recall, F-measure and accuracy metrics are observed. Table 1 shows the performance metrics for the hybrid model.

Table 1. Hybrid model output.

Metrics                SVM Output            MLP Output
                       Normal    Attack      TCP      UDP      ICMP
True Positive (TP)     1         0.974       1        1        0.933
False Positive (FP)    0.026     0           0.056    0        0
Precision              0.962     1           0.993    1        1
Recall                 1         0.974       1        1        0.933
F-Measure              0.98      0.987       0.977    1        0.966
Accuracy               98.42%                99.39%

The combat model facilitates recovery of the target from the DDoS attack by deploying an efficient defense solution that terminates the combat. The proposed combat model is analyzed, and its defense effectiveness using HCF and the Hybrid model in real time is depicted in Figure 10.

Figure 10. Effectiveness of attack and defense strength.

Finally, it is necessary that the bandwidth be managed adaptively to allow access to services for legitimate users. The Adaptive Bandwidth Management (ABM) algorithm takes real time input of TCP, UDP and ICMP flood and allocates bandwidth accordingly. Based on the TCP, UDP and ICMP packet rate, if the incoming packet rate is high the bandwidth allocation is low and vice versa, as shown in Figures 11-13.
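The ABM rule base of Figures 7-9 rendered as a small Mamdani-style fuzzy inference system, added here as an example and not the paper's code: the "is high" tests become graded memberships over the SNMP MIB counter deltas of the 5-second window, and bw_alloc is defuzzified to a bandwidth share. The membership breakpoints, the 0..1 bandwidth scale and the MIB sample values are assumptions.

```python
"""Adaptive Bandwidth Management (ABM) rules of Figures 7-9 as fuzzy inference.

Added example, not the paper's code.  Inputs are the per-window deltas of the
MIB counters named in the pseudo code (tcp_out_rsts, tcp_attempt_fails,
udp_in_err, icmp_in_err, icmp_in_msg, icmp_out_unreach); the output is the
bandwidth share bw_alloc for that protocol's flows.
"""
from typing import Dict, Mapping, Tuple

# Assumed breakpoints: a counter delta <= LOW per window is fully "low",
# >= HIGH is fully "high", linear in between (trapezoidal memberships).
LOW, HIGH = 50.0, 500.0


def mu_high(x: float, low: float = LOW, high: float = HIGH) -> float:
    """Degree (0..1) to which a counter delta is 'high'."""
    if x <= low:
        return 0.0
    if x >= high:
        return 1.0
    return (x - low) / (high - low)


def mu_low(x: float) -> float:
    """Complementary degree to which a counter delta is 'low'."""
    return 1.0 - mu_high(x)


# Antecedents of Figures 7-9: the variables that must all be 'high' for
# bw_alloc to be 'low'.  The && is taken as min; the else branch fires
# with the complementary strength.
RULES: Dict[str, Tuple[str, ...]] = {
    "tcp": ("tcp_out_rsts", "tcp_attempt_fails"),
    "udp": ("udp_in_err",),
    "icmp": ("icmp_in_err", "icmp_in_msg", "icmp_out_unreach"),
}

# Assumed output sets for bw_alloc: 'low' share centred at 0.1 of the link,
# 'high' at 0.9; defuzzified as the weighted average of the centroids.
BW_LOW_CENTROID, BW_HIGH_CENTROID = 0.1, 0.9


def infer_bw_alloc(protocol: str, mib: Mapping[str, float]) -> float:
    """Bandwidth share (0..1) for one protocol's flows from a MIB snapshot."""
    antecedents = RULES[protocol]
    # IF all antecedents are high THEN bw_alloc is low
    w_low = min(mu_high(mib[v]) for v in antecedents)
    # ELSE bw_alloc is high
    w_high = 1.0 - w_low
    return (w_low * BW_LOW_CENTROID + w_high * BW_HIGH_CENTROID) / (w_low + w_high)


def abm(mib: Mapping[str, float]) -> Dict[str, float]:
    """Bandwidth shares for TCP, UDP and ICMP flows from one window's deltas."""
    return {proto: round(infer_bw_alloc(proto, mib), 3) for proto in RULES}


# Constructed deltas for one 5-second window: TCP SYN/SPOOF flooding drives
# tcp_out_rsts and tcp_attempt_fails up; UDP is quiet; ICMP is borderline,
# so only part of the 'low bandwidth' rule fires for it.
SAMPLE_MIB = {
    "tcp_out_rsts": 900.0, "tcp_attempt_fails": 700.0,
    "udp_in_err": 10.0,
    "icmp_in_err": 275.0, "icmp_in_msg": 800.0, "icmp_out_unreach": 275.0,
}

if __name__ == "__main__":
    print(abm(SAMPLE_MIB))
```

Unlike the crisp if/else of the pseudo code, a partially saturated counter (ICMP above) yields an intermediate share rather than an all-or-nothing cut.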
5. Conclusion & Future Enhancements
In this paper, a mathematical model has been formulated to analyze the vulnerability of DDoS attacks quantitatively for DDoS detection, mitigation and defense.
Figure 11. Bandwidth Allocation for TCP flow.
Figure 12. Bandwidth Allocation for ICMP flow.
Figure 13. Bandwidth Allocation for UDP flow.
Then the proof-of-concept for the proposed mathematical model has been validated by quantitatively (i) analyzing the strength of attacker and defender (49%), (ii) demonstrating the model for a DDoS attack scenario, (iii) measuring the effectiveness of DDoS detection techniques such as HCF and the hybrid model with 31.3% and 48.7% respectively, and (iv) allocating the bandwidth adaptively to legitimate users by the ABM algorithm.
The outcome of this proposed work will act as a prototype which will enable researchers to:
(i) estimate the strength of the attack and
(ii) deploy their own defense mechanisms at the victim.
Future enhancement of the proposed work is to:
(i) build resilient network architecture to prevent DDoS
attacks by upgrading critical infrastructure protection.
(ii) provide continuous operability and monitoring for
critical services during DDoS attacks.
(iii) optimize cost, reaction time and overhead complexity.
References
[1] S. M. Specht and R. B. Lee, “Distributed denial of service: Taxonomies of attacks, tools and countermeasures,” in Proc. 17th International Conference on Parallel and Distributed Computing Systems, San Francisco, California, USA, 2004, pp. 543-550.
[2] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attacks and defense mechanisms,” ACM SIGCOMM Computer Communications Review, vol. 34, pp. 39-54, 2004.
[3] Ketki Arora, Krishnan Kumar, and Monika Sachdeva, “Impact analysis of recent DDoS attacks,” International Journal of Computer Science and Engineering, vol. 3, pp. 877-884, 2011.
[4] S. Ganapathy, P. Yogesh, and A. Kannan, “Intelligent agent-based intrusion detection system using enhanced multiclass SVM,” Computational Intelligence and Neuroscience Journal, vol. 12, pp. 1-10, 2012.
[5] Y. Shoham, “An overview of agent-oriented programming,” in J. M. Bradshaw (ed.), Software Agents, Menlo Park, Calif., AAAI Press, 1997.
[6] Y.-Q. Fan, Y.-H. Wang, and W.-Q. Wang, “Adaptive fuzzy tracking control with compressor and limiters for uncertain nonlinear systems,” International Journal of Fuzzy Systems, vol. 16, no. 1, pp. 31-38, 2014.
[7] S. N. Shiaeles, V. Katos, A. S. Karakos, and B. K. Papadopoulos, “Real time DDoS detection using fuzzy estimators,” Computers & Security, vol. 31, no. 6, pp. 782-790, 2012.
[8] J. Mirkovic, A. Hussain, S. Fahmy, P. Reiher, and R. Thomas, “Accurately measuring denial of service in simulation and testbed experiments,” IEEE Trans. on Dependable and Secure Computing, vol. 6, no. 2, pp. 81-95, 2009.
[9] M. Sachdeva, K. Kumar, G. Singh, and K. Singh, “Performance analysis of web service under DDoS attacks,” IEEE International Advance Computing Conference (IACC 2009), Patiala, India, 2009.
[10] M. Sachdeva, G. Singh, K. Kumar, and K. Singh, “Measuring impact of DDOS attacks on web services,” Journal of Information Assurance and Security, vol. 5, no. 4, pp. 392-400, 2010.
[11] B. Safaiezadeh, A. M. Rahmani, and E. Mahdipour, “A new fuzzy congestion control algorithm in computer networks,” IEEE International Conference on Future Computer and Communication, April 03-05, Kuala Lumpur, Malaysia, 2009, pp. 314-317.
[12] C. Siaterlis and B. Maglaris, “Towards multisensor data fusion for DoS detection,” in Proc. of the ACM Symposium on Applied Computing, 2004, pp. 439-446.
[13] B. S. K. Devi, G. Preetha, S. D. Nidhya, and S. M. Shalinie, “DDoS detection using host-network based metrics and mitigation in experimental testbed,” IEEE International Conference on Recent Trends in Information Technology (ICRTIT), MIT, Anna University, Chennai, pp. 423-427, 2012.
[14] S. T. Zargar, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046-2069, 2013.
[15] M. H. Bhuyan, H. J. Kashyap, D. K. Bhattacharyya, and J. K. Kalita, “Detecting distributed denial of service attacks: Methods, tools and future directions,” The Computer Journal, vol. 57, no. 4, pp. 537-556, 2014.
[16] G. Loukas and G. Öke, “Protection against denial of service attacks: A survey,” Computer Journal, vol. 53, no. 7, pp. 1020-1037, 2010.
[17] C. V. Zhou, C. Leckie, and S. Karunasekera, “A survey of coordinated attacks and collaborative intrusion detection,” Computers & Security, vol. 29, no. 1, pp. 124-140, 2010.
[18] M. Callau, V. Gulisano, Z. Fu, R. Jimenez-Peris, M. Papatriantafilou, and M. Patino-Martinez, “Stone: A stream-based DDoS defense framework,” 28th Annual ACM Symposium on Applied Computing (SAC), March 18-22, Coimbra, Portugal, 2013.
[19] W. Dou, Q. Chen, and J. Chen, “A confidence based filtering method for DDoS attack defense in cloud environment,” Future Generation Computer Systems, vol. 29, pp. 1838-1850, 2013.
[20] S. Tripathi, B. Gupta, A. Almomani, A. Mishra, and S. Veluru, “Hadoop based defense solution to handle distributed denial of service (DDoS) attacks,” Journal of Information Security, vol. 4, pp. 150-164, 2013.
[21] J. C. Chou, B. Lin, S. Sen, and O. Spatscheck, “Proactive surge protection: A defense mechanism for bandwidth-based attacks,” IEEE/ACM Trans. on Networking, vol. 17, no. 6, pp. 1711-1723, 2009.
[22] Y. Gilad and A. Herzberg, “LOT: A defense against IP spoofing and flooding attacks,” ACM Trans. on Information and System Security, vol. 15, no. 2, 2012.
[23] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter, “Adaptive selective verification: An efficient adaptive countermeasure to thwart DoS attacks,” IEEE/ACM Trans. on Networking, vol. 20, no. 3, pp. 715-728, 2012.
[24] Z. Xia, S. Lu, and J. Li, “Enhancing DDoS flood attack detection via intelligent fuzzy logic,” Informatica, vol. 34, pp. 497-507, 2010.
[25] I. Kotenko and A. Ulanov, “Multi-agent framework for simulation of adaptive cooperative defense against internet attacks,” in International Workshop on Autonomous Intelligent Systems: Agents and Data Mining, LNCS, Springer, LNAI 4476, pp. 212-228, 2007.
[26] I. Kotenko, A. Konovalov, and A. Shorov,
“Agent-based modeling and simulation of Botnets
and Botnet Defence,” in C. Czosseck, K. Podins
(eds.). in Proc. Conference on Cyber Conflict. CCD
COE Publications, Tallinn, Estonia, pp. 21-44,
2010.
[27] E. Herrero, M. Corchado, A. Pellicer, and A. Abraham, “Hybrid multi agent-neural network intrusion
detection with mobile visualization,” Innovations
in Hybrid Intelligent Systems, vol. 44, pp. 320-328,
2007.
[28] S. Noh, C. Lee, K. Choi, and G. Jung, “Detecting
distributed denial of service (DDoS) attacks
through inductive learning,” Lecture Notes in
Computer Science, IDEAL 2003, pp. 286-295,
2003.
[29] F. W. Lanchester, “Mathematics in Warfare,”
Simon & Schuster. (eds.) The World of Mathematics, vol. 4, pp. 2138-2157, 1956.
[30] Y. Xiang and W. Zhou, “Safeguard information
infrastructure against DDoS attacks: Experiments
and modeling”, in proc. of CANS, pp. 320-333,
2005.
[31] E. S. Adams and M. Mesterton-Gibbons,
“Lanchester’s attrition models and fights among
social animals,” International Society for Behavioral Ecology, vol. 14, pp. 719-723, 2003.
[32] G. Preetha, B. S. K. Devi, and S. M. Shalinie
“Combat model based DDoS detection and defence
using experimental testbed: A quantitative approach,” International Journal of Intelligent Engineering Informatics, vol. 1, no. 3-4, pp. 261-279,
2011.
[33] The Swiss Education and Research Network - Default TTL values in TCP/IP (2002) [Online].
Available: http://secfr.nerim.net/docs/fingerprint/
en/ttldefault.html.
G. Preetha is currently pursuing a Ph.D. at Anna University. She received her MSIT in Information Technology in 2002 and M.Phil in Computer Science from Madurai Kamaraj University in 2005. She worked as a Lecturer from 2002 to 2008. Her current research interests include network security and wireless adhoc networks.
B. S. Kiruthika Devi is currently pursuing M.S (by Research) at Anna University. She received her BE in Electronics and Communication Engineering from Coimbatore Institute of Engineering and Information Technology in 2006. Her current research interests include network security and machine learning.
S. Mercy Shalinie is currently the Head of the Department of Computer Science and Engineering at Thiagarajar College of Engineering. She has published several papers in International Journals/Conferences. Her current areas of interest include machine learning, neural networks and information security.