
Proactive Detection of DDoS Attacks

Using MIB Variables

Presented By

R.Manjula
SSE Project Team
PSG College of Technology
10/24/16

CDBR - SSE

Agenda

Problem
Introduction
Existing Methods
Proposed Solution
Experimental Results
Conclusion
References


Problem
Proactive Detection of DDoS
Attacks


Introduction
The status of a network can be classified into 3 classes, namely:

Pre-attack (proactive stage)
  - Phase 1: selection of handlers and agents
  - Phase 2: communication and compromise
Attack
  - Phase 3: launch of the DDoS attack
Normal
  - normal status of the network


Existing Methods

Papers Published | Authors | Year | Methods Used
--- | --- | --- | ---
Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study | Joao B. D. Cabrera et al. | 2001 | A methodology for utilizing Network Management Systems for the early detection of Distributed Denial of Service (DDoS) attacks using the Granger Causality Test.
An Experimental Analysis of Proactive Detection of Distributed Denial of Service Attacks | Cobra Rahmani, Mohsen Sharifi and Tala Tafazzoli | 2003 | Implemented an SNMP-based system to detect some attacks in a network test bed. Five attacks were tested and analyzed in their experiment and MIB variables were recorded for each type of attack.
Proactive Detection of DDoS Attacks Utilizing K-NN Classifier in an Anti-DDoS Framework | Hoai-Vu Nguyen and Yongsun Choi, Inje University, South Korea | 2009 | Investigating the procedures of the network status and using the K-nearest neighbor method to classify the network status in order to detect DDoS attacks.

Proposed Solution
The Management Information Base (MIB) is a logical database of the management information held by each network device, which makes it a convenient source for learning the state stored at every device. It is:
- Flexible
- Extensible
- Standardized

Proposed Solution
Block Diagram


Proposed Solution (Cont..)

Main features considered:
- ipOutRequests - total number of datagrams originating locally
- ipInReceives - total number of incoming datagrams
- tcpInSegs - total number of segments received
- tcpOutSegs - total number of segments sent

Proposed Solution (Cont..)

Additional features considered for UDP attacks:
- icmpInDestUnreachs - total number of incoming ICMP Destination Unreachable messages
- udpNoPorts - total number of received UDP datagrams for which there was no application at the destination port

Additional features considered for ICMP attacks:
- icmpInMsgs - total number of incoming ICMP messages
- icmpOutMsgs - total number of ICMP messages sent
- icmpInEchos - number of incoming ICMP Echo Request messages
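All of the features above are MIB-II counters, which only ever increase, so what a classifier can actually use is the growth of each counter during one polling interval. The following is an added example written for this page (not code from the slides): it turns consecutive SNMP polls into per-interval deltas for the listed variables and handles the Counter32 wrap at 2^32, which a naive subtraction turns into a negative or absurdly large feature. The OIDs are the standard RFC 1213 (MIB-II) ones; the 5-second poll data and the snmpget invocation in the comments are constructed assumptions, not measurements from the slides.

```python
"""Per-interval MIB-II counter deltas for DDoS feature extraction.

Added example for this page, not the project's own code.  Assumes the
counters were read every 5 seconds, e.g. (constructed invocation):
    snmpget -v2c -c <community> <host> 1.3.6.1.2.1.4.3.0
and that the classifier consumes the per-interval increase, not the raw
cumulative counter value.
"""
from typing import Dict, Iterable, List

# RFC 1213 (MIB-II) object identifiers for the variables on the slides.
# The scalar instance is read with a trailing ".0" (e.g. 1.3.6.1.2.1.4.3.0).
MIB_OIDS = {
    "ipInReceives":       "1.3.6.1.2.1.4.3",
    "ipOutRequests":      "1.3.6.1.2.1.4.10",
    "tcpInSegs":          "1.3.6.1.2.1.6.10",
    "tcpOutSegs":         "1.3.6.1.2.1.6.11",
    "icmpInMsgs":         "1.3.6.1.2.1.5.1",
    "icmpInDestUnreachs": "1.3.6.1.2.1.5.3",
    "icmpInEchos":        "1.3.6.1.2.1.5.8",
    "icmpOutMsgs":        "1.3.6.1.2.1.5.14",
    "udpNoPorts":         "1.3.6.1.2.1.7.2",
}

COUNTER32_MOD = 2 ** 32  # all of the above are Counter32 objects


def counter_delta(prev: int, curr: int, modulus: int = COUNTER32_MOD) -> int:
    """Increase of a wrapping counter between two consecutive polls.

    Counter32 counts up to 2^32 - 1 and then wraps to 0.  A plain
    curr - prev goes negative at the wrap; taking the difference modulo
    2^32 recovers the true increase as long as the counter wrapped at
    most once between polls (true for any sane polling interval).
    """
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError("counter value out of range for this modulus")
    return (curr - prev) % modulus


def interval_features(polls: List[Dict[str, int]],
                      variables: Iterable[str]) -> List[Dict[str, int]]:
    """One feature row per interval: the delta of each variable."""
    variables = list(variables)
    rows = []
    for prev, curr in zip(polls, polls[1:]):
        rows.append({v: counter_delta(prev[v], curr[v]) for v in variables})
    return rows


# Constructed poll snapshots at 5-second spacing (not data from the slides).
# tcpInSegs is deliberately placed just below 2^32 so that it wraps
# between the second and third poll.
SAMPLE_POLLS = [
    {"ipOutRequests": 1000, "ipInReceives": 2000, "tcpInSegs": 4294967200, "tcpOutSegs": 500},
    {"ipOutRequests": 1053, "ipInReceives": 2132, "tcpInSegs": 4294967250, "tcpOutSegs": 548},
    {"ipOutRequests": 4829, "ipInReceives": 6040, "tcpInSegs": 100,        "tcpOutSegs": 4272},
]
FEATURE_VARS = ["ipOutRequests", "ipInReceives", "tcpInSegs", "tcpOutSegs"]


def demo() -> List[Dict[str, int]]:
    """Feature rows for the constructed polls (a quiet interval, then a burst)."""
    return interval_features(SAMPLE_POLLS, FEATURE_VARS)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The second interval shows why the wrap matters: tcpInSegs goes from 4294967250 to 100, which is a real increase of 146 segments, while the other three counters jump by several thousand, the magnitude the training table on the later slide associates with the Attack class.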


Experimental Results

Experimental setup:
1. Training:
   a) Dataset: Normal, Attack and Pre-attack data are collected from PSG College of Technology (bandwidth 1 Gbps)
   b) 2 Windows XP machines
   c) Back Orifice XP (Trojan) for the pre-attack stage
   d) The Konstanz Data Miner tool (open source) is used to create a training model based on fuzzy c-means clustering
2. Testing:
   - Normal, Attack and Pre-attack data
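To make the training step concrete, here is an added example written for this page; it is a small fuzzy c-means implementation, not the slides' Konstanz Data Miner workflow. It clusters per-interval values of the four main features into three clusters and names them Normal, Pre-attack and Attack by traffic volume, then classifies a new observation by its highest membership. The Attack and Pre-attack rows are taken from the training-sample table on the next slide; the Normal rows are constructed, because the slide's Normal rows are incomplete. Three choices are assumptions not stated on the slides: the counters are log-scaled before clustering (Normal and Attack differ by two orders of magnitude, so raw Euclidean distance would be dominated by the Attack rows), the fuzzifier is m = 2, and centres are initialised farthest-first so that the run is deterministic.

```python
"""Fuzzy c-means over per-interval MIB features (added example, not the
slides' own code).  Assumptions: log1p scaling, fuzzifier m = 2,
farthest-first initialisation of the three cluster centres.
"""
import math
from typing import Dict, List, Sequence, Tuple

Point = List[float]

# Rows: (ipOutRequests, ipInReceives, tcpOutSegs, tcpInSegs), class.
# Attack and Pre-attack rows are the slides' complete training rows;
# the Normal rows are CONSTRUCTED for this example.
TRAINING = [
    ((3776, 3908, 3724, 3854), "Attack"),
    ((3457, 3622, 3405, 3568), "Attack"),
    ((3412, 3615, 3360, 3561), "Attack"),
    ((53, 132, 48, 120), "Normal"),        # constructed
    ((50, 138, 40, 110), "Normal"),        # constructed
    ((43, 145, 35, 118), "Normal"),        # constructed
    ((337, 469, 264, 317), "Pre-attack"),
    ((274, 243, 230, 120), "Pre-attack"),
    ((238, 309, 192, 213), "Pre-attack"),
]


def scale(x: Sequence[float]) -> Point:
    """Log-scale counter deltas so all three classes are comparably spread."""
    return [math.log1p(v) for v in x]


def dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def farthest_first(points: List[Point], c: int) -> List[Point]:
    """Deterministic seeding: first point, then repeatedly the point
    farthest from every centre chosen so far."""
    centres = [list(points[0])]
    while len(centres) < c:
        nxt = max(points, key=lambda p: min(dist(p, z) for z in centres))
        centres.append(list(nxt))
    return centres


def memberships(points: List[Point], centres: List[Point], m: float = 2.0) -> List[List[float]]:
    """u[i][k]: degree to which point i belongs to cluster k (rows sum to 1)."""
    expo = 2.0 / (m - 1.0)
    c = len(centres)
    u = []
    for p in points:
        d = [max(dist(p, z), 1e-12) for z in centres]   # guard division by zero
        u.append([1.0 / sum((d[k] / d[j]) ** expo for j in range(c)) for k in range(c)])
    return u


def fcm(points: List[Point], c: int, m: float = 2.0,
        iters: int = 200, tol: float = 1e-7) -> Tuple[List[Point], List[List[float]]]:
    """Alternate membership and centre updates until the centres stop moving."""
    centres = farthest_first(points, c)
    dims = len(points[0])
    for _ in range(iters):
        u = memberships(points, centres, m)
        new = []
        for k in range(c):
            w = [u[i][k] ** m for i in range(len(points))]
            tot = sum(w)
            new.append([sum(w[i] * points[i][d] for i in range(len(points))) / tot
                        for d in range(dims)])
        shift = max(dist(a, b) for a, b in zip(centres, new))
        centres = new
        if shift < tol:
            break
    return centres, memberships(points, centres, m)


def train(rows=TRAINING) -> Tuple[List[Point], Dict[int, str]]:
    """Cluster the training rows and name clusters by volume:
    lowest centre = Normal, middle = Pre-attack, highest = Attack."""
    points = [scale(x) for x, _ in rows]
    centres, _ = fcm(points, 3)
    order = sorted(range(3), key=lambda k: sum(centres[k]))
    names = {order[0]: "Normal", order[1]: "Pre-attack", order[2]: "Attack"}
    return centres, names


def classify(x: Sequence[float], centres: List[Point], names: Dict[int, str]) -> Tuple[str, float]:
    """Class of one interval's deltas and the membership degree behind it."""
    u = memberships([scale(x)], centres)[0]
    k = max(range(len(u)), key=lambda i: u[i])
    return names[k], u[k]


def training_accuracy(rows=TRAINING) -> float:
    centres, names = train(rows)
    hits = sum(classify(x, centres, names)[0] == label for x, label in rows)
    return hits / len(rows)


if __name__ == "__main__":
    centres, names = train()
    print("training accuracy:", training_accuracy())
    print(classify((60, 140, 50, 125), centres, names))   # constructed quiet interval
```

The membership degree returned by `classify` is the part a hard classifier such as K-NN does not give: an interval sitting between the Normal and Pre-attack centres comes back with a membership near 0.5 rather than a confident label, which is exactly the region where an operator would want a second look before acting.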

Experimental Results (Cont..)

MIB variables are collected for 2 hours at an interval of 5 seconds.

Training Samples

ipOutRequests | ipInReceives | tcpOutSegs | tcpInSegs | Class
--- | --- | --- | --- | ---
3776 | 3908 | 3724 | 3854 | Attack
3457 | 3622 | 3405 | 3568 | Attack
3412 | 3615 | 3360 | 3561 | Attack
53 | 132 | | | Normal
53 | 138 | 10 | | Normal
43 | 145 | | | Normal
337 | 469 | 264 | 317 | Preattack
274 | 243 | 230 | 120 | Preattack
238 | 309 | 192 | 213 | Preattack

Experimental Results (Cont..)

[Plots: MIB Count vs. Time Interval for ipOutRequests and ipInReceives]

Experimental Results (Cont..)

[Plots: MIB Count vs. Time Interval for tcpInSegs and tcpOutSegs]

Experimental Results (Cont..)

Class | Samples | Correct classification % | Incorrect classification %
--- | --- | --- | ---
Normal | 1440 | 90.1 | 9.9
Pre-attack | 300 | 91.9 | 8.1
Attack | 1180 | 94.1 | 5.9

Experimental Results (Cont..)

Attack type | Samples | Correct classification % | Incorrect classification %
--- | --- | --- | ---
UDP Flood Attack | 500 | 93.4 | 6.6
ICMP Flood Attack | 380 | 97.1 | 2.9
TCP-SYN Flood Attack | 300 | 91.7 | 8.3

Experimental Results (Cont..)

Method Used | Correct Classification %
--- | ---
K Nearest Neighbour | 91.8
Fuzzy C Means Clustering | 92.1

Conclusion
- The proposed method uses MIB variables.
- Detailed classification of various types of DDoS attacks.
- Increased number of MIB variables to improve efficiency.
- Defense mechanism.

References

Dr. Sidnie Feit (Jay Ranade, Series Advisor), SNMP: A Guide to Network Management, McGraw-Hill, 1995.

Joao B. D. Cabrera, Lundy Lewis, Xinzhou Qin, Wenke Lee, Ravi K. Prasanth, B. Ravichandran and Raman K. Mehra, "Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study", Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA, May 14-18, 2001. In press.

Chandan Singh Negi, "Using Network Management Systems to Detect Distributed Denial of Service Attacks", Master's Thesis, September 2001.

Cobra Rahmani, Mohsen Sharifi and Tala Tafazzoli, "An Experimental Analysis of Proactive Detection of Distributed Denial of Service Attacks", 2003.

Hoai-Vu Nguyen and Yongsun Choi, "Proactive Detection of DDoS Attacks Utilizing K-NN Classifier in an Anti-DDoS Framework", International Journal of Electrical and System Engineering, 2009.

SUGGESTIONS
THANK YOU!