
Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach

    Ying Xuan, Incheol Shin, My T. Thai, Member, IEEE, and Taieb Znati, Member, IEEE

Abstract: Application DoS attacks, which aim at disrupting application services rather than depleting network resources, have emerged as a larger threat to network services than classic DoS attacks. Owing to their high similarity to legitimate traffic and much lower launching overhead than classic DDoS attacks, this new assault type cannot be efficiently detected or prevented by existing detection solutions. To identify application DoS attacks, we propose a novel group testing (GT)-based approach deployed on back-end servers, which not only offers a theoretical method to obtain short detection delay and low false positive/negative rates, but also provides an underlying framework against general network attacks. More specifically, we first extend the classic GT model with size constraints for practical purposes, then redistribute the client service requests to multiple virtual servers embedded within each back-end server machine, according to specific testing matrices. Based on this framework, we propose a two-mode detection mechanism using dynamic thresholds to efficiently identify the attackers. The focus of this work lies in the proposed detection algorithms and the corresponding theoretical complexity analysis. We also provide preliminary simulation results regarding the efficiency and practicability of this new scheme. Further discussions of implementation issues and performance enhancements are also appended to show its great potential.

Index Terms: Application DoS, group testing, network security.

    1 INTRODUCTION

DENIAL-OF-SERVICE (DoS) attacks, which aim to make a service unavailable to legitimate clients, have become a severe threat to Internet security [21]. Traditional DoS attacks mainly abuse the network bandwidth around the Internet subsystems and degrade the quality of service by generating congestion in the network [2], [21]. Consequently, several network-based defense methods have tried to detect these attacks by controlling traffic volume or differentiating traffic patterns at the intermediate routers [10], [13]. However, with the boost in network bandwidth and application service types, the target of DoS attacks has recently shifted from the network to server resources and the application procedures themselves, forming a new application DoS attack [1], [2].

As stated in [2], by exploiting flaws in application design and implementation, application DoS attacks exhibit three advantages over traditional DoS attacks that help them evade normal detection: 1) the malicious traffic is always indistinguishable from normal traffic; 2) adopting automated scripts removes the need for a large number of zombie machines or much bandwidth to launch the attack; and 3) the attack is much harder to trace due to multiple redirections at proxies. According to these characteristics, the malicious traffic can be classified into legitimate-like requests of two cases: 1) at a high interarrival rate and 2) consuming more service resources. We call these two cases high-rate and high-workload attacks, respectively, in this paper.

Since these attacks usually do not cause congestion at the network level and thus bypass the network-based monitoring systems [21], detection and mitigation at the end system of the victim servers have been proposed [1], [3], [19]. Among them, the DDoS shield [1] and the CAPTCHA-based defense [3] are representatives of the two major techniques of system-based approaches: session validation based on a legitimate behavior profile, and authentication using human-solvable puzzles. By enhancing the accuracy of the suspicion assignment for each client session, DDoS shield can provide efficient session schedulers for defending against possible DDoS attacks. However, the overhead for per-session validation is not negligible, especially for services with dense traffic. CAPTCHA-based defenses introduce additional service delays for legitimate clients and are also restricted to human-interaction services.

A kernel observation and brief summary of our method is: the identification of attackers can be much faster if we can find them out by testing the clients in groups instead of one by one. Thus, the key problem is how to group clients and assign them to different server machines in a sophisticated way, so that if any server is found under attack, we can immediately identify and filter the attackers out of its client set. Apparently, this problem resembles the group testing (GT) theory [14], which aims to discover defective items in a large population with the minimum number of tests, where each test is applied to a subset of items, called a pool, instead of testing the items one by one. Therefore, we apply GT theory to this network security issue and propose specific algorithms and protocols to achieve high detection performance in terms of short detection latency and low false positive/negative rates. Since the detections are merely based on the status of service resource usage of the victim servers, no individual signature-based authentications or data classifications are required; thus, it may overcome the limitations of the current solutions.

GT was proposed during World War Two and has been applied to many areas since then, such as medical testing, computer networks, and molecular biology [6], [14], [16]. The advantages of GT lie in its prompt testing efficiency and fault-tolerant decoding methods [6].


. Y. Xuan, I. Shin, and M.T. Thai are with the Department of Computer and Information Science and Engineering, University of Florida, CISE Building, Gainesville, FL 32611. E-mail: {yxuan, ishin, mythai}@cise.ufl.edu.

. T. Znati is with the Department of Computer Science, University of Pittsburgh, Pittsburgh, PA 15215. E-mail: [email protected].

Manuscript received 30 Nov. 2008; revised 12 Aug. 2009; accepted 17 Aug. 2009; published online 25 Aug. 2009. Recommended for acceptance by X. Jia. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TPDS-2008-11-0439.

Digital Object Identifier no. 10.1109/TPDS.2009.147.


To the best of our knowledge, the first attempts to apply GT to networking attack defense were proposed in parallel by Thai et al. [5] (the preliminary work of this journal version) and Khattab et al. [4]. The latter proposed a detection system based on Reduced-Randomness Nonadaptive Combinatorial Group Testing [8]. However, since this method only counts the number of incoming requests rather than monitoring the server status, it is restricted to defending against high-rate DoS attacks and cannot handle high-workload ones. (More details about this work are included in Section 6.)

From a system viewpoint, our defense scheme embeds multiple virtual servers within each physical back-end server, maps these virtual servers to the testing pools in GT, and then assigns clients to these pools by distributing their service requests to different virtual servers. By periodically monitoring some indicators of resource usage (e.g., average response time) in each server and comparing them with dynamic thresholds, each virtual server can be judged as safe or under attack. By means of the decoding algorithm of GT, all the attackers can be identified. The biggest challenges of this method are therefore threefold: 1) how to construct a testing matrix to enable prompt and accurate detection; 2) how to regulate the service requests to match the matrix in a practical system; and 3) how to establish proper thresholds for the server resource usage indicators, so as to generate accurate test outcomes.

Similar to all the earlier applications of GT, this new application to network security requires modifications of the classical GT model and algorithms, so as to overcome the obstacles of applying the theoretical models to practical scenarios. Specifically, the classical GT theory assumes that each pool can have as many items as needed and that the number of pools for testing is unrestricted. However, in order to provide real application services, virtual servers cannot have infinite quantity or capacity, i.e., constraints on these two parameters are required to complete our testing model.

    Our main contributions in this paper are as follows:

. Propose a new size-constrained GT model for practical DoS detection scenarios.

. Provide an end-to-end underlying system for GT-based schemes, without introducing complexity at the network core.

. Provide multiple dynamic thresholds for resource usage indicators, which help avoid erroneous tests caused by legitimate bursts and help diagnose servers handling various numbers of clients.

. Present three novel detection algorithms based on the proposed system, and show their high efficiency in terms of detection delay and false positive/negative rates via theoretical analysis and simulations.

Besides application DoS attacks, our defense system is applicable to DoS attacks on other layers, e.g., the protocol-layer SYN flood attack [13], where victim servers are exhausted by massive numbers of half-open connections. Although these attacks occur in different layers and in different styles, the victim machines will gradually run out of service resources and indicate the anomaly. Since our mechanism only relies on the feedback of the victims, instead of monitoring client behaviors or properties, it is promising for tackling these attack types.

The paper is organized as follows: In Section 2, we briefly introduce some preliminaries of GT theory, as well as the attacker model and the victim/detection model of our system. In Section 3, we propose the detection strategy derived from the adjusted GT model and illustrate the detailed components of the presented system. Descriptions and latency analyses of three concrete detection algorithms are included in Section 4, while Section 5 provides the results of our simulation in terms of detection latency and false positive/negative rates. The existing defense schemes and related work are discussed in Section 6, and finally, we conclude by summarizing our contributions and providing further discussions of the false positive/negative rates in Section 7.

    2 PRELIMINARY

    2.1 Classic Group Testing Model

2.1.1 Basic Idea

The classic GT model consists of t pools and n items (including at most d positive ones). As shown in Fig. 1, this model can be represented by a t x n binary matrix M, where rows represent the pools and columns represent the items. An entry M[i, j] = 1 if and only if the ith pool contains the jth item; otherwise, M[i, j] = 0. The t-dimensional binary column vector V denotes the test outcomes of these t pools, where a 1-entry represents a positive outcome and a 0-entry represents a negative one. Note that a positive outcome indicates that at least one positive item exists within the pool, whereas a negative one means that all the items in the pool are negative.
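As a concrete illustration of this model (the matrix below is made up for illustration, not the one in Fig. 1), the following sketch encodes a small pool/item assignment as a binary matrix and derives the outcome vector from a hidden set of positive items: a pool tests positive iff it contains at least one positive item.

```python
# A small group-testing example: t = 4 pools, n = 5 items.
# M[i][j] = 1 iff pool i contains item j (0-based indices here).
M = [
    [1, 0, 1, 0, 0],   # pool 0
    [0, 1, 0, 0, 1],   # pool 1
    [0, 0, 1, 1, 0],   # pool 2
    [0, 0, 0, 1, 1],   # pool 3
]

def outcomes(M, positives):
    """A pool's outcome is 1 (positive) iff it holds at least one positive item."""
    return [int(any(row[j] for j in positives)) for row in M]

print(outcomes(M, positives={0, 1}))   # -> [1, 1, 0, 0]
```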

2.1.2 Classic Methods

The two traditional GT methods are adaptive and nonadaptive [14]. Adaptive methods, a.k.a. sequential GT, use the results of previous tests to determine the pools for the next test and complete the testing within several rounds, while nonadaptive GT methods employ a d-disjunct matrix [14], run multiple tests in parallel, and finish the testing within only one round. We investigate both of these methods and propose three algorithms accordingly.

2.1.3 Decoding Algorithms

For sequential GT, at the end of each round, items in negative pools are identified as negative, while the ones in positive pools require further testing. Notice that an item is identified as positive only if it is the only item in a positive pool. Nonadaptive GT takes a d-disjunct matrix as the testing matrix M, in which no column is contained in the Boolean summation of any other d columns. Du and Hwang [14] proposed a simple decoding algorithm for this matrix type. A sketch of this algorithm can be shown using Fig. 1 as an example. Outcomes V[3] and V[4] are 0, so the items in pool 3 and pool 4 are negative, i.e., items 3, 4, and 5 are negative. If this matrix M is a d-disjunct matrix, the items other than those appearing in the negative pools are positive; therefore, items 1 and 2 are the positive ones.
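This decoding rule can be written directly in code: every item that appears in some negative pool is cleared, and, when M is d-disjunct, the remaining items are reported as positive. This is a minimal illustration of the rule, not the authors' implementation.

```python
def decode(M, V):
    """Naive d-disjunct decoding: items covered by a negative pool are negative;
    all remaining items are declared positive (valid when M is d-disjunct)."""
    n = len(M[0])
    cleared = set()
    for row, outcome in zip(M, V):
        if outcome == 0:                      # negative pool clears all its items
            cleared.update(j for j in range(n) if row[j] == 1)
    return [j for j in range(n) if j not in cleared]

# With M and the outcome vector from the previous snippet:
# decode(M, [1, 1, 0, 0]) -> [0, 1]
```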

    2.1.4 Apply to Attack Detection

A detection model based on GT can be described as follows: assume that there are t virtual servers and n clients, among which d clients are


    Fig. 1. Binary testing matrix M and testing outcome vector V.


attackers. Consider the matrix M_{t x n} in Fig. 1: the clients can be mapped to the columns and the virtual servers to the rows of M, where M[i, j] = 1 if and only if the requests from client j are distributed to virtual server i. With regard to the test outcome column V, we have V[i] = 1 if and only if virtual server i has received malicious requests from at least one attacker, but we cannot identify the attackers at once unless this virtual server is handling only one client. Otherwise, if V[i] = 0, all the clients assigned to server i are legitimate. The d attackers can then be captured by decoding the test outcome vector V and the matrix M.

    2.2 Attacker Model

The maximum destruction caused by the attacks includes the depletion of the application service resources at the server side, the unavailability of service access to legitimate users, and possible fatal system errors that require rebooting the server for recovery. We assume that any malicious behaviors can be discovered by monitoring the service resource usage, based on dynamic value thresholds over the monitored objects. Data manipulation and system intrusion are out of the scope of this work.

Similar to [1], we assume that the application interfaces presented by the servers can be readily discovered and that clients communicate with the servers using HTTP/1.1 sessions on TCP connections. We consider the case where each client provides a nonspoofed ID (e.g., SYN-cookie [9]), which is utilized to identify the client during our detection period. Although the application DoS attack is difficult to trace, by identifying the IDs of attackers, the firewall can block the subsequent malicious requests.

As mentioned in Section 1, the attackers are assumed to launch application service requests either at a high interarrival rate or with a high workload, or even both. The term request refers to either a main request or an embedded request for an HTTP page. Since the proposed detection scheme is orthogonal to session affinity, we do not consider the repeated one-shot attack mentioned in [1].

We further assume that the number of attackers d << n, where n is the total number of clients. This arises from the characteristics of this attack [2]. Due to the benefits of the virtual servers we employ, this constraint can be relaxed, but we keep it for the theoretical analysis in the current work.

    2.3 Victim/Detection Model

The victim model in our general framework consists of multiple back-end servers, which can be Web/application servers, database servers, and distributed file systems. We do not take classic multitier Web servers as the model, since our detection scheme is deployed directly on the victim tier and identifies the attacks targeting that same tier; thus, multitier attacks should be separated into several classes to utilize this detection scheme. The victim model, along with front-end proxies, is shown in Fig. 2. We assume that all the back-end servers provide multiple types of application services to clients using the HTTP/1.1 protocol on TCP connections. Each back-end server is assumed to have the same amount of resources. Moreover, the application services to clients are provided by K virtual private servers (K is an input parameter), which are embedded in the physical back-end server machine and operate in parallel. Each virtual server is assigned an equal amount of static service resources, e.g., CPU, storage, memory, and network bandwidth. The operation of any virtual server will not affect the other virtual servers in the same physical machine. The reasons for utilizing virtual servers are twofold: first, each virtual server can reboot independently, which makes recovery from possible fatal destruction feasible; second, the state transfer overhead for moving clients among different virtual servers is much smaller than that for transfers among physical server machines.

As soon as the client requests arrive at the front-end proxy, they are distributed to multiple back-end servers for load balancing, whether session-sticky or not. Notice that our detection scheme sits behind this front-end tier, so the load-balancing mechanism is orthogonal to our setting. On being accepted by one physical server, a request is first validated against the list of all identified attacker IDs (black list). If it passes this authentication, it is distributed to one virtual server within this machine by means of a virtual switch. This distribution depends on the testing matrix generated by the detection algorithm. By periodically monitoring the average response time to service requests and comparing it with specific thresholds fetched from a legitimate profile, each virtual server is associated with a negative or positive outcome. Therefore, a decision over the identities of all clients can be made among all physical servers, as discussed further in Section 3.

    3 STRATEGY AND DETECTION SYSTEM

    3.1 Size Constraint Group Testing

As mentioned in the detection model, each testing pool is mapped to a virtual server within a back-end server machine. Although the maximum number of virtual servers can be extremely large, since each virtual server requires enough service resources to manage client requests, it is practical to have the virtual server quantity (maximum number of servers) and capacity (maximum number of clients that can be handled in parallel) constrained by two input parameters K and w, respectively. Therefore, the traditional GT model is extended with these constraints to match our system setting.

Definition 3.1 (Size-constrained group testing (SCGT)). For any 0-1 matrix M, let w_i = sum_{j=1}^{n} M[i, j] be the weight of the ith pool and t be the number of pools. The model aims to identify d defective items in the minimum period of time by constructing a matrix M_{t x n} and conducting group testing procedures based on it, where w_i <= w for a given w and t <= K for a given server quantity K.

The maximum number of attackers d is assumed to be known beforehand. Scenarios with nondeterministic d are out of the scope of this paper. In fact, these scenarios can be readily handled by first testing with an estimated d, then increasing d if exactly d positive items are found.


    Fig. 2. Victim/detection model.


    3.2 Detection System

The implementation difficulties of our detection scheme are threefold: how to construct a proper testing matrix M, how to distribute client requests based on M with low overhead, and how to generate test outcomes with high accuracy. We address the last two in this section and leave the first one to the next section. Table 1 lists the notations used throughout the paper.

    3.2.1 System Overview

As mentioned in the detection model, each back-end server works as an independent testing domain, where all the virtual servers within it serve as testing pools. In the following sections, we discuss only the operations within one back-end server; the operations in any other server are similar. The detection consists of multiple testing rounds, and each round can be sketched in four stages (Fig. 4):

First, generate and update the matrix M for testing.

Second, assign clients to virtual servers based on M. The back-end server maps each client into one distinct column of M and distributes an encrypted token queue to it. Each token in the token queue corresponds to a 1-entry in the mapped column, i.e., client j receives a token with destination virtual server i iff M[i, j] = 1. Piggybacked with one token, each request is forwarded to a virtual server by the virtual switch. In addition, requests are validated on arrival at the physical servers for faked tokens or identified malicious IDs. This procedure ensures that all the client requests are distributed exactly as the matrix M regulates and prevents any attacker from accessing virtual servers other than the ones assigned to it.

Third, all the servers are periodically monitored for their service resource usage; specifically, the arriving request aggregate (the total number of incoming requests) and the average response time of each virtual server are recorded and compared with dynamic thresholds to be shown later. All virtual servers are associated with positive or negative outcomes accordingly.

    Fourth, decode these outcomes and identify legitimate ormalicious IDs. By following the detection algorithms(presented in the next section), all the attackers can beidentified within several testing rounds.

To lower the overhead and delay introduced by the mapping and piggybacking for each request, the system is exempted from this procedure in the normal service state. As shown in Fig. 3, the back-end server cycles between two states, which we refer to as NORMAL mode and DANGER mode. Once the estimated response time (ERT) of any virtual server exceeds a profile-based threshold, the whole back-end server transfers to DANGER mode and executes the detection scheme. Whenever the average response time (ART) of each virtual server falls below the threshold, the physical server returns to NORMAL mode.

    3.2.2 Configuration Details

Several critical issues regarding the implementation are as follows:

Session state transfer. By deploying the detection service on the back-end server tier, our scheme is orthogonal to the session state transfer problem caused by the load balancing at the reverse proxies (front-end tier). To simplify the discussion of implementation details, we assume that the front-end proxies distribute client requests strictly evenly to the back-end servers, i.e., without considering session stickiness. The way of distributing token queues, to be mentioned later, is tightly related to this assumption. However, even if the proxies conduct more sophisticated forwarding, the token queue distribution can be readily adapted by manipulating the token piggybacking mechanism at the client side accordingly.

Since the testing procedure requires distributing intrasession requests to different virtual servers, an overhead for maintaining consistent session state is incurred. Our motivation for utilizing virtual servers is to decrease such overhead to the minimum, since multiple virtual servers can retrieve the latest client state through the shared memory, which resembles the principle of the Network File System (NFS). An alternative is to forward intrasession requests to the same virtual server, which calls for a longer testing period per round (to be further discussed later); however, we prefer faster detection in this paper and thus adopt the former method.

Matrix generation. The testing matrix M, which regulates which client request is distributed to which server, is the kernel part of this paper. All three algorithms proposed in the next section concern the design of M for the purpose of shortening the testing period and decreasing the false positive/negative rate. Since the detection phase usually undergoes multiple testing rounds, M is required to be regenerated at the beginning of each round. The time overhead for calculating this M is quite low and will be shown via analytical proofs in Section 4.

Distributing tokens. The two main purposes of utilizing tokens are to associate each client with a unique, nonspoofed ID and to assign the clients to a set of virtual servers based on the testing matrix. On receiving the connection request from a client, each back-end server responds with a token queue where each token is a 4-tuple: (client ID, virtual server ID, matrix version, encrypted key).


TABLE 1. Main Notations

    Fig. 3. Two-state diagram of the system.

    Fig. 4. One testing round in DANGER mode.


The client ID refers to the unique nonspoofed ID for each client, which we assume unchanged during our testing period (DANGER mode). The virtual server ID is the index of each virtual server within the back-end server; this can be implemented as a simple index value, or through a mapping from the IP addresses of all virtual servers. The back-end server blocks out-of-date tokens by checking their matrix version value, to avoid messing up the request distribution with nonuniform matrices. The encrypted key is an encrypted value generated by hashing the former three values together with a secured service key; this helps rule out any faked tokens generated by attackers.
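A minimal sketch of such a token scheme is shown below. The field names and the use of HMAC-SHA256 are our own illustrative choices (the text only specifies a keyed hash over the first three fields); a real deployment would also bind the token to transport-level state.

```python
import hmac, hashlib

SERVICE_KEY = b"secret-service-key"   # shared only among back-end servers (illustrative value)

def make_token(client_id: str, vserver_id: int, matrix_version: int) -> dict:
    """Token = (client ID, virtual server ID, matrix version, keyed hash of the three)."""
    msg = f"{client_id}|{vserver_id}|{matrix_version}".encode()
    mac = hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()
    return {"client": client_id, "vserver": vserver_id, "version": matrix_version, "mac": mac}

def valid_token(tok: dict, current_version: int) -> bool:
    """Reject out-of-date matrix versions and any token whose keyed hash does not verify."""
    if tok["version"] != current_version:
        return False
    msg = f"{tok['client']}|{tok['vserver']}|{tok['version']}".encode()
    expected = hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tok["mac"])
```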

Assuming that the load balancing at the proxies is strictly even across all back-end servers, the client agrees to piggyback each request with the token at the head of one token queue, and then the next request with the token at the head of the next token queue, in order to receive this application service. Notice that since there are multiple token queues released by multiple back-end servers, it is nontrivial to implement the correct request distribution.
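The client-side distribution rule described above can be sketched as a simple rotation over the token queues the client has received, one queue per back-end server; the data layout below is an assumption made only for illustration.

```python
from collections import deque

def next_token(queues: deque) -> dict:
    """queues: a deque of per-back-end-server token queues (each itself a deque of tokens).
    Pop the head token of the current queue, then rotate so that the next request
    uses the head of the next back-end server's queue."""
    queue = queues[0]
    token = queue.popleft()
    queue.append(token)        # keep cycling through this server's assigned virtual servers
    queues.rotate(-1)          # move on to the next back-end server's queue
    return token
```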

Length of testing round P. Since we need to distribute the requests exactly the way M regulates, it is possible that, if P is too short, some clients may not have distributed their requests to all their assigned servers, i.e., not all the 1-entries in M are matched with at least one request. For an attacker who launches a low-rate high-workload attack, its high-workload requests may then reach only a part of its assigned servers, so a false negative occurs in this case. However, if P is too long, the detection latency will be significantly increased. In this paper, we predefine a proper value for P, which is long enough for each client to spread its requests to all the assigned servers, i.e., each column j needs to be matched with at least sum_{i=1}^{t} M[i, j] requests. Therefore,

P = max_{j=1}^{n} ( sum_{i=1}^{t} M[i, j] ) / r_min,

where r_min denotes the minimum interarrival request rate; this provides a theoretical lower bound of P.
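Under the formula above, the round length depends only on the heaviest column of M and on r_min; a direct computation might look like the following sketch (variable names are ours).

```python
def round_length(M, r_min):
    """Lower bound on P: the heaviest column weight (number of virtual servers a client
    must spread its requests over) divided by the minimum request rate r_min."""
    t, n = len(M), len(M[0])
    heaviest = max(sum(M[i][j] for i in range(t)) for j in range(n))
    return heaviest / r_min

# e.g., with the 4x5 matrix from Section 2 and r_min = 2 requests/s,
# the heaviest column has weight 2, so P >= 1 s.
```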

Legitimate profile. The legitimate profile does not refer to the session behavior profile for legitimate clients; instead, it records the distribution of the ART on a virtual server receiving only legitimate traffic. Malicious requests will certainly cause damage to the victim server machines, whose ART will usually be much higher than that of normal cases. Therefore, ART can work as an indicator of application resource usage. However, the resource usage varies over different time intervals (peak/nonpeak time) due to the change in client quantity, so we also investigate the ART distributions for each possible number of clients, assuming that there are at most n clients.

A sample construction of this profile is as follows. The distributions of ART in legitimate traffic at different time intervals over several weeks are obtained after the system is established. Legitimate traffic can be obtained by denoising measures and ruling out the influences of potential attacks [25]. The ith entry of the profile records the distribution of ART on a virtual server with i (1 <= i <= n) clients. Specifically, we assign i clients to a virtual server, evenly divide the round length P into 100 subintervals (which we refer to as Psub throughout the paper), and monitor the server ART within each subinterval Psub.
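A minimal way to materialize such a profile (our own sketch, with a made-up data layout) is to keep, for each possible client count i, the mean and standard deviation of the ARTs observed over the Psub subintervals of attack-free traffic; these are the mu and sigma used by the thresholds below.

```python
from statistics import mean, stdev

def build_profile(samples):
    """samples: {num_clients: [ART measured in each Psub subinterval under legitimate traffic]}
    Returns {num_clients: (mu, sigma)} used later for the mu + 4*sigma thresholds."""
    return {i: (mean(arts), stdev(arts)) for i, arts in samples.items() if len(arts) > 1}
```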

NORMAL mode and transfer threshold. To decrease the length of the detection period, in which additional state maintenance overhead and service delay cannot be avoided, the back-end server cluster provides normal service to clients without any special regulations. This is referred to as NORMAL mode, which takes ERT as the monitoring object. Notice that ERT is an expected value of ART in the near future and can be computed via

ERT = (1 - alpha) * ERT + alpha * ART,

where alpha is a decay weight for smoothing fluctuations. Since the interarrival rate and workload of client requests can be randomly distributed, it is difficult to perfectly fit the ART distribution using classic distribution functions. Considering that the Normal distribution [18] can provide an approximate fit to ART, we adopt a simplified threshold based on the Empirical Rule: if any virtual server has ERT > mu + 4*sigma (mu and sigma denote the expected value and standard deviation of the fitted ART distribution), the back-end server is probably undergoing an attack, and thus transfers to DANGER mode for detection. To enhance the accuracy of this threshold, more sophisticated distributions can be employed to fit the samples; however, higher computation overhead will then be introduced for the threshold.

DANGER mode and attack threshold. In DANGER mode, besides the ART values, the back-end server simultaneously counts the arriving request aggregate within each Psub for each virtual server. The motivation for this strategy arises from the fact that high-rate DoS attacks always saturate the server buffer with a flood of malicious requests. By periodically counting the number of requests arriving in the buffer, possible high-rate attacks can be detected even before the service resources are depleted.

We predefine R as the maximum legitimate interarrival rate and derive an upper bound C_j on the arriving request aggregate at virtual server j within a period Psub as

C_j = sum_{i=1}^{n} M[j, i] * ceil( R * Psub / sum_{k=1}^{t} M[k, i] ),

i.e., each client i assigned to server j contributes at most its at most R * Psub requests of the subinterval spread over its sum_{k} M[k, i] assigned virtual servers. Once this threshold is violated at a virtual server, that server is surely undergoing a high-rate attack or flash crowd traffic, and a positive outcome can be generated for this testing round.

The outcome generation by monitoring the ART value of a virtual server consists of the following steps (a code sketch of this decision procedure is given after the list):

1. Check the ART distribution profile for the values of the parameters mu and sigma, as mentioned in the NORMAL mode section.

2. Among all the 100 subintervals Psub (each of length P/100) within the current testing period P, if no violation ART >= mu + 4*sigma occurs in any Psub, the virtual server gets a negative outcome for this testing round.

3. If for some subinterval Psub the violation ART >= mu + 4*sigma occurs, this virtual server is in danger: either under attack or undergoing flash crowd traffic. In this case, we wait until the end of this round to obtain the distribution of ART values over all Psub for a further decision.

4. If the ratio of danger subintervals (those with ART >= mu + 4*sigma) over the total subinterval count (100 in this case) exceeds some quantile regulated by the Empirical Rule, e.g., a quantile of 4 percent corresponding to the confidence interval beyond mu + 2*sigma, this virtual server will be labeled as positive.

5. In all other cases, the virtual server will have a negative outcome.
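The sketch below compresses these five steps into one function; the 4 percent cut-off and the profile layout mirror the description above, but the code itself is only an illustration, not the authors' implementation.

```python
def art_outcome(art_per_subinterval, profile, num_clients, quantile=0.04):
    """Steps 1-5: a virtual server is positive iff the fraction of 'danger'
    subintervals (ART >= mu + 4*sigma) over the whole round exceeds the quantile."""
    mu, sigma = profile[num_clients]                        # step 1
    danger = [a for a in art_per_subinterval if a >= mu + 4.0 * sigma]
    if not danger:                                          # step 2
        return 0
    ratio = len(danger) / len(art_per_subinterval)          # steps 3-4
    return 1 if ratio > quantile else 0                     # step 5
```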



After identifying up to d attackers, the system remains in DANGER mode and continues monitoring the ART of each virtual server for one more round. If all the virtual servers have negative outcomes, this back-end server is diagnosed as healthy and returns to NORMAL mode; otherwise, further detections will be executed (because of erroneous tests).

With regard to the two monitored objects, C_j provides different counting thresholds for different virtual servers, while the ART profile supplies dynamic thresholds for virtual servers containing different numbers of clients. The combination of these two dynamic thresholds helps decrease the testing latency and the false positive/negative rate.

4 DETECTION ALGORITHMS AND LATENCY ANALYSES

Based on the system framework above, we propose three detection algorithms, SDP, SDoP, and PND, in this section. Note that the length of each testing round is a predefined constant P; hence, we analyze the algorithm complexity in terms of the number of testing rounds for simplicity. Since all these algorithms are deterministic and introduce no false positives or negatives by themselves (compared to the nondeterministic construction in [4]), all the test errors result from the inaccuracy of the dynamic thresholds. We will discuss this in Section 7.

Based on our assumption, there is a unique ID for each client; thus, the two terms ID and client are interchangeable in this section. In addition, all the following algorithms are executed in each physical back-end server, which is an independent testing domain as mentioned. Therefore, the term servers denotes the K virtual servers in this section.

For simplicity, we assume that n = 0 (mod K), n > w >= d >= 1, and |A| >= d + 1. Notice that the last inequality holds in practice, as suggested by the properties of application DoS attacks indicated in Section 1.

4.1 Sequential Detection with Packing

This algorithm investigates the benefit of classic sequential group testing, i.e., optimizing the grouping of the subsequent tests by analyzing existing outcomes. Similar to traditional sequential testing, each client (column) appears in only one testing pool (server) at a time. However, to make full use of the available K servers, we have all servers conduct tests in parallel. Details can be found in Algorithm 1.

Algorithm 1. Sequential Detection with Packing (SDP)
1: while |S| != 0 do
2:   for all servers i in A do
3:     w_i <- ceil(|S| / |A|)  // Assign an even number of distinct clients to each server.
4:   end for
5:   G <- ceil((n - |S| + |A \ I| * w_i) / w)  // Identified legitimate IDs are exempt from the following tests (I denotes the set of servers with positive outcomes). Their subsequent requests are handled by G nontesting servers, which are selected from the K servers and only provide normal service (no testing). We call this process packing the clients into nontesting servers.
6:   for all servers i under attack do
7:     Q <- set of IDs on i
8:     if |Q| = 1 then
9:       S <- S \ Q  // This ID belongs to an attacker. Add it to the black list.
10:    end if
11:  end for
12:  S <- S \ L  // All IDs on safe servers (with negative test outcomes) are identified as legitimate.
13:  A <- {server 1, ..., server K - G}  // The remaining G servers serve as nontesting machines.
14: end while

    4.1.1 Algorithm Description

The basic idea of the SDP algorithm can be sketched as follows: Given a set S of suspect IDs, we first randomly assign them (i.e., distribute their requests) to the available testing servers in set A, where each server receives requests from approximately the same number of clients, roughly w_i = ceil(|S|/|A|). In each testing round, we identify the IDs on the negative servers as legitimate clients and pack them into a number G of nontesting machines. Since they need no more tests, only normal service will be provided to them in the following rounds. As more testing servers speed up the tests, given at most K server machines in total, G is supposed to be minimized, as long as all identified legitimate clients can be handled by the nontesting w-capacity servers. Hence, G = ceil((n - |S| + |A \ I| * w_i)/w).

With the assumption |A| >= d + 1, we have at least |A| - d servers with negative outcomes in each testing round; hence, at least (|A| - d) * w_i legitimate IDs are identified. If any server containing only one active ID is found under attack, that ID surely belongs to an attacker; it is then added to the black list and all its requests are dropped. The algorithm iterates until all IDs are identified as either malicious or legitimate. Via the packing strategy, legitimate clients are exempted from the influence of potential attacks as soon as they are identified.
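To make the control flow concrete, the following self-contained sketch replays one possible execution of SDP against a simulated ground truth (the test oracle simply reports whether a server currently holds an attacker). Server capacities, packing, and the black list are simplified away, so this illustrates the identification loop rather than the authors' implementation.

```python
import random

def sdp_rounds(n, k, attackers):
    """Simulate SDP-style rounds: suspects are spread evenly over the testing servers;
    a server is 'positive' iff it holds an attacker; negative servers clear their clients,
    and a positive server holding a single suspect exposes that suspect as an attacker."""
    suspects = set(range(n))
    found = set()
    rounds = 0
    while suspects:
        rounds += 1
        servers = [set() for _ in range(k)]                 # testing pools this round
        shuffled = random.sample(sorted(suspects), len(suspects))
        for idx, client in enumerate(shuffled):
            servers[idx % k].add(client)                    # roughly even assignment
        for pool in servers:
            if pool & attackers:                            # positive outcome
                if len(pool) == 1:                          # isolated attacker: blacklist it
                    found |= pool
                    suspects -= pool
            else:                                           # negative outcome: all legitimate
                suspects -= pool
    return rounds, found

random.seed(1)
print(sdp_rounds(n=100, k=10, attackers={3, 42, 77}))
```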

    4.1.2 Performance Analysis

With regard to the computational overhead of the matrix M in this context, it is a remapping of the suspect clients to the testing servers based on simple strategies and previous testing outcomes; it is thus negligible, up to O(1). The time cost of each testing round is at most P, including the recomputation time of the testing matrix.

Besides this, the overall time complexity of this algorithm in terms of the number of testing rounds is depicted in the following lemma and theorem:

Lemma 4.1. The number of available testing server machines satisfies |A| in [K - ceil((n - d)/w), K].

Proof. In each round, the total number of identified legitimate IDs, n - |S| + |A \ I| * w_i, is nondecreasing. Hence, the number of servers used for serving identified legitimate IDs, G = ceil((n - |S| + |A \ I| * w_i)/w), is nondecreasing. Therefore, |A| = K - G will finally converge to K - ceil((n - d)/w). []

Theorem 4.1. The SDP algorithm can identify all the d attackers within at most O(log_{K'/d}(n/d)) testing rounds, where K' = K - ceil((n - d)/w).

Proof. In each round, at most d servers are under attack, i.e., at most d * |S|/|A| IDs remain suspect. At the end of the algorithm, all legitimate IDs are identified and at most d malicious IDs remain suspect. If they happen to be handled by d different servers, i.e., each positive server contains exactly one attacker, then the detection is completed. If not, one more testing round is needed.



Assume that we need at most j testing rounds in total; then n * (d/|A|)^(j-1) <= d, where K - ceil((n - d)/w) <= |A| <= K. Therefore, j <= log_{K'/d}(n/d) + 1, where K' = K - ceil((n - d)/w). []

4.2 Sequential Detection without Packing

Considering the potential overload problem that arises from the packing scheme adopted in SDP, we propose another algorithm in which legitimate clients do not shift to other servers after they are identified. This emerges from the observation that legitimate clients cannot affect the test outcomes, since they are negative. Algorithm 2 includes the abstract pseudocode of this SDoP scheme. Notice that in this algorithm for the DANGER mode, the requests from one client are still handled by one server, as in SDP.

Algorithm 2. Sequential Detection without Packing (SDoP)
1: w_i <- number of IDs on server i
2: for all servers i do
3:   w_i <- ceil(|S| / |A|)  // Evenly assign clients to servers as SDP did.
4: end for
5:
6: while |S| != 0 do
7:   Randomly reassign the |S| suspect IDs to the K servers, and keep legitimate IDs unmoved.
8:   L <- set of IDs on safe servers
9:   S <- S \ (S ∩ L)  // |S ∩ L| IDs are identified as legitimate.
10:  for all servers i under attack do
11:    Q <- set of IDs on i
12:    if |Q ∩ S| = 1 then
13:      S <- S \ Q  // The client in Q ∩ S is an attacker and is added to the black list.
14:    end if
15:  end for
16:  for all servers i do
17:    if w_i >= w then  // The volume approaches the capacity.
18:      Reassign all n - |S| legitimate IDs to the K servers, and go to 6.  // Load balancing.
19:    end if
20:  end for
21: end while

    4.2.1 Algorithm Description

The basic idea of the SDoP algorithm can be sketched as follows. Given a suspect ID set S with initial size n, evenly assign the IDs to the K server machines, as SDP does in the first round. In the following rounds, assign the suspect IDs to all K servers instead of only the |A| available ones. The identified legitimate IDs are never moved until their servers are about to be overloaded; in that case, all legitimate IDs are reassigned over the K machines to balance the load. For a server with a positive outcome, the IDs active on this server but not included in the set of identified legitimate ones, i.e., the suspect IDs, remain suspect. However, if there is only one suspect ID of this kind on a positive server, this ID is certainly an attacker.

    4.2.2 Performance Analysis

It is trivial to see that the computational overhead of the testing matrix M is similar to that of the SDP algorithm and can therefore be ignored. The following lemmas exhibit the overall detection delay of the algorithm in terms of the number of testing rounds:

Lemma 4.2. The number of IDs w_i on server i does not exceed the server capacity w until round j, where j <= log_{K/d}( n / (n - w(K - d)) ).

Proof. At most d servers get positive outcomes in each round. If we assume that round j is the last round with no overloaded servers, then the maximum number of IDs on one server at round j is w_max^j = sum_{i=1}^{j} (n/K)(d/K)^(i-1). Since round j + 1 will have at least one overloaded server, we have w_max^j <= w; then j <= log_{K/d}( n / (n - w(K - d)) ). []

Lemma 4.3. All malicious IDs are identified within at most O(log_{K/d}(n/d)) testing rounds if w >= (n - d)/(K - d).

Proof. In each round with no overloaded servers, at most (d/K)|S| IDs remain suspect. After i = log_{K/d}(n/K) rounds, at most K suspect IDs are left, so we need only one more round to finish the testing. Hence, we need i + 1 = log_{K/d}(n/d) rounds. Since this requires that no servers are overloaded within these rounds, we have i + 1 <= j = log_{K/d}( n / (n - w(K - d)) ), which yields w >= (n - d)/(K - d). []

Lemma 4.4. All malicious IDs are identified within at most O(log_{K/d}(n/d)) testing rounds if 1 <= w <= (n - d)/(K - d).

Proof. If w <= (n - d)/(K - d), reassignments of legitimate IDs will be needed after round j = log_{K/d}( n / (n - w(K - d)) ). Assume that the algorithm needs x more testing rounds, in addition to i + 1 = log_{K/d}(n/d), to reassign and balance the legitimate IDs over all servers. Since the position changes of these legitimate IDs neither influence the test outcomes nor delay the identification of the suspect set S (they take place simultaneously), we hence have

x <= (i + 1) - j = log_{K/d}(n/d) - log_{K/d}( n / (n - w(K - d)) ) = log_{K/d}( (n - w(K - d)) / d ) <= log_{K/d}(n/d).

Therefore, the total number of testing rounds is at most O(log_{K/d}(n/d)). []

Theorem 4.2. The SDoP algorithm can identify all attackers within at most O(log_{K/d}(n/d)) testing rounds.

Proof. Directly from Lemmas 4.3 and 4.4. []

4.3 Partial Nonadaptive Detection

In the two sequential algorithms above, we cannot identify an attacker until it is isolated as the only suspect on a server, which may drive up the detection latency. Therefore, we propose a hybrid of the sequential and nonadaptive methods in this section. In this scenario, the requests from the same client will be received and responded to by different servers in a round-robin manner. Different from SDP and SDoP, a d-disjunct matrix is used as the testing matrix in this scheme, and attackers can be identified without the need to isolate them on individual servers.

As mentioned in Section 2, a matrix M is called d-disjunct if no single column is contained in the Boolean sum of any other d columns, and with such a matrix all positive items can be identified within one round. Numerous construction methods for d-disjunct matrices have been proposed in [14], [27], among which Du's method [14] has better performance in terms of the size



complexity (number of rows). Therefore, we adopt this method as a subroutine to generate M for each testing round. In the following analysis, we refer to this algorithm as dDisjunct(n, d), which takes (n, d) as input and outputs a d-disjunct matrix with n columns.

Lemma 4.5. Let T(n) be the smallest number of rows in the obtained d-disjunct matrix; then

T(n) = min{ (2 + o(1)) * d^2 * log_2^2(n) / log_2^2(d * log_2(n)), n }.

Next, we introduce our PND detection method using a d-disjunct matrix; for now, we assume that the row weight of the constructed matrix does not exceed the server capacity w. Algorithms with respect to the weight constraint will be investigated in the future. Considering different ranges of the input K, the algorithm differs in two cases.

Case 1: K >= T(n). All n suspect IDs can be assigned to T(n) servers according to an M_{T(n) x n} d-disjunct matrix, and thus identified within one testing round.

Case 2: K < T(n). With inadequate servers to identify all n clients in parallel, we can iteratively test a part of them, say n' < n, where T(n') <= |A|. The detailed scheme is depicted as follows, and the pseudocode is shown in Algorithm 3.

Algorithm 3. Partial Nonadaptive Detection with K < T(n)
1: Evenly assign the n IDs to the K servers with no two servers having the same client IDs. Pack all identified legitimate IDs onto G servers.
2: |A| <- K - G  // Update the number of testing servers.
3: if |A| >= T(|S|) then
4:   Run dDisjunct(|S|, d), decode from the obtained d-disjunct matrix, and identify all IDs; S <- 0.  // Testing finishes.
5: else
6:   while |S| != 0 do
7:     Partition S into S1, S2 where |S1| = n' and n' = max{ n'' in [1, |S|] satisfying T(n'') <= |A| }.
8:     Run dDisjunct(|S1|, d), decode from the obtained d-disjunct matrix, and identify all IDs in S1; update d.
9:     Pack legitimate IDs in S1 onto G machines; update G and A; S <- S2.  // Iterate with suspect ID set S2.
10:  end while
11: end if

    4.3.1 Algorithm Description

First, evenly assign the n suspect IDs to all K servers, as the other algorithms did. After the first round, we can pack all identified legitimate IDs into G = ceil((n - |S|)/w) servers. Therefore, |A| = K - G servers are available for testing afterward. If |A| >= T(|S|), we can construct a d-disjunct matrix M_{|A| x |S|} by calling the function dDisjunct(|S|, d) and identify all IDs in one more testing round. Nevertheless, if |A| < T(|S|), we first find the maximum n' (1 <= n' <= |S|) such that T(n') <= |A|; second, we partition the set S into two disjoint sets S1 and S2 with |S1| = n'; and third, we pack all of S2 onto the G nontesting server machines and call the subroutine dDisjunct(|S1|, d) with updated d to identify all IDs in S1; we then drop the attackers, pack all legitimate IDs into the G machines, and continue to test S = S2. This process iterates until all IDs are identified.

    4.3.2 Performance Analysis

The time complexity of the function dDisjunct(n, d) is O(sqn), i.e., O(Kn) with sq <= K. As mentioned in Section 3, this can be decreased to an O(1) time cost at run time. Since it is too complicated to use the upper bound (2 + o(1)) * d^2 * log_2^2(n) / log_2^2(d * log_2(n)) for T(n) in the analysis, we use T(n) <= n to get a rough estimate of the algorithm complexity in terms of the number of rounds. Moreover, we further investigate its performance based on an optimal d-disjunct matrix, so as to demonstrate the potential of this scheme.

Lemma 4.6. The PND algorithm identifies all the attackers within at most O( d*w^2 / (Kw - w - n) ) testing rounds.

Proof. Consider the worst case: in each round, assume that no attackers were identified and filtered out previously; we then need T(n') <= K - ceil((n - n')/w). Since T(n') <= n', we get n' >= (Kw - w - n)/(w - 1). Therefore, the maximum number of testing rounds needed is at most

ceil( (dn/K) * (w - 1) / (Kw - w - n) ) <= d*w^2 / (Kw - w - n) = O( d*w^2 / (Kw - w - n) ). []

This complexity of PND is not as good as that of the previous two algorithms. However, we are still interested in how it performs if the d-disjunct matrix construction method is improved. Since some tight lower bounds on T(n) have been proposed, we next use one of them [16] to compute T(n) and investigate the corresponding performance of PND.

Lemma 4.7 (Dyachkov-Rykov lower bound [16]). Let n > w >= d >= 2 and t > 1 be integers. For any superimposed (d + 1, n, w)-code ((d, n, w)-design) X of length t (X is a d-disjunct matrix with t rows and n columns), the following inequality holds:

t >= ceil( (d + 1) * n / w ).

The following performance analyses are based on this lower bound of T(n).

Corollary 4.1. In the PND algorithm, given w >= d >= 1, we have

n' = min{ floor( |A|w / (d + 1) ), n - Kw + w + |A|w }.

Proof. According to Lemma 4.7, with the number of columns n'' in [1, |S|], we have

|A| >= ceil( (d + 1) n'' / w ) >= (d + 1) n'' / w  =>  n' = max n'' <= |A|w / (d + 1).

Meanwhile, in the PND algorithm, for each round i we have

|A_i| >= K - ceil( (n - n')/w )  =>  n' <= n - Kw + w + |A|w. []

Lemma 4.8. In any testing round i:

1. n' = floor( |A_i|w / (d + 1) ) when K in [d, (dw + w + n)/w];

2. n' = n - Kw + w + |A_i|w when K in [k1, (dn + n - w)/w], where

k1 = ( (d + 1)(n + w) + sqrt( (d + 1)^2 (n + w)^2 - 4wnd^2 ) ) / (2w).

Proof. According to Corollary 4.1:

1. We have

K <= (dw + w + n)/w  <=>  wK <= dw + w + n,
|A| >= d + 1  <=>  |A|wd/(d + 1) >= wd;

hence,

n - Kw + w + |A|w >= |A|w / (d + 1).

2. In order to get

|A|w / (d + 1) >= n - Kw + w + |A|w,

we need

|A| <= (Kw - n - w)(d + 1) / (wd),

which requires

K - ceil( dn / (Kw) ) <= (Kw - n - w)(d + 1) / (wd);

hence, we need

wK^2 - (d + 1)(n + w)K + nd^2 >= 0.

Solving this inequality, we have K in [k1, infinity). Note that if K >= ceil( (d + 1)n / w ), we need not do partitions in the PND algorithm, and since k1 <= (dn + n - w)/w, we have K in [k1, (dn + n - w)/w]. Moreover, k1 > (dw - w + n)/w = d - 1 + n/w; there are thus no overlaps between these two intervals. []

Therefore, we split K in [d, infinity) into four disjoint intervals and study which interval of K yields O(1) testing rounds in the worst case, besides the interval K in [(dn + n - w)/w, infinity) shown above, as well as the complexity for the other intervals:

. I: K in [d, (dw + w + n)/w) yields n' = floor( |A|w / (d + 1) );

. II: K in [(dw + w + n)/w, k1) yields n' = min{ floor( |A|w / (d + 1) ), n - Kw + w + |A|w };

. III: K in [k1, (dn + n - w)/w) yields n' = n - Kw + w + |A|w;

. IV: K in [(dn + n - w)/w, infinity) yields ONE testing round in total.

Lemma 4.9. The PND algorithm needs at most O(1) testing rounds when K in [k2, (dw + w + n)/w), where

d <= ( w + sqrt( w^2 + 4n(2n - w) ) ) / (2n - w)

and

k2 = ( n + w + sqrt( n^2 + w^2 + 2nw - 4n^2*w + 4d^2*wn + 4dwn ) ) / (2w).

Proof. Since at least one server gets a positive outcome in the first testing round, we have

|A_0| >= K - ceil( (K - 1)n / (Kw) ).

With simple algebraic computations, we can reach the interval [k2, (dw + w + n)/w) within interval I, on the condition that d <= ( w + sqrt( w^2 + 4n(2n - w) ) ) / (2n - w); however, for intervals II and III, no such detailed subintervals of K yielding O(1) testing rounds can be obtained. []

Lemma 4.10. Within interval I, the PND algorithm can identify all IDs within O(d + K/sqrt(n)) testing rounds.

Proof. We derive the time complexity from the following recurrence.

Starting round 0: |S_0| <= dn/K, and

K - ceil( (K - 1)n / (Kw) ) <= |A_0| <= K - ceil( (K - d)n / (Kw) ).

Ending round T: 0 < |S_T| <= |A_T|w / (d + 1).

Iteration: for all i in [0, T - 1], we have

|S_{i+1}| <= |S_i| - |A_i|w / (d + 1)

and

K - ceil( (n - |S_{i+1}|)/w ) <= |A_{i+1}| <= K - ceil( (n - |S_{i+1}| - d)/w );

hence,

|A_{i+1}| >= K - n/w + |S_i|/w - |A_i|/(d + 1) - 1  and  |S_0| <= sum_{i=0}^{T} |A_i|w / (d + 1).

Since n > w, the coefficients involved in this recurrence are positive, and simple computation yields

T < 3*sqrt(2) + 2d + 2K/sqrt(n).

Therefore, PND will complete the identification within at most O(d + K/sqrt(n)) testing rounds. []

Note that since K is always much smaller than n, the complexity will in fact approach O(d).

Lemma 4.11. Within interval III, PND can identify all IDs within at most O(d) testing rounds.

Proof. Similarly, we can get T <= 2(d + 1) + 2*sqrt( (1 + d)/4 ) by solving the following recurrence.

Starting round 0: |S_0| <= dn/K and

K - ceil( (K - 1)n / (Kw) ) <= |A_0| <= K - ceil( (K - d)n / (Kw) ).

Ending round T: 0 < |S_T| <= n - Kw + w + |A_T|w.

Iteration: for all i in [0, T - 1], |S_{i+1}| <= |S_i| - (n - Kw + w + |A_i|w) and K - ceil( (n - |S_{i+1}|)/w ) <= |A_{i+1}| <= K - ceil( (n - |S_{i+1}| - d)/w ).

Hence, PND will complete the identification within at most O(d) testing rounds. []

Corollary 4.2. Within interval II, the PND algorithm can identify all IDs within O(d + K/sqrt(n)) testing rounds.

Proof. According to Lemmas 4.10 and 4.11, the time complexity of the PND algorithm depends on the value of n' at each round, and since n' within interval II oscillates between floor( |A|w/(d + 1) ) and n - Kw + w + |A|w, the time complexity is at most O(d + K/sqrt(n)). []

Theorem 4.3. Given 1 <= d <= w, the PND algorithm can identify all IDs within

1. at most O(d + K/sqrt(n)) testing rounds when K in [d, k1), and at most O(1) testing rounds when K in [k2, (dw + w + n)/w) on the condition that d <= ( w + sqrt( w^2 + 4n(2n - w) ) ) / (2n - w);

2. at most O(d) testing rounds when K in [k1, (dn + n - w)/w);

3. at most O(1) testing rounds when K in [(dn + n - w)/w, infinity);

where

k1 = ( (d + 1)(n + w) + sqrt( (d + 1)^2 (n + w)^2 - 4wnd^2 ) ) / (2w)

and

k2 = ( n + w + sqrt( n^2 + w^2 + 2nw - 4n^2*w + 4d^2*wn + 4dwn ) ) / (2w).

Although the number of testing rounds needed differs among the three algorithms above, the time complexity of computing each testing round is comparable in practice. It is trivial to see that the costs for SDP and SDoP are negligible, but not for the PND algorithm, which involves polynomial computation over a Galois field. However, considering that upper bounds on both the number of clients n and the number of attackers d can be estimated, the detection system can precompute the d-disjunct matrices for all possible (n, d) pairs offline and fetch the results in real time. Therefore, the overhead can be decreased to O(1), and the client requests can be smoothly distributed at the turn of testing rounds without suffering long delays from matrix updates.
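The precomputation idea can be as simple as a lookup table keyed by (n, d). In the sketch below, the trivial identity-matrix construction stands in for Du's method [14] only so that the code runs; a real deployment would plug in the actual construction, which uses far fewer rows.

```python
_MATRIX_CACHE = {}

def trivial_d_disjunct(n, d):
    """Trivial stand-in construction: the n x n identity matrix is d-disjunct for any
    d < n (this matches the T(n) <= n bound used in the analysis), but it is far from
    row-optimal; a real system would use Du's construction [14] here instead."""
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]

def precompute(pairs, build=trivial_d_disjunct):
    """Run the expensive constructions offline for every anticipated (n, d) pair."""
    for n, d in pairs:
        _MATRIX_CACHE[(n, d)] = build(n, d)

def fetch_matrix(n, d):
    """O(1) lookup when a new testing round starts."""
    return _MATRIX_CACHE[(n, d)]
```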

    5 SIMULATION CONFIGURATIONS AND RESULTS

To demonstrate the theoretical complexity results shown in the previous section, we conduct a simulation study of the proposed system in terms of four metrics: the average testing latency T, which refers to the length of the time interval from when the attackers start sending requests until all of them are identified; the average false positive rate fp and false negative rate fn; as well as the average number of testing rounds Rtest, which stands for the number of testing rounds needed by each algorithm to identify all the clients.

    5.1 Configurations

The purpose of this simulation is not to fully implement a detection system for deployment, but instead to validate all the theoretical results we derived. Although we make several simplifying assumptions below about the simulation environment, as we will show later, these issues are orthogonal to the performance of our scheme. Therefore, the simulation results should provide a reliable overview of the applicability and practical performance of our framework for general network types.



To this end, we implement a simulator in Java by modeling both the n clients and the K virtual servers as independent threads. Considering that all back-end servers are independent testing domains, we simulate only one back-end server, as we did for the algorithms, and thus do not test the flash crowd scenario that was mentioned and addressed in Section 3 using multiple back-end servers.

In order to mimic real client (including attacker) behavior and a dynamic network environment, we implement the client/server system as follows:

    . Each legitimate client joins in and leaves the systemat random times which are uniformly distributed,while the attacker threads arrive at time t 30 s andkeep live until being filtered out. (More complicatedclient behaviors might be more favored, but sinceour scheme contains a learning phase over variousclient behavior and adjusts the threshold accord-ingly, the performance of this system will notsignificantly decay by applying it to a differentnetwork type, i.e., the network type is orthogonalwith the scheme.)

. Both legitimate and malicious clients send requests with random interarrival rates and CPU processing times (workloads) to the virtual servers; however, the legitimate clients draw from a much smaller random range than the attackers.

. Each virtual server is equipped with an infinite request buffer, and all client requests arrive at the buffers with zero transmission and distribution delay, plus a 1 ms access time for retrieving states from the shared memory; each server handles the incoming requests in its own buffer in FCFS order and responds to the client on completing the corresponding request; the average response time and the incoming request aggregate are recorded periodically and compared against the dynamic thresholds fetched from the established legitimate profiles to generate the test outcomes (a minimal sketch of this virtual-server loop is given after the list).
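A minimal sketch of such a virtual-server loop could look as follows (the type and field names are illustrative only): an unbounded FCFS buffer, simulated per-request processing, and a periodic test outcome obtained by comparing the recorded aggregates against the dynamic thresholds supplied by the legitimate profile.

import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;

// A single request: its arrival time and the CPU time it demands.
final class Request {
    final long arrivalMs = System.currentTimeMillis();
    final long workloadMs;
    Request(long workloadMs) { this.workloadMs = workloadMs; }
}

// Supplies the dynamic thresholds learned from legitimate traffic.
interface LegitimateProfile {
    double artThreshold(int activeClients);    // maximum legitimate average response time
    double rateThreshold(int activeClients);   // maximum legitimate request aggregate per period
}

final class VirtualServer implements Runnable {
    private final BlockingQueue<Request> buffer = new LinkedBlockingQueue<>(); // "infinite" FCFS buffer
    private final LegitimateProfile profile;
    private long totalResponseMs = 0;
    private int served = 0;
    private int arrived = 0;

    VirtualServer(LegitimateProfile profile) { this.profile = profile; }

    // Requests are redistributed here according to the current testing matrix.
    synchronized void submit(Request r) { arrived++; buffer.add(r); }

    @Override public void run() {
        try {
            while (!Thread.currentThread().isInterrupted()) {
                Request r = buffer.take();          // FCFS service order
                Thread.sleep(r.workloadMs);         // simulate the CPU processing time
                synchronized (this) {
                    totalResponseMs += System.currentTimeMillis() - r.arrivalMs;
                    served++;
                }
            }
        } catch (InterruptedException ignored) { }
    }

    // Called once per test period P; positive if either aggregate exceeds its dynamic threshold.
    synchronized boolean testOutcome(int activeClients) {
        double art = served == 0 ? 0 : (double) totalResponseMs / served;
        boolean positive = art > profile.artThreshold(activeClients)
                        || arrived > profile.rateThreshold(activeClients);
        totalResponseMs = 0; served = 0; arrived = 0;  // reset counters for the next period
        return positive;
    }
}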

The purpose of assuming zero transmission and distribution delay is simply to quantify the length of the whole detection phase (testing latency). The transmission delay can be large due to geographical distances in a large-scale distributed system, and it can inflate the testing latency if a client sends requests in a stop-and-wait manner (it does not send a new request until all previous requests have been answered, so its request rate is low and each testing round must be longer); however, since the detection completes in only a few rounds, such an increase in detection time is not significant. The assumption of zero distribution delay is also practical, since the computational overhead for the testing matrix and the dynamic thresholds is negligible once the results are precomputed and fetched from the profiles. The 1 ms state maintenance time is likewise realistic: all the clients reside on one physical server, and all the virtual servers can quickly retrieve the client states from the shared memory.

With regard to the details of client behavior, the legitimate request interarrival rate is randomized between 1 and 3 requests per ms, and the legitimate workload is randomized between 1 and 3 ms of CPU processing time. In contrast, the malicious interarrival rates range from 5 to 20 requests per ms, and the malicious workloads range from 5 to 20 ms of CPU time. Although requests with arbitrarily large rates or workloads would be favored by attackers, they are in fact easier to discover, so we consider malicious requests with only a small margin above the legitimate ones.
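A client thread can then draw its per-millisecond request rate and workload from these ranges; the sketch below, which reuses the illustrative Request and VirtualServer types from the previous sketch, makes the legitimate/malicious distinction explicit:

import java.util.Random;

final class ClientThread implements Runnable {
    private final boolean malicious;
    private final VirtualServer server;   // assignment comes from the current testing matrix
    private final Random rng = new Random();

    ClientThread(boolean malicious, VirtualServer server) {
        this.malicious = malicious;
        this.server = server;
    }

    @Override public void run() {
        try {
            while (!Thread.currentThread().isInterrupted()) {
                // Legitimate clients: 1-3 requests/ms and 1-3 ms workload;
                // malicious clients:  5-20 requests/ms and 5-20 ms workload.
                int  ratePerMs = malicious ? 5 + rng.nextInt(16) : 1 + rng.nextInt(3);
                long workload  = malicious ? 5 + rng.nextInt(16) : 1 + rng.nextInt(3);
                for (int i = 0; i < ratePerMs; i++) {
                    server.submit(new Request(workload));
                }
                Thread.sleep(1);   // advance by one 1-ms time slot
            }
        } catch (InterruptedException ignored) { }
    }
}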

    5.2 Results

Setting K = 50, n = 1,000, w = 100, d = 40, and P = 1 second, we first show the efficiency of our detection system with the PND algorithm in terms of reducing the service resource usage ratio (SRUR) and the ART, as shown in Figs. 5a and 5b. The values of SRUR and ART climb sharply at t = 30 s when the attack starts and then gradually fall back to normal before t = 100 s. It therefore takes only 70 s for the system to filter out the attackers and recover to normal status. Note that the actual detection latency is shorter than this, because the ART threshold for the system to switch from DANGER mode back to NORMAL mode is slightly higher than the normal ART; hence, the system SRUR and ART return to normal shortly after the detection period ends.

In the following, we show the robustness of the performance under different environment settings: an increasing number of 1) virtual servers K; 2) malicious clients d; and 3) total clients n.

In Fig. 6, we simulate identifying d = 10 attackers out of n = 1,000 clients with the number of virtual servers ranging over [25, 200]. On the one hand, the false negative (Fig. 6a) and false positive (Fig. 6b) rates are bounded above by 5 percent and decrease as K grows for all three algorithms. This makes sense because the most likely way for an attacker to hide is to share a testing pool with many clients of low request rate and workload; in that case, the aggregate interarrival rate and workload at that server may still be lower than those of a server with the same number of legitimate clients. Hence, the fewer clients serviced by each server, the less likely this false negative case occurs. Note that even if a server holds only one attacker and no legitimate client, so that its incoming traffic is not particularly dense, the server can still test positive, since all tests are conducted against dynamic thresholds (here, the threshold for a server with one client), which change as the number of active clients in the virtual server varies. On the other hand, the testing latencies and the numbers of testing rounds keep declining from less than 11 s and four rounds, respectively, because identification is sped up when more virtual servers are available. The three algorithms achieve comparable performance, except that SDoP has a slightly higher false negative rate than the other two. This is caused by legitimate clients who are identified at earlier stages but stay in the servers until the end of the detection: since their request rates and workloads tend to be smaller than normal (which is why they are identified early), they may camouflage attackers in the subsequent rounds.


Fig. 5. Status of the back-end server. (a) Service resource usage ratio. (b) Average response time.


Due to space limitations, we briefly summarize the results of the following two experiments. In Fig. 7, we simulate the identification for n = 1,000, K = 50, w = 100, and P = 1 s with the number of attackers ranging over [1, 15], and find that all four measures increase slowly as d grows. Overall, the false negative/positive rates remain below 5 percent, and the testing latencies stay under 6 seconds with five testing rounds. As in the previous experiment, PND and SDP exhibit better performance than SDoP in terms of false negative rate, but on the other measures the three are approximately the same.

Fig. 8 shows the robustness for d = 10, K = 50, w = 100, and P = 1 s with [1,000, 2,000] clients. Both the false rates and the number of testing rounds stay stably below 5 percent and four rounds, respectively, as the number of clients increases. The testing latencies grow from 10 to 20 seconds for all three algorithms, due to the increasing cost of state maintenance when the number of clients doubles (from 1,000 to 2,000). However, this small latency is still tolerable for real-time applications and can be further reduced by lowering the state maintenance cost within the same physical machine.

Overall, the simulation results can be summarized as follows:

    . In general, the system can efficiently detect theattacks, filter out the malicious clients, and recoverto NORMAL mode within a short period of time inreal-time network scenarios.

. All three detection algorithms complete the detection with short latency (less than 30 s) and low false negative/positive rates (both less than 5 percent) for up to 2,000 clients. Thus, they are applicable to large-scale time/error-sensitive services.

. The PND and SDP algorithms achieve slightly better performance than the SDoP algorithm. Furthermore, the efficiency of the PND algorithm can be further enhanced by optimizing the d-disjunct matrix employed and the state maintenance efficiency.

    6 RELATED WORK IN DoS DETECTION

Numerous defense schemes against DoS have been proposed and developed [7]; they can be categorized into network-based mechanisms and system-based ones.

Existing network-based mechanisms aim to identify malicious packets at the intermediate routers or hosts [10], [12], by checking either the traffic volumes or the traffic distributions.


Fig. 6. Robustness by different numbers of virtual servers K. (a) False negative rate. (b) False positive rate. (c) Detection latency. (d) Number of testing rounds.

Fig. 7. Robustness by different numbers of attackers d. (a) False negative rate. (b) False positive rate. (c) Detection latency. (d) Number of testing rounds.

Fig. 8. Robustness by different total numbers of clients n. (a) False negative rate. (b) False positive rate. (c) Detection latency. (d) Number of testing rounds.


However, application DoS attacks exhibit no necessary deviation from legitimate traffic statistics in terms of these metrics; therefore, network-based mechanisms cannot efficiently handle these attack types.

On the other hand, many system-based mechanisms try to capture attackers at the end server via authentication [3], [24] or classification [1], [26]. Honeypots [24] are used to trap attackers who attempt to evade authentication and can efficiently mitigate flood attacks. However, this kind of mechanism relies on the accuracy of the authentication: once an attacker passes it, all the production servers are exposed and targeted. Classification-based methods study traffic behavior models, for example, the interarrival time distribution [1] and the bandwidth consumption pattern [26]. With rigorous classification criteria, abnormal packets can be filtered out, but this requires statistically checking each session individually and can significantly increase the system overhead. Besides these two defense types, Kandula et al. [3] augment the protected service with CAPTCHA puzzles that are solvable by human clients but not by zombie machines. This technique can eliminate service requests from botnets, but it also imposes additional operations on the client side, which delays consumers from receiving service.

In parallel with our previous work [5], Khattab et al. [4] proposed another system-based live-baiting defense scheme that applies group testing theory to application DoS detection. Based on a high-probability d-disjunct matrix [8], their system avoids large modifications to the network topology by spreading the incoming requests across multiple virtual servers for testing, using encrypted tokens, a technique that would also benefit our detection system. However, the live-baiting mechanism needs improvement in several respects. First, the number of states (pools for testing) is not as small as O(d), but instead approaches O(n). Second, the static threshold High-Water-Mark (HWM), the aggregate of requests arriving at each server per period, is inaccurate when the requests of one client are distributed asymmetrically over its assigned servers in round robin; moreover, this threshold cannot be applied to servers with a dynamic client set. Third, the virtual servers are merely request counters and cannot handle high-workload requests. In our system, virtual servers with limited service resources are mapped to testing pools and tested with dynamic thresholds, thereby overcoming these limitations.

    7 CONCLUSIONS AND DISCUSSIONS

We proposed a novel technique for detecting application DoS attacks by means of a new constraint-based group testing model. Motivated by classic GT methods, three detection algorithms were proposed, and a system based on these algorithms was introduced. Theoretical analysis and preliminary simulation results demonstrated the strong performance of this system in terms of low detection latency and low false positive/negative rates.

The focus of this paper is to apply group testing principles to application DoS attacks and to provide an underlying framework for detection against a general class of network assaults in which malicious requests are indistinguishable from normal ones. In future work, we will continue to investigate the potential of this scheme and improve the proposed system to enhance its detection efficiency. Possible directions include:

    1. the sequential algorithm can be adjusted to avoid therequirement of isolating attackers;

2. a more efficient d-disjunct matrix could dramatically decrease the detection latency, as shown in the theoretical analysis; a new construction method for this remains to be proposed and can form the main theoretical contribution of a follow-up paper;

3. the overhead of maintaining state transfer among virtual servers can be further decreased with more sophisticated techniques;

4. even though the algorithms already achieve quite low false positive/negative rates, they can be further improved via error-tolerant group testing methods, as discussed next.

Besides attempting to alleviate the errors resulting from the proactive learning of legitimate traffic, we will develop our algorithms using the error-tolerant d-disjunct matrix [23], which can still provide correct identification results even in the presence of some erroneous tests. Specifically, a testing matrix M is (d, z)-disjunct if any single column of it has at least z elements that are not in the union of any d other columns. By applying such a matrix M to our PND algorithm, up to d positive items can be correctly identified if the number of erroneous tests is no more than z - 1. With the efficient decoding algorithms proposed by Du and Hwang [14], this error-tolerant matrix has great potential to improve the performance of the PND algorithm and handle application DoS attacks more efficiently.
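As a sketch of how such a matrix could be decoded (the simple column-scan rule and the tolerance parameter e below are illustrative, not the decoding algorithm of [14]), an item is declared positive only if it appears in at most e tests that reported negative, so a bounded number of erroneous tests is absorbed:

final class ErrorTolerantDecoder {
    // Naive column-scan decoding over a (d, z)-disjunct matrix (rows = tests, columns = items).
    // outcomes[i] is true when test i reported positive. An item is declared negative
    // once it appears in more than e negative tests, so up to e erroneous tests per
    // item are tolerated; e is an illustrative tolerance knob tied to z.
    static boolean[] decode(boolean[][] matrix, boolean[] outcomes, int e) {
        int tests = matrix.length;
        int items = matrix[0].length;
        boolean[] positive = new boolean[items];
        for (int j = 0; j < items; j++) {
            int negativeAppearances = 0;
            for (int i = 0; i < tests; i++) {
                if (matrix[i][j] && !outcomes[i]) {
                    negativeAppearances++;
                }
            }
            positive[j] = negativeAppearances <= e;
        }
        return positive;
    }
}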

    ACKNOWLEDGMENTS

The work of Dr. My T. Thai is supported in part by the US National Science Foundation (NSF) under grant number CNS-0847869. A preliminary version of this paper, "On Detection of Malicious Users Using Group Testing Techniques" by M.T. Thai, Y. Xuan, I. Shin, and T. Znati, appeared in the Proceedings of the International Conference on Distributed Computing Systems (ICDCS), 2008.

REFERENCES

[1] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, "DDoS-Resilient Scheduling to Counter Application Layer Attacks under Imperfect Detection," Proc. IEEE INFOCOM, Apr. 2006.
[2] S. Vries, "A Corsaire White Paper: Application Denial of Service (DoS) Attacks," http://research.corsaire.com/whitepapers/040405-application-level-dos-attacks.pdf, 2010.
[3] S. Kandula, D. Katabi, M. Jacob, and A.W. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds," Proc. Second Symp. Networked Systems Design and Implementation (NSDI), May 2005.
[4] S. Khattab, S. Gobriel, R. Melhem, and D. Mosse, "Live Baiting for Service-Level DoS Attackers," Proc. IEEE INFOCOM, 2008.
[5] M.T. Thai, Y. Xuan, I. Shin, and T. Znati, "On Detection of Malicious Users Using Group Testing Techniques," Proc. Int'l Conf. Distributed Computing Systems (ICDCS), 2008.
[6] M.T. Thai, P. Deng, W. Wu, and T. Znati, "Approximation Algorithms of Nonunique Probes Selection for Biological Target Identification," Proc. Conf. Data Mining, Systems Analysis and Optimization in Biomedicine, 2007.
[7] J. Mirkovic, J. Martin, and P. Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms," Technical Report 020018, Computer Science Dept., UCLA, 2002.
[8] M.J. Atallah, M.T. Goodrich, and R. Tamassia, "Indexing Information for Data Forensics," Proc. Int'l Conf. Applied Cryptography and Network Security (ACNS), pp. 206-221, 2005.
[9] J. Lemon, "Resisting SYN Flood DoS Attacks with a SYN Cache," Proc. BSDCON, 2002.


[10] "Service Provider Infrastructure Security: Detecting, Tracing, and Mitigating Network-Wide Anomalies," http://www.arbornetworks.com, 2005.
[11] Y. Kim, W.C. Lau, M.C. Chuah, and H.J. Chao, "PacketScore: Statistics-Based Overload Control against Distributed Denial-of-Service Attacks," Proc. IEEE INFOCOM, 2004.
[12] F. Kargl, J. Maier, and M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks," Proc. 10th Int'l Conf. World Wide Web (WWW '01), pp. 514-524, 2001.
[13] L. Ricciulli, P. Lincoln, and P. Kakkar, "TCP SYN Flooding Defense," Proc. Comm. Networks and Distributed Systems Modeling and Simulation Conf. (CNDS), 1999.
[14] D.Z. Du and F.K. Hwang, Pooling Designs: Group Testing in Molecular Biology. World Scientific, 2006.
[15] M.T. Thai, D. MacCallum, P. Deng, and W. Wu, "Decoding Algorithms in Pooling Designs with Inhibitors and Fault Tolerance," Int'l J. Bioinformatics Research and Applications, vol. 3, no. 2, pp. 145-152, 2007.
[16] A.G. Dyachkov, A.J. Macula, D.C. Torney, and P.A. Vilenkin, "Two Models of Nonadaptive Group Testing for Designing Screening Experiments," Proc. Sixth Int'l Workshop Model-Oriented Designs and Analysis, pp. 63-75, 2001.
[17] J. Kurose and K. Ross, Computer Networking: A Top-Down Approach, fourth ed. Addison-Wesley, July 2007.
[18] Y. Chu and J. Ke, "Mean Response Time for a G/G/1 Queueing System: Simulated Computation," Applied Math. and Computation, vol. 186, no. 1, pp. 772-779, Mar. 2007.
[19] G. Mori and J. Malik, "Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA," Proc. IEEE Conf. Computer Vision and Pattern Recognition, 2003.
[20] P. Sharma, P. Shah, and S. Bhattacharya, "Mirror Hopping Approach for Selective Denial of Service Prevention," Proc. Int'l Workshop Object-Oriented Real-Time Dependable Systems (WORDS '03), 2003.
[21] V.D. Gligor, "Guaranteeing Access in Spite of Distributed Service-Flooding Attacks," Proc. Security Protocols Workshop, 2003.
[22] T.V. Zandt, "How to Fit a Response Time Distribution," Psychonomic Bull. and Rev., vol. 7, no. 3, 2000.
[23] A.G. Dyachkov, V.V. Rykov, and A.M. Rashad, "Superimposed Distance Codes," Problems of Control and Information Theory, vol. 18, pp. 237-250, 1989.
[24] S.M. Khattab, C. Sangpachatanaruk, D. Mosse, R. Melhem, and T. Znati, "Honeypots for Mitigating Service-Level Denial-of-Service Attacks," Proc. Int'l Conf. Distributed Computing Systems (ICDCS '04), 2004.
[25] V. Sekar, N. Duffield, K. van der Merwe, O. Spatscheck, and H. Zhang, "Large-Scale Automated DDoS Detection System," Proc. USENIX Ann. Technical Conf., 2006.
[26] F. Kargl, J. Maier, and M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks," Proc. World Wide Web Conf., pp. 514-524, 2001.
[27] D. Eppstein, M.T. Goodrich, and D. Hirschberg, "Improved Combinatorial Group Testing Algorithms for Real-World Problem Sizes," Proc. Workshop Algorithms and Data Structures (WADS), pp. 86-98, 2005.

    Ying Xuan received the BE degree in computerscience and engineering from the University ofScience and Technology of China, Anhui, China,in 2006. He is currently working toward the PhDdegree at the Department of Computer andInformation Science and Engineering, Universityof Florida, under the supervision of Dr. My T.Thai. His research topics include group testingtheory, network security, and network reliability.

    Incheol Shin received the BE degree incomputer science and engineering from theHansung University, Seoul, Korea, in 2002. Heis currently working toward the PhD degree atthe Department of Computer and InformationScience and Engineering, University of Florida,under the supervision of Dr. My T. Thai. Hisresearch interests include network security andgroup testing.

My T. Thai received the PhD degree in computer science from the University of Minnesota, Twin Cities, in 2006. She is an assistant professor in the Department of Computer and Information Sciences and Engineering at the University of Florida. Her current research interests include algorithms and optimization on network science and engineering. She also serves as an associate editor for the Journal of Combinatorial Optimization (JOCO) and Optimization Letters. She is a recipient of Young Investigator Awards from the DoD. She is a member of the IEEE.

Taieb Znati received the MS degree in computer science from Purdue University in 1984, and the PhD degree in computer science from Michigan State University in 1988. He is a professor in the Department of Computer Science, with a joint appointment in Telecommunications in the Department of Information Science, University of Pittsburgh. He currently serves as the director of the Computer and Network Systems (CNS) Division at the National Science Foundation (NSF). From 2000 to 2004, he served as a senior program director for networking research at NSF. He also served as the committee chairperson of the Information Technology Research (ITR) Program, an NSF-wide research initiative in information technology. His current research interests are in network science and engineering, with a focus on the design of scalable, robust, and reliable network architectures and protocols for wired and wireless communication networks. He is a recipient of several research grants from government agencies and from industry. He is frequently invited to present keynotes at networking and distributed systems conferences both in the United States and abroad. He is a member of the IEEE.

