
ABSTRACT

 

This dissertation presents the development of an Internet Protocol (IP) traceback scheme for detecting the source of a denial of service (DoS) attack, based on the shark smell optimization algorithm (SSOA). Detecting the source of a DoS attack is important because of the serious damage the attack causes and the need to bring the perpetrators to justice to stop the menace. DoS attack is a major threat to the security of network systems and consists of attacks that exploit a vulnerability in a network to overload it with tasks and prevent it from serving other legitimate users. A flash event (FE) can cause a traffic surge in a part of the network crossed by the attack path that is being traced. A flash event traffic surge can be very similar to a DoS attack and may mislead existing IP traceback schemes based on swarm optimization algorithms when they trace the source of an attack using a flow-based search method. The challenge is more pronounced with flow-based search for detecting the attack source because a flash event flow surge shares very similar characteristics with a DoS flooding attack. To mitigate the errors that flash event traffic surges cause in IP traceback schemes, a DoS attack source traceback scheme based on the shark smell optimization algorithm, called SSOA-DoSTBK, was developed. It incorporates a discernment policy for implementing hop-by-hop search to avoid flash event traffic surges and ascertain the nodes that are actually involved in routing the attack packets. The scheme was simulated in Network Simulator version 2 (NS2). The performance of SSOA-DoSTBK was evaluated using False Error Rate (FER), convergence time, and the ability to detect a spoofed IP attack source based on the correctness of the returned path as performance metrics. It was compared with results obtained from a scheme reported in the literature, the modified ant colony system algorithm for IP traceback (ACS-IPTBK).
SSOA-DoSTBK performed better in the FER and spoofed IP attack tests by as much as 32.06%. However, ACS-IPTBK converged faster than SSOA-DoSTBK in the tests by as much as 1.2%.

 

TABLE OF CONTENTS

DECLARATION
CERTIFICATION
DEDICATION
ACKNOWLEDGEMENT
ABSTRACT
List of Figures
List of Tables
List of Appendices
ABBREVIATIONS
CHAPTER ONE
INTRODUCTION
1.1 Background on Network Attacks
1.1.1 Background on Internet Protocol Packets Source Detection
1.2 Significance of Research
1.3 Statement of Problem
1.4 Aim and Objectives
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction
2.2 Review of Fundamental Concepts on DoS Attack IP Traceback
2.2.1 The DoS Attack and its Variants
2.2.2 Flash Event
2.2.3 DoS Attack IP Traceback Methodologies
2.2.4 DoS Attack Source Detection Process
2.3 Shark Smell Optimization Algorithm
2.3.1 Initialization
2.3.2 Scouring
2.3.3 Advancing
2.3.4 SSOA Exploitation
2.3.5 SSOA Exploration
2.3.6 Flowchart of SSOA Algorithm Search Process
2.4 Reconstructing the Network Topology
2.4.1 Implementation of Waxman Topology
2.4.2 Determining Edges on Attack Path
2.5 Network Simulator Version 2 (NS2)
2.6 Review of Similar Works
CHAPTER THREE
MATERIALS AND METHODS
3.1 Introduction
3.2 Materials
3.3 Methodology
3.3.1 Development of the SSOA-DoSTBK
3.3.2 Discrimination Policy
3.3.3 Solving DoS IP Traceback Problem Using SSOA-DoSTBK
3.3.4 Comparison of SSOA-DoSTBK with ACS-IPTBK
3.3.5 Performance Evaluation
CHAPTER FOUR
RESULTS AND DISCUSSIONS
4.1 Introduction
4.2 Simulation Results
4.2.1 Evaluation of False Error Rate
4.2.1.1 FER of the Schemes under DoS Attack
4.2.1.2 FER of the Schemes under Combined FE and DoS Attack
4.2.1.3 FER of the Schemes under Combined FE and Spoofed DoS Attack
4.2.2 Performance Evaluation
4.2.2.1 Performance under DoS Attack
4.2.2.2 Performance under Concurrent FE Traffic and DoS Attack
4.2.2.3 Performance under Concurrent FE Traffic and Spoofed DoS Attack
4.2.3 Evaluation of Convergence Time
4.2.3.1 Convergence under DoS Attack
4.2.3.2 Convergence under Concurrent FE and DoS Attack
4.2.3.3 Convergence under Concurrent FE and Spoofed DoS Attack
4.3 Attack Path Detection Results
4.3.1 FER Tests Results
4.3.2 Returned Attack Path Correctness Tests Results
4.3.3 Convergence Time Tests Results
4.4 Quantified Comparison of Results
4.5 Discussions
4.6 Packets Required for Attack Path Reconstruction
CHAPTER FIVE
CONCLUSION AND RECOMMENDATIONS
5.1 Summary
5.2 Conclusion
5.3 Significant Contributions
5.4 Recommendations for Further Work
References

 


 

CHAPTER ONE

INTRODUCTION
1.1 Background on Network Attacks
Network attacks are cybercrimes. They include unauthorized practices such as using restricted online assets without permission, stealing or gaining unauthorized access to a system, exposing private resources, or maliciously disabling, altering or destroying the services of a system on the network (ISO/IEC, 2009). Computer networks are now involved in most human day-to-day activities because they make the way things are done easier. The need for adequate security in computer networks is a rapidly growing area of interest because of the increasing reliance on networks and the new network attacks that are springing up at an alarming rate. Attacks on computer networks have serious effects on business and the economy because the networks carry large volumes of data on which business executives base their business decisions. Government and security establishments, including the military, also rely on data on the networks for vital decisions and strategic planning. Because of the importance of computer networks in vital areas of human endeavour, an attack on them has direct or indirect impacts on many people. Denial of Service (DoS) attack is a prominent network attack. DoS is not used to steal, eavesdrop, breach privacy, or compromise data integrity on a system; rather, it is used to deny victims access to their own network, and their clients lose transactions. DoS attack and its variants are the most ravaging network problems. It is identified in the literature as the most powerful damaging attack used to harm a business or organization (Mary & Begum, 2017). In recognition of the serious setbacks that cybercrimes are causing to humanity, different countries of the world, including Nigeria, have enacted laws and policies to fight the scourge of cyber-attacks. Examples are the United States Stop Online Piracy Act and Protect IP Act (SOPA/PIPA) (Schmitz, 2013), the UK Data Protection Act (Data Protection Act, 1998), and the Nigerian Cybercrime Act 2015 (Cybercrime Act, 2015). Resolving DoS attacks requires identifying the perpetrators and pursuing legal action against them, to serve as a deterrent and to compensate the victim. Successful legal action can only be achieved on the basis of proven, infallible facts used to establish a criminal offence against a perpetrator. Network forensic professionals use Internet Protocol (IP) traceback tools to acquire network data that can be used as facts about an attack and also to detect the source of the attack.
Denial of service (DoS) attack is a type of cybercrime that requires an IP traceback scheme specifically designed to take its intricate attributes into consideration and to discriminate it from normal transactions on the network that transmit large amounts of data and may be symptomatically comparable to DoS (Bhandari et al., 2016). A normal network traffic scenario known as a flash event (FE) is very similar to a Distributed DoS (DDoS) attack, which is a variant of DoS. A flash event (or flash crowd (Bhandari et al., 2016)) refers to a situation in which some circumstance arouses the interest of a majority of network users in accessing a particular network resource on a server. A practical example of a flash event in which legitimate traffic overwhelmed the server is the 1998 FIFA hosting website, which experienced more visitors than its capacity (Chawla et al., 2016). Both flash events and DDoS attacks generate heavy traffic from different sources to a particular server. File download manager software that is capable of breaking a download into different segments and using multiple threads to download the segments concurrently is similar to a simple DoS attack. Depending on the size of the traffic generated by the download process, it may affect the services of the server like a DoS attack. High packet flow traffic caused by a flash event can be distinguished from a DoS attack by studying some characteristics of the traffic. Flash event characteristics such as the rate of requests from the same source IP address (to see the timing between request packet arrivals), the sizes of request packets and their contents, and the relation between packets will differ from those of an automated DoS attack (assuming no spoofing). Also, examining the characteristics of the source nodes collectively, in terms of the physical distribution of the source nodes based on their IP addresses and the randomness of packet generation between nodes, may make a correlation between packets from different nodes more apparent. Other characteristics that may be examined to differentiate FE from DoS are packet traffic features including delays, throughput, packet sequences and entropy, and their randomness, to deduce whether they come from the same node or from different nodes (Mohamed et al., 2018). Most of the characteristics mentioned are applicable to DoS attack detectors. An IP traceback scheme needs a more dynamically adaptable approach than a detector and thus requires other features of the traffic flows. This is to ensure that it is robust against the different possible traffic flow surges along the edges of the attack path.
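As an added illustration of the discriminating characteristics listed above (example code, not from the dissertation), the following Python computes per-source request rate, inter-arrival regularity, payload-size spread and source-IP entropy over constructed traffic samples, and applies assumed thresholds to label a surge as FE-like or DoS-like.

```python
import random
from collections import Counter
from math import log2
from statistics import mean, median, pstdev

def source_entropy(records):
    """Shannon entropy (bits) of the source-IP distribution of a surge."""
    counts, n = Counter(src for _, src, _ in records), len(records)
    return -sum(c / n * log2(c / n) for c in counts.values())

def per_source_features(records):
    """Per source IP: request rate, inter-arrival regularity (CV), size spread."""
    by_src = {}
    for ts, src, size in sorted(records):
        by_src.setdefault(src, []).append((ts, size))
    feats = {}
    for src, pkts in by_src.items():
        gaps = [b - a for (a, _), (b, _) in zip(pkts, pkts[1:])]
        sizes = [s for _, s in pkts]
        span = max(pkts[-1][0] - pkts[0][0], 1e-9)
        feats[src] = {
            "rate": len(pkts) / span,
            "gap_cv": pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 0.0,
            "size_sd": pstdev(sizes) if len(sizes) > 1 else 0.0,
        }
    return feats

def classify_surge(records, rate_thr=50.0, cv_thr=0.2, size_sd_thr=8.0):
    """'dos-like' only when sources behave like automated senders (high per-source
    rate, machine-regular timing, near-constant size); thresholds are assumed."""
    feats = per_source_features(records)
    def med(key):
        return median(f[key] for f in feats.values())
    summary = {"sources": len(feats), "entropy_bits": source_entropy(records),
               "rate": med("rate"), "gap_cv": med("gap_cv"), "size_sd": med("size_sd")}
    automated = (summary["rate"] > rate_thr and summary["gap_cv"] < cv_thr
                 and summary["size_sd"] < size_sd_thr)
    return ("dos-like" if automated else "fe-like"), summary

def build_flash_event(n_sources=200, reqs=5, seed=1):
    """Constructed FE sample: many clients, irregular human timing, varied sizes."""
    rng, recs = random.Random(seed), []
    for i in range(n_sources):
        t = rng.uniform(0, 30)
        for _ in range(reqs):
            t += rng.uniform(0.5, 3.0)
            recs.append((t, f"10.0.{i // 256}.{i % 256}", rng.randint(200, 1500)))
    return recs

def build_dos_flood(n_sources=3, pkts=500):
    """Constructed flood sample: few senders, fixed 64-byte packets every 10 ms."""
    return [(i * 0.01, f"192.0.2.{s}", 64) for s in range(n_sources) for i in range(pkts)]
```

The returned summary (source count, entropy, median rate, timing CV and size spread) is what a traceback scheme would weigh before accepting a surging edge as part of the attack path.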
1.1.1 Background on Internet Protocol Packets Source Detection
The process by which data packets are traced back to their source using the information available on the packets, e.g. the source IP address, is called IP traceback. An IP traceback technique employs a mechanism for storing routing path information of the packets, such as marking schemes (Bhavani et al., 2015; Suresh & Ram, 2018), so that it can later be used to trace the packet back to its source from the receiving end. IP traceback can use a single packet (Malik & Dutta, 2017) or many packets (Saurabh & Sairam, 2016) to acquire adequate information for the traceback. If the source information on a packet is correct, the IP address in the packet header can simply be used with applications like Telnet, tracert, traceroute, or ping, together with an IP geolocation tool, e.g. IP locator, to implement IP traceback and detect the node where the packet originated. IP traceback becomes challenging when IP spoofing and concealment of the source address are employed by attackers to hide their identity (Bhuyan et al., 2016), as is often done in DoS attacks. IP spoofing is the process by which an IP address other than the true IP address of the source of the packet is used as the packet's source address in the packet header. The IP address used may belong to a trusted computer (Daya, 2013) or be taken arbitrarily. This practice is usually carried out by attackers to conceal their identity or impersonate the owner of the address used (Tiwari et al., 2014).
1.2 Significance of Research
IP traceback is a tool used by network forensic professionals to acquire data about an attack and detect the source of a network attack. Accurate detection of the source of an attack is essential to prevent further malicious transmissions from the same source and to expose the perpetrator so that appropriate action can be taken. Many IP traceback schemes for detecting the source of DoS attacks have been reported in the literature, but they have no facility for differentiating FE flow from DoS attack flow. This may cause them to mistakenly identify FE traffic paths as the attack path during the traceback process. This research work proposes an IP traceback scheme for acquiring accurate data about an attack and detecting the genuine source of the attack by avoiding other network traffic, including flash event traffic, which may cause false errors in its results. This will ensure the acquisition of infallible data about the attack for detecting its source and support taking appropriate action against the real perpetrator of the attack.
1.3 Statement of Problem
The problem that SSOA-DoSTBK solves is the difficulty of distinguishing a sudden surge in normal network traffic flow, usually caused by a flash event, from DoS attack traffic; the surge can mislead IP traceback mechanisms during the traceback process. There are DoS attack detectors capable of differentiating DoS traffic from normal traffic with large flows, but no existing IP traceback scheme with this capability was known to the researcher at the time of this research. The existing IP traceback solutions based on nature-inspired algorithms use a flow-based approach to detect the edges that attack packets followed to reach the victim. In some cases, a normal network transaction can involve a large flow of packets on a segment of the attack path, e.g. File Transfer Protocol (FTP) uploading or downloading of large files, or a large number of users accessing a resource on a server at the same time. It is difficult for a flow-based mechanism to differentiate the two flows on a shared part of a multipath transmission, which can cause a false alarm. This can cause a network forensic investigator to acquire incorrect facts that cannot be used by a cybercrime legal practitioner to convince a jury and establish a criminal case against the attacker. SSOA-DoSTBK employs a hop-by-hop search and uses discernment rules to mitigate this challenge.
1.4 Aim and Objectives
The aim of this research work is the development of an internet protocol traceback scheme for denial of service attack source detection. The objectives of this research work are as follows:
1. To develop the SSOA-based DoS attack source detection scheme called the SSOA-DoSTBK
2. To simulate the SSOA-DoSTBK, which implements the discernment policy, using Network Simulator version 2 (NS2)
3. To compare the SSOA-DoSTBK with another IP traceback scheme based on a nature-inspired algorithm. The modified ant colony system algorithm for IP traceback (ACS-IPTBK) scheme developed by Wang et al. (2016) was selected for the comparison because it is based on a nature-inspired algorithm commonly used for IP traceback, the ant colony optimization (ACO) algorithm. There has been a trend of improvements in using ACO for IP traceback, from ordinary ACO, Ant System and Ant Colony System up to ACS-IPTBK, as reported in the literature. The comparisons were based on False Error Rate (FER), convergence time, and the ability to differentiate a sudden surge in normal traffic flow from attack flow and to detect the source of spoofed IP packets as performance metrics. The FER includes False Acceptance Rate (FAR) and False Rejection Rate (FRR).

 
