Method and system for defense against Distributed Denial-of-Service attack

Patent AU2021102049A4

Introduction

The present disclosure relates to a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud. The present disclosure also relates to a defensive mechanism for DDoS attacks that is based on variations in entropy between DDoS attack and a normal traffic with a low computational overhead and a mitigation technique to reduce the severity of the attack. On comparing with the existing DDoS mechanisms, there are three advantages of the proposed method and those advantages are, detection rate is high, false positive rate is low, and the mitigation ability. Simulations are carried out in mininet emulator with POX controller and open flow switches at different attack strength. 22 CN C ( C Cr ii I, q L L

FIELD OF THE INVENTION

The present disclosure relates to a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud.

BACKGROUND OF THE INVENTION

The Cloud technology is a dynamic platform and it provides a collection of configurable and sharable resources to the consumers and suppliers. As per the requirement of the user, resources can be scaled up and scale down, and accordingly, the users have to pay for the used resources. In 2011, National Institute of Standards and Technology (NIST) has provided a formal definition which includes deployments of cloud model (Public, Private, Hybrid and community), services of clouds (IaaS, Paas and SaaS) and its essential characteristics(On demand self-services, Broad Network Access, resources Pooling, Rapid Elasticity and Measured Services). Due to its essential characteristics, the consumers and providers of cloud computing are increasing like anything. However, there ISA significant increment also in the number of issues over cloud such as breach of data, the vulnerability in a shared technology, outdated versions and patching, abuse and nefarious use of cloud and distributed Denial of service (DDoS) attack. From the statistics of, we can see that DDoS is making itself more energetic day by day with the help of advanced tools and technology in cloud computing. Over the years DDoS has increased its volume to stop the legal services. DDoS which works at network layer and the conventional network architecture is itself a problem to invite many of the threats including DDoS.

SDN beautifully manages the three planes. The lower plane which is also known as data or infrastructure plane used to carry the switches, virtual switches, routers and access points and maintains information in related tables such as routing table, miss table and forwarding table. The data plane interacts with the control plane, where it may have one or multiple controllers. The main work of the controller is to manage the network. The control plane interacts with the application plane, which contains security related mechanisms to make the system secure and provide authenticated access to the users. It simplifies complexity exists in a traditional network. It attempts to segregate network activities in the following way: Prioritization, filtering and forwarding: Forwarding responsibilities, implemented in hardware tables, remain on the device.

Besides, features such as traffic prioritization and filtering based on ACLs are enforced locally on the required devices in the same way. Control: Complicated control software is evacuated from their devices and inserted into a centralized controller. It has a complete view and control of the network along with the ability to make routing decisions and optimal forwarding. It shows a shift to a programming standard for a control plane. On the controller, the underlying forwarding hardware on the networking device is available to be programmed by external software. The control plane is not any more closed, embedded, tightly coupled with the hardware, or optimized for specific embedded environments. Applications: Above the controller is where the network applications run, implementing higher-level functions and, additionally, participating in decisions about how best to manage and control packet forwarding and distribution within the network.

There are some factors related to balancing the load and enforcement of security when the virtual migration takes place. Such as a shared link on many different virtual networks and one of them can be compromised due to the DDoS attack which in turn affect the services. In such kind of cases, the other non-compromised networks should be migrated to different servers till the problem is solved. In SDN the logically centralized controller knows the entire system. This worldwide information on the system is valuable in the construction of proper defense approaches for network system that further aides to detect and mitigate the attacks. SDN has great ability of the technical programming over conventional network systems, which empowers the administrators of network in using different existing defense frameworks relying upon the kind of DDoS attacks. In a SDN domain, we can utilize various kinds of programming tools and intelligent algorithms to analyze traffic of a network. Consequently, SDN can detect the attack and mitigation the system more successfully by implementing programming based traffic examination.

In SDN, there is an essential and basic component as an OpenFlow switch. According to the OpenFlow determination, an OpenFlow empowered switch keeps up a flow table to perform forwarding of packets. In the switches, a flow table consists of number of flow entries, which contains match fields, priorities, counters, Action, Timeout, Cookies, and flag to be applied on the coordinating flows. After receiving a packet, matching begins from the absolute first flow table and proceeds to next flow tables in the succession. On matching of an entry with the match field, the packet is handled as per the action specified in the flow entry. However, if there is no match, the action is executed as per the action stored in the table-miss flow entry. In which it includes the probable set of actions, forward the packet, keep on searching, decline the entry, and many more. In the important components of a flow entry, each flow entry contains fields. Match Field: To compare it against approaching packets. Priority: It characterizes priority of a flow entry. We can utilize it with the match fields to distinguish novel flow entry in a specific flow table. Counter: It is refreshed and incremented on a match. Action: It includes a lot of moves to be made when a match field occurs as true. Timeout: It talks about a session maintained by a flow entry in the flow table. Cookies: The controller selects hazy information. It may be utilized to separate out flow entries influenced by statistics, alterations and deletion demands of a flow. During the processing of the packets, we cannot use it. Flags: To modify and keep track of the modified flow entries.

In DoS attack, a single machine or connection generates large amount of traffic to make the victim machine unavailable to process other legitimate requests. DoS attack can be categorized in three modes, first one focuses on consumption of limited resources of the victim machine which could be the network connectivity, bandwidth, processing power or memory. Second, changing or destructing the configuration information of the machine and lastly physically altering or destructing the network components.

In DDoS attack, network is saturated to an extent that no other request can be entertained by the victim. The attacker uses the hierarchical architecture to perform the attack. First, the attacker creates some zombie machines also known as bots. These machines are created by installing some malicious code on the victim machines. In this hierarchical structure there exists a Bot master or the main attacker which issues the command to handlers who further sends it to the zombie machines to perform the attack. All the zombie machines after receiving the command generates huge amount of traffic on the victim machine or network to overwhelm it so that it cannot process any other legitimate requests. The intensity of the attacks mainly depends on the number of zombie machines used. In one of the existing solution, the attention was paid on the approach to the detection of the DDoS attack. 25 window size is used for the simulation with a POX controller, where a faster mode was tried to detect an attack. It works well in the suggested scenario, but it may not be suitable for the larger volume of the attack. Also, they a timestamp was used for recording the number of packets in the attack period, but further, it was not recommended it. In one of the existing solution a model of selective cloud egress filter (SCEF) was proposed for detection of DDoS attack. Once the attack is detected, the proposed model relays information regarding participation VM in attack to the virtual machine monitors for taking the right action. The benefit is the scope of the system extends to a diverse variety of network attacks. In one of the existing solution an idea was presented to defend from the DDoS attack by using the probability distribution and somehow succeeded to gain optimized Flow Table space but did not reduce the false positive rate as per the requirement.

In one of the existing solution an automatic framework ArOMA was proposed that utilizes the important features of SDN such as programmability and centralized manageability to mitigate DDoS. The thought process is to efficiently incorporate different mitigation frameworks that are dispersed among its clients. In one of the existing solution the attack was identified by using the SDN controller and to ensure its architecture. The fundamental destinations of this methodology are to use the controller's expansive of system features to distinguish the attack and to make the detection framework compelling and lightweight as far as resources uses. In one of the existing solution a system was proposed to trigger the detection method for DDoS attack with the aim to diminish the reaction time to detect the attack framework. In the event that the reaction time is longer, it enforces the SDN controller to process countless attacking packets. It might even crash or degrade the controller. In one of the existing solution the effect of SDN on detection of attack in the cloud computing was researched. The SDN was considered as a help with regards to attack if the barrier framework is sufficiently structured. Researchers constructed an attack defense architecture called "DaMask". An adaptable control structure which is used to perform for faster response of attack was discussed.

However, DDoS which works at network layer and the conventional network architecture is itself a problem to invite many of the threats including DDoS. The existing mechanism does not focus on the many of the features of attacks and works for majorly for passive defensive mechanisms, that is also a problem and therefore they are not sufficient to trackback the attack. In spite of, so many developments in tools and technology, it is still hard to detect the DDoS attack. Therefore, in order to avoid aforementioned drawbacks there is a need of a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud.

SUMMARY OF THE INVENTION

The present disclosure relates to a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud. A defensive mechanism is proposed for DDoS attack that is based on variations in entropy between DDoS attack and a normal traffic with a low computational overhead and also a mitigation technique to reduce the severity of the attack. The three advantages of the present disclosed method are detection rate is high, false positive rate is low, and the mitigation ability. Simulations are carried out in mininet emulator with POX controller and open flow switches at different attack strength.

The present disclosure seeks to provide a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud. The method comprises: receiving incoming flow rate of packets and verifying whether said flow rate of packets exceeds beyond a specified threshold or not in order to identify an unusual traffic; collecting all statistics of switch's flow by a controller plane upon receiving said unusual traffic; parsing incoming packets by offering many primitives using a POX controller; extracting packets information and thereby creating match for flow rules; sending messages to program a switch using said controller; identifying a distributed denial-of-service (DDoS)attack by comparing current entropy with specified entropy threshold using statistics; incrementing a counter upon obtaining an attack period or going into a non-attack period and asking said controller to modify packet to forward it to a next address through said switches; and diminishing effect of said DDoS attack by said plane and mitigating DDoS attack upon identifying of an attack in a software defined network cloud (SDN-Cloud).

An objective of the present disclosure is to provide a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud.Another object of the present disclosure is to achieve high detection rate and low false positive rate.

Another object of the present disclosure is to develop a mitigation technique to reduce the severity of the attack.

Another object of the present disclosure is to carry out simulations in mininet emulator with POX controller and open flow switches at different attack strength.

Yet, another object of the present disclosure is to use the attributes of flow table along with the entropy variations in SDN to recognize and alleviate DDoS attack.

To further clarify advantages and features of the present disclosure, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which is illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.

AU2021102049A4 - Method and system for defense against Distributed Denial-of-Service attack - Google Patents
The present disclosure relates to a method for defense mechanisms against DDoS attack based on entropy in software defined network cloud. The present disclosure also relates to a defensive mechanism for DDoS attacks that is based on variations in entropy between DDoS attack and a normal tra…