Forecast of Denial of Service (DoS) Attacks via Neural Networks

Shu-Te University, Taiwan, R.O.C.
wdchang@mail.stu.edu.tw

Abstract

The forecast of Denial of Service (DoS) attacks is achieved via back-propagation neural networks in this paper. An artificial neural network simulates the behavior of biological neurons and has been applied successfully to a variety of fields because of its learning capability. The back-propagation neural network belongs to the category of supervised networks, which are suited to system diagnosis and forecasting. The DoS attack is a significant topic in network security and a constant burden for network managers: a large number of clients send service requests simultaneously to a server over the Internet, so that the server is too busy to provide normal service to anyone else. Until now there has been no good and effective solution to this kind of attack. Therefore, in this paper a back-propagation neural network is trained on data generated from the normal and abnormal operation of the server and then used to forecast whether the server is under DoS attack.

Keywords: Denial of Service (DoS), Network Security, Neural Networks.

1 Introduction
The Web has become the most widely used service on the Internet, and many organizations deliver their applications through Web servers, so the availability of those servers is critical. Denial of service (DoS), distributed denial of service (DDoS) and worm attacks are the most common threats to that availability [1]. Because a DoS or DDoS attack floods the server with traffic, typical countermeasures filter ICMP and other packets at the router, apply access control lists (ACL) [2], or detect the attack with an intrusion detection system [3]-[5]. The best-known flooding attack, the TCP SYN flood, abuses the TCP three-way handshake: the attacker sends SYN segments with forged source addresses, the server answers each with SYN+ACK and keeps a half-open connection while it waits for the final ACK, and since that ACK never arrives the connection queue fills up and legitimate clients are refused [6][7]. DoS attacks and their defenses have been studied widely [1][7]-[13]. Ref. [2] discusses DoS/DDoS attacks and the available defenses; ref. [3] proposes IP traceback-based intelligent packet filtering, which uses traceback marks to drop DDoS traffic close to the victim.
Journal of Internet Technology, Volume 9 (2008) No. 2

Ref. [8] detects DDoS attacks in real time with a radial basis function (RBF) network fed with statistical features of the packets (such as per-port counts) taken from the DARPA data set. In contrast to approaches that work on packet traces, this paper monitors the attacked server itself: its CPU utilization, number of processes, memory usage and interface traffic counters are collected and used as the training data, instead of the DARPA98, DARPA99 or DARPA2000 data sets. A back-propagation neural network is trained on these data and then forecasts whether the server is under attack. The rest of the paper is organized as follows: Section 2 reviews the back-propagation network, Section 3 classifies DoS attacks, Section 4 describes the experiment and its results, and Section 5 concludes.

2 Back-Propagation Neural Networks

The back-propagation network is a supervised, multi-layer feed-forward network whose learning rule is summarized below [14][15]. For a unit j that receives the outputs O_i of the preceding layer, the net input and the output are

$$\mathrm{net}_j = \sum_i W_{ji} O_i - \theta_j \qquad (1)$$

$$O_j = f(\mathrm{net}_j) = \frac{1}{1 + \exp(-\mathrm{net}_j)} \qquad (2)$$

where W_{ji} is the weight from unit i to unit j, f(\cdot) is the (sigmoid) activation function, \theta_j is the threshold of unit j and O_j is its output. The error function to be minimized is

$$E = \frac{1}{2} \sum_j \left( T_j - O_j \right)^2 \qquad (3)$$

where T_j is the target value of output unit j and O_j its actual output. The weights and thresholds are adjusted by gradient descent on E,

$$\Delta W_{ji} = -\eta \frac{\partial E}{\partial W_{ji}}, \qquad \Delta \theta_j = -\eta \frac{\partial E}{\partial \theta_j} \qquad (4)$$

where \eta is the learning rate.

3 Denial of Service Attacks

A DoS attack makes a host or a service unavailable to its legitimate users. By the way the target is brought down, DoS attacks fall into two categories: logical attacks and flooding attacks.

3.1 Logical Attack

A logical attack exploits a flaw in the implementation of a protocol stack or service, so that a few malformed packets are enough to crash or hang the target [1][7]. Well-known examples:

i. WinNuke: sends Out of Band (OOB) data, a TCP segment with the URG flag set, to the NetBIOS port of a Windows 95/NT host, which crashes the system.
ii. Teardrop: sends IP fragments whose Offset fields overlap, so that the target fails while reassembling the packet.
iii. Land attack: sends a TCP SYN segment whose source IP address and port are the same as the destination IP address and port, so that the target keeps replying to itself.
iv. Ping of Death: sends fragments of an ICMP Echo packet whose reassembled length exceeds the maximum IP packet size, overflowing the reassembly buffer at the receiver.

3.2 Flooding Attack

A flooding attack sends a large volume of packets to exhaust the bandwidth or the resources of the target. The common forms are TCP SYN Flood, UDP Flood and ICMP Flood [2][12].

i. TCP SYN Flood: exploits the TCP three-way handshake (TWH). The attacker sends SYN segments with forged source IP addresses to the server; the server replies SYN+ACK to each of them and waits for the final ACK, which never arrives. The half-open connections occupy the server's connection queue until it can no longer accept new clients.
ii. UDP Flood: uses the UDP echo service on port 7. The attacker sends UDP packets to port 7 with a forged source IP address, often to a broadcast address, so that every host that answers floods the victim (the forged source) with echo replies.
iii. ICMP Flood: the attacker sends ICMP echo requests whose forged source is the victim's IP address to a broadcast address; every host on that network sends an echo reply to the victim (the Smurf attack), which exhausts the victim's bandwidth.

Both categories exploit the design of the TCP/IP protocols themselves rather than a defect of a single product, which is why no complete cure exists.

4 Experiment

This section trains a back-propagation network to forecast a DoS attack, taking the TCP SYN Flood as the example attack.

4.1 Environment

The test network is shown in Figure 1.

i. The attacked server runs RedHat Linux 9.0 and provides Web, FTP and SNMP (simple network management protocol) services. The other machines are A, B, C and D. Hardware used: Pentium 4 2.8 GHz with 512 MB RAM, Pentium 4 1.8 GHz with 512 MB RAM, and Pentium M; all hosts are connected through a D-Link 5-port switch hub on 100 Mbps Ethernet.
ii. A, B, C and D are each connected to the server through the switch.
iii. A and B act as normal clients that use the services of the server.
iv. C and D boot Knoppix-STD Linux and launch the DoS attack against the server.

4.2 Monitored Parameters and Training Data

The following parameters of the server are monitored:

i. CPU utilization: the percentage of CPU time in use.
ii. Memory usage: the amount of memory in use.
iii. Traffic received: the interface counter of traffic received by the server, a 32-bit counter that wraps around after 2^32.
iv. Traffic sent: the corresponding counter of traffic sent by the server.
v. Number of processes: the number of processes running on the server.

The training records are built as follows:

i. While the server operates normally, each record holds the five input values (1) CPU, (2) memory, (3) processes, (4) traffic sent, (5) traffic received, and (6) the target value, which is set to 0.
ii. While the server is under DoS attack, the same inputs are recorded and (6) the target value is set to 1.
iii. The values are read from the server through the Net-SNMP agent on Linux by SNMP and stored by a PHP script in a MySQL database.
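The network of Section 2 applied to records of the form defined above, as an added Python example that is not the paper's code (the paper trained its network in Matlab). It implements equations (1)-(4) for one hidden layer and one sigmoid output, trains on a constructed set of five-element vectors standing in for the SNMP records, and repeats the paper's comparison of learning rates by RMSE. The value ranges of the constructed records, the four hidden units, the 200 epochs and the random seeds are assumptions.

```python
"""Back-propagation network (Section 2) trained on the five server metrics of 4.2.

Added example; the paper's own training was done in Matlab. All data constructed.
"""
import math
import random

# Input order as in 4.2: (1) CPU, (2) memory, (3) processes,
# (4) traffic sent, (5) traffic received; every value normalized to 0..1.
FEATURES = ("cpu", "memory", "processes", "traffic_out", "traffic_in")


def sigmoid(net):
    """Activation function f(net) of eq. (2)."""
    return 1.0 / (1.0 + math.exp(-net))


class BPNetwork:
    """One hidden layer, one sigmoid output; net_j = sum_i W_ji O_i - theta_j (eq. 1)."""

    def __init__(self, n_in, n_hidden, eta, seed=1):
        rng = random.Random(seed)                 # fixed seed: reproducible weights
        self.eta = eta                            # learning rate eta of eq. (4)
        self.w_h = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.th_h = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.w_o = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.th_o = rng.uniform(-0.5, 0.5)

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) - th)
                  for row, th in zip(self.w_h, self.th_h)]
        out = sigmoid(sum(w * h for w, h in zip(self.w_o, hidden)) - self.th_o)
        return hidden, out

    def predict(self, x):
        return self.forward(x)[1]

    def train_step(self, x, target):
        """One gradient-descent update of eq. (4) for a single record; returns eq. (3)."""
        hidden, out = self.forward(x)
        # delta = -dE/dnet for E = 1/2 (T - O)^2 and the sigmoid of eq. (2)
        delta_o = (target - out) * out * (1.0 - out)
        delta_h = [delta_o * w * h * (1.0 - h) for w, h in zip(self.w_o, hidden)]
        # dW_ji = -eta dE/dW_ji = eta delta_j O_i; the threshold enters eq. (1) with a
        # minus sign, so dtheta_j = -eta delta_j
        for j, h in enumerate(hidden):
            self.w_o[j] += self.eta * delta_o * h
        self.th_o -= self.eta * delta_o
        for j, d in enumerate(delta_h):
            for i, xi in enumerate(x):
                self.w_h[j][i] += self.eta * d * xi
            self.th_h[j] -= self.eta * d
        return 0.5 * (target - out) ** 2


def build_dataset(n_each=40, seed=7):
    """Constructed stand-in for the SNMP records: target 0 = normal, 1 = SYN flood.

    The value ranges are assumptions: a lightly loaded server versus one whose CPU,
    process table and inbound traffic are close to saturation.
    """
    rng = random.Random(seed)
    normal = [([rng.uniform(0.02, 0.20), rng.uniform(0.30, 0.45), rng.uniform(0.20, 0.30),
                rng.uniform(0.00, 0.05), rng.uniform(0.00, 0.05)], 0.0) for _ in range(n_each)]
    attack = [([rng.uniform(0.60, 1.00), rng.uniform(0.50, 0.80), rng.uniform(0.50, 1.00),
                rng.uniform(0.30, 0.90), rng.uniform(0.40, 1.00)], 1.0) for _ in range(n_each)]
    data = normal + attack
    rng.shuffle(data)
    return data


def rmse(net, data):
    """Root mean square error of the forecast over a record set."""
    return math.sqrt(sum((t - net.predict(x)) ** 2 for x, t in data) / len(data))


def train(eta=0.5, epochs=200, n_hidden=4, seed=1):
    """Train on the constructed set; return (network, RMSE on that set)."""
    data = build_dataset()
    net = BPNetwork(len(FEATURES), n_hidden, eta, seed)
    for _ in range(epochs):
        for x, t in data:
            net.train_step(x, t)
    return net, rmse(net, data)


def compare_learning_rates(etas=(0.25, 0.5, 0.75, 1.0)):
    """The comparison the paper ran in Matlab: RMSE for each learning rate."""
    return {eta: train(eta=eta)[1] for eta in etas}


if __name__ == "__main__":
    net, err = train()
    print("RMSE at eta=0.5: %.4f" % err)
    print("flooded server ->", round(net.predict([0.9, 0.7, 0.8, 0.6, 0.8]), 3))
    print("idle server    ->", round(net.predict([0.1, 0.4, 0.25, 0.02, 0.02]), 3))
    for eta, e in compare_learning_rates().items():
        print("eta=%.2f RMSE=%.4f" % (eta, e))
```

The output node is read as the forecast: values near 1 mean the server is under attack, near 0 that it is normal. Because the constructed classes are well separated, every learning rate converges; on real records the separation is narrower and the RMSE comparison is the part that matters.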
4.3 Network Structure

i. The input layer has five nodes: (1) CPU, (2) memory, (3) processes, (4) traffic sent and (5) traffic received.
ii. One hidden layer.
iii. The output layer has one node, whose value is the forecast of whether the server is under attack (0 normal, 1 attacked).
iv. All inputs and weights are scaled to the range 0~1.

4.4 TCP SYN Flood Experiment

i. As in Figure 1, A and B access the services of the server normally.
ii. The records taken while the server is normal are given target value 0; 187 such records are collected.
iii. C and D then launch a TCP SYN Flood against the server.
iv. The attack tool is flood_connect from Knoppix-STD Linux; it sends TCP segments with the SYN bit set, at a chosen rate, to the Web port of the server.
v. The records taken during the attack are given target value 1; 47 records are collected while A and B keep accessing the server.
vi. The attack is stopped and A and B continue their normal access; 10 records with target value 0 are taken.
vii. The normal access of A and B is recorded again with target value 0; 5 more records are taken.
viii. In total 3,016 records are collected.
ix. The records form the training set of the network.
x. Each input is normalized to the range 0~1 as follows:
(1) CPU utilization is already a percentage and is used as it is.
(2) Memory: the server has 512 MB, so the memory in use is divided by 512 × 1024 kbytes, which is taken as 100%.
(3) Processes: 300 processes are taken as 100%, so the process count is divided by 300.
(4) Traffic sent: the value is the increase of the 32-bit counter between two consecutive readings, divided by the link capacity of 12.5 × 10^6 bytes per second (100 Mbps), which is taken as 100%. If the counter has not wrapped (current ≥ previous),
$$\text{sent} = \frac{\text{current} - \text{previous}}{12.5 \times 10^{6}} \times 100\%$$
and if it has wrapped (current < previous),
$$\text{sent} = \frac{2^{32} - \text{previous} + \text{current}}{12.5 \times 10^{6}} \times 100\%.$$
(5) Traffic received: the same two formulas applied to the received-traffic counter.

The figures of this section plot the CPU utilization, memory usage, process count and traffic counters of the collected records.
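The normalization of step x carried out on raw monitoring samples, including the counter-wrap case, as an added Python example that is not the paper's code. The paper does not name the SNMP objects it polled, so 32-bit octet counters in the style of ifInOctets/ifOutOctets are assumed for the two traffic inputs; the field names, the one-second polling interval and the sample values (the third sample's inbound counter has wrapped past 2^32) are constructed.

```python
"""Normalization of the monitored parameters (4.4, step x) from raw samples.

Added example, not the paper's code. Field names and sample values are constructed;
ifInOctets/ifOutOctets-style 32-bit octet counters are assumed for the traffic inputs.
"""
COUNTER_MAX = 2 ** 32            # a 32-bit SNMP counter wraps to 0 after this value
LINK_BYTES_PER_SEC = 12.5e6      # 100 Mbps Ethernet = 12.5 x 10^6 bytes per second
MEM_TOTAL_KB = 512 * 1024        # server RAM: 512 MB taken as 100 %
MAX_PROCESSES = 300              # 300 processes taken as 100 %


def counter_delta(prev, cur):
    """Increase of a 32-bit counter between two polls, allowing for one wrap-around."""
    if cur >= prev:
        return cur - prev
    return COUNTER_MAX - prev + cur


def normalize_cpu(cpu_pct):
    """CPU utilization is already a percentage; only clamp and scale to 0..1."""
    return min(max(cpu_pct, 0.0), 100.0) / 100.0


def normalize_memory(used_kb):
    return min(used_kb / MEM_TOTAL_KB, 1.0)


def normalize_processes(count):
    return min(count / MAX_PROCESSES, 1.0)


def normalize_traffic(prev_octets, cur_octets, interval_s):
    """Fraction of the link capacity used between two polls, capped at 1.0."""
    return min(counter_delta(prev_octets, cur_octets) / (LINK_BYTES_PER_SEC * interval_s), 1.0)


def feature_vector(prev, cur):
    """Five inputs in the order of 4.2: CPU, memory, processes, sent, received."""
    interval = cur["t"] - prev["t"]
    return [normalize_cpu(cur["cpu_pct"]),
            normalize_memory(cur["mem_used_kb"]),
            normalize_processes(cur["processes"]),
            normalize_traffic(prev["out_octets"], cur["out_octets"], interval),
            normalize_traffic(prev["in_octets"], cur["in_octets"], interval)]


# Constructed poll sequence, one second apart. Between the second and third sample
# the inbound counter passes 2^32 and restarts near zero; the third sample also
# shows the load profile of a flooded server.
SAMPLES = [
    {"t": 0, "cpu_pct": 3.0, "mem_used_kb": 180_000, "processes": 70,
     "out_octets": 1_000_000, "in_octets": 4_294_900_000},
    {"t": 1, "cpu_pct": 4.0, "mem_used_kb": 181_000, "processes": 71,
     "out_octets": 1_050_000, "in_octets": 4_294_960_000},
    {"t": 2, "cpu_pct": 97.0, "mem_used_kb": 390_000, "processes": 280,
     "out_octets": 4_250_000, "in_octets": 6_000_000},
]


def feature_vectors(samples=SAMPLES):
    """One feature vector per pair of consecutive samples."""
    return [feature_vector(a, b) for a, b in zip(samples, samples[1:])]


if __name__ == "__main__":
    for vec in feature_vectors():
        print(["%.4f" % v for v in vec])
```

Without the wrap branch the third sample would yield a negative traffic value, so a single counter wrap during an attack would be normalized to 0 and hide exactly the burst the network is meant to learn; a counter that wraps more than once within one polling interval cannot be recovered at all and calls for a shorter interval or 64-bit counters.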
4.5 Results

The network is trained in Matlab with learning rates of 0.25, 0.5, 0.75 and 1. The figures compare the forecast output of the trained network with the actual state of the server (0 normal, 1 attacked) over the records, and the root mean square error (RMSE) of the forecast is used to compare the four learning rates, with the learning rate 0.5 shown in detail.

5 Conclusions

This paper trains a back-propagation neural network on records of the normal and attacked operation of a server and uses it to forecast DoS attacks. The conclusions are:

1. The attack can be forecast from the operating parameters of the server itself (CPU, memory, processes and interface traffic), without inspecting the attack packets.
2. The experiment covers only the TCP SYN Flood; the other flooding and logical attacks of Section 3 remain to be tested.
3. The structure and training parameters of the back-propagation network can be tuned further to improve the forecast.

References

[1] [Chinese-language source], Vol. 109, 2004, pp. 111-120.
[2] [Chinese-language source], "Network DoS/DDoS attacks and defenses," TANET 2000.
[3] M. Sung and J. Xu, "IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, Vol. 14, No. 9, 2003.
[4] J. M. B. Jr., A. M. Cansian and A. C. P. L. F. de Carvalho, "Neural Network Applied in Intrusion Detection," IEEE International Joint Conference on Neural Networks, Vol. 1, 1998, pp. 205-210.
[5] B. L. Hutchings, R. Franklin and D. Carver, "Assisting Network Intrusion Detection with Reconfigurable Hardware," Proc. 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, 2002, pp. 111-120.
[6] A. S. Tanenbaum, Computer Networks, 4th Edition, 2003.
[7] Shotgun, "SYN Flood attack" (in Chinese), http://www.study-area.org/tips/syn_flood.htm.
[8] D. Gavrilis and E. Dermatas, "Real-time Detection of Distributed Denial-of-Service Attacks Using RBF Networks and Statistical Features," Computer Networks, Vol. 48, No. 2, 2005, pp. 235-245.
[9] [Chinese-language source], Vol. 107, 2004, pp. 89-102.
[10] [Chinese-language source], 2003.
[11] [Chinese-language source], 2004.
[12] TWCERT, "DDoS attacks" (in Chinese), http://www.cert.org.tw.
[13] B. Al-Duwairi and G. Manimaran, "Distributed Packet Pairing for Reflector Based DDoS Attack Mitigation," Computer Communications, Vol. 29, No. 12, 2006, pp. 2269-2280.
[14] M. T. Hagan, H. B. Demuth and M. Beale, Neural Network Design, PWS Publishing Company, Boston, 1995.
[15] [Chinese-language source], 2002.