An Adaptive Protection of Flooding Attacks Model for Complex Network Environments

Bashar Ahmad Khalaf,Mazin Abed Mohammed,Adam Marks,Shukor Abd Razak,Bander Ali Saleh Al-Rimy,Salama A Mostafa,Moamin A Mahmoud,Aida Mustapha,Mohamed Elhoseny,Chalee Vorakulpipat

doi:10.1155/2021/5542919

Abstract

Currently, online organizational resources and assets are potential targets of several types of attack, the most common being flooding attacks. We consider the Distributed Denial of Service (DDoS) as the most dangerous type of flooding attack that could target those resources. The DDoS attack consumes network available resources such as bandwidth, processing power, and memory, thereby limiting or withholding accessibility to users. The Flash Crowd (FC) is quite similar to the DDoS attack whereby many legitimate users concurrently access a particular service, the number of which results in the denial of service. Researchers have proposed many different models to eliminate the risk of DDoS attacks, but only few efforts have been made to differentiate it from FC flooding as FC flooding also causes the denial of service and usually misleads the detection of the DDoS attacks. In this paper, an adaptive agent-based model, known as an Adaptive Protection of Flooding Attacks (APFA) model, is proposed to protect the Network Application Layer (NAL) against DDoS flooding attacks and FC flooding traffics. The APFA model, with the aid of an adaptive analyst agent, distinguishes between DDoS and FC abnormal traffics. It then separates DDoS botnet from Demons and Zombies to apply suitable attack handling methodology. There are three parameters on which the agent relies, normal traffic intensity, traffic attack behavior, and IP address history log, to decide on the operation of two traffic filters. We test and evaluate the APFA model via a simulation system using CIDDS as a standard dataset. The model successfully adapts to the simulated attack scenarios’ changes and determines 303,024 request conditions for the tested 135,583 IP addresses. It achieves an accuracy of 0.9964, a precision of 0.9962, and a sensitivity of 0.9996, and outperforms three tested similar models. In addition, the APFA model contributes to identifying and handling the actual trigger of DDoS attack and differentiates it from FC flooding, which is rarely implemented in one model.

Highlights

A Distributed Denial of Service attack (DDoS) is the most common type of flooding attack, which floods computer networks
O Dismiss: stops the tracing process (iv) Adaptive Traffic Control Module (ATCM): controls traffic flow in the case of abnormal traffics by invoking o ati: identifies traffic conditions o atd: classifies the traffic type o ath: controls the traffic flow (v) Kalman and Bloom Filters Module (KBFM): filters traffic flow in the case of abnormal traffics by invoking o rkf: temporarily filters the traffic according to random IP addresses and specific thresholds o skf: temporarily filters the traffic according to specific IP addresses and specific thresholds o sbf: permanently filters the traffic according to specific IP addresses and specific thresholds (vi) Results: displays the information of the data analysis, processing cycles, and the simulation results through a GUI
Results of the AL-DDoS Model. e performance of the AL-DDoS base model is calculated according to the window size, period, and Special Sequence Matrix (SSM) parameters for every execution of external traffic data. e AL-DDoS model performance is evaluated based on correctly classifying traffic instances into normal, and DDoS attack traffics only. e volume of attack traffics detected by the AL-DDoS model is 26,8496 requests triggered by 13,583 IP addresses

Summary

Introduction

A Distributed Denial of Service attack (DDoS) is the most common type of flooding attack, which floods computer networks. E first type targets the Network Application Layer (NAL) such as HTTP flood, DNS flood, and FTP [6, 7] In this type, the attacker issues vindictive or noxious bundles/packets aimed at the unfortunate casualty to cause disarray concerning the convention or any application that keeps running on it (e.g., vulnerability or defencelessness attack) [5]. We assume that it is important to develop an effective method that detects DDoS attacks and expunge malicious traffics at the application layer level before they cause harm to the web servers and applications. E ATCM represents our main contribution, which integrates an adaptive agent with the belief-desireintention (BDI) architecture to identify, classify, and control traffics of network systems.

Related Work

Window size

Results

Evaluation metrics

Conclusion and Future Work