50320140501004 2

International Journal of Information Technology & Management Information System (IJITMIS),
ISSN 0976 – 6405(Print), ISSN 0976 – 6413(Online), Volume 5, Issue 1, January - April (2014), © IAEME
42
DEFENSE FRAMEWORK (STREAM) FOR STREAM-BASED DDoS
ATTACKS ON MANET
Dr. Imad S. Alshawi1
, Dr. Kareem R. Alsaiedy2
, Ms. Vinita Yadav3
,
Ms. Rashmi Ravat4
1, 2
(Department of Computer Science, College of Science/ Basra University, Basrah, Iraq)
3, 4
(Department of Computer Science, Goel Institute of Technology and Management/ U.P
Technical University Lucknow India)
ABSTRACT
MANET are usually characterized by limited resources such as bandwidth, battery
power, storage space and node mobility. The underlying assumption is that the intermediate
nodes cooperate in forwarding packets. Due to lack of infrastructure, the network can be
easily affected by several attacks. The security challenges in MANET have become a primary
concern to provide secure communication. The Attacks on MANET disrupts network
performance and reliability. Nowadays, DoS attacks are usually launched in a distributed
way: known as DDoS attacks i.e. the attacks where traffic originates from many attacking
sources and the aggregated traffic volume is so big that it can easily deplete the victim’s key
computing resources, such as bandwidth and CPU time. These attacks lead toward the
degradation or prevention of legitimate use of network resources. Preventing or mitigating
DDoS attacks is not an easy job .In this paper we develop the mechanism to deal with a
stream-based DDoS defense framework (STREAM) that provides: Protection against
different types of DDoS attacks (such as bandwidth flooding attacks and SYN flooding
attacks) which are efficient against on-line DDoS detection providing filtering of illegitimate
traffic.
Keywords: MANET, DOS, DDOS, Cluster, Attacks, STREAM.
INTERNATIONAL JOURNAL OF INFORMATION TECHNOLOGY &
MANAGEMENT INFORMATION SYSTEM (IJITMIS)
ISSN 0976 – 6405(Print)
ISSN 0976 – 6413(Online)
Volume 5, Issue 1, January - April (2014), pp. 42-52
© IAEME: http://www.iaeme.com/IJITMIS.asp
Journal Impact Factor (2014): 6.2217 (Calculated by GISI)
www.jifactor.com
IJITMIS
© I A E M E

43
I. INTRODUCTION
Security from the viewpoint of MANET[10-14] have been a primary concern
requiring an accurate analysis and classification of denial of service attacks specific to the
dynamic (ad-hoc) networks environment .MANET offer several advantages over the
traditional wired networks, they have associated set of challenges. Firstly, MANETs face
challenges in secure communication. Since nodes are resource constrained, secondly ad hoc
networks limit the cryptographic measures that are used for secure messages. Thereby
MANET link attacks ranging from passive eavesdropping to active impersonation, message
relay and message distortion. An attacker can listen, modify and attempt to masquerade all
the traffic on the wireless communication channel as one of the legitimate node in the
network. Thirdly, static configurationare not adequate for the dynamically changing topology
in terms of security solution. Various attacks like Denial of Service can easily be launched
and flood the network with spurious routing messages through a malicious node that gives
incorrect updating information by pretending to be a legitimate change of routing
information.
Attacks for MANET’s [27, 28, 29]. Can be identified into two categories either active
or passive, according to the attack means [38] [39].
Active attacks on network routing include flooding, modifying routing information,
providing false route requests and replies, attracting unexpected traffic, hiding error
messages, and fabricating false error messages. Passive attacks do not alter data but fail to
cooperate in providing services such as routing and packet forwarding.
Passive attacks include packet dropping to conserve resources .These abnormal node
behaviors result in performance degradation and cause denial of service attacks, packet
losses, longer delays, and low throughput.
Denial of Service (DoS) is the degradation or prevention of legitimate use of network
resources The MANETs are vulnerable to Denial of Service (DoS) due to their salient
characteristics.
DoS attacks that target resources can be grouped into three [1] broad scenarios namely as:
• Attacks targeting energy resources, specifically the power source(battery) of the
service provider(In such these attacks a malicious node may be continuously send a
bogus packet to a node with the intention of consuming the victim’s battery and
preventing other nodes from communicating with it.
• Those attacks aimed at targeting Storage and processing resources (these attacks are
carried out mainly to target memory, storage space, or CPU of the service provider.
• The third attack scenario targets bandwidth, where an attacker located between
multiple communicating nodes wants to waste the network bandwidth and disrupt
connectivity.
Distributed denial-of-service (DDoS) attacks commonly leads to overwhelming the
victims by sending a vast amount of legitimate-like packets from multiple attack sites(bots).
As a consequence the victim spends its key resources processing the attack packets and
cannot attend to its legitimate clients. During very large attacks, the only way to completely
eliminate the DDoS threat is to secure all machines on the Internet against misuse, which is
unrealistic.

44
The seriousness of DDoS problem and growing sophistication of attackers have led to
development of numerous defense mechanisms [19, 30]. An important requirement for DDoS
defenses is to recognize legitimate packets in the flood, separate them from the attack and
deliver them safely to the victim. A practical DDoS defense must these critical issues:
filter out malicious traffic effectively minimizing the degradation of effective
throughput of the legitimate traffic
Minimizing the degradation of effective throughput of legitimate traffic.
DDoS Defense mechanism can be categorized into two major categories:
Proactive DDoS defense mechanism, these defense strategy focus on making
malicious packets distinguishable from the legitimate ones, which usually requires the
legitimate packets to contain some valid tokens and the corresponding checking procedures to
be always turned on at the checking entry points (routers),but they compromise with the
throughput of the legitimate traffic when defending DDoS attacks.
On the other hand Reactive DDoS defense mechanism does not affect the throughput
of the legitimate traffic when there is no attack. There is a need to provide an incentive or
credit based mechanism that can provide cooperation among nodes in the network and
improve overall network performance and functionality by prevention, detection and control
of DOS and DDOS attacks.
This paper is organized in chapters. In chapter - 1 discussed regarding of MANET,
security issues in MANET, various attack types related to MANET specifically DoS and
DDoS attacks, and Problem Identification, subsequently in chapter 2, we undergoes through
literature survey. Chapter 3, presents Proposed Architecture and mechanism Defense
framework (STREAM) for stream-based DDoS Attacks on MANET which describes the
traffic scenario being identified and maintained for the detection in MANET. chapter 4
mention about Conclusion of this Finally Chapter- 5 mention all references used in this paper.
II. BACKGROUNDS
The security issues for MANET’s [6,7,40] can be analyzed on basis of individual
layers[41] namely application layer, transport layer, network layer, link layer and physical
layer. On the network layer, an adversary could take part in the routing process and exploit
the routing protocol to disrupt the normal functioning of the network. Network layer is
relatively more vulnerable to attacks than all other layers in MANET. A variety of security
threats is imposed in this layer. StreamCloud [18], a distributed-parallel stream processing
engine, which can handle multi-hundred of thousands packets per second with only using a
small number of processing instances. The performance (detection accuracy, filtering
efficiency and monitoring overhead) of the proposed method is evaluated using data sets that
are derived from real network traffic collected by CAIDA [19] and SUNET [33, 39].
According to the experiment results, STREAM offers good scalability to the incoming traffic
load. The DDoS attack from the real network dataset can be quickly detected with low false
negatives, and most malicious packets are filtered out, meanwhile keeping high percentage of
the legitimate packets unaffected.

45
III. PROPOSED ARCHITECTURE FOR DEFENSE FRAMEWORK (STREAM) FOR
STREAM-BASED DDoS ATTACKS ON MANET
The proposed architecture and mechanism is mention in section 3.1 and 3.2 respectively.
3.1 Architecture of creation of cluster in stream-based DDoS attacks in MANET
STREAM monitors the network traffic between cluster nodes and detects the traffic
discrepancies by comparing the real time traffic behavior with the expected traffic pattern
which is referred to referenced profile. Figure 3.1.1 shows the architecture of node interaction
to form a cluster in STREAM and the information flow among cluster nodes:
Figure 3.1.1: Cluster Node interaction

46
Cluster node interaction is illustrated by figure -3.1.1, based on the cluster interaction
nodes form cluster so that traffic pattern can be evaluated on the basis of traffic source i.e.
Cluster Ci
Cluster node interaction is illustrated by figure-3.1.1, based on the cluster interaction
nodes form cluster so that traffic pattern can be evaluated on the basis of traffic source i.e.
Cluster Ci Based on the nature of flooding-based DDoS attacks, where every malicious data
packet may seem legitimate, however if each of them analyzed individually but where the
overall traffic behavior may suffer abrupt flow variations (e.g. sudden increases of traffic
volume),anomaly-based detection is always used to detect flooding-based DDoS attacks.
In recent decades, many anomaly-based detection methods were proposed to identify
DDoS attacks from network traffic. Basically, these detection methods can be classified into
two categories:
off-line mode of DDoS detection
on-line mode of DDoS detection.
Off-line DDoS mining usually try to find attacks by analyzing the main characteristics
of feature distributions of the network traffic.
Anomalies in the network traffic can be identified since their dominate states deviate
significantly from the normal ones. When the network anomalies are identified, data
clustering methods, such as the one given below in order to group different types of
anomalies together for further identification and correlating anomalies to attacks.
Cluster formation(Ni)
{
The Cluster Head (Cluster_Head)i = id of ith
Cluster is given by the pseudo code:-
Node id is assigned as
Nid = Random_generator();
Divide Mobile Nodes in Clusters
Assign each Cluster to Unique Cluster id “(Cluster)id”.
The Cluster Head (Cluster_Head)i = id of ith
Cluster is given by the pseudo code:-
If (Ni<NodeRange&& Ni !=Ck) // where Ck = Set of Clusters in the Network
[Ci ] ← (Ni) // Ni = is assigned to ClusterCi
}
ClusterHeadSelection ( )
{
Assume the following parameters as follows.
Score = NodeScoreValue ();
Reputation = NodeReputation ();
Smax= Scoremax( ); //Assign max. value of Score to the variable Smax
Rmax = Reputationmax( ); //Assign max.
value of Reputation to the variable Rmax
For each cluster belonging to
MANET
{
For (each node Ni && Ni = 1 to Ni = n)

47
{
If( Smax || Rmax)
{
Set Node Ni = (ClusterHead)j,
}
else
{
Add node to jth Cluster i.e.Cj
Cj Ni
}
}
}
}
Handling DDOS attacks using STREAM
A. Handling anomalies in data traffic
Step-1: Server received large no. of SYN packets from clients.
observeSYNPacket( )
{
IF(protocol.type = tcp && tcp.Flag = SYN(ki) && destination.IP = victimServer.IP &&
t<=T && n<= N )
{
If(Server monitors SYN packets)
{
Seq_No=Seq_No+1;
}
Elseif(Server received SYN packets)
{
Pass SYN packets;
}
Else
{
Drop SYN packets;
}
}
}
This attack could also use TCP data packets, which would be rejected by the server as
not belonging to any known connection. But again, by this time the attack has already
succeeded in flooding the links to the server.

48
Figure 3.1.2: Detection of SYN flooding attacks
Step-2: Monitor Traffic pattern to detect anamolies
Monitortraffic_Profile()
{
Σ ; /*Monitor the Traffic profile*/
If(Davg ≥ Delayth)
{
“Nornal traffic profile”;
}
Else
{
“ Anamolies in the profile of Traffic flowing”;
AH = AH+1;
}
}
Step-3: SYN flooding attack detected
SYNFloodAttack()
{
If(AH ≥ Th)
{
GenerateSYNAlarmMessage()
{
“SYN Attack is detected”
}
}
}
.

49
3.2 Defense mechanism
The defense mechanism consists of a filtering table (FT) of all the mobile node. It
contains time, sender_id, node coordinate axis and receiver_id id, transport_info,
protocol_type, event_type contained in the filtering unit.
Filtering unit continuously compares traffic pattern with the referenced profile and an
alarm is generated any time a suspicious variation between the two pattern is detected. While
comparing the real time and the referenced profile, it also maintains and updates the latter.
STREAM defines monitoring periods during which the real time and referenced traffic
profiles are compared. Each time the monitoring period expires the referenced profile is
updated with the real time profile if no attack has been detected.
IV. CONCLUSION
In this study we reviewed the design and implementation of a scalable online DDoS
defense algorithm, which can detect and mitigate DDoS attacks, thus offering a protection at
an early stage in the network. By investigating the traffic patterns of different forms of DDoS
attacks (including connection requests flooding and bandwidth flooding), we proposed an IP-
prefix based aggregation method to monitor and detect DDoS related anomalies.
Furthermore, differentiating from the prior DDoS detection solutions, we interrogated
the design space of combining parallel-distributed data streaming with both online detection
and baseline profile monitoring, and gave detailed solutions for achieving this. The proposed
data streaming based DDoS defense solutions are implemented using STREM. DDoS
detection can be carried out at the network links, where streams of packets are processed by
continuous queries to find anomalous traffic patterns in real time. Data streaming queries are
referred to as continuous as they are constantly “standing” over the streaming points and
continuously producing spurt traffic flow. Most data-streaming based DDoS detection
methods focus on using space efficient and time-efficient algorithm to keep track of the
heavy hitters, e.g. a source sending lots of packets to many destinations, in the monitored
traffic.
V. REFERENCES
[1] Mieso K. Denko,” Detection and Prevention of Denial of Service (DoS) Attacks in
Mobile Ad- Hoc Networks using Reputation - Based Incentive Scheme”.
[2] [Pfl03] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing,
Third Edition, Prentice Hall PTR, Saddle River, New Jersey, 03.
[3] Muftic, S., Patel, A., Sanders, P., Colon, R., Heijnsdijk,J. & Pulkkinen, U. Security
Architecture in Open Distributed Systems, John Wiley & Sons, Bath, UK,1993.
[4] Dietrich, S., Long, N. & Dittrich, D., "Analyzing Distributed Denial of Service Tools:
The Shaft Case, "14th Systems Administration Conference (LISA 2000), New
Orleans, Louisiana, 2000.
[5] Power, R., "2001 CSI/FBI Computer Crime and Security Survey", Computer
Security Institute/Federal Bureau of Investigation Technical Report, vol. 7, no. 1,
Spring 2001.
[6] H Yang, H Y. Luo, F Ye, S W. Lu and L Zhang, “Security in mobile ad hoc networks:
Challenges and solutions”, (2004). IEEE Wireless Communications. 11 (1),
pp. 38 – 47, Postprint available free at: http://repositories.cdlib.org/postprints/618.

50
[7] L. Zhou , Z. J. Haas, Cornell Univ., “Securing ad- hoc networks,” IEEE Network,
Nov/Dec 1999, Volume:13, Page(s): 24-30, ISSN: 0890-8044.
[8] H. Yang, H. Luo, F. Ye, S. Lu, L. Zhang, “Security in mobile ad hoc networks :
challenges and solutions,” In proc. IEEE Wireless Communication, UCLA , Los
Angeles, CA , USA; volume- 11, Page(s):38- 47, ISSN: 1536-1284.
[9] P. Michiardi, R. Molva, “Ad hoc networks security, IEEE Press Wiley, New York,
2003.
[10] Ali Ghaffari. ”Vulnerability and Security of Mobile Ad hoc Networks”, Proceedings
of the 6th WSEAS International Conference on Simulation, Modelling and
Optimization, Lisbon, Portugal, September 22-24, 2006.
[11] Karan Singh, R. S. Yadav, Ranvijay, “A REVIEW PAPER ON AD – HOC
NETWORK SECURITY”, International Journal of Computer Science and Security,
Volume (1): Issue (1).
[12] Levente Butty, Jean-Pierre Hubaux,. ”Report on a Working Session on Security in
Wireless AdHoc Networks”, Mobile Computing and Communications Review,
Volume 6, Number 4.
[13] Pin Nie, “Security in Ad hoc Network”, 2006.
[14] Kamanshis Biswas and Md. Liakat Ali; “Security Threats in Mobile Ad Hoc
Network”; Master Thesis; Thesis no: MCS-2007:07; March 22, 2007.
[15] http://www.merl.com/projects/DenialServiceAttack.
[16] M.K. Denko, “A Localized Architecture for Detecting Denial of Service (DoS)
Attacks in Wireless Ad-Hoc Networks”, In Proc. IFIP INTELLCOMM'05, Montreal,
Canada,
[17] Carl G., Kesidis G., Brooks R., and Rai S.,“Denial of Service Attack Detection
Techniques,” Computer Journal of IEEE Internet Computing, vol. 10, no. 1,
pp. 82-89, 06.
[18] V. Gulisano, R. Jim´enez-Peris, M. Pati˜no-Mart´ınez, and P. Valduriez. Streamcloud:
A large scale data streaming system. In ICDCS 2010: International Conference on
Distributed Computing Systems, pages 126–137, June 2010.
[19] P. Hick, E. Aben, and k. claffy. The caida “ddos attack 2007” dataset.
http://www.caida.org/data/passive/ddos-20070804_ dataset.xml.
[20] Gurjinder Kaur, Yogesh Chaba, V. K. Jain;Distributed Denial of Service Attacks in
Mobile Ad-hoc Networks,2011 World Academy of Science, Engineering and
Technology 73 2011.
[21] Chang C., “Defending Against Flooding-Based Distributed Denial of Service
Attacks : A Tutorial,” Computer Journal of IEEE Communication Magazine, vol. 40,
no. 10, pp.42- 51, 2002.
[22] Cheswick R. and Bellovin M., Firewalls and Internet Security: Repelling the Wily
Hacker, Addison Wesley, 1994.
[23] McAfee, “Personal Firewall,”http:// www.mcafee.com, 2003.
[24] Moore D., Voelker G., and Savage S., “Inferring Internet Denial of Service Activity,”
in Proceedings of the 10th USENIX Security Symposium, pp. 20-25, Washington,
2001.
[25] Bai Y. and Kobayash H., “Intrusion Detection Systems: Technology and
Development,” in Proceedings of the 17th International Conference on Advanced
Information Networking and Applications, USA, pp. 710-715, 2003.

51
[26] Chen R., Park J., and Marchany R., “A Divide and Conquer Strategy for Thwarting
Distributed Denial of Service Attacks,” Computer Journal of IEEE Transactions on
Parallel and Distributed Systems, vol. 18, no. 5, pp. 577-588, 07.
[27] Abhay Kumar Rai, Rajiv Ranjan Tewari & Saurabh Kant Upadhyay, “Different Types
of Attacks integrated MANET-Internet Communication”, International Journal of
Computer Science and Security (IJCSS) Volume (4): Issue (3) 2010.
[28] Hoang Lan Nguyen, Uyen Trang Nguyen. “A study of different types of attacks on
multicast in mobile ad hoc networks”. Ad Hoc Networks, Volume 6, Issue 1, Pages
32-46, January 2008.
[29] Bin Xie and Anup Kumar. “A Framework for Internet and Ad hoc Network Security”.
IEEE Symposium on Computers and Communications (ISCC-2004), June 2004.
[30] L. Zhou and Z. J. Haas. “Securing Ad Hoc Networks”. IEEE Network Magazine,
Volume.13, no. 6, Pages 24-30, December 1999.
[31] Mieso K. Denko, “Detection and Prevention of Denial of Service (DoS) Attacks in
Mobile Ad Hoc Networks using Reputation-Based Incentive Scheme”.
[32] Huang Zun -guo, Hu Hua -ping and Gong Zheng-hu Hu Guang -ming, " SLID:A
secure Lowest -ID clustering algorithm," Wuhan University Journal of Natural
Sciences, vol. 10, no.1, pp. 39 -42, January 2005.
[33] http://en.wikipedia.org/wiki/Wireless_ad_hoc _network
[34] E. M. Royer and C.K. Toh, "A Review of Current routing Protocols for Ad-Hoc
Mobile Wireless Networks," IEEE Personal Communications Magazine, pp. 46–55,
April 1999.
[35] C. E. Perkins, Ad Hoc Networking.: Addison--Wesley, 2001.
[36] R. Ramanathan and J. Redi, " A Brief over- view of Ad Hoc Networks: Challenge and
Directions," IEEE Communication Magazine, vol. 40, no. 5, 2002.
[37] Srikanth Krishnamurthy Prasant Mohapatra, Springer Science+Business Media, 2005.
[38] S. Yi and R. Kravets, Composite Key Management for Ad Hoc Networks .Proc. of
the 1st
Annual International Conference on Mobile and Ubiquitous Systems:
Networking and Services (MobiQuitous’04), pp. 52-61, 2004.
[39] R. Oppliger, Internet and Intranet Security, Artech House, 1998.
[40] Nishu Garg, R.P.Mahapatra, “MANET Security Issues”, IJCSNS International
Journal of Computer Science and Network Security, VOL.9 No.8, August 2009.
[41] Bing Wu, Jianmin Chen, Jie Wu, Mihaela Cardei, “A Survey on Attacks and
Counter-measures in Mobile Ad Hoc Networks”
[42] S. Zhong, J. Chen, and Y. Yang, (2003) “Sprite: a simple, cheat-proof, credit based
system for mobile ad-hoc networks,” IEEE INFOCOM, San Francisco, CA, USA,
Vol 3.
[43] Prof. S.B. Javheri and Shwetambari Ramesh Patil, “Attacks Classification in
Network”, International Journal of Information Technology and Management
Information Systems (IJITMIS), Volume 4, Issue 3, 2013, pp. 1 - 11, ISSN Print:
0976 – 6405, ISSN Online: 0976 – 6413.
[44] Nada M. Badr and Noureldien A. Noureldien, “Review of Mobile Ad Hoc Networks
Security Attacks and Countermeasures”, International Journal of Computer
Engineering & Technology (IJCET), Volume 4, Issue 6, 2013, pp. 145 - 155,
ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.

52
BIOGRAPHY
Dr. Imad S. Alshawi (M’12) was born in Basra, Iraq, in 1976. He received
the B.Sc. and M.Sc. degrees in computer science from the College of
Science, Basra University, Basra, Iraq, in 2001 and 2003, respectively. He
received the Ph.D. degree in information and communication system from
Southwest Jiaotong University, Chengdu, China. He is currently an
Assistant Professor with Computer Science Dept., Basra University. He is a
frequent referee for more than 10 journals. He is the author or co-author of
more than 30 papers published in prestigious journals and conference proceedings. His
current research interests include wireless sensor network and artificial intelligent.
Dr. Alshawi is a member of the IEEE, the IEEE Cloud Computing Community and the IEEE
Computer Society Technical Committee on Computer Communications.
Dr. Kareem R. Alsaiedy was born in Basra, Iraq, in 1959. He received the
B.Sc. degree from engineering collage and M.Sc. degree in computer
science from the College of Science, Basra University, Basra, Iraq, in 1985
and 2000, respectively. He received the Ph.D. degree in simulation and
control system from Basra University, Iraq. He is currently a lecturer in
Computer Science Dept., Basra University. He is a frequent referee for 4
journals. He is the author or co-author of more than 20 papers published in
journals and conference proceedings. His current research interests include
wireless sensor network and artificial intelligent. Dr. Alsaiedy is a manager of Basra
university publishing and book shop center.
Ms. Vinita Yadav is a student of M.Tech, Department of Computer Sc,
Goel Institute of Technology and Management, Lucknow, India. Uttar
Pradesh Technical University Lucknow India. She did her Bachelor in
Engineering from Department of Computer Science; M.B.M Engineering
College Jodhpur, India in 2003. She has a work experience of 7 years in the
field of Telecommunications (Reliance Communications Limited, India)
and teaching. Her areas of interest are Artificial intelligence and Computer
Networks.
Ms. Rashmi Ravat is a student of M.Tech, Department of Computer Sc,
Goel Institute of Technology and Management, Lucknow, India. Uttar
Pradesh Technical University Lucknow India. She did her Bachelor in
Engineering from Department of Information Technology, University
Institute of Engineering & Technology, Kanpur, India in 2008.She has a
work experience of 4 years in the field of Software Development. Her areas
of interest are Software Engineering and DataBase Management System.

50320140501004 2

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie 50320140501004 2

Ähnlich wie 50320140501004 2 (20)

Mehr von IAEME Publication

Mehr von IAEME Publication (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

50320140501004 2