Detection of Attacks Causing Network Service Denial

This article deals with ICT security and particularly with Denial of Service (DoS) attacks executed on the application layer. Its main objective is to describe an original algorithm designed for timely detection of application-layer DoS attacks and, subsequently, the results of experimental verification of the designed process. The algorithm focuses on detecting the HTTP GET Flood attack, which causes the attacked server to crash. Timely detection of the attack from the analysis of incoming traffic can prevent the server crash from happening. To detect such an attack, an original algorithm designed by our team was used.


Introduction
This article deals with both DoS and DDoS attacks. In [1], an overview of existing DoS detection systems is presented. These systems are systematically classified in the following way:
• Audit Source: Network-based and Host-based

This article describes the development of an original detection algorithm on the application layer. The first methods designed for DoS / DDoS attack detection include:
• Client Puzzle Protocol (CPP),
• Input Filtration [3][4][5],
• Intrusion Detection Systems (IDS) [6,7],
• Threshold Limits [8].
These methods are unable to provide a complex, effective and timely detection of application attacks. The related problems are described in [3-15]. The currently developed procedures for the detection of application DoS and DDoS attacks can be divided into two directions, based on the following principles:
• detection based on the signature of the attack,
• detection based on anomalies in the network traffic.
Combining these two directions yields a hybrid system encompassing the advantages of each. An effective detection mechanism based on the identification of anomalies in the network traffic can be considered the more efficient and promising tool; it is described in the following parts of the paper.

Development of Detection Algorithm
The article presents a newly designed, original flow diagram for the detection algorithm of DDoS attacks. It was created on the basis of detailed analyses of application attacks focusing on the denial of services, in particular on the service offered by HTTP protocol. This designed detection algorithm combines the older detection method defining saturation level of the monitored device with the latest trend of application attack detection based on the identification of anomalies in the network traffic. We have produced a reference mathematical model of server traffic by applying the queuing theory and the model of real server traffic. These models were compared and the measured dissimilarities were evaluated. The threshold limit of traffic of the monitored server, which states the maximum number of requests processed by the server without saturating its services, was also defined.
The designed flow diagram of the original detection algorithm is shown in Fig. 1. It consists of two blocks:
• the reference off-line mode,
• the real-time monitoring mode.
In the off-line reference mode, the saturation level (SL) and the risk interval (RI) are calculated as follows. The saturation level is determined by the maximum serving capacity of the server, which is given by its hardware configuration. That level is then compared with the actual intensity of incoming traffic; exceeding SL indicates an irregular situation on the server. The risk interval defines the limit for the capacity of incoming traffic and depends directly on the saturation level: the upper limit of RI lies below SL and is defined as a percentage of it. Exceeding RI indicates a risk situation, in which the server receives requests for processing at a rate that can lead to its maximum serving capacity being reached, or even to its crash.

Experiments and Verification of the Designed Algorithm
The functionality of the newly designed detection algorithm for DoS / DDoS application attacks of the HTTP GET Flood type was experimentally verified in laboratory conditions. For the purpose of the experiment, we used an Apache web server as the attack target, which is at present the most widely used solution for Web services [10]. From the configuration of the WEB server, it was possible to derive important parameters used in the queuing theory model, namely the number of service positions and the queue length, which is defined by 50 waiting positions served in FIFO order [12].
The modern multifunction device AVALANCHE 290 was used as a generator of both nominal and attack traffic. For experimental verification of the designed detection algorithm, the simple network topology depicted in Fig. 2 was used [17].
The proposed topology guaranteed that there was no additional delay between the traffic generator and the monitored server caused by the activity of network components (routers or switches). Such direct interconnection of the devices ensured that the specific profile and properties of the generated traffic would not be modified by the network components themselves, so that the experimental load tests were not influenced by the transit of artificially generated traffic from source to target. The aim of our experiments was to supply the input of the monitored WEB server with "GET request" messages of varying intensity.

Reference Models
For the reference model (RM) of the monitored WEB server, a queuing system of type M/G/1/50 was selected. Here the parameter M denotes exponentially distributed inter-arrival times of requests, the parameter G denotes a general distribution of the service time, the number 1 denotes that there is one service place in the system, and the number 50 denotes the length of the waiting queue.

Model 2 - Boundary Load
In the second alternative block of the first level of decision (1st LD), the parameters of the RM and of the present model of boundary load (BL) are compared, as shown in Tab. 1. In this case, we observe differences between the compared models: an increase of the request arrival intensity λ, as well as an increase of the load factor of the system ρ, which has an average value of 0.832 for the model boundary situation. The increase of the system load is also reflected in the parameter defining the average number of requests in the system over the observation time, L, and in the request denial (blocking) probability PB.
By comparing the values of the model that emulates the boundary load (BL) situation with the values of the RM, it can be observed that the allowed variances do not exceed the mean value of the load factor ρ = 0.832. The final decision of the designed algorithm, based on the comparison of the selected attack indicators from Tab. 1, is therefore the declaration of the absence of attack.

Model 3 - Attack
Finally, the model of attack (MA) emulates an HTTP GET Flood attack aimed at the monitored WEB server. In this case, it is not possible to fulfil the condition and accept the hypothesis that the request input flow in this modelled situation has an exponential distribution. This finding indicates a non-standard change of the request input flow at the network interface of the WEB server. In the designed detection algorithm, the χ² index of the loss of exponential character of the input requests is considered a supporting identifier of attack; it is independent of the queuing theory model.
In the first alternative block of the first level of decision (1st LD) of the designed detection algorithm, the intensity of arriving requests of the present model is compared with the risk interval and the saturation level of the monitored WEB server. In this case, the intensity of arriving requests, on average 237.031 requests per second, exceeds the upper limit of the risk interval, which was defined as 50 requests per second. This arrival intensity also exceeds the saturation level of the monitored WEB server, defined as 67 requests per second. The result of the first alternative block of the 1st LD is therefore an indication of a high-danger situation: a significant overload of the established service capacity of the WEB server.
In the second alternative block of the first level of decision (1st LD), the parameters of the RM and of the present model of load from Tab. 1 are compared.
The explicit index of attack is the probability of blocking, or request denial, expressed by the parameter PB. In this model situation with an attack present, it reaches an average value of 97.55 %, which expresses a high probability of failure.
Another important indicator of the presence of an attack is the average difference in the number of requests received in individual seconds of the test, Dif. The difference between the compared models expressed in this way clearly indicates a very fast change of the input flow, which with high probability is caused by the malicious activity of the attack flow. Extreme changes and anomalies also appear when comparing the percentage of retransmitted requests in the input flow of incoming requests. In the case of the reference load, retransmission of unserved requests does not occur. On the contrary, such a state occurs when the waiting queue of the server is completely full and further requests arrive with an intensity λ higher than the service intensity µ of the server. Requests that cannot be stored in the waiting queue because of its overflow are dropped, and the consequence is that the dropped requests (messages) are repeated at the server. In that case the model represents the presence of attack and incurs up to 38.914 % retransmissions. In the designed detection algorithm, the percentage of tolerated retransmissions is defined as 15 %. If this value is exceeded, the algorithm indicates a state of danger: an increased reception of requests causing system overload and resulting request denial.
The last model completely exceeds the permitted values of dissimilarities in the selected detection parameters. Owing to this, the result in the third alternative block of the second level of decision (2nd LD) of the designed detection algorithm is the declaration of the presence of attack.
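As an added example that is not the paper's own code, the following Python sketch implements the two decision levels of Fig. 1 as read from the flow-diagram description (reference off-line mode, real-time monitoring mode) and from the threshold comparisons of the attack model above (RI upper limit 50 req/s, SL 67 req/s, 15 % tolerated retransmissions). It assumes that the service intensity µ equals the saturation level, that Dif is the mean absolute change of the per-second request count, and that the decision levels combine as coded; the χ² test and the M/G/1/50 blocking probability from Tab. 1 are not reproduced, and the per-second counts are constructed, not measured.

```python
from dataclasses import dataclass
from statistics import mean

# Thresholds from the paper's experiment; mu = SAT_LEVEL is an assumption.
RI_LIMIT = 50.0           # upper limit of the risk interval, requests per second
SAT_LEVEL = 67.0          # saturation level of the monitored server, requests per second
RETRANS_TOLERANCE = 15.0  # tolerated share of retransmitted requests, percent

@dataclass
class WindowStats:
    lam: float          # mean arrival intensity lambda over the window (req/s)
    rho: float          # load factor lambda / mu, with mu = SAT_LEVEL
    dif: float          # mean absolute change of the per-second request count
    retrans_pct: float  # share of retransmitted requests in the input flow, percent

def window_stats(per_second: list[int], retransmitted: int) -> WindowStats:
    """Indicators for one monitoring window built from per-second request counts."""
    lam = mean(per_second)
    steps = [abs(b - a) for a, b in zip(per_second, per_second[1:])]
    dif = mean(steps) if steps else 0.0
    total = sum(per_second)
    retrans_pct = 100.0 * retransmitted / total if total else 0.0
    return WindowStats(lam, lam / SAT_LEVEL, dif, retrans_pct)

def first_level_decision(s: WindowStats) -> str:
    """1st LD, first alternative block: compare lambda with RI and SL."""
    if s.lam > SAT_LEVEL:
        return "saturation"
    if s.lam > RI_LIMIT:
        return "risk"
    return "regular"

def second_level_decision(s: WindowStats) -> str:
    """2nd LD (assumed combination rule): declare an attack only when the
    intensity check and the model indicators both leave regular boundaries."""
    level = first_level_decision(s)
    anomalous = s.rho > 1.0 or s.retrans_pct > RETRANS_TOLERANCE
    if level == "saturation" and anomalous:
        return "attack"
    if level == "saturation" or anomalous:
        return "danger"
    return "no attack"

# Constructed per-second request counts for three windows (not measured data).
REGULAR = window_stats([30, 34, 28, 33, 31], retransmitted=0)
BOUNDARY = window_stats([52, 55, 58, 50, 54], retransmitted=10)
ATTACK = window_stats([210, 250, 238, 260, 227], retransmitted=461)
if __name__ == "__main__":
    for name, s in (("regular", REGULAR), ("boundary", BOUNDARY), ("attack", ATTACK)):
        print(name, first_level_decision(s), second_level_decision(s))
```

The boundary window exceeds RI but not SL and keeps ρ below 1 with few retransmissions, so it is reported as the absence of attack, matching the BL case discussed above.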

Conclusion
On the basis of the analysis of the well-known attacks of DDoS type on the application layer and their prevention, we designed an original universal algorithm, described in Fig. 1 and in detail in [16].
The submitted article provides the results of a complex theoretical analysis of the problem of attacks of DoS and DDoS types on the Internet, as well as the decisions about their detection with specific focus on the application layer.
The function of the new original detection algorithm of attacks on WEB server was described theoretically and subsequently verified by a series of experiments in the form of studies of 3 model cases of traffic load. The results of the designed detection algorithm are presented in Tab. 1 and evaluated above.
In the RM, ML and BL models (when the load factor of the system ρ lies in the interval from 0 to 1), the parameters λ, µ, L, χ², PB, Dif, R and E remain within regular boundaries. This is the declaration of the absence of attack. When ρ exceeds 1, the parameters grow rapidly. This is the declaration of the presence of attack.