Early Detection of LDoS Attack using SNMP MIBs

Early detection of Denial of Service (DoS) attacks receives growing emphasis because of the adverse effect such attacks have on the services offered to legitimate users. The Low-rate DoS (LDoS) attack is one member of the DoS family: it sends traffic to the target at a low rate chosen so that connections stay open for a long duration. Traditional defence measures are inadequate to filter it because of its low traffic volume. Existing work relies on either empirical studies or signal processing models to capture the behavioural characteristics of LDoS through TCP's congestion control and timeout mechanisms, but none of them detects the attack at an early timestamp. Early detection is our main focus, since the revenue losses of today's online applications scale with detection delay. Our model is therefore based on the Simple Network Management Protocol (SNMP), through which early detection of LDoS attacks is carried out. The relevant detection metrics are identified through theoretical validation of SNMP MIBs and analysis of existing data sets. Experimental simulations illustrate the LDoS detection efficiency, and the results are validated theoretically.


Introduction
The Internet plays a vital role in today's digitised environment; without it, day-to-day activities come to a halt. The growth of technology goes hand in hand with security disruptions. The Distributed Denial of Service (DDoS) attack is a critical threat because it disrupts the availability of services for the whole Internet community. During a DDoS attack the target is flooded with continuous bogus requests that occupy the victim's memory; the exhausted victim is unable to accept or respond to requests from legitimate users. Resources exhausted by such attacks include network bandwidth, CPU cycles, server memory, interrupt-processing capacity and protocol state structures. Current applications also face low-spike attacks which produce an effect similar to a high-spike DDoS. The LDoS attack belongs to the DDoS family: it keeps TCP sessions engaged for a long duration by sending low spikes of traffic. The attacker's bursts reach the target at a low average rate while very few connections are established, so the attack escapes both the timeout mechanism and traditional defence strategies.
The LDoS attack exploits a weakness in TCP's congestion control mechanism by sending attack requests either periodically in short bursts or continuously at a constant rate. TCP's timeout mechanism is driven by the round-trip time measured between sending a segment and receiving its acknowledgement. In general the Round Trip Time (RTT) is relatively stable and ranges from tens to hundreds of milliseconds; when acknowledgements are delayed, the Retransmission Time Out (RTO) operates on a much longer time scale.
Because LDoS attacks involve a very low volume of incoming traffic, they mostly go undetected by traditional security defences. Due to the long incubation period, the attack traffic mixes with normal traffic, which makes traffic segregation and analysis most difficult. If an online service is disrupted by either a high-spike or a low-spike DDoS, the trust of legitimate users and regular customers vanishes. Uninterrupted service is the basis of the success of online giants such as Amazon, Flipkart and Snapdeal. According to an Amazon report [1], even a 100 millisecond disruption of its online services causes a 1% drop in overall sales. Hence early detection is the expected and needed solution to the issues faced in the current scenario, and we aim to offer such a solution by employing the features of the Simple Network Management Protocol.
Numerous research efforts are ongoing to address DDoS and provide better solutions. The existing solutions fall into two categories: general detection measures and detection measures based on hypothesis testing.

Technical Backgrounds
Low-rate attack detection through information metrics [8] measures the distance between normal and attack traffic. Information metrics quantify differences in network traffic in terms of probability distributions; the generalized entropy metric and the information distance metric are used to detect low-rate DoS attacks. The generalized entropy metric can detect the attack seven hops earlier than the traditional Shannon metric. The approach outperforms the well-known Kullback-Leibler divergence approach because it enlarges the adjudication distance and yields optimal detection sensitivity. The information metric can effectively reduce low-rate DoS attacks with a clear reduction in the false-positive rate. The accompanying IP traceback algorithm finds all attacks and attackers within its own Local Area Network (LAN) and discards the attack traffic; it also covers attacks launched by insiders.
Low-rate shrew DoS attacks [9] are detected through the behaviour of the TCP congestion control window. Shrew attacks threaten real-time applications because they can throttle TCP flows at very low attack cost. By capturing the adjustment behaviour of TCP's congestion window, the combined effect of the attack pattern and the network environment is realised.
Empirical evaluation of information metrics [10] attempts to detect both low- and high-rate DoS attacks in a networked environment. The evaluation covers Hartley entropy, Shannon entropy, Rényi entropy, generalized entropy, Kullback-Leibler divergence and the generalized information measure. These metrics help greatly in differentiating network traffic and facilitate building an optimal model; their efficiency and effectiveness for DoS detection are illustrated on the MIT Lincoln Laboratory, CAIDA and TUIDS data sets.
The Robust RED (RRED) algorithm [11] is applied for detecting low-rate DoS attacks. It maximises TCP throughput by detecting and filtering attack packets before they enter the normal RED queue. RRED classifies an incoming flow as an attack only if the majority of its packets arrive within a short interval after a packet drop. RRED is effective at flagging both TCP and UDP flows when detecting low-rate DoS attacks.
The Congestion Participation Rate (CPR) approach is used for detecting and filtering LDoS attacks, which aim to cause network congestion. An incoming flow whose CPR is higher than the expected threshold is declared suspicious and all its subsequent packets are dropped. The effectiveness of CPR is quantified through the average CPR distance between normal and attack flows, and the approach is more effective than the existing Discrete Fourier Transform (DFT) technique for detecting LDoS attacks. The key difference used to separate TCP flows is that normal TCP flows usually avoid network congestion because of TCP's congestion control mechanism, whereas LDoS attack traffic deliberately introduces congestion to degrade network performance. In extreme cases the LDoS attack throttles all normal incoming TCP flows and the aggregate attack rate approaches the bandwidth of the network. The CPR approach works well because it drops no packets of normal flows and no network congestion is observed.
Low-rate DoS detection based on network multifractal analysis [12] uses the characteristics of network traffic to detect the attack. LDoS sends periodic pulse sequences at a low frequency, which form aggregate flows at the victim side. LDoS attacks are in general harder to detect because of their low-rate property. To characterise and analyse the traffic, mathematical models are used to explore its complex multifractal structure: even though LDoS pulses are slow, they contribute to the multifractal characteristics of the network traffic.
The Multifractal Detrended Fluctuation Analysis (MF-DFA) algorithm identifies small changes in the multifractal characteristics in order to detect LDoS. Through wavelet analysis the singularity and burstiness of the network traffic are captured and estimated using the Hölder exponent. The difference in Hölder exponent between normal and LDoS attack traffic is used as the basis for distinguishing attack flows from normal ones.
The dynamic time warping approach is used for robust and accurate identification of DDoS attacks. When an affected TCP flow enters timeout and starts to retransmit, the LDoS attacker sends a small burst that forces the flow back into RTO, resulting in very low transmission bandwidth for the TCP flows. Once an attack is identified with dynamic time warping, the number of affected TCP flows is minimised, sufficient resources are reserved for the affected flows and behaviour-based prediction is carried out. The method has very low false-positive and false-negative rates and is efficient at separating legitimate users from the attacker.

Characterization of LDoS Attack
In LDoS, the attacker sends low traffic spikes at a very low frequency in order to hide its presence in the network. A complete analysis of the attack pattern and characteristics is essential for a sound and proactive solution. The representation of LDoS is depicted in Fig. 1: LLDoS is the duration of an attack pulse, SLDoS the start of the attack, RLDoS the rate of requests received during the attack and FLDoS the frequency of the attack. The attack strength ASLDoS is represented as below.
The range of ASLDoS is very small for normal traffic, whereas it varies significantly during attack traffic. The general behavioural signature of DDoS is of little help in the LDoS detection procedure.

Fig. 1. Representation of LDoS
On receiving the low traffic spikes, TCP's timeout delay increases from its initial value. In general the delay is increased to maintain connectivity and prevent connection breakdown for the requesting client.
As per the RFC 6298 standard [2], the RTO of TCP is computed from two state variables, SRTT (Smoothed Round-Trip Time) and RTTVAR (Round-Trip Time Variation), with a clock granularity of G seconds. Before any RTT measurement is available the RTO is set to 1 second.
For the first RTT measurement R, SRTT = R and RTTVAR = R/2, and the RTO is set to RTO = SRTT + max(G, K*RTTVAR) with K = 4. For each subsequent measurement R' the state is updated as RTTVAR = (1-β)*RTTVAR + β*|SRTT - R'| and SRTT = (1-α)*SRTT + α*R', with α = 1/8 and β = 1/4, after which the RTO is recomputed by the same expression. In the abnormal case, where the ACK is not received by the sender within the current RTO, the segment is retransmitted and the RTO is doubled (exponential back-off); the resulting gradual increase in RTO is depicted in the corresponding figure. In general the requests arriving in a network are modelled as a Poisson process whose events are random [3]: for 'n' arrivals in a time interval 't' with arrival rate 'λ',
P(n_t) = (λt)^n e^(-λt) / n! (4)
This assumption can be refined with Little's formula, since a network is congested only at some times and not at all times. In such cases the network is modelled as (R_a, R_t), where R_a is the average number of requests in the system, R_t is the time each request spends in the system and λ is the arrival rate, related by R_a = λ*R_t.
Little's theorem [4] can be applied either to the whole system or to part of it, as both serve the purpose. In the case of an LDoS attack, the affected network metrics include packet transmission time, propagation delay, average queueing delay and average number of packets received. Estimating these values helps faster attack detection and also helps analyse the performance issues raised during LDoS. All packets are treated as requests since SNMP is employed for analysing the incoming traffic; SNMP captures statistics on all incoming requests, which are then examined in detail. The system parts considered for a brief analysis are listed below.
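The RTO dynamics described above, as an added example (this code is not from the paper): an RFC 6298 estimator in Python with the first-sample rule, the α/β update, the 1 s lower bound and the doubling on timeout. The 60 s upper bound, the 1 ms clock granularity and the 50 ms steady RTT used in the trace are assumptions of the example. The trace shows why a low-rate pulse train is enough: once a pulse coincides with each retransmission, the flow never obtains a fresh RTT sample and its RTO only ever doubles.

```python
"""RFC 6298 RTO estimator with the exponential back-off an LDoS pulse triggers.

Added example (not from the paper). Constants are those of RFC 6298:
alpha = 1/8, beta = 1/4, K = 4, initial RTO = 1 s, RTO rounded up to 1 s.
The 60 s cap, 1 ms granularity and the 50 ms RTT below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RtoEstimator:
    alpha: float = 1 / 8        # SRTT gain (RFC 6298 section 2.3)
    beta: float = 1 / 4         # RTTVAR gain
    k: float = 4.0              # RTTVAR multiplier
    g: float = 0.001            # clock granularity G in seconds (assumed 1 ms)
    min_rto: float = 1.0        # section 2.4: RTO SHOULD be at least 1 s
    max_rto: float = 60.0       # section 2.5: upper bound of at least 60 s (assumed 60)
    srtt: Optional[float] = None
    rttvar: Optional[float] = None
    rto: float = 1.0            # section 2.1: RTO <- 1 s before any measurement

    def sample(self, r: float) -> float:
        """Feed one RTT measurement R (seconds) and return the new RTO."""
        if self.srtt is None:
            # section 2.2: first measurement
            self.srtt = r
            self.rttvar = r / 2
        else:
            # section 2.3: RTTVAR is updated first, using the old SRTT
            self.rttvar = (1 - self.beta) * self.rttvar + self.beta * abs(self.srtt - r)
            self.srtt = (1 - self.alpha) * self.srtt + self.alpha * r
        self.rto = self.srtt + max(self.g, self.k * self.rttvar)
        self.rto = min(max(self.rto, self.min_rto), self.max_rto)
        return self.rto

    def timeout(self) -> float:
        """Section 5.5: on retransmission timeout, RTO <- RTO * 2 (back-off)."""
        self.rto = min(self.rto * 2, self.max_rto)
        return self.rto


def ldos_backoff_trace(rtt_s: float, pulses: int) -> List[float]:
    """RTO after settling on a steady RTT, then after `pulses` pulse-induced timeouts.

    Each pulse lands exactly when the flow retransmits, so the flow never gets a
    fresh RTT sample and the RTO keeps doubling (the shrew pattern).
    """
    est = RtoEstimator()
    for _ in range(20):          # settle on the steady-state RTT
        est.sample(rtt_s)
    trace = [est.rto]
    for _ in range(pulses):
        trace.append(est.timeout())
    return trace


if __name__ == "__main__":
    print("RTO trace (s):", ldos_backoff_trace(0.05, 6))
```

Because RFC 6298 rounds the RTO up to at least 1 s, a pulse every second is enough to keep a 50 ms path in back-off even though the attacker's average rate is tiny; that asymmetry between attacker cost and victim damage is what makes the low-rate attack effective.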

Attack Modelling of TCP Variants
The detection solution for LDoS is designed around the TCP variant currently adopted in the Internet and by the majority of websites. Among the prevalent TCP variants, BBR [4], [5], [6], [7] is dominant, being adopted by most large websites including Google Cloud and Amazon Web Services (AWS). Our solution is modelled on the constraints specific to the behavioural characteristics of BBR, which regulates sending on the basis of delivery rate and round-trip latency. BBR, as adopted in Amazon CloudFront, increased aggregate throughput by up to 22% across various networks and regions; the gain depends on the quality, capacity and distance of the connectivity. The congestion indicators of TCP BBR are the current bandwidth estimate (BWE) and RTTmin, which are used in the cases below. Rrate denotes the response rate of BBR TCP connections, Bqu the bottleneck queue utilisation, tcp the transit capacity, Basr the base sending rate and Ba the available bandwidth.

Detection metrics based on Dataset Analysis
To understand the behavioural characteristics and traffic patterns of Denial of Service attacks, a complete analysis of existing data sets is important. The KDD-99 and NSL-KDD data sets are chosen as they are standard benchmark data sets. Of the 41 features, the incoming frequency count is a derived feature that plays a vital role in DoS detection. To obtain a complete distinction between attack and normal traffic, additional parameters need to be explored, so the EDGAR (Electronic Data Gathering, Analysis, and Retrieval) data set is also considered. The expected outcome of the analysis is a way to differentiate normal traffic from Denial of Service traffic, on the basis of which mitigation measures can be tested against a synthetically generated data set. The Division of Economic and Risk Analysis (DERA) has assembled information on Internet search traffic for EDGAR filings through SEC.gov, generally covering the period from February 14, 2003 to June 30, 2017. The data is intended to provide insight into the usage of publicly accessible EDGAR company filings in a simple but extensive manner.
The attack features are clearly recognisable in the traffic patterns of the KDD data set, but the number of normal requests per second that may be received from various IP addresses cannot be obtained from it, since the data set contains no IP address column. The EDGAR log data set used for analysis is the most recent one, for the year 2017; it contains numerous fields, in particular the IP address, the date and the arrival time of each request in seconds, which are used for the detailed analysis. Hence the U.S. government EDGAR data set is used to observe the patterns of normal traffic. The detailed steps for extracting requests by IP address and mapping them onto the time scale are illustrated in the steps below:

Experimental Testbed for LDoS
In order to validate the findings from the real-time EDGAR data set analysis, an experimental test bed is set up to generate a synthetic data set from the input metrics Arrival Rate and Request Size. For the validation procedure, the TCP-specific SNMP MIBs are monitored in a controlled SNMP environment. The set-up consists of one PC as attacker, one PC as normal user, one L2 switch and one PC as SNMP manager. An SNMP agent is installed on both the attacker PC and the normal-user PC to collect the statistics. The test bed simulates a TCP SYN attack and normal traffic requests; a web server such as Apache or XAMPP handles the requests on the victim system.
The test bed is connected through a D-Link DES-3528 switch, which can be managed through the serial port, Telnet or its web-based management agent. The Command Line Interface (CLI) over the serial port or Telnet is used for configuring and managing the switch. This switch class is designed for fault tolerance, flexibility, port density, robust security and maximum throughput, with a user-friendly management interface. The test bed, consisting of one web server, an attacker, a legitimate user, an SNMP agent and an SNMP manager, is depicted in the test-bed figure.

Traffic Differentiation Based EDGAR Metrics on IP Frequency
The frequency of incoming requests from the same host, derived from the EDGAR data set, is an important metric for differentiating DoS traffic from normal traffic. In the first observation of the per-second arrival rate, the incoming requests from the same IP address did not exceed a maximum of 10. The observation was repeated over 30 days of the data set, with the arrival rate of incoming IP addresses sampled randomly to estimate the typical per-second rate of requests from a single IP address. All 30 days of results show that the maximum number of requests per second from the same IP address lies between 10 and 40.
Graphs are constructed for a peak traffic day from 9 AM to 5 PM, in one-hour intervals, to analyse the maximum number of requests from the same IP address on a randomly chosen day. The results are plotted against IP address and number of incoming requests in the corresponding figures. From this incoming-frequency analysis of the 9 AM to 5 PM data, the count of requests arriving from the same IP address peaks at 34 in every graph. The analysis is repeated for a random one-hour slice of each of the 30 days of EDGAR statistics and all graphs show the same variation. Another notable feature of the EDGAR analysis is that, even when repeated requests come from the same IP address, the request size differs for each individual request, as is evident from the request-size graph; the overall incoming requests from the same IP address from 9 AM to 5 PM are represented there as well. From these graphs it can be concluded that, for normal traffic and according to human behaviour as observed in EDGAR, a request of the same size is not issued more than 5 times by a normal user even when the same file is accessed repeatedly; in every other case the request size varies and does not remain constant. This contrasts with the attack scenario, where the incoming attack requests all have the same size and the attack arrival rate ranges from 100 to 1 million requests, depending only on the capacity of the attacker's system.
The arrival rates of the normal EDGAR pattern range from 1 to a maximum of 40 requests and never exceed that range. From this analysis a conclusion is drawn for differentiating normal traffic from attack traffic. One-hour traffic samples are captured for every day, and the analysis for one day is illustrated in Fig. 6, which shows the number of IPs with the same request count in a randomly chosen one-hour period of a day of the EDGAR data set. Based on the observation of the complete 30 days of EDGAR traffic, it is concluded that for normal traffic the maximum count observed over the various IP addresses does not exceed 373 and the number of requests per second from the same IP address does not exceed 40. To classify incoming traffic firmly as attack or normal, the additional parameter request size must also be considered, since according to the EDGAR analysis even 40 requests per second from the same IP address are handled as normal when they have different request sizes.
In the overall observation, at most 2 requests of the same size originate from the same IP, which is classified as normal as it lies within the threshold of 5. Hence, for traffic to be normal, the incoming requests from the same IP must have varying request sizes; otherwise the traffic is classified as DoS attack traffic. These conclusions from the EDGAR data set are carried over to the detection of the LDoS attack.
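The two EDGAR-derived thresholds, a per-second rate bound of 40 and at most 5 repeats of one request size per IP, as an added example that is not the paper's code. The log layout "ip,epoch_second,size" and all sample hosts are constructed for the example; real EDGAR logs have a different column layout. The low-rate host is the interesting one: its per-second rate is well inside the normal band, so only the request-size repetition separates it from a normal user.

```python
"""Per-IP arrival-rate and request-size check in the spirit of the EDGAR analysis.

Added example, not the paper's code. The two thresholds are the page's EDGAR
observations (at most 40 requests per second from one IP, and one request size
repeated at most 5 times by one IP). The log layout "ip,epoch_second,size" is an
assumption for the constructed sample below, not the EDGAR log schema.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

MAX_REQ_PER_SEC = 40   # normal per-IP rate never exceeded 40/s over 30 days (page)
MAX_SAME_SIZE = 5      # a normal user repeats one request size at most 5 times (page)

# Constructed sample log (ip, epoch second, request size in bytes):
#  192.0.2.10   - normal browsing: a few requests, sizes vary
#  203.0.113.5  - flood: 60 identical requests per second for 3 seconds
#  203.0.113.9  - low-rate: 1 identical request per second for 10 seconds
_normal = [
    "192.0.2.10,1000,1532", "192.0.2.10,1000,887",
    "192.0.2.10,1001,1532", "192.0.2.10,1001,4096",
    "198.51.100.7,1000,512",
]
_flood = [f"203.0.113.5,{1000 + i // 60},512" for i in range(180)]
_low_rate = [f"203.0.113.9,{1000 + i},512" for i in range(10)]
SAMPLE_LOG: List[str] = _normal + _flood + _low_rate


def parse(lines: Iterable[str]) -> Iterable[Tuple[str, int, int]]:
    """Yield (ip, second, size) from 'ip,second,size' lines; skip blank lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ip, sec, size = line.split(",")
        yield ip, int(sec), int(size)


def classify(lines: Iterable[str]) -> Dict[str, dict]:
    """Per IP: peak per-second rate, peak count of one request size, and the
    reasons (if any) for flagging it as DoS/LDoS."""
    per_sec: Counter = Counter()    # (ip, second) -> requests in that second
    per_size: Counter = Counter()   # (ip, size)   -> requests of that size
    for ip, sec, size in parse(lines):
        per_sec[(ip, sec)] += 1
        per_size[(ip, size)] += 1

    peak_rate: Dict[str, int] = {}
    peak_size: Dict[str, int] = {}
    for (ip, _), n in per_sec.items():
        peak_rate[ip] = max(peak_rate.get(ip, 0), n)
    for (ip, _), n in per_size.items():
        peak_size[ip] = max(peak_size.get(ip, 0), n)

    verdict: Dict[str, dict] = {}
    for ip in peak_rate:
        reasons = []
        if peak_rate[ip] > MAX_REQ_PER_SEC:
            reasons.append("rate")   # high-spike DoS: frequency alone catches it
        if peak_size[ip] > MAX_SAME_SIZE:
            reasons.append("size")   # LDoS: rate looks normal, size repetition does not
        verdict[ip] = {
            "peak_rate": peak_rate[ip],
            "peak_same_size": peak_size[ip],
            "reasons": reasons,
            "suspect": bool(reasons),
        }
    return verdict


if __name__ == "__main__":
    for ip, v in sorted(classify(SAMPLE_LOG).items()):
        print(ip, v)
```

The size check is keyed on exact byte counts, as the EDGAR observation is; a production version would bucket sizes, since an attacker who varies padding by a few bytes per request defeats an exact-match rule while staying under the rate bound.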

Traffic Differentiation based on SNMP Metrics
We aim to address the above research gaps in the existing measures through the Simple Network Management Protocol (SNMP) [17], [18]. The SNMP MIBs are first characterised, which helps greatly in identifying the purpose and importance of each. Based on the references, the SNMP MIBs below are chosen.
The SNMP components, the basic structure and the way of retrieving Management Information Base (MIB) variables are taken from the references. The MIBs relevant for LDoS detection are identified through theoretical validation and linear regression.
The metrics Request Size and Arrival Rate are derived from the behaviour analysis of the KDD-99 data set. To relate the various attack-distinction metrics for LDoS traffic, the following quantities are defined. For an in-depth analysis, the overall traffic, normal traffic, statistical traffic and attack traffic are denoted ov(t), n(t), s(t) and a(t) respectively. The overall traffic is expressed as ov(t) = n(t) + a(t) (12). If the server is under normal traffic then a(t) = 0 and therefore ov(t) = n(t). If the server is under attack, a(t) rises rapidly to large values, so for easy attack identification the value of a(t) needs to be captured. Our proposed method captures a(t) through the Management Information Base (MIB) variables of SNMP; the relevant MIBs are tcpActiveOpens, tcpPassiveOpens and tcpCurrEstab [14], [15], [16]. The attack detection algorithm is formulated below. From it, it is inferred that during normal traffic there is minimal variation between the SNMP MIBs tcpActiveOpens and tcpCurrEstab, as 30 connections are established in 30 seconds. During attack traffic there is a large deviation between the chosen MIBs, as only a single connection is established in 30 seconds. Hence, by combining the detection measures tcpActiveOpens, tcpCurrEstab, time and maximum-request validation, 98.7% detection accuracy is achieved. The general features and characteristics of DoS and LDoS [20], [21], [22], [23], [24] are analysed from the literature to arrive at the defensive measures.
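A window-based check over the two MIB variables named above, as an added example; the paper's own algorithm is not reproduced on this page, and the 30 s window, the minimum-opens guard and the 0.5 established-fraction threshold are assumptions of this example. The OIDs are those of TCP-MIB (RFC 4022). Two caveats a practitioner needs: tcpActiveOpens counts connections initiated by the host running the agent, which matches the test bed here (agents on the attacker and user PCs), so on the victim web server the counterpart is tcpPassiveOpens; and tcpActiveOpens is a Counter32 that wraps at 2^32 while tcpCurrEstab is a gauge that drops when connections close, so the code takes the modular difference for the former and clamps the latter at zero.

```python
"""Window-based LDoS check over TCP-MIB counters tcpActiveOpens and tcpCurrEstab.

Added example; the paper's own detection algorithm is not reproduced on the page.
Object identifiers are from TCP-MIB (RFC 4022):
  tcpActiveOpens.0  = 1.3.6.1.2.1.6.5.0  (Counter32, opens initiated by this host)
  tcpPassiveOpens.0 = 1.3.6.1.2.1.6.6.0  (Counter32, opens accepted by this host)
  tcpCurrEstab.0    = 1.3.6.1.2.1.6.9.0  (Gauge32, ESTABLISHED or CLOSE-WAIT connections)
A live poll of an agent would be, for example:
  snmpget -v2c -c public <agent-ip> 1.3.6.1.2.1.6.5.0 1.3.6.1.2.1.6.9.0
The 30 s window and the thresholds below are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional

OID_TCP_ACTIVE_OPENS = "1.3.6.1.2.1.6.5.0"
OID_TCP_PASSIVE_OPENS = "1.3.6.1.2.1.6.6.0"
OID_TCP_CURR_ESTAB = "1.3.6.1.2.1.6.9.0"
COUNTER32_MOD = 2 ** 32


@dataclass(frozen=True)
class Sample:
    t: float            # poll time in seconds
    active_opens: int   # Counter32 reading of tcpActiveOpens
    curr_estab: int     # Gauge32 reading of tcpCurrEstab


def counter_delta(prev: int, cur: int) -> int:
    """Increase between two Counter32 readings, tolerating a single wrap at 2^32."""
    return (cur - prev) % COUNTER32_MOD


@dataclass
class WindowDetector:
    """Compare new connection attempts with the growth of established connections
    over a fixed window. Page's normal case: ~30 opens and ~30 newly established
    in 30 s. Page's attack case: many opens, one established in 30 s."""
    window_s: float = 30.0
    min_opens: int = 10           # assumed: ignore idle windows
    min_estab_ratio: float = 0.5  # assumed: flag when under half of the opens get established
    start: Optional[Sample] = None

    def feed(self, s: Sample) -> Optional[dict]:
        """Feed one poll; return a verdict once a full window has elapsed."""
        if self.start is None:
            self.start = s
            return None
        if s.t - self.start.t < self.window_s:
            return None
        opens = counter_delta(self.start.active_opens, s.active_opens)
        # tcpCurrEstab is a gauge: closed connections lower it, so clamp at 0
        estab_growth = max(0, s.curr_estab - self.start.curr_estab)
        self.start = s
        ratio = estab_growth / opens if opens else 1.0
        suspect = opens >= self.min_opens and ratio < self.min_estab_ratio
        return {"opens": opens, "estab_growth": estab_growth,
                "ratio": round(ratio, 4), "suspect": suspect}


def evaluate(samples: List[Sample], **kw) -> List[dict]:
    """Run the detector over a list of polls and collect the per-window verdicts."""
    det = WindowDetector(**kw)
    out = []
    for s in samples:
        v = det.feed(s)
        if v is not None:
            out.append(v)
    return out


# Constructed polls (not measurements from the paper's test bed):
NORMAL_POLLS = [Sample(0, 1000, 5), Sample(30, 1030, 35), Sample(60, 1061, 64)]
ATTACK_POLLS = [Sample(0, 2000, 5), Sample(30, 2300, 6), Sample(60, 2600, 6)]
WRAPPED_POLLS = [Sample(0, COUNTER32_MOD - 5, 5), Sample(30, 25, 35)]

if __name__ == "__main__":
    print("normal:", evaluate(NORMAL_POLLS))
    print("attack:", evaluate(ATTACK_POLLS))
    print("wrap:  ", evaluate(WRAPPED_POLLS))
```

The ratio is the part that carries the signal: a legitimate client's opens mostly reach ESTABLISHED, whereas half-open attack attempts inflate the opens counter without moving the gauge. Polling faster than the window gives the detector earlier verdicts only if the window itself is shortened, which trades accuracy for latency.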

Conclusion
The SNMP-based detection measure, combined with the metrics obtained from the real-time analysis of the EDGAR data set, enables accurate detection of LDoS attacks and yields 98.7% accuracy. Early detection is another important criterion, and detection is achieved within 6.9 seconds. The research gaps identified in the existing literature were examined carefully, which led to the identification of the important metric tcpCurrEstab that boosted the accuracy. The chosen TCP-specific SNMP MIBs are effective in distinguishing LDoS attack traffic from normal traffic, as demonstrated with the simulation tools deployed in the experimental test bed, and theoretical validation is provided for the aforementioned SNMP MIBs. Future work aims to analyse real-time log patterns to further enhance detection accuracy.