An Adaptive Approach to Mitigate Ddos Attacks in Cloud

—Distributed denial of service (DDOS) attack constitutes one of the prominent cyber threats and among the hardest security problems in modern cyber world. This research work focuses on reviewing DDOS detection techniques and developing a numeric stable theoretical framework used for detecting various DDOS attacks in cloud. Main sections in the paper are devoted to review and analysis of algorithms used for detection of DDOS attacks. The framework theorized here deals with the variability calculation method in conjunction with sampling, searching methods to find a current state of a particular parameter under observation for detecting DDOS attacks. This way a solution is to build that measure the performance and conduct the monitoring framework to capture adversity related to DDOS attacks. The described algorithm intends to capture the current context value of the parameters that determine the reliability of the detection algorithm and the online pass algorithm helps to maintain the variability of those collected values thus maintaining numerical stability by doing robust statistical operations at endpoints of traffic in cloud based network.


I. INTRODUCTION
Internet of Things (IoT) has evolved in modern times in leap and bounds.Incidents of attacks over the Internet especially DDOS attacks [1] are increasing day by day.News are dominated by successful DDOS attacks against a number of major Fortune 100 organizations in this arena.Hence, many security experts have being thinking on how does Organized Fraud Rings (OFR's) make money out by disrupting the information technology (IT) assets of a company?How can we detect and disrupt this activity?[28,29] Historically, the fragmented organizations that unwittingly constitute this "fraud supply chain" could provide no coherent indication of suspicious activity.Each step could only be observed in isolation.However, solutions are now available to correlate events across the multiple disparate systems involved to join the dots and see the complete picture.
Centralized collection of activities through every phase of the disruptive activity like DDOS attack [1] process can identify and alert on suspicious patterns and stop it in its tracks, even where evasive techniques such as geographical dispersion and Internet service provider (ISP) switching are employed.The purpose of the DDOS attack [3] is normally about breaking the business continuity.Hence, there is a need to build a mechanism on identifying the correlation of activity and transaction velocity of DDOS Attack.The existing network security mechanisms confront new challenges in the cloud [2] such as virtual machine intrusion attacks [4,5] and malicious user activities.Hence, new security methods [6] are required to increase users' level of trust in clouds.Presently, cloud service providers implement data encryption for the data centers, virtual firewalls and access control lists.
The number of threat vectors in today's cloud landscape [7] is increasing day by day that is the problem.The existing detection approaches are not foolproof.There is need to learn more about attackers and adopt an adaptive approach to defense at every stage.This can happen only if the algorithm of detections must be adaptive and numerically stable.There is need to focus on methods on how to gather threat Intelligence about our adversaries and know the motives of malicious attacker?
The cloud based networks [16] and services are prone to suffer from malicious attacks because of their inherent characteristics of being accessible globally any time and also due to the frequent changes in topology and development of IoT as well as because of landscape nature of Internet.Of particular concern, it is the denial of service attacks that makes the service unavailable to its intended cloud users.In fact, there are three major techniques which are: misuse detection, anomaly detection and specific detection like DDOS attack.Each of these detection methods has its pros and cons.These are however, reviewed in the Related Work section.But from the current incidence reports it is clear that new combinational methods need to be implemented for the proper working of cloud industry.It is known fact that both the internal and external anatomy [8] of the data-center matters, how it is structured architecturally to measure the volume of traffic is also the main critical point, if somehow the intruders are able to launch a slow attack it must be detectable or if it is a sudden flood of packets then the system must be able to mitigate the flood to have clean traffic.This is not possible unless there is continuous monitoring which includes the mapping of threats [18] cope with the understanding correlations of all the factors contributing to the adversity.Therefore, the thresholds of finding inflection points where the traffic changes to malicious is essential to successful running of data centers in cloud in thwarting the DDOS attacks.
The rest of this paper is as follows.Section II studies a couple of related works in detection and defense mechanism of DDOs attacks.In Section III, the main research gaps in the www.ijacsa.thesai.orgreviewed work are highlighted.Section IV contains the threshold calculation mechanism required for DDOS attack detection.Section V summarizes the shortcomings of already contributed work.In Section VI, some concluding remarks are given and finally the future scope of study is briefed in Section VII.

II. RELATED WORK
Due to mammoth size of network and IoT, there are various types of vulnerabilities in cloud based network.The impact of adversity on the cloud based network is not easy to estimate due the dynamic attributes of the system dynamics.These dynamics force us to think on developing various mathematical models based on which the adversity may be captured.Since, all these methods are based on mathematical model of DDOS threat detection and when they are put to test against the real life scenarios, their performance comes into question.Hence, this area of research explores many possibilities to mitigate the DDOS attacks.The Intrusion detection systems (IDS) [24,25,37] were first implemented as frugal, optional mitigation mechanisms but with Big Data technologies the direction of the industry to implement a permanent robust solutions at all ends of the network including ISP and customer end is now propagated.This leads to scenario where normal detection techniques using static values rendered becomes useless and as per our systematic review of related works in the field of intrusion/malicious attack detection [9,18], there are variety of mechanisms that can be used to detect anomalies or malicious behavior in the cloud based network.Each of these techniques/mechanisms discussed here are threshold basis and have their own pros and cons.A summary of some related literature that holds tradeoffs in its favour, is presented in this section.
In [10]  ) has used the concept of static threshold, although dynamic threshold is better solution.Threshold value is selected to take decision in identifying the DDOS attacks.It is the basic unit that differentiates between the normality and abnormality in the traffic over the cloud based network.In this static threshold method, a cutoff is fixed which decides the normal and abnormal levels.The basic features used in detection of attacks are mainly IP address of the victim machine, timestamp, time-duration of connection, protocol used, connection status flag, and source & destination services.
The threshold is used to differentiate between normal traffic and abnormal traffic [17] in the network.This threshold value is acquired by using observation and experimental technique and the verified by using statistical process control approach [13].Although static threshold methods are easy to implement for detection as well and have low computational complexity but the main weakness of this method is that fix value range is never close to real systems and are changing with respect to time.This method does not take into account the differential or cumulative threshold which given better response to adversity in real time.
In [15] Proactive DDOS attack detection and defense mechanisms propound by Keromytis, Misra & Rubenstein 2002.It focuses on the advance detection of attacks.In reactive mechanisms, detection the attacks is by using signatures (attack pattern) or anomaly behavior.Proactive mechanisms emphasize on to improve the reliability of the global Internet infrastructure by adding additional functionality to Internet components to detect and defend various attacks as well as vulnerability exploitation.The main objective of this approach is to make the infrastructure resistant to the attacks and to provide service to normal users continually under extreme conditions.
Reactive defense approach was suggested by Ioannidis & Bellovin 2002.Third-party Intrusion Detection Systems (IDS) are deployed to obtain attack related information and then action is taken according to this information.Various strategies are used for intrusion detection purpose.If the IDS system unable to detect the DDoS attack packets, then filtering mechanisms are used, that are able to filter out the attack stream completely, even at the source network.A rate limit is imposed by the IDS on the stream to characterize that the stream is malicious.
In [13], Dynamic threshold based approach is proposed by Gupta, Sanchika, Padam Kumar, and Ajith Abraham.[13] Paper addresses to vulnerabilities responsible for known attacks on cloud and analyzed various measures to secure cloud based network from these malicious attacks both insider and outsider.A profile is created for each machine to detect and prevent various cloud attacks.In this approach, the estimation of upper and lower cutoff points are figured after some time period, after every time slot, the value may change.However, there is not much difficulty in implementation of various methods of calculations like method based on average, mode, frequency, deviation from mean.But this method cannot handle extreme high and low values statistically that may cause to wrong calculations (numerically unstable) as change point detection method may calculate wrong threshold, thereby increase the false alarm rate.
[11] B. B. Gupta, R. C. Joshi, M. Misra proposed "Dynamic and Auto Responsive Solution for Distributed Denial-of-Service Attacks Detection in ISP Network," In this paper, they presented a framework which emphasize on characterization of a wide range of flooding DDOS attacks [32] and their detection.As per [11] flooding attacks are because of high rate disruptive, diluted low rate degrading and varied rate and there should be monitoring of the propagation of abrupt traffic changes inside ISP network.[11] suggested that a profile of the traffic normally seen in the network is to be created, and then anomalies are detected whenever traffic goes out of profile.Although they claimed that the said detection system is scalable to varying network conditions and adapts itself to different attacks [19] loads but to identify threshold values detection mechanism is not free from generating false positive alarm rates and hence not foolproof for detection of malicious flows characterization.
In [37], C. Modia, D. Patela, B. Borisaniyaa, H. Patelb, A. Patelc, and M. Rajarajanc in their paper, -A survey of intrusion detection techniques in cloud,‖ are really of the www.ijacsa.thesai.orgopinion that the existing Intrusion Detection Systems and Intrusion Prevention Systems for cloud environments are short of feasible solution.The authors explained that the explored solutions of IDS are still far from the integration in the clouds.They suggested that these must be combined with security information and event management in addition to adopting additional security measures and correlation rules to identify internal attacks or to be prepared for zero-day attacks.They made stress on the necessity of the centralized view in monitoring IDS and making advancements in existing solutions with competence to examine data stream by scaling up and down.
[14] Jun-Ho Lee, Min-Woo Park, Jung-Ho Eom, and Tai-Myoung Chung in their paper -Multi-level intrusion detection system and log management in cloud computing‖ proposed multi-level IDS in combination with log management approach to strengthen the security in cloud based network so that anomaly behavior can be detected in cloud environments.In this approach they are of the view that more rules and patterns are proportionate to the strength of the security in cloud computing provided that proper logs are to be administered.It is based on the quantification of risk levels and assigning risk points in proportion to risk anomaly behavior.Although the approach is fully quantitative in nature which is significant in any corporate security risk program but the main thing is that more the rules and patterns, more will be the complex and slow IDS in cloud computing.

III. RESEARCH OUTLINE
The major gaps are found on the basis of review study and its findings are as follows:

IV. MECHANISM TO COMPUTE THRESHOLD FOR DDOS DETECTION
An ‗abnormality' may be found while observing a particular network factor.It is either the values of parameters that start touching abnormal ‗lows' or ‗highs' at certain ‗intervals' of data series or values of parameters start scaling higher values from the normal scale.There is variance [36] which indicates the abnormality.It is more suitable to use online algorithm in cases where cost of computation is sensitive to the response time of an operation.Moreover, the method of (SEM) Structured Equation Modeling [23] which is mainly used to test conceptual/theoretical model, intends to identify an equation that defines a sequence of values between two or more parameters under observations for DDOS detection, based on time series sampling and then further sample for threshold value based methods.

(a1) Pseudo code of Online Algorithm to compute variance for n samples:
For defined timeline; End.

(a2) Empirical rule:
The empirical rule [20,21] (Three Sigma rule) states that for a normal distribution, nearly all of the data will fall within three standard deviations of the mean.
The empirical rule can be broken down into three parts:  68% of data falls within the first standard deviation from the mean. 95% fall within two standard deviations.
 99.7% fall within three standard deviations.

Check "Empirical Rules as if:
a) 68% values within the first standard deviation values b) 95% values within two standard deviation values c) 97% values within three standard deviation then attack flag='true' else attack flag='false'; (a3) Area Elimination Method www.ijacsa.thesai.orgLet there be 2 points x 1 and x 2 which lie in the interval (a,b) of the sample extracted at any given time for analysis and satisfy (x 1 <x 2 ), hence the three rules: i.If f(x 1 )>f(x 2 ) then the threshold does not lie in (a,x 1 ) ii.If f(x 1 )<f(x 2 ) then the threshold does not lie in (x 2 ,b) iii.If f(x 1 )=f(x 2 ) then the threshold does not lie (a,x 1 ) and (x 2 ,b).

First Rule Scenario:
If the function value at x 1 is larger than that at x 2 , threshold point x cannot lie on the left side of x 1 .

Second Rule Scenario:
If the function value at x 1 is less than x 2 , the threshold point ‗x' cannot lie in right side.

Third Rule Scenario:
When f(x 1 )==f(x 2 ), implies that there is one lowest or highest value that can be taken as threshold.Hence R 1 and R 2 areas are eliminated.

Golden Ratio method
Golden Ratio method [20], may be used as golden ratio pattern is also found in nature extensively, the ‗abnormal' threshold values may be captured using golden ratio interval division method.
The sample search space (a,b) is first linearly mapped to a unit interval search space (0,1) and then two data points [22] at from either end of the search space are chosen so that at every iteration, the elimination region (1-) to that in the previous iteration is covered.This can be achieved by equaling (1-) with ( x ).This yields the golden number =0.618.Step3 : If no, set k=k+1, goto Step 2; Else Terminate.
Step 4: Online algorithm as in section [a1] Step 5: Check ‗Empirical Rules' as in section The number of function evaluation ‗n' required for achieving a desired accuracy, is calculated by solving the following equation There is plethora of methods to overcome the issue of rise in DDOS attacks and have understood that it affects their overall eco-system of conducting ‗Business on Internet or Cloud'.These algorithms offer various degrees of stability, reliability in their working.The latest findings, occurrences, incidence reports [33] on DDOS attacks suggest that these methods still need a deeper examination as inadequate interpretations are done.Bandwidth [30] is one way to measure DDOS attacks including application layout attacks.Our solution also checks periodically the DNS TTL of all the DNS associated with our cloud endpoints.The ratio of abnormal data to the normal data will normally be imbalanced so the golden method tries to compensate this imbalance.The proposed method as discussed above is also better as real time information of deviation may not be possible every time due to inherent nature of data stream analyzed at any given time.This method is based on capturing abnormality at certain logical intervals.If a particular ‗current' threshold or current value of the objective function, defined by well defined relationship, occurs above ‗normal range' successively in multiple intervals during evaluation, there is high possibility that the network is going under ‗adversity'.Care has been taken to evaluate the successive function evaluation values whose average does not go far away from the mean using robust online algorithm.The method has advantage in the sense that it checks the well defined mathematical relationship www.ijacsa.thesai.org between two variables that influence the performance of network under ‗adversity' using structure equation modeling.

VI. CONCLUSION
Today we have entered a world where cyber enemy politics [31], cyber terrorism, cyber hacktivism have taken over cyber crime space or attack landscape.Now, DDOS attacks can also be launched from phone, in fact nearly any kind of device with IP address can launch DDOS attacks.Network level DDOS attacks typically require IP-threat level assessment strategy to safeguard against DDOS attacks.Reflective DDOS attacks [12] need ‗state flow' awareness strategy for Outbound DDOS attacks and in case of Bidirection flood detection [26], the strategy with algorithms having numerical stability is required.In fact, our proposed algorithm can also cover those kinds of DDOS attacks which involve ‗specially crafted ‗packet attacks, where protocol analysis reveals the correct situation in conjunction with threshold techniques discussed in Section-III.Other than the DDOS attacks that involve Recon (Scan) [26] or that involve highly advanced evasion, detection requires further advanced methods in this context.The latest Gartner report suggests that application layer level DDOS attacks account for maximum incidences (25%) which requires behavioral analysis techniques due to multifold increase in DDOS attacks [33].It is also evident that today's service provider solutions cannot avoid analysis of protocol behaviour, volume, type of traffic for its survival.In summary, the proposed work covers following aspects to break into the anatomy of DDOS attacks.It covers the numerically stable calculations of DDOS attacks that impact network level Flow Volumetric attacks [38].
1) Proposed method covers the attacks initiated as "randomized" ,"slow" and "low" [30,35] at application layer.The method proposed do calculations based on application"s traffic end points also, where, "payload" matching or entropy [27] based methods become useless due to high pattern variations.
2) Deploy multi stage algorithm [34] that can block spectrum of unwanted traffic as well as dynamic unwanted users.This way detection becomes more effective.
3) However, support from other components of defense mechanism shall also be solicited which include keeping an eye on application users and unwanted activities or simply enforcing usage standard, enforcement of protocol anomalies and violation by enforcing RFC and industry standards.

VII. FUTURE SCOPE
The proposed solution can easily be integrated into big data analysis based solutions as it allows scalability where application of machine learning algorithms may also help.For future work, it is suggested that SEM may be used for threat modeling of DDOS attacks along with column based data mining algorithms, which use partial probability theory for detection of DDOS attacks in cloud based network.

Fig. 1 .
Fig. 1.Golden Ratio points (x1 and x2)Algorithm: DDOS data under observations is divided into golden ratio parts.Step 1:Choose a lower bound a and an upper bound b. using Synthetic Division method[21,22].Set small value .