Strategy
Liang Huang, Dengguo Feng, Yifeng Lian, Yingjun Zhang, and Yuling Liu
Trusted Computing and Information Assurance Laboratory,
Institute of Software, The Chinese Academy of Sciences, Beijing, China
{lancerhuang, feng, lianyf, yjzhang, ylliu}@tca.iscas.ac.cn
ABSTRACT
With the growing threat of DDoS attacks, new attacking mechanisms emerge every day. To confront ever-evolving DDoS attacks, it is insufficient to select a defending strategy merely from the existing strategy set. In this paper, we propose a method that generates new defending strategies and selects the optimal one among them, thus increasing the defending ability. The Game Model for DDoS Countermeasure Selection is established to model the DDoS scenario, treating the attacker and the defender as the two players in the game. New defending strategies are then generated and added to the defending strategy set. Next, the Nash equilibrium is calculated to indicate the optimal defending strategy. Experiments performed with a network simulator show the effectiveness of the method.
KEYWORDS
DDoS, Game Theory, Optimal Defending Strategy,
Strategy Selection, Effect Evaluation
1 INTRODUCTION
The Distributed Denial-of-Service (DDoS) attack has become one of the most severe threats to network security. Attackers use compromised hosts to send an overwhelmingly large number of requests to the victim, exhausting the victim's resources and making it unable to provide service.
To fight DDoS attacks effectively, not only have countermeasures against DDoS attacks been proposed, but methods of selecting the optimal countermeasure have also been developed. These methods help to select a suitable defending strategy from the defending strategy set. However, attackers continuously refine the attacking process to increase the attack effect, so that new attacking mechanisms emerge every day. Therefore, it is insufficient to select the best countermeasure among the existing ones. To confront ever-evolving attacks, we have to find a way to improve the countermeasures themselves.
ISBN: 978-0-9891305-4-7 2014 SDIWC
This paper proposes an approach that generates new defending strategies and selects the optimal one from them, so that the defense effect is increased. First, the existing defending strategies are combined to generate new strategies. Second, the Game Model for DDoS Countermeasure Selection (GMDCS) is built, with the attacker and the defender as its two players. Third, utility functions for the attacker and the defender are introduced, including functions for calculating the effect of a combined defending strategy and the effect of the corresponding attacking strategy. Fourth, the Nash equilibrium, which indicates the optimal defending strategy in the union of the original defending strategy set and the newly generated one, is solved. Finally, experiments are performed with a network simulator to validate the correctness and effectiveness of the method.
The rest of the paper is organized as follows. Section 2 describes related work, and Section 3 presents the GMDCS model. Details of the utility functions for both the attacker and the defender are given in Section 4. Section 5 demonstrates the experiments, and Section 6 summarizes the paper.
2 RELATED WORK
To confront DDoS attacks, many countermeasures have been proposed, such as attack detection, flow filtering, source identification, and so on [1-3]. Mirkovic et al. [4] classified DDoS attacks and countermeasures; Peng et al. [5] surveyed the countermeasures against DoS and DDoS attacks and analyzed the defense effect of each countermeasure.
Building on these surveys of DDoS attacks and defenses, methods for attack evaluation and defense evaluation have been proposed. Butler [6] proposed the Security Attribute Evaluation Method (SAEM). The method first evaluates how well each defense countermeasure mitigates the threats, then analyzes the types of threat each countermeasure can handle, and finally evaluates the cost of each countermeasure; the three factors are considered together to guide the selection of countermeasures. Bellaiche et al. [7] pointed out that evaluation and comparison are based on four aspects: performance, cost of deployment, influence on the target system, and robustness. Schwab et al. [8] put the indices for DDoS evaluation into three categories: indices of network traffic, indices of attack effect, and indices of defense effectiveness. They stated that the attack effect should be evaluated by the change of the indices before and during the attack, and the defense effect by the change before and after deployment of the countermeasure; however, no concrete calculation method was provided. Meadows [9] defined a cost set C and an intruder capability set G, and then a tolerance relation set CG used to analyze whether a protocol can resist a DoS attack. This method provides a comprehensive analysis of both attack and defense strategies, but it is too theoretical to be put into practice. Mirkovic et al. [10] suggested that the key to DDoS defense is keeping the service running at a user-acceptable level. With this idea, Mirkovic et al. [11, 12] proposed a threshold-based method for evaluating the DDoS attack effect using the QoS indices issued by the 3rd Generation Partnership Project (3GPP): if an index is outside the normal QoS range, the application is considered failed. The percentage of failed transactions (PFT) is used as the evaluation metric of the DDoS attack effect, and the weighted sum of the PFT over all applications in the network traffic gives the overall effect of the DDoS attack. Li et al. [13] evaluated the effect of DDoS attacks based on packets. The LAR, ratio of the legitimate
[Fragment of Section 3; the surrounding definitions were lost in extraction.] The combined defending strategy set $S_{DefCom}$ is formed from $S_{Def0}$ for $i = 2, \ldots$, with $n = |S_{Def0}|$; in the experiment, $S_{DefCom} = \{\text{IQ-RL}, \text{IQ-}\ldots\}$. In this paper,
However, the strategy with the largest utility under one attacking strategy may not be the one with the largest utility under another attacking strategy. Therefore, the Nash equilibrium is used to select the optimal defending strategy against DDoS attacks. A Nash equilibrium is a state in which each player's strategy is a best response to the other player's strategy, so that neither player can increase his utility by changing his strategy unilaterally; no player has an incentive to deviate from it. As a result, the Nash equilibrium can guide the defender in selecting the optimal defending strategy. In this paper, the Nash equilibrium is written as the strategy profile

$$S_{Nash} = \{\, s_{Att}^{*},\ s_{Def}^{*} \,\}$$

where $s_{Att}^{*}$ and $s_{Def}^{*}$ are the attacker's and the defender's equilibrium strategies, given by formulas (1) and (2) [the terms of (1) and (2) were lost in extraction].
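As an added worked example (not code from the paper), the following Python script finds the pure-strategy Nash equilibria of a two-player attacker/defender game of the GMDCS form by checking the mutual best-response condition described above. The payoff numbers are constructed for illustration and are not the paper's experimental values; the strategy names reuse the paper's labels only for readability. It also computes the defender's maximin (worst-case) choice, which is what a practitioner falls back on when the game has no pure equilibrium.

```python
"""Pure-strategy Nash equilibrium search for an attacker/defender game.

Added example, not the paper's code.  The utilities below are constructed
for illustration and are NOT the paper's Table values.  U[(a, d)] is the
utility of the profile where the attacker plays a and the defender plays d.
"""

ATTACKS = ["LZSR", "SZFR"]
DEFENSES = ["IQ", "RL", "SB"]

# Constructed attacker utilities (hypothetical numbers).
U_ATT = {
    ("LZSR", "IQ"): 40, ("LZSR", "RL"): 10, ("LZSR", "SB"): 35,
    ("SZFR", "IQ"): 50, ("SZFR", "RL"): 55, ("SZFR", "SB"): 5,
}
# Constructed defender utilities (hypothetical numbers).
U_DEF = {
    ("LZSR", "IQ"): 30, ("LZSR", "RL"): 80, ("LZSR", "SB"): 20,
    ("SZFR", "IQ"): 25, ("SZFR", "RL"): 70, ("SZFR", "SB"): 60,
}


def attacker_best_responses(defense, u_att=U_ATT, attacks=ATTACKS):
    """All attacking strategies maximising the attacker's utility against `defense`.
    Returned as a set so that ties are kept rather than broken arbitrarily."""
    best = max(u_att[(a, defense)] for a in attacks)
    return {a for a in attacks if u_att[(a, defense)] == best}


def defender_best_responses(attack, u_def=U_DEF, defenses=DEFENSES):
    """All defending strategies maximising the defender's utility against `attack`."""
    best = max(u_def[(attack, d)] for d in defenses)
    return {d for d in defenses if u_def[(attack, d)] == best}


def pure_nash_equilibria(u_att=U_ATT, u_def=U_DEF,
                         attacks=ATTACKS, defenses=DEFENSES):
    """Every profile (s_Att*, s_Def*) in which each side is a best response
    to the other, i.e. neither player gains by deviating unilaterally.
    An empty list means the game has only mixed-strategy equilibria."""
    return [
        (a, d)
        for a in attacks
        for d in defenses
        if a in attacker_best_responses(d, u_att, attacks)
        and d in defender_best_responses(a, u_def, defenses)
    ]


def maximin_defense(u_def=U_DEF, attacks=ATTACKS, defenses=DEFENSES):
    """Defender's security strategy: the defense whose worst case over all
    attacks is best.  A conservative fallback when no pure equilibrium exists."""
    return max(defenses, key=lambda d: min(u_def[(a, d)] for a in attacks))


if __name__ == "__main__":
    print("pure Nash equilibria:", pure_nash_equilibria())
    print("maximin defense     :", maximin_defense())
```

The equilibrium check is exhaustive over the strategy sets, which is fine at the paper's scale (two attacks, seven defenses once the combinations are added); with the combined strategies one would simply extend `DEFENSES` and the two utility tables.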
$$E_{Def} = E_{Att} - E_{Att\_with\_Def} = \big(Ava_{no\_Att} - Ava_{Att}\big) - \big(Ava_{no\_Att} - Ava_{Att\_with\_Def}\big) \qquad (4)$$

where $Ava_{no\_Att}$, $Ava_{Att}$ and $Ava_{Att\_with\_Def}$ are the availability with no attack, under attack without defense, and under attack with the defending strategy deployed, so that $E_{Att} = Ava_{no\_Att} - Ava_{Att}$ is the attack effect and $E_{Att\_with\_Def}$ the attack effect with the defense in place.
The average response time $T_{res}$ and the response probability $P_{res}$ are

$$T_{res} = \frac{\sum_{i=1}^{n} T_i}{n} = \frac{\sum_{i=1}^{n} \left(t_i' - t_i\right)}{n} \qquad (5)$$

$$P_{res} = \frac{C_{Req\_Success}}{C_{Req\_Total}} \times 100\% \qquad (6)$$

where (reading from the description below formula (7)) $t_i$ and $t_i'$ are the times at which the $i$-th answered request is sent and its response is received, and $C_{Req\_Success}$ and $C_{Req\_Total}$ count the answered and the total requests. The defense effect of a combined defending strategy is

$$E_{DefCom} = \Big[\, 1 - \ldots \Big(1 - \frac{E_{Def\_i}}{E_{Att0}}\Big) \ldots \Big]\, E_{Att0} \qquad (8)$$

aggregated over $i = 1, \ldots$ [the aggregation operator of (8) and all of formula (9) were lost in extraction].
The availability is calculated from the average response time $T_{res}$ and the response probability $P_{res}$:

$$Avail = T_{ob} - \big[\, P_{res}\, T_{res} + (1 - P_{res})\, T_{ob} \,\big] \qquad (7)$$

where $T_{ob}$ is the observation time. The bracketed expression $P_{res} T_{res} + (1 - P_{res}) T_{ob}$ is the mathematical expectation of the time between sending a request and receiving the corresponding response for a legitimate user, an unanswered request being charged the whole observation time. (The operator between $T_{ob}$ and the bracket was lost in extraction; it is read as subtraction, which reproduces the attack-effect values reported in Section 5.)
In summary, the process of calculating the utility has been presented. Moreover, the process of calculating the utility of the combined defending strategy
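As an added worked example (not the paper's code), the following Python script carries formulas (5), (6), (7) and (4) through on the $P_{res}$ and $T_{res}$ values of Table 2 with $T_{ob} = 1000$ s from Table 1. It assumes the subtraction reading of formula (7); under that reading the attack effects it produces match the integer attack-effect values in Section 5 to within rounding. The `response_stats` helper and the sample timings used to exercise it are constructed for illustration.

```python
"""Availability and attack/defense effect from response statistics.

Implements formulas (5), (6), (7) and (4) of the paper.  The scenario table
is copied from Table 2; T_ob comes from Table 1.  Added example, not the
paper's code; formula (7) is read as "T_ob minus expected response time".
"""
from statistics import mean

T_OB = 1000.0  # observation time in seconds (Table 1)

# (P_res, T_res) per (attack, defense) scenario, copied from Table 2.
# "none" marks the absence of an attack or of a defense.
SCENARIOS = {
    ("none", "none"): (0.998529, 1.69191),
    ("LZSR", "none"): (0.50834, 6.54349),
    ("SZFR", "none"): (0.273042, 6.05851),
    ("LZSR", "IQ"): (0.610428, 7.16152),
    ("LZSR", "RL"): (0.939933, 8.328),
    ("LZSR", "SB"): (0.632467, 6.88435),
    ("SZFR", "IQ"): (0.483054, 6.68494),
    ("SZFR", "RL"): (0.442215, 6.16911),
    ("SZFR", "SB"): (0.995257, 5.33536),
}


def response_stats(answered, total_requests):
    """Formulas (5) and (6) from raw measurements (hypothetical helper).

    `answered` is a list of (t_i, t_i') pairs: send time and response arrival
    time of each request that did get a response.  Returns (T_res, P_res) with
    P_res as a fraction: the paper writes (6) as a percentage, but Table 2
    stores the fraction, which is what (7) consumes.
    """
    if total_requests <= 0:
        raise ValueError("total_requests must be positive")
    if not answered:
        # Convention chosen here: nothing answered -> P_res = 0, availability 0.
        return (T_OB, 0.0)
    t_res = mean(t_recv - t_send for t_send, t_recv in answered)
    p_res = len(answered) / total_requests
    return (t_res, p_res)


def expected_response_time(p_res, t_res, t_ob=T_OB):
    """Bracketed term of formula (7): expected wait of a legitimate user.
    An unanswered request (probability 1 - P_res) costs the whole window."""
    return p_res * t_res + (1.0 - p_res) * t_ob


def availability(p_res, t_res, t_ob=T_OB):
    """Formula (7), read as T_ob minus the expected response time."""
    return t_ob - expected_response_time(p_res, t_res, t_ob)


def attack_effect(attack, defense="none", scenarios=SCENARIOS):
    """Availability lost relative to the no-attack baseline.
    With defense="none" this is E_Att (E_Att0 in Section 5); otherwise it
    is E_Att_with_Def, the attack effect with the defense deployed."""
    base = availability(*scenarios[("none", "none")])
    return base - availability(*scenarios[(attack, defense)])


def defense_effect(attack, defense, scenarios=SCENARIOS):
    """Formula (4): E_Def = E_Att - E_Att_with_Def."""
    return (attack_effect(attack, "none", scenarios)
            - attack_effect(attack, defense, scenarios))


if __name__ == "__main__":
    for atk, dfn in SCENARIOS:
        if atk != "none":
            print(f"{atk} vs {dfn:4s}: E_Att_with_Def = {attack_effect(atk, dfn):7.2f}")
    print("E_Def(LZSR, IQ) =", round(defense_effect("LZSR", "IQ"), 2))
```

Running it reproduces, for example, 391 for LZSR vs. IQ and 65 for LZSR vs. RL, the values that appear (rounded) in the attack-effect table of Section 5; note how a small drop in $P_{res}$ dominates the result because every unanswered request is charged the full $T_{ob}$.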
5 EXPERIMENT
The experiment is simulated with SSFNet [18], a network simulator that contains modules mimicking DDoS attack activity. For generality, we randomly generated a network topology with 100 routers. Attackers, the victim and legitimate users are all attached to the routers; attackers and legitimate users send requests to the victim, and the victim responds to the requests.
The experiment uses the SYN flood as the attacking method. A SYN flood leaves TCP three-way handshakes with the victim incomplete by never sending the final ACK packet. The victim is forced to keep a large number of half-open connections, so its resources are exhausted and it can no longer respond to new requests; the objective of the DDoS attack is achieved.
In this experiment, LZSR is implemented as 500 zombies each sending 1/3 request/s, and SZFR as 200 zombies each sending 1 request/s. IQ is implemented by raising $Q_{limit}$ from 4000 to 8000, and RL by dropping all packets once the traffic exceeds 800 Kbps. The remaining parameters are listed in Table 1.
Table 1. Experiment parameters

Parameter    Meaning                                          Value
Q_limit      the maximum number of half-open connections      4000
BW_thres     the bandwidth of the bottleneck link (Mbps)      2
T_ob         the time of observation (second)                 1000
(·)_Att      the adjust parameter for the attack effect       0.6
(·)_Att      the adjust parameter for the attack cost         0.1
(·)_Def      the adjust parameter for the defense effect      1
(·)_Def      the adjust parameter for the defense cost        0.03
Cost_LZSR    the cost of LZSR                                 100
Cost_SZFR    the cost of SZFR                                 75
Cost_IQ      the cost of IQ                                   200
Cost_RL      the cost of RL                                   500
Cost_SB      the cost of SB                                   1000

(The Greek letters of the four adjust parameters were lost in extraction; only their subscripts survive.)
SSFNet is used to simulate different DDoS scenarios in which the attacker and the defender take different strategies. The values of $P_{res}$ and $T_{res}$ collected in these scenarios are shown in Table 2.

Table 2. P_res and T_res collected in different scenarios

Scenario                   P_res       T_res
No Attack, No Defense      0.998529    1.69191
LZSR without Defense       0.50834     6.54349
SZFR without Defense       0.273042    6.05851
LZSR vs. IQ                0.610428    7.16152
LZSR vs. RL                0.939933    8.328
LZSR vs. SB                0.632467    6.88435
SZFR vs. IQ                0.483054    6.68494
SZFR vs. RL                0.442215    6.16911
SZFR vs. SB                0.995257    5.33536
Defense effects of the strategies in $S_{Def0}$ are calculated with formulas (3), (4) and (7); defense effects of the strategies in $S_{DefCom}$ are calculated with formula (8). The results are shown in Table 3.

Table 3.

Utility      LZSR     SZFR
IQ           32.4     97.2
RL           218      62.6
SB           5.6      363.2
IQ-RL        196.4    129.8
IQ-SB        22.4     334.4
RL-SB        158.2    324.4
IQ-RL-SB     134.2    295
Attack effect under each defending strategy (the table heading was lost in extraction; the rows follow the order of Table 3). The values match $E_{Att\_with\_Def}$ computed from Table 2 with formula (7) and $T_{ob} = 1000$ to within rounding.

Strategy     LZSR    SZFR
IQ           391     517
RL           65      558
SB           369     7
IQ-RL        51      396
IQ-SB        291     5
RL-SB        48      5
IQ-RL-SB     38      4
Utility      LZSR    SZFR
IQ           388     514
RL           62      555
SB           366     4
IQ-RL        48      393
IQ-SB        288     2
RL-SB        45      2
IQ-RL-SB     35      1
6 CONCLUSION
To confront the severe threat of DDoS attacks, this paper proposed an approach that first generates new defending strategies and then selects the optimal one among them. First, the GMDCS model is built on game theory. Then, from the legitimate user's perspective, the attack effect and the defense effect are defined; they enter the calculation of the attack utility and the defense utility in GMDCS. Next, new defending strategies are generated by combining existing defending strategies, and the utilities of the combined defending strategies and of the corresponding attacking strategies are calculated. Finally, the optimal defending strategy is selected by solving the Nash equilibrium. Experiments performed with the network simulator SSFNet validate the effectiveness of the method.
Much remains to be done. The cost of the defending strategies should be surveyed from more aspects, and an efficient method of generating strategy combinations and eliminating bad candidates at an early stage has to be found. We shall work on these in the future.
7 ACKNOWLEDGEMENT
This work was supported by the National High-Tech Research and Development Plan of China under Grant No. SQ2013GX02D01211 and 2011AA01A203, the National Natural Science Foundation of China under Grant No. 61100226 and 61303248, the Beijing Natural Science Foundation under Grant No. 4122085 and 4144089, and the National Science & Technology Pillar Program of China during the Twelfth Five-year Plan Period under Grant No. 2012BAK26B01.
8 REFERENCES
[1] to [13]: entries lost in extraction.
[16] Jiang, W., et al. Optimal Network Security Strengthening Using Attack-Defense Game Model. In: Sixth International Conference on Information Technology: New Generations (ITNG '09), 2009.
[17] Bedi, H.S., S. Roy, and S. Shiva. Game theory-based defense mechanisms against DDoS attacks on TCP/TCP-friendly flows. In: 2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS), 2011.
[18] SSFNet, Scalable simulation framework network models, http://www.ssfnet.org/homePage.html.