INTRODUCTION:
Availability of services in a networked system is a security concern that has received enormous attention in recent years. Most research in this area is on designing and verifying defense mechanisms against denial-of-service (DoS) attacks. A DoS attack is characterized by malicious behavior that prevents the legitimate users of a network service from using that service. There are two principal classes of these attacks: flooding attacks and logic attacks. A flooding attack such as SYN flood, Smurf, or TFN2K sends an overwhelming number of requests for a service offered by the victim. These requests deplete some key resource at the victim so that legitimate users' requests for the same service are denied. A resource may be the capacity of a buffer, CPU time to process requests, the available bandwidth of a communication channel, etc. This paper uses the concept of Nash equilibrium not only in a descriptive way but also in a prescriptive one. In doing so, the difficulty level of puzzles, the random number generators, and the other parameters of a puzzle-based defense are adjusted so that the attacker's optimum strategy, prescribed by the Nash equilibrium, does not lead to the exhaustion of the defender's resources. If the defender plays his part in the Nash equilibrium prescription as his defense against flooding attacks, the best thing for the attacker to do is to be in conformity with the prescription as well.
Such games are well suited to modeling the possible interactions between a defender and an attacker in a flooding attack-defense scenario. The paper describes the game of the client-puzzle approach in detail and explains the technique of designing puzzle-based defense mechanisms using game-theoretic solution concepts. Section 6 discusses the defense mechanisms proposed in this paper and compares them with the earlier puzzle-based defenses. It also outlines future research in the game-theoretic study of the client-puzzle approach.
LITERATURE SURVEY:
Client-puzzle approach: Mobile services draw attacks from Internet and mobile users alike. Denial-of-service (DoS) attacks aim to frustrate a legitimate user's access to mobile services or to bring down servers by depleting system resources. Many approaches have been proposed to thwart these attacks. A client puzzle from the server, which forces the client to solve it before communication, is one of these approaches. The server can adjust the difficulty level of the puzzle for access control and against DoS attacks according to current resource consumption and the communication scenario. Currently, many types of client puzzles have no fine-grained control over difficulty: the next higher difficulty level is often twice as hard as the current one. In this paper, we propose a method based on partial collisions in hash functions. Our approach provides fine-grained control over difficulty by introducing a quasi partial collision concept. The results obtained confirm the fine granularity and efficiency of our approach. We explore new techniques for the use of cryptographic puzzles as a countermeasure to denial-of-service (DoS) attacks. We propose simple new techniques that permit the outsourcing of puzzles, that is, their distribution via a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion. We show how a bastion, somewhat surprisingly, need not know which servers rely on its services. Indeed, in one of our constructions, a bastion may consist merely of a publicly accessible random data source rather than a special-purpose server. Our outsourcing techniques help eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism itself, withstanding over 80% more attack traffic than previous methods in our experiments. Second, our scheme is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, our method allows clients to solve puzzles offline, reducing the need for users to wait while their computers solve puzzles. We present a prototype implementation of our approach, and we describe experiments that validate our performance claims.
Flooding DoS Attack: A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. There are two general forms of DoS attacks: those that crash services and those that flood services. One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. A permanent denial-of-service (PDoS), also known loosely as phlashing,[9] is an attack that damages a system so badly that it requires replacement or reinstallation of hardware.[10] Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image, a process which, when done legitimately, is known as flashing. This therefore "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced. The PDoS is a pure hardware-targeted attack which can be much faster and requires fewer resources than using a botnet in a DDoS attack. Because of these features, and the potential and high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacker communities. PhlashDance is a tool created by Rich Smith[11] (an employee of Hewlett-Packard's Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.
GAME THEORY: Game theory is a branch of applied mathematics that is used in the social sciences, most notably in economics, as well as in biology (particularly evolutionary biology and ecology), engineering, political science, international relations, computer science, and philosophy. Game theory attempts to mathematically capture behavior in strategic situations, or games, in which an individual's success in making choices depends on the choices of others. While initially developed to analyze competitions in which one individual does better at another's expense (zero-sum games), it has been expanded to treat a wide class of interactions, which are classified according to several criteria. Today, "game theory is a sort of umbrella or 'unified field' theory for the rational side of social science, where 'social' is interpreted broadly, to include human as well as non-human players (computers, animals, plants)" (Aumann 1987). Traditional applications of game theory attempt to find equilibria in these games. In an equilibrium, each player of the game has adopted a strategy that they are unlikely to change. Many equilibrium concepts have been developed (most famously the Nash equilibrium) in an attempt to capture this idea. These equilibrium concepts are motivated differently depending on the field of application, although they often overlap or coincide. This methodology is not without criticism, and debates continue over the appropriateness of particular equilibrium concepts, the appropriateness of equilibria altogether, and the usefulness of mathematical models more generally. Although some developments occurred before it, the field of game theory came into being with Émile Borel's research in his 1938 book Applications aux Jeux de Hasard, and was followed by the 1944 book Theory of Games and Economic Behavior by John von Neumann and Oskar Morgenstern. This theory was developed extensively in the 1950s by many scholars. Game theory was later explicitly applied to biology in the 1970s, although similar developments go back at least as far as the 1930s. Game theory has been widely recognized as an important tool in many fields. Eight game theorists have won the Nobel Memorial Prize in Economic Sciences, and John Maynard Smith was awarded the Crafoord Prize for his application of game theory to biology.
(Figure; labels: EFFICIENT SERVER, SENDING PUZZLE, CONNECTION ESTABLISH, FILE REQUEST, SHARING DATA, DATABASE)
MODULES:
1. CLIENT REQUEST
2. FLOODING DENIAL OF SERVICE ATTACK
3. SENDING PUZZLE TO CLIENT
4. EFFICIENT SERVER RESPONSE
5. FILE REQUEST
6. EFFICIENT SERVER SENDS FILE
MODULES DESCRIPTION:
MODULE 1: CLIENT REQUEST: In this module a system has to request a connection to the efficient server; the server has to make a connection with any one efficient server for communication. Then the server processes the request from the client.
MODULE 2: FLOODING DENIAL OF SERVICE ATTACK: In this module the attackers send n requests to the server to slow down the server's processing. Because of this, the server is not able to respond to the client's request.
MODULE 3: SENDING PUZZLE TO CLIENT: In this module the system sends a puzzle to the client, and the client must solve the puzzle within a particular time. The client then sends the solved puzzle to the efficient server (the defender). The server repeats this process for every client.
MODULE 4: EFFICIENT SERVER RESPONSE:
MODULE 5: FILE REQUEST: In this module, the client asks the main server (the efficient server) for a Word document file. The efficient server checks for the particular file in its database and, if found, sends its port number.
MODULE 6: EFFICIENT SERVER SENDS FILE: In this module the efficient server sends the file to the authenticated client. The efficient server creates a mutual connection to the client. After an authenticated connection, the client can access the server efficiently.
MODULE DIAGRAM:
CLIENT REQUEST: (figure; labels: REQUEST, GAME SOLUTION, CLIENT RECEIVES PUZZLE AND FIND SOLUTION, RESPONSE, AUTHORIZATION CLIENT)
FILE REQUEST: (figure; labels: AUTHORIZATION SERVER, SENDING FILE, AUTHORIZATION CLIENT)
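The puzzle exchange of MODULE 3 and the fine-grained difficulty control described in the literature survey, as an added example that is not code from this paper or from the surveyed works: a threshold-comparison hash puzzle (SHA-256 output compared against a target) stands in for the surveyed quasi-partial-collision construction, and the load-to-difficulty policy, the timeout and all names are assumptions made here.

```python
import hashlib
import os
import time

HASH_BITS = 256  # output size of SHA-256, the hash assumed in this example

def make_puzzle(difficulty_bits: float) -> dict:
    """Server side: issue a fresh puzzle of the requested difficulty.
    The client must find x with SHA-256(nonce || x) < target; expected
    work is about 2**difficulty_bits hashes. Fractional values such as
    12.5 give finer steps than the doubling of plain leading-zero puzzles."""
    nonce = os.urandom(16)
    target = int(2 ** (HASH_BITS - difficulty_bits))
    return {"nonce": nonce, "target": target, "issued": time.monotonic()}

def _digest(nonce: bytes, x: int) -> int:
    return int.from_bytes(hashlib.sha256(nonce + x.to_bytes(8, "big")).digest(), "big")

def solve_puzzle(puzzle: dict, max_tries: int = 1 << 22):
    """Client side: brute-force x until the hash falls below the target."""
    for x in range(max_tries):
        if _digest(puzzle["nonce"], x) < puzzle["target"]:
            return x
    return None  # gave up: the client could not meet the difficulty

def verify_solution(puzzle: dict, x, timeout_s: float = 5.0) -> bool:
    """Server side: one hash and one comparison whatever the difficulty,
    so a flood of bogus answers costs the server almost nothing.
    Late answers are rejected (MODULE 3's 'particular time')."""
    if x is None or time.monotonic() - puzzle["issued"] > timeout_s:
        return False
    return _digest(puzzle["nonce"], x) < puzzle["target"]

def choose_difficulty(load: float, base: float = 8.0, step: float = 0.5, max_bits: float = 20.0) -> float:
    """Assumed server policy: raise difficulty in half-bit steps as measured
    load (0.0 idle .. 1.0 saturated) rises. Each half-bit step multiplies
    the client's expected work by sqrt(2) instead of 2."""
    load = min(max(load, 0.0), 1.0)
    return base + round(load * (max_bits - base) / step) * step

def expected_work_ratio(bits_a: float, bits_b: float) -> float:
    """How much more work a puzzle of bits_b costs than one of bits_a."""
    return 2 ** (bits_b - bits_a)

if __name__ == "__main__":
    puzzle = make_puzzle(choose_difficulty(load=0.1))  # 9.0 bits under light load
    answer = solve_puzzle(puzzle)
    print("answer", answer, "accepted", verify_solution(puzzle, answer))
```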
DEFENSE STRATEGIES: The solution concepts of infinitely repeated games with discounting are used to design the optimum puzzle-based defense strategies against flooding attacks. In general, the strategies prescribed by such solutions fall into two categories: history independent (open loop) and history dependent (closed loop).
Open-Loop Solutions: In an open-loop strategy, the action profiles adopted in previous periods are not involved in a player's decision at the current period. More formally, in the repeated game of the client-puzzle approach.
Closed-Loop Solutions: However, there are many payoff vectors in the convex hull with greater payoffs for the defender. Thus a natural question arises: is there a better fair solution to the game, one that results in a greater payoff to the defender? As proven for games of perfect information, there is a large subset of the convex hull whose payoff vectors can be supported by perfect Nash equilibria, provided that suitable closed-loop strategies are adopted.
CLASS DIAGRAM: (figure; labels: PUZZLE, CLIENT)
STATE DIAGRAM: (figure; labels: EFFICIENT CLIENT, EFFICIENT SERVER, SENDING PUZZLE, AUTHENTICATION CONNECTION)
SEQUENCE DIAGRAM: (figure; labels: EFFICIENT SERVER, ATTACKERS, REQUEST, SENDING PUZZLE, ACCURATE SOLUTION, INCORRECT SOLUTION, AUTHENTICATED CONNECTION, FILE REQUEST)
COLLABORATION DIAGRAM: (figure; labels: EFFICIENT CLIENT, EFFICIENT SERVER, 4: SENDING PUZZLE, ATTACKERS)
COMPONENT MODEL: (figure; labels: ATTACKERS, EFFICIENT SERVER, EFFICIENT CLIENT)
SYSTEM ARCHITECTURE: (figure; labels: EFFICIENT CLIENT 1, EFFICIENT CLIENT 2, ATTACKERS, SEND FILES, PRIMARY DATABASE, SECONDARY DATABASE)
ADVANTAGE:
o The proposed puzzle uses game theory, so the attacker cannot solve the puzzles.
o Without solving the game-theory puzzle, attackers cannot perform an intense attack.
CONCLUSION: This paper utilizes game theory to propose a number of puzzle-based defenses against flooding attacks. It is shown that the interactions between an attacker who launches a flooding attack and a defender who counters the attack using a puzzle-based defense can be modeled as an infinitely repeated game with discounted payoffs. Then, the solution concepts of this type of game are deployed to find the solutions, i.e., the best strategy a rational defender can adopt in the face of a rational attacker. In this way, the optimal puzzle-based defense strategies are developed.
REFERENCE OR BIBLIOGRAPHY:
D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115-139, May 2006.
A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for Classifying Denial of Service Attacks," Proc. ACM SIGCOMM '03, pp. 99-110, 2003.
A.R. Sharafat and M.S. Fallah, "A Framework for the Analysis of Denial of Service Attacks," The Computer J., vol. 47, no. 2, pp. 179-192, Mar. 2004.
C.L. Schuba, I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a Denial of Service Attack on TCP," Proc. 18th IEEE Symp. Security and Privacy, pp. 208-223, 1997.
"Smurf IP Denial-of-Service Attacks," CERT Coordination Center, Carnegie Mellon Univ., 1998.