An NTP-based Detection Module for DDoS Attacks on IoT


2017 IEEE International Conference on Consumer Electronics - Taiwan (ICCE-TW)

Tamotsu KAWAMURA, Masaru FUKUSHI, Yasushi HIRANO, Yusuke FUJITA and Yoshihiko HAMAMOTO
Yamaguchi University, Japan

Abstract-- This paper proposes an event detection module for distributed denial of service (DDoS) attacks on the Internet of Things (IoT). Different from existing detection modules using knowledge-based filtering, the proposed module focuses on the system behavior under DDoS attacks and detects it utilizing information obtained from NTP, which is used in the time synchronization service. We conducted demonstration experiments with the developed module, generating pseudo DDoS attacks. The result shows that the proposed module achieves high recall and precision values, indicating its usefulness in real-time event detection on IoT.

I. INTRODUCTION

In recent years, there has been a rapidly growing interest in the Internet of Things (IoT), and thus information security control has become a primary concern. Event detection means detecting events that are presages of a security incident. As advised in the latest Information Security Management System (ISMS) [1], event detection is key to preventing security incidents and mitigating their damage. There are several types of event detection modules, such as packet capture, firewalls, IDS/IPS [2] and honeypots. However, those modules need periodic maintenance involving technical knowledge and cannot detect unknown attacks [3]. Moreover, a detection module becomes a bottleneck and may cause a system failure when the network is overloaded by attacks. Therefore, existing modules are not suitable for real-time event detection in the IoT environment, where system resources are limited.

This paper proposes an event detection module which can be embedded into IoT devices. The proposed module focuses on the system behavior under DDoS attacks and detects it utilizing information obtained from NTP, which is used in the time synchronization service. The advantage of the module is that, different from the existing ones, it requires neither additional expensive equipment (e.g. a monitoring server) nor periodic maintenance involving technical knowledge.

II. PROPOSED EVENT DETECTION MODULE

A. Basic Idea

The local clock (i.e. system clock) is important for nodes on the Internet. The local clock falls behind or runs ahead of the correct time due to various factors. Therefore, the local clock is generally adjusted and synchronized with the standard time by a network time synchronization service. This service has the functions of both an NTP [4] client and server. Each NTP client accesses its local NTP server to measure the deviation from the primary reference clock (i.e. the clock of a top-level NTP server), as well as the request delay time (δu) and response delay time (δd) between the clients and the NTP server. Using that information, the clock offset (ro) is calculated for adjusting the local clock to the correct one.

When a node (e.g. an IoT device) receives vast amounts of packets from a DDoS attack, many interrupts occur in a chain reaction inside the system, which leads the system to be overloaded. Accordingly, fluctuation occurs in the system clock and in communication delay. In a critical situation, the fluctuation of the system clock becomes large because time synchronization processing is skipped. Focusing on this system behavior, we detect events and decide whether they are presages of an incident or not from the information of ro, δu and δd.

B. Procedure of Event Detection

The procedure of the event detection is described below.
1) Data capture: record ro, δu and δd. Let d represent any one of ro, δu or δd.
2) Computation of basic statistics indicator: compute the average and the standard deviation of d for all ds recorded in the system.
3) Noise filtering: regard d as noise and replace it by the average value if it lies outside the 96% confidence interval (i.e. triple standard deviation).
4) Computation of statistics indicator: compute the moving average of d, denoted by SMA(d), for the ds over one span (i.e. the last n ds). Then, compute the average and the standard deviation of SMA(d) for the last N SMA(d)s. Finally, compute the coefficient of variance, CV(d), defined by the standard deviation of SMA(d) / SMA(d).
5) Event detection: decide that an event occurred at the span if all CV(d)s are outside the 68% confidence interval (i.e. double coefficient of variance). An event flag Fd is defined which takes the value of either 0 (no event) or 1 (event).
6) Incident detection: decide that the event detected in 5) is a predictor of an incident if either one of the following two conditions is satisfied:
   a) (Fro = 1 ∧ Fδu = 1 ∧ Fδd = 1) ∧ (0.9 ≤ CV(ro) ∧ 0.5 ≤ CV(δu) ∧ 0.5 ≤ CV(δd))
   b) (Fro = 1 ∧ Fδu = 1 ∧ Fδd = 1) ∧ (0.5 ≤ CV(ro) ∧ (0.9 ≤ CV(δu) ∨ 0.9 ≤ CV(δd)))
Generally, it is said that fluctuation is observed on d if CV(d) is in the range from 0.5 to 1.0, and that the fluctuation is significant if CV(d) is over 1.0. We set more stringent conditions in a) and b) to avoid overlooking the predictor of incidents.
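As an added worked example (not the authors' C module and not code from the paper), the six-step procedure above applied in Python to constructed ro, δu and δd traces. N = 600 and n = 30 follow the paper's settings; everything else is this example's assumption: step 4's CV is taken as the standard deviation of the SMA series divided by its mean, step 5 is read as "flag d when its CV exceeds twice the CV seen at normal times", and the function names and the quiet/bursty sample traces are invented here.

```python
"""Added example of the Sec. II.B procedure (assumed reading, not the paper's code)."""
from statistics import mean, pstdev

N = 600   # samples kept in the system (paper's setting)
n = 30    # samples per span (paper's setting)


def noise_filter(samples):
    """Step 3: a sample farther than three standard deviations from the mean
    is regarded as noise and replaced by the mean."""
    mu, sigma = mean(samples), pstdev(samples)
    return [mu if abs(x - mu) > 3 * sigma else x for x in samples]


def moving_averages(samples, span=n):
    """Step 4: SMA(d) over every window of `span` consecutive samples."""
    return [mean(samples[i:i + span]) for i in range(len(samples) - span + 1)]


def coefficient_of_variation(values):
    """Step 4: CV(d) as standard deviation / mean of the SMA series
    (assumed reading of 'standard deviation of SMA(d) / SMA(d)')."""
    mu = mean(values)
    return pstdev(values) / abs(mu) if mu else 0.0


def span_cv(samples, span=n):
    """Steps 2-4 for one metric over the last N recorded samples."""
    return coefficient_of_variation(moving_averages(noise_filter(samples[-N:]), span))


def event_flags(cv, baseline, factor=2.0):
    """Step 5 (assumed reading): F_d = 1 when CV(d) is more than `factor`
    times the CV of the same metric observed at normal times."""
    return {k: int(cv[k] > factor * baseline[k]) for k in cv}


def incident(cv, flags):
    """Step 6: conditions a) and b) as stated in the paper."""
    all_flagged = flags["ro"] == 1 and flags["du"] == 1 and flags["dd"] == 1
    cond_a = cv["ro"] >= 0.9 and cv["du"] >= 0.5 and cv["dd"] >= 0.5
    cond_b = cv["ro"] >= 0.5 and (cv["du"] >= 0.9 or cv["dd"] >= 0.9)
    return all_flagged and (cond_a or cond_b)


def analyse(traces, baseline_traces):
    """Run the whole procedure on dicts of ro/du/dd sample lists."""
    cv = {k: span_cv(v) for k, v in traces.items()}
    base = {k: span_cv(v) for k, v in baseline_traces.items()}
    flags = event_flags(cv, base)
    return {"cv": cv, "flags": flags, "incident": incident(cv, flags)}


# --- constructed sample traces (invented here, not measurements from the paper) ---
def quiet_trace(base, period, count=N):
    """Steady clock: the value wobbles by about +-1% in a short repeating pattern."""
    half = period // 2
    return [base * (1 + 0.01 * ((i % period) - half)) for i in range(count)]


def bursty_trace(base, peak, count=N, quiet_len=90, burst_len=30):
    """Overloaded node: calm stretches broken by blocks of large offset/delay."""
    period = quiet_len + burst_len
    return [peak if (i % period) >= quiet_len else base for i in range(count)]


BASELINE = {"ro": quiet_trace(1.0, 7), "du": quiet_trace(0.5, 7), "dd": quiet_trace(0.5, 7)}
NORMAL = {"ro": quiet_trace(1.0, 5), "du": quiet_trace(0.5, 5), "dd": quiet_trace(0.5, 5)}
ATTACK = {"ro": bursty_trace(1.0, 91.0), "du": bursty_trace(0.5, 45.5), "dd": bursty_trace(0.5, 45.5)}

if __name__ == "__main__":
    for name, traces in (("normal", NORMAL), ("attack", ATTACK)):
        r = analyse(traces, BASELINE)
        print(name, {k: round(v, 3) for k, v in r["cv"].items()}, r["flags"], r["incident"])
```

The bursty traces give a CV of roughly 1.3 for all three metrics, so condition a) fires; the quiet traces stay near zero and raise no flag. Note that the CV is undefined when the mean of the SMA series is zero, which a clock offset that hovers around zero can produce; a deployment would need to handle that case explicitly.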

978-1-5090-4017-9/17/$31.00 ©2017 IEEE


III. EXPERIMENT

A. Experimental Methodology

We have developed an event detection module based on the above detection method in the C language and conducted demonstration experiments. The purpose of the experiment is to confirm the effectiveness of the developed detection module; therefore, we check whether the module reliably detects incidents when pseudo-DDoS attacks are generated, and whether it avoids falsely detecting incidents at normal times without attacks.

Fig. 1 shows the experiment environment. The target node of the DDoS attacks is TL-IoT. There are two attack routes: in the first route, an outside attacker MW attacks TL-IoT directly, and in the second route, MW attacks TL-IoT indirectly via a node ML in the same LAN. Nodes TL-IoT and ML have been implemented using the single-board computer Raspberry Pi [5], and the node MW using a personal computer. The specifications of the computers are listed in Table I. To conduct the experiment in a realistic situation, some background processes are run on the node TL-IoT, such as WWW, FTP and file sharing (Samba) services. As the time synchronization module, we adopt chrony [6], which has superior time correction. The polling interval between TL-IoT and a local NTP server ND is set to 2 seconds, and that between ND and a top-level NTP server NW to 1024 seconds. The number of data recorded in the system (i.e. N) is set to 600, and the number in one span (i.e. n) to 30.

We have conducted the following two experiments.

Experiment 1: with DDoS attacks
Exp-1-1: the detection target TL-IoT is the victim of attacks; MW attacks TL-IoT directly.
Exp-1-2: the detection target ML is the springboard of attacks; MW attacks TL-IoT via ML.
In both experiments, Apache Bench [7], a web load testing tool, is used to generate DDoS attacks. The attack uses 100 simultaneous connections that issue 100000 requests in total.

Experiment 2: without DDoS attacks (normal times)
Exp-2-1: no user process is executed.
Exp-2-2: file transfer is executed as a user process. A file of 10MiB is transferred from TL to TL-IoT by ftp.

The experiment time of one trial is approximately 20 minutes. The total number of trials is 60, i.e. 30 for each experiment.

B. Results

The results of experiments 1 and 2 are shown in Table II. The column titled "presence" represents the results of experiment 1 and "absence" those of experiment 2. All attacks are detected, but there are a few false detections. From the results in Table II, we calculate precision and recall, defined by TP/(TP+FP) and TP/(TP+FN), respectively. The value of precision is 0.92 and that of recall is 1.0, which show a favorable balance of strictness and completeness [8][9]. This indicates that the developed module is useful for real-time event detection on IoT.

Fig. 1. Experiment environment.

TABLE I
SPECIFICATION OF COMPUTERS

Node          CPU (clock freq.)               Memory   OS (kernel)
TL-IoT, ML    ARM1176JZF-S ARMv6l (700MHz)    512MB    Raspbian 7.8 (4.1.13+)
MW            AMD Athlon II X2 220 (2.8GHz)   10GB     Fedora 21 (4.1.13)

TABLE II
RESULT OF EVENT DETECTION

                         DDoS attack
Detection                presence     absence
positive                 TP 30        FP 5
negative                 FN 0         TN 25
Note: T = true, F = false, P = positive, N = negative

IV. CONCLUSIONS

In this paper, we have proposed an event detection module for DDoS attacks utilizing the information from the network time synchronization service. The module is implemented on a compact single-board computer, and demonstration experiments are conducted. From the results of the experiments, we confirmed the usefulness of the detection module for real-time event detection on IoT.

REFERENCES

[1] ISO/IEC JTC 1/SC 27, "ISO/IEC 27002:2013".
[2] O. Depren, M. Topallar, E. Anarim, M. K. Ciliz, "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks," Expert Systems with Applications, vol. 29, pp. 713–722, 2005.
[3] C. Buragohain, M. J. Kalita, S. Singh, D. K. Bhattacharyya, "Anomaly based DDoS Attack Detection," International Journal of Computer Applications (FCS), vol. 123, no. 17, pp. 35–40, 2015.
[4] D. Mills, U. Delaware, J. Martin, J. Burbank, W. Kasch, "RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification," 2010. https://www.ietf.org/rfc/rfc5905.txt
[5] Raspberry Pi Foundation, http://www.raspberrypi.org/
[6] Red Hat Inc., "Red Hat Enterprise Linux: Differences Between ntpd and chronyd," https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html#sect-differences_between_ntpd_and_chronyd
[7] The Apache Software Foundation, "ab," http://httpd.apache.org/docs/2.4/programs/ab.html
[8] Megan Davidson, "The interpretation of diagnostic tests," Australian J. Physiotherapy, vol. 48, no. 3, pp. 227–232, 2002.
[9] A. S. Glas, J. G. Lijmer, M. H. Prins, G. J. Bonsel, P. M. M. Bossuyt, "The diagnostic odds ratio," J. Clinical Epidemiology, vol. 56, pp. 1129–1135, 2003.
