DEVELOPMENT OF AN INTERNET PROTOCOL TRACEBACK SCHEME FOR DENIAL OF SERVICE ATTACK SOURCE DETECTION
ABSTRACT
This dissertation presents the development of an Internet Protocol (IP) traceback scheme for the detection of a denial of service (DoS) attack source based on the shark smell optimization algorithm (SSOA). Detecting the source of a DoS attack is very important because of the serious damage the attack causes and the need to bring the perpetrators to justice to stop the menace. DoS attack is a major threat to the security of network systems and consists of attacks that exploit vulnerabilities in a network to overload it with tasks and prevent it from attending to other legitimate users. A flash event (FE) can cause a traffic surge in a part of the network crossed by the attack path that is being traced. A flash event traffic surge can be very similar to a DoS attack and may mislead the present IP traceback schemes that are based on swarm optimization algorithms when they trace the source of an attack using a flow-based search method. The challenge is more pronounced with flow-based search for detecting the attack source because a flash event flow surge shares very similar characteristics with a DoS flooding attack. In order to mitigate the challenge of flash event traffic surges causing errors in IP traceback schemes, a DoS attack source traceback scheme based on the shark smell optimization algorithm, called SSOA-DoSTBK, was developed. It incorporates a discernment policy for implementing a hop-by-hop search that avoids flash event traffic surges and ascertains the nodes that are actually involved in routing the attack packets. This scheme was simulated in Network Simulator version 2 (NS2). The performance of SSOA-DoSTBK was evaluated using False Error Rate (FER), convergence time, and the ability to detect a spoofed IP attack source based on the correctness of the returned path as performance metrics. It was compared with results obtained from a scheme reported in the literature called the modified ant colony system algorithm for IP traceback (ACS-IPTBK).
The SSOA-DoSTBK performed better in FER and spoofed IP attack tests by as much as 32.06%. However, ACS-IPTBK converged faster than the SSOA-DoSTBK in the tests by as much as 1.2%.