Abstract
Under the influence of the global epidemic, businesses have moved online one after another. With the rise of emerging industries such as online medical treatment, online education, and online conferencing, the proportion of attacks aimed at the network service industry has increased year by year. UDP flood is still the primary scenario of DDoS attacks. Among UDP reflection methods, NTP (Network Time Protocol) reflection has become the most common, accounting for 59% of the overall distribution, because a large number of attack resources are available and most of them are high-configuration servers. Establishing an efficient NTP attack detection system is therefore an important part of defending against malicious network attacks. At present, NTP attack defense methods mainly include IP filtering, hop mapping, and response packet detection, but each has obvious weaknesses: the IP filtering scheme can only detect historical attack IPs, the hop mapping scheme is complex to implement, and the resource overhead of the response packet detection scheme is too large. This paper therefore proposes a nonlinear detection algorithm based on the AHP multidimensional matrix quad information entropy. Through simulation experiments, the change of the quad information entropy as the attack intensity grows from 10% to 100% is counted. The detection rates of the traditional algorithms based on the target IP and target port are only 50% and 60%, which is significantly lower than this algorithm. Experiments show that the detection rate of this algorithm is higher.
1. Introduction
In the context of the global epidemic, with the need to reduce personal contact and more and more businesses migrating online, it is extremely urgent to protect these businesses from DDoS attacks. According to the “Global DDoS Threat Report for the First Half of 2021” [1] jointly released by Lvmeng Technology and Tencent, the number of large-traffic attacks above 100 G in the first half of 2021 reached 2544, an increase of more than half compared with H1 in the same year, and UDP flood is still the primary scenario of DDoS attacks. In a UDP flood attack, an attacker sends a large number of connectionless UDP packets with forged source IP addresses and can quickly exhaust the target's resources so that it cannot work properly. Among these, because a large number of attack resources are available and most of them are high-configuration servers, NTP reflection has become the most common UDP reflection attack method, accounting for 59% of the overall distribution, as shown in Figure 1.

NTP (Network Time Protocol) is a network protocol that synchronizes the clocks of two computers by exchanging packets. The latest version is NTPv4, and the latest stable release is NTPv4.2.8p15. An NTP attack differs from a general DDoS attack in that it uses serving NTP servers as reflection points to send response packets to the victim [2, 3]. When a large number of response packets flow to the attack target, the target's resources are exhausted, resulting in a denial of service [4]. An attacker can forge an NTP server to attack by taking advantage of hidden dangers in key management, and can also exploit buffer overflow and other vulnerabilities in NTP to gain control of the server and attack from it [5]. Therefore, establishing an efficient NTP attack detection system is an important part of defending against malicious network attacks.
2. Related Work
At present, there is much research on NTP-related UDP reflection attacks. Generally speaking, it can be divided into three categories: IP filtering, hop mapping, and response packet detection. Peng et al. [6] proposed a filtering scheme based on IP addresses, in which many reflection monitors are deployed in the network; after detecting an attack, a monitor sends an attack message to the other monitors. However, the applicable area is relatively small, and attack behavior of IP addresses outside the recorded set cannot be detected. Jin et al. [7] proposed a filtering scheme based on packet hop mapping; this scheme clusters the hop counts of IP packets and builds a hop mapping table to detect forged attack packets, but it is not easy to operate. Ohta and Yamamoto [8] proposed a response packet detection model; its authors believe that the packets reflecting DDoS attacks are limited. This scheme inspects only a limited number of sessions and confirms the validity of packets from the relationship between request and response in order to identify attacks, but it consumes too many resources. In this paper, a nonlinear detection algorithm based on the AHP multidimensional matrix quad information entropy is proposed. First, a real attack environment is simulated with the attack intensity ranging from 0% to 100%, and the entropy values of the network quad (source IP address, target IP address, source port, and target port) under the different attack intensities are calculated. Then the quad entropy is normalized using the judgment matrix, and the comparison shows that this method is more effective than the traditional entropy-based detection algorithms that use only the target IP address or target port number.
3. Algorithm Design
3.1. Multidimensional Entropy Algorithm Based on Network Quad
Information entropy is a concept created by Shannon that reflects the degree of dispersion of the data in a set. In essence, it is a measure of the uncertainty of random events: the greater the randomness, the greater the entropy; conversely, the smaller the randomness, the greater the certainty and the smaller the entropy [9]. Entropy is generally expressed in . Let a system be composed of different sets of elements, where the probability of each variable is , expressed as
The formula of information entropy is defined as
In this paper, an entropy algorithm based on the network quadruple is proposed. First, we define the network packet quadruple (source IP address, destination IP address, source port, and destination port) as a flow table: , whose entropy per unit time is . Then, according to the different sensitivity of each entropy to attack, the four entropies are given weights by the judgment matrix . Finally, the weighted entropy of the data stream is computed, with the formula defined as
3.2. Evaluation of NTP Attack Packet Value Based on Judgment Matrix Analytic Hierarchy Process
3.2.1. AHP
The Analytic Hierarchy Process (AHP) [10] was proposed by Saaty, an American operations research scientist. It combines subjective and objective evaluation to simplify the problem and reach a final conclusion. AHP has two steps. The first is to compare the influencing factors pairwise to form a judgment matrix. The second is to solve for the eigenvector of the matrix to obtain the priority weights and finally calculate the final weight.
3.2.2. Construct Judgment Matrix
The idea of the model is to substitute the network quadruple into the analytic hierarchy process, determine the importance of each element according to its impact on the target attack, and then calculate the relative value relationship of the various messages [11]. On this basis, the importance of each quadruple element for value evaluation is compared pairwise. Measured on a scale of 1 to 9, the importance of the quadruple elements is shown in Table 1.
According to the above table, the judgment matrix is obtained:
According to formulas (5), (6), and (7):
Verification:
Calculate the maximum eigenvalue of the judgment matrix and normalize the fourth-order matrix:
Construct a fourth-order matrix :
Construct the normalized matrix :
Calculate CR and verify consistency:
Because , the constructed matrix meets the consistency verification, and the weight of each criterion is
As shown in Table 2.
3.2.3. Network Quad Message Value Calculation
According to Table 2, the normalized quadruple information entropy score can be obtained:
Comparing with the evaluation weights calculated in the table , the final value of the data message is calculated by inner product and accumulation:
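The weighted quad entropy of Section 3.1 and the judgment-matrix weighting of Section 3.2, as an added example that is not the paper's code. The flow records and the 1-9 scale judgment matrix are constructed here (the paper's Table 1 values are not reproduced on this page); the weights, lambda_max and consistency ratio follow the standard AHP column-normalization approximation.

```python
import math
from collections import Counter

# Constructed sample flows (src_ip, dst_ip, src_port, dst_port); not data from the paper.
NORMAL = [("10.0.0.1", "10.0.1.1", 40001, 123), ("10.0.0.2", "10.0.1.2", 40002, 53),
          ("10.0.0.3", "10.0.1.3", 40003, 443), ("10.0.0.4", "10.0.1.4", 40004, 80)]
# Reflection traffic: many reflectors answer from port 123 to a single victim on varying ports.
ATTACK = [("192.0.2.%d" % i, "10.0.1.9", 123, 50000 + i) for i in range(1, 9)]
FIELDS = ("Sip", "Dip", "Sport", "Dport")
# Hypothetical 1-9 scale judgment matrix, rows/cols in FIELDS order (not the paper's Table 1).
JUDGMENT = [[1, 1 / 3, 2, 1 / 3], [3, 1, 4, 1], [1 / 2, 1 / 4, 1, 1 / 4], [3, 1, 4, 1]]

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def quad_entropy(flows):
    """Entropy of each quad field over one observation window."""
    return {name: entropy([f[i] for f in flows]) for i, name in enumerate(FIELDS)}

def ahp_weights(judgment):
    """AHP priority weights of a pairwise judgment matrix, with lambda_max and consistency ratio."""
    n = len(judgment)
    col_sums = [sum(row[j] for row in judgment) for j in range(n)]
    # Normalize each column, then average across each row (standard AHP approximation).
    w = [sum(judgment[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]
    aw = [sum(judgment[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1)
    ri = {3: 0.58, 4: 0.90, 5: 1.12}[n]  # Saaty's random index; CR = CI / RI must be below 0.1
    return w, lam_max, ci / ri

def weighted_entropy(flows, w):
    """Weighted quad entropy: inner product of the four field entropies with the AHP weights."""
    h = quad_entropy(flows)
    return sum(wi * h[name] for wi, name in zip(w, FIELDS))

if __name__ == "__main__":
    w, lam, cr = ahp_weights(JUDGMENT)
    print("weights", [round(x, 4) for x in w], "lambda_max", round(lam, 4), "CR", round(cr, 4))
    print("normal window", round(weighted_entropy(NORMAL, w), 4))
    print("attack window", round(weighted_entropy(ATTACK, w), 4))
```

Because the constructed matrix weights the destination IP and destination port most heavily, the collapse of destination-IP entropy in the reflection window lowers the weighted value well below the normal window even though source-IP entropy rises.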
4. Simulation Experiment
4.1. Experimental Environment
The simulation experiments were carried out on a server with an Intel(R) Core(TM) i7-7700HQ CPU, 48 GB of RAM, and the Ubuntu 16.04 operating system. Mininet [12, 13], a process-virtualization network simulation tool developed by Stanford University on the Linux container architecture, is a very reliable tool that can create a virtual network including hosts, switches, controllers, and links, so we installed it to simulate the attack environment. The network topology is shown in Figure 2.

Among them, one server is the attacked target with the NTP service enabled, and 40 PCs act as reflective attack devices, which also generate normal network traffic under the different attack intensities.
4.2. Sensitivity of Quantitative Analysis
In the simulation experiment, the attack intensity was increased from 0% to 100% in steps of 10%, and Wireshark was used to calculate the entropy of the source IP address (Sip), destination IP address (Dip), source port (Sport), and destination port (Dport) at each attack intensity, as shown in Table 3.
As can be seen from the table, the information entropy changes as the attack intensity increases nonlinearly, as shown in Figure 3.

We use the geometric rate of change to quantitatively describe the magnitude of variation of a variable per unit time; the formula is defined as
Each element entropy varies at different nonlinear attack intensities, as shown in Table 4.
From the calculated data, we can quantitatively see the trend of each element change rate, as shown in Figure 4.

The geometric change rate of each element, calculated from formula (21) and Table 4, is shown in Figure 5.

4.3. The Information Entropy under the Judgment Matrix
Substituting Table 1 into formula (19) gives the results shown in Table 5.
It can be seen from the table that, after the weight assignment of the judgment matrix, the trend of the network quad information entropy changes significantly under the different nonlinear attack intensities, as shown in Figure 6.

4.4. Calculate the Threshold
The threshold is obtained by comparing the entropy change rate of the network quad without attack with the entropy change rate of the network under an unacceptable attack strength. The entropy change rate threshold is defined as
, where indicates the attack intensity from 10% to 100%, represents the network quad elements, indicates the entropy change rate, and the calculated CTE is the largest entropy change rate over all attack intensities.
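The change-rate threshold of Section 4.4 applied to a per-intensity entropy series, as an added example that is not the paper's code. Formula (21) is not reproduced on this page, so the geometric change rate is assumed here to be the percentage change of each window relative to the previous one, and the CTE is assumed to be calibrated from the largest change rate seen in attack-free traffic; both entropy series are constructed stand-ins for the paper's tables.

```python
# Constructed weighted quad entropy per observation window; not data from the paper's tables.
INTENSITY = list(range(0, 101, 10))  # attack intensity of each window, 0% .. 100%
NO_ATTACK = [2.00, 2.02, 1.98, 2.01, 1.97, 2.00, 2.03, 1.99, 2.01, 1.98, 2.00]
UNDER_ATTACK = [2.00, 1.97, 1.91, 1.82, 1.70, 1.55, 1.38, 1.19, 0.98, 0.75, 0.50]

def change_rates(series):
    """Assumed geometric change rate: percent change of each window relative to the previous one."""
    return [abs(series[k] - series[k - 1]) / series[k - 1] * 100 for k in range(1, len(series))]

def cte(no_attack_series):
    """Threshold CTE, assumed here to be the largest change rate that attack-free traffic exhibits."""
    return max(change_rates(no_attack_series))

def flagged_intensities(intensities, series, threshold):
    """Attack intensities whose window change rate exceeds the threshold (i.e. are detected)."""
    rates = change_rates(series)
    return [intensities[k + 1] for k, r in enumerate(rates) if r > threshold]

def detection_rate(intensities, series, threshold):
    """Fraction of the non-zero attack intensities that the threshold flags."""
    flagged = flagged_intensities(intensities, series, threshold)
    return len(flagged) / (len(intensities) - 1)

if __name__ == "__main__":
    t = cte(NO_ATTACK)
    print("CTE = %.4f%%" % t)
    print("flagged intensities:", flagged_intensities(INTENSITY, UNDER_ATTACK, t))
    print("detection rate: %.0f%%" % (100 * detection_rate(INTENSITY, UNDER_ATTACK, t)))
```

With these constructed series the 10% step changes the entropy by less than the attack-free fluctuation, so it is the only intensity the threshold misses.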
4.5. Attack Recognition Algorithm Comparison
Currently, methods based on the source IP and the target IP are the two most common ways to identify NTP attacks; the absolute values of their percentage differences computed against the method presented here are shown in Table 6.
Substituting the results of Table 6 into formula (17):
Judging from the above table:
(i) For the method based on the target IP, the values from 10% to 60% are all higher than the CTE of 5.197110%; that is, at attack intensities of 60% and below, the method cannot detect the presence of an NTP attack, giving a detection rate of 40%.
(ii) For the method based on the target port, the values from 10% to 70% are all above the CTE of 5.197110%; that is, at attack intensities of 70% and below, the method cannot detect the presence of an NTP attack, giving a detection rate of 30%.
(iii) For the method based on the judgment matrix quad, the value at 10% is above the CTE of 5.083698%, and the detection rate is 90%.
As shown in Figure 7.

5. Conclusion
This paper presents a nonlinear NTP attack detection method that judges the information entropy with the analytic hierarchy process judgment matrix. Through simulation experiments, we find the change rules of the quad entropy under different attack strengths, apply the judgment matrix of the analytic hierarchy process, and then calculate the CTE under the nonlinear NTP attack. Finally, the experimental conclusion is obtained through data comparison: the proposed method has the highest detection rate, 90%. In the next step, applying this algorithm to other types of UDP flood attacks in the context of the global outbreak is the direction of future research.
Data Availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.