The cumulative sum (CUSUM) algorithm is commonly used in statistical process control to detect a change in the mean value of a statistical process [67]. It relies on the fact that if a change occurs, the probability distribution of the random sequence changes as well. The key advantage of the CUSUM algorithm is that it accumulates the statistics of the anomalies sequentially.
Normally, CUSUM requires a parametric model for the random sequence so that its probability density function can be used to monitor the sequence. However, in many cases, particularly in a mobile ad hoc network setting, the underlying distribution of the monitored statistic is unknown. Consequently, a major challenge in using parametric methods is how to model {Xn}. As an alternative, non-parametric methods, which are not model-specific, are applied.
Consequently, the non-parametric CUSUM approach [67] is adopted in designing the detection algorithm for distributed denial of service (DDOS) attacks. The general approach is based on the model presented in [54] for network attack detection using CUSUM. The underlying principle of the non-parametric CUSUM algorithm is that values of Xn that are significantly higher than the mean level under normal operation are accumulated.
Prior to formulating the detection algorithm, the key notations to be used are specified as follows:
Xn represents the statistics being monitored, such as the number of IP packets.
Figure 4.3 The CUSUM algorithm [67]
The top graph in Figure 4.3 illustrates the function {Xn}. For the random measurement sequence {Xn}, there is a step change of the mean value at time m from a to a + h.
The algorithm aims to detect changes of at least size h and to estimate the change point m in a sequential manner, in other words, to detect changes as each new metric arrives.
Therefore, the performance of the detection scheme can be measured in terms of:
i. the detection rate;
ii. the false alarm rate; and
iii. the communication overhead.
The main aim of formulating the detection algorithm is to enhance the detection rate and to minimize the false alarm rate and the communication overhead. Hence, the random sequence {Xn} can be formalized as follows:
$X_n = a + \varepsilon_n I(n < m) + (h + \eta_n) I(n \ge m)$ (4.1)
where $\{\varepsilon_n\}$ and $\{\eta_n\}$ are random sequences such that $E(\varepsilon_n) = E(\eta_n) = 0$, $h \ne 0$, and $I(\cdot)$ is the indicator function, and where:
a = constant
n = time
m = user node
h = threshold
∑ = summation
∑n = summation of time
Xn = number of packets
hn = number of packets at the threshold
Classically, in normal operation, {Xn} will be a small positive value, in other words, ∑ (Xn) = α < c, where c is a constant. Nevertheless, one of the assumptions of the non-parametric CUSUM algorithm is that the mean value of the random sequence is negative under normal conditions and becomes positive when a change occurs.
Thus, without loss of any statistical feature, {Xn} is transformed into another random sequence {Zn} with negative mean α, in other words, Zn = Xn – β, where a = α – β.
The parameter β is a constant value for a given condition of the measurement variable and is critical for establishing a random sequence, Zn with a negative mean.
For this reason, when a change occurs, Zn abruptly becomes large and positive, which implies that h + a > 0.
Hence the positive values of Zn (h + a > 0) are accumulated to determine whether a change has occurred. In the case of an abnormal event, h is defined as the minimum increase of the mean value; it is not the detection threshold. The detection threshold N is applied to yn, the accumulated positive values of Zn.
Consequently the change detection is based on the observation of h>>β.
Meanwhile, the challenge is to find the abrupt change in the random sequence {Zn}, which is designated as follows:
$Z_n = a + \varepsilon_n I(n < m) + (h + \eta_n) I(n \ge m)$ (4.2)
where a < 0, −a < h, and the other conditions are the same as in equation 4.1.
For the purpose of this research, the recursive version of the non-parametric CUSUM algorithm [67] is applied in order to reduce the overhead of implementing the modified CUSUM algorithm, also known as the multi-agent intrusion detection system for distributed denial of service attacks (MAIDSDDOS). The modified algorithm is represented in algorithms 4.1 to 4.5, which are adapted to detect DDOS attacks.
The recursive version of the non-parametric CUSUM algorithm is defined as follows:
$Y_n = (Y_{n-1} + Z_n)^+$, $Y_0 = 0$
where $x^+ = \max(x, 0)$, so that $Y_n$ is reset to 0 whenever the accumulated sum becomes negative, and an abnormality is reported once $Y_n$ exceeds the detection threshold N.
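As an added illustration (not code from the thesis or from [67]), the following Python runs the recursive non-parametric CUSUM over a constructed sequence of per-interval packet counts that contains a step change of the mean at m = 20. The offset β, the threshold N and the sample counts are assumptions chosen for the demo; the change point m is estimated as the interval following the last time Yn was reset to 0 before the alarm.

```python
from typing import List, Optional, Tuple

# Constructed sample (not measured data): 20 intervals of normal traffic with
# counts around 10, followed by 10 intervals in which the count jumps to 40,
# i.e. a step change of the mean at m = 20.
NORMAL_COUNTS = [10, 12, 9, 11, 10, 8, 13, 10, 9, 11] * 2
FLOOD_COUNTS = [40] * 10
SAMPLE_COUNTS = NORMAL_COUNTS + FLOOD_COUNTS


def cusum_detect(x: List[float], beta: float,
                 threshold: float) -> Tuple[Optional[int], Optional[int], List[float]]:
    """Recursive non-parametric CUSUM over the sequence x.

    Z_n = X_n - beta                       (beta chosen so Z_n has a negative mean normally)
    Y_n = max(0, Y_{n-1} + Z_n), Y_0 = 0   (only positive excursions are accumulated)
    An alarm is raised at the first n with Y_n > threshold (the N of the text).

    Returns (alarm_index, estimated_change_point, list of Y_n). The change point
    is estimated as the interval after the last reset of Y_n to 0 before the alarm,
    i.e. the start of the run that crossed the threshold. Both are None if no alarm.
    """
    y_prev = 0.0
    ys: List[float] = []
    last_zero = -1
    for n, xn in enumerate(x):
        zn = xn - beta
        yn = max(0.0, y_prev + zn)
        ys.append(yn)
        if yn == 0.0:
            last_zero = n
        if yn > threshold:
            return n, last_zero + 1, ys
        y_prev = yn
    return None, None, ys


if __name__ == "__main__":
    # beta = 15 keeps Z_n negative for all normal counts (max 13), so Y_n stays 0
    # until the flood starts; N = 50 is then crossed on the third flood interval.
    alarm, m_hat, _ = cusum_detect(SAMPLE_COUNTS, beta=15, threshold=50)
    print(f"alarm at interval {alarm}, estimated change point m = {m_hat}")
    # A beta below the normal mean lets Y_n drift upward on normal traffic alone,
    # which is exactly the false-alarm risk the negative-mean assumption avoids.
    false_alarm, _, _ = cusum_detect(NORMAL_COUNTS, beta=9, threshold=20)
    print(f"false alarm on normal traffic with beta=9: interval {false_alarm}")
```

With β = 15 and N = 50 the alarm fires at interval 22 and the change point is estimated at 20, the interval where the flood actually began; the same normal data with β = 9 triggers an alarm at interval 16 without any attack, which shows why β must be chosen so that Zn has a negative mean under normal load.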
Essentially, the mobile ad hoc network is modeled as a directed graph G = (V, E), where V represents the set of client nodes in the network and E represents the set of directed links [106].
V = N + M, where N = {n1, n2, …, nr} is the set of registered nodes in the network and each user node n ∉ N. M is the set of monitor nodes in the network and is represented as follows:
M = Ua + {Lm}
where Ua represents the universal agent and Lm represents the local monitor.
The network consists of a group of intrusion detection systems (IDSs) with a universal agent, Ua and a group of local IDS Li.
Prior to joining a network, each user node n has to send a connect request message Rc(n) to the universal agent Ua. To validate the identity of the user node, Ua requests a private message REQc(n) from client node n. The user node in turn replies with its private message RESc(n) to Ua.
The private reply message consists of four pieces of information, namely:
i. IPn, the IP address of the client node;
ii. MACn, the MAC address of the user node;
iii. Zn(ti), the timer value of the user node; and
iv. LPn, the location proof information [107] of the user node, which refers to the actual distance of the user node n from the universal agent Ua.
Zn(ti) = Zn(tc) + Ksec
where Zn(tc) is the user node's current time and Ksec is the user node's secret key.
The subsequent values of Ksec are incremented by 1 bit from the initial value every ti time interval.
The LPn value is obtained by adding the user node's current distance from the global IPDSDn to the user node's current available time Zn(tc).
Thus, if a user node wants to prove its identity, the IPn, MACn and LPn values should match Zn(ti). After checking the validity of the confidential information, Ua replies with a successful join and grants a bandwidth bn along with a TTL to the user node n, where TTL is the bandwidth validity period for user node n. After receiving the bandwidth, the user node becomes a part of the network. At this stage, the initial stage of spoof detection is done.
Algorithms 4.1, 4.2, 4.3, 4.4 and 4.5 detail the algorithms designed for bandwidth establishment, averting IP spoofing, and detecting TCP SYN, UDP and ICMP flood attacks, respectively.
Algorithm 4.1 Bandwidth establishment for user node n
Input: Cluster of unregistered user nodes n on the campus network
Output: Bandwidth establishment bn for user node n on the campus network
Step 1: User node n sends a connect request message Rc to Ua
Step 2: Ua demands secret information REQs from user node n
Step 3: User node n responds with a secret response RESs to Ua
Step 4: If IPn, MACn, LPn → Zn(Ti) then return true(n)
Else
Step 5: If IPn, MACn, Zn(Ti), LPn → true(n) then Grant(H(HMAC(bn, VT)))
Step 6: User node n connects to the campus network; now n ∈ N
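The join exchange of Algorithm 4.1, as an added Python example that is not part of the thesis. It builds the private reply from the two relations given above (Zn(ti) = Zn(tc) + Ksec and LPn = distance + Zn(tc)) and lets Ua validate it. The verification procedure is an assumption: Ua is taken to share Ksec with the node, to hold a registration table of IP-to-MAC pairs, and to measure the node's distance itself, so that it can recover Zn(tc) from LPn and check it against Zn(ti). The grant follows Grant(H(HMAC(bn, VT))) with SHA-256; the secret, table entries and key are constructed values.

```python
import hashlib
import hmac
from typing import Any, Dict, Optional, Tuple

# Constructed values for the demo (assumptions, not from the thesis).
KSEC = 7                                             # shared secret Ksec
REGISTRY: Dict[str, str] = {"10.0.0.5": "aa:bb:cc:dd:ee:01"}  # Ua's IP -> MAC table
UA_KEY = b"constructed-ua-hmac-key"                  # key for the HMAC in the grant


def node_private_reply(ip: str, mac: str, z_tc: int, distance: int,
                       ksec: int) -> Dict[str, Any]:
    """RESc(n): the four fields of the private reply.
    Zn(ti) = Zn(tc) + Ksec and LPn = distance + Zn(tc), as stated in the text."""
    return {"IPn": ip, "MACn": mac, "Zn_ti": z_tc + ksec, "LPn": distance + z_tc}


def ua_validate(reply: Dict[str, Any], measured_distance: int, ksec: int,
                registry: Dict[str, str]) -> bool:
    """Ua's check of the confidential information (assumed procedure).
    The IP/MAC pair must be registered, and Zn(ti) must equal Ksec plus the
    Zn(tc) recovered from LPn using the distance Ua measured itself. A node
    that spoofs its address pair, its location or its secret fails the check."""
    if registry.get(reply["IPn"]) != reply["MACn"]:
        return False
    z_tc = reply["LPn"] - measured_distance
    return reply["Zn_ti"] == z_tc + ksec


def grant_token(bn: int, vt: int, key: bytes) -> str:
    """Grant(H(HMAC(bn, VT))): HMAC over bandwidth and validity period, then hashed."""
    tag = hmac.new(key, f"{bn}|{vt}".encode(), hashlib.sha256).digest()
    return hashlib.sha256(tag).hexdigest()


def join(reply: Dict[str, Any], measured_distance: int, bn: int,
         vt: int) -> Tuple[bool, Optional[str]]:
    """Steps 4 to 6 on the Ua side: validate, then grant bandwidth bn for vt seconds."""
    if not ua_validate(reply, measured_distance, KSEC, REGISTRY):
        return False, None
    return True, grant_token(bn, vt, UA_KEY)


if __name__ == "__main__":
    legit = node_private_reply("10.0.0.5", "aa:bb:cc:dd:ee:01", z_tc=1000, distance=30, ksec=KSEC)
    print("legitimate node:", join(legit, measured_distance=30, bn=512, vt=3600))
    # Same reply, but Ua measures the node at 80 m: the location proof no longer matches.
    print("spoofed location:", join(legit, measured_distance=80, bn=512, vt=3600))
```

A forged MAC, a claimed distance that differs from what Ua measures, or a wrong Ksec each make the check fail before any bandwidth is granted, which is the spoof-detection stage the text describes.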