COMPOSITE DoS ATTACK MODEL

Preparation for potential threats is one of the most important phases in ensuring system security. It allows evaluating possible losses, changes in the attack process, the effectiveness of the countermeasures used, optimal system settings, etc. In cyber-attack cases, executing real experiments can be difficult for many reasons. However, mathematical or programming models can be used instead of conducting experiments in a real environment. This work proposes a composite denial of service attack model that combines bandwidth exhaustion, filtering and memory depletion models for a more realistic representation of such cyber-attacks. On the basis of the introduced model, different experiments were carried out. They showed the main dependencies of the success probability of a denial of service attack on the properties of the attacker and the victim. In the future, this model can be used for the denial of service attack or countermeasure optimization.


Introduction
The Internet has become an important part of daily life and gives us an opportunity to easily and quickly get the newest and necessary information. However, the growing need for particular Internet services makes their quality and availability very important and sometimes even a critical factor for a company's proper operation.
Denial of Service (DoS) attacks are a type of cyberattack aimed at disturbing or denying Internet services, thus making them difficult to use for their legitimate users. According to CERT-LT, in 2010, Denial of Service attacks were in 4th place by frequency of occurrence in Lithuania. The office of the State Chief Information Security Officer (State of Texas) in the United States of America accepted that DDoS attacks, as a way to make ransom attacks, would also be one of the most popular attacks in the future.
Depending on the situation, DoS attacks can cause huge damage and losses. It can be quite difficult to prepare for such attacks because there are insufficient ways or methods for estimating attack success. The aim of this work is to suggest a composite DoS attack model and use it to analyse how different properties of the attack and the victim influence the overall attack success probability.
The coming sections of this paper describe why modelling DDoS attacks is a better solution than real experiments. The most common model types used for DoS attack modelling are mentioned to show why we suggest using mathematical models and what models have already been proposed for modelling different types of DoS attacks.
The following sections present the ideas and calculations of the proposed composite DoS attack model, which is used for modelling different DDoS attack situations and for distinguishing the impact of attack and victim properties on the success probability of the composite attack. The results of the performed experiments and the imposed conditions are also presented.

Denial of Service Attacks and Models
In the denial-of-service attack, the attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection or the computers and network of the sites you are trying to use, the attacker may be able to prevent you from accessing email, websites, online accounts or other services that rely on the affected computer (McDowell 2004). In order to increase the attack power, many controlled computers can be used. This kind of attack is also known as a Distributed Denial of Service (DDoS) attack.
Practical experiments with DoS and DDoS attacks are difficult for the following reasons:
− the attack sources are spread over a wide geographical area, and experiments in a local network can be insufficient to illustrate the real situation;
− DDoS attacks require plenty of controlled computers, which makes it difficult to obtain a sufficient number of infected and ready-to-attack computers;
− execution of the DoS attack on the Internet can be illegal;
− real experiments on the Internet can cause problems for third parties and disturb the work of innocent Internet users or even services.
The examination of attack properties without the real execution of DoS attacks can be done using different modelling methods and tools. Modelling allows estimating the influence of different attack properties with less time and fewer resources.
For DoS and DDoS attack modelling, different methods are used. C. Meadows (1999) proposed a cost-based framework useful for analysing protocol resistance to DoS attacks. The framework was used for researching different protocols (Meadows 2011; Diffie et al. 1992; Gong, Syverson 1995; Lafrance, Mullins 2003; Smith et al. 2006; Aiello et al. 2004; Cao et al. 2007). While this type of model did not represent two confronting sides (attacker and victim), another type of multi-agent based DoS attack model, the game-based model, was proposed by B. Bencsath et al. (2003). This type of model was used in computer science (Shenker 1994; Altman 1994; Maheswaran, Basar 1998; Hespanha, Bohacek 2001; Lye, Wing 2002), while B. Bencsath started using it for DoS attack modelling. The idea of game-based models in DoS attack modelling was developed by M. Fallah (2010) and I. Kotenko (2005). However, game-based models were not meant to represent the dynamics of object changes. Thus, rewrite theory models found a place in agent-based DoS attack modelling, and some research was done using them (Agha et al. 2005; AlTurki et al. 2009; Kim et al. 2007).
These models rely on programming approaches (simulation, multi-agent, rule-based models). However, the existing mathematical DoS and DDoS models can be used separately or combined with programming to produce model results without long-lasting simulation or model execution. Those models are more dependent on the type of the DoS attack and use an appropriate queuing theory system for a certain situation. Q. Huang (Huang et al. 2003a, 2003b) and R. K. Chang (2002)  According to many different studies (Puigjaner 2006; Jain, Routhier 1986; Leland et al. 1994; Vandalore et al. 1999; Paxson, Floyd 1995), the present Erlang models do not represent the Internet traffic precisely and can be used only at a session level. Meanwhile, for model composition, the burst and packet levels require a more detailed analysis of traffic activity states and their intrinsic characteristics. Therefore, Y. Wang et al. (2007) and K. Salah (2010) propose to model DoS attacks in a more general form and use Markov chains. This allows representing transitions from one state to another in a more detailed way. However, describing a DoS attack in detail using a Markov chain can sometimes be challenging and bring more complexity to model execution.
We believe that DoS and DDoS attacks can usually be modelled at the session rather than at the packet level. Therefore, mathematical models of a Poisson process with an arrival rate are among the most appropriate solutions, taking into account both the adequacy of the model to a certain situation and computation resources. However, as mentioned before, these models can vary depending on the DoS type.

Mathematical Models of Bandwidth Exhaustion DoS Attack
A bandwidth exhaustion DoS attack happens when an intruder consumes all available bandwidth on a certain network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets but in principle they may be anything (CERT 2001).
Q. Huang, H. Kobayashi and B. Liu suggested two models for modelling bandwidth exhaustion DoS attacks: one is for attacks in the global network (Huang 2003a), and the other is for wireless networks (Huang 2003b). These two models offer methods for finding the minimal number of agents necessary to execute successful DDoS attacks; however, the models do not pay enough attention to the properties of all attacks. More attack properties are taken into account in the paper focusing on modelling DoS attacks using stochastic methods (Ramanauskaitė, Čenys 2009). This paper also presents a mathematical expression for calculating the success of the DoS attack using the known data on the attack, normal flow and other properties of the victim.

Mathematical Models of Memory Exhaustion DoS Attack
DoS resource depletion attacks involve the attacker sending packets that misuse network protocol communications or sending malformed packets that tie up network resources so that none are left for legitimate users (Specht, Lee 2004). Memory is usually exhausted, and thus no new queries can be stored and served.
Memory depletion DoS attacks are the most common because of their noticeable effect and quite low attack expenses. This is why there is quite a wide range of proposed models for memory depletion DoS attacks:
− Q. Huang et al. (2003a) apply the simplified Engset loss model G(N)/G/m(0), which makes it possible to estimate the success of the SYN flooding attack when the average attack flow, the average storage time of open-state connections and the buffer size are known. However, these authors do not consider legitimate users, so there are no characteristics of legitimate users in this model and only the attack itself is characterised;
− R. K. C. Chang (2002) uses the G/D/∞/N model to calculate the minimal attack flow necessary to make a successful TCP SYN attack. However, in this work, the model is not described in detail, and only the results of the conducted experiment are given. Therefore, no conclusion can be made concerning the comprehensiveness of this model.
− Y. Wang et al. (2007) use the model of a two-dimensional embedded Markov chain taking into account legitimate and attack flow characteristics and buffer size. Nevertheless, this model is difficult to use in practice because of complex calculations.
− S. Ramanauskaitė (2010) suggests the SYN flooding attack model that can be used for any kind of memory depletion DoS attack and allows estimating the success probability of the attack considering both victim and attacker properties.

Composite DoS Attack Model
Bandwidth exhaustion and memory depletion models allow analysing only certain parts of the overall DoS or DDoS attack. The real situation usually involves the interaction between different types of attacks. Therefore, the relations between DoS attacks should be taken into account, and DoS attacks should be represented using a combined model involving at least a few types of the DoS attack. When analysing the DoS attack, we take into account both the bandwidth exhaustion and memory depletion DoS models as well as the filtering properties of the system. The concept of this composite model is explained in Fig. 1 and can be described as follows: incoming traffic can be blocked because of insufficient bandwidth. Part of the remaining traffic can be blocked by the filtering system. Finally, everything left after filtering can be blocked because of insufficient space in the buffer devoted to storing open connections.
We denote bandwidth exhaustion probability as $P_B$, the probability of filtering legitimate traffic as $P_{Fn}$ and memory depletion probability as $P_M$. Composite attack probability $P$ can be calculated as the probability of blocking legitimate traffic at least in one of these three subsystems (bandwidth exhaustion, filtering or memory depletion):

For estimating bandwidth exhaustion probability $P_B$ we use the model of stochastic bandwidth exhaustion (Specht, Lee 2004):

$s_{Bn}$ - normal traffic (bps); $T$ - channel bandwidth (bps); $l_a$ - the average query size of the attack (b); $l_n$ - the average query size of legitimate users (b); $\lambda_{Ba}$ - an arrival rate of attack queries (qps); $\lambda_{Bn}$ - an arrival rate of legitimate user queries (qps).

Fig. 1. A model of a conceptual composite DoS attack

We assume that the filtering system has two properties: the probability of filtering legitimate traffic $P_{Fn}$ and the probability of filtering attack traffic $P_{Fa}$. These properties show the part of legitimate and attack traffic that is blocked on average by the filters.
To estimate incoming traffic, these properties are important both to composite attack probability and to the memory depletion subsystem. Considering the bandwidth exhaustion model, we assume that both legitimate and attack traffic have the same distribution in time as the overall incoming data. After passing the bandwidth exhaustion model, the rate of incoming traffic will be reduced to $\lambda_{Fa}$ and $\lambda_{Fn}$:

$$\lambda_{Fn} = \lambda_{Bn} \cdot (1 - P_B). \quad (4)$$

The filtering system should block traffic equally over time; thus, incoming attack traffic $\lambda_{Ma}$ and legitimate traffic $\lambda_{Mn}$ should change in size but not in distribution. The extent to which traffic size will be reduced depends on filtering properties $P_{Fa}$ and $P_{Fn}$:

The third subsystem of this composite DoS attack model is the memory depletion model. To represent this kind of DoS attack, we use the SYN flooding attack model (Ramanauskaitė 2010) that might also be used for more general DoS attack types (for all DoS attacks based on extended information storage time to disturb the normal work of systems):

where $\sigma = \lambda_{Ma} \cdot t_a + \lambda_{Mn} \cdot t_n$; $M$ - buffer size; $t_a$ - the average processing time of the attack query (s); $t_n$ - the average processing time of the legitimate query (s).

Modelling Results
Using the proposed model of the composite DoS attack, different situations were examined. The purpose of these experiments was to distinguish the influence of different attack properties on the success of the DoS attack.
For the analysis of these experiments, standard situation parameters may be chosen:
− regular 20 Mbps traffic (100 queries per second by 200 bits in each);
− 10 Mbps attack traffic (50000 queries per second by 200 bits in each);
− 1 channel with 100 Mbps bandwidth;
− victim uses filters that filter 20% of the attack and 2% of legitimate users queries;
− legitimate query takes 200 ms to execute;
− attack query execution takes 2 000 ms;
− buffer can hold information of 50 connections.
These attack and victim parameters lead to 8.7% of bandwidth exhaustion. 2% of legitimate queries are blocked by the filtering system and memory depletion probability is 39.3%. The success probability of the composite DoS attack is 45.7%.
Changing the filtering properties shows that the blocking probability of legitimate queries is very important and linearly increases the success probability of the composite DoS attack. Meanwhile, the percentage of filtered attack traffic changes the memory depletion and composite DoS attack probabilities non-linearly (Fig. 2a). Similar tendencies also apply to the influence of service time on attack success. When average service time increases (for both legitimate and attack queries), the probability of memory depletion increases, although its influence on the success of the composite attack is not proportional (Fig. 2b).
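The composition of the three subsystems and the stage-by-stage rate reduction described above, as an added example that is not code from the paper. It assumes the stages block independently (which reproduces the reported 45.7% from the reported 8.7%, 2% and 39.3%), holds P_B and P_M fixed while P_Fn varies, and assumes the filter thins each flow by (1 - P_F); all function names and sweep values are this example's own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Stages:
    p_b: float   # P_B: bandwidth exhaustion probability
    p_fn: float  # P_Fn: share of legitimate queries the filter drops
    p_m: float   # P_M: memory depletion probability


def composite(s: Stages) -> float:
    """Probability a legitimate query is blocked in at least one stage.
    Assumption: the three stages block independently."""
    return 1.0 - (1.0 - s.p_b) * (1.0 - s.p_fn) * (1.0 - s.p_m)


def memory_stage_input(lam_bn, lam_ba, p_b, p_fn, p_fa, t_n, t_a):
    """Thin both flows stage by stage and return (lam_Mn, lam_Ma, sigma).
    Bandwidth stage: lam_F = lam_B * (1 - P_B), as in eq. (4).
    Filter stage (assumed): lam_M = lam_F * (1 - P_F) for each flow."""
    lam_mn = lam_bn * (1.0 - p_b) * (1.0 - p_fn)
    lam_ma = lam_ba * (1.0 - p_b) * (1.0 - p_fa)
    return lam_mn, lam_ma, lam_ma * t_a + lam_mn * t_n


def stage_contributions(s: Stages) -> dict:
    """Drop in composite P when one stage is zeroed, others held fixed."""
    base = composite(s)
    return {name: base - composite(replace(s, **{name: 0.0}))
            for name in ("p_b", "p_fn", "p_m")}


def filter_break_even(s: Stages) -> float:
    """P_Fn at which the filter alone blocks as much legitimate traffic
    as the bandwidth and memory stages together do without a filter."""
    return composite(replace(s, p_fn=0.0))


# Stage probabilities reported in the Modelling Results section.
REPORTED = Stages(p_b=0.087, p_fn=0.02, p_m=0.393)

if __name__ == "__main__":
    print(f"composite P      : {composite(REPORTED):.3f}")
    print(f"per-stage share  : {stage_contributions(REPORTED)}")
    print(f"filter break-even: {filter_break_even(REPORTED):.3f}")
    for p_fn in (0.02, 0.10, 0.20, 0.40):  # constructed sweep values
        print(p_fn, round(composite(replace(REPORTED, p_fn=p_fn)), 3))
```

A filter whose false-positive rate exceeds the break-even value blocks more legitimate queries on its own than the modelled attack does, which is the misconfiguration case a defender would check first.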
The previous experiments had influence only on memory depletion and composite attack probabilities. Meanwhile, changes in incoming traffic properties also have influence on bandwidth exhaustion probability.
An increase in legitimate and attack traffic leads to an increase in attack success. However, in our experimental environment, the increase in memory depletion probability is higher than that in bandwidth exhaustion probability. Even if we decreased service time 10 times, the impact of bandwidth exhaustion on the success probability of the composite attack would be stronger only while the attack rate is quite low. With heavier attack traffic, memory depletion probability has a more significant influence and is more sensitive to the attack size (Fig. 3).

Conclusions
The article shows the need for the composite DoS attack model because, although there are models for specific DoS attack types, they do not reveal the overall DoS success. Therefore, the composite DoS attack model was proposed for a more accurate estimation of attack success probability. Using this model, experimental modelling was done and revealed some facts concerning the success probability of the DoS attack:
− incorrect configurations of the filtering system can make more damage than the DoS attack itself;
− memory depletion attacks are more sensitive to changes in incoming traffic and can be the main