Abstract

Distributed denial-of-service (DDoS) attacks are a serious threat to cybersecurity. Many strategies for defending against DDoS attacks have been proposed recently. To study the impact of defense strategy selection on DDoS attack behavior, the current study uses the logistic function as the basis for a dynamic model of DDoS attacks with defending strategy decisions. Thereafter, the attacked threshold of this model is calculated. The existence and stability of the attack-free and attacked equilibria are proved. Lastly, some effective strategies to mitigate DDoS attacks are suggested through parameter analysis.

1. Introduction

A distributed denial-of-service (DDoS) attack is a cyberattack in which hackers attempt to make a website or computer unavailable by flooding or crashing the website with too much traffic [1, 2]. Given the rapid development of cloud computing, big data, and artificial intelligence, DDoS attacks have become one of the most critical threats to network security [3, 4]; for example, in February 2018, the official website of the PyeongChang Winter Olympics Organizing Committee was forced to shut down during the Winter Olympic Games due to a DDoS attack [5]; in March 2018, GitHub suffered a DDoS attack with the maximum peak traffic reaching 1.7 TBPS [6]; in October 2019, Amazon Web Services was attacked by DDoS for several hours, resulting in an outage affecting many websites [7]. Therefore, it is important to study the dynamic behavior of DDoS attacks and to propose defense strategies on this basis.

Numerous models of DDoS attacks have been proposed in recent years. Haldar et al. [8] proposed a DDoS attack model based on the compartment model and obtained threshold conditions that determine the success or failure of such attacks. Kumar et al. [9] presented a dynamic model of DDoS attack in a computer network and studied the dynamic behavior of this model through numerical simulation. Hou et al. [10] investigated a DDoS attack model with a saturated contact infection rate and proved the stability of this model. Mishra et al. [11] considered the characteristics of DDoS attacks on the Internet of Things (IoT) and proposed a DDoS attack model on IoT, given the conditions for a successful attack. Furthermore, some effective defense strategies, such as installing defense software and upgrading firewalls, have been widely used to mitigate DDoS attacks [12, 13]. Several DDoS attack dynamic models with defending strategies have been proposed recently to study the impact of defending strategies on DDoS attacks. Zhang et al. [13] studied a differential dynamics model for DDoS attacks with four states, namely, weak-defensive, attacked, strong-defensive, and compromised nodes. The global stability conditions of the model are given, and some defending strategies are proposed to mitigate the DDoS attack. Zhang et al. [14] used mean-field theory as the basis for a DDoS attack model on arbitrary networks. Some reasonable strategies for defending against DDoS attacks have been provided based on theoretical analysis. Rao et al. [15] proposed a DDoS attack model with a quarantine strategy; mathematical analysis demonstrated that quarantining infected computers can effectively block DDoS attacks. Zhang et al. [16] constructed an optimal control model for DDoS attacks on the Internet of Things and obtained its optimal defense strategy. Huang et al. [17] proposed a new low-cost DDoS attack architecture and obtained three optimal attack strategies based on the variational method. Li et al. [18] established a low-rate DDoS attack model based on a cloud computing environment and proposed a strategy to mitigate low-rate DDoS attacks.

However, the existing dynamic models have assumed that defenders will adopt a defending strategy with a fixed probability. On the one hand, adopting defending strategies in the real world brings the benefit of mitigating DDoS attacks. On the other hand, defenders may choose not to adopt defense strategies owing to defensive costs, which can be considered a dilemma. As rational persons, defenders will compare the benefits and costs caused by DDoS attacks. If the benefits outweigh the costs, then defenders will be likely to adopt a defending strategy; otherwise, they will be less likely to adopt such a strategy. That is, defenders decide the probability of adopting a defending strategy based on a cost-benefit analysis. In addition, none of the existing defense strategy recommendations has analyzed the cost-benefit, so the defense strategies obtained are not feasible solutions.

To overcome the above shortcomings, this study builds on the preceding discussion to propose the first game theory-based DDoS attack model with defending strategy decisions. Our main contributions are summarized as follows:

(a) To study the impact of defense strategy decisions on the dynamic behavior of DDoS attacks, this research first constructs, according to the above cost-benefit analysis, two smooth logistic functions that describe the defense strategy choices of the defender under different cost-benefit conditions. Based on these logistic functions and compartmental model theory, this paper proposes the first game-theoretic DDoS attack dynamics model with a cost-benefit function.

(b) The current study obtains the attack threshold of the above model, which is the condition for a successful attack, and then proves the local stability of the attacked equilibrium and the attack-free equilibrium using the theory of differential stability. In addition, this study uses the analysis of the impact of parameters on model behavior as the basis for some effective defending strategies to mitigate DDoS attacks. Some numerical experiments are also presented to verify the effectiveness of the defending strategies.

The remainder of this paper is organized as follows. Section 2 proposes a novel DDoS attack model. Section 3 presents the mathematical properties of the proposed model. Section 4 provides some suggestions for the defense of DDoS attacks by analyzing the effects of parameters on model behavior. Section 5 concludes this study.

2. Model Descriptions and Cost-Benefit Analysis

This section proposes a dynamic model with defending strategy decision based on a cost-benefit analysis.

2.1. Differential Dynamic Model

A typical computer network system mainly consists of numerous client and server computers. Clients and servers often have different levels of cybervulnerabilities. Clients are considered to be relatively vulnerable to malware and flooding attacks. Servers are often equipped with firewalls. Although they are considerably resilient to malware, servers could still be vulnerable to flooding attacks.

A typical DDoS attack and defense is carried out in the following three-phase procedure, which is depicted in Figure 1.

2.1.1. Spreading Malware

Attackers attempt to spread malware to infect normal clients on networks by using fake emails or web links. Once normal clients have been affected by malware, they are controlled by attackers to become zombie clients capable of infecting other clients.

2.1.2. Launching Attacks

Attackers manipulate zombie clients to launch flooding attacks targeting at least one target server. Such attacks will compromise the target servers, thereby losing their abilities to provide services to the external environment.

2.1.3. Recovering

Defenders adopt some defense strategies, such as antivirus software or firewalls, to recover the attacked computers, including zombie clients and compromised servers.

The following reasonable assumptions can be obtained on the basis of the preceding facts:

(H1) Computers on the Internet can be divided into two parts: client and server parts. The total numbers of computers on the client and server parts are NW and NS, respectively [7].

(H2) Computers on the client part can be classified into three classes: normal clients (W nodes), infected clients (I nodes), and recovered clients (R nodes) [19, 20]. Let W(t), I(t), and R(t) represent the proportion of the W, I, and R nodes, respectively, in the total number of computers on the client part at time t. The total number is constantly equal to NW:

(H3) Computers on the server part can also be classified into three classes: normal servers (S nodes), compromised servers (C nodes), and recovered servers (D nodes). Let S(t), C(t), and D(t) represent the proportion of the S, C, and D nodes, respectively, in the total number of computers on the server part at time t. The total number is constantly equal to NS:

(H4) Owing to the implementation of some dangerous operations, such as browsing phishing sites, a W node will be infected with a probability of .

(H5) Owing to the execution of some positive measures, such as running antivirus software, an I node will recover with a probability of .

(H6) Owing to the reinstallation of an operating system, an R node becomes a W node with probability .

(H7) Owing to DDoS attacks, an S node will be compromised with probability .

(H8) Owing to the implementation of some positive measures, such as running firewall software, a C node becomes a D node with probability .

(H9) Owing to the reinstallation of an operating system, a D node becomes an S node with probability .

(H10) Owing to the adoption of some defensive strategies, such as installing antivirus software, a W node becomes an R node with probability f [21, 22].

(H11) Owing to the implementation of some defensive strategies, such as upgrading firewall software, an S node becomes a D node with probability .

Probabilities f and are determined by the cost-benefit analysis of defenders, which we will discuss in part B of this section.

Given the preceding assumptions, the following DDoS attack model can be obtained (see Figure 2): where 0 ≤ W(t), I(t), R(t), S(t), C(t), D(t) ≤ 1, and 0 ≤ , , , , ,  ≤ 1.

2.2. Cost-Benefit Analysis

Although defensive strategies may bring benefits, adopting them also has costs, which is a dilemma for defenders. A logistic function can be used to describe the rational decision problem of whether to adopt defensive strategies. When the cost of adopting a defending strategy is greater than the benefit, defenders will not adopt such a strategy. Otherwise, defenders will adopt this strategy. For the client part, the benefit is directly proportional to the loss of not adopting this strategy LW, the number of computers infected NWI(t), and the probability of infection . The cost of adopting this strategy is CW. Thus, the total payoff of adopting this strategy for the client part is . For the server part, let LS represent the cost of not adopting a defending strategy and CW represents the cost of adopting a defending strategy. The total payoff of adopting this strategy for the server part is .

To describe the strategic decision problem, we define the following two logistic functions. Figure 3 depicts the logistic equation [23–25], where and represent the smooth exponents of functions f and , respectively, and and represent the maximum value of functions f and , respectively. 0 ≤  and  ≤ 1.

3. Theoretical Analysis

This section investigates some mathematical properties of the proposed model, including equilibrium, attacked threshold, and stability of system (3).

Given that W(t) + I(t) + R(t) ≡ 1 and S(t) + C(t) + D(t) ≡ 1, we use a simple calculation to obtain W(t) ≡ 1 − I(t) − R(t) and S(t) ≡ 1 − C(t) − D(t). Hence, the first and fourth equations in system (3) can be represented by the other four equations in this system. Therefore, system (3) can be simplified to the following system: where and . The parameter range of system (6) is as follows:

Evidently, the domain of system (6) is as follows:

Given that systems (3) and (6) are equivalent, the remainder of this paper mainly focuses on the properties of system (6).

3.1. Attack-Free Equilibrium

Theorem 1. A unique attack-free equilibrium is present in system (6), where and .

Proof. By solving the following equations, E0 is evidently a solution to equation (7). Thus, E0 is constantly an attack-free equilibrium of system (6).

Remark 1. An equilibrium represents a possible final state of DDoS attacks. Thereafter, attack-free equilibrium represents the possible final state of DDoS attack extinction.
The attacked threshold is a crucial parameter that determines whether computers on a network will experience DDoS attacks. This section calculates the attacked threshold by using the FV method proposed in [26, 27].
Let and . Accordingly, the following functions can be obtained: By considering the partial derivative of I and C at E0, we obtain as follows: By calculation, we obtain as follows: The attacked threshold can be obtained by calculating the eigenvalue of FV1. Lastly, the two eigenvalues of FV1 are calculated as and , while the eigenvalue is disregarded. Hence, the attacked threshold can be obtained as follows:

Theorem 2. When system (6) is considered, E0 is locally asymptotically stable if T0 < 1.

Proof. When system (6) is considered, the Jacobian matrix at E0 is as follows: The corresponding characteristic equation can be deduced as follows: Equation (17) has three negative roots , , and . The remaining root is determined by the following equation: As by calculation, we obtain as follows: All roots of the characteristic equation (17) are negative. Thus, E0 is locally asymptotically stable if T0 < 1.

Remark 2. Theorem 2 shows that DDoS attacks would die out if T0 < 1.

Example 1. Consider system (6) with  = 0.02,  = 0.01,  = 0.1,  = 0.1,  = 0.02,  = 0.005,  = 0.03,  = 0.6,  = 0.5,  = 1,  = 1, NW= 1000, NS= 1000, LW= 1, LS= 1, CW= 1, and CS= 2. By calculation, E0 = (0, 0.814, 0, 0.936)T and T0 = 0.371 < 1 satisfies the condition of Theorem 2. Hence, the system is locally asymptotically stable at E0 (see Figure 4).

3.2. Attacked Equilibrium

Theorem 3. Consider system (6) on domain . If T0 > 1, then system (6) has an attacked equilibrium: where and x is a positive solution of the transcendental equation as follows:

Proof. By solving equation (9), we can obtain , , , and x () is the root of equation (24).
Thereafter, we examine the existence of the solution of equation (24).
Equation (24) can be organized as follows: Let As , function G1 is an increasing function. As , function G2 is also an increasing function.
As and , according to we have . As and , . Therefore, transcendental equation (24) has at least one solution x ().
The proof is complete.

Remark 3. The attacked equilibrium represents the possible final state of DDoS attacks.

Theorem 4. Consider system (6). If , , , and , then E1 is locally asymptotically stable:

Proof. For system (6), the Jacobian matrix at E1 is The corresponding characteristic equation of the Jacobian matrix (40) can be deduced as follows: where By calculation, the roots of the characteristic equation (41) are determined by the following two equations: The Hurwitz criterion [28, 29] indicates sufficient conditions for all roots of the characteristic equation (30) to be negative are , , , and .
The proof is complete.

Remark 4. Theorems 3 and 4 imply that DDoS attacks would persist if conditions in theorems are satisfied.

Example 2. Consider system (6) with  = 0.02,  = 0.05,  = 0.1,  = 0.1,  = 0.02,  = 0.004,  = 0.03,  = 0.6,  = 0.5,  = 1,  = 1, NW= 1000, NS= 1000, LW= 1, LS= 1, CW= 1, and CS= 2. By calculation, , T0 = 2.321 > 1, , , , and satisfy the condition of Theorem 4. Hence, the system is locally asymptotically stable at E1 (see Figure 5).

4. Further Discussion

This section investigates the impact of some parameters on the dynamic behavior of the proposed model.

From Theorem 2, T0 is an important parameter that determines whether DDoS attacks are successful. If T0 < 1, then the attacks will not succeed. Hence, we need to take some measures to make T0 considerably below one.

Given that , taking the derivative with respect to , , , , , and CW, we obtain the following:

T0 is strictly increasing with parameters and (see Figures 6 and 7) and strictly decreasing with , , , and CW (see Figures 8–11).
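The following added example (not code from the paper) checks the reported attack-free equilibrium, the threshold T0 of Examples 1 and 2, and the monotonicity stated above. The page's equations and parameter symbols did not survive, so the closed forms, the names `beta`, `gamma`, `delta_r`, `delta_d`, `f_max`, `g_max`, `k_f`, `k_g`, and the assignment of printed values to those roles are assumptions, chosen because they reproduce the numbers printed in the two examples.

```python
import math

# Values as printed in Examples 1 and 2. Which printed value plays which
# role is an assumption: the parameter symbols are missing from the page.
EX1 = {"beta": 0.01, "gamma": 0.005,      # infection / recovery of I nodes
       "delta_r": 0.1, "delta_d": 0.03,   # R -> W and D -> S return rates
       "f_max": 0.6, "g_max": 0.5,        # maximum adoption probabilities
       "k_f": 1.0, "k_g": 1.0,            # smooth exponents
       "C_W": 1.0, "C_S": 2.0}            # defending costs
EX2 = dict(EX1, beta=0.05, gamma=0.004)   # the two values Example 2 changes


def adoption_at_zero(v_max, k, cost):
    """Assumed logistic adoption probability when no node is attacked."""
    return v_max / (1.0 + math.exp(-k * cost))


def attack_free_state(p):
    """Return (R0, D0), the recovered fractions at the attack-free state."""
    f0 = adoption_at_zero(p["f_max"], p["k_f"], p["C_W"])
    g0 = adoption_at_zero(p["g_max"], p["k_g"], p["C_S"])
    return f0 / (f0 + p["delta_r"]), g0 / (g0 + p["delta_d"])


def threshold(p):
    """Assumed T0: new infections per infected client while W = 1 - R0."""
    r0, _ = attack_free_state(p)
    return p["beta"] * (1.0 - r0) / p["gamma"]


def early_rate(p):
    """Linearised growth rate of I near the attack-free state (mass action)."""
    return p["gamma"] * (threshold(p) - 1.0)


def sensitivity_signs(p, names, rel=1e-4):
    """Sign of dT0/dparam by central finite difference (+1 or -1)."""
    signs = {}
    for name in names:
        hi = dict(p, **{name: p[name] * (1 + rel)})
        lo = dict(p, **{name: p[name] * (1 - rel)})
        signs[name] = 1 if threshold(hi) > threshold(lo) else -1
    return signs


if __name__ == "__main__":
    for label, p in (("Example 1", EX1), ("Example 2", EX2)):
        r0, d0 = attack_free_state(p)
        print(label, f"R0={r0:.3f} D0={d0:.3f} T0={threshold(p):.3f}",
              f"early growth rate of I={early_rate(p):+.5f}")
    print(sensitivity_signs(
        EX1, ["beta", "delta_r", "gamma", "f_max", "k_f", "C_W"]))
```

Under these assumptions two parameters raise T0 and three parameters plus CW lower it, matching the counts in the sentence above.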

Some reasonable suggestions for computers on the client part to mitigate the DDoS attack are provided as follows based on the preceding calculation:

(1) Adopting some defensive strategies (e.g., installing firewalls) on the client part, the infected probability can be remarkably reduced.

(2) Keeping defensive software updates in time on the client part, can be maintained low.

(3) Upgrading antivirus software, will be enhanced.

(4) Strengthening defense strength on the client part will enhance .

(5) Decreasing the cost of the defending strategy will reduce CW.

Accordingly, controlling the preceding parameters will be conducive to the mitigation of DDoS attacks on the client part. Thereafter, we focus on the defensive strategies for computers on the server part.

As where , parameters , , , , , NS, CS, and LS are independent of I1. Thus, we investigate the effects of these parameters on C1:

C1 is strictly increasing with parameter :

From the preceding form of C1, we can see that C1 increases with an increase in .

From the form of C1, we can see that C1 increases with an increase in , NS, and LS, and C1 decreases with an increase in , , and CS.

The following defense strategies are proposed for computers on the server part to reduce DDoS attacks:

(1) Detecting possible security holes may facilitate the reduction in .

(2) Restarting computers on the server part will significantly increase .

(3) Upgrading defensive software of DDoS attack, will decrease.

(4) Strengthening defense strength on the server part will enhance .

(5) Decreasing the cost of the defending strategy will reduce CS.

(6) Increasing the number of computers on the server part facilitates the enhancement of NS.

Controlling these parameters is conducive to the mitigation of DDoS attacks on the server part.

5. Conclusion

This paper studies the decision-making problem of DDoS attack defense strategy. To mitigate DDoS risk with minimum defending loss and cost, this paper uses game theory to establish a dynamic differential system with the defense cost and loss function. We perform analysis to show that the attack model has two equilibria, i.e., an attack-free equilibrium E0 and an attacked equilibrium E1. The attacked threshold T0 is an important parameter that determines whether DDoS attacks succeed or fail. Some beneficial recommendations to mitigate DDoS attacks are provided after conducting some numerical experiments of the proposed model with different parameters. These suggestions for effective defense against DDoS attacks include installing firewalls, upgrading antivirus software, reducing defense costs, and detecting possible security holes. This research not only has strong theoretical value but can also be widely used in the following fields: (1) advanced persistent threats: study the dynamic behavior of DDoS attack and defense with advanced persistent threat characteristics [30, 31]; (2) honeynet defense: study the influence of honeynet defense on the dynamic behavior of DDoS attacks [32]; (3) smart grid: study the dynamic behavior of DDoS attack and defense on the smart grid [16].

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The author declares that there are no conflicts of interest.