
System And Method For Detection And Prevention Of Distributed Denial Of Service Attacks

Abstract: A method and system for detection and prevention of distributed denial of service (DDoS) attacks is disclosed. The invention provides a robust mechanism to protect a web server from DDoS attacks in such a way that it is not possible for an attacker to disable the server host, and as soon as the overload on the server disappears, the normal service quality resumes automatically. A detection framework is provided that involves the execution of several modules, giving flexibility in deployment: an approximate detection module based on simple statistical analysis of the network traffic, and an accurate detection module based on the statistical theory of hypothesis testing, making the framework adaptive yet accurate. The present invention does not affect traffic from the legitimate traffic sources while the detection of the attack is in progress, and blocks the traffic from the identified attack sources.


Patent Information

Filing Date: 11 January 2011
Publication Number: 33/2012
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Grant Date: 2019-04-24

Applicants

TATA CONSULTANCY SERVICES LIMITED
NIRMAL BUILDING, 9TH FLOOR, NARIMAN POINT, MUMBAI 400021, MAHARASHTRA, INDIA.

Inventors

1. JAYDIP SEN
TATA CONSULTANCY SERVICES BENGAL INTELLIGENT PARK, BUILDING - D PLOT NO. - A2 M2 & N2 BLOCK - GP, SALT LAKE ELECTRONICS COMPLEX, SECTOR -V, KOLKATA - 700091, WEST BENGAL, INDIA

Specification

FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title:
A SYSTEM AND METHOD FOR DETECTION AND PREVENTION OF DISTRIBUTED
DENIAL OF SERVICE ATTACKS
Applicant:
Tata Consultancy Services, a company incorporated in India under The Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the proposed invention and the manner in which it is to be performed.

FIELD
The invention generally relates to the field of computer network security. More particularly, the invention relates to a system and method for detection and prevention of distributed denial of service attacks by evaluation and differential time-based monitoring of the inbound traffic on the server.
BACKGROUND
Computer networks, and in particular the Internet, are widely used for both business and personal reasons, and their use continues to grow at a rapid pace. For example, users increasingly rely on the Internet for business and personal communications, commercial transactions, and for distributing and gathering information of all kinds. The increasing popularity of web-based applications has led to several critical services being provided over the Internet. This has made it imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and servers and denying services to legitimate users.
With the emergence of distributed denial of service (DDoS) attacks, it has become apparent that the open and distributed nature of the Internet has certain vulnerabilities which are often exploited for malicious purposes. DDoS attacks can easily bring down an Internet host or router, causing mission-critical services to experience significant outages. A DDoS attack on a server can prove detrimental, since the attack will make the services of the server unavailable to its legitimate clients. Public servers of banks and other financial institutions providing remote access to their legitimate clients, news servers, airline servers and railway servers are particularly vulnerable to such attacks. Detection and prevention of DDoS attacks on these servers is of critical business importance, since downtime of the servers will have catastrophic consequences for businesses in the banking, finance, commercial and public services domains.
Protection against DDoS attacks depends heavily on the model of the network and the type of attack. The prior art mainly addresses the prevention of DDoS attacks by blocking traffic, which blocks traffic from legitimate as well as attacking sources.

However, a need of uninterrupted or early resumption of traffic from legitimate sources is not substantially disclosed in the prior art.
Moreover, the existing methods and systems fail to resolve the most important and challenging issue in DDoS attack detection: to detect and curtail an attack that involves a large number of attacking hosts with very low rates of false positives and false negatives. Moreover, most current attack detection systems take substantial time, during which substantial damage is already caused by the attackers on the target servers and networks.
Further, the existing approaches require high computational and storage overhead for detection of large-scale distributed attacks. While the attack detection is underway, and even once the attack is detected, the existing systems react by initiating an attack prevention operation that blocks traffic from legitimate as well as attacking sources. This causes the server resources to be unavailable for a considerable amount of time, disrupting network operations.
In view of the above, there is a long-felt need for a system and method for early detection of DDoS attacks in networks and servers involving multiple hosts, with very low rates of false positives and false negatives. The system is further required to mitigate the limitations of the conventional systems used for detecting and preventing DDoS attacks. Further, there is a need to reduce traffic congestion and the increased load on the server, and to enable the server to respond quickly to incoming traffic from legitimate sources while the detection and prevention of DDoS attacks is in progress.
OBJECTIVES
The principal objective of the present invention is to provide a method and system for detecting and preventing distributed denial of service (DDoS) attacks that includes multiple attacking hosts in a network.
Another objective of the invention is to design the attack detection algorithms and traffic blocking algorithms for detecting and preventing DDoS attacks in a network.

Another objective of the invention is to minimize the computational and storage overhead for detection of large-scale distributed attacks.
Another objective of the invention is to minimize the adverse effects of an attack on the traffic from legitimate sources during the period corresponding to detection of DDoS attacks on the target servers and the networks.
Yet another objective of the invention is to provide statistical theory of estimation based frameworks for modeling and analyzing traffic so as to accurately detect attacks on the networks and hence to minimize the number of false positives.
SUMMARY
Before the present methods, systems, and hardware enablement are described, it is to be understood that this invention is not limited to the particular systems, and methodologies described, as there can be multiple possible embodiments which are not expressly illustrated in the present disclosure. It is also to be understood that the terminology used in the description is for the purpose of describing the particular versions or embodiments only, and is not intended to limit the scope of the present invention.
The present invention provides method and system for detection and prevention of DDoS attacks to protect a web server by early detection and deletion of attacking traffic and resumption of legitimate traffic. The invention enables adaptive configuration of the server such that it is not possible for the attacker to disable the server. Since the load on the server is not allowed to go beyond a threshold maximum, the normal service quality is never affected.
The invention comprises frameworks based on the statistical theory of estimation for modeling and analyzing traffic so as to detect attacks on the web server. The invention employs two detection methods, namely an approximate and an accurate method. The approximate detection method is based on simple statistical analysis of the network traffic and involves very low computational and memory overhead on the server, whereas the accurate detection method is based on the statistical theory of hypothesis testing, which results in more accurate detection of attacks at the cost of more computational and memory overhead on the server.
The combination of the approximate and accurate detection methods makes the detection framework adaptive to plurality of attacks yet being accurate. Moreover, the present invention does not disrupt traffic from any legitimate sources while the detection of the attack is in progress. This desirable feature is achieved by keeping a variable traffic analysis window of detection, so that legitimate traffics are retained in the buffer while detection analysis is in progress.
BRIEF DESCRIPTION OF DRAWINGS
The foregoing summary, as well as the following detailed description of preferred embodiments, is better understood when read in conjunction with the appended drawings. There is shown in the drawings example embodiments, however, the invention is not limited to the specific methods and architecture disclosed in the drawings.
Figure 1 shows a block diagram of a system 100 for detection and prevention of DDoS attacks on a server in a network.
Figure 2 shows a flow chart 200 describing steps to be followed for detecting DDoS attacks on the server in the network.
Figure 3 shows a flow chart 300 describing steps to be followed for identification of attacking sources in the network.
Figure 4 shows a flow chart 400 describing steps to be followed for disrupting DDoS attacks from the identified attacking sources in the network.
Figure 5 shows a flow chart 500 describing steps to be followed for checking the success of disrupting DDoS attacks from the identified attacking sources in the network.
Figure 6 shows a schematic flow diagram 600 of the attack detection simulation process.

DETAILED DESCRIPTION
Some embodiments, illustrating its features, will now be discussed in detail. The words "comprising", "having", "containing" and "including" and other forms thereof, are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise. Although any systems, methods, apparatuses, and devices similar or equivalent to those described herein can be used in the practice or testing of embodiments, the preferred methods and systems are now described. The disclosed embodiments are merely exemplary.
Referring to Figure 1, a system 100 for detection and prevention of DDoS attacks on a server in the network is shown. In an embodiment, as shown in the figure, a server 101 is connected to a communication network. The server 101 further includes a CPU 102, memory devices 103, and a FIFO buffer 104. An interface module 105 is attached to the server 101 at the communication network. The interface module 105 may be a software component of the server 101, special-purpose hardware in the server 101, or an autonomous hardware component attached to the server 101.
As shown in Figure 1, the incoming traffic enters a FIFO buffer 104. A discrete time model is used for modeling and analysis. The incoming traffic is modeled and processed over unit time slot. In an embodiment, the CPU 102 of the server 101 processes u storage units per time slot from the buffer 104. As the buffer 104 is fed with the random traffic, there is a non-zero probability of an event of buffer overflow. The incoming traffic is increased quickly when a DDoS attack is launched and as a result the buffer 104 becomes full. At this time, most of the incoming packets will be dropped and the attacker becomes successful in degrading the quality of service of the server 101. However, the server host will not be completely disabled at this point of time. The goal of the interface module 105 is to effectively identify and disrupt the traffic from the attacking sources 107 as shown in figure 1 so that the quality of the service is restored to the normal level. The said attacking sources 107 are the machines on the internet or network controlled by the attacker.

In an embodiment, it is assumed that there are two states of the incoming channel, namely the normal state and the attack state. In the normal state, there is no DDoS attack on the server 101, while in the attack state the server 101 is under a distributed attack. Let the attack begin at time t*, and at time t* + δ let the FIFO buffer 104 become full. At this time, the TCP modules running at the legal sources 106 and the attacking sources 107 observe that no or very few acknowledgements are being sent back by the server 101.
In order to defend against the DDoS attack, the first task is to detect the point of commencement the attack by making a reliable estimation of the time t*. Once the time of commencement of the attack is estimated, the next task is to identify the sources of the attack, and to disrupt the traffic arriving from these sources to the server 101. In the proposed scheme, this identification is done based on the statistical properties of the traffic flow.
In an embodiment, the interface module 105 at the server 101 identifies all active traffic sources, measures the traffic generated by these sources, and classifies them into different sets. In order to get reliable measurements of the traffic level, these measurements are carried out during the time slots between t* and t* + δ. Consequently, the effectiveness of the mechanism is heavily dependent on the time duration δ. During the time δ, the traffic flow between the sources and the server 101 is not affected, i.e., the interface module 105 in the server 101 does not disrupt traffic from the attack sources 107. It is desirable to have a large value for the time duration δ so that more time is available for traffic measurement.
A large value of δ can be effectively achieved by using a very large buffer size. It is assumed that the total buffer size (L) of the server 101 consists of two parts. The first part (L1) is designed to serve the normal state of the server 101. The size of L1 is chosen according to the service rate of the server 101 and the normal probability of packet loss due to a buffer overflow event. The second part (L2) is the excess size of the buffer 104, introduced with the purpose of gaining enough time for traffic measurements during the start-up phase of the attack for identification of the attack sources 107.

In an embodiment, it is assumed that the attack begins at time t*, i.e., all the attacking sources start sending packets from this time onwards. It is also assumed that the network was in the normal state at any time t < t*. Let t denote the expected value of t*. For the sake of simplicity, it is assumed that the set of active sources is constant during the period of the attack.
Let Tn(t) be the aggregate network traffic from the legal sources 106 (i.e., the normal network traffic), and Ta(t) be the aggregate of the attacking traffic. Let the mean (per time slot) values of the normal and the attack traffic be λn and λa respectively; then
E(Tn(t)) = λn, E(Ta(t)) = λa (1)
Similarly, let the corresponding standard deviations be denoted by σn and σa. Let Q denote the a priori unknown ratio between λn and λa, i.e. Q = λa / λn. As the time of commencement of the attack (t*) is earlier than the time of its detection (t1), some precious time is wasted that cannot be used for traffic measurements. To minimize this loss, the aggregate traffic level is estimated continuously by using a sliding window technique. The interface module 105 in the server 101 handles two sliding time windows. The longer window has a capacity of wl slots, and the shorter one has a capacity of ws slots. In this way, both an extended-time average level and a short-time average level of the incoming aggregate traffic per slot are estimated at each time slot t.
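The two-window estimate described above, as an added Python example that is not code from the specification. It assumes that the alarm condition of inequality (2), which is discussed later in the description but not reproduced on this page, has the form short-term average > (1 + r) × long-term average; the window sizes wl and ws and the constructed traffic trace are assumptions, while r = 0.6 is the tolerance from the specification's Table 2.

```python
from collections import deque


class TwoWindowDetector:
    """Approximate DDoS detector: keeps a long (wl slots) and a short (ws slots)
    sliding window over the per-slot aggregate packet count and alarms when the
    short-term average exceeds the long-term average by more than the fraction r.
    The comparison short > (1 + r) * long is an assumed form of inequality (2)."""

    def __init__(self, wl, ws, r):
        if not (0 < ws < wl) or r <= 0:
            raise ValueError("need 0 < ws < wl and r > 0")
        self.wl, self.ws, self.r = wl, ws, r
        self.long_win = deque(maxlen=wl)   # extended-time window (wl slots)
        self.short_win = deque(maxlen=ws)  # short-time window (ws slots)

    def long_average(self):
        return sum(self.long_win) / len(self.long_win)

    def short_average(self):
        return sum(self.short_win) / len(self.short_win)

    def observe(self, packets_in_slot):
        """Feed one slot's aggregate packet count; True if this slot trips the alarm."""
        self.long_win.append(packets_in_slot)
        self.short_win.append(packets_in_slot)
        if len(self.long_win) < self.wl:
            return False  # warm-up: no reliable long-term estimate yet
        return self.short_average() > (1.0 + self.r) * self.long_average()


def first_alarm_slot(trace, wl, ws, r):
    """Index of the first slot at which the detector alarms, or None if it never does."""
    det = TwoWindowDetector(wl, ws, r)
    for t, count in enumerate(trace):
        if det.observe(count):
            return t
    return None


def make_trace(n_slots=100, attack_start=60, normal=100, attack=300):
    """Constructed per-slot aggregate counts: a small deterministic ripple around
    `normal`, then a flat `attack` level from `attack_start` on (None = no attack)."""
    trace = []
    for t in range(n_slots):
        if attack_start is not None and t >= attack_start:
            trace.append(attack)
        else:
            trace.append(normal + t % 3)
    return trace


if __name__ == "__main__":
    # r = 0.6 as in Table 2 of the specification; wl = 40 and ws = 5 are assumed.
    print("alarm at slot", first_alarm_slot(make_trace(), wl=40, ws=5, r=0.6))
```

On the constructed trace the alarm fires two slots after the attack begins, while the ripple of the normal phase never trips it. The long window also contains the attack slots, so the baseline it provides drifts upward as the attack continues; that is why the specification measures the sources as early as possible after detection rather than waiting.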
In an embodiment, the interface module 105 in the server 101 executes number of algorithms in order to identify the DDoS attack and the attacking sources 107. These algorithms are executed sequentially in the same order as they are mentioned. These algorithms include detection of an attack, identification of the attack sources, disrupting the traffic arriving from the attack sources and testing whether the attack traffic has been successfully disrupted. In the following subsections, these algorithms and the steps implemented by these will be described with the help of flow charts in detail.
Referring to Figure 2, a flow chart 200 describes the steps followed by the interface module in implementing the algorithm for detecting DDoS attacks on the server. An early detection of an attack is necessary in order to ensure availability of the server. Thus, in step 201 shown in figure 2, the beginning of an attack is assumed to take place at time t. The approximate value of time t is determined in either of the following two ways:
(i) t is the point of time when the buffer L1 becomes full.
(ii) t is the point of time when the following inequality holds:

In equation (2) above, r > 0 is a design parameter. It represents the maximum fraction by which the short-term average of the traffic level may exceed the long-term average without raising an alarm for an attack on the server. As mentioned earlier, the present invention also proposes an accurate method based on hypothesis testing for the identification of an attack. In this method, as indicated in step 202 in figure 2, the packet arrival rate (PAR) in each sample duration is measured periodically. For this, a large sample of the packet arrival pattern on the server is taken over a long duration. Further, in step 203, the sample mean (X̄) and the sample standard deviation (S) of the packet arrival rate (PAR) are computed. The sample mean (X̄) and the sample standard deviation (S) are calculated as follows:

Let X1, X2, ..., XN be a sample of N measurements. Then X̄ and S are given by equations (3) and (4):

The computation of the sample mean (X̄) and the sample standard deviation (S) is followed by step 204, wherein a one-sample Kolmogorov-Smirnov (K-S) test is applied to verify whether the samples come from a normally distributed population or not. In step 205, the p-values of all K-S tests are compared with the threshold value (α = 0.05) to conclude whether the packet arrival rate (PAR) follows the normal distribution.

In step 206, the standardized value of the sample mean (X̄), which is normally distributed with an unknown mean µ, is calculated using equation (5):

In equation (5) Z is a standard normal variable and satisfies equation (6):

In equation (6) α is the level of confidence, which satisfies 0 < α < 1. Equation (6) expresses the fact that there is a probability of 1 − α of selecting a sample for which the confidence interval will contain the true value of µ. Zα/2 is the upper 100α/2 percentage point of the standard normal distribution. Therefore, the 100(1 − α)% confidence interval of µ is given by equation (7):

The confidence interval in equation (7) gives both a lower and an upper confidence bound for µ.
In step 207 as shown in figure 2, for detecting an attack scenario a threshold value called the maximum packet arrival rate (MPAR) is defined, which distinguishes the normal PAR from the high PAR seen in an attack. In order to find the MPAR, the upper confidence bound for µ in equation (7) is obtained by setting the lower confidence bound to −∞ and replacing Zα/2 by Zα. A 100(1 − α)% upper confidence bound for µ is then obtained from equation (8). The value of α in equation (8) is 0.025.


Then in step 208, a statistical t-test is applied to verify the difference between the normal PAR and the attack PAR. Let µ1 and µ2 denote the population means of two traffic flows. The t-test is applied to determine the significance of the difference between the two means, i.e. (µ1 − µ2). Let the difference between the two sample means be (X̄1 − X̄2), and let the standard deviation of the sampling distribution of differences be given by equation (9):

Since the two groups may contain different sample sizes, a weighted variance estimate t-test is used. The weighted variance is computed in equation (10):

The resultant t-statistic is computed in equation (11):


To detect attack traffic, the null hypothesis H0: µ1 = µ2 is tested against the alternative hypothesis H1: µ1 ≠ µ2. Thus, at step 209 the attack traffic is detected by applying Levene's test for assessing H0 (the null hypothesis). The assessment of H0 is done at step 210, wherein the p-value obtained as a result of Levene's test is compared with the critical value, i.e. 0.05. If the p-value is less than 0.05, then H0 is rejected and it is concluded that there is a difference in the variances of the populations. This indicates that the current traffic flow is attack traffic. This accurate statistical algorithm had 100% detection accuracy in all experimental runs conducted on the system. However, due to its computational overhead, it is somewhat slower than the approximate algorithm.
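The accurate method of steps 203 to 210, as an added Python example using only the standard library; it is not code from the specification. Equations (3) to (11) are not reproduced on this page, so the formulas used here are assumptions: the usual N − 1 sample standard deviation, the one-sided upper bound X̄ + Zα·S/√N for the MPAR, the pooled-variance two-sample t-statistic as the weighted variance estimate, and the mean-centred form of Levene's W. The p-value comparison of the page is replaced by critical values (the large-sample normal approximation for t, and about 4.0 for W, the 5% point of F(1, 58) for these sample sizes); the one-sample K-S normality check of step 204 needs a distribution table and is left to a statistics package. The PAR samples are constructed.

```python
from math import sqrt
from statistics import NormalDist, mean, stdev


def sample_mean_and_sd(xs):
    """Equations (3)-(4) as assumed here: sample mean and N-1 sample standard deviation."""
    return mean(xs), stdev(xs)


def mpar_upper_bound(xs, alpha=0.025):
    """Step 207: one-sided 100(1-alpha)% upper confidence bound on the mean PAR,
    X_bar + Z_alpha * S / sqrt(N), used as the maximum packet arrival rate (MPAR)."""
    xbar, s = sample_mean_and_sd(xs)
    z_alpha = NormalDist().inv_cdf(1.0 - alpha)  # upper 100*alpha percentage point
    return xbar + z_alpha * s / sqrt(len(xs))


def pooled_t_statistic(xs, ys):
    """Step 208: two-sample t-statistic with a weighted (pooled) variance so that
    samples of different sizes can be compared (assumed form of equations (9)-(11))."""
    n1, n2 = len(xs), len(ys)
    m1, s1 = sample_mean_and_sd(xs)
    m2, s2 = sample_mean_and_sd(ys)
    pooled_var = ((n1 - 1) * s1 ** 2 + (n2 - 1) * s2 ** 2) / (n1 + n2 - 2)  # eq. (10)
    sd_of_difference = sqrt(pooled_var * (1.0 / n1 + 1.0 / n2))            # eq. (9)
    return (m1 - m2) / sd_of_difference                                      # eq. (11)


def levene_w(xs, ys):
    """Step 209: Levene's W (mean-centred) for H0: equal variances.  Under H0, W follows
    F(k-1, N-k) with k = 2 groups; a constant-spread pair of samples gives W = 0."""
    groups = [xs, ys]
    abs_dev = [[abs(v - mean(g)) for v in g] for g in groups]  # Z_ij = |Y_ij - Ybar_i|
    n_total = sum(len(g) for g in groups)
    grand = mean([z for zs in abs_dev for z in zs])
    between = sum(len(zs) * (mean(zs) - grand) ** 2 for zs in abs_dev)
    within = sum((z - mean(zs)) ** 2 for zs in abs_dev for z in zs)
    if within == 0:
        return float("inf") if between > 0 else 0.0
    return (n_total - len(groups)) / (len(groups) - 1) * between / within


def classify(normal_par, current_par, alpha=0.05, f_crit=4.0):
    """Run steps 207-210 and return every stage's result plus a verdict.  The verdict
    requires the MPAR threshold, the t-test and Levene's test to agree; the critical
    values are the normal approximation for t and an assumed F(1, 58) 5% point for W."""
    mpar = mpar_upper_bound(normal_par)
    t = pooled_t_statistic(normal_par, current_par)
    w = levene_w(normal_par, current_par)
    t_crit = NormalDist().inv_cdf(1.0 - alpha / 2)
    exceeds_mpar = mean(current_par) > mpar
    means_differ = abs(t) > t_crit
    variances_differ = w > f_crit
    return {"mpar": mpar, "exceeds_mpar": exceeds_mpar,
            "t": t, "means_differ": means_differ,
            "levene_w": w, "variances_differ": variances_differ,
            "is_attack": exceeds_mpar and means_differ and variances_differ}


# Constructed PAR samples (packets per second), 30 readings each.
NORMAL_PAR = [990, 1000, 1010] * 10
NORMAL_PAR_AGAIN = [1010, 1000, 990] * 10   # same population, different ordering
ATTACK_PAR = [2900, 3000, 3100] * 10        # higher mean and wider spread

if __name__ == "__main__":
    print("attack window :", classify(NORMAL_PAR, ATTACK_PAR))
    print("normal window :", classify(NORMAL_PAR, NORMAL_PAR_AGAIN))
```

The MPAR for the constructed normal sample comes out just under 1003 packets/sec, so a current window whose mean sits far above it is flagged by all three stages; the second normal window, which has the same mean and spread, passes all of them. Requiring the stages to agree is the conservative choice for a mechanism that will go on to block sources.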

It is essential to disrupt the traffic emanating from the attack sources 107 at the interface module 105 of the server 101 after an attack is detected. For this purpose, the interface module 105 must be able to distinguish between the traffic from the attack sources 107 and the normal traffic from the legitimate client hosts 106. As mentioned earlier, the distinguishing characteristic of the attack sources is the higher mean (λa) of their aggregate traffic level. It is assumed that the interface module 105 can measure the traffic characteristics of all the active sources at each time instance by recognizing their network addresses. This characteristic of the interface module 105 enables it to identify the attacking sources.
Referring to Figure 3, a flow chart 300 describes the steps followed by the interface module in implementing the algorithm for identification of attack sources. In step 301 as shown in figure 3, starting at time t, the traffic level corresponding to every source is measured. Then in step 302, if the attack is correctly identified, i.e. t* < t < t* + δ, traffic measurement and analysis can be made over the period (t* + δ − t). Further, in step 303, the mean aggregate traffic levels of the legal and attacking sources are estimated. Let the aggregate level of traffic be λ(t* + δ), and the traffic for source i be λ(i)(t* + δ). As the exact traffic from the legal sources during the attack cannot be determined, the expression λ(t − c), (c > 0), is used as an estimate of the mean aggregate traffic level of the legal sources in the time interval [t*, t* + δ], and an estimate for the mean aggregate traffic level of the attacking sources (λa) is derived as in equation (12):

The estimation of the aggregate traffic level is followed, in step 304, by decomposing the set of active sources into a set of legal sources and a set of attack sources. This is done as follows:
Assume the set Z of active sources is decomposed into two mutually disjoint sets Zn and Za, where Zn is the set of legal sources and Za is the set of attacking sources. The sets Z, Zn and Za satisfy equation (13):


The identification algorithm implemented by the interface module attached to the server produces as output a set Za* which is a subset of the set Z and very closely resembles the set Za. The closer the sets Za and Za* are, the more accurate is the detection of the sources of attacks. The identification of the attacking sources is made in step 305 in either of the following two ways:
(i) In this approach, the maximal subset Za* = {i1, i2, ..., iL} of Z is computed that corresponds to the sources with the highest measured traffic levels such that inequality (14) is satisfied. The set Za* contains the attack sources.

The basic principle for this method is that the attacker always tries to hide, and therefore limits the number of attacking sources. At the same time, to make the attack effective, the attacker intends to send a high volume of attack traffic to the server. Thus, there is a trade-off with the volume of the attack and the number of attack sources. As a result of this trade-off, the volume of traffic emanating from the attacking sources is higher than the volume of traffic from the legitimate client hosts. This criterion is used for identification of attack sources in the equation (14).
(ii) In this method, the sources from the set of traffic sources Z which are active during the interval (t- c), c > 0, are omitted and equation (14) is used to identify the attack sources. After identifying the attacking sources correctly, the next task is the disruption of the traffic from the attacking sources.
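Methods (i) and (ii) of step 305, as an added Python example that is not the specification's code. Equations (12) and (14) are not reproduced on this page, so the example assumes that (12) is the difference between the aggregate level measured at t* + δ and the one measured at t − c, and that (14) is satisfied once the highest-traffic sources together account for that estimated attack aggregate. Method (ii) is read as omitting every source that was already active at t − c. The per-source levels are constructed and include one legitimate client (f) that bursts during the attack, which is the case method (ii) is meant to handle.

```python
def estimate_attack_level(aggregate_during_attack, aggregate_before_attack):
    """Assumed form of equation (12): the attack aggregate lambda_a is the aggregate
    level measured over [t*, t*+delta] minus the pre-attack aggregate measured at t-c."""
    return max(aggregate_during_attack - aggregate_before_attack, 0.0)


def identify_by_volume(levels, lambda_a):
    """Method (i): take sources in decreasing order of measured traffic until their
    combined level covers the estimated attack aggregate (assumed form of (14)).
    Ties are broken by source id so the result is deterministic."""
    za_star, covered = set(), 0.0
    for src, lvl in sorted(levels.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= lambda_a:
            break
        za_star.add(src)
        covered += lvl
    return za_star


def identify_excluding_prior(levels, active_before, lambda_a):
    """Method (ii): sources already active at t-c are treated as legal and omitted
    before the volume criterion of method (i) is applied to the rest."""
    candidates = {s: l for s, l in levels.items() if s not in active_before}
    return identify_by_volume(candidates, lambda_a)


# Constructed measurements: mean packets per slot for each source address.
LEVELS_DURING = {"a": 1.0, "b": 1.0, "c": 1.0, "d": 1.0, "e": 1.0, "f": 3.5,
                 "x1": 3.0, "x2": 3.0, "x3": 3.0, "x4": 3.0}      # over [t*, t*+delta]
LEVELS_BEFORE = {"a": 1.0, "b": 1.0, "c": 1.0, "d": 1.0, "e": 1.0, "f": 1.0}  # at t-c


def run_identification():
    """Return (lambda_a, Za* by method (i), Za* by method (ii)) for the constructed data."""
    lam_a = estimate_attack_level(sum(LEVELS_DURING.values()), sum(LEVELS_BEFORE.values()))
    by_volume = identify_by_volume(LEVELS_DURING, lam_a)
    excluding_prior = identify_excluding_prior(LEVELS_DURING, set(LEVELS_BEFORE), lam_a)
    return lam_a, by_volume, excluding_prior


if __name__ == "__main__":
    lam_a, za_i, za_ii = run_identification()
    print("estimated attack aggregate:", lam_a)
    print("method (i)  Za*:", sorted(za_i))
    print("method (ii) Za*:", sorted(za_ii))
```

Method (i) sweeps up the bursting legitimate client f along with the four attackers, because f's measured level is the highest of all; method (ii) never considers f, since it was active before the attack, and returns exactly the four attackers. The price of method (ii) is that an attacker who was already sending benign traffic at t − c will not be identified by it.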
Referring to Figure 4, a flow chart 400 describes the steps followed by the interface module in implementing the algorithm for disruption of the attack traffic. In step 401, the incoming packets with source addresses belonging to the set Za* are discarded. Further, in step 402, a filter rule is installed at the server inbound interface to discard any incoming packets from the identified attacking sources. Next, in step 403, any previously stored packets from these source addresses already present in the interface buffer are deleted to ensure that the server does not process any request from the attack sources. Thus, by implementing steps 401, 402 and 403 shown in figure 4, the interface module disrupts the traffic from the attacking sources.
After the successful execution of traffic disruption, the next task of the interface module is to check whether the disruption of traffic from the attacking sources has been successful. Figure 5 is a flow chart 500 describing the steps followed by the interface module in implementing the algorithm for checking the success of the attack traffic disruption.
As shown in Figure 5, in step 501, the buffer level is checked after a specific time interval tout. Then, in step 502, the buffer level is compared with the normal level L1. If the buffer level is less than or equal to L1, then as indicated in step 505, the disruption of traffic is successful. If not, then in the next step, i.e. 503, the active source that has the highest level of measured traffic is chosen for discarding packets, and in step 504 the additional packets from the identified source are discarded. Following this, the available buffer size is checked again. If the buffer size is still not restored, another source is chosen for discarding its packets. These steps are repeated until the occupied buffer size comes down to the level of L1. Equation (15) gives a conservative estimate for the timeout interval tout.
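Steps 401 to 403 and 501 to 505 run on a toy FIFO buffer, as an added Python example; it is not the specification's simulator, which was written in C. The buffer sizes, service rate, per-slot packet counts and the (deliberately incomplete) identification result are constructed, and tout is given directly rather than derived from equation (15), which is not reproduced on this page.

```python
from collections import deque


class InterfaceModule:
    """Toy model of the interface module in front of the server's FIFO buffer.
    One call to slot() is one discrete time slot: the CPU serves up to u packets,
    then the slot's arrivals are queued (dropped when the buffer of size L = L1 + L2 is full)."""

    def __init__(self, l1, l2, service_rate):
        self.l1 = l1                  # buffer size that serves the normal state
        self.capacity = l1 + l2       # L = L1 + L2
        self.u = service_rate         # packets served per slot
        self.buffer = deque()         # FIFO of source ids, one entry per packet
        self.blocked = set()          # filter rule at the inbound interface (step 402)
        self.levels = {}              # last measured per-source packets per slot
        self.dropped = 0

    def slot(self, rates):
        for _ in range(min(self.u, len(self.buffer))):
            self.buffer.popleft()
        for src, n in rates.items():
            self.levels[src] = n      # every active source is measured by its address
            if src in self.blocked:
                continue              # discarded by the inbound filter rule
            for _ in range(n):
                if len(self.buffer) < self.capacity:
                    self.buffer.append(src)
                else:
                    self.dropped += 1

    def disrupt(self, sources):
        """Steps 401-403: add the sources to the filter rule and purge any of their
        packets already waiting in the buffer."""
        self.blocked |= set(sources)
        self.buffer = deque(p for p in self.buffer if p not in self.blocked)

    def check_recovery(self, rates, tout, max_rounds=10):
        """Steps 501-505: after tout slots compare the buffer level with L1; while it is
        still above L1, block the active source with the highest measured traffic and
        retry.  Returns (recovered, sources blocked during the check)."""
        extra_blocked = []
        for _ in range(max_rounds):
            for _ in range(tout):
                self.slot(rates)
            if len(self.buffer) <= self.l1:
                return True, extra_blocked
            candidates = [s for s in rates if s not in self.blocked]
            if not candidates:
                return False, extra_blocked
            worst = max(candidates, key=lambda s: (self.levels[s], s))
            self.disrupt([worst])
            extra_blocked.append(worst)
        return False, extra_blocked


# Constructed per-slot packet counts: a..e are legal clients, x1..x3 attackers.
RATES = {"a": 1, "b": 1, "c": 1, "d": 1, "e": 1, "x1": 5, "x2": 5, "x3": 6}


def run_scenario(l1=40, l2=60, service_rate=10, attack_slots=20, tout=10):
    im = InterfaceModule(l1, l2, service_rate)
    for _ in range(attack_slots):     # 21 arrivals per slot against 10 served: buffer fills
        im.slot(RATES)
    level_before = len(im.buffer)
    im.disrupt(["x1", "x2"])          # identification caught x1 and x2 but missed x3
    recovered, extra = im.check_recovery(RATES, tout)
    return {"level_before": level_before, "recovered": recovered,
            "extra_blocked": extra, "blocked": set(im.blocked),
            "level_after": len(im.buffer)}


if __name__ == "__main__":
    print(run_scenario())
```

With x1 and x2 filtered, the remaining load (5 legal plus 6 from x3) still exceeds the service rate, so the first check after tout slots finds the buffer above L1; the recovery loop then picks x3, the unblocked source with the highest measured level, and the next check passes. Note that the loop prefers the highest-traffic source, so a legitimate client is only at risk of being blocked after every heavier source has already been filtered.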

In the next part of the specification, the experiments carried out, the observations, and the conclusions with results that demonstrate the effectiveness of the invention are disclosed.
The interface module 105 as shown in Figure 1 is simulated for observing the experimental results for detection of attacks on the server 101. Figure 6 shows a schematic flow diagram 600 of the attack detection simulation process. The simulation process includes a database 601 for storing data related to traffic. The interface simulator module 603 performs the buffering and scheduling of the incoming packets from the packet generator module 602 for further processing. It also collects statistical data on traffic for detection of possible attacks, identification of the sources of such attacks, and disrupting communication from such sources.

The simulation program is run on a workstation with an operating system controlling the simulation program. For example, the simulation program has been written in C and the program is run on a workstation with the Red Hat Linux operating system (Version 9). The time interval is set at 10^-6 seconds. Statistical data are collected at every one-second interval. The simulation is run with the first 100 seconds as normal traffic. The attack simulation is started at the 100th second and is allowed to continue till the 200th second. The simulation is ended with another 100 seconds of normal traffic to test the efficacy of the recovery function of the system.
Parameter setting for simulation:
The traffic arrivals at the interface module 105 in figure 1 are modeled as a Poisson process. The packets are stored in the buffer 104 and are passed on to the CPU 102 for further processing by the interface module 105. The queue type is assumed to be M/M/1. The inter-arrival times and service times are assumed to follow the negative exponential distribution. The number of sources is kept constant throughout the simulation duration.
The Poisson model of traffic arrival is chosen as it is particularly suitable for dealing with some Internet protocols if its parameters are set appropriately. Internet control message protocol (ICMP), network time protocol (NTP) and domain name service (DNS) clients send many small packets of constant size with uniformly distributed inter-packet arrival times. These protocols resemble very closely the assumptions that have been made in the simulation. This makes the simulation results realistic.
Since in practical scenarios, the number of legitimate clients that connect to a server may also vary over a broad range, the following cases are considered:
Case 1: For a small corporate server, the number of legal clients is low, say N (t) = 5, where N (t) is number of legal sources 106 as shown in figure 1. Assuming that the capacity of the server is high, the average load on the server will be less. Therefore, the number of attacking hosts should be high, say A (t) = 40, where A (t) is number of attack sources 107. Hence, in this scenario, for an effective attack we must have N (t) « A (t).

Case 2: For a server of medium size, it may be assumed that N (t) = 50 and a successful attacker can launch his/her attack from a fewer number of hosts. Thus it may be assumed that A (t) = 50 in this case. As the number of legal clients 106 and the number of attacking sources 107 are of comparable size, it is easier for the attacker to hide his/her attack in this case. Therefore, in this situation, N (t) = A (t).
Case 3: For a global portal server, there can be a very large number of legal clients 106, say N (t) = 10000. In this situation, it is not possible for that attacker to easily estimate the required number of attacking hosts 107. In this case, it is assumed that the attacker chooses a reasonably high value of A (t), say A (t) = 5000, and opts for a very high attacking rate: λa = λn*10. Therefore, in this case: N(t)>A (t).
In the first set of experiments, a large number of hosts are taken to test the effectiveness of the proposed mechanism on a large system. The experimental parameters are listed in Table 1.
Table 1. Simulation parameters for Experiment I

Parameter                        | Value
Number of legal clients (N(t))   | 10000
Number of attacking hosts (A(t)) | 5000
Mean normal traffic rate (λn)    | 0.1
Mean attack traffic rate (λa)    | 0.4
Service rate (µ) (packets/sec)   | 1500
With 10000 legal clients and λn = 0.1, the capacity of the server should be at least 1000. However, the attack is successful only when the service rate (µ) is less than 3000 (λa*A(t) + λn*N(t)). The value of µ is, therefore, taken as 1500.
The buffer size for the normal situation is taken as 40 packets, i.e., L1 = 40 (packets). For choosing the size of L2, it is observed that the normal traffic rate is 1000 packets/sec. Thus a safe value of L2 = 3000 (packets) is taken. The values of the parameters of the attack detection algorithm are given in Table 2.
The available time for traffic analysis depends on the value of 6. Therefore, an accurate estimation of the value of this parameter is crucial for effective working of the proposed
mechanism. In the simulation work, a constant value (δ < δ ) for this parameter is used

for traffic analysis. It is assumed that the total traffic (normal and attack) is known and its value is Tn + Ta = 3000. As the service rate (u) is 1500, one can expect the buffer L1 to be full after 40/ (3000-1500) = 0.3 seconds. The whole buffer (L= L1 + L2) will be full in
30040/ (3000-1500) = 200 seconds. Therefore, a safe estimation of δ = 10 is made. In real world situation, one does not have any preliminary knowledge about the attack and
so 5 should be estimated over a period of time. For the sake of simplicity, the value of δ is set equal to ws.
Table 2. Parameters of the attack detection algorithm

Parameter                                      Value
Sliding window size (ws)                       10 sec
Tolerance for traffic jump (r)                 0.6
Time frame for last correct value of A         45 sec
Experiment I
Table 3 shows the results of the simulation with different values of the window size (ws). It is clear that a larger window size, and hence a larger δ, gives a more accurate identification of attacks. However, with a larger window size the system is more likely to enter into a situation of buffer overflow: during the attack, the buffer allows traffic measurement during the initial 20 seconds, and after the buffer overflow the detection algorithm will produce very inaccurate and unreliable results. Therefore it is not worthwhile to increase the window size beyond a limit. On the other hand, as is evident from Table 3, when the time window is too short, the algorithm can detect only a very small proportion of the attacking hosts. The determination of an optimum window size is a challenging research problem. In summary, the simulation results in Table 3 show that the mechanism can successfully detect an attack with a window size of 10 seconds.

Table 3. Results of Experiment I

Observed metrics                         δ (δ = ws)
                                         5              10             20             30             40
Correctly identified attackers           2982           3784           4529           4784           4892
Filtered legal clients                   1              557            260            132            59
Dropped packets                          0              0              0              14251          28765
Max. buffer level (time frame)           29717 (200 s)  14941 (110 s)  29732 (119 s)  30040 (120 s)  30040 (120 s)
Time to restore (after t*)               149            104            73             71             81
Experiment II
In this case, a smaller system is simulated with the parameters listed in Table 4. The buffers L1 and L2 are chosen as 40 and 160 respectively. The value of δ is set equal to ws, i.e. δ = ws = 10. The remaining parameters are kept the same as in Experiment I.
Table 4. Parameters for Experiment II

Parameter                                   Value
Number of legal clients (N(t))              50
Number of attacking hosts (A(t))            50
Mean normal traffic rate (λn)               0.1
Mean attack traffic rate (λa)               0.2
Service rate (µ) (packets/sec)              8
Table 5. Results of Experiment II

Observed metrics                              Observed values
                                              Min     Avg        Conf. Int. (95%)
Traffic restoration time (after t*)           49      114.732    1.942
Packets dropped                               0       0.695      0.321
Normal user filtered (type II error)          1       7.115      0.231
Number of attackers filtered                  21      32.413     0.235
Attack detection time (after t*)              0       2.95       0.09
In experiment II, test runs are repeated on 500 different sets of input data to have an insight into the statistical properties of the system under normal and attack situations.

With different data sets, it is observed that the approximate detection algorithm was faster in detecting the attack in 454 cases. In 42 cases, the attack was correctly identified by both algorithms, the heuristic and the statistical test, at the same time. The statistical test-based (accurate) detection algorithm could detect all 50 attack sources without any filtering of traffic from the legitimate clients in all 500 experimental runs. Therefore, in terms of detection accuracy and reduced false positives, the accurate statistical algorithm for detection outperformed the approximate algorithm. However, the approximate algorithm is found to be faster in detecting the attacks. Table 5 summarizes the simulation results.
ADVANTAGES
1. The detection and prevention of distributed denial of service attacks with very high detection accuracy and negligible false positive rates.
2. An adaptive attack detection framework employing two attack detection mechanisms, namely a simple detection heuristic with low computational and memory overhead and a more complex statistical hypothesis-based detection providing accurate attack detection at the expense of higher computational and memory overhead.
3. The traffic from the legitimate sources is not affected during an attack, because the window size of traffic flow in the buffer is adaptively increased while the detection of an attack is in progress.
4. Capable of detecting a distributed attack and subsequently blocking traffic from the identified attack sources.
5. As soon as the attack detection module identifies a potential attack, the traffic from the attack sources is blocked and the load on the server is restored to its normal level very fast.
6. A checking procedure to identify whether the load on the server has come back to its normal level after the attack is detected and the traffic from the attack sources is blocked: a timeout interval is computed, and the buffer occupancy in the server is checked to see whether it has returned to the normal average level after the attack traffic is blocked.

What is claimed is:
1. A method for approximate detection and prevention of distributed denial of service attacks (DDoS) from plurality of attacking hosts on a server in a network characterized in early detection of the said DDoS attacks by evaluating differential time based inbound traffic on the said server, the said method comprising processor implemented steps of:
a) dividing a memory buffer stored on the server into two parts, the first part capable of receiving traffic from multiple hosts in the network and the second part for measuring the traffic received;
b) receiving at least one incoming packet data from at least one host on the said first part of the said memory buffer;
c) estimating the instance of commencement of attack on the server;
d) determining an average traffic by measurement of traffic received continuously from the at least one host during at least two sliding time windows by the second part of the memory buffer;
e) identifying the at least one host as either a legal host or an attacker host based on the average traffic determined;
f) continuing the receipt of additional packets on the first part of the memory buffer from the at least one host identified as legal host;
g) discarding the additional packets received on the first part of the memory buffer from the at least one host identified as attacker host; and
h) restoring the size of the first part of the memory buffer to normal by deleting the initial packets received on the first part of the memory buffer from the at least one host if the host is identified as an attacker host.
2. The method of claim 1, wherein the size of the said second part of the memory buffer is larger than the said first part of the memory buffer.
3. The method of claim 2, wherein the larger size of the second part of the buffer enables large amount of time for effective measurement of traffic.
4. The method of claim 1, wherein the estimation of commencement of attack prior to the first part of the memory becoming full enables reception of the next incoming data packet on the first part of the memory from the at least one host in the network.
5. The method of claim 1, wherein the first part of the size of the buffer is determined as full when the server stops acknowledging the receipt of further packet data from at least one host in the network.
6. The method of claim 1, wherein the average traffic is determined for a time interval between the estimated instance of commencement of attack and the point at which the size of the first part of the memory buffer is full.
7. The method of claim 1, wherein the at least one sliding time window comprises time slots of small duration than the times slots of at least another sliding time window.
8. The method of claim 1, wherein the at least one host is identified as the attacker host if the average traffic determined is of higher value.
9. The method of claim 1, wherein the at least one host is identified as the legal host if the average traffic determined is of lower value.
10. The method of claim 1, wherein the packets received from the identified at least one attacker host is disrupted by applying a filter rule at the first part of the memory buffer stored on the server enabling filtering the packets received from the identified attacker host in the network.
11. The method of claim 1, wherein the restoration of the size of the first part of the memory buffer enables the server to receive packets from the at least other legal host thereby achieving higher Quality of Service (QoS).
12. The method of claim 1, wherein the discarding of additional packets from the identified at least one attacker host is repeated until the size of the first part of the memory buffer is brought to the normal size.
13. A system for an approximate detection and prevention of distributed denial of service attacks (DDoS) from plurality of attacking hosts on a server in a network characterized in early detection of the said DDoS attacks by evaluating differential time based inbound traffic on the said server in a communication network, the said server communicating with multiple hosts in the said communication network, the system comprising: a processor; a memory coupled to the said processor, to store instructions that, when executed by the processor, cause the processor to configure an interface module to:
a) divide a memory buffer stored on the server into two parts, the first part capable of receiving traffic from multiple hosts in the network and the second part for measuring the traffic received;
b) receive at least one incoming packet data from at least one host on the said first of the said memory buffer stored on the server in the network;
c) estimate instance of commencement of attack on the server;
d) determine an average traffic by measurement of traffic received continuously from the at least one host during at least two sliding time windows by the second part of the memory buffer,
e) identify the at least one host as either a legal host or an attacker host based on the average traffic determined;
f) continue the receipt of additional packets on the first part of the memory buffer from the at least one host identified as legal host;
g) discard the additional packets received on the first part of the memory buffer from the at least one host identified as attacker host; and
h) restore the size of the first part of the memory buffer to normal by deleting the initial packets received on the first part of the memory buffer from the at least one host if the host is identified as an attacker host.
14. The system of claim 13, wherein the size of the said second part of the memory buffer is larger than the said first part of the memory buffer.
15. The system of claim 14, wherein the larger size of the second part of the buffer enables large amount of time for effective measurement of traffic.
16. The system of claim 13, wherein the estimation of commencement of attack prior to the first part of the memory becoming full enables reception of the next incoming data packet on the first part of the memory from the at least one host in the network.
17. The system of claim 13, wherein the first part of the size of the buffer is determined as full when the server stops acknowledging the receipt of further packet data from at least one host in the network.
18. The system of claim 13, wherein the average traffic is determined for a time interval between the estimated instance of commencement of attack and the point at which the size of the first part of the memory buffer is full.
19. The system of claim 13, wherein the at least one sliding time window comprises time slots of small duration than the times slots of at least another sliding time window.
20. The system of claim 13, wherein the at least one host is identified as the attacker host if the average traffic determined is of higher value.
21. The system of claim 13, wherein the at least one host is identified as the legal host if the average traffic determined is of lower value.
22. The system of claim 13, wherein the packets received from the identified at least one attacker host is disrupted by applying a filter rule at the first part of the memory buffer stored on the server enabling filtering the packets received from the identified attacker host in the network.
23. The system of claim 13, wherein the restoration of the size of the first part of the memory buffer enables the server to receive packets from the at least other legal host thereby achieving higher Quality of Service (QoS).
24. The system of claim 13, wherein the discarding of additional packets from the identified at least one attacker host is repeated until the size of the first part of the memory buffer is brought to the normal size.
25. A method for accurate detection of distributed denial of service attacks (DDoS) from plurality of attacking hosts on a server in a network characterized in detection of the said DDoS attacks by evaluating differential time based inbound traffic on the said server, the said method comprising processor implemented steps of:
a) measuring a packet arrival rate (PAR) for at least one packet received from at least one host in the network during at least one sample duration;
b) computing a sample mean and a standard deviation based on the measured packet arrival rate (PAR) for at least one packet received;
c) comparing the computed PAR with a maximum packet arrival rate (MPAR) for checking whether at least one packet received from the at least one host contains a normal PAR or a high PAR;
d) distinguishing at least one host with normal PAR and at least one another host with high PAR to determine the attacks on the server by using a maximum packet arrival rate (MPAR);
e) computing the difference between the computed sample mean of the at least one host containing the normal PAR and the at least other host containing the high packet arrival rate; and
f) detecting the attack on the server based on the difference computed.

26. The method of claim 25, wherein the attack is detected on the server if the difference computed is less than a critical value.
27. A system for accurate detection of distributed denial of service attacks (DDoS) from plurality of attacking hosts on a server in a network characterized in detection of the said DDoS attacks by evaluating differential time based inbound traffic on the said server in a communication network, the said server communicating with multiple hosts in the said communication network, the system comprising:
a processor;
a memory coupled to the said processor,
to store instructions that, when executed by the processor,
cause the processor to configure an interface module to:
a) measure a packet arrival rate (PAR) for at least one packet received from at least one host in the network during at least one sample duration;
b) compute a sample mean and a standard deviation based on the measured packet arrival rate (PAR) for at least one packet received;
c) compare the computed PAR for checking whether at least one packet received from the at least one host contains a normal PAR or a high PAR;
d) distinguish at least one host with normal PAR and at least one another host with high PAR to determine the attacks on the server by using a maximum packet arrival rate (MPAR);
e) compute the difference between the computed sample mean of the at least one host containing the normal PAR and the at least other host containing the high packet arrival rate; and
f) detect the attack on the server based on the difference computed.
28. The system of claim 27, wherein the attack is detected on the server if the difference computed is less than a critical value.
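As an added example, not code from the patent or its applicant, the following Python models the two claimed detection modules over a constructed per-host traffic trace: the approximate heuristic of claims 1 to 12 (average traffic over two sliding windows of different slot durations, a tolerance r on the jump above the pre-attack baseline, then filtering and buffer restoration) and the accurate test of claims 25 and 26 (per-host packet arrival rates summarised by sample mean and standard deviation, a split of hosts at MPAR, and a difference of group means compared with a critical value). The window lengths, the rule that a host must exceed the threshold in every window, the MPAR value, the use of Welch's t-statistic as the standardised difference, the critical value, the estimated attack start t* and the traffic trace itself are assumptions made for this example; only r = 0.6 comes from Table 2.

```python
# Added example, not the patent's code: toy model of the approximate (claims 1-12)
# and accurate (claims 25-26) detection modules over constructed per-host traffic.
import math
import statistics

# Constructed per-host packet counts per one-second slot. Slots 0-5 are normal
# traffic; the attack starts at slot 6, which is also the estimated commencement t*.
TRAFFIC = {
    "legal-a":    [1, 0, 1, 1, 0, 1,  1, 0, 1, 1, 0, 1],
    "legal-b":    [0, 1, 0, 1, 1, 0,  1, 0, 0, 1, 1, 0],
    "legal-c":    [1, 1, 0, 0, 1, 0,  0, 1, 1, 0, 1, 1],   # one short burst near the end
    "attacker-x": [0, 1, 0, 1, 0, 1,  4, 5, 4, 5, 4, 5],
    "attacker-y": [1, 0, 1, 0, 1, 0,  5, 4, 5, 4, 5, 5],
}
T_STAR = 6          # estimated instance of attack commencement (claim 1, step c); assumed
WINDOWS = (2, 6)    # two sliding windows of different slot durations (claim 7); assumed
R = 0.6             # tolerance for traffic jump, from Table 2
MPAR = 2.0          # maximum packet arrival rate treated as normal, per host; assumed
CRITICAL_T = 2.0    # critical value for the hypothesis test; assumed


def baseline_rate(traffic, t_star):
    """Average per-host packets/slot before the estimated attack start."""
    pre = [c for counts in traffic.values() for c in counts[:t_star]]
    return sum(pre) / len(pre)


def approximate_detection(traffic, t_star=T_STAR, windows=WINDOWS, r=R):
    """Heuristic of claims 1-12: a host is an attacker when its average traffic in
    every sliding window after t* exceeds the pre-attack baseline by more than r.
    Requiring all windows (assumption) keeps a single burst from flagging a legal host."""
    threshold = baseline_rate(traffic, t_star) * (1 + r)
    attackers = set()
    for host, counts in traffic.items():
        post = counts[t_star:]
        averages = [sum(post[-w:]) / w for w in windows]   # windows end at "now"
        if all(avg > threshold for avg in averages):
            attackers.add(host)
    return attackers


def accurate_detection(traffic, t_star=T_STAR, mpar=MPAR, critical=CRITICAL_T):
    """Test of claims 25-26. Per-host packet arrival rates (PAR) after t* are summarised
    by sample mean and standard deviation; hosts whose mean exceeds MPAR form the
    high-PAR group. The difference of the two groups' means is standardised with
    Welch's t-statistic (assumed form) and compared with the critical value."""
    normal, high, per_host = [], [], {}
    for host, counts in traffic.items():
        par = counts[t_star:]
        per_host[host] = (statistics.mean(par), statistics.stdev(par))
        (high if per_host[host][0] > mpar else normal).extend(par)
    if len(high) < 2 or len(normal) < 2:      # no high-PAR group: nothing to test
        return False, 0.0, per_host
    t = (statistics.mean(high) - statistics.mean(normal)) / math.sqrt(
        statistics.variance(high) / len(high) + statistics.variance(normal) / len(normal))
    return t > critical, t, per_host


def filter_and_restore(traffic, attackers):
    """Claims 1 f-h and 10: keep packets of legal hosts, discard those of identified
    attackers, and shrink the buffer back by removing the attackers' packets already held."""
    buffer = [(host, slot) for host, counts in traffic.items()
              for slot, c in enumerate(counts) for _ in range(c)]

    def filter_rule(pkt):                     # the filter rule of claim 10
        return pkt[0] not in attackers

    return [pkt for pkt in buffer if filter_rule(pkt)]


if __name__ == "__main__":
    found = approximate_detection(TRAFFIC)
    detected, t_stat, _ = accurate_detection(TRAFFIC)
    kept = filter_and_restore(TRAFFIC, found)
    print(f"approximate module flags: {sorted(found)}")
    print(f"accurate module: attack={detected}, t={t_stat:.2f}")
    print(f"buffer occupancy after filtering: {len(kept)} packets")
```

Running the file prints the hosts flagged by the heuristic, the test statistic of the accurate module and the buffer occupancy once the attackers' packets are removed. Note that legal-c exceeds the threshold in the short window because of its burst but stays near the baseline in the long window, so it is not flagged; that is the reason the heuristic measures over more than one window.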

Documents

Application Documents

# Name Date
1 Other Document [24-02-2017(online)].pdf 2017-02-24
2 Examination Report Reply Recieved [24-02-2017(online)].pdf 2017-02-24
3 Drawing [24-02-2017(online)].pdf 2017-02-24
4 Description(Complete) [24-02-2017(online)].pdf_582.pdf 2017-02-24
5 Description(Complete) [24-02-2017(online)].pdf 2017-02-24
6 Claims [24-02-2017(online)].pdf 2017-02-24
7 Abstract [24-02-2017(online)].pdf 2017-02-24
8 93-MUM-2011-Correspondence to notify the Controller (Mandatory) [25-10-2017(online)].pdf 2017-10-25
9 93-MUM-2011-Written submissions and relevant documents (MANDATORY) [22-11-2017(online)].pdf 2017-11-22
10 Response to FER.pdf 2018-08-11
11 Response to FER- Complete.pdf 2018-08-11
12 Amended drawings- clean copy.pdf 2018-08-11
13 Amended Complete specification- clean copy.pdf 2018-08-11
14 Amended Claims- clean copy.pdf 2018-08-11
15 Amended abstract- Clean copy.pdf 2018-08-11
16 abstract1.jpg 2018-08-11
17 93-MUM-2011_EXAMREPORT.pdf 2018-08-11
18 93-MUM-2011-HearingNoticeLetter.pdf 2018-08-11
19 93-MUM-2011-FORM 5(20-5-2011).pdf 2018-08-11
20 93-MUM-2011-FORM 3(20-5-2011).pdf 2018-08-11
21 93-MUM-2011-FORM 26(21-1-2011).pdf 2018-08-11
22 93-mum-2011-form 2.pdf 2018-08-11
23 93-mum-2011-form 2(title page).pdf 2018-08-11
24 93-MUM-2011-FORM 2(TITLE PAGE)-(20-5-2011).pdf 2018-08-11
25 93-mum-2011-form 2(20-5-2011).pdf 2018-08-11
26 93-MUM-2011-FORM 18(20-5-2011).pdf 2018-08-11
27 93-mum-2011-form 1.pdf 2018-08-11
28 93-MUM-2011-FORM 1(21-1-2011).pdf 2018-08-11
29 93-MUM-2011-FORM 1(20-5-2011).pdf 2018-08-11
30 93-mum-2011-drawing.pdf 2018-08-11
31 93-MUM-2011-DRAWING(20-5-2011).pdf 2018-08-11
32 93-mum-2011-description(provisional).pdf 2018-08-11
33 93-MUM-2011-DESCRIPTION(COMPLETE)-(20-5-2011).pdf 2018-08-11
34 93-mum-2011-correspondence.pdf 2018-08-11
35 93-MUM-2011-CORRESPONDENCE(21-1-2011).pdf 2018-08-11
36 93-MUM-2011-CORRESPONDENCE(20-5-2011).pdf 2018-08-11
37 93-MUM-2011-CLAIMS(20-5-2011).pdf 2018-08-11
38 93-mum-2011-abstract.pdf 2018-08-11
39 93-MUM-2011-ABSTRACT(20-5-2011).pdf 2018-08-11
40 93-MUM-2011-PatentCertificate24-04-2019.pdf 2019-04-24
41 93-MUM-2011-IntimationOfGrant24-04-2019.pdf 2019-04-24
42 93-MUM-2011-RELEVANT DOCUMENTS [30-03-2020(online)].pdf 2020-03-30
43 93-MUM-2011-RELEVANT DOCUMENTS [25-09-2021(online)].pdf 2021-09-25
44 93-MUM-2011-RELEVANT DOCUMENTS [30-09-2022(online)].pdf 2022-09-30
45 93-MUM-2011-RELEVANT DOCUMENTS [27-09-2023(online)].pdf 2023-09-27

ERegister / Renewals

3rd: 02 Jul 2019 (From 11/01/2013 - To 11/01/2014)
4th: 02 Jul 2019 (From 11/01/2014 - To 11/01/2015)
5th: 02 Jul 2019 (From 11/01/2015 - To 11/01/2016)
6th: 02 Jul 2019 (From 11/01/2016 - To 11/01/2017)
7th: 02 Jul 2019 (From 11/01/2017 - To 11/01/2018)
8th: 02 Jul 2019 (From 11/01/2018 - To 11/01/2019)
9th: 02 Jul 2019 (From 11/01/2019 - To 11/01/2020)
10th: 10 Jan 2020 (From 11/01/2020 - To 11/01/2021)
11th: 08 Jan 2021 (From 11/01/2021 - To 11/01/2022)
12th: 10 Jan 2022 (From 11/01/2022 - To 11/01/2023)
13th: 03 Jan 2023 (From 11/01/2023 - To 11/01/2024)
14th: 11 Jan 2024 (From 11/01/2024 - To 11/01/2025)
15th: 11 Jan 2025 (From 11/01/2025 - To 11/01/2026)