T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/978-3-540-24693-0_63

2004-01-01

Abstract:In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.

Tao Peng,Christopher Leckie,Kotagiri Ramamohanarao

DOI: https://doi.org/10.1109/GLOCOM.2003.1258460

2003-01-01

Abstract:In this paper, we present a distributed approach to detecting a type of distributed denial of service attack known as reflector attacks. In our approach, every potential reflector monitors the incoming packets and broadcasts a warning message to other potential reflectors if any abnormal traffic is observed. The warning message contains a description of the abnormal traffic it has observed. A detection decision can be made based on the information from multiple potential reflectors. We present a learning algorithm to decide when to broadcast the warning message.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

B. B. Gupta,R. C. Joshi,Manoj Misra

DOI: https://doi.org/10.48550/arXiv.1204.5592

2012-04-25

Abstract:Denial of service (DoS) attacks and more particularly the distributed ones (DDoS) are one of the latest threat and pose a grave danger to users, organizations and infrastructures of the Internet. Several schemes have been proposed on how to detect some of these attacks, but they suffer from a range of problems, some of them being impractical and others not being effective against these attacks. This paper reports the design principles and evaluation results of our proposed framework that autonomously detects and accurately characterizes a wide range of flooding DDoS attacks in ISP network. Attacks are detected by the constant monitoring of propagation of abrupt traffic changes inside ISP network. For this, a newly designed flow-volume based approach (FVBA) is used to construct profile of the traffic normally seen in the network, and identify anomalies whenever traffic goes out of profile. Consideration of varying tolerance factors make proposed detection system scalable to the varying network conditions and attack loads in real time. Six-sigma method is used to identify threshold values accurately for malicious flows characterization. FVBA has been extensively evaluated in a controlled test-bed environment. Detection thresholds and efficiency is justified using receiver operating characteristics (ROC) curve. For validation, KDD 99, a publicly available benchmark dataset is used. The results show that our proposed system gives a drastic improvement in terms of detection and false alarm rate.

Cryptography and Security

Xin Xu,Yongqiang Sun,Zunguo Huang

DOI: https://doi.org/10.1007/978-3-540-71549-8_17

2007-01-01

Abstract:In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and the availability of DDoS attack tools has become more and more easy. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in the mediate network nodes or near the sources of DDoS attacks and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracies can be improved without much load on information communications among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

Hasen AlMomin,Abdullahi Abdu Ibrahim

DOI: https://doi.org/10.1109/hora49412.2020.9152873

2020-06-01

Abstract:Software Defined-Network (SDN) is still lately attracting much new research of interest. SDN networks introduce a new design that works on split the control plane from the data plane in order to allow a broader filed to program the network smoothly and efficiently to gain much simplicity, compared to the traditional networks. Any change in traditional networks required a re-configuration on a set of resources for the network. Whereas in new SDN network needs one person with knowledge on the control layer (controller) to manage all network resources and update rules with less time. One of the most critical attacks that increased lately is the Distributed Denial of Service (DDoS), which works to make the service unavailable for an unknown period. In this paper, we will suggest a method to detect a DDoS attack that targeting one or multiple victims concurrently by combining two algorithms of Machine Learning (ML), which is entropy and Principal Component Analysis (PCA). Also, we examined the efficiency of our schema through a Mininet emulator and a pox controller and using open vSwitch as a switch. We have obtained high detection accuracy to detect DDoS attacks.

Theerasak Thapngam,Shui Yu,Wanlei Zhou,S. Kami Makki

DOI: https://doi.org/10.1007/s12083-012-0173-3

2012-10-25

Abstract:In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

computer science, information systems,telecommunications

Yan Chen,Aaron Beach,Jason Skicewicz

2004-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today’s networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a distributed IDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of three common types of intrusions: DoS attacks, port scanning and virus/worm infection; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP addresses in scans. We further propose load-aware node bootstrapping to distribute the alarms more evenly across the fusion centers. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 Worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. Open questions on querying and attack-resilience of CDDHT are also discussed.

Xin Wang,Xiaobo Ma,Jian Qu

DOI: https://doi.org/10.1109/dsa52907.2021.00026

2021-01-01

Abstract:In recent years, a new type of DDoS attacks against backbone routing links have appeared. They paralyze the communication network of a large area by directly congesting the key routing links concerning the network accessibility of the area. This new type of DDoS attacks make it difficult for traditional countermeasures to take effect. This paper proposes and implements an attack detection method based on non-cooperative active measurement. Experiments show that our detection method can efficiently perceive changes of network link performance and assist in identifying such new DDoS attacks. In our testbed, the network anomaly detection accuracy can reach 93.7%.

Peng Xiao,Zhiyang Li,Heng Qi,Wenyu Qu,Haisheng Yu

DOI: https://doi.org/10.1109/trustcom.2016.0038

2016-01-01

Abstract:Distributed Denial of Service (DDoS) attacks are becoming one of the major threats in the distributed data center networks which are loosely connected. Recent work has found new ways to attack network link instead of network servers. However, existing methods have limitations when detecting the link attacks, particularly in data store. To address this issue, in this paper, we propose an attack detection system that can deal with the link flooding attacks. Our method is based on Bloom Filter and Software-Defined Networking (SDN). We propose a real-time link attack detection system and define a two-module detection framework to detect the attacks. Then we apply our strategy in SDN. Extensive experiments on different settings have been performed, showing that our method is good at detecting the link flooding attack with high detection rates and low overhead.

Li He,Binhua Tang,Shunzheng Yu

DOI: https://doi.org/10.1109/ICCS.2008.4737370

2008-01-01

Abstract:Detection of distributed denial of service (DDoS) attacks over the Internet is crucial for many Internet applications, such as electronic commerce, network games, P2P, etc. Based on anomaly detection information, network route selection, quality of service (QoS) provision, and traffic engineering can be performed to bypass the abnormal areas or to immigrate the attack traffic. To detect the DDoS attacks in networks outside manageable areas, we need to send probing packets. This paper first surveys the existing available bandwidth estimation tools (ABETs) and divides them into two categories. Most ABETs can measure the available bandwidth of a path over networks, and provide knowledge about the tight link of the path. This paper then presents a method using the ABETs and the bottleneck localization tools to estimate total available bandwidth inside a network from the network edge without additional cooperation of the edge or core routers. The method continuously measures the network bandwidth. The measurement results are then used to detect whether DDoS attacks appear by a special cumulative sum (CUSUM) algorithm. Simulations verified the efficiency of the network available bandwidth measurement method and the detection algorithm.

Loïc D. Tsobdjou,Samuel Pierre,Alejandro Quintero,Loic D. Tsobdjou

DOI: https://doi.org/10.1109/tnsm.2022.3142254

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Distributed denial of service attacks are cyber-attacks that target the availability of servers. As a result, legitimate users no longer have access to the service. This can have a negative impact on an organization, such as lack of reputation and economic losses. Therefore, it is important to design defense mechanisms against these attacks. There are systems for detecting distributed denial of service attacks in the literature, which still have various shortcomings. Some of these systems detect the presence of attack traffic without identifying the attack packets or flows. Others use static thresholds and therefore cannot adapt to changes in legitimate traffic. In this paper, we propose an online system that aims to detect flooding attacks in a short timeframe and a client–server environment. The proposed detection system consists of five modules, namely features extraction and connections construction, suspicious activity detection, attack connections detection, alert generation and threshold update. The suspicious activity detection module calculates the normalized Shannon entropy by considering the source Internet Protocol address as a random variable. Suspicious activity is detected when the computed entropy is below a threshold. The threshold calculation is based on Chebyshev’s theorem. We propose a dynamic threshold algorithm to track changes in legitimate traffic. We evaluate the proposed system through simulations and using a publicly available dataset. Compared to other similar works, the proposed detection system has a better performance in terms of detection rate, false positive rate, precision and overall accuracy.

computer science, information systems

WANG Feng-Yu,CAO Shou-Feng,XIAO Jun,YUN Xiao-Chun,GONG Bin

DOI: https://doi.org/10.3724/sp.j.1001.2013.04274

2014-01-01

Journal of Software

Abstract:Distributed denial of service(DDoS) attacks have become more and more difficult to detect due to various hiding techniques that have been adopted.Application-Layer the DDoS attack is becoming a major threat to the current network.This paper analyzes the stability of out-linking behavior on the level of Web community and proposes an approach for detecting application-layer DDoS aimed at Web server.CUSUM is used to detect the offset of out-linking parameters and determine the attack occurring.Rather than the individual behavior,out-linking parameters are about the group behavior of Web community,so it is difficult to circumvent detecting by simulating normal accesses.This approach can not only detect the anomaly of accessing behavior,but can also distinguish flash crowd and application-layer DDoS.The results of simulated experiments show that this approach can detect various types of DDoS attacks aiming at Web servers effectively.