WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

Li He,Shunzheng Yu,Min Li

DOI: https://doi.org/10.1109/NPC.2008.85

2008-01-01

Abstract:Identifying anomaly detection such as failure and attacks rapidly and accurately over the Internet holds interest of both network operators and researchers. Network behavior analysis (NBA) system is usually disposed over an intranet, passively collects SNMP data or flow data, and uses signature and anomaly mechanisms to identify and analyze interesting network activities, including traffic anomaly. In order to discover the anomalies of networks outside manageable areas, we need to use active probing techniques. In this paper we first present PQLink, a tool that allows end users to accurately measure the available bandwidth (AB) of arbitrary links on a network. PQLink uses a novel probing technique called trains of packet-quartets and only needs a single end point. Then we propose a novel approach for anomaly detection based on PQLink, which keeps monitoring the AB of vital links. Simulations validate the efficiency of PQLink and our anomaly detection approach.

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Wei-Zhou Lu,Wei-Xuan Gu,Shun-Zheng Yu

DOI: https://doi.org/10.1016/j.jnca.2008.02.018

IF: 7.574

2009-01-01

Journal of Network and Computer Applications

Abstract:This paper presents a novel approach to measure and estimate end-to-end one-way queuing delay in a network, which carries information about traffic characteristics and congestion properties. The measurement results can be used to describe the normal behavior of the network and detect distributed denial-of-service attacks (DDoS attacks). The measurement does not require any synchronization between the two measurement ends. Pairs of probe packets are sent from the source to the destination and intra-gaps between the probes are separately measured at the two ends. By performing an iterative Fourier-to-time reconstruction algorithm on the measured intra-gaps, distribution of the end-to-end one-way queuing delay is estimated. The packet loss rate and delay jitter are simultaneously measured as well. The simulations and experiments are conducted to validate the approach.

He Li,Yu Shunzheng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2008.08.016

2008-01-01

Abstract:Availabale bandwidth(AB) measurement is important for many Internet applications, such as network behavior analysis, QoS verification, high-speed grid computing, overlay routing, server selection, and so on, and locating the bottleneck link can further aid network operations and troubleshooting. This paper surveys the state of art in the fields of AB measurement techniques and bottleneck link localization methods, analyzes their principles, and discusses new potential research problems. Based on the analysis about the limitation of the popularly used packet-pairs or packet trains with equal sizes, this paper introduces a novel probing technique using not-equal packets.

T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/978-3-540-24693-0_63

2004-01-01

Abstract:In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

WANG Feng-Yu,CAO Shou-Feng,XIAO Jun,YUN Xiao-Chun,GONG Bin

DOI: https://doi.org/10.3724/sp.j.1001.2013.04274

2014-01-01

Journal of Software

Abstract:Distributed denial of service(DDoS) attacks have become more and more difficult to detect due to various hiding techniques that have been adopted.Application-Layer the DDoS attack is becoming a major threat to the current network.This paper analyzes the stability of out-linking behavior on the level of Web community and proposes an approach for detecting application-layer DDoS aimed at Web server.CUSUM is used to detect the offset of out-linking parameters and determine the attack occurring.Rather than the individual behavior,out-linking parameters are about the group behavior of Web community,so it is difficult to circumvent detecting by simulating normal accesses.This approach can not only detect the anomaly of accessing behavior,but can also distinguish flash crowd and application-layer DDoS.The results of simulated experiments show that this approach can detect various types of DDoS attacks aiming at Web servers effectively.

Xin Wang,Xiaobo Ma,Jian Qu

DOI: https://doi.org/10.1109/dsa52907.2021.00026

2021-01-01

Abstract:In recent years, a new type of DDoS attacks against backbone routing links have appeared. They paralyze the communication network of a large area by directly congesting the key routing links concerning the network accessibility of the area. This new type of DDoS attacks make it difficult for traditional countermeasures to take effect. This paper proposes and implements an attack detection method based on non-cooperative active measurement. Experiments show that our detection method can efficiently perceive changes of network link performance and assist in identifying such new DDoS attacks. In our testbed, the network anomaly detection accuracy can reach 93.7%.

张长旺,殷建平,蔡志平,祝恩,程杰仁

DOI: https://doi.org/10.3969/j.issn.1007-130x.2010.07.014

2010-01-01

Abstract:Distributed Low-rate Denial-of-Service attacks (DLDoS) exploit the vulnerability of the adaptive behaviours exhibited by network protocols and network services.Its attack efficiency and ability of concealment are far higher than the traditional flooding-based DDoS attacks,thus it is harder to detect and defense.In this paper,we first model and formalize the DLDoS attacks,and then propose an approach of detecting DLDoS based on the congestion participation rate (CPR).Experiments and analysis demonstrate that the approach can detect the DLDoS attacks accurately and reduce the false alarm rate drastically.

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

Haitao Zhao,Jibo Wei,Shan Wang,Yong Xi

DOI: https://doi.org/10.5772/13110

2011-01-01

Abstract:Wireless ad hoc networks provide quick and easy networking in circumstances that require temporary network services or when cabling is difficult. With the widespread use of multimedia applications that require Quality of Service (QoS) guarantees, research in providing QoS support in wireless ad hoc networks has received much attention recently (Nafaa, 2007). The term QoS gathers several concepts. Some efforts, like admission control, intend to offer guarantees to the applications on the transmission characteristics, for instance bandwidth, delay, delay jitter, or packet loss. Other solutions, like QoS routing, only select the best path among all possible choices regarding the same criteria. In both cases, an accurate evaluation of the amount of resources available (i.e., available bandwidth) on a given path is necessary. Therefore, obtaining accurate information of available bandwidth is a crucial basis for QoS-aware controls in wireless ad hoc networks. In the followed analysis, the term available bandwidth will be denoted by “AB” for brevity. Since the IEEE 802.11 Distributed Coordination Function (DCF), based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), is the most popular MAC protocol used in ad hoc networks, the AB estimation problem in 802.11-based ad hoc networks has been a focus of recent research. Some approaches that used to be applied in wired networks have been adopted in wireless scenario, e.g., (Hu & Steenkiste, 2003; Jain & Dovrolis, 2003; Melander, Bjorkman et al., 2000; Ribeiro, Riedi et al., 2003; Strauss, Katabi et al., 2003). Meanwhile, some new proposed approaches that specialize for wireless networks have been proposed, e.g., (de Renesse, Friderikos et al., 2007; Sarr, Chaudet et al., 2008; Wu, Wang et al., 2005). So far, however, there is neither consensus on how to precisely measure the AB in ad hoc networks nor a practical approach that has been widely adopted, which makes all these approaches on the stage of experiment or simulation and no standard is agreed yet. So it’s time to rethink the AB estimation in ad hoc networks, and find out the challenges that make it so difficult to arrive at an agreement. In this chapter we’ll review the existing approaches for AB estimation, presenting the efforts and challenges to AB estimation in 802.11 or 802.11-alike ad hoc networks, and we will also give some proposals to tackle these challenges. Analyzing these problems will help to not only develop an accurate AB estimation approach but also design QoS support schemes in ad hoc networks. This chapter is based on our work that previously, in parts, have been published in (Zhao, Garcia-Palacios et al., 2009; Zhao, Wang et al., 2009; Zhao, Wang et al., 2010). And the rest of

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Lihua Miao,Wei Ding,Jian Gong

DOI: https://doi.org/10.1109/LANMAN.2015.7114740

2015-01-01

Abstract:Reports show that DDoS attacks are ubiquitous on the Internet and may jeopardize networks' stable operation. In order to understand the nature of this threat and further to enable effective control and management, a whole picture of the Internet-wide attacks is a necessity. Traditional methods use darknets to this end. However, with the IPv4 address space exhaustion, darknets become hard to acquire. In this paper, we seek to detect Internet-wide attacks using a live network. In particular, we focus on the most prevalent SYN flooding attacks. First, a complete attack scenario model is introduced according to the positions of the attacker, the victim and the attacking address. Then, after discussing the features of all scenarios, an algorithm named WSAND is proposed to detect Internet-wide SYN flooding attacks using Netflow data. In order to evaluate it, the algorithm is deployed at 28 main PoPs (Points of Presence) of the China Education and Research Network (CERNET) and the total internal address space is up to 200/16 blocks. A large quantity of Internet-wide SYN flooding attacks detected in March 2014 is discussed in detail. With the help of the detected attacks, a case study of detecting an internal zombie is presented.

T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/3-540-45067-X_19

2003-01-01

Abstract:We propose a distributed approach to detect distributed denial of service attacks by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change-point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. In a multi-agent scenario, we show that by sharing the distributed beliefs, we can improve the detection efficiency.

Xinqian Liu,Jiadong Ren,Haitao He,Qian Wang,Chen Song

DOI: https://doi.org/10.1016/j.cose.2020.102107

2021-01-01

Abstract:<p>Distributed denial of service (DDoS) attacks have been a typical and extremely destructive threat to the Internet. DDoS attack detections suffer from the nonnegligible high complexity of massive traffic flow storage in the high-speed network. Besides, hidden low-rate DDoS (LDDoS) attacks evade the existing detection methods due to the similarity between LDDoS attack traffic and normal traffic. Focusing on these problems, this paper proposes a new <strong>l</strong>ow-rate <strong>D</strong>DoS attack <strong>d</strong>etection <strong>m</strong>ethod (LDDM) by designing the multidimensional sketch structure and novel measurement methods on network flows. First, the multidimensional sketch structure is designed to aggregate and compress network flows, which contributes to reduce the cost of data storage and enhance detection performance. Then, the improved behavior divergence measurement method based on daub 4 wavelet transform is proposed to calculate the energy percentage of each sketch divergence. This method obtains effective results in distinguishing the normal traffic and attack traffic. Furthermore, a modified weighted exponential moving average method is designed to construct the dynamic threshold of normal network. Meanwhile, a traffic freezing mechanism is proposed to ensure the standardization of the dynamic threshold. Finally, the effectiveness of the LDDM is evaluated using several real low-rate DDoS attack datasets. The comparisons with other methods illustrate our method has a lower false positive rate and false negative rate, as well as higher accuracy in the detection of stealthy low-rate DDoS attacks.</p>

computer science, information systems