Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/IMSCCS.2006.159

2006-01-01

Abstract:Countering Distributed Denial of Service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. DDoS attacks are typically carried out at the network layer. However, there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones. In this paper, we consider sophisticated attacks that utilize legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server. Since the attack signature of each application layer DDoS is represented in abnormal user behavior, we propose a countermechanism based on Web user browsing behavior to protect the servers from these attacks. In contrast to prior works, we explore Hidden semi-Markov Model to describe the browsing behaviors of Web users and apply it to implement the anomaly detection for the application layer DDoS attacks which simulate the Web request behaviors of browser and use HTTP requests to launch attacks. By conducting an experiment with a real traffic data, the model shows that it is effective in measuring the user behaviors and detecting the application layer DDoS attacks.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

LI Mu-hai,LI Ming,WU Xin-xing,LI Xu-hong

DOI: https://doi.org/10.3969/j.issn.1002-137X.2009.01.073

2009-01-01

Computer Science

Abstract:This paper presented a run-time model that can efficiently detect network attacks.The model resolves the problem that classic method can’t distinguish anomalies from attacks.Combining the characteristics of normal traffic,an efficient measure and algorithm which can detect DDoS attacks were given.The algorithm not only has simple structure,high speed to meet the needs of real-time detection,but also can take full advantage of known information,and has more strong anti-jamming capability.The actual test results indicate that this model can be used to achieve real-time detection of DDoS attacks.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

GU Xiaoqing,WANG Hongyuan,NI Tongguang,DING Hui

DOI: https://doi.org/10.3724/sp.j.1087.2013.02228

2013-01-01

Journal of Computer Applications

Abstract:According to the difference between normal users' visiting patterns and abnormal ones,a new method to detect application-layer Distributed Denial of Service(DDoS) attack was proposed based on IP Service Request Entropy(SRE) time series.By approximating the Adaptive AutoRegressive(AAR) model,the SRE time series was transformed into a multidimensional vector series regarded as a description of current users' visiting patterns.Furthermore,a Support Vector Machine(SVM) classifier was applied to classify vector series and identify the attacks.The simulation results show that this approach not only can distinguish between normal traffic and DDoS attack traffic,but also is suitable to detect DDoS attack against the large scale network traffic,which does not arouse the sharp changes of the network traffic.

XIE Yi,YU Shun-Zheng

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.08.029

2007-01-01

Computer Science

Abstract:Distributed Denial of Service(DDoS)attacks are typically carried out at the network layer.However,there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones.A sophisticated attack using legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server is discussed.A counter-mechanism based on Web user browsing behavior is proposed to protect the servers from these attacks.In contrast to prior works,Hidden semi-Markov Model is explored to describe the browsing behaviors of Web users and to implement the anomaly detection for the application layer flooding attacks.By conducting an experiment with a real traffic data,the model shows that it is effective in measuring the user behaviors and detecting the application layer flooding attacks.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Zhu Jian-Qi,Fu Feng,Yin Ke-xin,Liu Yan-Heng

DOI: https://doi.org/10.1016/j.compeleceng.2013.05.003

IF: 4.152

2013-01-01

Computers & Electrical Engineering

Abstract:Denial of Service (DoS) attack poses a severe threat to the Internet. Entropy-based methods have been successfully used to detect specific types of malicious traffic. This paper presents a novel dynamic entropy-based model for the detection of DoS attack. Based on the theory of alive communication, the dynamic entropy model is constructed by combining the information entropy as well as the feature of netflow conversation correlation. This is the first application of the theory of alive communication in the network anomalies detection. To evaluate the performance of the dynamic entropy model, we compare it with the traditional information entropy model. The experiment results demonstrate the presence of traffic’s dynamic entropy and show that the dynamic entropy keeps stable under normal traffic. By contrast, it fluctuates significantly when the network subjects to DoS attacks. Moreover, the detection rate of dynamic entropy-based model is higher and can detect unknown DoS attacks effectively.

Xie Yi,Yu Shunzheng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2007.01.023

2007-01-01

Abstract:Distributed denial of service (DDoS) attacks bring a very serious threat to the stability of Internet. DDoS attack methods and tools are becoming more sophisticated, effective and also more difficult to be traced. New forms of DDoS attacks on application layer cause current defense technologies working on TCP or IP level unable to withstand them, which makes a new challenge to the traditional anomaly detection techniques. In this paper, we discuss the rationale of application layer DDoS attacks and the disadvantages of current DDoS detection schemes in dealing with such attacks. At last, a new detection scheme focusing on application layer DDoS attacks defense based on user behavior is proposed. Filtering and blocking are also carried out for the malicious HTTP requests over the application level and TCP level.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/TNET.2008.923716

2009-01-01

IEEE/ACM Transactions on Networking

Abstract:Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to achieve early attack detection and filtering for the application-layer-based DDoS attack. An extend...

Jie Yu,Zhoujun Li,Huowang Chen,Xiaoming Chen

DOI: https://doi.org/10.1109/icns.2007.5

2007-01-01

Abstract:Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We proposed a mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology. An anomaly dete-ction method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses client's session rate as currency. Detection model drops suspicious sessions, while currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain higher service rate and lower delay of response time.

Xin Xu,Yongqiang Sun,Zunguo Huang

DOI: https://doi.org/10.1007/978-3-540-71549-8_17

2007-01-01

Abstract:In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and the availability of DDoS attack tools has become more and more easy. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in the mediate network nodes or near the sources of DDoS attacks and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracies can be improved without much load on information communications among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.

Chuibi Huang,Jinlin Wang,Gang Wu,Jun Chen

DOI: https://doi.org/10.4304/jsw.9.4.985-990

2014-01-01

Journal of Software

Abstract:Distributed Denial of Service (DDoS) attacks have caused continuous critical threats to the Internet services. DDoS attacks are generally conducted at the network layer. Many DDoS attack detection methods are focused on the IP and TCP layers. However, they are not suitable for detecting the application layer DDoS attacks. In this paper, we propose a scheme based on web user browsing behaviors to detect the application layer DDoS attacks (app-DDoS). A clustering method is applied to extract the access features of the web objects. Based on the access features, an extended hidden semi-Markov model is proposed to describe the browsing behaviors of web user. The deviation from the entropy of the training data set fitting to the hidden semi-Markov model can be considered as the abnormality of the observed data set. Finally experiments are conducted to demonstrate the effectiveness of our model and algorithm.

Tongguang Ni,Xiaoqing Gu,Hongyuan Wang,Yu Li

DOI: https://doi.org/10.1155/2013/821315

2013-01-01

Journal of Control Science and Engineering

Abstract:Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. Consequently, neither intrusion detection systems (IDS) nor victim server can detect malicious packets. In this paper, a novel approach to detect application-layer DDoS attack is proposed based on entropy of HTTP GET requests per source IP address (HRPI). By approximating the adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series. Then, a trained support vector machine (SVM) classifier is applied to identify the attacks. The experiments with several databases are performed and results show that this approach can detect application-layer DDoS attacks effectively.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

Muhai Li,Ming Li

DOI: https://doi.org/10.1155/2010/570940

IF: 1.43

2010-01-01

Mathematical Problems in Engineering

Abstract:In various network attacks, the Distributed Denial-of-Service (DDoS) attack is a severe threat. In order to deal with this kind of attack in time, it is necessary to establish a special type of defense system to change strategy dynamically against attacks. In this paper, we introduce an adaptive approach, which is used for defending against DDoS attacks, based on normal traffic analysis. The approach can check DDoS attacks and adaptively adjust its configurations according to the network condition and attack severity. In order to insure the common users to visit the victim server that is being attacked, we provide a nonlinear traffic control formula for the system. Our simulation test indicates that the nonlinear control approach can prevent the malicious attack packets effectively while making legitimate traffic flows arrive at the victim.

WANG Feng-Yu,CAO Shou-Feng,XIAO Jun,YUN Xiao-Chun,GONG Bin

DOI: https://doi.org/10.3724/sp.j.1001.2013.04274

2014-01-01

Journal of Software

Abstract:Distributed denial of service(DDoS) attacks have become more and more difficult to detect due to various hiding techniques that have been adopted.Application-Layer the DDoS attack is becoming a major threat to the current network.This paper analyzes the stability of out-linking behavior on the level of Web community and proposes an approach for detecting application-layer DDoS aimed at Web server.CUSUM is used to detect the offset of out-linking parameters and determine the attack occurring.Rather than the individual behavior,out-linking parameters are about the group behavior of Web community,so it is difficult to circumvent detecting by simulating normal accesses.This approach can not only detect the anomaly of accessing behavior,but can also distinguish flash crowd and application-layer DDoS.The results of simulated experiments show that this approach can detect various types of DDoS attacks aiming at Web servers effectively.