T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/3-540-45067-X_19

2003-01-01

Abstract:We propose a distributed approach to detect distributed denial of service attacks by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change-point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. In a multi-agent scenario, we show that by sharing the distributed beliefs, we can improve the detection efficiency.

Wei,Feng Chen,Yingjie Xia,Guang Jin

DOI: https://doi.org/10.1109/lcomm.2012.121912.122257

IF: 3.5529

2013-01-01

IEEE Communications Letters

Abstract:DDoS presents a serious threat to the Internet since its inception, where lots of controlled hosts flood the victim site with massive packets. Moreover, in Distributed Reflection DoS (DRDoS), attackers fool innocent servers (reflectors) into flushing packets to the victim. But most of current DRDoS detection mechanisms are associated with specific protocols and cannot be used for unknown protocols. It is found that because of being stimulated by the same attacking flow, the responsive flows from reflectors have inherent relations: the packet rate of one converged responsive flow may have linear relationships with another. Based on this observation, the Rank Correlation based Detection (RCD) algorithm is proposed. The preliminary simulations indicate that RCD can differentiate reflection flows from legitimate ones efficiently and effectively, thus can be used as a useable indicator for DRDoS.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Omer Elsier Tayfour,Muhammad Nadzir Marsono

DOI: https://doi.org/10.1007/s11036-020-01552-0

2020-06-04

Mobile Networks and Applications

Abstract:This paper presents a collaborative technique to detect and mitigate Distributed Denial-of-Service (DDoS) flooding attacks on Software-Defined Network (SDN). This technique integrates sflow-RT application and Snort rules for the detection of DDoS traffic flows in an SDN controller. Redis Simple Message Queue (RSMQ) acts as a mechanism to share DDoS detection and mitigation rules among multiple Ryus SDN controllers. The rule-sharing allows a reduction of the controller's overhead for processing DDoS detection and mitigation. The experimental results show that using the RSMQ mechanism can significantly detect and prevent DDoS attacks detection across multi-controller domains. It also provides early detection and mitigation of DDoS at lower controller overhead.

computer science, information systems,telecommunications, hardware & architecture

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Bingshuang Liu,Skyler Berg,Jun Li,Tao Wei,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1109/ICCCN.2014.6911808

2014-01-01

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS. By leveraging peer-to-peer (P2P) file-sharing networks, SF-DRDoS becomes more surreptitious and powerful than traditional DRDoS. An attacker can store carefully prepared data on reflector nodes before the flooding phase to greatly increase the amplification factor of an attack. We implemented a prototype of SF-DRDoS on Kad, a popular Kademlia-based P2P file-sharing network. With real-world experiments, this attack achieved an amplification factor of 2400 on average, with the upper bound of attack bandwidth at 670 Gbps in Kad. Finally, we discuss possible defenses to mitigate the threat of SF-DRDoS.

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Junteng Yao,Tuo Wu,Qi Zhang,Jiayin Qin

DOI: https://doi.org/10.1109/LCOMM.2020.3001255

IF: 3.5529

2020-01-01

IEEE Communications Letters

Abstract:To monitor wireless suspicious transmissions, we propose an intelligent reflecting surface enabled legitimate monitoring system. In the system, the monitor employs the passive reflection for constructive or destructive signal forwarding. For constructive passive reflection, we maximize the average monitoring rate by approximating the cumulative distribution function of outage probability at the suspicious destination, i.e., the Marcum Q-function, by a closed-form expression. For destructive passive reflection, we derive the optimal transmission rate of the suspicious source. Furthermore, we propose to obtain the locally optimal reflection coefficients by the alternating direction method of multipliers (ADMM). Numerical results demonstrate that our proposed ADMM-based passive reflection scheme achieves almost the same average monitoring rate as the upper bound.

Yan Chen,Aaron Beach,Jason Skicewicz

2004-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today’s networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a distributed IDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of three common types of intrusions: DoS attacks, port scanning and virus/worm infection; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP addresses in scans. We further propose load-aware node bootstrapping to distribute the alarms more evenly across the fusion centers. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 Worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. Open questions on querying and attack-resilience of CDDHT are also discussed.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Xin Xu,Yongqiang Sun,Zunguo Huang

DOI: https://doi.org/10.1007/978-3-540-71549-8_17

2007-01-01

Abstract:In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and the availability of DDoS attack tools has become more and more easy. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in the mediate network nodes or near the sources of DDoS attacks and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracies can be improved without much load on information communications among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.

Quanbing Li,Yilun Ma,Yuanming Wu

DOI: https://doi.org/10.1016/j.engappai.2023.107122

IF: 8

2023-01-01

Engineering Applications of Artificial Intelligence

Abstract:Malicious nodes launching selective forwarding attacks jeopardize network reliability in event-driven wireless sensor networks. Swift detection and exclusion of these nodes are vital, especially in harsh environments where normal nodes also suffer from decreased forwarding rates due to poor channel conditions. To solve this problem, this paper proposes a deep belief network (DBN) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) based detection scheme against selective forwarding attacks under harsh environments. The DBN algorithm extracts and analyzes behavior features of nodes, while the DBSCAN clustering algorithm effectively distinguishes between malicious and normal nodes during selective forwarding attacks. Simulation results demonstrate the scheme's effectiveness with a missed detection rate (MDR) of approximately 2% and a false detection rate (FDR) below 5% in harsh environments, providing a robust solution for ensuring the integrity and efficiency of data transmission in event-driven wireless sensor networks.

LIU Yuan,GU Xiao-qing

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.09.039

2006-01-01

Abstract:Distributed Denial of Service(DDoS) attack is among the hardest network problems.Distributed Reflection Denial of Service(DRDoS) attack develops from DDoS attack and it makes use of reflector to harm the network system more severely.One promising solution to reconstruct attack paths,Probabilistic Pipelined Packet Marking(PPPM),has proposed first by Duwairi,however it cannot work against reflector attack.In this paper,a new scheme extended PPPM is giving,which reduce the number of packets needed for a victim to reconstruct the attack paths.

Et al. Jaideep Gera

DOI: https://doi.org/10.17762/ijritcc.v11i9.9574

2023-11-05

International Journal on Recent and Innovation Trends in Computing and Communication

Abstract:In the contemporary digital world, cyber space is growing continuously witnessing amalgamation of different technologies associated with telecommunications, networking and sensing to mention few. This has enabled Service Oriented Architecture (SOA) to realize distributed applications that cater to the needs of enterprises in the real world. With the advantages of such environments, there has been increased number of instances of cyber-attacks. Distributed Denial of Service (DDoS) is the large-scale attack targeting critical digital infrastructure to make it useless for certain amount of time. Such attacks have several implications and lead to collapse of businesses unless there are countermeasures to detect it and handle it properly. Distributed Reflection Denial of Service (DRDoS) is a variant of such attacks which is more destructive in nature. It is more so in the presence of Internet of Things (IoT) devices deployed in cyber space in large scale. The existing DDoS countermeasures do not work to solve the problem of DRDoS directly. We propose an Artificial Intelligence (AI) framework for detection of DRDoS attacks. We propose an algorithm known as Machine Learning based DRDoS Attack Detection (ML-DAD) for effective detection of attacks. The prototype service built in Python monitors such attacks and take necessary steps to defeat it. The empirical results revealed that the proposed framework has superior performance improvement over the stat of the art. The research in this paper leads to new ideas in the area of detection and prevention of DRDoS attacks.

Tao Peng,Christopher Leckie,Kotagiri Ramamohanarao

2002-01-01

Abstract: In this paper, we introduce a router-based system to defendagainst Distributed Denial of Service (DDoS) attacks. DDoS attacks aretreated as a congestion-control problem. The main issue is to identify thecongestion and then pushback a packet filter to the router closest to thesource that causes congestion. Unlike previous approaches, we proposean anomaly detection scheme using source information. Since the sourceIP address is not trustable, we obtain source information by...

B. B. Gupta,R. C. Joshi,Manoj Misra

DOI: https://doi.org/10.1145/1523103.1523203

2012-04-25

Abstract:In this paper, an analytical model for DDoS attacks detection is proposed, in which propagation of abrupt traffic changes inside public domain is monitored to detect a wide range of DDoS attacks. Although, various statistical measures can be used to construct profile of the traffic normally seen in the network to identify anomalies whenever traffic goes out of profile, we have selected volume and flow measure. Consideration of varying tolerance factors make proposed detection system scalable to the varying network conditions and attack loads in real time. NS-2 network simulator on Linux platform is used as simulation testbed. Simulation results show that our proposed solution gives a drastic improvement in terms of detection rate and false positive rate. However, the mammoth volume generated by DDoS attacks pose the biggest challenge in terms of memory and computational overheads as far as monitoring and analysis of traffic at single point connecting victim is concerned. To address this problem, a distributed cooperative technique is proposed that distributes memory and computational overheads to all edge routers for detecting a wide range of DDoS attacks at early stage.

Cryptography and Security

Li Li,Huan Yang,Yuanqing Xia,Cui Zhu

DOI: https://doi.org/10.1109/TCNS.2021.3089146

IF: 4.347

2021-12-01

IEEE Transactions on Control of Network Systems

Abstract:In this article, a secure distributed filtering problem is investigated for a state-saturated system subject to random occurring nonlinearities and deception attack. To resist the hostile attack from a malicious attacker who can modify the data of the transmission module according to a certain probability, an attack detector with a dynamic threshold is designed for each sensor to decide whether to broadcast the current measurement innovation to neighbors. A distributed filtering algorithm is proposed to estimate system state, and a sufficient condition is established to guarantee mean-square boundedness of the estimation error. Moreover, a critical attack probability above which the steady-state estimation error covariance will exceed a preset value is found. In addition, a minimum attack magnitude is given to ensure that the attack signal is able to be completely detected. A numerical example is carried out to testify the validity of the proposed results.

Engineering,Computer Science

Basheer Husham Ali,Nasri Sulaiman,Syed Abdul Rahman Al-Haddad,Rodziah Atan,Siti Lailatul Mohd Hassan,Mokhalad Alghrairi

DOI: https://doi.org/10.3390/s21196453

2021-09-27

Abstract:One of the most dangerous kinds of attacks affecting computers is a distributed denial of services (DDoS) attack. The main goal of this attack is to bring the targeted machine down and make their services unavailable to legal users. This can be accomplished mainly by directing many machines to send a very large number of packets toward the specified machine to consume its resources and stop it from working. We implemented a method using Java based on entropy and sequential probabilities ratio test (ESPRT) methods to identify malicious flows and their switch interfaces that aid them in passing through. Entropy (E) is the first technique, and the sequential probabilities ratio test (SPRT) is the second technique. The entropy method alone compares its results with a certain threshold in order to make a decision. The accuracy and F-scores for entropy results thus changed when the threshold values changed. Using both entropy and SPRT removed the uncertainty associated with the entropy threshold. The false positive rate was also reduced when combining both techniques. Entropy-based detection methods divide incoming traffic into groups of traffic that have the same size. The size of these groups is determined by a parameter called window size. The Defense Advanced Research Projects Agency (DARPA) 1998, DARPA2000, and Canadian Institute for Cybersecurity (CIC-DDoS2019) databases were used to evaluate the implementation of this method. The metric of a confusion matrix was used to compare the ESPRT results with the results of other methods. The accuracy and f-scores for the DARPA 1998 dataset were 0.995 and 0.997, respectively, for the ESPRT method when the window size was set at 50 and 75 packets. The detection rate of ESPRT for the same dataset was 0.995 when the window size was set to 10 packets. The average accuracy for the DARPA 2000 dataset for ESPRT was 0.905, and the detection rate was 0.929. Finally, ESPRT was scalable to a multiple domain topology application.

Xiaoyu Guo,Zhen Dong,Chenliang Wang,Zhengtao Ding

DOI: https://doi.org/10.1109/tcns.2022.3203903

IF: 4.347

2022-01-01

IEEE Transactions on Control of Network Systems

Abstract:Networked cyberphysical systems are prone to various types of cyberattacks and disturbances. An event-based distributed estimation approach is introduced to deal with the joint influence of Denial-of-Service (DoS) and deception attacks under disturbances. A distributed event-based communication scheme is proposed to guarantee estimation performance in the presence of aperiodic DoS attacks and simultaneously reduce the data transmission burden. A novel adaptive observer is constructed to compensate for deception attacks. Moreover, a distributed disturbance observer is proposed for disturbance rejection. Sufficient conditions for the estimator design are given, which take the joint effects of DoS attacks and deception attacks into account. The proposed estimation approach is capable of attack-resilient state estimation subject to both DoS and deception attacks under disturbances and precludes Zeno phenomenon. Finally, a simulation example on an IEEE four-bus power grid demonstrates the feasibility and effectiveness of the proposed approach.

Peng Xiao,Zhiyang Li,Heng Qi,Wenyu Qu,Haisheng Yu

DOI: https://doi.org/10.1109/trustcom.2016.0038

2016-01-01

Abstract:Distributed Denial of Service (DDoS) attacks are becoming one of the major threats in the distributed data center networks which are loosely connected. Recent work has found new ways to attack network link instead of network servers. However, existing methods have limitations when detecting the link attacks, particularly in data store. To address this issue, in this paper, we propose an attack detection system that can deal with the link flooding attacks. Our method is based on Bloom Filter and Software-Defined Networking (SDN). We propose a real-time link attack detection system and define a two-module detection framework to detect the attacks. Then we apply our strategy in SDN. Extensive experiments on different settings have been performed, showing that our method is good at detecting the link flooding attack with high detection rates and low overhead.