Yanan Zhang,Jingru Xing,Yaozong Xu,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/978-981-97-5606-3_22

2024-01-01

Abstract:Named Data Networking (NDN) is one of the potential Future Internet Architectures, shifting from the traditional host-centric architecture to a data-centric one. Collusion Interest Flooding Attacks (CIFAs) is a new type of attack that intermittently sending malicious Interests to overwhelm the Pending Interest Table (PIT). Collusive producers working with the attackers respond to these malicious Interest packets just before they expire in the PIT, thereby disguising their attacks as legitimate, which makes detection methods against Interest Flooding Attacks (IFAs) unable to identify CIFAs. This paper proposes the DM-CIFA scheme, which aggregates decision tree and K-means algorithm for effective detection and mitigation of CIFAs. Firstly, a decision tree is trained to monitor the number of entries in the PIT, and the throughput of Interest and Data packets of the router for attack detection. Then the malicious prefix identification algorithm, based on the K-means algorithm, is activated after an attack is detected. Additionally, the bottleneck router mitigating CIFAs by informing the next hop router with a signed Interest packet (SIP) that carry the malicious prefixes to pinpoint attackers and reject forwarding malicious Interests. The simulation results demonstrate the proposed DM-CIFA has high sensitivity towards CIFAs and the capability to effectively mitigate the attack's effects on the NDN.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Na Xing,Shuai Zhao,Yuehai Wang,Keqing Ning,Xiufeng Liu

DOI: https://doi.org/10.14569/ijacsa.2023.0140743

2023-01-01

Abstract:recent years, deep learning-based network intrusion detection systems (IDS) have shown impressive results in detecting attacks. However, most existing IDS can only recognize known attacks that were included in their training data. When faced with unknown attacks, these systems are often unable to take appropriate actions and incorrectly classify them into known categories, leading to reduced detection performance. Furthermore, as the number and types of network attacks continue to increase, it becomes challenging for these IDS to update their model parameters promptly and adapt to new attack scenarios. To address these issues, this paper introduces a dynamic intrusion detection system, Dynamic Unknown Attack Intrusion Detection System (DUA-IDS). This system aims to learn and detect unknown attacks effectively. DUA-IDS comprises three components: Feature Extractor: This component employs CNN and Transformer models to extract data features from various perspectives. Threshold-Based Classifier: The second part utilizes the nearest mean rule of samples to classify known and unknown attacks, enabling the distinction between them. Dynamic Learning Module: The third part incorporates data playback and knowledge distillation techniques to retain existing category knowledge while continuously learning new attack categories. To assess the effectiveness of DUA-IDS, this paper conducted experiments using the UNSW-NB15 public dataset. The experimental results show that DUA-IDS improves the classification accuracy of flow network data with unknown traffic attacks. Can accurately distinguish unknown traffic and correctly classify known traffic. When dynamically learning unknown traffic, the classification accuracy of previously learned known traffic is less affected. This indicates the advantages of DUA-IDS in detecting unknown attacks and learning new attack categories.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Lu Zhou,Ye Zhu,Tianrui Zong,Yong Xiang

DOI: https://doi.org/10.1016/j.future.2022.02.006

IF: 7.307

2022-07-01

Future Generation Computer Systems

Abstract:Distributed Denial of Service (DDoS) attacks still be a great threat to the availability of online servers. To defend against attacks, the challenge is not only detecting DDoS attacks as they occur but also identifying, and thus blocking the attack flows. However, existing classification methods cannot accurately and efficiently differentiate between attack flows and benign flows. In this paper, we propose a DDoS attack flow classification system, named SAFE, to accurately and quickly identify attack flows in network layer. First, SAFE chooses the optimal features by removing the redundant features and selecting the most informative features. Second, a threshold tuning method is proposed to identify the best threshold for each feature. Finally, an aggregated feature-based linear classifier is proposed to weight the selected features for classification. Since the proposed method monitors the flows in network layer, it can detect the traditional DDoS attack flows as well as the attack flows launched by Internet of Thing (IoT) devices. Comprehensive experiments are carried out on one IoT and two sophisticated DDoS attacks to evaluate the classification performance of the proposed method. The comparison results show that SAFE can achieve better classification performance than the state-of-the-art methods in terms of classification accuracy and efficiency.

Raja Giryes,Lior Shafir,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.2405.07232

2024-05-12

Abstract:Distributed Denial of Service (DDoS) attacks are getting increasingly harmful to the Internet, showing no signs of slowing down. Developing an accurate detection mechanism to thwart DDoS attacks is still a big challenge due to the rich variety of these attacks and the emergence of new attack vectors. In this paper, we propose a new tree-based DDoS detection approach that operates on a flow as a stream structure, rather than the traditional fixed-size record structure containing aggregated flow statistics. Although aggregated flow records have gained popularity over the past decade, providing an effective means for flow-based intrusion detection by inspecting only a fraction of the total traffic volume, they are inherently constrained. Their detection precision is limited not only by the lack of packet payloads, but also by their structure, which is unable to model fine-grained inter-packet relations, such as packet order and temporal relations. Additionally, inferring aggregated flow statistics must wait for the complete flow to end. Here we show that considering flow inputs as variable-length streams composed of their associated packet headers, allows for very accurate and fast detection of malicious flows. We evaluate our proposed strategy on the CICDDoS2019 and CICIDS2017 datasets, which contain a comprehensive variety of DDoS attacks. Our approach matches or exceeds existing machine learning techniques' accuracy, including state-of-the-art deep learning methods. Furthermore, our method achieves significantly earlier detection, e.g., with CICDDoS2019 detection based on the first 2 packets, which corresponds to an average time-saving of 99.79% and uses only 4--6% of the traffic volume.

Cryptography and Security

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3934/mbe.2024185

2024-01-01

Mathematical Biosciences and Engineering

Abstract:Low rate distributed denial of service attack (LR-DDoS) is a special type of distributed denial of service (DDoS) attack, which uses the vulnerability of HTTP protocol to send HTTP requests to applications or servers at a slow speed, resulting in long-term occupation of server threads and affecting the normal access of legitimate users. Since LR-DDoS attacks do not need to send flooding or a large number of HTTP requests, it is difficult for traditional intrusion detection methods to detect such attacks, especially when HTTP traffic is encrypted. To overcome the above problems, we proposed an encrypted LR-DDoS attack detection and mitigation method based on the multi-granularity feature fusion (MFFLR-DDoS) for software defined networking (SDN). This method analyzes the encrypted session flow from the time sequence of packets and the spatiality of session flow and uses different deep learning methods to extract features, to obtain more effective features for abnormal traffic detection. In addition, we used the advantages of SDN architecture to perform real-time defense against LR-DDoS attacks by the way of SDN controller issuing flow rules. The experimental results showed that the MFFLR-DDoS model had a higher detection rate than advanced methods, and could mitigate LR-DDoS attack traffic online and in real-time.

mathematical & computational biology

CHEN Shiwen,WU Jiangxing,HUANG Wanwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.1302-0182

2013-01-01

Abstract:The traditional detection methods for DDoS attacks have low accuracy and high false alarms rate because those means are only based on one of such flow features as burst feature,dispersed source IP address,asymmetry flow and etc.This paper uses conditional random field to integrate many pattern match rules for DDoS attack detection.The feature vector includes one way connection density,source IP entropy,destination IP entropy,destination port entropy and protocol entropy.The simulation results show that the proposed method outperforms other well-known methods such as na ve Bayes and SVM.The detection accuracy rate reaches 99.82% and the false alarm rate is less than 0.6%.The method is robustness under strong interference traffic noise.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Haibin Li,Yi Zhao,Wenbing Yao,Ke Xu,Qi Li

DOI: https://doi.org/10.1007/s11432-021-3545-0

2023-01-01

Science China Information Sciences

Abstract:Distributed denial of service (DDoS) detection is still an open and challenging problem. In particular, sophisticated attacks, e.g., attacks that disguise attack packets as benign traffic always appear, which can easily evade traditional signature-based methods. Due to the low requirements for computing resources compared to deep learning, many machine learning (ML)-based methods have been realistically deployed to address this issue. However, most existing ML-based DDoS detection methods are highly dependent on the features extracted from each flow, which incur remarkable detection delay and computation overhead. This article investigates the limitations of typical ML-based DDoS detection methods caused by the extraction of flow-level features. Moreover, we develop a cost-efficient window-based method that extracts features from a fixed number of packets periodically, instead of per flow, aiming to reduce the detection delay and computation overhead. The newly proposed window-based method has the advantages of well-controlled overhead and wide support of common routers due to its simplicity and high efficiency by design. Through extensive experiments on real datasets, we evaluate the performance of flow-based and window-based methods. The experimental results demonstrate that our proposed window-based method can significantly reduce the detection delay and computation overhead while ensuring detection accuracy.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Dawei Wang,Longtao He,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CCIS.2012.6664254

2012-01-01

Abstract:DoS is still one of the most serious attacks on the Internet. Payload-based approaches are effective to known DOS attacks but are unable to be deployed on high-speed networks. To address this issue, flow-based DOS detection schemes have been proposed for highspeed networks as an effective supplement of payload-based solutions. However, existing flow-based solutions have serious limitations in detecting unknown attacks and efficiently identifying real attack flows buried in the background traffic. In addition, existing solutions also have difficulty to adapt to attack dynamics. To address these issues, this paper proposes a flow-based DOS detection scheme based on Artificial Immune systems. We adopt a tree structure to store flow information such that we can effectively extract useful features from flow information for better detecting DoS attacks. We employ Neighborhood Negative Selection (NNS) as the detection algorithm to detect unknown DoS attacks, and identify attack flows from massive traffic. Because the strong tolerance of NNS, the proposed solution is able to quickly adapt attack dynamics. The experimental results show that this solution is able to effectively detect unknown DoS attack flows and identify attack flows from background traffic. Meanwhile, the theoretical analysis demonstrates that this system can extract flow features more effectively.

Li Yijie,Zhai Shang,Chen Mingrui

DOI: https://doi.org/10.48550/arXiv.1903.07889

2019-03-19

Abstract:Distributed Denial of Service (DDOS) attack is one of the most common network attacks. DDoS attacks are becoming more and more diverse, which makes it difficult for some DDoS attack detection methods based on single network flow characteristics to detect various types of DDoS attacks, while the detection methods of multi-feature DDoS attacks have a certain lag due to the complexity of the algorithm. Therefore, it is necessary and urgent to monitor the trend of traffic change and identify DDoS attacks timely and accurately. In this paper, a method of DDoS attack detection based on deep belief network feature extraction and LSTM model is proposed. This method uses deep belief network to extract the features of IP packets, and identifies DDoS attacks based on LSTM model. This scheme is suitable for DDoS attack detection technology. The model can accurately predict the trend of normal network traffic, identify the anomalies caused by DDoS attacks, and apply to solve more detection methods about DDoS attacks in the future.

Cryptography and Security

Chenyang Qiu,Yingsheng Geng,Junrui Lu,Kaida Chen,Shitong Zhu,Ya Su,Guoshun Nan,Can Zhang,Junsong Fu,Qimei Cui,Xiaofeng Tao

DOI: https://doi.org/10.1145/3580305.3599238

2023-07-02

Abstract:Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS by a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Social and Information Networks

Xiangyan Tang,Yiyang Zhang,Jieren Cheng,Jinying Xu,Hui Li

DOI: https://doi.org/10.1007/978-3-030-37352-8_5

2019-01-01

Abstract:The existing DDOS detection methods have the problems of single acquisition node and low detection rate. A multi-source DDOS information fusion model (HRM) based on hierarchical representation learning network and a FlowMerge algorithm based on three network flow merging modes are proposed. Firstly, the network traffic is transformed into triples, and the dimensionality reduction of Tsne algorithm is used to transform it into network IP topology structure graph. Then, the network flow is merged by FlowMerge algorithm, which is decomposed into a series of smaller and approximate coarse-grained topology structure graphs. Then, the features are embedded into more fine-grained graphs iteratively, and the HRM model is established. The experimental results show that the model can better reflect the temporal and spatial characteristics of network traffic, improve the detection accuracy, and have better robustness.