Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

LUO Hua,HU Guang-min,YAO Xing-miao

2007-01-01

Journal of Computer Applications

Abstract:Due to the invisibility and distributivity characteristics of Distributed Denial of Service (DDoS) attack, a new DDoS detection method based on global network was presented in this paper. Our method detects DDoS by analyzing OD traffic matrix, whereas the traditional methods detect it on single link or victim network. This method was carried out as follows: First, we need to get network traffic matrix in order to obtain the correlation character of attack traffic among multiple links. Then, traffic matrix was divided into normal space and abnormal space by K-L transformation. Finally, the correlation of abnormal space was achieved to detect DDoS attack. The simulation result shows that this proposed method is more accurate and faster than traditional methods. It is in favor of earlier detection of DDoS attack.

Peng Xiao,Wenyu Qu,Heng Qi,Zhiyang Li

DOI: https://doi.org/10.1016/j.comcom.2015.06.012

IF: 5.047

2015-01-01

Computer Communications

Abstract:Distributed denial-of-service (DDoS) attacks pose a great threat to the data center, and many defense mechanisms have been proposed to detect it. On one hand, many services deployed in data center can easily lead to corresponding DDoS attacks. On the other hand, attackers constantly modify their tools to bypass these existing mechanisms, and researchers in turn modify their approaches to handle new attacks. Thus, the DDoS against data center is becoming more and more complex. In this paper, we first analyze the correlation information of flows in data center. Second, we present an effective detection approach based on CKNN (K-nearest neighbors traffic classification with correlation analysis) to detect DDoS attacks. The approach exploits correlation information of training data to improve the classification accuracy and reduce the overhead caused by the density of training data. Aiming at solving the huge cost, we also present a grid-based method named r-polling method for reducing training data involved in the calculation. Finally, we evaluate our approach with the Internet traffic and data center traffic trace. Compared with the traditional methods, our approach is good at detecting abnormal traffic with high efficiency, low cost and wide detection range.

Qiang Liu,Jian-ping Yin,Zhi-ping Cai,Ming Zhu

DOI: https://doi.org/10.1109/NSS.2010.52

2010-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of main threats to Internet security. Due to the spatio-temporal properties of the attack, it is possible to detect the attack at its early stage. In this paper, we propose a novel method of DDoS threat assessment based on network vulnerability analysis. Both the multi-phase character in the temporal dimension and the impacts in the spatial dimension are concerned in our method. We use three metrics to assess threat, namely the ratio of progress, botnet size, and bots distribution. Experimental results show that our method is sensitive to the changes of attack states, and is easy to be implemented in an early warning system because of its simplicity.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Theerasak Thapngam,Shui Yu,Wanlei Zhou,S. Kami Makki

DOI: https://doi.org/10.1007/s12083-012-0173-3

2012-10-25

Abstract:In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

computer science, information systems,telecommunications

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Luo Hua,Guang-Min Hu,Xing-Miao Yao

DOI: https://doi.org/10.1109/icccas.2007.6251606

2007-01-01

Abstract:Due to the complicated and distributed characters of DDoS attack, a novel detection DDoS method based on global network is presented in this paper. Our method detects DDoS by analyzing network-wide traffic, whereas the traditional methods detect it on single link or victim network, they can only detect the DDoS which show large scope. Our method was carried out as follows: First, we get network traffic matrix. Then we diagnose DDoS in time domain and frequency domain by K-L transformation and computing correlation coefficient. K-L divides time domain and frequency domain sequence into normal space and abnormal space and then we compute the abnormal space's correlation coefficient. Finally, we set threshold to detect DDoS attack. The simulation result shows that some DDoS could be detected in time domain but others could only be detected in frequency domain. This method is more accurate and faster than traditional ones. It is well suited for detecting earlier DDoS attack.

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

李宗林,胡光岷,杨丹,姚兴苗

DOI: https://doi.org/10.1109/iscc.2008.4625614

2009-01-01

Journal of Computer Applications

Abstract:Distributed detection mechanism of DDoS (distributed denial of service) attack is often achieved by the corporation between many detection nodes, its final detection result largely depends on the judgements of local nodes. While DDoS attack flows are distributed enough in many links, itpsilas hard to derive exact judgement for every node only by the information collecting from local, consequently impact the performance of whole detection system. Despite DDoS attack could be unaware in local, the inherent dependency among attack flows transiting in many links do exists. This paper proposes an abnormal correlation analysis method from a global perspective for DDoS attack detection deploying in the backbone network, via extracting anomalous space from network-wide traffic, analyzing the correlation across them, revealing attacks through the change of correlation. Analyzing the network-wide traffic simultaneously helps to discover attacks indistinctive in single node; moreover, utilizing the correlation between attacks, rather than the volume of attack purely, makes our method can overcome the difficulties in detecting relatively small attacks comparing to the tremendous traffic in backbone network. Simulations demonstrate that our method has benefit of detecting DDoS attacks while they are small in single link and is superior to other methods proposed in present literatures.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

LI Mu-hai,LI Ming,WU Xin-xing,LI Xu-hong

DOI: https://doi.org/10.3969/j.issn.1002-137X.2009.01.073

2009-01-01

Computer Science

Abstract:This paper presented a run-time model that can efficiently detect network attacks.The model resolves the problem that classic method can’t distinguish anomalies from attacks.Combining the characteristics of normal traffic,an efficient measure and algorithm which can detect DDoS attacks were given.The algorithm not only has simple structure,high speed to meet the needs of real-time detection,but also can take full advantage of known information,and has more strong anti-jamming capability.The actual test results indicate that this model can be used to achieve real-time detection of DDoS attacks.

Jiahui Jiao,Benjun Ye,Yue Zhao,Rebecca J. Stones,Gang Wang,Xiaoguang Liu,Shaoyan Wang,Guangjun Xie

DOI: https://doi.org/10.1109/srds.2017.37

2017-01-01

Abstract:Cloud computing data centers have become one of the most important infrastructures in the big-data era. When considering the security of data centers, distributed denial of service (DDoS) attacks are one of the most serious problems. Here we consider DDoS attacks leveraging TCP traffic, which are increasingly rampant but are difficult to detect. To detect DDoS attacks, we identify two attack modes: fixed source IP attacks (FSIA) and random source IP attacks (RSIA), based on the source IP address used by attackers. We also propose a real-time TCP-based DDoS detection approach, which extracts effective features of TCP traffic and distinguishes malicious traffic from normal traffic by two decision tree classifiers. We evaluate the proposed approach using a simulated dataset and real datasets, including the ISCX IDS dataset, the CAIDA DDoS Attack 2007 dataset, and a Baidu Cloud Computing Platform dataset. Experimental results show that the proposed approach can achieve attack detection rate higher than 99% with a false alarm rate less than 1%. This approach will be deployed to the victim-end DDoS defense system in Baidu cloud computing data center.

Cheng Huang,Ping Yi,Futai Zou,Yao,Wei Wang,Ting Zhu

DOI: https://doi.org/10.1155/2019/6705347

2019-01-01

Wireless Communications and Mobile Computing

Abstract:This study presents a new method for detecting Shrew DDoS (Distributed Denial of Service) attacks and analyzes the characteristics of the Shrew DDoS attack. Shrew DDoS is periodic to be suitable for the server’s TCP (Transmission Control Protocol) timer. It has lower maximum to bypass peak detection. This periodicity makes it distinguishable from normal data packets. By proposing the CCID (Cross-Correlation Identity Distinction) method to distinguish the flow properties, it quantifies the difference between a normal flow and an attack flow. Simultaneously, we calculated the cross-correlation between the attack flow and the normal flow in three different situations. The server can use its own TCP flow timer to construct a periodic attack flow. The cross-correlation between Gaussian white noise and simulated attack flow is less than 0.3. The cross-correlation between single-door function and simulated attack flow is 0.28. The cross-correlation between actual attack flow and simulated attack flow is more than 0.8. This shows that we can quantitatively distinguish the attack effects of different signals. By testing 4 million data, we can prove that it has a certain effect in practice.