Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

LUO Hua,HU Guang-min,YAO Xing-miao

2007-01-01

Journal of Computer Applications

Abstract:Due to the invisibility and distributivity characteristics of Distributed Denial of Service (DDoS) attack, a new DDoS detection method based on global network was presented in this paper. Our method detects DDoS by analyzing OD traffic matrix, whereas the traditional methods detect it on single link or victim network. This method was carried out as follows: First, we need to get network traffic matrix in order to obtain the correlation character of attack traffic among multiple links. Then, traffic matrix was divided into normal space and abnormal space by K-L transformation. Finally, the correlation of abnormal space was achieved to detect DDoS attack. The simulation result shows that this proposed method is more accurate and faster than traditional methods. It is in favor of earlier detection of DDoS attack.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

李宗林,胡光岷,杨丹,姚兴苗

DOI: https://doi.org/10.1109/iscc.2008.4625614

2009-01-01

Journal of Computer Applications

Abstract:Distributed detection mechanism of DDoS (distributed denial of service) attack is often achieved by the corporation between many detection nodes, its final detection result largely depends on the judgements of local nodes. While DDoS attack flows are distributed enough in many links, itpsilas hard to derive exact judgement for every node only by the information collecting from local, consequently impact the performance of whole detection system. Despite DDoS attack could be unaware in local, the inherent dependency among attack flows transiting in many links do exists. This paper proposes an abnormal correlation analysis method from a global perspective for DDoS attack detection deploying in the backbone network, via extracting anomalous space from network-wide traffic, analyzing the correlation across them, revealing attacks through the change of correlation. Analyzing the network-wide traffic simultaneously helps to discover attacks indistinctive in single node; moreover, utilizing the correlation between attacks, rather than the volume of attack purely, makes our method can overcome the difficulties in detecting relatively small attacks comparing to the tremendous traffic in backbone network. Simulations demonstrate that our method has benefit of detecting DDoS attacks while they are small in single link and is superior to other methods proposed in present literatures.

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

孙钦东,张德运,郑卫斌,胡国栋

DOI: https://doi.org/10.3321/j.issn:0253-987X.2004.12.010

2004-01-01

Abstract:Based on the analysis of distributed denial of service (DDoS) attacks, the flow connection density (FCD) is defined and the characteristic of non-stationary of FCD time series is proved. A new method to detect DDoS attacks is proposed based on the time-frequency analysis of FCD. The proposed method detects DDoS attacks by transforming the time series of FCD with smooth Winger-Ville distribution, to obtain the energy distribution of the time series in two-dimensional space and suppress the effect of the quadratic cross term, and then identifying DDoS by using the K-nearest neighbor classifier trained by samples. The experimental results show that the developed approach can detect DDoS attacks correctly, and identification errors mainly present to the switching stage of the network with little influence on the identification of DDoS attacks. Compared with the theoretic value, the identification error ratio is only 4.26%.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Qian Xie,Zheng Huang,Jie Guo,Weidong Qiu

DOI: https://doi.org/10.1007/978-3-030-62223-7_13

2020-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks disrupts the availability of essential services, which are one of the most harmful threats in today’s Internet. Many DDoS detection algorithms based on machine learning technology have emerged in recent years, for example, the LUCID algorithm, GNN model. But considering that DDoS attacks are based on both time and space, these algorithms only considered time and ignored space. Besides, by piece network traffic data is often difficult to obtain. The model we used in this paper is based on the Spatio-Temporal Graph Convolutional Network (STGCN) proposed by Yu B. et al. And on this basis, the model is improved for the unique characteristics of DDoS attacks. By considering the time-dependence of the network topology and network traffic, this model has a good recognition rate on the online DDoS data set, and can achieve detection of DDoS attacks under the premise of using only two-way traffic information.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

GU Xiaoqing,WANG Hongyuan,NI Tongguang,DING Hui

DOI: https://doi.org/10.3724/sp.j.1087.2013.02228

2013-01-01

Journal of Computer Applications

Abstract:According to the difference between normal users' visiting patterns and abnormal ones,a new method to detect application-layer Distributed Denial of Service(DDoS) attack was proposed based on IP Service Request Entropy(SRE) time series.By approximating the Adaptive AutoRegressive(AAR) model,the SRE time series was transformed into a multidimensional vector series regarded as a description of current users' visiting patterns.Furthermore,a Support Vector Machine(SVM) classifier was applied to classify vector series and identify the attacks.The simulation results show that this approach not only can distinguish between normal traffic and DDoS attack traffic,but also is suitable to detect DDoS attack against the large scale network traffic,which does not arouse the sharp changes of the network traffic.

Wu Qing-tao,Shao Zhi-qing

DOI: https://doi.org/10.1007/bf02831726

2006-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to the availability of Web service. The inherent presence of self-similarity in Web traffic motivates the applicability of time series analysis in the study of the burst feature of DDoS attack. This paper presents a method of detecting DDoS attacks against Web server by analyzing the abrupt change of time series data obtained from Web traffic. Time series data are specified in reference sliding window and test sliding window, and the abrupt change is modeled using Auto-Regressive (AR) process. By comparing two adjacent non-overlapping windows of the time series, the attack traffic could be detected at a time point. Combined with alarm correlation and location correlation, not only the presence of DDoS attack, but also its occurring time and location can be determined. The experimental results in a test environment are illustrated to justify our method.

Peng Xiao,Wenyu Qu,Heng Qi,Zhiyang Li

DOI: https://doi.org/10.1016/j.comcom.2015.06.012

IF: 5.047

2015-01-01

Computer Communications

Abstract:Distributed denial-of-service (DDoS) attacks pose a great threat to the data center, and many defense mechanisms have been proposed to detect it. On one hand, many services deployed in data center can easily lead to corresponding DDoS attacks. On the other hand, attackers constantly modify their tools to bypass these existing mechanisms, and researchers in turn modify their approaches to handle new attacks. Thus, the DDoS against data center is becoming more and more complex. In this paper, we first analyze the correlation information of flows in data center. Second, we present an effective detection approach based on CKNN (K-nearest neighbors traffic classification with correlation analysis) to detect DDoS attacks. The approach exploits correlation information of training data to improve the classification accuracy and reduce the overhead caused by the density of training data. Aiming at solving the huge cost, we also present a grid-based method named r-polling method for reducing training data involved in the calculation. Finally, we evaluate our approach with the Internet traffic and data center traffic trace. Compared with the traditional methods, our approach is good at detecting abnormal traffic with high efficiency, low cost and wide detection range.

Kun Ding,Lin Liu,Yun Liu

DOI: https://doi.org/10.1007/978-94-007-7262-5_100

2013-01-01

Abstract:Low-rate Denial of Service (LDoS) attack is a new type of Denial of Service attack, which is difficult for the router and victim site to detect because the attack packets are as many as the valid packets. In consideration of the fact that the features in time domain between attack traffic and valid traffic are different, we present a method to identify such kind of attack and try to trace the potential location of the attacker. We also carry out a simulation to illustrate the usability of this method.

JianQi Zhu,Feng Fu,KeXin Yin,Haizhen Li,Yanheng Liu

2013-01-01

Journal of Computational Information Systems

Abstract:This paper presents a novel network-wide PCA based detecting method (WPCAD) for detecting the increasing serious Distributed Denial-of-Service (DDoS) attack. Due to the correlation changes of traffic caused by DDoS attack, we construct a model of origin-destination (OD) traffic input matrix from the point of network-wide and analyze the correlations of multiple links with the same destination. We validate our method by applying it to real network traffic with well known and identified anomalies. The experiment shows that the presented method is effective in detecting DDoS attack and has a higher detection rate compared to the current abnormal traffic attacking detection methods. Copyright © 2013 Binary Information Press.

Xinqian Liu,Jiadong Ren,Haitao He,Qian Wang,Chen Song

DOI: https://doi.org/10.1016/j.cose.2020.102107

2021-01-01

Abstract:<p>Distributed denial of service (DDoS) attacks have been a typical and extremely destructive threat to the Internet. DDoS attack detections suffer from the nonnegligible high complexity of massive traffic flow storage in the high-speed network. Besides, hidden low-rate DDoS (LDDoS) attacks evade the existing detection methods due to the similarity between LDDoS attack traffic and normal traffic. Focusing on these problems, this paper proposes a new <strong>l</strong>ow-rate <strong>D</strong>DoS attack <strong>d</strong>etection <strong>m</strong>ethod (LDDM) by designing the multidimensional sketch structure and novel measurement methods on network flows. First, the multidimensional sketch structure is designed to aggregate and compress network flows, which contributes to reduce the cost of data storage and enhance detection performance. Then, the improved behavior divergence measurement method based on daub 4 wavelet transform is proposed to calculate the energy percentage of each sketch divergence. This method obtains effective results in distinguishing the normal traffic and attack traffic. Furthermore, a modified weighted exponential moving average method is designed to construct the dynamic threshold of normal network. Meanwhile, a traffic freezing mechanism is proposed to ensure the standardization of the dynamic threshold. Finally, the effectiveness of the LDDM is evaluated using several real low-rate DDoS attack datasets. The comparisons with other methods illustrate our method has a lower false positive rate and false negative rate, as well as higher accuracy in the detection of stealthy low-rate DDoS attacks.</p>

computer science, information systems

严芬,陈轶群,黄皓,殷新春

DOI: https://doi.org/10.3321/j.issn:1000-436x.2008.06.020

2008-01-01

Abstract:An effective DDoS attack detection method on target-end network was proposed.The main goal was to detect attack in early stages with few expenditure,and record the suspicious packets in the same time.For DDoS attacks which based on TCP,many unacknowledged segments will be observed in victim end.In every time period ? t,calculated the ratio of the number of unacknowledged segments and the number of all segments.Then,the statistical sequence based on time came into being.After that,an improved non-parameter recursive CUSUM algorithm was used to detect attack effi-ciently on line.In this procedure,the suspicious packets were also recorded.Experiments prove that this algorithm is fast and efficient.It has low false-positive rate and could adapt to more complex network environments.In addition,it is helpful to attack analysis and tracing.

Xia, Zhengmin,Lu, Songnian,Li, Jianhua

DOI: https://doi.org/10.1109/WiCOM.2012.6478475

2012-01-01

Abstract:Distributed denial-of-service (DDoS) flood attack is one of the most popular techniques taken by the hackers to threaten the availability and stability of the Internet. To ensure network usability and reliability, accurate detection of this kind of attack is critical. In this paper, we propose a statistical DDoS flood attack detection method by passively monitoring the abrupt change of network traffic fractal parameters: fractal dimension D and Hurst parameter H. Specifically, we use an autoregressive system to estimate the parameters D and H of normal traffic which are slow changing. If the actual parameters D and H vary significantly from the estimation ones, we assume DDoS flood attack happens. Meanwhile, we propose a maximum likelihood estimate-based detection method to determine the change point of parameters D and H that indicate the occurrence of DDoS flood attack. The test results based on the DARPA intrusion detection evaluation data sets show that both the parameters D and H can indicate the DDoS flood attack effectively. © 2012 IEEE.