Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Luo Hua,Guang-Min Hu,Xing-Miao Yao

DOI: https://doi.org/10.1109/icccas.2007.6251606

2007-01-01

Abstract:Due to the complicated and distributed characters of DDoS attack, a novel detection DDoS method based on global network is presented in this paper. Our method detects DDoS by analyzing network-wide traffic, whereas the traditional methods detect it on single link or victim network, they can only detect the DDoS which show large scope. Our method was carried out as follows: First, we get network traffic matrix. Then we diagnose DDoS in time domain and frequency domain by K-L transformation and computing correlation coefficient. K-L divides time domain and frequency domain sequence into normal space and abnormal space and then we compute the abnormal space's correlation coefficient. Finally, we set threshold to detect DDoS attack. The simulation result shows that some DDoS could be detected in time domain but others could only be detected in frequency domain. This method is more accurate and faster than traditional ones. It is well suited for detecting earlier DDoS attack.

李宗林,胡光岷,杨丹,姚兴苗

DOI: https://doi.org/10.1109/iscc.2008.4625614

2009-01-01

Journal of Computer Applications

Abstract:Distributed detection mechanism of DDoS (distributed denial of service) attack is often achieved by the corporation between many detection nodes, its final detection result largely depends on the judgements of local nodes. While DDoS attack flows are distributed enough in many links, itpsilas hard to derive exact judgement for every node only by the information collecting from local, consequently impact the performance of whole detection system. Despite DDoS attack could be unaware in local, the inherent dependency among attack flows transiting in many links do exists. This paper proposes an abnormal correlation analysis method from a global perspective for DDoS attack detection deploying in the backbone network, via extracting anomalous space from network-wide traffic, analyzing the correlation across them, revealing attacks through the change of correlation. Analyzing the network-wide traffic simultaneously helps to discover attacks indistinctive in single node; moreover, utilizing the correlation between attacks, rather than the volume of attack purely, makes our method can overcome the difficulties in detecting relatively small attacks comparing to the tremendous traffic in backbone network. Simulations demonstrate that our method has benefit of detecting DDoS attacks while they are small in single link and is superior to other methods proposed in present literatures.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

JianQi Zhu,Feng Fu,KeXin Yin,Haizhen Li,Yanheng Liu

2013-01-01

Journal of Computational Information Systems

Abstract:This paper presents a novel network-wide PCA based detecting method (WPCAD) for detecting the increasing serious Distributed Denial-of-Service (DDoS) attack. Due to the correlation changes of traffic caused by DDoS attack, we construct a model of origin-destination (OD) traffic input matrix from the point of network-wide and analyze the correlations of multiple links with the same destination. We validate our method by applying it to real network traffic with well known and identified anomalies. The experiment shows that the presented method is effective in detecting DDoS attack and has a higher detection rate compared to the current abnormal traffic attacking detection methods. Copyright © 2013 Binary Information Press.

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Theerasak Thapngam,Shui Yu,Wanlei Zhou,S. Kami Makki

DOI: https://doi.org/10.1007/s12083-012-0173-3

2012-10-25

Abstract:In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

computer science, information systems,telecommunications

Peng Xiao,Wenyu Qu,Heng Qi,Zhiyang Li

DOI: https://doi.org/10.1016/j.comcom.2015.06.012

IF: 5.047

2015-01-01

Computer Communications

Abstract:Distributed denial-of-service (DDoS) attacks pose a great threat to the data center, and many defense mechanisms have been proposed to detect it. On one hand, many services deployed in data center can easily lead to corresponding DDoS attacks. On the other hand, attackers constantly modify their tools to bypass these existing mechanisms, and researchers in turn modify their approaches to handle new attacks. Thus, the DDoS against data center is becoming more and more complex. In this paper, we first analyze the correlation information of flows in data center. Second, we present an effective detection approach based on CKNN (K-nearest neighbors traffic classification with correlation analysis) to detect DDoS attacks. The approach exploits correlation information of training data to improve the classification accuracy and reduce the overhead caused by the density of training data. Aiming at solving the huge cost, we also present a grid-based method named r-polling method for reducing training data involved in the calculation. Finally, we evaluate our approach with the Internet traffic and data center traffic trace. Compared with the traditional methods, our approach is good at detecting abnormal traffic with high efficiency, low cost and wide detection range.

Qian-yi Dai,Bin Zhang,Shu-qin Dong

DOI: https://doi.org/10.1155/2022/5692820

IF: 1.968

2022-05-05

Security and Communication Networks

Abstract:By nature, a traditional attack method, denial-of-service (DDoS) attack poses a considerable threat to the security of the blockchain network layer. This paper proposes a distributed DDoS-attack traffic detection method based on a cross multilayer convolutional neural network model in the blockchain network layer. The method resolves the low generalisation, high misreporting rate, and low detection efficiency problems of the existing detection methods, which are caused by nondistinctive core features and the high complexity of robust features when detecting DDoS attacks transmitted by mixed protocols on a blockchain network layer. First, the model performs a convolution operation on preprocessed traffic on the blockchain network layer using a cross-layer method based on L2 regularisation. After this operation, the model can perceive the detailed features of attack traffic from multiple levels while enhancing the representational performance of key features; specifically, the parameters with high-variance terms are penalised to limit changes in the model's weight parameters. The highly robust abstract features of attack traffic are extracted, thereby increasing the generalisation ability and reducing the misreporting rate of the model. Second, parametric encoding of the abstract features is performed by a stacked sparse autoencoder based on Kullback–Leibler divergence, and the sparsity of the model is adjusted to reduce the redundant data and the coupling between abstract features. The outputs of the encoded features are then effectively categorised. Finally, the global optimisation of parameters is performed by an improved random gradient-descent algorithm, which prevents oscillation of the training parameters and accelerates the model convergence. In an experimental evaluation, the proposed method achieved satisfactory binary- and multiclass detection of DDoS-attack traffic on both CSE-CIC-IDS 2018 on the AWS dataset and on the real mixed data of a blockchain network layer.

computer science, information systems,telecommunications

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Xinqian Liu,Jiadong Ren,Haitao He,Qian Wang,Chen Song

DOI: https://doi.org/10.1016/j.cose.2020.102107

2021-01-01

Abstract:<p>Distributed denial of service (DDoS) attacks have been a typical and extremely destructive threat to the Internet. DDoS attack detections suffer from the nonnegligible high complexity of massive traffic flow storage in the high-speed network. Besides, hidden low-rate DDoS (LDDoS) attacks evade the existing detection methods due to the similarity between LDDoS attack traffic and normal traffic. Focusing on these problems, this paper proposes a new <strong>l</strong>ow-rate <strong>D</strong>DoS attack <strong>d</strong>etection <strong>m</strong>ethod (LDDM) by designing the multidimensional sketch structure and novel measurement methods on network flows. First, the multidimensional sketch structure is designed to aggregate and compress network flows, which contributes to reduce the cost of data storage and enhance detection performance. Then, the improved behavior divergence measurement method based on daub 4 wavelet transform is proposed to calculate the energy percentage of each sketch divergence. This method obtains effective results in distinguishing the normal traffic and attack traffic. Furthermore, a modified weighted exponential moving average method is designed to construct the dynamic threshold of normal network. Meanwhile, a traffic freezing mechanism is proposed to ensure the standardization of the dynamic threshold. Finally, the effectiveness of the LDDM is evaluated using several real low-rate DDoS attack datasets. The comparisons with other methods illustrate our method has a lower false positive rate and false negative rate, as well as higher accuracy in the detection of stealthy low-rate DDoS attacks.</p>

computer science, information systems

SUN Hong-jie,FANG Bin-xing,ZHANG Hong-li

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.02.014

2007-01-01

Journal of Communications

Abstract:A new method based on link character was proposed for DDoS attacks detection.Maximum likelihood estima-tion was used to estimate the distribution of link character.SOM neural network is used for link activity profile learning and anomaly link detection.Experiment results indicate that the technique is effective and of a definite practicability.It has a further develop potential for DDoS attacks detection.