Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Jieren Cheng,Ruomeng Xu,Xiangyan Tang,Victor S. Sheng,Canting Cai

DOI: https://doi.org/10.3970/cmc.2018.055.095

2018-01-01

Abstract:Distributed denial-of-service (DDoS) is a rapidly growing problem with the fast development of the Internet. There're multitude DDoS detection approaches, however, three major problems about DDoS attack detection appear in the big data environment. Firstly, to shorten the respond time of the DDoS attack detector, secondly, to reduce the required compute resources, and lastly, to achieve a high detection rate with low false alarm rate. In the paper, we propose an abnormal network flow feature sequence prediction approach which could fit to be used as a DDoS attack detector in the big data environment and solve aforementioned problems. We define a network flow abnormal index as PDRA with the percentage of old IP addresses, the increment of the new IP addresses, the ratio of new IP addresses to the old IP addresses and average accessing rate of each new IP address. We design an IP address database using sequential storage model which has a constant time complexity. The autoregressive integrated moving average (ARIMA) trending prediction module will be started if and only if the number of continuous PDRA sequence value, which all exceed an PDRA abnormal threshold (PAT), reaches a certain preset threshold. And then calculate the probability that is the percentage of forecasting PDRA sequence value which exceed the PAT. Finally we identify the DDoS attack based on the abnormal probability of the forecasting PDRA sequence. Both theorem and experiment show that the method we proposed can effectively reduce the compute resources consumption, identify DDoS attack at its initial stage with higher detection rate and lower false alarm rate.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Jieren Cheng,Jianping Yin,Yun Liu,Zhiping Cai,Min Li

DOI: https://doi.org/10.1007/978-3-642-02270-8_22

2009-01-01

Abstract:Distributed denial of service (DDoS) attack is one of the major threats to the current Internet. After analyzing the characteristics of DDoS attacks and the existing Algorithms to detect DDoS attacks, this paper proposes a novel detecting algorithm for DDoS attacks based on IP address features value (IAFV). IAFV is designed to reflect the essential DDoS attacks characteristics, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. IAFV time series can be used to characterize the essential change features of network flows. Furthermore, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. The experimental results on the MIT data set show that our algorithm can detect DDoS attacks accurately and reduce the false alarm rate drastically.

H. P. Yao,Y. Q. Liu,C. Fang

DOI: https://doi.org/10.15837/ijccc.2016.4.2315

IF: 2.635

2016-01-01

International Journal of Computers Communications & Control

Abstract:Anomaly network detection is a very important way to analyze and detect malicious behavior in network. How to effectively detect anomaly network flow under the pressure of big data is a very important area, which has attracted more and more researchers' attention. In this paper, we propose a new model based on big data analysis, which can avoid the influence brought by adjustment of network traffic distribution, increase detection accuracy and reduce the false negative rate. Simulation results reveal that, compared with k-means, decision tree and random forest algorithms, the proposed model has a much better performance, which can achieve a detection rate of 95.4% on normal data, 98.6% on DoS attack, 93.9% on Probe attack, 56.1% on U2R attack, and 77.2% on R2L attack.

JieRen Cheng,Tang, Xiangyan,Zhu, Xinghui,Jianping Yin

DOI: https://doi.org/10.1109/ICEBEG.2011.5882342

2011-01-01

Abstract:Distributed denial of service (DDoS) attack is one of the major threats to the current Internet. It is challenging to detect DDoS attacks accurately and quickly. We propose a novel IP Flow Interaction Feature algorithm (FIF) based on multiple features of DDoS attack flows via IP addresses and ports. To increase the detection accuracy in various conditions, we describe the state characteristics of network flows using FIF time series, and a simple but efficient FIF-based DDoS attack detection model (FDAD) is proposed by associating with contextual information in observed FIF time series. Finally, we present a simple alarm evaluation mechanism based on the alarm frequency and time interval. Our analysis and experiment results demonstrate that FIF can well reflect the characteristics of DDoS attack flow and normal flow and can distinguish normal flow from attack flow effectively. FDAD can identify normal flow and abnormal flow with DDoS attack flow quickly, accurately, and reduce false alarm rate drastically.

Jieren Cheng,Jianping Yin,Yun Liu,Zhiping Cai,Chengkun Wu

DOI: https://doi.org/10.1109/incos.2009.34

2009-01-01

Abstract:Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. We argue that the difference of the goals, manners and results of the interaction behaviors of normal flows and attack flows, which show different characteristics on IP addresses and ports. IAI (IP Address Interaction Feature) algorithm is proposed based on the addresses interaction, abrupt traffic change, addresses many-to-one dissymmetry, distributed source IP addresses and concentrated target addresses. The IAI is designed to describe the essential characteristics of network flow states. Furthermore, a support vector machine (SVM) classifier, which is trained by IAI time series from normal flow and attack flow, is applied to classify the state of current network flows and identify the DDoS attacks. The experiment results show that, IAI can reflect the different characteristics of DDoS attack flows and normal flows; the IAI-based detection scheme can distinguish between normal flows and abnormal flows with DDoS attack flows effectively, and help to identify fast and accurate attack flows when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources, and it has higher detection and lower false alarm rate compared with related works.

Jieren Cheng,Jianping Yin,Chengkun Wu,Boyun Zhang,Yun Liu

2009-01-01

Abstract:Distributed denial of service (DDoS) attack is one of the major threats to the current Internet. The IP Flow feature value (FFV) algorithm is proposed based on the essential features of DDoS attacks, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. Using linear prediction technique, a simple and efficient ARMA prediction model is established for normal network flow. Then a DDoS attack detection scheme based on anomaly detection techniques and linear prediction model (DDAP) is designed. Furthermore, an alert evaluation mechanism is developed to reduce the false positives due to prediction error and flow noise. The experiment results demonstrate that DDAP is an efficient DDoS attacks detection scheme with more accuracy and lower false alarm rate.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Yini Chen,Jun Hou,Qianmu Li,Huaqiu Long

DOI: https://doi.org/10.1109/PIC50277.2020.9350788

2020-01-01

Abstract:With the development of network technology, distributed denial of service (DDoS) attacks have increasingly become an important security risk that endangers the network. It uses common protocols and services when attacking, so it is difficult to detect through traditional methods. Based on the idea of rational thinking, DDoS attack detection can be simulated as a classification problem that distinguishes between "rational" and "irrational" network flow states. This article analyzes the common TCP flood attacks, UDP flood attacks, and ICMP flood attacks in detail. Define the characteristics of data stream information entropy (DSIE) to characterize attack behavior. A DDoS attack detection method based on random forest classification (RFC) model is proposed. Establish classification models for the above three types of typical attack methods. Through training and learning, it is finally predicted whether the network traffic is normal. Experimental results show that the RFC model can more accurately distinguish between normal traffic and attack traffic, with a higher detection rate and a lower false alarm rate.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2009.35

2009-01-01

Abstract:The Distributed Denial of Service attacks (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. The current detection schemes are sensitive to the number of attackers and may lead to a high false positive probability especially for largescale networks with huge number of attackers. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many flooding sources to make the detection more difficult. In this paper we propose a more efficient detection scheme for Web Service DDoS attackers. The proposed scheme is based on the number of incoming requests to the server with the consideration of the clients activity (Active and Non-Active clients during the detection time). To make our scheme scalable to large-Scale networks, the non-adaptive group testing theory is applied to detect attackers using low state overhead. Extensive tracedriven simulation has been conducted on real Web trace to demonstrate the efficiency of the proposed scheme in terms of its false positive, false negative probabilities and also detection time.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

LUO Hua,HU Guang-min,YAO Xing-miao

2007-01-01

Journal of Computer Applications

Abstract:Due to the invisibility and distributivity characteristics of Distributed Denial of Service (DDoS) attack, a new DDoS detection method based on global network was presented in this paper. Our method detects DDoS by analyzing OD traffic matrix, whereas the traditional methods detect it on single link or victim network. This method was carried out as follows: First, we need to get network traffic matrix in order to obtain the correlation character of attack traffic among multiple links. Then, traffic matrix was divided into normal space and abnormal space by K-L transformation. Finally, the correlation of abnormal space was achieved to detect DDoS attack. The simulation result shows that this proposed method is more accurate and faster than traditional methods. It is in favor of earlier detection of DDoS attack.

Zhenping Shi,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/globecom38437.2019.9013186

2019-01-01

Abstract:Highly efficient and dependable large-scale DDoS attack detection scheme is critical for network anomaly detection. Typical machine learning algorithms such as Decision Tree and Adaboost work well on flow level analysis but cannot perform fine- grained detection of packet levels. Since these algorithms require more packets information for detection, resulting in higher detection delay and relatively lower accuracy. To address the problem, we propose DeepDDoS which is a deep learning method focusing on both period- wise and packetwise attack detection. First, the network packets are modeled in time dimension to discover the potential abnormal time period. Second, the network packets are grouped by 5 tuples (flow), the packets inside the group are sorted according to their arrival time. Then the data packet level sequence modeling is performed in each group. Comprehensive performance evaluation shows that the detection accuracy of DeepDDoS reach 99%. Furthermore, only 5 consecutive packets are needed for packet-wise detection, greatly reducing detection delay and computational overhead. Comparative experiments show that DeepDDoS outperforms existing typical attack detection methods

Xinqian Liu,Jiadong Ren,Haitao He,Bing Zhang,Chen Song,Yunxue Wang

DOI: https://doi.org/10.1016/j.jnca.2021.103079

IF: 7.574

2021-07-01

Journal of Network and Computer Applications

Abstract:<p>DDoS attack detection methods play a very important role in protecting computer network security. However, the existing flow-based DDoS attack detection methods face the non-negligible time delay and are not general for different types of DDoS attacks at different rates. In order to fill this research gap, a <strong>f</strong>ast <strong>a</strong>ll-<strong>p</strong>ackets-based <strong>D</strong>DoS attack <strong>d</strong>etection approach (FAPDD) is proposed. The FAPDD firstly designs a new time series network graph model to effectively simplify the processing of network traffic handling compared with the flow-base detections. Furthermore, it is the first time that the directed Weisfeiler-Lehman graph kernel is introduced for measuring the divergence between the current network graph and the normalization network graphs. Due to the new graph model and kernel measurement method to judge network changes, the different types and rates of DDoS attacks can be detected especially. In addition, the dynamic threshold and freezing mechanism are constructed to display standard traffic changes and prevent the pollution of attack traffic to the standard network. Finally, a number of real DDoS attack datasets are applied to evaluate the effectiveness of the proposed method, as well as the overall time efficiency and detection effect. Compared with other methods, the FAPDD can better meet the real-time requirements and achieve good detection effects in different types of DDoS attacks with different attack rates.</p>

computer science, interdisciplinary applications, software engineering, hardware & architecture

Ma Zhao-hui,Zhao Gan-sen,Li Wei-wen,Mo Ze-feng,Wang Xin-ming,Chen Bing-chuan,Lin Cheng-chuang

DOI: https://doi.org/10.1109/iccbb.2018.8756439

2018-01-01

Abstract:Software Defined Network (SDN) is a new network construction. But due to its construction, SDN is vulnerable to be attacked by Distributed Denial of Service (DDoS) attack. So it is important to detect DDoS attack in SDN network. This paper presents a DDoS detection scheme based on k-means algorithm in SDN environment. The establishment of this scheme is based on the two hypotheses that the daily network works normally most of the time, and there is a significant difference between the data characteristics of normal situation and abnormal situation. At the same time, these two hypotheses are also true to the daily network condition. After demonstrating the validity of k-means clustering algorithm, the paper proposes 5 flow table features that can be used to detect DDoS attacks. Finally, the DDoS detection scheme was tested by simulation experiment. The test results showed that the method proposed by the author could effectively detect DDoS, with an average success rate of 97.78%.