Zhichun Li,Yan Chen,Aaron Beach

DOI: https://doi.org/10.1145/1162666.1162669

2006-01-01

Abstract:Traffic anomalies and distributed attacks are commonplace in today's networks. Single point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS based on the emerging decentralized location and routing infrastructure: distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (thus with similar symptoms) will be routed to the same sensor fusion center (SFC) while evenly distributing unrelated alarms to different SFCs. This is achieved through careful routing key design based on: 1) analysis of essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and those of the popular source IP subnets in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs, and improve the resiliency against the failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers show that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

WU Ji-yi,PING Ling-di,FAN Rong,Zhijie Lin

2008-01-01

Abstract:With the increasing demand of computer networks security,the distributed intrusion detection technology becomes an important research area.However,the traditional distributed intrusion detection systems have some shortcomings in certain aspects,such as distributivity,flexibility,interoperability,detecting efficiency,and insider threat avoidance etc.To deal with the insider threat more effectively,P2P overlay IDS based on an adaptive trust alert correlation was proposed.Under JXTA P2P framework,a P2P overlay IDS prototype system was implemented,and its effectiveness to prevent the spread of a real Internet worm was evaluated over an emulated network.The experiment results show the P2P overlay IDS significantly increases the overall survival rate of vulnerable peers in network.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Kai Hwang,Ying Chen,Hua Liu

DOI: https://doi.org/10.1109/IPDPS.2005.160

2005-01-01

Abstract:Network security breaches hinder the application of distributed computing systems manifested as the Grids, clusters, intranets, extranets, or P2P systems. A new integrated approach is presented for building future, network-based intrusion detection systems (NIDS). We integrate the Snort (a NIDS) with a custom-designed anomaly detection system (ADS) to yield a powerful cyber defense system, called CAIDS. This system detects known attacks through signature matching and reveals network anomalies by Internet traffic datamining. The CAIDS design integrates two different detection engines for alert correlation between intrusions and anomalies. We aim to automate signature generation into Snort database. The system was tested over an Internet trace of 24 millions of packets containing 200 attacks. Our simulation experiments result in a 75% detection rate on all attacks with a low 5% false alarm rate. The system generates alerts on both intrusive attacks to distributed resources and anomalies detected in the Internet, intranet, and extranet connections.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Youqiong Zhuang,Hua Wu,Songtao Liu,Guang Cheng,Xiaoyan Hu

DOI: https://doi.org/10.23919/apnoms56106.2022.9919987

2022-01-01

Abstract:As the scale of Distributed Denial of Service (DDoS) flooding attacks has increased significantly, many detection methods have applied sketch data structures to compress the IP traffic for storage saving. However, due to the large IP address space, these methods need to flush the sketch frequently to reduce the hash collisions. Besides, few of them can be applied to detect attacks in the high-speed network where sampling is usually adopted. This paper proposes a hierarchical system named HDS for efficient and continuous DDoS flooding attack detection in high-speed networks. Rather than directly processing the IP traffic, HDS uses sketches to track sampled traffic at different levels of aggregation: interface level, area level, and host level. Then traffic classifiers are trained for each level for attack detection. The main advantage of our approach is that each detection level only tracks a small set of traffic, which can identify the attack victim fastly and hardly causes hash collisions. Experimental results on the real-world 10Gbps network traffic datasets show that HDS can effectively detect various DDoS flooding attacks with high accuracy and identify the victim within an average of 10s when the sampling rate exceeds 1/2048.

Shuang Wei,Yijing Ding,Xinhui Han

DOI: https://doi.org/10.1109/dsn-w.2017.11

2017-01-01

Abstract:Distributed Denial-of-Service(DDoS) attack continues to be one of the most serious problems in the Internet. Without advance warning, DDoS attack can knock down the targeted server in a short period of time by exhausting the computing and communicating resources of the victim. In this paper, we propose a two-stage DDoS detection and defense system called TDSC. In the first stage, we divide the input flows into 4 parts and use the cluster size distribution analysis to detect the attack. Since we use cluster analysis as the basic detection algorithm, TDSC can separate the DDoS attacks from the legitimate flash crowd easily. In the first stage, we also extract traffic features of the attack from the cluster containing most of the DDoS traffic. With the DDoS attack features output by the first stage, TDSC can filter the attack traffic out in the second stage. We test the effectiveness of TDSC on the MIT Lincoln Laboratory 2000 LLS DDOS 1.0 Dataset(a.k.a. MIT LLS DDOS 1.0 Dataset). Results show that TDSC can detect the DDoS attack in 6 seconds and extract the features which can describe the attack traffic accurately. And with the traffic features calculated by the first stage, TDSC can filter out 99.89% of the attack traffic in the second stage.

Shuang Wei,Shuaifu Dai,Xinfeng Wu,Xinhui Han

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00059

2018-01-01

Abstract:DDoS has now become the most severe security problem of the Internet. Without in time report, DDoS attack can knock down the victim in no time by exhausting the victim's computing and communicating resources. In this paper we propose STDC-a DDoS defense system. STDC is a two-stage system based on clustering. In the first stage STDC leverage the benefit of SDN and NFV to apply flow-based detection method. STDC use the flow information gathered to do clustering. Since we use cluster analysis as the basic detection algorithm, STDC can separate the DDoS attacks from the legitimate flush crowd easily. In the second stage, we extract attack traffic pattern from the clustering result of the first stage to make blocking rules and use the structure of SDN to quickly dispatch them to achieve effictive and efficient DDoS mitigation. We test STDC using public DDoS dataset and the traffic captured through the gateway. Both of the experiments achieve good detection percision and high filtering ratio.

Wei Guo,Jin Xu,Yukui Pei,Liuguo Yin,Chunxiao Jiang,Ning Ge

DOI: https://doi.org/10.1109/jiot.2022.3176121

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Satellite Internet (SI) dramatically expanded the ground-based Internet, and it is also the future direction of 6G. However, due to limited computing power and bandwidth resources, Distributed Denial-of-Service (DDoS) attacks can cause more severe damage to SI, and even paralysis of the entire network. Current DDoS defense mechanisms are built on abundant computing power and bandwidth resources, making applying in the SI scenario challenging. Aiming at protecting SI from DDoS attacks, a blockchain-based distributed collaborative entrance defense (DCED) framework is proposed, in which network traffic characteristics can be recorded and aggregated at the entrances of SI. The proposed framework consists of a distributed detection digesting procedure, a digest virtual aggregation procedure, and an entrance control strategy. The former procedure detects and extracts multidimensional characteristics of DDoS attacks and pushes them onto the blockchain. The latter procedure collects block data and aggregates attack features using the MapReduce algorithm and then compares them with baseline and gives an alert. The strategy completes the filtering and interception of traffic. Experiments use the IXIA platform to generate malicious traffic, and results show that the framework can accurately identify attack traffic within 1500 ms, reaching an area of 0.99 under the receiver operating characteristic curve. The proposed framework is more effective than other similar DDoS methods, protecting the precious SI bandwidth resources.

T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/3-540-45067-X_19

2003-01-01

Abstract:We propose a distributed approach to detect distributed denial of service attacks by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change-point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. In a multi-agent scenario, we show that by sharing the distributed beliefs, we can improve the detection efficiency.

Lihua Miao,Wei Ding,Jian Gong

DOI: https://doi.org/10.1109/LANMAN.2015.7114740

2015-01-01

Abstract:Reports show that DDoS attacks are ubiquitous on the Internet and may jeopardize networks' stable operation. In order to understand the nature of this threat and further to enable effective control and management, a whole picture of the Internet-wide attacks is a necessity. Traditional methods use darknets to this end. However, with the IPv4 address space exhaustion, darknets become hard to acquire. In this paper, we seek to detect Internet-wide attacks using a live network. In particular, we focus on the most prevalent SYN flooding attacks. First, a complete attack scenario model is introduced according to the positions of the attacker, the victim and the attacking address. Then, after discussing the features of all scenarios, an algorithm named WSAND is proposed to detect Internet-wide SYN flooding attacks using Netflow data. In order to evaluate it, the algorithm is deployed at 28 main PoPs (Points of Presence) of the China Education and Research Network (CERNET) and the total internal address space is up to 200/16 blocks. A large quantity of Internet-wide SYN flooding attacks detected in March 2014 is discussed in detail. With the help of the detected attacks, a case study of detecting an internal zombie is presented.

Ying Gao,Hongrui Wu,Binjie Song,Yaqia Jin,Xiongwen Luo,Xing Zeng

DOI: https://doi.org/10.1109/access.2019.2948382

IF: 3.9

2019-01-01

IEEE Access

Abstract:Security assurance in Vehicular Ad hoc Network (VANET) is a crucial and challenging task due to the open-access medium. One great threat to VANETs is Distributed Denial-of-Service (DDoS) attack because the target of this attack is to prevent authorized nodes from accessing the services. To provide high availability of VANETs, a scalable, reliable and robust network intrusion detection system should be developed to efficiently mitigate DDoS. However, big data from VANETs poses serious challenges to DDoS attack detection since the detection system require scalable methods to capture, store and process the big data. To overcome these challenges, this paper proposes a distributed DDoS network intrusion detection system based on big data technology. The proposed detection system consists of two main components: real-time network traffic collection module and network traffic detection module. To build our proposed system, we use Spark to speed up data processing and use HDFS to store massive suspicious attacks. In the network collection module, micro-batch data processing model is used to improve the real-time performance of traffic feature collection. In the traffic detection module, the classification algorithm based on Random Forest (RF) is adopted. In order to evaluate the accuracy of detection, the algorithm was evaluated and compared in the datasets, containing NSL-KDD and UNSW-NB15. The experimental results show that the proposed detection algorithm reached the accuracy rate of 99.95% and 98.75%, and the false alarm rate (FAR) of 0.05% and 1.08%, respectively, in two datasets.

computer science, information systems,telecommunications,engineering, electrical & electronic

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.

Zhichun Li,Yan Gao,Yan Chen

2005-01-01

Abstract:Traffic anomalies and attacks are commonplace in to- day's networks, and identifying them rapidly and ac- curately is critical for large networks. With the rapid growth of network bandwidth and fast emergence of new attacks/worms, existing network intrusion detection sys- tems (IDS) are insufficient for the following two reasons. First, they are mostly host-based or located on low-end routers, and not scalable to high-speed networks. How- ever, it is crucial to identify fast propagation of worms in their early phases, which can only possibly be achieved by detection at high speed edge/backbone routers instead of at end hosts. Unfortunately, the existing schemes are not scalable to the link speeds and number of flows for high-speed networks. According to a recent research agenda (7) by DARPA, detection on edge networks is par- ticularly critical, powerful and efficient (without deploy- ing IDSs on all the edge hosts). Second, most of the existing approaches are signature based, which cannot detect unknown attacks. Statistical IDSs are therefore proposed to detect anomalies. Cur- rent systems are mostly designed to detect based on the overall traffic, thus they tend to be inaccurate or can- not find real attack flows for mitigation even when spot- ting anomalies. For instance, the state-of-the-art stateless router-based SYN flooding detection techniques, Change Point Monitoring (CPM), use the statistical behavior of SYN-FIN, or SYN-SYN/ACK packet pairs based on over- all traffic for detection (5). It detects well with pure SYN

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Wei Lin,Liu Xiang,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/FGCN.2008.67

2008-01-01

Abstract:In order to protect Internet users from various attacks such as worms, viruses and other intrusions, signature-based intrusion detection system (IDS) should be deployed at the critical part of the network with rapid response for updating newly emerged attack signatures and containing the spread of worms or viruses at their early stage. The processing speed of one IDS cannot achieve the throughput requirement in the core networks because of the pattern matching, the key operation for signature-based IDS, is complex and time consuming. In this paper, it argues that if the signature set is shared by multiple IDSs, a packet needs to be checked once and once only by one of the IDSs, so traffic load can be redistributed among the IDSs to avoid local congestion. Packet marking is used to indicate the status of this packet utilized by collaborative IDSs, and a redistribution strategy named inner logical ring (ILR) is built among IDSs to redistribute the traffic load. Meanwhile, caching scheme is used to keep sequence for packets belonging to the same flow. This collaborative distributed IDS is robust with rapid response to various attacks, and the detection throughput is significantly increased from the throughput of the weakest IDS to the summation of all the collaborative IDSs.

Muhammad Tahir,Mingchu Li,Naeem Ayoub,Usman Shehzaib,Atif Wagan

DOI: https://doi.org/10.14569/ijacsa.2018.090248

IF: 0.9

2018-01-01

International Journal of Advanced Computer Science and Applications

Abstract:In Today’s Digital World, the continuous interruption of users has affected Web Servers (WSVRs), through Distributed Denial-of-Service (DDoS) attacks. These attacks always remain a massive warning to the World Wide Web (WWW). These warnings can interrupt the accessibility of WSVRs, completely by disturbing each data processing before intercommunication properties over pure dimensions of Data-Driven Networks (DDN), management and cooperative communities on the Internet technology. The purpose of this research is to find, describe and test existing tools and features available in Linux-based solution lab design Availability Protection System (Linux-APS), for filtering malicious traffic flow of DDoS attacks. As source of malicious traffic flow taken most widely used DDoS attacks, targeting WSVRs. Synchronize (SYN), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) Flooding attacks are described and different variants of the mitigation techniques are explained. Available cooperative tools for manipulating with network traffic, like; Ebtables and Iptables tools are compared, based on each type of attacks. Specially created experimental network was used for testing purposes, configured filters servers and bridge. Inspected packets flow through Linux-kernel network stack along with tuning options serving for increasing filter server traffic throughput. In the part of contribution as an outcomes, Ebtables tool appears to be most productive, due to less resources it needed to process each packet (frame). Pointed out that separate detecting system is needed for this tool, in order to provide further filtering methods with data. As main conclusion, Linux-APS, solutions provide full functionality for filtering malicious traffic flow of DDoS attacks either in stand-alone state or combined with detecting systems.