Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Junjiang He,Wenbo Fang,Xiaolong Lan,Geying Yang,Ziyu Chen,Yang Chen,Tao Li,Jiangchuan Chen

DOI: https://doi.org/10.1155/2024/9044391

IF: 8.993

2024-11-02

International Journal of Intelligent Systems

Abstract:Application‐layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application‐layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application‐layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application‐layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application‐layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.

computer science, artificial intelligence

Liguo Chen,Yuedong Zhang,Qi Zhao,Guanggang Geng,Zhiwei Yan

DOI: https://doi.org/10.1016/j.procs.2018.07.177

2018-01-01

Procedia Computer Science

Abstract:Domain Name System(DNS) is one of the most foundational and essential services on the Internet, the security and robustness of DNS are of great significance. However, the stable operation of DNS has been threatened by Distributed Denial of Service(DDoS) for quite a long time, especially when the number of registered names of. CN are over 20 million on November 11, 2016. According to our observation, the frequency of volume-based DDoS attacks increased rapidly in recent years, and when the attack happened, not only the authoritative servers were affected, servers of Top Level Domain(TLD) also suffered a lot. In this paper, a model based on Random Forest[1] is applied to traffic classification with an accuracy of 99.2% on Spark. The result shows that the model could be used to deal with large-scale DNS query flows, which is fast enough to be used in practice.

CHEN Shiwen,WU Jiangxing,HUANG Wanwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.1302-0182

2013-01-01

Abstract:The traditional detection methods for DDoS attacks have low accuracy and high false alarms rate because those means are only based on one of such flow features as burst feature,dispersed source IP address,asymmetry flow and etc.This paper uses conditional random field to integrate many pattern match rules for DDoS attack detection.The feature vector includes one way connection density,source IP entropy,destination IP entropy,destination port entropy and protocol entropy.The simulation results show that the proposed method outperforms other well-known methods such as na ve Bayes and SVM.The detection accuracy rate reaches 99.82% and the false alarm rate is less than 0.6%.The method is robustness under strong interference traffic noise.

Shi-Wen Chen,Jiang-xing Wu,Xiao-long Ye,Tong Guo

DOI: https://doi.org/10.4304/jnw.8.4.858-865

2013-01-01

Abstract:In order to detect distributed denial of service (DDoS) attacks accurately and efficiently, a new detection model based on conditional random fields (CRF) was proposed. The CRF based model incorporates the signature-based and anomaly-based detection methods to a hybrid system. The selected features include source IP entropy, destination IP entropy, source port entropy, destination port entropy, protocol number and etc. The CRF based model combines these IP flow entropies and other fingerprints into a normalize entropy as the feature vectors to depict the states of the monitoring traffic. The training method of the detection model uses the L-BFGS algorithm. And the model only needs to inspect the IP header fields of each packet, which makes it possible for real-time implementation even on real time network traffic. The CRF based model may have the ability to detect new form of forthcoming attacks, because it is independent from any specific DDoS flooding attack tools. The experiment results show that the CRF based method has higher detection accuracy and sensitivity as well as lower false positive alarms. Experiment with KDD CUP1999, DARPA 2000 and generated attack datasets, the CRF based model outperforms other well-known detection methods such as Naive Bayes, KNN, SVM and etc. The accuracy goes beyond 95.0% and the false alarm rate is less than 5.0%. Meanwhile, the CRF based model is robust under massive background network traffic.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Yan-Bo Zhang,Ming Li

2005-01-01

Abstract:Distributed Denial of Service (DDoS) flood attacks remain an immense threat to the Internet. The research about it gains much more attentions [1-7]. There are many detection mechanisms of DDoS flood attacks, including our early work [2, 5-7]. However, it is not enough only to report signs of DDoS attacks because efficient prevention needs classifying attack packets. To this end, this paper proposes a new classification scheme of attack packets. It is a threshold-based classification. The main aim of this classification is to give more useful information to Information Body by fuzzy classification, through which Information Body can both detect and react against ongoing attacks. The classification rules are selected to highlight important features of blended attacks. The proposed classification can be used to classify not only the existing attacks but also innovated ones. A case study is given to interpret the classification under dynamic threshold.

Zhen Liu,Changzhen Hu,Chun Shan

DOI: https://doi.org/10.1016/j.cose.2021.102392

IF: 5.105

2021-01-01

Computers & Security

Abstract:The means to achieve DDoS (distributed denial of service) attacks are becoming increasingly automated and diverse. A problem that automated attack tools cannot address, at least for now, is the inevitable repetitive or periodic nature of traffic data, which are important features for the effective detection of DDoS attacks. Some researchers have proposed to detect DDoS attacks by analyzing the frequency domain information or information entropy of network communication signals or network packets. However, they still suffer from insufficient accuracy and slow response time when dealing with large-scale attack data and multiple-packet types of attacks. Therefore, we hope to develop a detection method that can detect large-scale and multiple types of DDoS. This paper proposes a new DDoS detection method based on fast Fourier transform (FFT) and information entropy. This method (FFT and entropy-based DDoS detection method [FEDDM]) focuses on the periodicity of DDoS network traffic. First, we consider each piece of network traffic data as a network behavior. Then, we prove that the network traffic data conforms to the Riemann flow structure. We define the concept of work of stream data and treat it as a feature. The effect of stream data on the communication capacity can be considered as the work performed by the stream data on the channel. In addition, to improve the efficiency and accuracy of detection, we use the FFT coefficients and information entropy of work as features to train the neural network (NN) to detect DDoS attacks. This method is lightweight, faster, and more generally applicable. The experiment proved the advantage of this method using the latest CICDDoS2019 dataset. In the simulation, the detection accuracy of NetBIOS, SNMP, syn, and WebDDoS is more than 99.99%, which proves our method. (c) 2021 Elsevier Ltd. All rights reserved.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Ahmad Hamarshe,Huthaifa I. Ashqar,Mohammad Hamarsheh

DOI: https://doi.org/10.48550/arXiv.2303.06513

IF: 5.414

2023-03-11

Machine Learning

Abstract:The concept of Software Defined Networking (SDN) represents a modern approach to networking that separates the control plane from the data plane through network abstraction, resulting in a flexible, programmable and dynamic architecture compared to traditional networks. The separation of control and data planes has led to a high degree of network resilience, but has also given rise to new security risks, including the threat of distributed denial-of-service (DDoS) attacks, which pose a new challenge in the SDN environment. In this paper, the effectiveness of using machine learning algorithms to detect distributed denial-of-service (DDoS) attacks in software-defined networking (SDN) environments is investigated. Four algorithms, including Random Forest, Decision Tree, Support Vector Machine, and XGBoost, were tested on the CICDDoS2019 dataset, with the timestamp feature dropped among others. Performance was assessed by measures of accuracy, recall, accuracy, and F1 score, with the Random Forest algorithm having the highest accuracy, at 68.9%. The results indicate that ML-based detection is a more accurate and effective method for identifying DDoS attacks in SDN, despite the computational requirements of non-parametric algorithms.

Zhenpeng Liu,Yihang Wang,Fan Feng,Yifan Liu,Zelin Li,Yawei Shan

DOI: https://doi.org/10.3390/s23136176

IF: 3.9

2023-07-06

Sensors

Abstract:Distributed denial-of-service (DDoS) attacks pose a significant cybersecurity threat to software-defined networks (SDNs). This paper proposes a feature-engineering- and machine-learning-based approach to detect DDoS attacks in SDNs. First, the CSE-CIC-IDS2018 dataset was cleaned and normalized, and the optimal feature subset was found using an improved binary grey wolf optimization algorithm. Next, the optimal feature subset was trained and tested in Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbor (k-NN), Decision Tree, and XGBoost machine learning algorithms, from which the best classifier was selected for DDoS attack detection and deployed in the SDN controller. The results show that RF performs best when compared across several performance metrics (e.g., accuracy, precision, recall, F1 and AUC values). We also explore the comparison between different models and algorithms. The results show that our proposed method performed the best and can effectively detect and identify DDoS attacks in SDNs, providing a new idea and solution for the security of SDNs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Jiewen Mao,Weijun Deng,Fuke Shen

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00045

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attacks are still considered as severe threats to the Internet. Previous works have used information entropy to detect DDoS flooding attacks. However, these methods usually only used source address as the feature of packets, and ignored other features. Besides, the entropy with single variable also has restricts in abnormal detection. In this paper, we propose a new joint-entropy-based DDoS detection solution with multiple features of packets. We choose flow duration, packet length, source address and destination port as the key features to detect different types of DDoS flooding attacks. We carry out the experiments with simulated campus network based on Software-defined Networking (SDN) architecture. The results show that our proposed method can effectively detect attacks of both forged and non-forged source address, and outperforms the previous single-entropy methods in terms of accuracy and false positive rate.

Xia, Zhengmin,Lu, Songnian,Li, Jianhua

DOI: https://doi.org/10.1109/WiCOM.2012.6478475

2012-01-01

Abstract:Distributed denial-of-service (DDoS) flood attack is one of the most popular techniques taken by the hackers to threaten the availability and stability of the Internet. To ensure network usability and reliability, accurate detection of this kind of attack is critical. In this paper, we propose a statistical DDoS flood attack detection method by passively monitoring the abrupt change of network traffic fractal parameters: fractal dimension D and Hurst parameter H. Specifically, we use an autoregressive system to estimate the parameters D and H of normal traffic which are slow changing. If the actual parameters D and H vary significantly from the estimation ones, we assume DDoS flood attack happens. Meanwhile, we propose a maximum likelihood estimate-based detection method to determine the change point of parameters D and H that indicate the occurrence of DDoS flood attack. The test results based on the DARPA intrusion detection evaluation data sets show that both the parameters D and H can indicate the DDoS flood attack effectively. © 2012 IEEE.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

Zhenping Shi,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/globecom38437.2019.9013186

2019-01-01

Abstract:Highly efficient and dependable large-scale DDoS attack detection scheme is critical for network anomaly detection. Typical machine learning algorithms such as Decision Tree and Adaboost work well on flow level analysis but cannot perform fine- grained detection of packet levels. Since these algorithms require more packets information for detection, resulting in higher detection delay and relatively lower accuracy. To address the problem, we propose DeepDDoS which is a deep learning method focusing on both period- wise and packetwise attack detection. First, the network packets are modeled in time dimension to discover the potential abnormal time period. Second, the network packets are grouped by 5 tuples (flow), the packets inside the group are sorted according to their arrival time. Then the data packet level sequence modeling is performed in each group. Comprehensive performance evaluation shows that the detection accuracy of DeepDDoS reach 99%. Furthermore, only 5 consecutive packets are needed for packet-wise detection, greatly reducing detection delay and computational overhead. Comparative experiments show that DeepDDoS outperforms existing typical attack detection methods