Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Xinmeng Li,Kai Zheng,Dan Tang,Zheng Qin,Zhiqing Zheng,Shihan Zhang

DOI: https://doi.org/10.1109/wcnc49053.2021.9417400

2021-01-01

Abstract:Low-rate denial of service (LDoS) attack is a derivative denial of service (DoS) attack, which reduces the quality of service in the network in the means of sending high-strength and instantaneous streams of data in cycles. Based on the above attack, we proposed a method based on adaptive shared nearest neighbor clustering and outlier factor analysis (ASNNC-OFA) to detect it, whose core idea is to calculate the traffic characteristics of network. We divide these traffic characteristic data based on shared neighbor clustering, and use the outlier factor algorithm to perform anomaly analysis on the divided data by training threshold. The experiments were carried out on NS2 and test-bed respectively, the results of them show that the detection method we proposed has low false negative rate and false positive rate, so it can effectively detect LDoS attacks.

Dan Tang,Siqi Zhang,Yudong Yan,Jingwen Chen,Zheng Qin

DOI: https://doi.org/10.1109/tsc.2021.3102046

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:The software-defined network (SDN) has created the conditions for the optimization and development of network structures. However, its architecture is still not sufficient to resist or identify all denial of service (DoS) attacks, such as low-rate DoS (LDoS) attacks. Due to their low transporting rate and flash-crowd-like nature, LDoS attacks are well hidden in the background traffic and difficult to identify by anti-DoS mechanisms in the SDN. By implementing LDoS attacks in the SDN, we confirm that they can severely degrade the quality of service. We further propose a framework based on the histogram-based gradient boosting and finding peaks (HGB-FP) algorithm to detect LDoS attacks and mitigate their influence in the SDN in real-time. The histogram-based gradient boosting (HGB) algorithm, an ensemble learning with high quality and low complexity, can identify LDoS attacks quickly and accurately. The finding peaks (FP) algorithm locates the attacker via peak properties of the flow and installs flow rules on the switches to drop the attack flows. Experiments prove that our framework has higher accuracy and F-measure in identifying LDoS attacks than other machine learning approaches and mitigates the impact of LDoS attacks on bottleneck links in the SDN within seconds on average.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Wenwen Sun,Shaopeng Guan,Peng Wang,Qingyu Wu

DOI: https://doi.org/10.1002/ett.4443

IF: 3.6

2022-01-18

Transactions on Emerging Telecommunications Technologies

Abstract:The low‐rate DoS (LDoS) attack is a new kind of network attack which has the characteristics such as low speed and good concealment. The software defined network, as a new type of network architecture, also faces the threat from LDoS attacks. In this article, we propose a detection method of LDoS attacks based on a hybrid deep learning model CNN‐GRU: the convolutional neural network (CNN) and the gated recurrent unit (GRU). First, we extract field values such as n_packets and n_bytes, from the flow rule, and construct the average numbers of packets and bytes as the input data of the hybrid model. Then, to enhance the detection performance of the hybrid model, we improve the sailfish algorithm to optimize the hyperparameters of CNN and GRU automatically in the training process. Finally, we adopt hyperparameter optimized CNN and GRU to extract deeper spatial and temporal features of input data, respectively, which achieves accurate detection of the LDoS attack. The experimental results demonstrate that the proposed hybrid deep learning model‐based method outperforms other traditional machine learning algorithms in terms of detection efficiency and accuracy. A hybrid deep learning model based on the convolutional neural network and the gated recurrent unit is designed to detect the low‐rate DoS attack in software defined networks.

telecommunications

Dan Tang,Ye Feng,Siqi Zhang,Zheng Qin

DOI: https://doi.org/10.1109/tr.2020.3023257

IF: 5.883

2021-01-01

IEEE Transactions on Reliability

Abstract:The low-rate denial of service (LDoS) attack mainly exploits security vulnerabilities of adaptive mechanisms in network protocols and application services. The high-rate attack pulses within a short time interval are sent periodically, which will result in the degradation of service quality. The attack traffic is similar to normal traffic from legitimate users in the network, consequently, it is easy to escape the traditional detection methods because of its intermittence. Research works have demonstrated that there are fractal characteristics (self-similarity) of the network traffic over the large scale of time. Although the fractal characteristics of the network traffic will be changed under the LDoS attack, the variations of the fractal characteristics in some network states are not apparent in real-time detection. Based on the fractal characteristics, the fractal residual of the network traffic is analyzed through the Hurst parameters calculating process by R/S algorithm in this article. It can be found that the fractal residual of the network traffic can better reflect the different states of the LDoS attack. Combining the idea behind the sliding window, a novel fractal residual based real-time detection (FR-RED) method of the LDoS attack is proposed. The effectiveness of the method in this article is verified by performing some experiments on two platforms, the NS2 and test-bed. The results manifest the beginning and end of the LDoS attack can be estimated in real-time with high detection accuracy.

Dan Tang,Xiyin Wang,Yudong Yan,Dongshuo Zhang,Huan Zhao

DOI: https://doi.org/10.1016/j.comcom.2021.10.007

IF: 5.047

2022-01-01

Computer Communications

Abstract:Low-rate Denial of Service (LDoS) attacks cause severe destructiveness to network security. Consequently, the implementation of detection and defense against them is a concern among the research communities. But it is formidable to deploy extension modules to detect and mitigate attacks online in traditional networks, because devices are deficient of flexibility and scalability. To address the problem, we design and implement an online attack detection and mitigation system (ADMS) framework via the scalable and programmable Software Defined Networking (SDN). ADMS is installed on SDN controllers and conforms to the OpenFlow policy without extra devices. ADMS consists of two modules: the two-phase detection module and the mitigation module. The two-phase detection module combines the new port traffic feature and the Lightgbm classifier based on flow table statistics traffic to precisely detect LDoS attacks. The mitigation module utilizes the novel Sequence Matching based Dynamic Series Analysing (SMDSA) algorithm to locate the attacker, and efficiently mitigates attack traffic by packet filter. The SMDSA algorithm distinguishes the victim port from benign ports by calculating the anomaly score of each port. Our evaluation on a prototype implementation of ADMS shows that the framework is able to precisely identify and efficiently mitigate LDoS attacks in real-time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sijia Zhan,Dan Tang,Jianping Man,Rui Dai,Xiyin Wang

DOI: https://doi.org/10.3390/s20010189

IF: 3.9

2019-12-29

Sensors

Abstract:Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Dan Tang,Yudong Yan,Rui Dai,Zheng Qin,Jingwen Chen,Dongshuo Zhang

DOI: https://doi.org/10.1007/s10586-022-03537-y

2022-01-01

Cluster Computing

Abstract:In network security, Low-rate Denial of Service (LDoS) attacks can severely degrade the quality of the network service by sending attacking pulses intermittently with a low-rate behavior. It is hard to accurately detect this attack because of its low-rate nature and stealth. By combining the discrete Fourier transform (DFT) and discrete wavelet transform (DWT) with autoencoder-based anomaly detection, we put forward a novel LDoS attack detection method. According to the approximate coefficients (NAC), the normalized amplitude spectrum of network traffic (NAS) and the normalized reconstruction signal according to the approximate coefficients (NAC) have a significant difference between normal and LDoS conditions. The proposed detection method consists of two detection models, one is NAS–AE that takes the normalized amplitude spectrum (NAS) of network traffic as the input of the autoencoder, and the other is the NAC–AE that employs the normalized reconstruction signal as the input of the autoencoder. The reconstruction error of the network signal is represented as the difference between the autoencoder input and output. Network traffic without LDoS attacks can be reconstructed well by the autoencoder trained with normal network traffic, while the network traffic under LDoS conditions will be failed to do so, resulting in an anomaly of the reconstruction error. The reconstruction anomaly indicates that the network is under LDoS conditions. Experiments performed in NS2 and test-bed networking prove that the method put forward by us can detect LDoS attacks accurately.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.1504/ijcse.2020.110182

2020-01-01

International Journal of Computational Science and Engineering

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Ping Dong,Xiaojiang Du,Hongke Zhang,Tong Xu

DOI: https://doi.org/10.1109/ICC.2016.7510992

2016-01-01

Abstract:A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.

Jie Dong,Wenyu Fang,Wanling Zheng,Jinkun Liu,Yanhua Liu

DOI: https://doi.org/10.1109/icnc-fskd64080.2024.10702252

2024-01-01

Abstract:In order to achieve more efficient and accurate DDoS detection while ensuring data privacy, this paper proposes a DDoS detection method based on FLAD. Firstly, this paper uses the FLAD algorithm to train a global DDoS detection model without leaving local traffic data, protecting the privacy and security of traffic data between different hosts, and improving aggregation efficiency by dynamically adjusting the aggregation weights to adapt to different sub-dataset increments. Secondly, a DDoS traffic detection method based on the integration of LSTM and CNN is proposed, which extracts and analyzes the temporal correlation of traffic data by calculating the statistical characteristics of traffic data within a time period, to achieve real-time detection of traffic feature data. Again, combined with the concept of SDN, real-time defense against DDoS based on ODL-API is implemented, and precise matching of DDoS detection results with network entity information is achieved, realizing the technology of real-time and precise issuance of multiple flow rules, effectively blocking DDoS malicious attack traffic, protecting important entities in the topology, and maintaining stable traffic in the topology. This paper focuses on solving the detection problem of DDoS traffic data increments and uneven data distribution through the FLAD algorithm. Experimental results show that the proposed method improves the accuracy of DDoS attack detection by more than 4% and the F1 Score by more than 7% compared to the FedAvg aggregation algorithm.

LI Lijuan,LI Man,BI Hongjun,ZHOU Huachun

DOI: https://doi.org/10.11959/j.issn.2096-109x.2022001

2022-01-01

Abstract:Low-Rate distributed denial of service (DDoS) attack attacks the vulnerabilities in the adaptive mechanism of network protocols, posing a huge threat to the quality of network services. Low-Rate DDoS attack was characterized by high secrecy, low attack rate, and periodicity. Existing detection methods have the problems of single detection type and low identification accuracy. In order to solve them, a multi-type low-rate DDoS attack detection method based on hybrid deep learning was proposed. Different types of low-rate DDoS attacks and normal traffic in different scenarios under 5G environment were simulated. Traffic was collected at the network entrance and its traffic characteristic information was extracted to obtain multiple types of low-rate DDoS attack data sets. From the perspective of statistical threshold and feature engineering, the characteristics of different types of low-rate DDoS attacks were analyzed respectively, and the effective feature set of 40-dimension low-rate DDoS attacks was obtained. CNN-RF hybrid deep learning algorithm was used for offline training based on the effective feature set, and the performance of this algorithm was compared with LSTM-Light GBM and LSTM-RF algorithms. The CNN-RF detection model was deployed on the gateway to realize the online detection of multiple types of low-rate DDoS attacks, and the performance was evaluated by using the newly defined error interception rate and malicious traffic detection rate indexes. The results show that the proposed method can detect four types of low-rate DDoS attacks online, including Slow Headers attack, Slow Body attack, Slow Read attack and Shrew attack, and the error interception rate reaches 11.03% in 120 s time window. The detection rate of malicious traffic reaches 96.22%. It can be judged by the results that the proposed method can significantly reduce the intensity of low-rate DDoS attack traffic at the network entrance, and can be deployed and applied in the actual environment.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection