Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Zhenyu Yin,Shang Liu,Guangyuan Xu

2024-09-18

Abstract:The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation experiments demonstrate the applicability of DrLLM in zero-shot scenarios and further demonstrate the potential of LLMs in the network domains. DrLLM implementation code has been open-sourced at <a class="link-external link-https" href="https://github.com/liuup/DrLLM" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Qianru Zhou,Rongzhen Li,Lei Xu,Arumugam Nallanathan,Jian Yang,Anmin Fu

DOI: https://doi.org/10.1007/s42979-023-02383-y

2022-08-16

Abstract:The Internet is the most complex machine humankind has ever built, and how to defense it from intrusions is even more complex. With the ever increasing of new intrusions, intrusion detection task rely on Artificial Intelligence more and more. Interpretability and transparency of the machine learning model is the foundation of trust in AI-driven intrusion detection results. Current interpretation Artificial Intelligence technologies in intrusion detection are heuristic, which is neither accurate nor sufficient. This paper proposed a rigorous interpretable Artificial Intelligence driven intrusion detection approach, based on artificial immune system. Details of rigorous interpretation calculation process for a decision tree model is presented. Prime implicant explanation for benign traffic flow are given in detail as rule for negative selection of the cyber immune system. Experiments are carried out in real-life traffic.

Artificial Intelligence,Cryptography and Security,Networking and Internet Architecture

Tongze Wang,Xiaohui Xie,Lei Zhang,Chuyi Wang,Liang Zhang,Yong Cui

DOI: https://doi.org/10.1145/3663408.3663424

2024-01-01

Abstract:The constantly evolving Distributed Denial of Service (DDoS) attacks pose a significant threat to the cyber realm, which underscores the importance of DDoS mitigation as a pivotal area of research. While existing AI-driven approaches, including deep neural networks, show promise in detecting DDoS attacks, their inability to elucidate prediction rationales and provide actionable mitigation measures limits their practical utility. The advent of large language models (LLMs) offers a novel avenue to overcome these limitations. In this work, we introduce ShieldGPT, a comprehensive DDoS mitigation framework that harnesses the power of LLMs. ShieldGPT comprises four components: attack detection, traffic representation, domain-knowledge injection and role representation. To bridge the gap between the natural language processing capabilities of LLMs and the intricacies of network traffic, we develop a representation scheme that captures both global and local traffic features. Furthermore, we explore prompt engineering specific to the network domain and design two prompt templates that leverage LLMs to produce traffic-specific, comprehensible explanations and mitigation instructions. Our preliminary experiments and case studies validate the effectiveness and applicability of ShieldGPT, demonstrating its potential to enhance DDoS mitigation efforts with nuanced insights and tailored strategies.

Thanh-Lam Nguyen,Hao Kao,Thanh-Tuan Nguyen,Mong-Fong Horng,Chin-Shiuh Shieh

DOI: https://doi.org/10.32604/cmc.2024.047387

2024-01-01

Abstract:Since its inception, the Internet has been rapidly evolving. With the advancement of science and technology and the explosive growth of the population, the demand for the Internet has been on the rise. Many applications in education, healthcare, entertainment, science, and more are being increasingly deployed based on the internet. Concurrently, malicious threats on the internet are on the rise as well. Distributed Denial of Service (DDoS) attacks are among the most common and dangerous threats on the internet today. The scale and complexity of DDoS attacks are constantly growing. Intrusion Detection Systems (IDS) have been deployed and have demonstrated their effectiveness in defense against those threats. In addition, the research of Machine Learning (ML) and Deep Learning (DL) in IDS has gained effective results and significant attention. However, one of the challenges when applying ML and DL techniques in intrusion detection is the identification of unknown attacks. These attacks, which are not encountered during the system’s training, can lead to misclassification with significant errors. In this research, we focused on addressing the issue of Unknown Attack Detection, combining two methods: Spatial Location Constraint Prototype Loss (SLCPL) and Fuzzy C-Means (FCM). With the proposed method, we achieved promising results compared to traditional methods. The proposed method demonstrates a very high accuracy of up to 99.8% with a low false positive rate for known attacks on the Intrusion Detection Evaluation Dataset (CICIDS2017) dataset. Particularly, the accuracy is also very high, reaching 99.7%, and the precision goes up to 99.9% for unknown DDoS attacks on the DDoS Evaluation Dataset (CICDDoS2019) dataset. The success of the proposed method is due to the combination of SLCPL, an advanced Open-Set Recognition (OSR) technique, and FCM, a traditional yet highly applicable clustering technique. This has yielded a novel method in the field of unknown attack detection. This further expands the trend of applying DL and ML techniques in the development of intrusion detection systems and cybersecurity. Finally, implementing the proposed method in real-world systems can enhance the security capabilities against increasingly complex threats on computer networks.

computer science, information systems,materials science, multidisciplinary

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

Li Yijie,Zhai Shang,Chen Mingrui

DOI: https://doi.org/10.48550/arXiv.1903.07889

2019-03-19

Abstract:Distributed Denial of Service (DDOS) attack is one of the most common network attacks. DDoS attacks are becoming more and more diverse, which makes it difficult for some DDoS attack detection methods based on single network flow characteristics to detect various types of DDoS attacks, while the detection methods of multi-feature DDoS attacks have a certain lag due to the complexity of the algorithm. Therefore, it is necessary and urgent to monitor the trend of traffic change and identify DDoS attacks timely and accurately. In this paper, a method of DDoS attack detection based on deep belief network feature extraction and LSTM model is proposed. This method uses deep belief network to extract the features of IP packets, and identifies DDoS attacks based on LSTM model. This scheme is suitable for DDoS attack detection technology. The model can accurately predict the trend of normal network traffic, identify the anomalies caused by DDoS attacks, and apply to solve more detection methods about DDoS attacks in the future.

Cryptography and Security

Zhenping Shi,Jie Li,Chentao Wu

DOI: https://doi.org/10.1109/globecom38437.2019.9013186

2019-01-01

Abstract:Highly efficient and dependable large-scale DDoS attack detection scheme is critical for network anomaly detection. Typical machine learning algorithms such as Decision Tree and Adaboost work well on flow level analysis but cannot perform fine- grained detection of packet levels. Since these algorithms require more packets information for detection, resulting in higher detection delay and relatively lower accuracy. To address the problem, we propose DeepDDoS which is a deep learning method focusing on both period- wise and packetwise attack detection. First, the network packets are modeled in time dimension to discover the potential abnormal time period. Second, the network packets are grouped by 5 tuples (flow), the packets inside the group are sorted according to their arrival time. Then the data packet level sequence modeling is performed in each group. Comprehensive performance evaluation shows that the detection accuracy of DeepDDoS reach 99%. Furthermore, only 5 consecutive packets are needed for packet-wise detection, greatly reducing detection delay and computational overhead. Comparative experiments show that DeepDDoS outperforms existing typical attack detection methods

Ziming Zhao,Zhaoxuan Li,Zhihao Zhou,Jiongchi Yu,Zhuoxue Song,Xiaofei Xie,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103663

IF: 5.105

2023-12-21

Computers & Security

Abstract:Distributed Denial of Service (DDoS) defense is a profound research problem. In recent years, adversaries tend to complicate their attack strategies by crafting vast DDoS variants. On the one hand, this trend exacerbates both extremes of classification granularity ( i.e. , binary and attack level) in existing machine learning methods. On the other hand, massive attack categories make the filter rule table bulky, as well as cause problems of slow reaction presented in the recent state-of-the-art DDoS mitigation system. Therefore, we propose the concept of a DDoS family to reconcile/cope with these issues. The specific technical roadmap includes traffic pattern characterization, attack fingerprint production, and cross-executed family partition by community detection. Through extensive evaluations, we demonstrate the benefits of the proposal in terms of portraying similarities, guiding model classification/unknown attack detection, optimizing defense strategies, and speeding filtering reactions. For instance, our results show that using only one rule can defend 15 types of attacks due to their homogeneous behavioral representation. Particularly, we find the interesting observation that counting the backward packet is more efficient and robust against some attacks ( e.g. , Tor's Hammer Attack), which is very different from previous solutions.

computer science, information systems

Bangli Wang,Yuxuan Jiang,You Liao,Zhen Li

DOI: https://doi.org/10.1049/2024/1056705

2024-09-19

IET Information Security

Abstract:Distributed denial‐of‐service (DDoS) attacks pose a significant threat to network security due to their widespread impact and detrimental consequences. Currently, deep learning methods are widely applied in DDoS anomaly traffic detection. However, they often lack the ability to collectively model both local and global traffic features, which presents challenges in improving performance. In order to provide an effective method for detecting abnormal traffic, this paper proposes a novel network architecture called DDoS‐MSCT, which combines a multiscale convolutional neural network and transformer. The DDoS‐MSCT architecture introduces the DDoS‐MSCT block, which consists of a local feature extraction module (LFEM) and a global feature extraction module (GFEM). The LFEM employs convolutional kernels of different sizes, accompanied by dilated convolutions, with the aim of enhancing the receptive field and capturing multiscale features simultaneously. On the other hand, the GFEM is utilized to capture long‐range dependencies for attending to global features. Furthermore, with the increase in network depth, DDoS‐MSCT facilitates the integration of multiscale local and global contextual information of traffic features, thereby improving detection performance. Our experiments are conducted on the CIC‐DDoS2019 dataset, and also the CIC‐IDS2017 dataset, which is introduced as a supplement to address the issue of sample imbalance. Experimental results on the hybrid dataset show that DDoS‐MSCT achieves accuracy, recall, F1 score, and precision of 99.94%, 99.95%, 99.95%, and 99.97%, respectively. Compared to the state of the art methods, the DDoS‐MSCT model achieves a good performance for detecting the DDoS attack to provide the protecting ability for network security.

computer science, information systems, theory & methods

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Paul R. B. Houssel,Priyanka Singh,Siamak Layeghy,Marius Portmann

2024-08-08

Abstract:Large Language Models (LLMs) have revolutionised natural language processing tasks, particularly as chat agents. However, their applicability to threat detection problems remains unclear. This paper examines the feasibility of employing LLMs as a Network Intrusion Detection System (NIDS), despite their high computational requirements, primarily for the sake of explainability. Furthermore, considerable resources have been invested in developing LLMs, and they may offer utility for NIDS. Current state-of-the-art NIDS rely on artificial benchmarking datasets, resulting in skewed performance when applied to real-world networking environments. Therefore, we compare the GPT-4 and LLama3 models against traditional architectures and transformer-based models to assess their ability to detect malicious NetFlows without depending on artificially skewed datasets, but solely on their vast pre-trained acquired knowledge. Our results reveal that, although LLMs struggle with precise attack detection, they hold significant potential for a path towards explainable NIDS. Our preliminary exploration shows that LLMs are unfit for the detection of Malicious NetFlows. Most promisingly, however, these exhibit significant potential as complementary agents in NIDS, particularly in providing explanations and aiding in threat response when integrated with Retrieval Augmented Generation (RAG) and function calling capabilities.

Cryptography and Security,Artificial Intelligence,Networking and Internet Architecture

Mahmoud Said Elsayed,Nhien-An Le-Khac,Soumyabrata Dev,Anca Delia Jurcut

DOI: https://doi.org/10.48550/arXiv.2006.13981

2020-06-25

Abstract:Software-Defined Networking (SDN) is an emerging paradigm, which evolved in recent years to address the weaknesses in traditional networks. The significant feature of the SDN, which is achieved by disassociating the control plane from the data plane, facilitates network management and allows the network to be efficiently programmable. However, the new architecture can be susceptible to several attacks that lead to resource exhaustion and prevent the SDN controller from supporting legitimate users. One of these attacks, which nowadays is growing significantly, is the Distributed Denial of Service (DDoS) attack. DDoS attack has a high impact on crashing the network resources, making the target servers unable to support the valid users. The current methods deploy Machine Learning (ML) for intrusion detection against DDoS attacks in the SDN network using the standard datasets. However, these methods suffer several drawbacks, and the used datasets do not contain the most recent attack patterns - hence, lacking in attack diversity. In this paper, we propose DDoSNet, an intrusion detection system against DDoS attacks in SDN environments. Our method is based on Deep Learning (DL) technique, combining the Recurrent Neural Network (RNN) with autoencoder. We evaluate our model using the newly released dataset CICDDoS2019, which contains a comprehensive variety of DDoS attacks and addresses the gaps of the existing current datasets. We obtain a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our model provides great confidence in securing these networks.

Cryptography and Security

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Shui Yu,Wanlei Zhou,Weijia Jia,Song Guo,Yong Xiang,Feilong Tang

DOI: https://doi.org/10.1109/tpds.2011.262

IF: 5.3

2012-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice.

Zhaohui Ma,Jialiang Huang

DOI: https://doi.org/10.1007/978-981-15-2767-8_33

2020-01-01

Abstract:The seperation of control layer from data layer through SDN (software defined network) enables network administrators to plan the network programmatically without changing network devices, realizing flexible configuration of network devices and fast forwarding of data flows. However, due to its construction, SDN is vulnerable to be attacked by Distributed Denial of Service (DDoS) attack. So it is important to detect DDoS attack in SDN network. This paper presents a DDoS detection scheme based on the machine learning method of SVM (support vector machine) support vector machine in SDN environment. By extracting the flow table information features in SDN network, the data is detected and the data model of DDoS traffic can be trained, and the purpose of DDoS abnormal traffic identification is finally realized.

Siyu Cheng,Dong Jin,Yuanyi Ma,Shuangwu Chen,Huasen He,Jian Yang

DOI: https://doi.org/10.1109/tnse.2024.3393513

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Link Flooding Attack (LFA) is a new genre of DDoS attacks that aims to isolate the target area by paralyzing the critical links. To defend against LFA, we propose a novel LFA detection and mitigation system named LinkGuard using SDN. The changes in link state generally follow certain spatio-temporal patterns, whereas LFA is usually an unexpected or abrupt action that may break the normal traffic pattern. Based on this idea, we conceive an LFA detection method using an attention-based spatio-temporal graph convolutional network, which can infer the abnormal performance degradation induced by LFA. However, it is hard to get enough attack data for model training in reality. To tackle this difficulty, we propose an extreme value theory based model to estimate the probability that the performance degradation is caused by an extreme LFA event. In this way, the detection model can work without any prior knowledge of LFA. We further propose a mitigation method based on traffic rerouting and filtering to purify the LFA. We construct a test bed using a cluster of virtual machines and real network traffic to evaluate the performance. Extensive experiments demonstrate that LinkGuard can accurately detect LFA attacks and can effectively relieve the performance degradation caused by LFA.