Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Zhenpeng Liu,Yihang Wang,Fan Feng,Yifan Liu,Zelin Li,Yawei Shan

DOI: https://doi.org/10.3390/s23136176

IF: 3.9

2023-07-06

Sensors

Abstract:Distributed denial-of-service (DDoS) attacks pose a significant cybersecurity threat to software-defined networks (SDNs). This paper proposes a feature-engineering- and machine-learning-based approach to detect DDoS attacks in SDNs. First, the CSE-CIC-IDS2018 dataset was cleaned and normalized, and the optimal feature subset was found using an improved binary grey wolf optimization algorithm. Next, the optimal feature subset was trained and tested in Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbor (k-NN), Decision Tree, and XGBoost machine learning algorithms, from which the best classifier was selected for DDoS attack detection and deployed in the SDN controller. The results show that RF performs best when compared across several performance metrics (e.g., accuracy, precision, recall, F1 and AUC values). We also explore the comparison between different models and algorithms. The results show that our proposed method performed the best and can effectively detect and identify DDoS attacks in SDNs, providing a new idea and solution for the security of SDNs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Junjiang He,Wenbo Fang,Xiaolong Lan,Geying Yang,Ziyu Chen,Yang Chen,Tao Li,Jiangchuan Chen

DOI: https://doi.org/10.1155/2024/9044391

IF: 8.993

2024-11-02

International Journal of Intelligent Systems

Abstract:Application‐layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application‐layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application‐layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application‐layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application‐layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.

computer science, artificial intelligence

Yantian Luo,Xu Chen,Ning Ge,Jianhua Lu

DOI: https://doi.org/10.1109/globecom46510.2021.9685728

2021-01-01

Abstract:With the rapid development of 5G networks, a great amount of Internet of Things (IoT) devices are connected to the Internet. Most of these devices are cost limited and thus are easily compromised by attackers to launch distributed denial of service (DDoS) attacks. The traditional DDoS defense methods at server side can not adapt to this new challenge, thus access-side DDoS detection architecture is urgently needed. In this paper, we propose a deep learning (DL) based IoT device classification method to support fine-grained behavior modeling of malicious traffic and thus enable access-side DDoS detection. Different from traditional studies based on machine learning (ML) which need expertise feature engineering, we propose a time characteristics extraction method based on 1-D convolutional neural network to capture high level time series features automatically for better classification performance. To avoid the feature loss problem, we propose a feature enhancement method based on residual connection module. Experimental results verify the effectiveness of our method, which offers a meaningful gain in terms of both accuracy and macro F1 score over existing approaches.

Kun Wang,Yu Fu,Xueyuan Duan,Taotao Liu

DOI: https://doi.org/10.1038/s41598-024-66907-z

2024-07-16

Abstract:Due to the large computational overhead, underutilization of features, and high bandwidth consumption in traditional SDN environments for DDoS attack detection and mitigation methods, this paper proposes a two-stage detection and mitigation method for DDoS attacks in SDN based on multi-dimensional characteristics. Firstly, an analysis of the traffic statistics from the SDN switch ports is performed, which aids in conducting a coarse-grained detection of DDoS attacks within the network. Subsequently, a Multi-Dimensional Deep Convolutional Classifier (MDDCC) is constructed using wavelet decomposition and convolutional neural networks to extract multi-dimensional characteristics from the traffic data passing through suspicious switches. Based on these extracted multi-dimensional characteristics, a simple classifier can be employed to accurately detect attack samples. Finally, by integrating graph theory with restrictive strategies, the source of attacks in SDN networks can be effectively traced and isolated. The experimental results indicate that the proposed method, which utilizes a minimal amount of statistical information, can quickly and accurately detect attacks within the SDN network. It demonstrates superior accuracy and generalization capabilities compared to traditional detection methods, especially when tested on both simulated and public datasets. Furthermore, by isolating the affected nodes, the method effectively mitigates the impact of the attacks, ensuring the normal transmission of legitimate traffic during network attacks. This approach not only enhances the detection capabilities but also provides a robust mechanism for containing the spread of cyber threats, thereby safeguarding the integrity and performance of the network.

Michael Siracusano,Stavros Shiaeles,Bogdan Ghita

DOI: https://doi.org/10.1109/GIIS.2018.8635701

2019-03-13

Abstract:Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and k-NN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.

Networking and Internet Architecture,Machine Learning

Yi-Wen Chen,Jang-Ping Sheu,Yung-Ching Kuo,Nguyen Van Cuong

DOI: https://doi.org/10.1109/eucnc48522.2020.9200909

2020-01-01

Abstract:DDoS attacks often happen in cloud servers and cause a devastating problem. However, an increasing number of Internet of Things (IoT) devices makes us not ignore the influence of large-scale DDoS attacks from IoT devices. In this paper, we propose a machine learning-based on a multi-layer IoT DDoS attack detection system, including IoT devices, IoT gateways, SDN switches, and cloud servers. Firstly, we build eight smart poles with various sensors on our campus and collect sensor data as our datasets through wireless networks or wired networks. Next, we extract the features based on DDoS attack types. The feature selection can result in high accuracy DDoS attack detection in the real IoT environment. The experimental results show that our multi-layer DDoS detection system can accurately detect DDoS attacks. And the SDN controller can block venomous devices effectively according to blacklists from the results of our IoT DDoS attacks detection system.

Raja Giryes,Lior Shafir,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.2405.07232

2024-05-12

Abstract:Distributed Denial of Service (DDoS) attacks are getting increasingly harmful to the Internet, showing no signs of slowing down. Developing an accurate detection mechanism to thwart DDoS attacks is still a big challenge due to the rich variety of these attacks and the emergence of new attack vectors. In this paper, we propose a new tree-based DDoS detection approach that operates on a flow as a stream structure, rather than the traditional fixed-size record structure containing aggregated flow statistics. Although aggregated flow records have gained popularity over the past decade, providing an effective means for flow-based intrusion detection by inspecting only a fraction of the total traffic volume, they are inherently constrained. Their detection precision is limited not only by the lack of packet payloads, but also by their structure, which is unable to model fine-grained inter-packet relations, such as packet order and temporal relations. Additionally, inferring aggregated flow statistics must wait for the complete flow to end. Here we show that considering flow inputs as variable-length streams composed of their associated packet headers, allows for very accurate and fast detection of malicious flows. We evaluate our proposed strategy on the CICDDoS2019 and CICIDS2017 datasets, which contain a comprehensive variety of DDoS attacks. Our approach matches or exceeds existing machine learning techniques' accuracy, including state-of-the-art deep learning methods. Furthermore, our method achieves significantly earlier detection, e.g., with CICDDoS2019 detection based on the first 2 packets, which corresponds to an average time-saving of 99.79% and uses only 4--6% of the traffic volume.

Cryptography and Security

Dawei Wang,Longtao He,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CCIS.2012.6664254

2012-01-01

Abstract:DoS is still one of the most serious attacks on the Internet. Payload-based approaches are effective to known DOS attacks but are unable to be deployed on high-speed networks. To address this issue, flow-based DOS detection schemes have been proposed for highspeed networks as an effective supplement of payload-based solutions. However, existing flow-based solutions have serious limitations in detecting unknown attacks and efficiently identifying real attack flows buried in the background traffic. In addition, existing solutions also have difficulty to adapt to attack dynamics. To address these issues, this paper proposes a flow-based DOS detection scheme based on Artificial Immune systems. We adopt a tree structure to store flow information such that we can effectively extract useful features from flow information for better detecting DoS attacks. We employ Neighborhood Negative Selection (NNS) as the detection algorithm to detect unknown DoS attacks, and identify attack flows from massive traffic. Because the strong tolerance of NNS, the proposed solution is able to quickly adapt attack dynamics. The experimental results show that this solution is able to effectively detect unknown DoS attack flows and identify attack flows from background traffic. Meanwhile, the theoretical analysis demonstrates that this system can extract flow features more effectively.

Wu Zhijun,Duan Haixin,Li Xing

DOI: https://doi.org/10.1007/s11767-005-0027-8

2006-01-01

Journal of Electronics (China)

Abstract:An approach of defending against Distributed Denial of Service (DDoS) attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Yen-Hung Chen,Yuan-Cheng Lai,Kai-Zhong Zhou

DOI: https://doi.org/10.3390/mi12091019

2021-08-26

Abstract:The Deterministic Network (DetNet) is becoming a major feature for 5G and 6G networks to cope with the issue that conventional IT infrastructure cannot efficiently handle latency-sensitive data. The DetNet applies flow virtualization to satisfy time-critical flow requirements, but inevitably, DetNet flows and conventional flows interact/interfere with each other when sharing the same physical resources. This subsequently raises the hybrid DDoS security issue that high malicious traffic not only attacks the DetNet centralized controller itself but also attacks the links that DetNet flows pass through. Previous research focused on either the DDoS type of the centralized controller side or the link side. As DDoS attack techniques are evolving, Hybrid DDoS attacks can attack multiple targets (controllers or links) simultaneously, which are difficultly detected by previous DDoS detection methodologies. This study, therefore, proposes a Flow Differentiation Detector (FDD), a novel approach to detect Hybrid DDoS attacks. The FDD first applies a fuzzy-based mechanism, Target Link Selection, to determine the most valuable links for the DDoS link/server attacker and then statistically evaluates the traffic pattern flowing through these links. Furthermore, the contribution of this study is to deploy the FDD in the SDN controller OpenDayLight to implement a Hybrid DDoS attack detection system. The experimental results show that the FDD has superior detection accuracy (above 90%) than traditional methods under the situation of different ratios of Hybrid DDoS attacks and different types and scales of topology.

Kishore Babu Dasari,Nagaraju Devarakonda

DOI: https://doi.org/10.18280/ria.360107

2022-02-28

Abstract:The Distributed Denial of Service (DDoS) attack is a serious cyber security attack that attempts to disrupt the availability security principle of computer networks and information systems. It's critical to detect DDoS attacks quickly and accurately while using as less computing power as possible in order to minimize damage and cost efficient. This research proposes a fast and high-accuracy detection approach by using features selected by proposed method for Exploitation-based DDoS attacks. Experiments are carried out on the CICDDoS2019 datasets Syn flood, UDP flood, and UDP-Lag, as well as customized dataset. In addition, experiments were also conducted on a customized dataset that was constructed by combining three CICDDoS2019 datasets. Pearson, Spearman, and Kendall correlation techniques have been used for datasets to find un-correlated feature subsets. Then, among three un-correlated feature subsets, choose the common un-correlated features. On the datasets, classification techniques are applied to these common un-correlated features. This research used conventional classifiers Logistic regression, Decision tree, KNN, Naive Bayes, bagging classifier Random forest, boosting classifiers Ada boost, Gradient boost, and neural network-based classifier Multilayer perceptron. The performance of these classification algorithms was also evaluated in terms of accuracy, precision, recall, F1-score, specificity, log loss, execution time, and K-fold cross-validation. Finally, classification techniques were tested on a customized dataset with common features that were common in all of the dataset’s common un-correlated feature sets.

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Marcos Aurélio Ribeiro,Mauro Sergio Pereira Fonseca,Juliana de Santi

DOI: https://doi.org/10.1016/j.cose.2023.103462

2023-09-06

Abstract:The Distributed Denial of Service (DDoS) coordinates synchronized attacks on systems on the Internet using a set of infected hosts (bots). Bots are programmed to attack a determined target by firing a lot of synchronized requests, causing slowness or unavailability of the service. This type of attack has recently grown in magnitude, diversity, and economic cost. Thus, this paper presents a DDoS detection and mitigation architecture based on Software Defined Networking (SDN). It considers the Moving Target Defense (MTD) approach, redirecting malicious floods to expendable low-capacity servers to protect the main server while discouraging the attacker. The redirecting decision is based on a sensor, that employs Machine Learning (ML) algorithms for flow classification. When malicious flows are detected, the sensor notifies the SDN controller to include them in the malicious hosts lists and to realize the redirection. The validation and evaluation of the proposed architecture are conducted by simulation. Results considering different classification models (probabilistic, linear model, neural networks, and trees) and attack types indicate that the proposed architecture is efficient in detecting and mitigating DDoS attacks in approximately 3 seconds.

computer science, information systems

Yawar Abbas Abid,Jinsong Wu,Guangquan Xu,Shihui Fu,Muhammad Waqas

DOI: https://doi.org/10.1109/jiot.2024.3376578

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the increasing rates of interconnected Internet of Things (IoT) devices within Software-Defined Networking (SDN) environments, distributed denial of service (DDoS) attacks have become increasingly common. As a result of this challenge, novel detection and classification methods must be developed based on the unique characteristics of SDN-supported IoT networks. This paper proposes a novel approach to detecting and categorizing DDoS attacks that has been optimized specifically for such environments. As part of our methodology, we integrate convolutional neural networks (CNN) and long-short-term memory (LSTM) models into a multilevel deep neural network architecture. With this hybrid architecture, complex spatial and temporal patterns can be automatically extracted from raw network traffic data to facilitate comprehensive analysis and accurate identification of DDoS attacks. We validate the efficacy and superiority of our proposed approach over traditional machine learning algorithms by conducting rigorous experiments on real-world datasets. Our findings underscore the potential of the multi-level deep neural network approach as a robust and scalable solution for mitigating DDoS attacks in SDN-supported IoT networks. By improving network security and resilience to evolving threats, our methodology contributes to safeguarding critical infrastructures in the era of interconnected IoT ecosystems.

computer science, information systems,telecommunications,engineering, electrical & electronic