Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Dan Tang,Yudong Yan,Siqi Zhang,Jingwen Chen,Zheng Qin

DOI: https://doi.org/10.1109/jsac.2021.3126053

IF: 16.4

2022-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-Defined Networking (SDN) is an emerging network architecture. The decoupled data and control plane provides programmability for efficient network management. However, the centralized control mode of SDN also exposes unique vulnerabilities. Low-rate Denial of Service (LDoS) has a lower attack rate than ordinary DDoS attacks with the characteristics of periodicity and concealment, which is among one of the severe threats to SDN. In this paper, we propose a lightweight, real-time framework Performance and Features (P&F) to detect and mitigate LDoS attacks with SDN. We implement LDoS attacks in SDN, extract traffic features with OpenFlow, and classify the features into two categories. By analyzing the performance (P) of normal traffic under attack state, P&F determines whether LDoS attacks take effect based on machine learning. Meanwhile, P&F tries to locate attack sources and victims according to flow features (F) of LDoS attacks based on time-frequency analysis. According to detection and locating results, P&F sets corresponding mitigation schemes. Experimental results show that P&F has a high detection rate and low false positive rate for detecting LDoS attacks. P&F can deploy on controllers to achieve real-time attack detection and mitigation with low system cost, which can defend against LDoS attacks effectively.

telecommunications,engineering, electrical & electronic

Zixu Huang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831333

2022-01-01

Abstract:Software-Defined Networking (SDN) is a new and highly flexible network architecture, but the bottleneck between the control plane and the data plane makes it vulnerable to the control plane saturation DoS attacks. When the attack happens, traditional schemes in DoS scrubbing agent use a binary classification and a First In First Out (FIFO) queue to filter attack flows. However, this scheme is inimical to the end-to-end latency of benign traffic. To tackle this issue, we propose LLDM, leveraging a dynamic priority scheme and a priority queue to detect, mitigate the attacks while ensuring low latency for benign traffic. After detecting the attack, LLDM leverages a two-phase scheme for mitigation. First, LLDM marks packets from the ports under attack as suspicious and migrates them to the mitigation agent. Then, the dynamic priority manager assigns each packet a priority corresponding to its legality, which is used in the priority queue for DoS scrubbing. We evaluate LLDM in a simulation SDN environment. The experimental results show that LLDM can reduce 90.4% of the queuing delay compared with the traditional scheme under a 5000 Packets Per Second (PPS) attack, and it is also resistant to more sophisticated attacks. Under the high rate attack of 50000 PPS, LLDM installs a flow rule for legitimate traffic in 0.2 seconds. Moreover, for benign HTTP requests, LLDM can keep the request time at 1.39 seconds.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Dan Tang,Siyuan Wang,Boru Liu,Wenqiang Jin,Jiliang Zhang

DOI: https://doi.org/10.1109/tsc.2023.3266757

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Software defined networking (SDN), a highly regarded architecture, enhances the programmability and manageability of the network by decoupling the data plane and the control plane. It has emerged to bring more possibilities to the Internet, but at the same time, its inherent shortcomings have become a pool for malicious attackers. Low-rate denial of service (LDoS) attacks, a variant of denial of service attacks, also pose a threat to the SDN architecture. In this article, we replicate LDoS attacks for the SDN data plane and propose a detection and mitigation framework called GASF-IPP based on multiple traffic and IP-port data by analyzing the network anomalies. By leveraging the OpenFlow protocol, the traffic of switches is monitored. We use Gramian angular summation field (GASF) transformation based on timing analysis to analyze the traffic and combine it with other features to determine whether an attack has occurred. By locating the attacker and the victim, flow rules can be constructed for mitigation. Experiments prove that our proposed framework is correct and effective, the detection and mitigation module can perform real-time work with a low false positive rate (FPR) and respond in average 6.77 s.

Muhammad Aslam,Dengpan Ye,Aqil Tariq,Muhammad Asad,Muhammad Hanif,David Ndzi,Samia Allaoua Chelloug,Mohamed Abd Elaziz,Mohammed A A Al-Qaness,Syeda Fizzah Jilani

DOI: https://doi.org/10.3390/s22072697

2022-03-31

Abstract:The development of smart network infrastructure of the Internet of Things (IoT) faces the immense threat of sophisticated Distributed Denial-of-Services (DDoS) security attacks. The existing network security solutions of enterprise networks are significantly expensive and unscalable for IoT. The integration of recently developed Software Defined Networking (SDN) reduces a significant amount of computational overhead for IoT network devices and enables additional security measurements. At the prelude stage of SDN-enabled IoT network infrastructure, the sampling based security approach currently results in low accuracy and low DDoS attack detection. In this paper, we propose an Adaptive Machine Learning based SDN-enabled Distributed Denial-of-Services attacks Detection and Mitigation (AMLSDM) framework. The proposed AMLSDM framework develops an SDN-enabled security mechanism for IoT devices with the support of an adaptive machine learning classification model to achieve the successful detection and mitigation of DDoS attacks. The proposed framework utilizes machine learning algorithms in an adaptive multilayered feed-forwarding scheme to successfully detect the DDoS attacks by examining the static features of the inspected network traffic. In the proposed adaptive multilayered feed-forwarding framework, the first layer utilizes Support Vector Machine (SVM), Naive Bayes (NB), Random Forest (RF), k-Nearest Neighbor (kNN), and Logistic Regression (LR) classifiers to build a model for detecting DDoS attacks from the training and testing environment-specific datasets. The output of the first layer passes to an Ensemble Voting (EV) algorithm, which accumulates the performance of the first layer classifiers. In the third layer, the adaptive frameworks measures the real-time live network traffic to detect the DDoS attacks in the network traffic. The proposed framework utilizes a remote SDN controller to mitigate the detected DDoS attacks over Open Flow (OF) switches and reconfigures the network resources for legitimate network hosts. The experimental results show the better performance of the proposed framework as compared to existing state-of-the art solutions in terms of higher accuracy of DDoS detection and low false alarm rate.

Dan Tang,Siqi Zhang,Yudong Yan,Jingwen Chen,Zheng Qin

DOI: https://doi.org/10.1109/tsc.2021.3102046

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:The software-defined network (SDN) has created the conditions for the optimization and development of network structures. However, its architecture is still not sufficient to resist or identify all denial of service (DoS) attacks, such as low-rate DoS (LDoS) attacks. Due to their low transporting rate and flash-crowd-like nature, LDoS attacks are well hidden in the background traffic and difficult to identify by anti-DoS mechanisms in the SDN. By implementing LDoS attacks in the SDN, we confirm that they can severely degrade the quality of service. We further propose a framework based on the histogram-based gradient boosting and finding peaks (HGB-FP) algorithm to detect LDoS attacks and mitigate their influence in the SDN in real-time. The histogram-based gradient boosting (HGB) algorithm, an ensemble learning with high quality and low complexity, can identify LDoS attacks quickly and accurately. The finding peaks (FP) algorithm locates the attacker via peak properties of the flow and installs flow rules on the switches to drop the attack flows. Experiments prove that our framework has higher accuracy and F-measure in identifying LDoS attacks than other machine learning approaches and mitigates the impact of LDoS attacks on bottleneck links in the SDN within seconds on average.

Dan Tang,Liu Tang,Rui Dai,Jingwen Chen,Xiong Li,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1016/j.future.2019.12.034

2020-01-01

Abstract:A low-rate denial of service (LDoS) attack is a precise network attack that aims at reducing the quality of the network service. Many networks do not have an effective mechanism for defending against LDoS attacks, including the emerging Internet of Things. In this paper, we propose an LDoS attack detection method that is based on multiple features of network traffic and an improved Adaboost algorithm (MF-Adaboost). Based on an analysis of the network traffic, we construct a network feature set that is used for feature calculation and feature selection of network traffic data. Feature calculation can extract the most useful information from the network traffic data and reduce the scale of the network data. Feature selection is used to select the optimal classification features to ensure that the detection algorithm can be effectively trained. This method utilizes the Adaboost algorithm, which is a classification algorithm in the field of machine learning. The well-trained Adaboost algorithm can effectively identify LDoS attack traffic. We improve the Adaboost algorithm to alleviate the imbalance of the sample weights. Experiments are conducted on the NS2 simulation platform and a test-bed platform to evaluate the performance of our method. The experimental results demonstrate that our method can detect LDoS attacks effectively.

Dan Tang,Siyuan Wang,Siqi Zhang,Zheng Qin,Wei Liang,Sheng Xiao

DOI: https://doi.org/10.1109/tccn.2023.3306358

IF: 6.359

2023-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Slow-rate denial-of-service (SDoS) attacks are a type of denial-of-service (DoS) attacks with a low attack rate. They have a flash-crowd nature and can be well concealed in legitimate traffic, so it is difficult to identify them by anti-DoS mechanisms. Existing solutions have drawbacks such as difficult deployment, poor real-time performance, and poor scalability. We propose a scheme for real-time monitoring and mitigation of SDoS attacks on the basis of a software-defined network (SDN) and new traffic metrics. The new traffic metrics are the coefficient of fluctuation (CoF) and pulse period coefficient (PPC), which can help us identify SDoS attacks in the network and locate the attackers quickly and accurately. Based on the two metrics, the scheme uses a Gaussian mixture model (GMM) to predict and cluster network traffic and obtain attacker IPs. The mitigation module installs flow rules to discard attacking flows. With blacklisting and weighted IPs, the mitigation module reduces the probability of dropping legitimate flows in case of false positives. Experiments show that our scheme is inexpensive to deploy and can identify attacks and locate attackers quickly and accurately. The mitigation strategy can mitigate SDoS attacks within 4 to 6 seconds with high probability.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Dan Tang,Hongbo Cao,Jiliang Zhang,Zheng Qin,Wei Liang,Xiaopu Ma

DOI: https://doi.org/10.1016/j.comnet.2024.110666

IF: 5.493

2024-01-01

Computer Networks

Abstract:The SDN architecture decouples control plane from data plane, making it more susceptible to various abnormal traffic and network attacks, with LDoS attack being one of them. LDoS attackers periodically send short- duration pulses with high rate to bottleneck links to preempt legitimate TCP traffic bandwidth, severely disrupting the transmission of TCP traffic. Current researches on LDoS attacks are mostly implemented in SDN environments, making them exhibit poor portability during deployment and unavoidable time delays. This paper proposes EXCLF, a LDoS attack detection and mitigation model fully deployed on programmable data plane. To identify LDoS attacks, the model gathers features of the traffic going through the switch and feeds them into a decision tree. Once LDoS attack happens, the model collects data at flow level to pinpoint the attacker and initiates corresponding mitigation measures. Extensive experiments were conducted to evaluate the proposed model, and the results indicate that EXCLF achieves a correct rate of 96.39%, with false positive and false negative rates both below 3%. Additionally, the model demonstrates low detection latency and can quickly respond to attacks. The model proves to be an attack detection and mitigation method with good portability and efficiency.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Dan Tang,Hongbo Cao,Jiliang Zhang,Zheng Qin,Wei Liang,Xiaopu Ma

DOI: https://doi.org/10.1016/j.comnet.2024.110666

2024-01-01

Abstract:The SDN architecture decouples control plane from data plane, making it more susceptible to various abnormal traffic and network attacks, with LDoS attack being one of them. LDoS attackers periodically send short-duration pulses with high rate to bottleneck links to preempt legitimate TCP traffic bandwidth, severely disrupting the transmission of TCP traffic. Current researches on LDoS attacks are mostly implemented in SDN environments, making them exhibit poor portability during deployment and unavoidable time delays. This paper proposes EXCLF, a LDoS attack detection and mitigation model fully deployed on programmable data plane. To identify LDoS attacks, the model gathers features of the traffic going through the switch and feeds them into a decision tree. Once LDoS attack happens, the model collects data at flow level to pinpoint the attacker and initiates corresponding mitigation measures. Extensive experiments were conducted to evaluate the proposed model, and the results indicate that EXCLF achieves a correct rate of 96.39%, with false positive and false negative rates both below 3%. Additionally, the model demonstrates low detection latency and can quickly respond to attacks. The model proves to be an attack detection and mitigation method with good portability and efficiency.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Tao Wang,Hongchang Chen,Guozhen Cheng,Yulin Lu

DOI: https://doi.org/10.1155/2018/7545079

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software-Defined Networking (SDN) has quickly emerged as a promising technology for future networks and gained much attention. However, the centralized nature of SDN makes the system vulnerable to denial-of-services (DoS) attacks, especially for the currently widely deployed multicontroller system. Due to DoS attacks, SDN multicontroller model may additionally face the risk of the cascading failures of controllers. In this paper, we propose SDNManager, a lightweight and fast denial-of-service detection and mitigation system for SDN. It has five components: monitor, forecast engine, checker, updater, and storage service. It typically follows a control loop of reading flow statistics, forecasting flow bandwidth changes based on the statistics, and accordingly updating the network. It is worth noting that the forecast engine employs a novel dynamic time-series (DTS) model which greatly improves bandwidth prediction accuracy. What is more, to further optimize the defense effect, we also propose a controller dynamic scheduling strategy to ensure the global network state optimization and improve the defense efficiency. We evaluate SDNManager through a prototype implementation tested in a real SDN network environment. The results show that SDNManager is effective with adding only a minor overhead into the entire SDN/OpenFlow infrastructure.

Hao Wu,Aiqin Hou,Weike Nie,Chase Wu

DOI: https://doi.org/10.1109/icnc57223.2023.10074226

2023-01-01

Abstract:As a new network paradigm, software-defined networking (SDN) technology has been increasingly adopted. Unfortunately, SDN-enabled networks are more prone to threats from DDoS attacks than traditional networks due to the nature of centralized management. We propose an integrated defense framework to detect and mitigate various types of DDoS attacks in SDN-enabled networks. The proposed framework deploys two technical modules in the control plane of SDN for defending against high-rate and low-rate DDoS attacks, respectively. The former module consists of three components, which watch out for suspicious traffic, detect attacks using ensemble learning, and intercept malicious packets, respectively. The latter module is designed specifically to defend against the Slow Ternary Content Addressable Memory (TCAM) exhaustion attack (Slow-TCAM) using a new Alleviative Threat for TCAM (ATFT) algorithm. The proposed framework is implemented and tested in simulated networks using Mininet and further evaluated on the CICDDoS2019 dataset. Experimental results illustrate the superior performance of the proposed framework in defending against different types of DDoS attacks in comparison with other state-of-the-art algorithms.

Sijia Zhan,Dan Tang,Jianping Man,Rui Dai,Xiyin Wang

DOI: https://doi.org/10.3390/s20010189

IF: 3.9

2019-12-29

Sensors

Abstract:Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation