Towards multisensor data fusion for DoS detection

Published: 14 March 2004 Publication History
Abstract

    In our present work we introduce the use of data fusion in the field of DoS anomaly detection. We present Dempster-Shafer's Theory of Evidence (D-S) as the mathematical foundation for the development of a novel DoS detection engine. Based on a data fusion paradigm, we combine multiple pieces of evidence generated from simple heuristics to feed our D-S inference engine and attempt to detect flooding attacks. Our approach has as its main advantages the modeling power of the Theory of Evidence in expressing beliefs in some hypotheses, the ability to add the notions of uncertainty and ignorance to the system, and the quantitative measurement of the belief and plausibility in our detection results. We evaluate our detection engine prototype through a set of experiments that were conducted with real network traffic and with the use of common DDoS tools. We conclude that data fusion is a promising approach that could increase the DoS detection rate and decrease the false alarm rate.
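    As an added worked example (not code from the paper, whose detection engine is not reproduced on this page), the following Python implements the Dempster-Shafer machinery the abstract names: mass functions produced by simple traffic heuristics, Dempster's rule of combination to fuse them, and the belief/plausibility pair that quantifies the result. The frame of discernment ("attack" versus "normal"), the three heuristics, their thresholds and mass values, and the sample measurement windows are all constructed assumptions for illustration, not the paper's sensors, thresholds or data.

```python
from itertools import product
from typing import Dict, FrozenSet, Iterable, Tuple

# Frame of discernment (assumed for this example; the abstract does not state
# the paper's frame): the monitored traffic is either a flooding attack or
# normal. THETA, the whole frame, is where "ignorance" is represented.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL

# A mass function (basic probability assignment) maps subsets of THETA to [0, 1].
Mass = Dict[FrozenSet[str], float]


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule of combination.

    m12(A) = sum over B & C == A of m1(B) * m2(C), divided by (1 - K), where
    K = sum over B & C == empty of m1(B) * m2(C) is the conflict between sources.
    """
    joint: Mass = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            joint[a] = joint.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict between sources; cannot combine")
    return {a: v / (1.0 - conflict) for a, v in joint.items()}


def fuse(masses: Iterable[Mass]) -> Mass:
    """Fold several sensors' mass functions into one (the rule is associative)."""
    result: Mass = {THETA: 1.0}  # vacuous belief: total ignorance before any evidence
    for m in masses:
        result = combine(result, m)
    return result


def belief(m: Mass, h: FrozenSet[str]) -> float:
    """Bel(H): mass committed to subsets of H, i.e. evidence that entails H."""
    return sum(v for a, v in m.items() if a <= h)


def plausibility(m: Mass, h: FrozenSet[str]) -> float:
    """Pl(H): mass that does not contradict H; Pl(H) - Bel(H) is the residual uncertainty."""
    return sum(v for a, v in m.items() if a & h)


# Three hypothetical heuristics (constructed for this example). Each keeps some
# mass on THETA, so a weak or noisy observation is expressed as partial
# ignorance rather than being forced into a point probability.
def syn_ratio_sensor(syn: int, synack: int) -> Mass:
    """Many SYNs with few SYN/ACKs in reply suggests half-open connection flooding."""
    ratio = syn / max(synack, 1)
    if ratio > 3.0:
        return {ATTACK: 0.6, THETA: 0.4}
    if ratio < 1.5:
        return {NORMAL: 0.5, THETA: 0.5}
    return {THETA: 1.0}  # inconclusive: contributes nothing but ignorance


def rate_sensor(pps: float, baseline_pps: float) -> Mass:
    """Packet rate relative to a learned baseline for the same link."""
    if pps > 5 * baseline_pps:
        return {ATTACK: 0.7, THETA: 0.3}
    if pps < 1.5 * baseline_pps:
        return {NORMAL: 0.6, THETA: 0.4}
    return {THETA: 1.0}


def source_entropy_sensor(unique_sources: int, packets: int) -> Mass:
    """A distinct source address on almost every packet hints at spoofed or distributed sources."""
    frac = unique_sources / max(packets, 1)
    if frac > 0.8:
        return {ATTACK: 0.5, THETA: 0.5}
    if frac < 0.2:
        return {NORMAL: 0.4, THETA: 0.6}
    return {THETA: 1.0}


def assess(window: dict) -> Tuple[float, float]:
    """Fuse the three sensors over one measurement window; return (Bel, Pl) of ATTACK."""
    m = fuse([
        syn_ratio_sensor(window["syn"], window["synack"]),
        rate_sensor(window["pps"], window["baseline_pps"]),
        source_entropy_sensor(window["unique_sources"], window["packets"]),
    ])
    return belief(m, ATTACK), plausibility(m, ATTACK)


if __name__ == "__main__":
    # Constructed sample windows, not measurements from the paper's experiments.
    windows = {
        "flood": {"syn": 9000, "synack": 400, "pps": 12000.0, "baseline_pps": 800.0,
                  "unique_sources": 8500, "packets": 9000},
        "quiet": {"syn": 300, "synack": 290, "pps": 700.0, "baseline_pps": 800.0,
                  "unique_sources": 40, "packets": 700},
        "mixed": {"syn": 1000, "synack": 950, "pps": 5000.0, "baseline_pps": 800.0,
                  "unique_sources": 500, "packets": 5000},
    }
    for name, w in windows.items():
        bel, pl = assess(w)
        print(f"{name:6s} Bel(attack)={bel:.3f} Pl(attack)={pl:.3f} uncertainty={pl - bel:.3f}")
```

    On the "mixed" window the rate sensor disagrees with the other two, and the disagreement surfaces as a wide Bel/Pl interval rather than being hidden in a single score; a detector built this way would alert on Bel(attack) above a threshold and treat a wide interval as a cue to gather more evidence before deciding. One caveat worth keeping in mind: Dempster's rule normalizes the conflict mass away, so when sources disagree strongly the combined result can become counter-intuitively confident, which is a known limitation of the rule rather than of any particular sensor.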




        Published In

        SAC '04: Proceedings of the 2004 ACM symposium on Applied computing
        March 2004
        1733 pages
        ISBN:1581138121
        DOI:10.1145/967900

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. Denial of Service
        2. anomaly detection
        3. data fusion

        Conference

        SAC04
        Sponsor:
        SAC04: The 2004 ACM Symposium on Applied Computing
        March 14 - 17, 2004
        Nicosia, Cyprus

        Acceptance Rates

        Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

        Cited By

        • (2022) Utilizing persistence for post facto suppression of invalid anomalies using system logs. Proceedings of the ACM/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results, pages 121-125. DOI 10.1145/3510455.3512774. Online publication date: 21 May 2022.
        • (2022) Utilizing Persistence for Post Facto Suppression of Invalid Anomalies Using System Logs. 2022 IEEE/ACM 44th International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER), pages 121-125. DOI 10.1109/ICSE-NIER55298.2022.9793537. Online publication date: May 2022.
        • (2022) Building Golden Signal Based Signatures for Log Anomaly Detection. 2022 IEEE 15th International Conference on Cloud Computing (CLOUD), pages 203-208. DOI 10.1109/CLOUD55607.2022.00040. Online publication date: July 2022.
        • (2020) Real-Time Inter-Vehicle Data Fusion Based on a New Metric for Evidence Distance in Autonomous Vehicle Systems. Applied Sciences 10(19):6834. DOI 10.3390/app10196834. Online publication date: 29 September 2020.
        • (2020) Anomaly Detection Techniques in Data Mining: A Review. Inventive Communication and Computational Technologies, pages 799-804. DOI 10.1007/978-981-15-0146-3_76. Online publication date: 30 January 2020.
        • (2019) Development of a method for fraud detection in heterogeneous data during installation of mobile applications. Eastern-European Journal of Enterprise Technologies 1(2):65-75. DOI 10.15587/1729-4061.2019.155060. Online publication date: 24 January 2019.
        • (2019) PC2A: Predicting Collective Contextual Anomalies via LSTM With Deep Generative Model. IEEE Internet of Things Journal 6(6):9645-9655. DOI 10.1109/JIOT.2019.2930202. Online publication date: December 2019.
        • (2019) Method of Fraudster Fingerprint Formation During Mobile Application Installations. 2019 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), pages 1099-1103. DOI 10.1109/IDAACS.2019.8924369. Online publication date: 18 September 2019.
        • (2019) Detection of DDOS Attacks in Cloud Computing Environment. 2019 International Conference on Intelligent Computing and Control Systems (ICCS), pages 83-87. DOI 10.1109/ICCS45141.2019.9065429. Online publication date: May 2019.
        • (2019) Hierarchical WLAN Security Risk Assessment Based on D-S Evidence Theory. 2019 International Conference on Computer Network, Electronic and Automation (ICCNEA), pages 245-250. DOI 10.1109/ICCNEA.2019.00055. Online publication date: October 2019.
