
A change-point DDoS attack detection method based on half interaction anomaly degree

Published: 01 January 2017

Abstract

We propose a change-point DDoS attack detection method based on the half interaction anomaly degree. In a large-scale DDoS attack, a few key routing devices forward a large volume of converged attack flows, but the normal traffic forwarded by those same devices is also large. Existing methods are therefore strongly affected by the volume of normal flows, which leads to high false-positive and false-negative rates. This paper introduces the half interaction anomaly degree (HIAD) of IP flow addresses. We extract the HIAD from abnormal flows in the network, transform the HIAD time series into a CSTS with an improved cumulative sum (CUSUM) algorithm, and propose a CSTS-based DDoS attack detection (CDAD) method. Experiments show that CDAD can extract the features of DDoS attack flows from abnormal flows and recognise a DDoS attack quickly and effectively.
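The abstract describes a two-stage pipeline: a per-window address-interaction feature, then a CUSUM-style change-point test over its time series. The following is an added example, not code from the paper, that shows the shape of such a pipeline on constructed traffic. The feature used here (the fraction of distinct source/destination address pairs that see traffic in only one direction within a window) is a stand-in chosen to illustrate the "half interaction" idea, not the paper's HIAD definition; the detector is the textbook one-sided CUSUM (Page's test), not the paper's improved CUSUM or its CSTS; and all addresses, window contents, `drift` and `threshold` values are assumptions made for the demonstration.

```python
"""Added example: one-sided CUSUM change-point detection over a per-window
address-asymmetry feature. Traffic is constructed inline; the feature is a
stand-in for an address-interaction anomaly degree, not the paper's HIAD."""
from typing import Dict, List, Optional, Tuple

Pair = Tuple[str, str]  # (source address, destination address)


def one_way_ratio(pairs: List[Pair]) -> float:
    """Fraction of distinct (src, dst) pairs with no (dst, src) pair in the
    same window. Because it is a ratio over address pairs rather than a
    packet or byte count, a large volume of normal bidirectional traffic on
    a busy router does not inflate it."""
    distinct = set(pairs)
    if not distinct:
        return 0.0
    one_way = sum(1 for (src, dst) in distinct if (dst, src) not in distinct)
    return one_way / len(distinct)


def cusum_detect(series: List[float], baseline_mean: float, drift: float,
                 threshold: float) -> Tuple[List[float], Optional[int]]:
    """One-sided CUSUM (Page's test) for an upward shift in the mean:
    S_t = max(0, S_{t-1} + x_t - baseline_mean - drift); alarm when S_t > threshold.
    Returns the statistic for every window and the index of the first alarm."""
    s = 0.0
    stats: List[float] = []
    alarm: Optional[int] = None
    for t, x in enumerate(series):
        s = max(0.0, s + x - baseline_mean - drift)
        stats.append(s)
        if alarm is None and s > threshold:
            alarm = t
    return stats, alarm


def build_windows(n_windows: int = 20, attack_start: int = 12) -> List[List[Pair]]:
    """Constructed traffic (assumed addresses): 20 clients each exchanging
    traffic with one server in both directions, two benign one-way senders,
    and from attack_start onward 200 spoofed sources flooding the server
    that never receive a reply."""
    server = "10.0.0.1"
    windows: List[List[Pair]] = []
    for t in range(n_windows):
        pairs: List[Pair] = []
        for k in range(20):
            client = f"192.0.2.{k + 1}"
            pairs.append((client, server))
            pairs.append((server, client))
        pairs.append(("192.0.2.100", server))  # benign one-way (e.g. UDP telemetry)
        pairs.append(("192.0.2.101", server))
        if t >= attack_start:
            for k in range(200):
                pairs.append((f"203.0.113.{k + 1}", server))  # spoofed, no reply
        windows.append(pairs)
    return windows


def run_demo(train_windows: int = 10, drift: float = 0.05,
             threshold: float = 1.0) -> Dict[str, object]:
    """Estimate the baseline from the first train_windows windows (assumed
    attack-free), then run CUSUM over the whole series."""
    windows = build_windows()
    ratios = [one_way_ratio(w) for w in windows]
    baseline = sum(ratios[:train_windows]) / train_windows
    stats, alarm = cusum_detect(ratios, baseline, drift, threshold)
    return {"ratios": ratios, "cusum": stats, "alarm_at": alarm}


if __name__ == "__main__":
    result = run_demo()
    for t, (r, s) in enumerate(zip(result["ratios"], result["cusum"])):
        print(f"window {t:2d}: one_way_ratio={r:.3f} cusum={s:.3f}")
    print("first alarm at window", result["alarm_at"])
```

With these assumed parameters the ratio sits near 0.048 in normal windows and jumps to about 0.835 once the spoofed sources appear at window 12; the CUSUM statistic crosses the threshold one window later, at window 13. The `drift` term is what keeps small benign fluctuations (the two one-way senders) from accumulating; raising `threshold` trades detection delay for fewer false alarms, which is the same tuning question the paper's false-positive/false-negative discussion concerns.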

Cited By

  • (2018) Flow Correlation Degree Optimization Driven Random Forest for Detecting DDoS Attacks in Cloud Computing. Security and Communication Networks, 2018. doi:10.1155/2018/6459326. Online publication date: 19 Nov 2018.
  • (2018) Adaptive DDoS Attack Detection Method Based on Multiple-Kernel Learning. Security and Communication Networks, 2018. doi:10.1155/2018/5198685. Online publication date: 16 Oct 2018.
  • (2018) A Multivariant Stream Analysis Approach to Detect and Mitigate DDoS Attacks in Vehicular Ad Hoc Networks. Wireless Communications & Mobile Computing, 2018. doi:10.1155/2018/2874509. Online publication date: 20 May 2018.


Published In

International Journal of Autonomous and Adaptive Communications Systems, Volume 10, Issue 1, January 2017, 138 pages
ISSN: 1754-8632
EISSN: 1754-8640

Publisher

Inderscience Publishers, Geneva 15, Switzerland
