2019 | Original Paper | Book chapter

Detecting Target-Area Link-Flooding DDoS Attacks Using Traffic Analysis and Supervised Learning

Authors: Mostafa Rezazad, Matthias R. Brust, Mohammad Akbari, Pascal Bouvry, Ngai-Man Cheung

Published in: Advances in Information and Communication Networks

Publisher: Springer International Publishing


Abstract

A novel class of extreme link-flooding DDoS (Distributed Denial of Service) attacks is designed to cut off entire geographical areas, such as cities and even countries, from the Internet by simultaneously targeting a selected set of network links. The Crossfire attack is a target-area link-flooding attack that is orchestrated in three complex phases. It uses a massively distributed, large-scale botnet to generate low-rate benign traffic aimed at congesting selected network links, the so-called target links. The use of benign traffic, combined with the simultaneous targeting of multiple network links, makes detecting the Crossfire attack a serious challenge. In this paper, we present analytical and emulated results showing hitherto unidentified vulnerabilities in the execution of the attack: a correlation between the coordination of the botnet traffic and the quality of the attack, and a correlation between the distribution of the attack and its detectability. Additionally, we identify a warm-up period caused by bot synchronization. For attack detection, we report results from two supervised machine learning approaches, Support Vector Machine (SVM) and Random Forest (RF), used to classify network traffic as normal or abnormal, i.e., attack traffic. These models were trained in various scenarios using link volume as the main feature set.
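The abstract names link volume as the feature set and Random Forest as one of the two classifiers, and reports a warm-up period while the bots synchronise. The example below is added here and is not the paper's code or data: it constructs synthetic per-link utilisation samples (a noisy constant load, plus an attack phase in which 200 bots come online staggered over a 30-sample warm-up and each add a low constant rate to two assumed target links), turns non-overlapping windows into per-link mean/spread/slope features, and trains a depth-1 random forest (bagged decision stumps, each choosing among a random feature subset) that stands in for the paper's RF. The link count, target links, bot count, per-bot rate and warm-up length are all assumptions chosen for illustration. The last function measures detection latency with a sliding window, which is where the warm-up period shows up from the defender's side.

```python
# Added example (not the paper's code): link-volume features + a depth-1
# random forest (bagged stumps with random feature subsets) for Crossfire
# detection on constructed traffic. Stdlib only; all traffic is synthetic.
import random
from statistics import mean, pstdev

LINKS, TARGETS = 4, (0, 1)   # monitored links; links 0 and 1 are targets (assumption)
WINDOW = 10                  # volume samples per feature window
BOTS, BOT_RATE = 200, 0.004  # bot count and per-bot load as a fraction of capacity
WARMUP = 30                  # samples over which bots synchronise (warm-up period)

def link_volumes(rng, steps, attack_start=None):
    """One utilisation row (a value in [0, 1] per link) per sample."""
    starts = [rng.randint(0, WARMUP) for _ in range(BOTS)]  # per-bot sync delay
    rows = []
    for t in range(steps):
        row = [min(1.0, max(0.0, rng.gauss(0.35, 0.05))) for _ in range(LINKS)]
        if attack_start is not None and t >= attack_start:
            active = sum(1 for s in starts if t - attack_start >= s)
            for link in TARGETS:  # each bot's low-rate flows cross both target links
                row[link] = min(1.0, row[link] + active * BOT_RATE)
        rows.append(row)
    return rows

def slope(ys):
    """Least-squares slope of ys against sample index."""
    n, ybar = len(ys), mean(ys)
    xbar = (n - 1) / 2
    return (sum((i - xbar) * (y - ybar) for i, y in enumerate(ys))
            / sum((i - xbar) ** 2 for i in range(n)))

def features(window):
    """Per-link mean, spread and trend of the volume, flattened into one vector."""
    vec = []
    for link in range(LINKS):
        col = [row[link] for row in window]
        vec += [mean(col), pstdev(col), slope(col)]
    return vec

def dataset(seed, steps=300, attack_start=None):
    """Labelled non-overlapping windows; label 1 once a window starts at/after attack_start."""
    rows = link_volumes(random.Random(seed), steps, attack_start)
    return [(features(rows[i:i + WINDOW]), int(attack_start is not None and i >= attack_start))
            for i in range(0, steps - WINDOW + 1, WINDOW)]

def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 2 * p * (1 - p)

def majority(labels):
    return int(bool(labels) and 2 * sum(labels) >= len(labels))

def fit_stump(data, feats):
    """Best (feature, threshold, left_label, right_label) among feats by weighted Gini."""
    best = None
    for f in feats:
        vals = sorted({x[f] for x, _ in data})
        for a, b in zip(vals, vals[1:]):
            thr = (a + b) / 2
            left = [y for x, y in data if x[f] <= thr]
            right = [y for x, y in data if x[f] > thr]
            g = (gini(left) * len(left) + gini(right) * len(right)) / len(data)
            if best is None or g < best[0]:
                best = (g, f, thr, majority(left), majority(right))
    if best is None:  # every candidate feature is constant on this sample
        lab = majority([y for _, y in data])
        return feats[0], float("inf"), lab, lab
    return best[1:]

def fit_forest(data, seed, trees=31, candidates=6):
    """Bootstrap the windows and fit one stump per tree on a random feature subset."""
    rng, nfeat = random.Random(seed), len(data[0][0])
    return [fit_stump([rng.choice(data) for _ in data], rng.sample(range(nfeat), candidates))
            for _ in range(trees)]

def predict(forest, x):
    votes = sum(left if x[f] <= thr else right for f, thr, left, right in forest)
    return int(2 * votes >= len(forest))

def evaluate(forest, data):
    """Precision and recall for the attack class."""
    tp = sum(1 for x, y in data if y == 1 and predict(forest, x) == 1)
    fp = sum(1 for x, y in data if y == 0 and predict(forest, x) == 1)
    fn = sum(1 for x, y in data if y == 1 and predict(forest, x) == 0)
    return (tp / (tp + fp) if tp + fp else 0.0, tp / (tp + fn) if tp + fn else 0.0)

def detection_delay(forest, seed, attack_start=100, steps=300):
    """Samples after attack_start until a sliding window is first flagged: the warm-up cost."""
    rows = link_volumes(random.Random(seed), steps, attack_start)
    for t in range(attack_start, steps):
        if predict(forest, features(rows[t - WINDOW + 1:t + 1])):
            return t - attack_start
    return None

if __name__ == "__main__":
    forest = fit_forest(dataset(1, attack_start=100) + dataset(2), seed=3)
    print("precision, recall:", evaluate(forest, dataset(4, attack_start=100) + dataset(5)))
    print("samples until first alarm:", detection_delay(forest, 6))
```

The per-link mean is the feature that separates the classes cleanly here; the spread and slope features are informative only during the ramp, which is why a bagged ensemble with random feature subsets is worth more than a single stump. The detection delay is never zero: with bots coming online over the warm-up window, the first few samples after the attack starts add almost nothing to the target links, so a volume-based detector can only fire once enough bots are synchronised.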


Footnotes
1
Some technical settings support the choice of small parameters: on a P2P platform (the most recent kind of platform used to synchronize botnets), peers usually contact each other within a range of a few minutes [11, 12], and Skype peers update only their closer peers every 60 s [11].

2
The l1-norm is used only for illustration purposes, to preserve the level of link utilization in each experiment.
 
References
1. Xue, L., Luo, X., Chan, E.W., Zhan, X.: Towards detecting target link flooding attack. In: LISA, pp. 81–96 (2014)
2. Gkounis, D., Kotronis, V., Liaskos, C., Dimitropoulos, X.A.: On the interplay of link-flooding attacks and traffic engineering. Comput. Commun. Rev. 46, 5–11 (2016)
3. Gkounis, D., Kotronis, V., Dimitropoulos, X.: Towards defeating the crossfire attack using SDN. arXiv preprint arXiv:1412.2013 (2014)
4. Kang, M.S., Lee, S.B., Gligor, V.D.: The crossfire attack. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 127–141, May 2013
5. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
6. Ramazani, S., Kanno, J., Selmic, R.R., Brust, M.R.: Topological and combinatorial coverage hole detection in coordinate-free wireless sensor networks. Int. J. Sens. Netw. 21(1) (2016)
7. Brust, M.R., Turgut, D., Ribeiro, C.H., Kaiser, M.: Is the clustering coefficient a measure for fault tolerance in wireless sensor networks? In: IEEE International Conference on Communications (ICC) (2012)
8. Xue, L., Luo, X., Chan, E.W.W., Zhan, X.: Towards detecting target link flooding attack. In: 28th Large Installation System Administration Conference (LISA14), Seattle, WA, pp. 90–105 (2014)
9. Botta, A., Dainotti, A., Pescapè, A.: A tool for the generation of realistic network workload for emerging networking scenarios. Comput. Netw. 56(15), 3531–3547 (2012)
12. Wu, C.-c., Chen, K.-t., Chang, Y.-c., Lei, C.-l.: Detecting peer-to-peer activity by signaling packet counting (2008)
13. Ke, Y.-M., Chen, C.-W., Hsiao, H.-C., Perrig, A., Sekar, V.: CICADAS: congesting the internet with coordinated and decentralized pulsating attacks. In: Proceedings of the ACM Asia Conference on Computer and Communications Security, pp. 699–710. ACM, New York (2016)
14. Liaskos, C., Kotronis, V., Dimitropoulos, X.: A novel framework for modeling and mitigating distributed link flooding attacks. In: IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications, pp. 1–9. IEEE (2016)
15. Powers, D.M.: Evaluation: from precision, recall and f-measure to ROC, informedness, markedness and correlation (2011)
Metadata
Title: Detecting Target-Area Link-Flooding DDoS Attacks Using Traffic Analysis and Supervised Learning
Authors: Mostafa Rezazad, Matthias R. Brust, Mohammad Akbari, Pascal Bouvry, Ngai-Man Cheung
Copyright year: 2019
DOI: https://doi.org/10.1007/978-3-030-03405-4_12