Top

Peer-to-Peer Networking and Applications

Published in:

01-12-2014

Distributed Denial of Service (DDoS) detection by traffic pattern analysis

Authors: Theerasak Thapngam, Shui Yu, Wanlei Zhou, S. Kami Makki

Published in: Peer-to-Peer Networking and Applications | Issue 4/2014

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

previous article A D-S evidence theory based fuzzy trust model in file-sharing P2P networks

next article Hierarchical architectures in structured peer-to-peer overlay networks

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

MIT Lincoln Laboratory, “Lincoln Laboratory Scenario (DDoS) 1.0,” Massachusetts Institute of Technology (MIT), 1999. Available: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000/LLS_DDOS_1.0.html

US CERT 04, “W32/MyDoom.B Virus,” United States Computer Emergency Readiness Team, Available: http://www.us-cert.gov/cas/techalerts/TA04-028A.html, 2 Febuary 2004

Rajab MA, Zarfoss J, Monrose F and Terzis A (2006) “A multifaceted approach to understanding the Botnet Phenomenon.” In: Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, pp. 41–52, October 2006

Oikonomou G and Mirkovic J (2009) “Modeling human behavior for defense against flash-crowd attacks.” In: Proceedings of IEEE International Conference on Communications 2009 (ICC’09), pp. 1–6, 11 August 2009

Xie Y, Yu SZ (2009) A large-scale hidden Semi-Markov model for anomaly detection on user browsing behaviors networking. IEEE/ACM Trans Networking 17(1):54–65

Xie Y, Yu SZ (2009) Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Trans Networking 17(1):15–25

Yi F, Yu S, Zhou W, Hai J, Bonti A (2008) Source-based filtering scheme against DDOS attacks. Int J Database Theory Appl 1(1):9–22

Feinstein L, Schnackenberg D, Balupari R and Kindred D (2003) “Statistical approaches to DDoS attack detection and response.” In: Proceedings of the DARPA Information Survivability Conference and Exposition, vol. 1, IEEE CS Press, 22–24 April 2003, pp. 303–314

Khan L, Awad M and Thuraisingham B (2007) “A new intrusion detection system using support vector machines and hierarchical clustering.” The International Journal on Very Large Data Bases (The VLDB Journal), vol. 16, no. 4, pp. 507–521, Springer-Verlag, New York, October 2007

10.

Yu S, Thapngam T, Liu J, Wei S and Zhou W (2009) “Discriminating DDoS flows from flash crowds using information distance.” In: Proceedings of the 3rd IEEE International Conference on Network and System Security (NSS’09), 18–21 October 2009

11.

Chonka A, Singh J, Zhou W (2009) Chaos theory based detection against network mimicking DDoS attacks. IEEE Commun Lett 13:717–719

12.

Carlinet Y, Cherkaoui O, Dressler F, Ehinger C, Fadlallah A, Muenz G, Mußner M, Paul O, Serhrouchni A, Sloman M, and Yusuf S (2004) “Distributed adaptive security by Programmable Firewall,” DIADEM Firewall Consortium, retrieved 6 September 2008, Available: http://www.diadem-firewall.org/documents/Diadem%20Firewall%20-%20D3%20-%20Attack%20Requirements%20Specification.pdf, June 2004

13.

Chen Y, Hwang K (2006) Collaborative detection and filtering of shrew DDoS attacks using spectral analysis. J Parallel Distr Com 66(9):1137–1151MATH

14.

Tuncer T and Tatar Y (2008) “Detection SYN Flooding Attacks Using Fuzzy Logic.” In: Proceedings of International Conference on Information Security and Assurance (ISA’08), pp. 321–325, 24–26 April 2008

15.

Kuzmanovic A and Knightly E (2003) “Low-Rate TCP –Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants).” In: Proceedings of ACM SIGCOMM 2003, Kalrushe, Germany, pp. 75–86, August 2003

16.

Chen Y and Hwang K (2007) “Spectral analysis of TCP flows for defense against reduction-of-quality attacks.” In: Proceedings of the 2007 IEEE International Conference on Communications (ICC’07), pp. 1203–1210, June 2007

17.

Douligeris C, Mitrokotsa A (2004) DDoS attacks and defense mechanisms: Classification and state of the art. Comput Netw 44(5):643–666

18.

Peng T, Leckie C and Ramamohanarao K (2007) “Survey of network-based defense mechanisms countering the DoS and DDoS problems.” In: ACM Computing Surveys, Vol. 39, No. 1, April 2007

19.

Mirkovic J, Reiher P (2004) A Taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput Commun Rev 34(2):39–53

20.

Kreyszig E (2006) Advanced Engineering Mathematics, 9th edn. Wiley, Singapore

21.

M. Arlitt and T. Jin “1998 World Cup Web Site Access Logs,” August 1998. Available: http://www.acm.org/sigcomm/ITA/

Title: Distributed Denial of Service (DDoS) detection by traffic pattern analysis
Authors: Theerasak Thapngam
Shui Yu
Wanlei Zhou
S. Kami Makki
Publication date: 01-12-2014
Publisher: Springer US
Published in: Peer-to-Peer Networking and Applications / Issue 4/2014
Print ISSN: 1936-6442
Electronic ISSN: 1936-6450
DOI: https://doi.org/10.1007/s12083-012-0173-3

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 4/2014

Detecting P2P botnets by discovering flow dependency in C&C traffic

Hybrid fluid modeling approach for performance analysis of P2P live video streaming systems

Editor’s Note: Special issue on Technologies and Theories in P2P Converged Ubiquitous Networks

Hierarchical architectures in structured peer-to-peer overlay networks

Securing one-way hash chain based incentive mechanism for vehicular ad hoc networks

Exposing mobile malware from the inside (or what is your mobile app really doing?)

Premium Partner