A practical approach to detection of distributed denial-of-service attacks using a hybrid detection method

https://doi.org/10.1016/j.compeleceng.2018.11.004

Abstract

This paper presents a hybrid method for the detection of distributed denial-of-service (DDoS) attacks that combines feature-based and volume-based detection. Our approach is based on an exponential moving average algorithm for decision-making, applied to both entropy and packet number time series. The approach has been tested by performing a controlled DDoS experiment in a real academic network. The network setup and test scenarios including both high-rate and low-rate attacks are described in the paper. The performance of the proposed method is compared to the performance of two methods that are already known in the literature. One is based on the counting of SYN packets and is used for detection of SYN flood attacks, while the other is based on a CUSUM algorithm applied to the entropy time series. The results show the advantage of our approach compared to methods that are based on either entropy or number of packets only.
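As an added worked example (not the authors' code; the paper's own implementation and parameter values are not on this page), the following Python script implements the pipeline the abstract describes: per-window Shannon entropy of source IP addresses and per-window packet count, an EMA baseline for each series, and an alarm only when both series deviate, alongside the one-sided CUSUM-on-entropy baseline the abstract names as a comparison method. The window length, the smoothing factor, the relative-deviation threshold, the "every feature must deviate" rule, the freezing of the baseline while alarmed and the CUSUM parameters are all assumptions made here. The sample traffic is constructed inside the script, not taken from the paper's experiment: six seconds of normal traffic, a legitimate burst from the same few clients (the image-gallery case raised in the discussion of results), a page fetch from many external sources (the case raised in the section on the proposed method), and then a flood from many spoofed sources. The detector generalizes the two-feature rule to a tuple of any number of features, so the entropy-only and count-only variants are the same function applied to 1-tuples.

```python
"""Hybrid DDoS detection on per-window features: source-IP entropy
(feature-based) and packet count (volume-based), each tracked with an EMA,
plus a one-sided CUSUM on entropy for comparison.
Added illustration, not the authors' code; all parameters are assumptions."""
import math
from collections import Counter


def shannon_entropy(src_ips):
    """Shannon entropy in bits of the source-IP distribution of one window."""
    n = len(src_ips)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(src_ips).values())


def bucket(packets, window_len=1.0):
    """Group (timestamp, src_ip) records into fixed windows, oldest first, and
    return the (entropy, count) feature pair of every window, empty ones too."""
    if not packets:
        return []
    t0 = min(t for t, _ in packets)
    groups = {}
    for t, ip in packets:
        groups.setdefault(int((t - t0) // window_len), []).append(ip)
    return [(shannon_entropy(groups.get(i, [])), len(groups.get(i, [])))
            for i in range(max(groups) + 1)]


class EmaTracker:
    """EMA baseline of one feature; a window is judged against the EMA of the
    windows before it, and the caller decides whether to fold it in."""

    def __init__(self, alpha):
        self.alpha, self.ema = alpha, None

    def deviates(self, x, rel):
        # Relative rule (assumption). A baseline that is legitimately zero
        # (one client, entropy 0) would additionally need an absolute floor.
        return self.ema is not None and abs(x - self.ema) > rel * self.ema

    def update(self, x):
        self.ema = x if self.ema is None else self.alpha * x + (1 - self.alpha) * self.ema


def ema_detect(series, alpha=0.2, rel=0.5):
    """EMA decision over tuples of features, one EMA per feature. A window is
    an alarm only when EVERY feature deviates: (entropy, count) tuples give the
    hybrid rule, 1-tuples the entropy-only or count-only variants. Alarmed
    windows are not folded into the baseline, so a sustained flood cannot
    train the detector into accepting it."""
    trackers, alarms = None, []
    for sample in series:
        if trackers is None:
            trackers = [EmaTracker(alpha) for _ in sample]
        alarm = all(tr.deviates(x, rel) for tr, x in zip(trackers, sample))
        if not alarm:
            for tr, x in zip(trackers, sample):
                tr.update(x)
        alarms.append(alarm)
    return alarms


def cusum_detect(values, warmup=6, drift=0.5, h=3.0):
    """One-sided CUSUM on one series (here entropy). The warm-up mean is the
    reference; S accumulates excess over mean + drift and alarms past h.
    Being one-sided, a flood from few sources (entropy drops) is invisible."""
    mu = sum(values[:warmup]) / warmup
    s, alarms = 0.0, []
    for i, x in enumerate(values):
        if i < warmup:
            alarms.append(False)
            continue
        s = max(0.0, s + x - mu - drift)
        alarms.append(s > h)
    return alarms


def synth(t0, ips, per_ip):
    """Constructed traffic: per_ip packets from each ip, spread over [t0, t0+1)."""
    pkts = ips * per_ip
    return [(t0 + k / len(pkts), ip) for k, ip in enumerate(pkts)]


# Constructed scenario, one-second windows (not data from the paper).
CLIENTS = ["10.0.0.%d" % i for i in range(1, 5)]
PACKETS = [p for t in range(6) for p in synth(t, CLIENTS, 5)]         # normal: 20 pkt/s, 4 srcs
PACKETS += synth(6, CLIENTS, 15)                                      # gallery burst: 60 pkt, same 4 srcs
PACKETS += synth(7, ["203.0.113.%d" % i for i in range(1, 21)], 1)    # page with 20 external srcs
PACKETS += synth(8, ["198.51.100.%d" % i for i in range(1, 101)], 2)  # flood: 200 pkt, 100 spoofed srcs


def run_all(packets=PACKETS):
    """Per-window alarms of the four detectors, for side-by-side comparison."""
    feats = bucket(packets)
    return {"hybrid": ema_detect(feats),
            "entropy_only": ema_detect([(h,) for h, _ in feats]),
            "count_only": ema_detect([(n,) for _, n in feats]),
            "cusum_entropy": cusum_detect([h for h, _ in feats])}


if __name__ == "__main__":
    for name, alarms in run_all().items():
        print(f"{name:14s}", "".join("A" if a else "." for a in alarms))
```

Run as a script, each detector prints one character per window ("A" for alarm). On the constructed traffic, count-only alarms on the gallery burst, entropy-only alarms on the multi-source page fetch, and the hybrid rule reserves its alarm for the flood. The CUSUM baseline also stays quiet on the page fetch only because the drift and threshold chosen here keep its sum below h; raising h to suppress such legitimate diversity is exactly what delays or hides a low-rate attack, which is the threshold trade-off any single-series method faces.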

Introduction

Modern technological society is greatly dependent on Internet technology and online services. Internet services have become an integral part of everyday routine; many of us check e-mail first thing in the morning. This dependence has made room for a new kind of manipulation and has introduced attacks on network services. Denial of Service (DoS) attacks are among them. Their goal is to make a targeted service unavailable by overloading the service provider's resources with false requests; with resources depleted, the provider is no longer able to serve legitimate users. Nowadays, DoS is a commonly used attack method that inflicts significant financial loss on its targets [1]. According to [2], [3], there are several types of DoS attack. At the application level, attack detection is usually done by pattern recognition in the content of received packets; when a malicious pattern is detected, DoS prevention is achieved by blacklisting the sender's IP address. To bypass this protection and to increase the efficiency of such attacks, attackers usually mount distributed attacks (DDoS), sending malicious packets from different source IP addresses, computers, networks or even continents. At present, detection of application-based attacks is very inefficient, as a large number of packets has to be deeply inspected to recognize an attack pattern. We tackle this problem at a much lower layer, the network layer (or in some cases the transport layer), where deep packet analysis is not required.

The motivation for this paper is twofold. On one hand, our goal is to propose an efficient method that combines the advantages of both feature-based and volume-based detection methods. On the other hand, we wanted to avoid the shortcomings of the available datasets (see Section 2), which is why we decided to conduct a controlled DDoS experiment.

DDoS attacks are very simple to implement, which is the main reason why there is a wide spectrum of attacks in this category. Some of the most common DDoS attacks are the ICMP flood [4], the SYN flood [5], DNS amplification attacks and the older Smurf [6] and Fraggle [6] attacks. Most of these attacks aim to deplete either network or server resources.

In the following sections, we will describe the proposed detection method and the results of its evaluation. Section 2 describes the background of DDoS attacks and the related work in the area of DDoS attack detection. Section 3 describes the proposed detection method. Section 4 describes the testing scenario in which a real academic network is used. Section 5 compares the results for different detection methods in the case of high-rate and low-rate DDoS attacks with best-case optimization for each method.

Section snippets

Related work

Mathematical modeling of DDoS attacks that yields a practical, usable model (e.g., for resource provisioning) is still an open issue, as DDoS attacks keep changing. There are several approaches and we will mention only some of them. In [7], Wang et al. model the system under SYN flood DDoS attack as a two-dimensional queuing model with N servers, two arrival processes and two service times with different distributions. Both the arrival of regular request packets and the

The proposed detection method

To be able to detect different types of DDoS attack we must focus on finding the common attributes of these attacks. One of these attributes is the diversity of source IP addresses that the attack packets come from. But relying on changes in diversity only can be misleading, as there are cases of legitimate use that result in such change. Typically, that is the case of short communications with multiple connections. Examples are a web page with a large number of external sources, and mail

Test scenario

Simulation of computer networks reproduces specific scenarios of network operation. Usually, these scenarios are based on a particular case and evaluation is thus limited to that specific case. The most important challenge for any method is to be tested in a real-life situation where traffic is more unpredictable.

Our method has been tested in a real-life computer network environment (Fig. 5). For testing, we used an academic computer network which included about 300 students, professors and

Discussion of results

Most high-rate DDoS attacks, e.g., ICMP or UDP flood attacks, aim to deplete the server's network resources by sending a large number of packets. These types of attacks can be detected even with a packet-rate indicator as the detection mechanism. On the other hand, regular traffic can have the same fingerprint, e.g., a server with Internet radio content that generates a large number of small UDP packets, or a server that provides a huge number of images for an image gallery. Combining entropy

Conclusion

The contribution of this paper is twofold. Firstly, a hybrid approach for the detection of distributed denial-of-service attacks is proposed. Secondly, the performance of the proposed approach has been evaluated and compared to two existing methods. To this end, a controlled DDoS experiment in a real network was carried out to generate the data sets used for evaluation. The experiment included two types of attacks: an ICMP flood attack, representing a high-rate attack, and a TCP SYN flood attack,

Acknowledgements

This research was financially supported by the Ministry of Education, Science and Technological Development of the Republic of Serbia through Projects No. III 45003 and III 44009-2.

Petar D. Bojovic graduated with a Master's degree from the Faculty of Computer Science, Union University Belgrade, in 2008. In June 2008, he joined the Faculty of Computer Science as a Lecturer in the Department of Computer Networks. He currently works as an Associate Professor at the Faculty of Computer Science, teaching and doing research. His interests include computer networks and computer network security.

References (23)

  • C. Douligeris et al., DDoS attacks and defense mechanisms: classification and state-of-the-art, Comput Netw (2004)
  • R.V. Deshmukh et al., Understanding DDoS attack & its effect in cloud environment, Procedia Comput Sci (2015)
  • Y. Wang et al., A queueing analysis for the denial of service (DoS) attacks in computer networks, Comput Netw (2007)
  • Sachdeva M, Saluja K, Singh G, Singh K. Performance Analysis of Web Service under DDoS Attacks. 2009. 1002–1007....
  • J. Mirkovic et al., A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Comput Commun Rev (2004)
  • Lau F, Rubin SH, Smith MH, Trajkovic L. Distributed denial of service attacks. 2000;3:2275–2280....
  • Schuba CL, Krsul IV, Kuhn M, Spafford E, Sundaram A, Zamboni D. Analysis of a denial of service attack on TCP....
  • D. Boteanu et al., A comprehensive study of queue management as a DoS counter-measure, Int J Inf Secur (2013)
  • [dataset] The CAIDA "DDoS Attack 2007" dataset. https://www.caida.org/data/passive/ddos-20070804_dataset.xml [Online;...
  • [dataset] Packet traces from WIDE backbone. http://mawi.wide.ad.jp/mawi/ [Online; accessed...
  • [dataset] 1999 DARPA intrusion detection evaluation data set. https://www.ll.mit.edu/ideval/data/1999data.html [Online;...
Cited by (48)

  • Distributed denial of service attack detection in E-government cloud via data clustering. Array, 2022.
    Citation excerpt: Here, the purpose of feature selection usage is to remove redundant features, choose the most important features from them, and reduce the search space. Also, in the existing works, the DDoS attacks were detected using network traffic parameters, such as IP address, TCP flags, etc. separately [14]. Web traffic-specific features, such as IP addresses and TCP flags, contain low information to detect such types of attacks.

  • The detection of low-rate DoS attacks using the SADBSCAN algorithm. Information Sciences, 2021.
    Citation excerpt: Since then, their team has also worked on a detection algorithm combining the Smith-Waterman algorithm and k-means clustering [34]. Bojović et al. provided a method to detect whether a sequence contains low-rate DoS attacks using the exponential moving average (EMA) and Shannon entropy [35]. The above statistical analysis-based detection methods are typically simpler to implement and less complex, but both have higher false positives and false negatives than the other two types of methods and cannot be applied to big data environments and different network scenarios.

  • Distributed denial of service attacks in cloud: State-of-the-art of scientific and commercial solutions. Computer Science Review, 2021.
    Citation excerpt: Classifiers like PART, RF, NB and Ripper were compared with the proposed system and the results showed that the proposed model has better results in terms of accuracy and processing time. A scheme which combines feature-based and volume-based detection to shield against DDoS attacks has been presented [110]. The proposed scheme applies Exponential Moving Average (EMA) to two time series, one having entropy scores and the other having the amount of received packets.

  • Real-Time Monitoring and Mitigation of SDoS Attacks Using the SDN and New Metrics. IEEE Transactions on Cognitive Communications and Networking, 2023.

Ilija Basicevic received his Dipl. Eng., M.Sc. and Ph.D. degrees from the University of Novi Sad. Currently, he is an associate professor at the University of Novi Sad, teaching courses on computer networks. His research interests are in the areas of Internet protocols and network security. He has authored or co-authored more than 45 scientific papers and one textbook.

    Stanislav Ocovaj received his B.Sc. degree in electrical and computer engineering in 2004, and his M.Sc. degree in 2010 from the Faculty of Technical Sciences at the University of Novi Sad, Serbia.

Miroslav V. Popovic received his Dipl. Eng., M.Sc. and Ph.D. degrees from the University of Novi Sad, Serbia. Currently, he is a full professor at the University of Novi Sad. His research interests are system programming, distributed systems and security. He has published about 20 journal papers, more than 120 conference papers and the book Communication Protocol Engineering (CRC Press).

    Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. G. Martinez Perez.
