
Distributed Denial of Service (DDoS) detection by traffic pattern analysis

Published in: Peer-to-Peer Networking and Applications

Abstract

In this paper, we propose a behavior-based detection method that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimate traffic regardless of the types of attack packets and attack methods used. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to defeat defense systems. These varied attack strategies force defense systems to rely on a variety of detection methods in order to identify the attacks. Moreover, DDoS attacks can craft their traffic to resemble flash crowd events and so fly under the victim's radar. We observe that DDoS attacks exhibit repeatable patterns which differ from legitimate flash crowd traffic. In this paper, we propose comparable detection methods based on Pearson's correlation coefficient. Our methods extract the repeatable features from the packet arrivals in DDoS traffic, features that are absent from flash crowd traffic. Extensive simulations were run to optimize the detection methods. We then performed experiments with several datasets, and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffic.
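The abstract gives only the idea: bots driven by one tool produce packet-arrival patterns that repeat across sources, whereas independent humans in a flash crowd do not, and Pearson's correlation coefficient can expose the difference. The following Python script is an added worked example of that idea; it is not code from the paper, and the time-slot size, the pairwise comparison of per-source arrival series, the 0.6 threshold and the synthetic traffic are all this example's own assumptions rather than the authors' parameters. It bins each source's packet timestamps into per-slot counts, computes Pearson's r for every pair of sources, and flags the traffic when the mean pairwise correlation is high.

```python
"""Pearson-correlation check on packet-arrival patterns (added example).

The page describes the technique only at abstract level; the slot size,
pairwise scheme, threshold and synthetic traffic below are this example's
own assumptions, not the paper's parameters.
"""
import random
from itertools import combinations
from statistics import mean

SLOT = 0.1        # seconds per time slot (assumed)
WINDOW = 10.0     # seconds of traffic examined (assumed)
THRESHOLD = 0.6   # mean pairwise r above this => repeated pattern (assumed)


def bin_arrivals(arrivals, slot=SLOT, window=WINDOW):
    """Turn one source's packet timestamps into a per-slot packet-count series."""
    n = int(window / slot)
    counts = [0] * n
    for t in arrivals:
        i = int(t / slot)
        if 0 <= i < n:          # packets outside the window are ignored
            counts[i] += 1
    return counts


def pearson(x, y):
    """Pearson correlation coefficient r in [-1, 1]; 0.0 if either series is flat."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:    # a constant series has no defined correlation
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def pattern_score(flows):
    """Mean pairwise Pearson r over the binned arrival series of all sources."""
    series = [bin_arrivals(f) for f in flows]
    rs = [pearson(a, b) for a, b in combinations(series, 2)]
    return mean(rs) if rs else 0.0


def classify(flows, threshold=THRESHOLD):
    """Label a set of per-source flows by how strongly their patterns repeat."""
    return "ddos" if pattern_score(flows) > threshold else "legitimate"


def synth_bot_flows(n_bots, rng):
    """Constructed traffic: every bot runs the same tool, sending a burst of 20
    packets once per second; only a few ms of start-up jitter differ per bot."""
    flows = []
    for _ in range(n_bots):
        offset = rng.uniform(0, 0.03)
        flows.append([k + offset + p * 0.002
                      for k in range(int(WINDOW)) for p in range(20)])
    return flows


def synth_flash_crowd_flows(n_users, rng):
    """Constructed traffic: each user requests at independent random moments
    (Poisson process, ~20 req/s), i.e. the same volume per source as a bot but
    no shared timing pattern."""
    flows = []
    for _ in range(n_users):
        t, arrivals = 0.0, []
        while True:
            t += rng.expovariate(20.0)
            if t >= WINDOW:
                break
            arrivals.append(t)
        flows.append(arrivals)
    return flows


def demo(seed=7, n=8):
    """Run both constructed scenarios and return their scores and labels."""
    rng = random.Random(seed)
    bots = synth_bot_flows(n, rng)
    crowd = synth_flash_crowd_flows(n, rng)
    return {"ddos_score": pattern_score(bots), "ddos_label": classify(bots),
            "crowd_score": pattern_score(crowd), "crowd_label": classify(crowd)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v if isinstance(v, str) else round(v, 3)}")
```

Both constructed scenarios deliver about the same packet volume per source, so a pure rate threshold cannot separate them; the correlation of the arrival series can. In practice the threshold has to be calibrated against the protected site's own baseline (the abstract says the authors used simulation for this), and an attacker who adds independent per-bot jitter or randomizes each bot's sending schedule lowers the pairwise correlation, so this check belongs alongside rate- and content-based defenses rather than in place of them.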



Corresponding author: Theerasak Thapngam.

Cite this article

Thapngam, T., Yu, S., Zhou, W. et al. Distributed Denial of Service (DDoS) detection by traffic pattern analysis. Peer-to-Peer Netw. Appl. 7, 346–358 (2014). https://doi.org/10.1007/s12083-012-0173-3
