Although a considerable amount of research has been done on DDoS attacks, they still pose a severe threat to many businesses and internet service providers. DDoS attacks commonly generate a high volume of network traffic; resource depletion DDoS attacks, however, can deny the target service while generating far less traffic than the legitimate traffic. We propose a novel DDoS detection framework that uses the Matching Pursuit algorithm to detect resource depletion type DDoS attacks. We use multiple characteristics of network traffic simultaneously in order to detect low-density DDoS attacks efficiently. The proposed method uses a dictionary produced from the parameters of the network traffic with the K-SVD algorithm. Generating the dictionary from network traffic provides legitimate and attack traffic models and makes the proposed method adaptable to the network traffic. We also implement DDoS detection approaches that use Matching Pursuit and Wavelet techniques and compare them using two different data sets. Additionally, we offer a hybrid DDoS detection framework that combines these approaches with a decision-making mechanism based on an artificial neural network. We evaluate the proposed methods with two different data sets. The proposed approaches achieve a true positive rate over 99% with a false positive rate lower than 0.7% on a low-density DDoS attack dataset. In the hybrid intrusion detection system with more than one attack, the detection performance of the other methods decreases, while the proposed approach achieves true positive rates higher than 99% with a false positive rate lower than 0.7%.
Distributed Denial of Service (DDoS) attacks are one of the most troublesome intrusions for online services on the internet. In general, DDoS attacks are divided into two categories: bandwidth depletion and resource depletion attacks. We generated resource depletion-type DDoS attacks on the campus network of Boğaziçi University and recorded the ongoing traffic from the backbone router's mirrored port. We generated TCP SYN and UDP flood packets using the Hping3 traffic generator. This dataset includes attack-free user traffic and attack traffic, which makes it suitable for evaluating network-based DDoS detection methods. Attacks are directed at one victim server connected to the backbone router of the campus. Attack packets have randomly generated spoofed source IP addresses. We removed the packet payloads and anonymized the source IP addresses of legitimate users to protect their confidentiality.
Abstract (Turkish) - Distributed denial of service attacks pose a serious threat to information systems today. In this work, a new method is proposed for detecting TCP SYN flood attacks, one of the distributed denial of service attacks, with the matching pursuit algorithm. The method is based on building the dictionary used by the matching pursuit algorithm from network traffic with the K-SVD algorithm, and on the assumption that this dictionary can represent the traffic feature vectors obtained from the test traffic. Using two dictionaries built from attack and normal network traffic, the residuals obtained by applying the matching pursuit algorithm to the feature vectors built from the test network traffic are used to generate alarms. Keywords - DDoS, intrusion detection, denial of service attacks, signal processing, matching pursuit algorithm. Abstract - Distributed denial of service attacks pose an immense threat to the internet. In this work, TCP SYN flood attacks are detected using the matching pursuit algorithm. Dictionaries are generated with the K-SVD algorithm from the normal and attack traffic of the training data. Using these dictionaries and applying the matching pursuit algorithm, attacks are detected by examining the residuals resulting from the matching pursuit operation.
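The residual-based decision rule described in the first and third abstracts, as an added illustration that is not code from the papers: a greedy matching pursuit over two dictionaries, with an alarm raised when the attack dictionary leaves a smaller residual than the normal one. The feature set, the windows and the dictionary atoms are constructed here; the papers learn their atoms with K-SVD from real captures, which this example does not implement.

```python
import math

# Constructed per-window traffic features, scaled to [0, 1]:
# [SYN packet rate, SYN-ACK/SYN ratio, distinct source IPs, UDP packet rate].
# The atoms are hand-built stand-ins for dictionaries that K-SVD would learn
# from labelled training traffic (assumption, not the papers' learned atoms).
def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def _norm(a):
    return math.sqrt(_dot(a, a))

def _unit(a):
    n = _norm(a)
    return [x / n for x in a]

NORMAL_DICT = [_unit(v) for v in ([0.2, 1.0, 0.2, 0.2], [0.3, 0.9, 0.3, 0.5], [0.1, 1.0, 0.1, 0.1])]
ATTACK_DICT = [_unit(v) for v in ([1.0, 0.05, 1.0, 0.1], [0.1, 0.9, 1.0, 1.0], [0.9, 0.0, 0.8, 0.0])]

def matching_pursuit(x, atoms, max_iter=3, tol=1e-6):
    """Greedy sparse approximation of x over unit-norm atoms.
    Returns (coefficients keyed by atom index, residual vector)."""
    residual = list(x)
    coeffs = {}
    for _ in range(max_iter):
        best_i, best_c = max(((i, _dot(residual, a)) for i, a in enumerate(atoms)),
                             key=lambda t: abs(t[1]))
        if abs(best_c) < tol:
            break
        coeffs[best_i] = coeffs.get(best_i, 0.0) + best_c
        residual = [r - best_c * a for r, a in zip(residual, atoms[best_i])]
    return coeffs, residual

def residuals(x):
    """Residual energy left after matching pursuit against each dictionary."""
    r_normal = _norm(matching_pursuit(x, NORMAL_DICT)[1])
    r_attack = _norm(matching_pursuit(x, ATTACK_DICT)[1])
    return r_normal, r_attack

def is_attack(x):
    """Alarm when the attack dictionary explains the window with less residual."""
    r_normal, r_attack = residuals(x)
    return r_attack < r_normal

def scan(windows):
    """Run the detector over a sequence of windows; one alarm flag per window."""
    return [is_attack(w) for w in windows]

# Constructed test windows: two quiet windows, then a SYN-flood-like burst
# (many SYNs, almost no SYN-ACKs, many distinct spoofed sources).
SAMPLE_WINDOWS = [[0.25, 0.95, 0.25, 0.30], [0.15, 1.00, 0.12, 0.20], [0.95, 0.03, 0.90, 0.10]]

if __name__ == "__main__":
    for w, alarm in zip(SAMPLE_WINDOWS, scan(SAMPLE_WINDOWS)):
        print(w, "ATTACK" if alarm else "normal", residuals(w))
```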
Abstract (Turkish) - Distributed denial of service attacks pose a serious threat to information systems today. This work examines the effect of TCP SYN flood attacks, one of the distributed denial of service attacks, on various features of network traffic. Using the correlation coefficient matrix between the features and the anomaly sequence computed from these features, a one-dimensional health function is calculated. By thresholding this function, the start and end points of the attack are detected. The method is tested with data obtained from simulations on the DETER testbed. Keywords - DDoS, intrusion detection, denial of service attacks, signal processing. Abstract - Distributed denial of service attacks pose an immense threat to the internet. In this work, the effect of TCP SYN flood attacks on traffic features is examined. Using the traffic features, their correlation coefficient matrix and the anomaly vector obtained from these features, a network health function is calculated. Applying a threshold to the network health function gives alarms that are used to detect the beginning and end points of TCP SYN flood attacks. This method is tested using data obtained from experiments on the DETER testbed.