A comprehensive approach to discriminate DDoS attacks from flash events

Sachdeva, Monika; Kumar, Krishan; Singh, Gurvinder

doi:10.1016/j.jisa.2015.11.001

Cited by 39 publications

(19 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Particularly in the case of lowrate DDoS attacks, attack traffics exhibit specific anomaly characteristics, such as the number of flows and packets that present differences in distributions or statistics compared with those of legitimate traffics. For example, an anomaly characteristic of low-rate DDoS attacks is that every single packet forwarded in the network is legitimate since the packet's head information fulfills all legal requirements of the network-transmission protocols; however, the intentional aggregation of these packets at victim hosts by attackers exhibits abnormal statistical deviations [12]. In addition, as the low-rate DDoS packets are purposely created by prebuilt programs, the features of these packets are highly similar [13,14].…”

Section: Detection Algorithmmentioning

confidence: 99%

Low-Rate DDoS Attack Detection Using Expectation of Packet Size

Liao

Cao

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

Low-rate Distributed Denial-of-Service (low-rate DDoS) attacks are a new challenge to cyberspace, as the attackers send a large amount of attack packets similar to normal traffic, to throttle legitimate flows. In this paper, we propose a measurement-expectation of packet size-that is based on the distribution difference of the packet size to distinguish two typical low-rate DDoS attacks, the constant attack and the pulsing attack, from legitimate traffic. The experimental results, obtained using a series of real datasets with different times and different tolerance factors, are presented to demonstrate the effectiveness of the proposed measurement. In addition, extensive experiments are performed to show that the proposed measurement can detect the low-rate DDoS attacks not only in the short and long terms but also for low packet rates and high packet rates. Furthermore, the false-negative rates and the adjudication distance can be adjusted based on the detection sensitivity requirements.

show abstract

Section: Detection Algorithmmentioning

confidence: 99%

Low-Rate DDoS Attack Detection Using Expectation of Packet Size

Liao

Cao

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Source IP address entropy, its standard deviation with respect to traffic cluster entropy are computed without attack. The experimental results are compared with the work influenced by [20] which is our prior work. The existing system is our own simulation whose results are compared with the proposed system.…”

Section: Resultsmentioning

confidence: 99%

“…Sachdeva et al [20] employed optimal thresholds for traffic cluster entropy and utilized receiver operating characteristic curve (ROC), detection rates and false positive rates for evaluating their method. Their method was meant for discriminating DDoS attack from flash events.…”

Section: Related Workmentioning

confidence: 99%

Detection of spoofed and non-spoofed DDoS attacks and discriminating them from flash crowds

Gera

Battula

2018

EURASIP J. on Info. Security

View full text Add to dashboard Cite

Distributed computing technology is widely used by Internet-based business applications. Supply chain management (SCM), customer relationship management (CRM), e-Commerce, and banking are some of the applications employing distributed computing. These applications are the main target to massive attacks known as distributed denial-of-service (DDoS) that cause a denial of service or degradation of services being rendered. The servers that provide reliable services to genuine users in a distributed environment are victims of such attacks that flood fake requests that appear genuine. Flash crowd, on the other hand, is the huge amount of traffic caused by certain flash events (FEs) that mimics DDoS attacks. Detection of DDoS attacks in the wake of flash crowds is a challenging problem to be addressed. The existing solutions are generally meant for either flash crowds or DDoS attacks and more research is needed to have a comprehensive approach for catering to the needs of detection of spoofed and non-spoofed variants of DDoS attacks. This paper proposes a methodology that can detect aforementioned DDoS attacks and differentiate them from flash crowds. NS-2 simulations are carried out on Ubuntu platform for validating the effectiveness of the proposed methodology.

show abstract

“…They used the FIFA World Cup dataset (http://ita.ee.lbl.gov/html/contrib/WorldCup.html) dataset for representing FE traffic and the CAIDA dataset to represent DDoS attacks. Sachdeva et al [13] used cluster entropy in combination with source IP entropy to discriminate DDoS attacks from FEs. They observed that the traffic cluster entropy drops dramatically during FEs because most of the traffic is generated from already-visited source networks, whereas the traffic cluster entropy increases in HR-DDoS attacks.…”

Section: Related Workmentioning

confidence: 99%

“…Yu et al [10,11] used Shannon entropy to detect HR-DDoS attacks and FEs based on packet size and ID, but their proposed system did not consider the detection of different types of DDoS attacks. Sachdeva et al [13] computed Shannon's entropy metric to detect FEs and HR-DDoS attack traffic. However, we obtained a better TPR (95%) in case of GID metric than in their proposed scheme (82%).…”

Section: Comparison With Existing Workmentioning

confidence: 99%

A generalized detection system to detect distributed denial of service attacks and flash events for information theory metrics

Behal¹,

Kumar²,

Sachdeva³

2018

Turk J Elec Eng & Comp Sci

Self Cite

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attacks pose a severe threat to extensively used web-based services and applications. Many detection approaches have been proposed in the literature, but ensuring the security and availability of data, resources, and services to end users remains an ongoing research challenge. Nowadays, the traffic volume of legitimate users has also increased manifold. A flash event (FE) is a high-rate legitimate traffic situation wherein millions of legitimate users start accessing a particular network resource, such as a web server, simultaneously. The detection of DDoS attacks becomes more challenging when DDoS attacks are launched during behaviorally similar FEs. This research paper proposes a generalized detection system for metrics, based on information theory, capable of detecting different types of DDoS attacks and FEs. We used publically available MIT Lincoln, CAIDA, and FIFA datasets along with a synthetically generated DDoSTB dataset to validate the proposed detection algorithm in terms of various detection system evaluation metrics such as false positive rate, false negative rate, classification rate, and detection accuracy. Such a generalized detection system would be useful to researchers for validating and comparing various information theory metrics based solutions.

show abstract

A comprehensive approach to discriminate DDoS attacks from flash events

Cited by 39 publications

References 16 publications

Low-Rate DDoS Attack Detection Using Expectation of Packet Size

Low-Rate DDoS Attack Detection Using Expectation of Packet Size

Detection of spoofed and non-spoofed DDoS attacks and discriminating them from flash crowds

A generalized detection system to detect distributed denial of service attacks and flash events for information theory metrics

Contact Info

Product

Resources

About