DDoS Attack Detection Using Flow Entropy and Clustering Technique

Qin, Xi; Xu, Tongge; Wang, Chao

doi:10.1109/cis.2015.105

Cited by 42 publications

(22 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…K‐means clustering is one of the most used applied techniques within anomaly intrusion detection. Qin et al used an entropy‐based approach to identify values which then are used to model normal traffic flow through a k‐means clustering technique . Euclidean distance is used to identify the similarity between two entropy vectors and the weighted average radius of clusters is used to identify the number of required clusters.…”

Section: Related Workmentioning

confidence: 99%

“…DF rate is defined as the detection rate divided by the false positive rate. This technique managed at best to achieve a DF rate of 7 …”

Section: Related Workmentioning

confidence: 99%

“…The distance ranges from 2 0 to 2 31 . Formally this distance measurement can be defined as:

△ Xor ({IP}_{i}, {IP}_{j}) = 2^{⌊ \log_{2} ({IP}_{i} \oplus {IP}_{j}) ⌋} .

Clustering approaches within anomaly intrusion detection rely on IP and TCP header fields to model the normal traffic behaviour and create meaningful clusters . Advancements within this field have been accomplished by using different clustering mechanisms or by trying to select relevant attributes to base the clustering on.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Mitigating DDoS using weight‐based geographical clustering

Kongshavn¹,

Haugerud

Yazidi

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attacks have for the last two decades been among the greatest threats facing the internet infrastructure. Mitigating DDoS attacks is a particularly challenging task as an attacker tries to conceal a huge amount of traffic inside a legitimate traffic flow. This article proposes to use data mining approaches to find unique hidden data structures which are able to characterize the normal traffic flow. This will serve as a mean for filtering illegitimate traffic under DDoS attacks. In this endeavor, we devise three algorithms built on previously uncharted areas within mitigation techniques where clustering techniques are used to create geographical clusters in regions which are likely to contain legitimate traffic. We argue through extensive experimental results that establishing clusters around this narrative is a superior solution to clustering algorithms which rely on bitwise distances between IP addresses. In addition, the DDoS filtering algorithm is deployed in a virtual Linux environment using Nfqueue and tested in a simulated real-life DDoS attack.

show abstract

Section: Related Workmentioning

confidence: 99%

“…DF rate is defined as the detection rate divided by the false positive rate. This technique managed at best to achieve a DF rate of 7 …”

Section: Related Workmentioning

confidence: 99%

“…The distance ranges from 2 0 to 2 31 . Formally this distance measurement can be defined as:

△ Xor ({IP}_{i}, {IP}_{j}) = 2^{⌊ \log_{2} ({IP}_{i} \oplus {IP}_{j}) ⌋} .

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Mitigating DDoS using weight‐based geographical clustering

Kongshavn¹,

Haugerud

Yazidi

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…Qin et al [8] identified a new approach for entropy-based DDoS attack detection. This method is divided into two parts.…”

Section: Related Workmentioning

confidence: 99%

Threshold-based distributed DDoS attack detection in ISP networks

Singh¹,

Dhindsa

Hushan³

2018

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

show abstract

“…However, signature methods are typically used for a limited number of protocols and do not allow real-time operation, which is critical when preparing un-targeted attacks. DDOS attack detection mechanisms based on machine learning use various classifiers [29,30] and deep neural networks [31] while analyzing various parameters, such as the distance between IP addresses [32], traffic entropy [33], intensity stream [34], and others. Machine learning methods tend to have high accuracy in detecting attacks.…”

mentioning

confidence: 99%

Method of Early Detection of Cyber-Attacks on Telecommunication Networks Based on Traffic Analysis by Extreme Filtering

et al. 2019

View full text Add to dashboard Cite

The paper suggests a method of early detection of cyber-attacks by using DDoS attacks as an example) using the method of extreme filtering in a mode close real time. The process of decomposition of the total signal (additive superposition of attacking and legitimate effects) and its decomposition using the method of extreme filtering is simulated. A profile model of a stochastic network is proposed. This allows to specify the influence of the intruder on the network using probabilistic-time characteristics. Experimental evaluation of metrics characterizing the cyber-attack is given. It is demonstrated how obtained values of metrics confirm the process of attack preparation, for instance the large-scaled telecommunication network, which includes the proposed method for early detection of attacks, has a recovery time of no more than 9 s, and the parameters of quality of service remain in an acceptable range.Keywords: DDoS; detection of cyber-attacks; extreme filtering; signal decomposition; stochastic network conversion method IntroductionFor the period from 2019 to 2024, one of the national projects in Russia was the "Digital Economy" project, the main tasks of which were to ensure information security in the transmission, processing, and storage of data [1]. This task was fully valid for modern power supply systems and grids, especially in modern conditions, where smart electronic devices and software-defined networks are embedded in energy power infrastructures [2,3].This fact confirms the relevance of information security and the need for diverse solutions in this area. References [4][5][6][7][8][9][10][11][12][13][14][15] describe the most common types of attacks, especially DDOS attacks. According to the Kaspersky Lab, in 2019 the total number of attacks and the number of smart attacks (i.e., attacks which require more thorough preparation and are directed on the most vulnerable network element) were increased. Moreover, despite a decrease in the average duration of DDOS attacks, the duration of smart attacks increased. The longest attacks that were employed lasted 509 h. The dynamics of the distribution of the total duration of attacks during the year had not changed much: those attacks that lasted no more than 4 hours dominate. At the same time, the cost of DDOS attacks was reduced due to their simple implementation [16]. However, if we take into account the fact that each year the implementation time of the longest attacks significantly increases (329 h in 2018 and 509 in 2019), the ever-increasing influence of these attacks on various organizations becomes obvious. Thus, the negative effect of attacks increases. Therefore, the issue of timely detection of such actions

show abstract

DDoS Attack Detection Using Flow Entropy and Clustering Technique

Cited by 42 publications

References 8 publications

Mitigating DDoS using weight‐based geographical clustering

Mitigating DDoS using weight‐based geographical clustering

Threshold-based distributed DDoS attack detection in ISP networks

Method of Early Detection of Cyber-Attacks on Telecommunication Networks Based on Traffic Analysis by Extreme Filtering

Contact Info

Product

Resources

About