Detection and trace back of low and high volume of distributed denial‐of‐service attack based on statistical measures

Thangavel, Subburaj; Kannan, S.

doi:10.1002/cpe.5428

Cited by 9 publications

(6 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Heavy traffics generated using botnets or by distributed systems encounter HVAs. These attacks include the variants of Dos/DDoS attacks [36,[47][48][49], where adversaries either try to overflow the objective services or exploit a vulnerability in the software of the server to exhaust system resources and make it inaccessible for the legitimate users. Techniques of performing these types of attacks can be either traffic-based, bandwidth-based or applicationbased.…”

Section: Case 1: Zero-day High Volume Attacks (Hva)mentioning

confidence: 99%

See 1 more Smart Citation

A robust intelligent zero-day cyber-attack detection technique

Kumar

Sinha

2021

Complex Intell. Syst.

View full text Add to dashboard Cite

With the introduction of the Internet to the mainstream like e-commerce, online banking, health system and other day-to-day essentials, risk of being exposed to various are increasing exponentially. Zero-day attack(s) targeting unknown vulnerabilities of a software or system opens up further research direction in the field of cyber-attacks. Existing approaches either uses ML/DNN or anomaly-based approach to protect against these attacks. Detecting zero-day attacks through these techniques miss several parameters like frequency of particular byte streams in network traffic and their correlation. Covering attacks that produce lower traffic is difficult through neural network models because it requires higher traffic for correct prediction. This paper proposes a novel robust and intelligent cyber-attack detection model to cover the issues mentioned above using the concept of heavy-hitter and graph technique to detect zero-day attacks. The proposed work consists of two phases (a) Signature generation and (b) Evaluation phase. This model evaluates the performance using generated signatures at the training phase. The result analysis of the proposed zero-day attack detection shows higher performance for accuracy of 91.33% for the binary classification and accuracy of 90.35% for multi-class classification on real-time attack data. The performance against benchmark data set CICIDS18 shows a promising result of 91.62% for binary-class classification on this model. Thus, the proposed approach shows an encouraging result to detect zero-day attacks.

show abstract

Section: Case 1: Zero-day High Volume Attacks (Hva)mentioning

confidence: 99%

“…This phase consists of two modules where module 1 shows the signature generation for high volume attacks (HVA), i.e., variants of DoS/DDoS attack [36,[47][48][49] and module 2 shows the signature generation for low volume attacks (LVA) [56]. LVAs include variants of service scanning, data theft, OS fingerprinting etc.…”

Section: Signature Generation Phasementioning

confidence: 99%

A robust intelligent zero-day cyber-attack detection technique

Kumar

Sinha

2021

Complex Intell. Syst.

View full text Add to dashboard Cite

show abstract

“…LDoS attack flow has a lower average rate than the traditional DoS attack flow, which makes it more insidious and difficult to be detected [21]. LDoS attacks send periodical packet bursts with model as shown in Figure 1 [22].…”

Section: Characteristics Of Ldos Attacksmentioning

confidence: 99%

Low-Rate DoS Attacks Detection Based on MAF-ADM

Zhan¹,

Tang²,

Man³

et al. 2019

Sensors

View full text Add to dashboard Cite

Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.

show abstract

“…A denial of service (DoS) attack can be described as an explicit attempt to render a server or network incapable of providing normal service to its users. DoS attacks often rely on continuously and excessively consuming limited resources such as bandwidth, memory, storage, and CPU, which are vital to the well‐functioning of the targeted service .…”

Section: Introductionmentioning

confidence: 99%

Mitigating DDoS using weight‐based geographical clustering

Kongshavn¹,

Haugerud

Yazidi

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attacks have for the last two decades been among the greatest threats facing the internet infrastructure. Mitigating DDoS attacks is a particularly challenging task as an attacker tries to conceal a huge amount of traffic inside a legitimate traffic flow. This article proposes to use data mining approaches to find unique hidden data structures which are able to characterize the normal traffic flow. This will serve as a mean for filtering illegitimate traffic under DDoS attacks. In this endeavor, we devise three algorithms built on previously uncharted areas within mitigation techniques where clustering techniques are used to create geographical clusters in regions which are likely to contain legitimate traffic. We argue through extensive experimental results that establishing clusters around this narrative is a superior solution to clustering algorithms which rely on bitwise distances between IP addresses. In addition, the DDoS filtering algorithm is deployed in a virtual Linux environment using Nfqueue and tested in a simulated real-life DDoS attack.

show abstract

Detection and trace back of low and high volume of distributed denial‐of‐service attack based on statistical measures

Cited by 9 publications

References 22 publications

A robust intelligent zero-day cyber-attack detection technique

A robust intelligent zero-day cyber-attack detection technique

Low-Rate DoS Attacks Detection Based on MAF-ADM

Mitigating DDoS using weight‐based geographical clustering

Contact Info

Product

Resources

About