Source-Side Detection of DRDoS Attack Request with Traffic-Aware Adaptive Threshold

Nguyen, Sinh Ngoc; Nguyen, Van Quyet; Nguyen, Giang T.; Kim, Jeong Nyeo; Kim, Kyungbaek

doi:10.1587/transinf.2018edl8020

Cited by 5 publications

(5 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The one of method of a source-side DoS attack detection mechanism is predicting the volume of normal network traffic. The volume of network traffic observed in the source-side network is relatively small, and more accurate prediction of network traffic is required in order to adjust threshold in a fine-tuned manner [3], [4].…”

Section: Related Workmentioning

confidence: 99%

“…network, the normal traffic can be easily mixed with attack traffic. To separate a relatively small volume of attack traffic, an adaptive threshold method using the observed traffic volume was studied [3]. However, if the observed traffic is mixed with the attack traffic, the adaptive threshold method should separate the attack traffic from the observed traffic to calculate the next threshold.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

LSTM-Based Collaborative Source-Side DDoS Attack Detection

2022

Self Cite

View full text Add to dashboard Cite

As denial of service attacks become more sophisticated, the source-side detection techniques are being studied to solve the limitations of target-side detection techniques such as delayed detection and difficulty in tracking attackers. Recently, some source-side detection techniques are being studied to use an adaptive attack detection threshold considering seasonal behavior of network traffic. However, because patterns of network traffic usage have become irregular with increased randomness and explosive traffic, the performance of the adaptive threshold technique has deteriorated. In addition, by limitations of the local view of a single site, distributed attacks from multiple sites may not be detected. In this paper, we propose a LSTM (Long Short Term Memory) based collaborative source-side DDoS (Distributed Denial of Service) attack detection framework which provides the attack detection result of a collaboration network in a global view. The proposed framework applies LSTM-based adaptive thresholds to each source-side network to mitigate performance degradation caused by irregular network traffic behavior. Also, in order to overcome the limitation of performance caused by the local view of single source-side network, the proposed framework constructs a collaborative network through multiple detection sites and aggregates feedback from each site, such as detection rates, local traffic patterns, and timestamp. The collaborative attack detection technique uses the aggregated feedback to determine whether the attack is finally detected and shares the finial detection results with multiple sites. Depending on this final detection result, the adaptive thresholds of each site are reset. Through extensive evaluation of actual network traffic data, the proposed collaborative source-side attack detection technique shows around 15% lower false positive rate than the single source-side attack detection technique while maintaining a high detection rate.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

LSTM-Based Collaborative Source-Side DDoS Attack Detection

2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…Consequently, this subtle attack traffic could cause some problems for machine learning based methods [5]. Up to date, our former work [16] has proposed establishing an adaptive threshold for detecting the subtle DoS attack based on the observed traffic over continuous periods. However, the drawback of this method is high false positive.…”

Section: Related Workmentioning

confidence: 99%

“…OTAT algorithm means using the traffic volume aware adaptive threshold establishment without help of seasonality aware threshold adjustment, and OTAT is analogous to the previous approach in [16]. In OTAT, when attack is detected at a time window, it keeps the threshold value because it cannot guarantee how much portion of observed traffic is legitimate traffic.…”

Section: Attack Emulationmentioning

confidence: 99%

See 1 more Smart Citation

Traffic Seasonality aware Threshold Adjustment for Effective Source-side DoS Attack Detection

2019

KSII TIIS

View full text Add to dashboard Cite

In order to detect Denial of Service (DoS) attacks, victim-side detection methods are used popularly such as static threshold-based method and machine learning-based method. However, as DoS attacking methods become more sophisticated, these methods reveal some natural disadvantages such as the late detection and the difficulty of tracing back attackers. Recently, in order to mitigate these drawbacks, source-side DoS detection methods have been researched. But, the source-side DoS detection methods have limitations if the volume of attack traffic is relatively very small and it is blended into legitimate traffic. Especially, with the subtle attack traffic, DoS detection methods may suffer from high false positive, considering legitimate traffic as attack traffic. In this paper, we propose an effective source-side DoS detection method with traffic seasonality aware adaptive threshold. The threshold of detecting DoS attack is adjusted adaptively to the fluctuated legitimate traffic in order to detect subtle attack traffic. Moreover, by understanding the seasonality of legitimate traffic, the threshold can be updated more carefully even though subtle attack happens and it helps to achieve low false positive. The extensive evaluation with the real traffic logs presents that the proposed method achieves very high detection rate over 90% with low false positive rate down to 5%.

show abstract