Effectively detecting and preventing Distributed Denial of Service (DDoS) attacks is getting more and more important for internet service quality. Due to computer limitations for counting the number of flows present in network traffic, earlier work on DDoS detection has either focused on offline analysis of log data or ranged in a small number of potential victim destinations. However, those methods are not sufficient for detecting possible DDoS activity in real time over large networks. This paper proposes novel data-streaming algorithms for real-time detection of DDoS activity in large networks. The key idea is a hash-based synopsis data structure for sampling network data streams. This structure can efficiently track, guarantees small space, and offers accurate synopses. It also presents an algorithm for counting the number of potentially malicious (e.g., “half-open”) connections from the network streams. Moreover, the algorithm focuses on counting the distinct destination or source IP by distinguishing difference connection types.
Arbor Networks, Inc. Worldwide Infrastructure Security Report, Volume XI, 2015.
2.
BroderA. and MitzenmacherM., Network applications of bloom filters: A survey, Internet Mathematics1(4) (2004), 485–509.
3.
Carl, et al., Denial-of-service attack detection techniques, IEEE Internet Computing10(1) (2006), 82–89.
4.
CERT Advisory CA-1996-01 UDP Port Denial-of-Service Attack.
5.
CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks.
6.
CarlG., BrookR.R. and RaiS., Wavelet based denial-of-Service detection, Computers & Security25 (2006), 600–615.
7.
2013 Cost of Cyber Crime Study: United States. http://media.scmagazine.com/documents/54/2013_us_ccc_report_final_6-1_13455.pdf, 2013. Last Accessed November 10, 2014.
8.
SunC., HuC., TangY. and LiuB., More Accurate and Fast SYN Flood Detection, h International Conference on Computer Communications and Networks (ICCCN), 2009.
9.
ClaiseB., SadasivanG., ValluriV. and DjernaesM., Cisco Systems NetFlow Services Export Version 9, RFC 3954 (Informational), 2004.
10.
EddyW., TCP SYN Flooding Attacks and Common Mitigations, Internet-Draft (work in progress), draft-ietf-tcpm-syn-flood-00, 2006.
11.
EstanC. and VargheseG., New directions in traffic measurement and accounting. In ACM SIGCOMM, 2002.
12.
EstanC., VargheseG. and FiskM., Bitmap Algorithms for Counting Active Flows on High-Speed Links. In ACM SIGCOMM Internet Measurement Workshop, 2003.
13.
FosnockC., Computer Worms: Past, Present and Future. East Carolina University, 2005.
14.
ForoushaniV.A. and NurA., Zincir-Heywood, TDFA: Traceback-based defense against DDoS flooding attacks, Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on IEEE, 2014.
15.
FanL., et al., Summary cache: A scalable wide-area web cache sharing protocol, ACM SIGCOMM Computer Communication Review28(4), ACM, 1998.
16.
GangulyS., et al., Streaming algorithms for robust, real-time detection of ddos attacks, Distributed Computing Systems, 2007, ICDCS’07 27th International Conference on IEEE, 2007.
17.
GrestyD.W., ShiQ. and MerabtiM., Requirements for a General Framework for Response to Distributed Denial-of-Service, Computer Security Applications Conference, 2001, pp. 422–429.
18.
NgJ., JoshiD. and BanikS.M., Applying Data Mining Techniques to Intrusion Detection, Information Technology-New Generations (ITNG), 2015 12th International Conference on IEEE, 2015.
19.
DokasP., et al., Data mining for network intrusion detection, Proc NSF Workshop on Next Generation Data Mining, 2002.
20.
LiM., An approach to reliably identifying signs of DDoS flood attacks based on LRD traffic pattern recognition, Computers & Security23 (2004), 549–558.
21.
LiM., Change trend of averaged Hurst parameter of traffic under DDoS flood attacks, Computers & Security25(3) (2006), 213–220.
22.
LuY., MontanariA., PrabhakarB., DharmapurikarS. and KabbaniA., Counter Braids: A Novel Counter Architecture for Per-Flow Measurement, Proceedings of the 2008 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS), 2008.
23.
MiaoL., DingW. and GongJ., A real-time method for detecting internet-wide SYN flooding attacks, Local and Metropolitan Area Networks (LANMAN), 2015 IEEE International Workshop on IEEE, 2015.
24.
LingY., GuY. and WeiG., Detect SYN Flooding attack in edge routers, Int J Secur Appl3 (2009), 31–45.
25.
MannaM.E. and AmphawanA., Review of syn-flooding attack detection mechanism. arXiv preprint arXiv:1202.1761, 2012.
26.
MinB. and VaradharajanV., Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT), Engineering of Complex Computer Systems (ICECCS), 2015 20th International Conference on IEEE, 2015.
27.
PhaalP., PanchenS. and McKeeN., InMon corporation’s sFlow: A method for monitoring traffic in switched and routed networks. No. RFC 3176, 2001.
28.
RamabhadranS. and VargheseG., Efficient implementation of a statistics counter architecture, Proc ACM SIGMETRICS, 2003, p. 261iV271.
29.
ShahD., IyerS., PrabhakarB. and McKeownN., Analysis of a statistics counter architecture, Proc IEEE HotI 9, Stanford, 2001.
30.
WeaverN., StanifordS. and PaxsonV., Very Fast Containment of Scanning Worms. In USENIX, 2004.
31.
WangH., ZhangD. and ShinK.G., Detecting SYN Flooding Attacks, IEEE INFOCOM, 2002.
32.
YangJ., MaH., ZhangB. and ChenP., An Efficient Approach for Analyzing Multidimensional Network Traffic, APNOMS 2008, LNCS 5297, 2008, pp. 227–235.
33.
ZargarS.T., JoshiJ. and TipperD., A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks, Communications Surveys & Tutorials, IEEE15(4) (2013), 2046–2069.
34.
ZhaoQ.G., XuJ.J. and LiuZ., Design of a novel statistics counter architecture with optimal space and time efficiency. SIGMetrics/Performance, 2006.
