Combining Adaptive Filtering and IF Flows to Detect DDoS Attacks within a Router

  • Yan, Ruo-Yu (Department of Computer Science and Technology, MOE KLINNS, Xi'an Jiaotong University) ;
  • Zheng, Qing-Hua (Department of Computer Science and Technology, MOE KLINNS, Xi'an Jiaotong University) ;
  • Li, Hai-Fei (Department of Computer Science, Union University)
  • Received : 2010.02.03
  • Accepted : 2010.04.29
  • Published : 2010.06.30

Abstract

Traffic matrix-based anomaly detection and DDoS attack detection in networks are a research focus of the network security and traffic measurement community. In this paper, a new type of unidirectional flow called the IF flow is first proposed. The merits and features of IF flows are analyzed in detail, and two efficient methods are then introduced into our DDoS attack detection and evaluation scheme. The first method applies a Recursive Least Square (RLS) filter to predict IF flows and uses the residual variance ratio to detect DDoS attacks. The second method applies a Kalman filter to estimate IF flows and uses a generalized likelihood ratio (GLR) statistical test to detect DDoS attacks. Based on these two complementary methods, an evaluation formula is proposed to assess the seriousness of current DDoS attacks on router ports. Furthermore, the sensitivity of three types of traffic (IF flow, input link and output link) to DDoS attacks is analyzed and compared; experiments show that the IF flow exposes anomalies more strongly than the other two types of traffic. Finally, the two proposed methods are compared in terms of detection rate, processing speed and other criteria, and are also compared in detail with the Principal Component Analysis (PCA) and Cumulative Sum (CUSUM) methods. The results demonstrate that the adaptive filter methods achieve a higher detection rate, a lower false alarm rate and a shorter detection lag time.
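As an added illustration of the first method (this is not the paper's code or data), the script below runs an RLS one-step predictor over a constructed per-port IF-flow packet-count series and raises an alarm when the variance of recent prediction residuals greatly exceeds that of a preceding baseline window. The abstract gives no parameters, so the window sizes, forgetting factor, threshold and the exact form of the variance ratio are assumptions.

```python
"""Added example, not from the paper: RLS prediction of an IF-flow count
series plus a residual-variance-ratio detector. Window sizes, forgetting
factor, threshold and ratio definition are assumptions; traffic is constructed."""
import numpy as np


def rls_residuals(series, order=4, lam=0.98, delta=100.0):
    """One-step-ahead RLS predictor over the last `order` samples.
    Returns the prediction residuals e[t] = x[t] - w.x_lags for t >= order."""
    w = np.zeros(order)               # adaptive weights
    P = np.eye(order) * delta         # inverse correlation matrix (large init)
    residuals = []
    for t in range(order, len(series)):
        x = np.asarray(series[t - order:t][::-1], dtype=float)  # recent lags
        err = series[t] - w @ x
        residuals.append(err)
        # standard RLS update with exponential forgetting factor lam
        k = P @ x / (lam + x @ P @ x)
        w = w + k * err
        P = (P - np.outer(k, x @ P)) / lam
    return np.array(residuals)


def variance_ratio_alarms(residuals, base=30, recent=5, threshold=10.0):
    """Assumed ratio: variance of the last `recent` residuals over the variance
    of the `base` residuals preceding them. Returns residual indices flagged."""
    alarms = []
    for t in range(base + recent, len(residuals) + 1):
        ref = residuals[t - base - recent:t - recent]
        cur = residuals[t - recent:t]
        ratio = cur.var() / max(ref.var(), 1e-9)   # guard against a flat baseline
        if ratio > threshold:
            alarms.append(t - 1)
    return alarms


def constructed_if_flow(seed=7, surge_at=150):
    """Constructed packets-per-interval on one router port: slow diurnal-like
    drift plus Gaussian noise, with a flood-like level shift from `surge_at`."""
    rng = np.random.default_rng(seed)
    t = np.arange(200)
    counts = 1000 + 200 * np.sin(t / 20) + rng.normal(0, 30, 200)
    counts[surge_at:] += 1500
    return counts


def detect(series, order=4):
    """Map residual indices back to interval indices of the input series."""
    res = rls_residuals(series, order=order)
    return [a + order for a in variance_ratio_alarms(res)]


if __name__ == "__main__":
    print("alarm intervals:", detect(constructed_if_flow()))
```

Because RLS re-adapts to the new traffic level within a few intervals, the residuals shrink again after the onset, which is why the ratio is computed over a short recent window rather than a long one.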

Cited by

  1. Detecting LDoS Attacks based on Abnormal Network Traffic vol.6, pp.7, 2012, https://doi.org/10.3837/tiis.2012.07.007
  2. Real-Time Detection of Application-Layer DDoS Attack Using Time Series Analysis vol.2013, pp.None, 2010, https://doi.org/10.1155/2013/821315
  3. Impact Evaluation of DDoS Attacks on DNS Cache Server Using Queuing Model vol.7, pp.4, 2013, https://doi.org/10.3837/tiis.2013.04.017
  4. Design of an Intrusion Prevention System for DDoS Attack Detection and Defense vol.15, pp.11, 2010, https://doi.org/10.5762/kais.2014.15.11.6845