A TRAFFIC COHERENCE ANALYSIS MODEL FOR DDOS ATTACK DETECTION

Hamza Rahmani, Nabil Sahli, Farouk Kamoun

2009

Abstract

Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, severely degrading its performance. A DDoS attack can be considered a system anomaly or misuse that imposes abnormal behaviour on network traffic. Network traffic characterization with behaviour modelling can therefore support attack detection, which is performed via abnormal behaviour identification. In this paper, we focus on the design and evaluation of statistically automated attack detection. Our key idea is that, contrary to DDoS traffic, a flash crowd is characterized by a large increase not only in the number of packets but also in the number of IP connections. The joint probability between the packet arrival process and the number-of-IP-connections process gives a good estimate of the degree of coherence between these two processes. Statistical distances between an observation time window and a reference time window are computed on the joint probability values. We show and illustrate that anomalously large values of these distances betray major changes in the statistics of Internet time series and correspond to occurrences of illegitimate anomalies.
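The detection idea in the abstract, as an added toy example (not the authors' code): each time slot is summarised as (packet count, distinct source IP count), a joint probability histogram is built per window, and the Hellinger distance between the reference and observation windows is thresholded. The per-window z-score quantisation, the Hellinger distance, the 0.3 threshold and the sample windows are all assumptions for illustration; the paper's exact normalisation and distance are not given in the abstract.

```python
from math import sqrt
from statistics import mean, pstdev

# Assumption: each series is standardised within its window and quantised to
# three levels, so only whether packets and IP connections move together is
# kept, not their absolute scale. A coherent window (both rise and fall
# together) keeps its mass on the diagonal of the joint histogram.
def quantise(series):
    """Map each value to -1, 0 or +1 by its z-score within the window."""
    mu, sigma = mean(series), pstdev(series) or 1.0
    return [-1 if (v - mu) / sigma < -0.5 else 1 if (v - mu) / sigma > 0.5 else 0
            for v in series]

def joint_probability(window):
    """Empirical joint distribution of (packet level, connection level)."""
    pk = quantise([p for p, _ in window])
    ip = quantise([c for _, c in window])
    hist = {}
    for pair in zip(pk, ip):
        hist[pair] = hist.get(pair, 0) + 1
    return {k: v / len(window) for k, v in hist.items()}

def hellinger(p, q):
    """Hellinger distance between two discrete distributions (0 = identical, 1 = disjoint)."""
    keys = set(p) | set(q)
    return sqrt(0.5 * sum((sqrt(p.get(k, 0.0)) - sqrt(q.get(k, 0.0))) ** 2 for k in keys))

def coherence_distance(reference, observation):
    return hellinger(joint_probability(reference), joint_probability(observation))

def is_anomalous(reference, observation, threshold=0.3):
    """Flag the observation window when the joint distribution drifts too far from the reference."""
    return coherence_distance(reference, observation) > threshold

# Constructed sample windows: (packets, distinct source IPs) per one-second slot.
REFERENCE = [(100, 20), (140, 28), (90, 18), (160, 32), (120, 24), (80, 16), (150, 30), (110, 22)]
# Flash crowd: packets and IP connections grow together.
FLASH_CROWD = [(100, 20), (220, 46), (380, 74), (500, 102), (520, 106), (480, 94), (300, 61), (150, 29)]
# Flooding traffic: packets surge while the number of IP connections stays flat.
FLOOD = [(100, 20), (260, 21), (450, 19), (600, 22), (620, 20), (580, 18), (300, 21), (140, 19)]

if __name__ == "__main__":
    print("flash crowd distance:", round(coherence_distance(REFERENCE, FLASH_CROWD), 3))
    print("flood distance:", round(coherence_distance(REFERENCE, FLOOD), 3))
```

With these windows the flash crowd keeps the reference's diagonal structure (distance 0.0) while the flood window scatters mass off the diagonal (distance about 0.75), so only the flood is flagged.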



Paper Citation


in Harvard Style

Rahmani H., Sahli N. and Kamoun F. (2009). A TRAFFIC COHERENCE ANALYSIS MODEL FOR DDOS ATTACK DETECTION. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009), ISBN 978-989-674-005-4, pages 148-154. DOI: 10.5220/0002231901480154


in Bibtex Style

@conference{secrypt09,
author={Hamza Rahmani and Nabil Sahli and Farouk Kamoun},
title={A TRAFFIC COHERENCE ANALYSIS MODEL FOR DDOS ATTACK DETECTION},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={148-154},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002231901480154},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - A TRAFFIC COHERENCE ANALYSIS MODEL FOR DDOS ATTACK DETECTION
SN - 978-989-674-005-4
AU - Rahmani H.
AU - Sahli N.
AU - Kamoun F.
PY - 2009
SP - 148
EP - 154
DO - 10.5220/0002231901480154