Visible to the public Distributed Denial of Service Attack Detection 2015Conflict Detection Enabled

SoS Newsletter- Advanced Book Block


SoS Logo

Distributed Denial of Service Attack Detection



Distributed Denial of Service Attacks (DDoS) continue to be among the most prolific forms of attack against information systems. According to the NSFOCUS DDoS Threat Report 2013 released on March 25, 2014, DDoS attacks occur at the rate of 28 per hour. (See: Research into methods of response and mitigation is also substantial, as the articles presented here show. This work was presented in 2015.

Saboor, A.; Aslam, B., “Analyses of Flow Based Techniques to Detect Distributed Denial of Service Attacks,” in Applied Sciences and Technology (IBCAST), 2015 12th International Bhurban Conference on, vol., no., pp. 354–362, 13–17 Jan. 2015. doi:10.1109/IBCAST.2015.7058529
Abstract: Distributed Denial of Service (DDoS) attacks comprise of sending huge network traffic to a victim system using multiple systems. Detecting such attacks has gained much attention in current literature. Studies have shown that flow-based anomaly detection mechanisms give promising results as compared to typical signature based attack detection mechanisms which have not been able to detect such attacks effectively. For this purpose, a variety of flow-based DDoS detection algorithms have been put forward. We have divided the flow-based DDoS attack detection techniques broadly into two categories namely, packet header based and mathematical formulation based. Analyses has been done for two techniques one belonging to each category. The paper has analyzed and evaluated these with respect to their detection accuracy and capability. Finally, we have suggested improvements that can be helpful to give results better than both the previously proposed algorithms. Furthermore, our findings can be applied to DDoS detection systems for refining their detection capability.
Keywords: computer network security; mathematical analysis; telecommunication traffic; flow-based anomaly detection mechanisms; flow-based distributed denial of service attack detection techniques; mathematical formulation; multiple systems; network traffic; packet header; signature based attack detection mechanisms; victim system; Correlation; Correlation coefficient; IP networks; Distributed Denial of Service Attack; Exploitation Tools; Flow-based attack detection; Intrusion Detection; cyber security (ID#: 16-9083)


Katkar, V.; Zinjade, A.; Dalvi, S.; Bafna, T.; Mahajan, R., “Detection of DoS/DDoS Attack Against HTTP Servers Using Naive Bayesian,” in Computing Communication Control and Automation (ICCUBEA), 2015 International Conference on, vol., no.,
pp. 280–285, 26–27 Feb. 2015. doi:10.1109/ICCUBEA.2015.60
Abstract: With a growth of E-commerce and availability of resources over internet number of attacks on servers providing these services, resources are also increased. Denial of service and Distributed Denial of Service are most widely launched attacks against these servers for preventing legitimate users from accessing these services. This paper presents architecture of offline Signature based Network Intrusion Detection System for detection of Denial/Distributed Denial of Service attacks against HTTP servers using distributed processing and Naïve Bayesian classifier. Experimental results are provided to prove the efficiency of proposed architecture.
Keywords: Bayes methods; Internet; computer network security; digital signatures; file servers; pattern classification; transport protocols; DoS-DDoS attack detection; HTTP servers; Naïve Bayesian classifier; denial of service attack; distributed denial of service attack; distributed processing; e-commerce; offline signature based network intrusion detection system; Accuracy; Computer crime; Intrusion detection; Telecommunication traffic; Web servers; Denial of service attack; Naive Bayesian; Network Intrusion Detection System (ID#: 16-9084)


Nurohman, H.; Purwanto, Y.; Hafidudin, “Traffic Anomaly Based Detection: Anomaly Detection by Self-Similar Analysis,”
in Control, Electronics, Renewable Energy and Communications (ICCEREC), 2015 International Conference on, vol., no.,
pp. 1–6, 27–29 Aug. 2015. doi:10.1109/ICCEREC.2015.7337024
Abstract: Denial of Service (DoS) is a hot topic phenomenon lately. The intensity of DoS attacks increasing every day with the discovery of a new attack with the same type which is Distributed Denial of Service (DDoS). Both, attack the victims by flooding a lot of packet to the traffic channels at a time. This makes the flow of packets to the victim’s becomes choked and victim do not get the desired package because the density of traffic on its network. Traffic anomaly based is a good technique to detect DDoS attack. Traffic anomaly can be used by several method. One of them is self-similarity. Self-Similarity methods is suitable to the network traffic behaviour. Self-Similarity is a scale of invariant which always have the same. Today, self-similarity has been a dominant framework for modelling network traffic. It will show a plot of the traffic will have in common, even though it has a different time. For the result we use kolmogorv-smirnov to differentiate the anomaly and normal condition in each step of self-similarity. In normal condition Kolmogorov-smirnov test always give 0 and for anomaly condition give 1 for each step. 0 means that data were analysed didn’t have a large difference. Otherwise data have a large difference. Hurst estimator provide 0,645 for normal condition. For anomaly condition, hurst estimator provide 1,443. This is compatible with previous research which states that the hurst exponent from nomal traffic will provide value between 0,5<;H<;1. And the anomaly traffic is outside the range.
Keywords: computer network security; statistical testing; telecommunication traffic; DDoS attack detection; Hurst estimator; Kolmogorv-Smirnov test; anomaly condition; distributed denial of service; network traffic behaviour; network traffic modelling; packets flow; self-similar analysis; self-similarity methods; traffic anomaly based detection; traffic channels; Computer crime; Computers; Estimation; Internet; Mathematical model; Renewable energy sources; Telecommunication traffic; Anomaly; DDoS; Self-Similarity; burstiness (ID#: 16-9085)


Rui Wang; Zhiping Jia; Lei Ju, “An Entropy-Based Distributed DDoS Detection Mechanism in Software-Defined Networking,” in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, no., pp. 310–317, 20–22 Aug. 2015. doi:10.1109/Trustcom.2015.389
Abstract: Software-Defined Networking (SDN) and OpenFlow (OF) protocol have brought a promising architecture for the future networks. However, the centralized control and programmable characteristics also bring a lot of security challenges. Distributed denial-of-service (DDoS) attack is still a security threat to SDN. To detect the DDoS attack in SDN, many researches collect the flow tables from the switch and do the anomaly detection in the controller. But in the large scale network, the collecting process burdens the communication overload between the switches and the controller. Sampling technology may relieve this overload, but it brings a new tradeoff between sampling rate and detection accuracy. In this paper, we first extend a copy of the packet number counter of the flow entry in the OpenFlow table. Based on the flow-based nature of SDN, we design a flow statistics process in the switch. Then, we propose an entropy-based lightweight DDoS flooding attack detection model running in the OF edge switch. This achieves a distributed anomaly detection in SDN and reduces the flow collection overload to the controller. We also give the detailed algorithm which has a small calculation overload and can be easily implemented in SDN software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results show that our detection mechanism can detect the attack quickly and achieve a high detection accuracy with a low false positive rate.
Keywords: computer network security; protocols; software defined networking; DDoS attack; NetFPGA; OF edge switch; OF protocol; Open vSwitch; OpenFlow table; SDN; SDN software; anomaly detection; centralized control; communication overload; distributed DDoS detection mechanism; distributed anomaly detection; distributed denial-of-service; flow collection overload; flow statistics process; flow tables; large scale network; lightweight DDoS flooding attack detection model; packet number counter; programmable characteristics; programmable switch; sampling technology; security threat; software-defined networking; Computer architecture; Computer crime; Image edge detection; Radiation detectors; Switches; DDoS; Entropy; OpenFlow (ID#: 16-9086)


Sharma, S.; Sahu, S.K.; Jena, S.K., “On Selection of Attributes for Entropy Based Detection of DDoS,” in Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on, vol., no., pp. 1096–1100, 10–13 Aug. 2015. doi:10.1109/ICACCI.2015.7275756
Abstract: Distributed Denial of service (DDoS) attack is an attempt to prevent the legitimate users from using services provided by service providers. This is done through flooding their server with the unnecessary traffic. These attacks are performed on some prestigious web sites like Yahoo, Amazon and on various cloud service providers. The severity of the attack is very high, as a result the server goes down for the indefinite period of time. To detect such attempts, various methods were proposed. In this paper, an entropy-based approach is used to detect the DDoS attack. We have analyzed the effect on the entropy of all the useful packet attributes during DDoS attack and tested their usefulness against famous types of distributed denial of service attacks. During analysis, we have explained the proper choice of attributes one should make to get a better threshold during DDoS detection.
Keywords: computer network security; entropy; Amazon; DDoS attack; Web sites; Yahoo; attribute selection; cloud service providers; distributed denial of service attack; entropy based detection; Computer crime; Entropy; Floods; IP networks; Ports (Computers); Protocols; Servers; Attributes Selection; DDoS; SYN Flood (ID#: 16-9087)


Yadav, S.; Selvakumar, S., “Detection of Application Layer DDoS Attack by Modeling User Behavior Using Logistic Regression,” in Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), 2015 4th International Conference on, vol., no., pp. 1–6, 2–4 Sept. 2015. doi:10.1109/ICRITO.2015.7359289
Abstract: DDoS attack has been a threat to network security since a decade and it will continue to be so in the near future also. Now a days application layer DDoS attack poses a major challenge to Web servers. The main objective of Web server is to offer an uninterrupted application layer services to its benign users. But, the application layer DDoS attack blocks the services of the web server to its legitimate clients which can cause immense financial losses. Moreover, it requires very less amount of resources to perform the application layer DDoS attack. The solutions available to detect application layer DDoS attack, detect only limited number of application layer DDoS attacks. The solutions that detect all types of application layer DDoS attacks have huge complexity. To find an effective solution for the detection of application layer DDoS attack the normal user browsing behavior has to be modeled in such a way that normal user and attacker can be differentiated. In this paper, we propose a method using feature construction and logistic regression to model normal Web user browsing behavior to detect application layer DDoS attacks. The performance of the proposed method was evaluated in terms of the metrics such as total accuracy, false positive rate, and detection rate. Comparison of the proposed solution with the existing methods reveals that the proposed method performs better than the existing methods.
Keywords: computer network security; online front-ends; regression analysis; Web server services; application layer DDoS attack detection; detection rate metric; false positive rate metric; feature construction; financial losses; logistic regression; network security; normal Web user browsing behavior; performance evaluation; total accuracy metric; uninterrupted application layer services; user behavior modeling; Authentication; Computer crime; Feature extraction; Measurement; Pattern recognition; Web servers; Application Layer DDoS Attack; DDoS; Feature Construction; Logistic Regression; User Behavior (ID#: 16-9088)


Girma, A.; Garuba, M.; Jiang Li; Chunmei Liu, “Analysis of DDoS Attacks and an Introduction of a Hybrid Statistical Model to Detect DDoS Attacks on Cloud Computing Environment,” in Information Technology – New Generations (ITNG), 2015 12th International Conference on, vol., no., pp. 212–217, 13–15 April 2015. doi:10.1109/ITNG.2015.40
Abstract: Cloud service availability has been one of the major concerns of cloud service providers (CSP), while hosting different cloud based information technology services by managing different resources on the internet. The vulnerability of internet, the distribute nature of cloud computing, various security issues related to cloud computing service models, and cloud’s main attributes contribute to its susceptibility of security threats associated with cloud service availability. One of the major sophisticated threats that happen to be very difficult and challenging to counter due to its distributed nature and resulted in cloud service disruption is Distributed Denial of Service (DDoS) attacks. Even though there are number of intrusion detection solutions proposed by different research groups, and cloud service providers (CSP) are currently using different detection solutions by promising that their product is well secured, there is no such a perfect solution that prevents the DDoS attack. The characteristics of DDoS attack, i.e., Having different appearance with different scenarios, make it difficult to detect. This paper will review and analyze different existing DDoS detecting techniques against different parameters, discusses their advantage and disadvantages, and propose a hybrid statistical model that could significantly mitigate these attacks and be a better alternative solution for current detection problems.
Keywords: cloud computing; computer network security; statistical analysis; CSP; DDoS attack analysis; DDoS attack detection; Internet; cloud based information technology services; cloud computing environment; cloud computing service model; cloud main attributes; cloud service availability; cloud service disruption; cloud service providers; hybrid statistical model; intrusion detection solutions; security issues; Cloud computing; Computer crime; Covariance matrices; Entropy; Hidden Markov models; Servers; Cloud Security; Cloud Service Availability; Co-Variance Matrix; DDoS attacks (ID#: 16-9089)


Ndibwile, J.D.; Govardhan, A.; Okada, K.; Kadobayashi, Y., “Web Server Protection Against Application Layer DDoS Attacks Using Machine Learning and Traffic Authentication,” in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 3, no., pp. 261–267, 1–5 July 2015. doi:10.1109/COMPSAC.2015.240
Abstract: Application layer Distributed Denial of Service (DDoS) attacks are among the deadliest kinds of attacks that have significant impact on destination servers and networks due to their ability to be launched with minimal computational resources to cause an effect of high magnitude. Commercial and government Web servers have become the primary target of these kinds of attacks, with the recent mitigation efforts struggling to deaden the problem efficiently. Most application layer DDoS attacks can successfully mimic legitimate traffic without being detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDSs and IPSs can also mistake a normal and legitimate activity for a malicious one, producing a False Positive (FP) that affects Web users if it is ignored or dropped. False positives in a large and complex network topology can potentially be dangerous as they may cause IDS/IPS to block the user’s benign traffic. Our focus and contributions in this paper are first, to mitigate the undetected malicious traffic mimicking legitimate traffic and developing a special anti-DDoS module for general and specific DDoS tools attacks by using a trained classifier in a random tree machine-learning algorithm. We use labeled datasets to generate rules to incorporate and fine-tune existing IDS/IPS such as Snort. Secondly, we further assist IDS/IPS by processing traffic that is classified as malicious by the IDS/IPS in order to identify FPs and route them to their intended destinations. To achieve this, our approach uses active authentication of traffic source of both legitimate and malicious traffic at the Bait and Decoy server respectively before destined to the Web server.
Keywords: Internet; computer network security; file servers; learning (artificial intelligence); pattern classification; telecommunication traffic; FP; IDS; IPS; Web server protection; Web users; application layer DDoS attacks; bait-and-decoy server; destination servers; distributed denial of service; false positive; government Web servers; intrusion detection systems; intrusion prevention systems; legitimate traffic; malicious traffic; minimal computational resources; mitigation efforts; random tree machine-learning algorithm; traffic authentication; traffic source active authentication; trained classifier; Authentication; Computer crime; Logic gates; Training; Web servers; DDoS Mitigation; False Positives; IDS/IPS; Java Script; Machine Learning (ID#: 16-9090)


Olabelurin, A.; Veluru, S.; Healing, A.; Rajarajan, M., “Entropy Clustering Approach for Improving Forecasting in DDoS Attacks,” in Networking, Sensing and Control (ICNSC), 2015 IEEE 12th International Conference on, vol., no., pp. 315–320,
9–11 April 2015. doi:10.1109/ICNSC.2015.7116055
Abstract: Volume anomaly such as distributed denial-of-service (DDoS) has been around for ages but with advancement in technologies, they have become stronger, shorter and weapon of choice for attackers. Digital forensic analysis of intrusions using alerts generated by existing intrusion detection system (IDS) faces major challenges, especially for IDS deployed in large networks. In this paper, the concept of automatically sifting through a huge volume of alerts to distinguish the different stages of a DDoS attack is developed. The proposed novel framework is purpose-built to analyze multiple logs from the network for proactive forecast and timely detection of DDoS attacks, through a combined approach of Shannon-entropy concept and clustering algorithm of relevant feature variables. Experimental studies on a cyber-range simulation dataset from the project industrial partners show that the technique is able to distinguish precursor alerts for DDoS attacks, as well as the attack itself with a very low false positive rate (FPR) of 22.5%. Application of this technique greatly assists security experts in network analysis to combat DDoS attacks.
Keywords: computer network security; digital forensics; entropy; forecasting theory; pattern clustering; DDoS attacks; FPR; IDS; Shannon-entropy concept; clustering algorithm; cyber-range simulation dataset; digital forensic analysis; distributed denial-of-service; entropy clustering approach; false positive rate; forecasting; intrusion detection system; network analysis; proactive forecast; project industrial partner; volume anomaly; Algorithm design and analysis; Clustering algorithms; Computer crime; Entropy; Feature extraction; Ports (Computers); Shannon entropy; alert management; distributed denial-of-service (DDoS) detection; k-means clustering analysis; network security; online anomaly detection (ID#: 16-9091)


Mousavi, S.M.; St-Hilaire, M., “Early Detection of DDoS Attacks Against SDN Controllers,” in Computing, Networking and Communications (ICNC), 2015 International Conference on, vol., no., pp. 77–81, 16–19 Feb. 2015. doi:10.1109/ICCNC.2015.7069319
Abstract: A Software Defined Network (SDN) is a new network architecture that provides central control over the network. Although central control is the major advantage of SDN, it is also a single point of failure if it is made unreachable by a Distributed Denial of Service (DDoS) Attack. To mitigate this threat, this paper proposes to use the central control of SDN for attack detection and introduces a solution that is effective and lightweight in terms of the resources that it uses. More precisely, this paper shows how DDoS attacks can exhaust controller resources and provides a solution to detect such attacks based on the entropy variation of the destination IP address. This method is able to detect DDoS within the first five hundred packets of the attack traffic.
Keywords: IP networks; computer network security; software defined networking; telecommunication traffic; DDoS attacks; Distributed Denial Of Service attack; IP address destination; SDN controllers; attack detection; attack traffic; central control; entropy variation; exhaust controller resources; network architecture; software defined network; Computer architecture; Computer crime; Control systems; Entropy; Monitoring; Process control; Controller; DDoS attack; SDN (ID#: 16-9092)


Satrya, G.B.; Chandra, R.L.; Yulianto, F.A., “The Detection of DDOS Flooding Attack Using Hybrid Analysis in IPv6 Networks,” in Information and Communication Technology (ICoICT ), 2015 3rd International Conference on, vol., no., pp. 240–244, 27–29 May 2015. doi:10.1109/ICoICT.2015.7231429
Abstract: DDOS attack is very popular used by attacker to disrupt a computer network. The evolution of attack and the increase of vulnerable hosts on the Internet, have made its improvement more varied and difficult to be detected in real time. Today’s popular IP protocol development is IPv6. IPv6 provides a new technology including vulnerabilities and allows the attacker to attack the system. This issue may be the obstacle to make a DDOS attack detection algorithm more efficient and accurate. Due to that fact, this paper will discuss the development of prototype to detect DDOS attack using source addresses analytical methods and analysis of network flow. This prototype can detect DDOS attacks on IPv6 with 85% accuracy for the most severe test scenarios. For the detection time, the prototype can recognize DDOS within 2 minutes 56 seconds.
Keywords: IP networks; computer network security; DDOS flooding attack detection; Distributed Denial of Service flooding attack detection; IPv6 network; Internet; computer network; network flow analysis; source addresses analytical method; Computer crime; Floods; Protocols; Prototypes; DDOS detection; IPv6; hybrid; network flow; source address analysis (ID#: 16-9093)


Mizukoshi, M.; Munetomo, M., “Distributed Denial of Services Attack Protection System with Genetic Algorithms on Hadoop Cluster Computing Framework,” in Evolutionary Computation (CEC), 2015 IEEE Congress on, vol., no., pp. 1575–1580, 25–28 May 2015. doi:10.1109/CEC.2015.7257075
Abstract: DDoS attacks become serious as one of the menaces of the Internet security. It is difficult to prevent because DDoS attacker send spoofing packets to victim which makes the identification of the origin of attacks very difficult. A series of techniques have been studied such as pattern matching by learning the attack pattern and abnormal traffic detection. However, pattern matching approach is not reliable because attackers always set attacks of different traffic patterns and pattern matching approach only learns from the past DDoS data. Therefore, a reliable system has to watch what kind of attacks are carried out now and investigate how to prevent those attacks. Moreover, the amount of traffic flowing through the Internet increase rapidly and thus packet analysis should be done within considerable amount of time. This paper proposes a scalable, real-time traffic pattern analysis based on genetic algorithm to detect and prevent DDoS attacks on Hadoop distributed processing infrastructure. Experimental results demonstrate the effectiveness of our scalable DDoS protection system.
Keywords: computer network security; data handling; genetic algorithms; parallel processing; telecommunication traffic; DDoS attack prevention; Hadoop cluster computing framework; Hadoop distributed processing infrastructure; Internet security; distributed denial-of-service attack protection system; genetic algorithms; scalable DDoS protection system; spoofing packets; traffic pattern analysis; Accuracy; Computer crime; Distributed processing; Genetic algorithms; Genetics; IP networks; Sparks; DDoS attack; Genetic Algorithm; Hadoop (ID#: 16-9094)


Zheludev, M.; Nagradov, E., “Traffic Anomaly Detection and DDOS Attack Recognition Using Diffusion Map Technologies,” in Computer Science and Information Technologies (CSIT), 2015, vol., no., pp. 128–132, Sept. 28 2015–Oct. 2 2015. doi:10.1109/CSITechnol.2015.7358265
Abstract: This paper provides a method of mathematical representation of the traffic flow of network states. Anomalous behavior in this model is represented as a point, not grouped in clusters allocated by the “alpha-stream” process.
Keywords: computer network security; telecommunication traffic; DDOS attack recognition; diffusion map technology; mathematical representation; network state; traffic anomaly detection; traffic flow; Classification algorithms; Clustering algorithms; Computer crime; Geometry; Measurement; Telecommunication traffic; Training; Kernel methods; data analysis; diffusion maps
(ID#: 16-9095)


Singh, K.J.; De, T., “DDOS Attack Detection and Mitigation Technique Based on Http Count and Verification Using CAPTCHA,” in Computational Intelligence and Networks (CINE), 2015 International Conference on, vol., no., pp. 196–197,
12–13 Jan. 2015. doi:10.1109/CINE.2015.47
Abstract: With the rapid development of internet, the number of people who are online also increases tremendously. But now a day’s we find not only growing positive use of internet but also the negative use of it. The misuse and abuse of internet is growing at an alarming rate. There are large cases of virus and worms infecting our systems having the software vulnerability. These systems can even become the clients for the bot herders. These infected system aid in launching the DDoS attack to a target server. In this paper we introduced the concept of IP blacklisting which will blocked the entire blacklisted IP address, http count filter will enable us to detect the normal and the suspected IP addresses and the CAPTCHA technique to counter check whether these suspected IP address are in control by human or botnet.
Keywords: Internet; client-server systems; computer network security; computer viruses; transport protocols; CAPTCHA; DDOS attack detection; DDOS attack mitigation technique; HTTP count filter; HTTP verification; IP address; IP blacklisting; botnet; software vulnerability; target server; virus; worms; CAPTCHAs; Computer crime; IP networks; Radiation detectors; Servers; bot; botnets; captcha; filter; http; mitigation (ID#: 16-9096)


Osanaiye, O.A., “Short Paper: IP Spoofing Detection for Preventing DDoS Attack in Cloud Computing,” in Intelligence
in Next Generation Networks (ICIN), 2015 18th International Conference on
, vol., no., pp. 139–141, 17–19 Feb. 2015. doi:10.1109/ICIN.2015.7073820
Abstract: Distributed Denial of Service (DDoS) attack has been identified as the biggest security threat to service availability in Cloud Computing. It prevents legitimate Cloud Users from accessing pool of resources provided by Cloud Providers by flooding and consuming network bandwidth to exhaust servers and computing resources. A major attribute of a DDoS attack is spoofing of IP address that hides the identity of the attacker. This paper discusses different methods for detecting spoofed IP packet in Cloud Computing and proposes Host-Based Operating System (OS) fingerprinting that uses both passive and active method to match the Operating System of incoming packet from its database. Additionally, how the proposed technique can be implemented was demonstrated in Cloud Computing environment.
Keywords: IP networks; cloud computing; computer network security; operating systems (computers); resource allocation; DDoS attack prevention; IP spoofing detection; active method; cloud providers; cloud users; computing resources; distributed denial of service attack; host-based OS fingerprinting; host-based operating system fingerprinting; network bandwidth flooding; passive method; security threat; service availability; spoofed IP packet detection; Cloud computing; Computer crime; Databases; Fingerprint recognition; IP networks; Probes; Cloud Computing; DDoS attack; IP Spoofing; OS Fingerprinting (ID#: 16-9097)


Bongiovanni, W.; Guelfi, A.E.; Pontes, E.; Silva, A.A.A.; Fen Zhou; Kofuji, S.T., “Viterbi Algorithm for Detecting DDoS Attacks,” in Local Computer Networks (LCN), 2015 IEEE 40th Conference on, vol., no., pp. 209–212, 26–29 Oct. 2015. doi:10.1109/LCN.2015.7366308
Abstract: Distributed denial of service attacks aim at making a given computational resource unavailable to users. A substantial portion of commercial Intrusion Detection Systems operates only with detection techniques based on rules for the recognition of pre-established behavioral patterns (called signatures) that can be used to identify these types of attacks. However, the characteristics of these attacks are adaptable, compromising thus the efficiency of IDS mechanisms. Thus, the goal of this paper is to evaluate the feasibility of using the Hidden Markov Model based on Viterbi algorithm to detect distributed denial of service attacks in data communication networks. Two main contributions of this work can be described: the ability to identify anomalous behavior patterns in the data traffic with the Viterbi algorithm, as well as, to obtain feasible levels of accuracy in the detection of distributed denial of service attacks.
Keywords: Viterbi detection; computer network security; data communication; hidden Markov models; DDoS attack detection; IDS mechanism; Viterbi algorithm; anomalous behavior pattern identification; attack identification; computational resource; data communication network; data traffic; distributed denial of service attack; hidden Markov model; intrusion detection system; signature recognition; Computer crime; Computer networks; Hidden Markov models; Intrusion detection; Markov processes; Protocols
(ID#: 16-9098)


Hong Jiang; Shuqiao Chen; Hongchao Hu; Mingming Zhang, “Superpoint-Based Detection Against Distributed Denial of Service (DDoS) Flooding Attacks,” in Local and Metropolitan Area Networks (LANMAN 2015), The 21st IEEE International Workshop on, vol., no., pp. 1–6, 22–24 April 2015. doi:10.1109/LANMAN.2015.7114724
Abstract: DDoS flooding attack is a critical threat to the normal operation of network. However, current feature-based detection methods are cheated by hackers easily and most of these mechanisms do not differentiate between DDoS flooding attacks and legitimate random flash crowds with feature independent and location extended. To address the challenges, we propose a two-stage detection strategy by combining superpoints and flow similarity measurement. To locate the suspicious flows, polymerization degree of destination superpoints is introduced in a moving time window mechanism. Based on the suspicious flows, a sliding-detection algorithm is presented for distinguishing flooding attacks from flash crowds with similarity metrics. Computer simulation results indicate that our detection approach can detect DDoS flooding attacks efficiently and Total Variation Distance (TVD) is the most suitable metric for discriminating DDoS flooding attack flows from flash crowds. Built on flow arrivals, the proposed mechanism is practical for the attack detection on high speed links.
Keywords: computer network security; DDoS flooding attack;TVD; distributed denial of service flooding attacks; feature independent; location extended; moving time window mechanism; sliding-detection algorithm; superpoint-based detection; total variation distance; two-stage detection strategy; Computer crime; Computer hacking; Feature extraction; Floods; IP networks; Measurement; Polymers; DDoS flooding attacks; detection strategy; flow similarity measurement; superpoints (ID#: 16-9099)


Bhuyan, M.H.; Kalwar, A.; Goswami, A.; Bhattacharyya, D.K.; Kalita, J.K., “Low-Rate and High-Rate Distributed DoS Attack Detection Using Partial Rank Correlation,” in Communication Systems and Network Technologies (CSNT), 2015 Fifth International Conference on, vol., no., pp. 706–710, 4–6 April 2015. doi:10.1109/CSNT.2015.24
Abstract: Distributed Denial of Service (DDoS) attacks pose a serious threat to efficient and uninterrupted Internet services. During Distributed Denial of Service (DDoS), attackers make fool of innocent servers (i.e., Slave) into reddening packets to the victim. Most low-rate DDoS attack detection mechanisms are associated with specific protocols used by the attacks. Due to the use of slave, it has been found that the traffic flow for such an attack and their response flow to the victim may have linear relationships with another. Based on this observation, we propose the Partial Rank Correlation-based Detection (PRCD) scheme to detect both low-rate and high-rate DDoS attacks. Our experimental results confirm theoretical analysis and demonstrate the effectiveness of the proposed scheme in practice.
Keywords: computer network security; protocols; PRCD scheme; high-rate distributed denial of service attacks; low-rate DDoS attack detection mechanisms; partial rank correlation; partial rank correlation-based detection scheme; protocols; traffic flow; uninterrupted Internet services; Accuracy; Bandwidth; Computer crime; Correlation; Entropy; Internet; Servers; DDoS; attack; high-rate; low-rate; network traffic; rank correlation (ID#: 16-9100)


Pandiaraja, P.; Manikandan, J., “Web Proxy Based Detection and Protection Mechanisms Against Client Based HTTP Attacks,” in Circuit, Power and Computing Technologies (ICCPCT), 2015 International Conference on, vol., no., pp. 1–6, 19–20 March 2015. doi:10.1109/ICCPCT.2015.7159344
Abstract: A server side protection from client based DDoS attacks on multilevel proxy. DDoS attacks are continuously sent the threat to the network applications. Such attacks are created by some set of attackers. They create a huge the whole sum of traffic and forces it to the network. Which induces significant injury to the victim server. In a computer network client sent an HTTP request to the server for seeking application resources through a proxy server. The proxy has protected, filter, monitoring the applications against such DDoS attacks. But the client can access the server through different web proxies to seeking application resource. A web server have not at all any technique to identifying malicious client and users of the client. For the reason that considering a proxy to server traffic, proxy conceals the client information and server knows only the information of proxy. Here Hidden semi-Markov Model (HsMM) proposed to describe the time varying traffic behaviors and special behavior of the traffic. An existing system, discovery of attacks is based only the proxy server and client system behavior rather than the actual client user. In such cases, an innocent web proxy or a whole client system may blocked. So this case may affect the many innocent users on the client system. To avoid this problem, a user based approach is employed for finding locality behaviors of the user’s system with enhanced http protocol. To add a custom header in the HTTP protocol for detecting actual attacking user of the client. And also proposed a threshold based algorithm (TBAD) with encryption, decryption algorithms for reshaping the suspicious request to normal request. This method can protect the Qos of the legitimate users of client system.
Keywords: computer network security; cryptography; hidden Markov models; hypermedia; telecommunication traffic; transport protocols; HTTP attacks; HTTP protocol; HTTP request; HsMM; QoS; TBAD; Web proxies; Web proxy based detection mechanism; Web proxy based protection mechanism; Web server; attack discovery; client based DDoS attacks; client system behavior; computer network; decryption algorithm; encryption algorithm; hidden semiMarkov model; locality behaviors; multilevel proxy; proxy server; server side protection; threshold based algorithm; time varying traffic behaviors; user based approach; Computer crime; Computers; Floods; IP networks; Protocols; Web servers; Data Extraction; Threshold value; attack discovery; distributed denial of service attack; traffic modeling (ID#: 16-9101)


Tang, C.; Tang, A.; Lee, E.; Lixin Tao, “Mitigating HTTP Flooding Attacks with Meta-data Analysis,” in 2015 IEEE 17th International Conference on High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), and 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS),  vol., no., pp. 1406–1411, 24–26 Aug. 2015. doi:10.1109/HPCC-CSS-ICESS.2015.203
Abstract: The rise of Distributed Denial of Service (DDoS) attacks has posed a dire threat to cloud computing services in recent years. First, it is getting increasingly difficult to discriminate legitimate traffic from malicious traffic since both are legal at the application-protocol level. Second, DDoS attacks have tremendous impacts on virtual machine performance due to the over-subscribed sharing nature of a cloud data center. To prevent the most serious HTTP GET flooding attacks, we propose a meta-data based monitoring approach, in which the behavior of malicious HTTP requests is captured through real-time and big-data analysis. The proposed DDoS defense system can provide continued service to legitimate clients even when the attacking line-rate is as high as 9 Gbps. An intelligent probe is first used to extract the meta-data about an HTTP connection, which can be thought of as (IP, URL) (Uniform Resource Locators). Then, a real-time big-data analyzing technique is applied on top of the meta-data to identify the IP addresses whose HTTP request frequency significantly surpasses the norm. The blacklist, consisting of these IP addresses, is further aggregated, enabling inline devices (firewalls and load balancers) to apply rate-limiting rules to mitigate the attacks. Our findings show that the performance of the meta-data based detection system is one order of magnitude better than the previous approach.
Keywords: Big Data; cloud computing; computer centres; data analysis; firewalls; meta data; telecommunication traffic; transport protocols; virtual machines; Big-Data analysis; DDoS attack; DDoS defense system; HTTP GET flooding attack mitigation; HTTP connection; HTTP request frequency; IP address; application-protocol level; cloud computing services; cloud data center; distributed denial of service attack; firewall; inline devices; intelligent probe; legitimate traffic; load balancer; malicious HTTP request; malicious traffic; meta-data analysis; meta-data based detection system; meta-data based monitoring approach; rate-limiting rule; virtual machine performance; Computer crime; Floods; IP networks; Protocols; Real-time systems; Servers; Uniform resource locators; DDoS; HTTP GET flooding; network protocol parser (ID#: 16-9102)


Godefroy, E.; Totel, E.; Hurfin, M.; Majorczyk, F., “Generation and Assessment of Correlation Rules to Detect Complex Attack Scenarios,” in Communications and Network Security (CNS), 2015 IEEE Conference on, vol., no., pp. 707–708, 28–30 Sept. 2015. doi:10.1109/CNS.2015.7346896
Abstract: Information systems can be targeted by different types of attacks. Some of them are easily detected (like a DDOS targeting the system) while others are more stealthy and consist in successive attacks steps that compromise different parts of the targeted system. The alarm referring to detected attack steps are often hidden in a tremendous amount of notifications that include false alarms. Alert correlators use correlation rules (that can be explicit, implicit or semi-explicit [3]) in order to solve this problem by extracting complex relationships between the different generated events and alerts. On the other hand, providing maintainable, complete and accurate correlation rules specifically adapted to an information system is a very difficult work. We propose an approach that, given proper input information, can build a complete and system dependent set of correlation rules derived from a high level attack scenario. We then evaluate the applicability of this method by applying it to a real system and assessing the fault tolerance in a simulated environment in a second phase.
Keywords: computer network security; fault tolerance; information systems; complex attack detection; correlation rule assessment; false alarm; fault tolerance; high level attack scenario; information system; Correlation; Correlators; Intrusion detection; Knowledge based systems; Observers; Sensors; Software; Alert correlation; Intrusion detection; Security and protection (ID#: 16-9103)


Jog, M.; Natu, M.; Shelke, S., “Distributed Capabilities-Based DDoS Defense,” in Pervasive Computing (ICPC), 2015 International Conference on, vol., no., pp. 1–6, 8–10 Jan. 2015. doi:10.1109/PERVASIVE.2015.7086993
Abstract: Existing strategies against DDoS are implemented as single-point solutions at different network locations. Our understanding is that, no single network location can cater to the needs of a full-proof defense solution, given the nature of DDoS and activities for its mitigation. This paper gives collective information about some important defense mechanisms discussing their advantages and limitations. Based on our understanding, we propose distribution of DDoS defense which uses improved techniques for capabilities-based traffic differentiation and scheduling-based rate-limiting. Additionally, we propose a novel approach for prediction of attack to determine the prospective attackers as well as the time-to-saturation of victim. We present two algorithms for this distribution of defense. The proposed distributed approach built with these incremental improvements in the defense activities is expected to provide better solution against the DDoS problem.
Keywords: computer network security; DDoS defense; capabilities-based traffic differentiation; distributed denial-of-service; incremental improvements; scheduling-based rate-limiting; single-point solutions; Aggregates; Bandwidth; Computer crime; Filtering; Floods; IP networks; Limiting; Attack detection; Distributed Denial-of-Service; Distributed defense; Network security; Rate-limiting; Traffic differentiation (ID#: 16-9104)


Bazm, M.; Khatoun, R.; Begriche, Y.; Khoukhi, L.; Xiuzhen Chen; Serhrouchni, A., “Malicious Virtual Machines Detection Through a Clustering Approach,” in Cloud Technologies and Applications (CloudTech), 2015 International Conference on, vol., no., pp. 1–8, 2–4 June 2015. doi:10.1109/CloudTech.2015.7336986
Abstract: Cloud computing aims to provide enormous resources and services, parallel processing and reliable access for users on the networks. The flexible resources of clouds could be used by malicious actors to attack other infrastructures. Cloud can be used as a platform to perform these attacks, a virtual machine (VM) in the Cloud can play the role of a malicious VM belonging to a Botnet and sends a heavy traffic to the victim. For cloud service providers, preventing their infrastructure from being turned into an attack platform is very challenging since it requires detecting attacks at the source, in a highly dynamic and heterogeneous environment. In this paper, an approach to detect these malicious behaviors in the Cloud based on the analysis of network parameters is proposed. This approach is a source-based attack detection, which applies both Entropy and clustering methods on network parameters. The environment of Cloud is simulated on Cloudsim. The data clustering allows achieving high performance, with a high percentage of correctly clustered VMs.
Keywords: cloud computing; entropy; invasive software; pattern clustering; virtual machines; Botnet; Cloudsim; attack platform; cloud resources; cloud service providers; cloud services; clustering method; data clustering; highly dynamic heterogeneous environment; malicious actors; malicious behavior detection; malicious virtual machine detection; network parameter analysis; parallel processing; source-based attack detection; Cloud computing; Computer crime; Entropy; Monitoring; Principal component analysis; Scalability; Servers; DDoS; clustering; detection  (ID#: 16-9105)


Pramana, M.I.W.; Purwanto, Y.; Suratman, F.Y., “DDoS Detection using Modified K-Means Clustering with Chain Initialization over Landmark Window,” in Control, Electronics, Renewable Energy and Communications (ICCEREC), 2015 International Conference on, vol., no., pp. 7–11, 27–29 Aug. 2015. doi:10.1109/ICCEREC.2015.7337056
Abstract: Denial-of-service is a common form of network attack that affect user access right by preventing legitimate user from accessing certain information, thus giving great, disadvantage to the user and service provider. This paper present a method of denial-of-service detection using clustering technique with k-means algorithm which available to be modified and developed in many possible way. K-means algorithm used in this paper is modified using chain initialization over landmark window approach to process large amount of data and the result evaluated with detection rate, accuracy, and false positive rate. This method has been proven effective in detecting denial-of-service traffic using DARPA 98 dataset with satisfying result.
Keywords: authorisation; computer network security; pattern clustering; DARPA 98 dataset; DDoS detection; chain initialization over landmark window approach; denial-of-service network attack; modified K-means clustering; user access right; Algorithm design and analysis; Clustering algorithms; Computer crime; Convergence; Data mining; IP networks; Signal processing algorithms; Chain Initialization; Clustering; DDoS; Landmark Window; Modified K-Means (ID#: 16-9106)


Maiti, Sumana; Garai, Chandan; Dasgupta, Ranjan, “A Detection Mechanism of DoS Attack Using Adaptive NSA Algorithm in Cloud Environment,” in Computing, Communication and Security (ICCCS), 2015 International Conference on, vol., no., pp. 1–7,
4–5 Dec. 2015. doi:10.1109/CCCS.2015.7374128
Abstract: Security of any distributed system is not only complex in nature, it also needs much more attention as most of the applications being used and developed in recent past are on distributed platform. Denial of Service (DoS) attack causes drop in quality of service and may also reach to entire absence of service for some “real” users. Identifying some users as attackers also need appropriate algorithm. Negative selection algorithm (NSA) is a very effective approach in identifying some user as attacker. However declaring some “real” user as an attacker is a very common limitation of these types of algorithms unless and until the mechanism of detection is updated at regular intervals. In this research work we have modified NSA algorithm to take into account the necessity of updating the detector set from time to time. We have introduced a second detection module to accommodate the updation. Both the algorithms are implemented on common data set and comparative study is presented. Our proposed algorithm comes out with much improved results and significantly reduces false positive (false alarm) cases.
Keywords: Computer crime; Computers; Feature extraction; Floods; IP networks; Ports (Computers); Traffic control; DDoS; Feature Vector; IP Spoofing; NSA (ID#: 16-9107)


Hurtik, P.; Hodakova, P.; Perfilieva, I.; Liberts, M.; Asmuss, J., “Network Attack Detection and Classification by the F-Transform,” in Fuzzy Systems (FUZZ-IEEE), 2015 IEEE International Conference on, vol., no., pp. 1–6, 2–5 Aug. 2015. doi:10.1109/FUZZ-IEEE.2015.7337991
Abstract: We solve the problem of network attack detection and classification. We discuss the way of generation and simulation of an artificial network traffic data. We propose an efficient algorithm for data classification that is based on the F-transform technique. The algorithm successfully passed all tests and moreover, it showed ability to perform classification in an on-line regime.
Keywords: computer network security; pattern classification; telecommunication traffic; transforms; DDoS detection; F-transform technique; artificial network traffic data generation; artificial network traffic data simulation; data classification; distributed denial-of-service attack; network attack classification; network attack detection; Computer crime; Databases; Mathematical model; Monitoring; Polynomials; Time series analysis; Transforms (ID#: 16-9108)


Ghafir, I.; Prenosil, V., “Blacklist-Based Malicious IP Traffic Detection,” in Communication Technologies (GCCT), 2015 Global Conference on, vol., no., pp. 229–233, 23–24 April 2015. doi:10.1109/GCCT.2015.7342657
Abstract: At present malicious software or malware has increased considerably to form a serious threat to Internet infrastructure. It becomes the major source of most malicious activities on the Internet such as direct attacks, (distributed) denial-of-service (DOS) activities and scanning. Infected machines may join a botnet and can be used as remote attack tools to perform malicious activities controlled by the botmaster. In this paper we present our methodology for detecting any connection to or from malicious IP address which is expected to be command and control (C&C) server. Our detection method is based on a blacklist of malicious IPs. This blacklist is formed based on different intelligence feeds at once. We process the network traffic and match the source and destination IP addresses of each connection with IP blacklist. The intelligence feeds are automatically updated each day and the detection is in the real time.
Keywords: IP networks; Internet; computer network security; invasive software; C&C server; DDOS; Internet infrastructure; blacklist-based malicious IP traffic detection; command and control server; distributed denial-of-service; malicious software; malware; Electronic mail; Feeds; IP networks; Malware; Monitoring; Servers; Cyber attacks; botnet; intrusion detection system; malicious IP (ID#: 16-9109)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.