DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis

As modern life becomes ever more closely bound to the Internet, network security becomes increasingly important. Like it or not, we all live under the shadow of network threats, which can cause leakage of privacy and/or economic loss. Among network attacks, the DDoS (distributed denial-of-service) attack is one of the most frequent and serious. In a DDoS attack, an attacker first breaks into many innocent computers (called zombies) by taking advantage of known or unknown bugs and vulnerabilities in their software. The attacker then sends a large number of packets from these captured zombies to a server. These packets either occupy a major portion of the server's network bandwidth or consume much of the server's time, so the server is prevented from conducting normal business operations.

In order to mitigate the DDoS threat, we design a system that detects DDoS attacks with a decision-tree technique and, once an attack is detected, traces back to the approximate location of the attacker with a traffic-flow pattern-matching technique. We conduct our experiment on the DETER system. According to our experimental results, our system detects DDoS attacks with a false positive ratio of about 1.2% - 2.4% and a false negative ratio of about 2% - 10%, depending on the kind of attack and the attack sending rate, and finds the attack path in traceback with a false negative rate of 8% - 12% and a false positive rate of 12% - 14%.
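As an added illustration of the traceback's pattern-matching step (this is not the paper's own code), the grey relational analysis named in the title, in Deng's standard formulation, is applied to per-interval packet counts: the victim's attack-flow series is the reference, and each candidate upstream router's series is graded by how closely its shape tracks it. The router names, the series, the distinguishing coefficient of 0.5 and the 0.8 acceptance threshold are all assumptions.

```python
"""Grey relational analysis (GRA) for ranking upstream routers in DDoS traceback.
Added example, not the paper's code: Deng's standard GRA formulation applied to
per-interval packet counts; series, router names and thresholds are constructed."""
from typing import Dict, List

RHO = 0.5  # distinguishing coefficient, the customary GRA default (assumption)

def normalize(series: List[float]) -> List[float]:
    """Scale a series by its mean so links of different capacity are comparable."""
    mean = sum(series) / len(series)
    return [v / mean for v in series] if mean else [0.0] * len(series)

def grey_relational_grades(reference: List[float],
                           candidates: Dict[str, List[float]]) -> Dict[str, float]:
    """Grey relational grade of each candidate against the reference (0..1).
    Near 1.0: the router's flow tracks the victim's attack pattern interval by interval."""
    ref = normalize(reference)
    deltas = {name: [abs(r - c) for r, c in zip(ref, normalize(s))]
              for name, s in candidates.items()}
    all_d = [d for ds in deltas.values() for d in ds]
    d_min, d_max = min(all_d), max(all_d)
    if d_max == 0.0:  # every candidate is identical to the reference
        return {name: 1.0 for name in candidates}
    grades = {}
    for name, ds in deltas.items():
        coeffs = [(d_min + RHO * d_max) / (d + RHO * d_max) for d in ds]
        grades[name] = sum(coeffs) / len(coeffs)
    return grades

def likely_attack_path(reference: List[float], candidates: Dict[str, List[float]],
                       threshold: float = 0.8) -> List[str]:
    """Routers whose grade reaches the threshold, best match first."""
    grades = grey_relational_grades(reference, candidates)
    return sorted((n for n, g in grades.items() if g >= threshold),
                  key=lambda n: -grades[n])

# Constructed sample: packets per interval seen by the victim, and the same flow as
# counted at four candidate upstream routers (R3 carries only background traffic).
VICTIM = [100, 400, 1500, 3000, 3100, 3000]
ROUTERS = {
    "R1": [80, 350, 1300, 2700, 2800, 2700],   # on the attack path
    "R2": [60, 250, 950, 1900, 2000, 1950],    # on the attack path, one hop further
    "R3": [900, 950, 880, 920, 940, 910],      # steady background traffic
    "R4": [500, 500, 1500, 2500, 500, 500],    # short burst of a different shape
}

if __name__ == "__main__":
    for name, grade in sorted(grey_relational_grades(VICTIM, ROUTERS).items()):
        print(f"{name}: grade {grade:.3f}")
    print("likely attack path:", likely_attack_path(VICTIM, ROUTERS))
```

Routers whose counts rise and fall in step with the victim's flow score close to 1.0, while a steady or differently shaped flow scores well under the threshold, which is what lets the grade be used to pick the next hop to query.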
