Information technology has revolutionized almost every facet of our lives. Government, commercial, and educational organizations depend on computers and the Internet to such an extent that day-to-day operations are significantly hindered when the networks are “down” (Gordon, Loeb, Lucyshyn & Richardson, 2005). The prosperity of the Internet has also attracted abusers and attackers with personal, financial, or even political motives. Attackers now aim beyond obtaining unauthorized network access or stealing private information: there have been attacks on Internet infrastructure itself (Chakrabarti & Manimaran, 2002; Moore, Voelker & Savage, 2001; Naoumov & Ross, 2006). Distributed Denial of Service (DDoS) attacks are one such class of attack that can lead to enormous destruction, because different infrastructure components of the Internet have implicit trust relationships with each other (Mirkovic & Reiher, 2004; Specht & Lee, 2004). The DDoS attacker often exploits the huge resource asymmetry between the Internet and the victim systems (Chen, Hwang & Ku, 2007; Douligeris & Mitrokotsa, 2003). A comprehensive solution to DDoS attacks requires covering global effects over a wide area of autonomous system (AS) domains on the Internet (Mirkovic & Reiher, 2005). Timely detection of ongoing attacks is the prerequisite of any effective defense scheme (Carl, Kesidis, Brooks & Rai, 2006). It is highly desirable to detect DDoS attacks at a very early stage, instead of waiting for the flood to become widespread. Detection systems must collect real-time traffic data from widely deployed traffic monitors and construct the spatiotemporal pattern of anomaly propagation inside the network. This chapter introduces a novel distributed real-time data aggregation technique named Change Aggregation Tree (CAT). The CAT system adopts a hierarchical architecture to simplify the alert correlation and global detection procedures.
At the intra-domain level, each individual router, which plays the role of traffic monitor, periodically reports the local traffic status to the CAT server in the AS. At the inter-domain layer, CAT servers share locally detected anomaly patterns with peers located in other ASes, where the potential attack victim is located.
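The two reporting levels described above can be sketched as follows. This is an added example, not code from the chapter: the report fields, the ratio-over-baseline alert rule, the child-to-next-hop tree linking, the `min_nodes` threshold and all function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample for one AS: (router, next_hop, destination, packets per window).
# next_hop None means the flow leaves this AS at that router.
BASELINE = {"r1": 100, "r2": 110, "r3": 200, "r4": 90}  # assumed normal packets/window
REPORTS = [
    ("r1", "r3", "198.51.100.7", 520),
    ("r2", "r3", "198.51.100.7", 480),
    ("r3", None, "198.51.100.7", 1010),
    ("r4", "r3", "203.0.113.9", 95),
]

def local_alerts(reports, baseline, ratio=3.0):
    """Router side: alert when traffic exceeds ratio x baseline (assumed rule)."""
    return [(r, nh, dst) for r, nh, dst, pkts in reports if pkts > ratio * baseline[r]]

def build_trees(alerts):
    """Server side: per destination, link each alerting router to its next hop."""
    trees = defaultdict(lambda: {"root": None, "children": defaultdict(list), "nodes": set()})
    for router, next_hop, dst in alerts:
        tree = trees[dst]
        tree["nodes"].add(router)
        if next_hop is None:
            tree["root"] = router          # exit router toward the destination
        else:
            tree["children"][next_hop].append(router)
    return trees

def connected_size(tree):
    """Count alerting routers reachable from the root; stray alerts are ignored."""
    if tree["root"] is None:
        return 0
    seen, stack = set(), [tree["root"]]
    while stack:
        node = stack.pop()
        if node in seen or node not in tree["nodes"]:
            continue
        seen.add(node)
        stack.extend(tree["children"].get(node, []))
    return len(seen)

def inter_domain_messages(reports, baseline, asn, min_nodes=3):
    """Summaries this AS's server would share with the server of the destination's AS."""
    trees = build_trees(local_alerts(reports, baseline))
    return [{"from_as": asn, "dst": dst, "root": t["root"], "size": connected_size(t)}
            for dst, t in sorted(trees.items()) if connected_size(t) >= min_nodes]
```

A single router alerting without its next hop produces no inter-domain message, which keeps one noisy monitor from being reported as a propagating anomaly.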
[1] Dan Schnackenberg, et al. Statistical approaches to DDoS attack detection and response. 2003, Proceedings DARPA Information Survivability Conference and Exposition.
[2] Xinghua Fan. A Method of Recognizing Entity and Relation. 2005, Encyclopedia of Data Warehousing and Mining.
[3] G. Manimaran, et al. Internet infrastructure security: a taxonomy. 2002, IEEE Netw.
[4] Jianping Pan, et al. WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation. 2007, IEEE Transactions on Dependable and Secure Computing.
[5] John Wang, et al. Data Warehousing and Mining: Concepts, Methodologies, Tools, and Applications. 2008.
[6] Deborah Estrin, et al. Computing aggregates for monitoring wireless sensor networks. 2003, Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, 2003.
[7] John W. Lockwood, et al. A framework for rule processing in reconfigurable network systems. 2005, 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM'05).
[8] George Kesidis, et al. Denial-of-service attack-detection techniques. 2006, IEEE Internet Computing.
[9] Keith W. Ross, et al. Exploiting P2P systems for DDoS attacks. 2006, InfoScale '06.
[10] Kai Hwang, et al. Collaborative Detection of DDoS Attacks over Multiple Network Domains. 2007, IEEE Transactions on Parallel and Distributed Systems.
[11] Giorgio Terracina, et al. Interscheme Properties' Role in Data Warehouses. 2005.
[12] Alfredo Cuzzocrea, et al. Intelligent Techniques for Warehousing and Mining Sensor Network Data. 2009.
[13] Michalis Faloutsos, et al. Power laws and the AS-level internet topology. 2003, TNET.
[14] Peter Reiher, et al. A taxonomy of DDoS attack and DDoS defense mechanisms. 2004, CCRV.
[15] Philip Calvert, et al. Encyclopedia of Data Warehousing and Mining. 2006.
[16] Michalis Faloutsos, et al. On power-law relationships of the Internet topology. 1999, SIGCOMM '99.
[17] Claudio Sartori, et al. Peer-to-Peer Data Clustering in Self-Organizing Sensor Networks. 2010.