DDoS Attack Detection Method Based on Linear Prediction Model

Distributed denial of service (DDoS) attacks are among the major threats to the current Internet. An IP flow feature value (FFV) algorithm is proposed based on the essential features of DDoS attacks: abrupt traffic change, flow asymmetry, distributed source IP addresses and concentrated target IP addresses. Using linear prediction techniques, a simple and efficient ARMA prediction model is established for normal network flow. A DDoS attack detection scheme based on anomaly detection techniques and the linear prediction model (DDAP) is then designed. Furthermore, an alert evaluation mechanism is developed to reduce the false positives caused by prediction error and flow noise. The experimental results demonstrate that DDAP is an efficient DDoS attack detection scheme with higher accuracy and a lower false alarm rate.
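As an added illustration of the scheme the abstract describes (example code, not the paper's own), the sketch below uses a constructed stand-in for the FFV feature, an AR(p) least-squares predictor in place of the paper's ARMA model, and an alert that is confirmed only after k consecutive anomalous windows; the traffic windows, IP addresses and thresholds are all constructed.

```python
# Added example, not the paper's code. The FFV proxy, the AR(p) predictor
# and the k-consecutive alert rule are assumptions; the abstract gives no formulas.
import numpy as np

def flow_feature(window):
    """Constructed FFV proxy: packet count scaled by source-IP spread over
    target-IP concentration. window = list of (src_ip, dst_ip) per packet."""
    srcs = {s for s, _ in window}
    dsts = {d for _, d in window}
    return len(window) * len(srcs) / len(dsts)

def fit_ar(series, p=2):
    """AR(p) with intercept, fit by least squares on normal traffic only.
    Returns (coefficients, residual std used as the noise scale)."""
    X = np.array([[1.0, *series[i - p:i]] for i in range(p, len(series))])
    y = np.array(series[p:])
    coef, *_ = np.linalg.lstsq(X, y, rcond=None)
    return coef, float((y - X @ coef).std())

def detect(series, coef, sigma, p=2, thresh=3.0, k=2):
    """Flag window i when |observed - predicted| > thresh*sigma; confirm an alert
    only after k consecutive flags (alert evaluation absorbs one-off noise)."""
    flagged, alerts, run = [], [], 0
    for i in range(p, len(series)):
        pred = coef[0] + float(np.dot(coef[1:], series[i - p:i]))
        hit = abs(series[i] - pred) > thresh * sigma
        run = run + 1 if hit else 0
        if hit:
            flagged.append(i)
        if run >= k:
            alerts.append(i)
    return flagged, alerts

def build_windows(n_normal=60, n_attack=4, seed=7):
    """Constructed traffic: ~100 packets per normal window (slow swing plus noise)
    between 5 sources and 5 targets, then 1000 packets from 256 sources to one target."""
    rng = np.random.RandomState(seed)
    windows = []
    for i in range(n_normal):
        n = int(100 + 5 * np.sin(0.3 * i) + rng.normal(0, 1))
        windows.append([(f"10.0.0.{j % 5}", f"10.1.0.{j % 5}") for j in range(n)])
    for _ in range(n_attack):
        windows.append([(f"203.0.113.{j % 256}", "10.1.0.1") for j in range(1000)])
    return windows

def run_ddap(p=2, n_normal=60):
    # Train on the normal prefix only, then scan the whole series.
    series = [flow_feature(w) for w in build_windows(n_normal=n_normal)]
    coef, sigma = fit_ar(series[:n_normal], p)
    return detect(series, coef, sigma, p)
```

The first attack window (index 60) is flagged immediately, and the confirmed alert follows at index 61 once two consecutive windows exceed the prediction band.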
