Mark-aided distributed filtering by using neural network for DDoS defense

Currently, distributed denial of service (DDoS) attacks have been identified as one of the most serious problems on the Internet. The aim of DDoS attacks is to prevent legitimate users from accessing desired resources, such as network bandwidth. Hence the immediate task of DDoS defense is to provide as many resources as possible to legitimate users when there is an attack. Unfortunately, most current defense approaches cannot efficiently detect and filter out attack traffic. Our approach is to find network anomalies by using a neural network, deploy the system at distributed routers, identify the attack packets, and then filter them. The marks in the IP header that are generated by a group of IP traceback schemes, deterministic packet marking (DPM)/flexible deterministic packet marking (FDPM), assist this process of identifying attack packets. The experimental results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch the characteristic of DDoS attacks of starting from multiple sources and targeting a single victim. According to the results, we find that the marks in IP headers can enhance the sensitivity and accuracy of detection, thus improving the legitimate traffic throughput and reducing the attack traffic throughput. Therefore, the approach can perform well in filtering DDoS attack traffic precisely and effectively.
