Bound Maxima as a Traffic Feature under DDOS Flood Attacks

This paper gives a novel traffic feature for identifying abnormal variation of traffic under DDOS flood attacks: the histogram of the maxima of the bounded traffic rate, computed on an interval-by-interval basis. We use it in experiments on the traffic data provided by MIT Lincoln Laboratory under the Defense Advanced Research Projects Agency (DARPA) in 1999. The experimental results add to the evidence that the traffic rate under DDOS attacks is statistically, and considerably, higher than that of normal traffic. They show that the pattern of the histogram of the maxima of the bounded rate of attack-contained traffic differs greatly from that of attack-free traffic. Besides, the present traffic feature is mathematically simple and easy to use in practice.
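The feature described in the abstract, as an added illustration that is not the paper's own code and does not use the DARPA 1999 data: a per-second rate series is cut into fixed-length intervals, the maximum rate of each interval is taken, and the relative-frequency histogram of those maxima is compared with a histogram built from attack-free traffic. The traces, bin edges, interval length, the L1 histogram distance and the flagging threshold are all assumptions of this example; the paper's bounded-rate construction and its experimental choices are not reproduced here.

```python
"""
Added example (not code from the paper): the histogram of interval maxima of a
traffic-rate series, used to compare attack-free and attack-contained traffic.
All traffic samples below are constructed; function names are this example's own.
"""
import bisect
import random
from typing import List, Optional, Sequence, Tuple

# Histogram bin edges in packets per second; an assumed choice for this example.
BIN_EDGES = [0.0, 50.0, 100.0, 150.0, 200.0, 300.0, 500.0, 1000.0]


def interval_maxima(rate: Sequence[float], interval_len: int) -> List[float]:
    """Split the rate series into consecutive intervals of interval_len samples and
    return the maximum rate observed in each (a trailing partial interval is dropped)."""
    if interval_len <= 0:
        raise ValueError("interval_len must be positive")
    n_full = len(rate) // interval_len
    return [max(rate[i * interval_len:(i + 1) * interval_len]) for i in range(n_full)]


def histogram(values: Sequence[float], edges: Sequence[float] = BIN_EDGES) -> List[float]:
    """Relative-frequency histogram over fixed bin edges, so that histograms of traces
    of different length stay comparable. Values outside the edge range are clamped
    into the first or last bin."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = bisect.bisect_right(edges, v) - 1
        counts[min(max(idx, 0), len(counts) - 1)] += 1
    total = len(values)
    return [c / total for c in counts] if total else [0.0] * len(counts)


def histogram_distance(h1: Sequence[float], h2: Sequence[float]) -> float:
    """L1 distance between two histograms over the same bins (0 = identical, 2 = disjoint)."""
    if len(h1) != len(h2):
        raise ValueError("histograms must share the same bins")
    return sum(abs(a - b) for a, b in zip(h1, h2))


def make_rate_series(seconds: int, mean: float, jitter: float, seed: int,
                     flood: Optional[Tuple[int, int, float]] = None) -> List[float]:
    """Constructed per-second packet counts: mean plus uniform jitter, optionally with
    an extra rate added during [start, end) to imitate a flood burst."""
    rng = random.Random(seed)
    series = []
    for t in range(seconds):
        r = mean + rng.uniform(-jitter, jitter)
        if flood is not None and flood[0] <= t < flood[1]:
            r += flood[2]
        series.append(r)
    return series


def is_anomalous(trace: Sequence[float], baseline_hist: Sequence[float],
                 interval_len: int = 10, threshold: float = 0.2) -> Tuple[bool, float]:
    """Compare the interval-maxima histogram of `trace` with a baseline histogram built
    from attack-free traffic and flag it when the distance exceeds `threshold`
    (the threshold is an assumed value for this example, not one from the paper)."""
    d = histogram_distance(histogram(interval_maxima(trace, interval_len)), baseline_hist)
    return d > threshold, d


# Constructed traces: 600 s of traffic at about 120 pkt/s with +/-15 pkt/s jitter; the
# attack-contained trace carries an extra 300 pkt/s during seconds 200-399.
BASELINE = make_rate_series(600, mean=120.0, jitter=15.0, seed=1)
NORMAL_TEST = make_rate_series(600, mean=120.0, jitter=15.0, seed=2)
ATTACK_TEST = make_rate_series(600, mean=120.0, jitter=15.0, seed=3, flood=(200, 400, 300.0))
BASELINE_HIST = histogram(interval_maxima(BASELINE, 10))

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TEST), ("attack", ATTACK_TEST)):
        flagged, dist = is_anomalous(trace, BASELINE_HIST)
        print(f"{name}: distance={dist:.3f} flagged={flagged}")
```

With these constructed traces every attack-free interval maximum lands in the 100-150 pkt/s bin, while the twenty flooded intervals move to the 300-500 pkt/s bin, so the attack histogram sits at L1 distance 2/3 from the baseline and the normal test trace at distance 0. On real traffic the baseline histogram would be estimated from a long attack-free period and the threshold set from the spread of distances observed between attack-free windows.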
