DDoS attack detection method using cluster analysis

Distributed Denial of Service (DDoS) attacks generate an enormous volume of packets from a large number of agents and can exhaust the computing and communication resources of a victim within a short period of time. In this paper, we propose a method for proactive detection of DDoS attacks that exploits their architecture, which consists of the selection of handlers and agents, the communication and compromise phase, and the attack itself. We examine the procedures of a DDoS attack and select variables based on these features. We then perform cluster analysis for proactive detection of the attack. We experiment with the 2000 DARPA Intrusion Detection Scenario Specific Data Set in order to evaluate our method. The results show that each phase of the attack scenario is partitioned well, so we can detect precursors of a DDoS attack as well as the attack itself.
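As an added illustration of the cluster-analysis idea sketched in the abstract (not code from the paper), constructed per-window traffic features for the three phases named above are standardised and clustered with k-means; the feature names and values are assumptions, and the phase labels are used only to check whether the clusters line up with the phases.

```python
"""Phase-wise clustering of per-window traffic features (added example)."""
import math
from typing import Dict, List, Set, Tuple

# Constructed per-window feature vectors, one entry per 10-second window.
# Features (assumed, not taken from the paper): distinct destination hosts,
# distinct source hosts, packets per second, fraction of ICMP packets.
# The phase label is kept only to evaluate the clustering; it is not an input.
WINDOWS: List[Tuple[str, List[float]]] = [
    ("probe",      [220, 1,   60.0,    0.92]),  # handler/agent selection: sweep of many hosts
    ("probe",      [240, 1,   75.0,    0.95]),
    ("probe",      [210, 1,   55.0,    0.90]),
    ("compromise", [4,   1,   15.0,    0.00]),  # communication with a few chosen hosts
    ("compromise", [3,   2,   12.0,    0.01]),
    ("compromise", [5,   1,   18.0,    0.00]),
    ("attack",     [1,   130, 60000.0, 0.55]),  # flood: many (spoofed) sources, one victim
    ("attack",     [1,   150, 75000.0, 0.50]),
    ("attack",     [1,   120, 52000.0, 0.60]),
]

def zscore(rows: List[List[float]]) -> List[List[float]]:
    """Standardise each feature so packets/second does not dominate the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def dist(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points: List[List[float]], k: int, iters: int = 100) -> List[int]:
    """Deterministic farthest-point initialisation followed by Lloyd iterations."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels: List[int] = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels

def cluster_phases(windows=WINDOWS, k: int = 3) -> Dict[str, Set[int]]:
    """Map each labelled phase to the set of cluster ids its windows landed in."""
    labels = kmeans(zscore([feats for _, feats in windows]), k)
    by_phase: Dict[str, Set[int]] = {}
    for (phase, _), lab in zip(windows, labels):
        by_phase.setdefault(phase, set()).add(lab)
    return by_phase
```

A clean partition means every phase maps to exactly one cluster and no two phases share a cluster; the probe and compromise windows are the precursors the abstract refers to.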
