Flooding attacks detection in traffic of backbone networks

Internet services are vulnerable to flooding attacks that lead to denial of service. This paper proposes a new framework to detect anomalies and to provide early alerts for flooding attacks in backbone networks. Thus allow to quickly react in order to prevent the flooding attacks from strangling the victim server and its access network. The proposed detection scheme is based on the application of Least Mean Square (LMS) filter and Pearson Chi-square divergence on randomly aggregated flows in Sketch data structure. Instead of analyzing one time series for overall traffic, random aggregation of flows is used to investigate a fixed number of time series for grained analysis. Least mean square filter is used to predict the next value of the time series based on previous values, and Pearson Chi-square divergence is used to measure the deviations between the current and estimated probability distributions. We evaluate our approach using publicly available real IP traces (MAWI) collected from the WIDE backbone network, on trans-Pacific transit link between Japan and USA. Our experimental results show that the proposed approach outperforms existing techniques in terms of detection accuracy and false alarm rate. It is able to detect low intensity attacks covered by the large number of traffic in high speed network.

[1]  Divesh Srivastava,et al.  Diamond in the rough: finding Hierarchical Heavy Hitters in multi-dimensional data , 2004, SIGMOD '04.

[2]  Sushil Jajodia,et al.  Detecting VoIP Floods Using the Hellinger Distance , 2008, IEEE Transactions on Parallel and Distributed Systems.

[3]  Mark Crovella,et al.  Diagnosing network-wide traffic anomalies , 2004, SIGCOMM '04.

[4]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[5]  S. Haykin,et al.  Adaptive Filter Theory , 1986 .

[6]  Jake D. Brutlag,et al.  Aberrant Behavior Detection in Time Series for Network Monitoring , 2000, LISA.

[7]  Ali A. Ghorbani,et al.  Network Anomaly Detection Based on Wavelet Analysis , 2009, EURASIP J. Adv. Signal Process..

[8]  Michel Broniatowski,et al.  An estimation method for the Neyman chi-square divergence with application to test of hypotheses , 2006 .

[9]  Sung-Hyuk Cha Comprehensive Survey on Distance/Similarity Measures between Probability Density Functions , 2007 .

[10]  Dong Il Kim,et al.  Network traffic anomalies detection and identification with flow monitoring , 2008, 2008 5th IFIP International Conference on Wireless and Optical Communications Networks (WOCN '08).

[11]  Ling Huang,et al.  Communication-Efficient Online Detection of Network-Wide Anomalies , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[12]  Qiang Chen,et al.  Computer intrusion detection through EWMA for autocorrelated and uncorrelated data , 2003, IEEE Trans. Reliab..

[13]  Ruth Mbabazi Mutebi,et al.  An Integrated Victim-based Approach against IP Packet Flooding Denial of Service , 2010 .

[14]  Chi Zhou,et al.  Sketch-Based SIP Flooding Detection Using Hellinger Distance , 2009, GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference.

[15]  Graham Cormode,et al.  What's new: finding significant differences in network data streams , 2004, IEEE/ACM Transactions on Networking.

[16]  Myung-Sup Kim,et al.  Traffic Flooding Attack Detection on SNMP MIB Using SVM , 2008 .

[17]  Nguyen Lu Dang Khoa,et al.  Network Anomaly Detection Using a Commute Distance Based Approach , 2010, 2010 IEEE International Conference on Data Mining Workshops.

[18]  I. J. Taneja Bounds On Triangular Discrimination, Harmonic Mean and Symmetric Chi-square Divergences , 2005, math/0505238.

[19]  Moses Charikar,et al.  Finding frequent items in data streams , 2002, Theor. Comput. Sci..

[20]  Jennifer Rexford,et al.  Sensitivity of PCA for traffic anomaly detection , 2007, SIGMETRICS '07.

[21]  Vasilios A. Siris,et al.  Application of anomaly detection algorithms for detecting SYN flooding attacks , 2004, IEEE Global Telecommunications Conference, 2004. GLOBECOM '04..

[22]  Yan Gao,et al.  HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency , 2010, Comput. Networks.

[23]  Supakit Siripanadorn,et al.  Anomaly detection in wireless sensor networks using self-organizing map and wavelets , 2010 .

[24]  Hong Zhou,et al.  Anomaly Network Traffic Detection Based on Auto-Adapted Parameters Method , 2008, 2008 4th International Conference on Wireless Communications, Networking and Mobile Computing.

[25]  Balachander Krishnamurthy,et al.  Sketch-based change detection: methods, evaluation, and applications , 2003, IMC '03.

[26]  Rudolf B. Blazek,et al.  Detection of intrusions in information systems by sequential change-point methods , 2005 .

[27]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[28]  Kang G. Shin,et al.  Change-point monitoring for the detection of DoS attacks , 2004, IEEE Transactions on Dependable and Secure Computing.

[29]  Kang G. Shin,et al.  SYN-dog: sniffing SYN flooding sources , 2002, Proceedings 22nd International Conference on Distributed Computing Systems.

[30]  Ramesh Govindan,et al.  Detection and identification of network anomalies using sketch subspaces , 2006, IMC '06.