A Method to Detect DOS and DDOS Attacks based on Generalized Likelihood Ratio Test

Denial of service (DOS) and distributed DOS (DDOS) attacks continue to be a significant concern in internet and networking systems. This paper aims to develop an anomaly detection mechanism based on the generalized likelihood ratio (GLR) scheme to detect TCP- and ICMPv6-based DOS/DDOS attacks. The anomaly detection problem is addressed as a hypothesis testing problem. The proposed approach uses the GLR test to monitor internet traffic in order to better detect potential cyber-attacks. The decision threshold of the GLR approach is computed nonparametrically using kernel density estimation. To evaluate the performance of this approach, two network traffic datasets are used, namely the DARPA99 and ICMPv6 datasets. Results highlight the efficiency of the proposed method.
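The following sketch is an added illustration, not code from the paper. It shows a GLR hypothesis test on traffic counts, with the decision threshold taken as a quantile of a kernel density estimate fitted to attack-free GLR values. Assumptions not stated in the abstract: a Gaussian mean-shift form of the GLR statistic, a 5-sample sliding window, Silverman's bandwidth, a false-alarm level of 0.01, and constructed SYN-per-second counts.

```python
import math
import random
import statistics

def glr_stats(series, mu0, sigma, n=5):
    """2*log(likelihood ratio) for H0: mean == mu0 vs H1: mean != mu0
    (Gaussian, known sigma), on every sliding window of n samples."""
    return [n * (sum(series[k:k + n]) / n - mu0) ** 2 / sigma ** 2
            for k in range(len(series) - n + 1)]

def kde_threshold(stats, alpha=0.01):
    """(1 - alpha) quantile of a Gaussian KDE fitted to attack-free GLR values."""
    h = 1.06 * statistics.stdev(stats) * len(stats) ** -0.2  # Silverman's rule
    def cdf(t):  # KDE CDF = average of Gaussian CDFs centred on each sample
        return sum(0.5 * (1 + math.erf((t - x) / (h * math.sqrt(2))))
                   for x in stats) / len(stats)
    lo, hi = min(stats) - 5 * h, max(stats) + 5 * h
    for _ in range(60):  # bisection: the CDF is monotone in t
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if cdf(mid) < 1 - alpha else (lo, mid)
    return hi

def run_demo(seed=7):
    rng = random.Random(seed)
    # Constructed data: SYN segments per second, not taken from DARPA99.
    train = [rng.gauss(100, 10) for _ in range(300)]        # attack-free
    test = ([rng.gauss(100, 10) for _ in range(60)]         # normal
            + [rng.gauss(400, 30) for _ in range(20)]       # flood: samples 60..79
            + [rng.gauss(100, 10) for _ in range(20)])      # normal again
    mu0, sigma = statistics.mean(train), statistics.stdev(train)
    train_stats = glr_stats(train, mu0, sigma)
    threshold = kde_threshold(train_stats)
    # Alarm k means the window test[k:k+5] rejected H0 (no attack).
    alarms = [k for k, s in enumerate(glr_stats(test, mu0, sigma)) if s > threshold]
    return {"threshold": threshold, "train_stats": train_stats, "alarms": alarms}

if __name__ == "__main__":
    result = run_demo()
    print("threshold:", round(result["threshold"], 2))
    print("alarm windows start at:", result["alarms"])
```

Because the threshold comes from the estimated density of the statistic under normal traffic, no chi-square assumption on the GLR values is needed; the false-alarm level `alpha` is the only tuning knob.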
