DDoS detection and traceback with decision tree and grey relational analysis

In a Distributed Denial-of-Service (DDoS) attack, an attacker breaks into many innocent computers (called zombies) and then sends a large number of packets from those zombies to a server, to prevent the server from conducting normal business operations. We design a DDoS-detection system based on a decision-tree technique and, once an attack is detected, trace back toward the attacker's locations with a traffic-flow pattern-matching technique. Our system detects DDoS attacks with a false positive ratio of about 1.2-2.4% and a false negative ratio of about 2-10%, and finds the attack paths in traceback with a false negative rate of 8-12% and a false positive rate of 12-14%.
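The traceback step compares the traffic-flow pattern seen at the victim with the pattern seen on each upstream link and keeps the links whose pattern tracks the attack flow most closely. The following is an added example, not code from the paper: it assumes the pattern matching is modelled as Deng's grey relational grade (the paper's exact formulation, link names such as `link_A`, the 0.5 distinguishing coefficient and the 0.8 acceptance threshold are assumptions), and the per-slot packet counts are constructed sample data.

```python
"""Grey relational analysis (GRA) over per-link traffic-volume series.

Traceback idea: the flow pattern observed at the victim (reference series) is
compared against the flow pattern on each upstream link (candidate series);
links whose pattern tracks the attack flow most closely are candidate attack
paths. This is an illustrative implementation, not the paper's own code.
"""
from typing import Dict, List

# Distinguishing coefficient of the grey relational coefficient;
# 0.5 is the conventional default (assumed here).
RHO = 0.5

# Constructed sample data: packets per time slot (thousands), seven slots.
VICTIM_FLOW = [10, 12, 80, 96, 100, 98, 90]          # attack ramps up at slot 2
UPSTREAM_FLOWS = {
    "link_A": [5, 6, 40, 48, 50, 49, 45],             # carries half the attack: same shape
    "link_B": [30, 31, 29, 32, 30, 31, 30],           # steady legitimate traffic
    "link_C": [20, 20, 20, 60, 21, 20, 20],           # unrelated one-slot burst
}


def normalize(seq: List[float]) -> List[float]:
    """Min-max scale to [0, 1] so links of different capacity compare on shape, not volume."""
    lo, hi = min(seq), max(seq)
    if hi == lo:  # a flat series carries no shape information
        return [0.0] * len(seq)
    return [(v - lo) / (hi - lo) for v in seq]


def grey_relational_grades(reference: List[float],
                           candidates: Dict[str, List[float]],
                           rho: float = RHO) -> Dict[str, float]:
    """Grey relational grade of every candidate series against the reference.

    grade_i = mean_k (d_min + rho*d_max) / (d_i(k) + rho*d_max)
    where d_i(k) = |x0(k) - xi(k)| on normalized series and d_min/d_max are
    taken over all candidates and all slots. A grade of 1.0 means identical shape.
    """
    if not candidates:
        return {}
    n = len(reference)
    if any(len(s) != n for s in candidates.values()):
        raise ValueError("all series must cover the same time window")
    ref = normalize(reference)
    deltas = {name: [abs(r - c) for r, c in zip(ref, normalize(seq))]
              for name, seq in candidates.items()}
    all_d = [d for ds in deltas.values() for d in ds]
    d_min, d_max = min(all_d), max(all_d)
    if d_max == 0.0:  # every candidate matches the reference exactly
        return {name: 1.0 for name in candidates}
    grades = {}
    for name, ds in deltas.items():
        coeffs = [(d_min + rho * d_max) / (d + rho * d_max) for d in ds]
        grades[name] = sum(coeffs) / n
    return grades


def candidate_attack_links(reference: List[float],
                           candidates: Dict[str, List[float]],
                           threshold: float = 0.8) -> List[str]:
    """Links whose grade reaches the (assumed) threshold, best match first."""
    grades = grey_relational_grades(reference, candidates)
    chosen = [name for name, g in grades.items() if g >= threshold]
    return sorted(chosen, key=lambda name: -grades[name])


if __name__ == "__main__":
    for name, g in sorted(grey_relational_grades(VICTIM_FLOW, UPSTREAM_FLOWS).items()):
        print(f"{name}: grade {g:.3f}")
    print("candidate attack links:", candidate_attack_links(VICTIM_FLOW, UPSTREAM_FLOWS))
```

Because the series are normalized before comparison, a link that carries only a fraction of the attack volume still scores 1.0 when its shape matches the victim's flow, which is what lets the matching follow an attack that is split across several upstream paths; the flip side is that an unrelated burst overlapping the attack's ramp-up (link_C) scores higher than steady traffic (link_B), so the threshold and window length govern the traceback false-positive rate the abstract reports.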
