Ensemble-based model for DDoS attack detection and flash event separation

Distributed Denial-of-Service (DDoS) attacks continue to constitute a pernicious threat to the delivery of services on the Internet. These attacks harness thousands, and sometimes tens or hundreds of thousands, of compromised computers to attack web services and online trading sites, resulting in significant downtime and financial loss. The problem of detecting DDoS attacks is complicated by Flash Events (FEs), which share some characteristics with DDoS attacks and occur when a server experiences an unexpected surge in requests from legitimate clients. This paper presents the design and implementation of an ensemble-based DDoS attack detection and FE separation model, which combines two orthogonal anomaly-based detection strategies, viz. network traffic analysis and server-load analysis. Using an Exponentially Weighted Moving Average (EWMA) technique, changes in individual network and server-load metrics are first detected and then correlated to identify a variety of DDoS attacks, at both the network and the application layer, and to differentiate them from FE and normal traffic scenarios.
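The abstract describes two stages: an EWMA control chart applied to each metric independently, and a correlation step that combines the per-metric alarms. The Python below is an added illustration of that structure and is not the paper's code. The chart follows Roberts' EWMA scheme (z_t = lam*x_t + (1-lam)*z_{t-1} with a time-varying upper control limit estimated from an in-control baseline). The three metrics (request rate, fraction of source IPs not seen before, server CPU load), the sample values, and the correlation rule that labels a window as flash event or DDoS are all assumptions made for the example; the paper's actual metrics and decision logic are not given in the abstract.

```python
"""
Added example (not from the paper): EWMA change detection per metric, then
correlation of the per-metric alarms to separate a flash event from a DDoS.
Metric choice, sample data and the separation rule are illustrative assumptions.
"""
import math
from statistics import mean, stdev


def ewma_alarms(series, n_baseline, lam=0.3, L=3.0):
    """One-sided (upper) EWMA control chart after Roberts.

    The first n_baseline samples are treated as in-control traffic and used to
    estimate mu0 and sigma0. Every sample then updates
        z_t = lam * x_t + (1 - lam) * z_{t-1}         (z_0 = mu0)
    and is flagged when z_t exceeds the time-varying upper control limit
        UCL_t = mu0 + L * sigma0 * sqrt(lam/(2-lam) * (1 - (1-lam)**(2t))).
    Only the upper limit is used because floods and load spikes raise the metric.
    Returns (alarms, ewma_trace), one entry per sample, baseline included.
    """
    if n_baseline < 2 or n_baseline > len(series):
        raise ValueError("need at least two baseline samples within the series")
    baseline = series[:n_baseline]
    mu0, sigma0 = mean(baseline), stdev(baseline)
    if sigma0 == 0:
        raise ValueError("baseline has zero variance; control limit would be degenerate")
    z = mu0
    alarms, trace = [], []
    for t, x in enumerate(series, start=1):
        z = lam * x + (1.0 - lam) * z
        spread = math.sqrt(lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * t)))
        ucl = mu0 + L * sigma0 * spread
        alarms.append(z > ucl)
        trace.append(z)
    return alarms, trace


def classify_window(rate_alarm, new_ip_alarm, load_alarm):
    """Correlate the per-metric alarms for one window (assumed rule, see lead-in).

    - a request surge carried mostly by source addresses never seen before is
      labelled a flooding attack;
    - a request surge from the familiar client population that the server is
      genuinely busy serving is labelled a flash event;
    - a change in a single metric is reported for investigation rather than
      acted on, since on its own it does not distinguish the two cases.
    """
    if rate_alarm and new_ip_alarm:
        return "ddos"
    if rate_alarm and load_alarm:
        return "flash_event"
    if rate_alarm or load_alarm or new_ip_alarm:
        return "investigate"
    return "normal"


def run_detector(rate, new_ip_frac, cpu_load, n_baseline, lam=0.3, L=3.0):
    """Run one chart per metric and return one label per window."""
    r, _ = ewma_alarms(rate, n_baseline, lam, L)
    n, _ = ewma_alarms(new_ip_frac, n_baseline, lam, L)
    c, _ = ewma_alarms(cpu_load, n_baseline, lam, L)
    return [classify_window(*flags) for flags in zip(r, n, c)]


# Constructed per-window metrics (think 10-second windows): ten in-control
# windows, two more normal windows, three flash-event windows (surge from the
# usual client population, server busy serving it), three DDoS windows (larger
# surge, almost all sources never seen before). The numbers are made up.
REQ_RATE = [100, 102, 98, 101, 99, 103, 97, 100, 102, 98,
            101, 99, 300, 320, 310, 900, 950, 980]
NEW_IP_FRAC = [0.10, 0.12, 0.08, 0.11, 0.09, 0.13, 0.07, 0.10, 0.12, 0.08,
               0.11, 0.09, 0.12, 0.11, 0.12, 0.85, 0.90, 0.92]
CPU_LOAD = [0.30, 0.32, 0.28, 0.31, 0.29, 0.33, 0.27, 0.30, 0.32, 0.28,
            0.31, 0.29, 0.80, 0.85, 0.82, 0.95, 0.97, 0.98]
N_BASELINE = 10

if __name__ == "__main__":
    labels = run_detector(REQ_RATE, NEW_IP_FRAC, CPU_LOAD, N_BASELINE)
    for i, (x, f, c, lab) in enumerate(zip(REQ_RATE, NEW_IP_FRAC, CPU_LOAD, labels)):
        print(f"window {i:2d}: rate={x:4d} new_ip={f:.2f} load={c:.2f} -> {lab}")
```

Two practical points the example makes visible. First, the EWMA carries state, so once the flash event has pushed z_t above the limit the chart stays in alarm for several windows after the surge subsides; the correlation stage, not the chart, is what tells the two surge types apart. Second, the baseline estimate is part of the attack surface: an adversary who can slowly inflate the "normal" request rate and new-source fraction during the training period raises mu0 and sigma0 and blunts the chart, so the baseline should be taken from traffic the operator trusts and re-estimated only under supervision.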
