Change-point cloud DDoS detection using packet inter-arrival time

Notwithstanding the increased popularity of cloud computing, Distributed Denial of Service (DDoS) remains a threat to its adoption. In this paper, we propose the use of a change-point monitoring algorithm to detect DDoS flooding attacks against cloud services by examining the packet inter-arrival time (IAT). This method leverages the fact that most DDoS attacks are automated and therefore exhibit similar, regular traffic patterns. When examined closely, these patterns can be distinguished from normal traffic and can therefore be tracked using a cumulative sum (CUSUM) algorithm. The proposed solution was validated by a trace-driven simulation and an empirical evaluation, and the results demonstrate its efficiency and accuracy.
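The abstract describes the detection idea but not its mechanics. The block below is an added example, not code from the paper: it derives IATs from arrival timestamps, learns a baseline mean IAT from a training window, and runs a one-sided CUSUM tuned for a drop in mean IAT (a flood makes packets arrive faster). The traffic trace is constructed, and the training-window length, the allowance `k` and the threshold `h` are assumed tuning choices for the illustration, not parameters taken from the paper.

```python
"""
Added example (not the paper's code): a one-sided CUSUM run over packet
inter-arrival times (IATs) to flag a flooding attack. The traffic below is
constructed, and the training window, allowance k and threshold h are
assumptions chosen for this illustration, not values from the paper.
"""
from typing import Dict, List, Optional, Tuple


def inter_arrival_times(timestamps: List[float]) -> List[float]:
    """Convert non-decreasing packet arrival timestamps (seconds) to IATs."""
    iats = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur < prev:
            raise ValueError("timestamps must be non-decreasing")
        iats.append(cur - prev)
    return iats


def cusum_decrease(samples: List[float], mu0: float, k: float, h: float
                   ) -> Tuple[Optional[int], List[float]]:
    """
    One-sided CUSUM for a downward shift in the mean of `samples`.

    Each step adds (mu0 - x - k): positive only when the observed IAT x is
    more than the allowance k below the baseline mean mu0; otherwise the
    statistic decays towards zero and is clipped there. The alarm is the
    first index where the accumulated statistic exceeds the threshold h.
    """
    s = 0.0
    trace = []
    alarm_at = None
    for i, x in enumerate(samples):
        s = max(0.0, s + (mu0 - x - k))
        trace.append(s)
        if alarm_at is None and s > h:
            alarm_at = i
    return alarm_at, trace


def detect_flood(timestamps: List[float], train_packets: int = 50,
                 target_drop: float = 0.5, h_factor: float = 5.0) -> Dict:
    """
    Learn the baseline mean IAT from the first `train_packets` IATs, then
    monitor the rest with CUSUM. `target_drop` is the fractional fall in mean
    IAT the detector is tuned for (k is half that shift); `h_factor` scales the
    threshold in units of the baseline mean (larger h: fewer false alarms but
    later detection). Returns the index of the packet whose arrival raised the
    alarm, or None if no alarm fired. All defaults are assumed values.
    """
    iats = inter_arrival_times(timestamps)
    if len(iats) <= train_packets:
        raise ValueError("need more packets than the training window")
    train, monitor = iats[:train_packets], iats[train_packets:]
    mu0 = sum(train) / len(train)
    k = (target_drop * mu0) / 2.0
    h = h_factor * mu0
    alarm, trace = cusum_decrease(monitor, mu0, k, h)
    alarm_packet = None if alarm is None else train_packets + alarm + 1
    return {"alarm_packet": alarm_packet, "mu0": mu0, "k": k, "h": h,
            "peak_statistic": max(trace)}


def build_sample_timestamps(normal_packets: int = 100,
                            flood_packets: int = 100) -> List[float]:
    """
    Constructed trace (not real traffic): `normal_packets` IATs cycling around
    a 10 ms mean, then `flood_packets` IATs of a constant 0.5 ms, the kind of
    regular pattern an automated flood produces. Returns cumulative arrival
    timestamps with the first packet at t=0.
    """
    normal_cycle = [0.008, 0.012, 0.010, 0.009, 0.011]
    iats = [normal_cycle[i % len(normal_cycle)] for i in range(normal_packets)]
    iats += [0.0005] * flood_packets
    timestamps = [0.0]
    for iat in iats:
        timestamps.append(timestamps[-1] + iat)
    return timestamps


if __name__ == "__main__":
    result = detect_flood(build_sample_timestamps())
    # the flood begins at packet 101; with these settings the alarm fires at 108
    print(result)
```

During the normal phase every increment `mu0 - x - k` is negative, so the statistic sits at zero; once the 0.5 ms flood begins each packet adds about 7 ms of accumulated shift, and the 50 ms threshold is crossed on the eighth flood packet. The threshold `h` is the knob a practitioner tunes: a higher value lengthens the average run length between false alarms at the cost of detection delay, and the baseline must be re-estimated if the legitimate traffic rate changes, since a flash crowd also shortens IATs and will trip a detector tuned only on rate.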
