Global abnormal correlation analysis for DDoS attack detection

The distributed detection of DDoS (distributed denial of service) attacks is often achieved through the cooperation of many detection nodes, and the final detection result depends largely on the judgements of the local nodes. When DDoS attack flows are spread thinly over many links, it is hard for any node to reach an exact judgement using only locally collected information, which degrades the performance of the whole detection system. Although a DDoS attack may be unnoticeable locally, an inherent dependency among the attack flows transiting the many links does exist. This paper proposes an abnormal correlation analysis method that detects DDoS attacks from a global perspective, intended for deployment in the backbone network: it extracts the anomalous space from network-wide traffic, analyzes the correlation across the anomalies, and reveals attacks through changes in that correlation. Analyzing the network-wide traffic simultaneously helps to discover attacks that are indistinct at a single node; moreover, using the correlation between attacks rather than attack volume alone lets our method overcome the difficulty of detecting attacks that are relatively small compared to the tremendous traffic volume of a backbone network. Simulations demonstrate that our method detects DDoS attacks while they are still small on a single link and is superior to other methods proposed in the literature.
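The following is an added illustration, not code from the paper: it builds a constructed four-link dataset in which each link's normal fluctuation is a distinct cosine harmonic (so the links are mutually uncorrelated) and a small shared step of 1.4 sigma is added to every link in the second window. The anomalous component is assumed to be the residual after subtracting each link's training-window baseline, and the correlation measure is assumed to be mean pairwise Pearson correlation; a per-link 3-sigma test sees nothing while the cross-link correlation jumps from 0 to about 0.32.

```python
import math
from itertools import combinations
from statistics import mean, stdev

N = 64  # samples per analysis window (assumed)

def pearson(x, y):
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def synthetic_links(n_links=4, attack_amp=10.0):
    """Constructed data: per-link baseline plus a link-specific periodic
    fluctuation (distinct integer harmonics, hence uncorrelated across links),
    then a shared step of attack_amp in the second half of window 2."""
    links = []
    for i in range(n_links):
        base, k = 1000 + 100 * i, i + 1
        series = [base + 10 * math.cos(2 * math.pi * k * t / N) for t in range(2 * N)]
        for t in range(N + N // 2, 2 * N):
            series[t] += attack_amp  # about 1.4 sigma: below any local z threshold
        links.append(series)
    return links

def local_alarms(links, z_threshold=3.0):
    """Per-link detector: z-score of window 2 against window 1 (training)."""
    alarms = []
    for series in links:
        mu, sigma = mean(series[:N]), stdev(series[:N])
        alarms.append(any(abs((v - mu) / sigma) > z_threshold for v in series[N:]))
    return alarms

def global_correlation(links, window):
    """Mean pairwise correlation of the anomalous component (residual after
    removing each link's training baseline) inside one window."""
    residuals = []
    for series in links:
        mu = mean(series[:N])
        residuals.append([v - mu for v in series[window * N:(window + 1) * N]])
    return mean(pearson(x, y) for x, y in combinations(residuals, 2))

def detect(links, corr_threshold=0.2):
    """Flag a window when the cross-link correlation rises above the threshold."""
    return [global_correlation(links, w) > corr_threshold for w in range(2)]
```

With the constructed input, `local_alarms` returns all False while `detect` returns `[False, True]`, which is the global-versus-local contrast the abstract describes.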
