Lifting the Smokescreen: Detecting Underlying Anomalies During a DDoS Attack

While DDoS attacks have become an ever-growing threat over the last decade, a new variation is taking root in which the DDoS is used as a distraction, or smokescreen, to hide other malicious activity. This variation, which we call DDoS as a Smokescreen (DaaSS), often results in data theft and financial loss, and is frequently detected only because the theft is discovered independently, long after the attack has ceased. In this work, we describe these attacks and present a novel approach to detecting them using real-world network trace data. We present experimental results showing promise that DaaSS attacks can be detected in a manner conducive to practical deployment.
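The abstract does not spell out the detection method, so the following is an added illustration of the general idea of "lifting the smokescreen", not code from the paper: trigger on the volumetric flood, identify the flood's dominant (destination, port) signature, subtract it from the attack window, and then compare the residual internal-origin traffic against a pre-attack baseline. All flows, hosts (RFC 5737 test ranges), byte sizes and thresholds are constructed for the example; the function names and the factor-of-ten thresholds are the author's assumptions, not values from the paper.

```python
"""Added example (not the paper's code): strip a volumetric flood out of a
traffic window and score what remains against a pre-attack baseline.
All flows, hosts and sizes below are constructed (RFC 5737 test ranges)."""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    t: int        # seconds since capture start
    src: str
    dst: str
    dport: int
    nbytes: int


def in_window(flows, window):
    lo, hi = window
    return [f for f in flows if lo <= f.t < hi]


def is_flooded(flows, baseline, window, factor=10):
    """Volumetric trigger: peak flows/second in `window` exceeds `factor`
    times the peak seen in `baseline` (factor is an assumed tuning knob)."""
    def peak(w):
        return max(Counter(f.t for f in in_window(flows, w)).values(), default=0)
    return peak(window) > factor * peak(baseline)


def flood_signature(flows, window, share=0.9):
    """The (dst, dport) pair carrying at least `share` of the flows in the
    window; that pair is the smokescreen to subtract. None if no pair dominates."""
    c = Counter((f.dst, f.dport) for f in in_window(flows, window))
    if not c:
        return None
    key, n = c.most_common(1)[0]
    return key if n >= share * sum(c.values()) else None


def residual(flows, window, signature):
    """Everything in the window that is not part of the flood."""
    return [f for f in in_window(flows, window) if (f.dst, f.dport) != signature]


def pair_bytes(flows, internal_prefix="10.0.0."):
    """Bytes per (src, dst) for flows that originate inside the network."""
    acc = Counter()
    for f in flows:
        if f.src.startswith(internal_prefix):
            acc[(f.src, f.dst)] += f.nbytes
    return acc


def hidden_anomalies(flows, baseline, window, factor=10):
    """Lift the smokescreen: if `window` is flooded, drop the flood and flag
    internal sources whose per-destination outbound volume exceeds `factor`
    times the largest per-destination volume seen in the baseline."""
    if not is_flooded(flows, baseline, window):
        return []
    sig = flood_signature(flows, window)
    base = pair_bytes(in_window(flows, baseline))
    known_dsts = {dst for _, dst in base}
    threshold = factor * max(base.values(), default=0)
    found = []
    for (src, dst), b in pair_bytes(residual(flows, window, sig)).items():
        if b > threshold:
            found.append({"src": src, "dst": dst, "bytes": b,
                          "new_destination": dst not in known_dsts})
    return sorted(found, key=lambda a: -a["bytes"])


def make_flows(seed=1):
    """Constructed capture: 60 s of normal web traffic, then 60 s in which a
    flood of 1400-byte packets hits the server's port 80 from many spoofed
    sources while the server quietly pushes bulk data to a never-seen host."""
    rng = random.Random(seed)
    flows = []

    def legit(t):
        for _ in range(20):
            c = f"198.51.100.{rng.randint(1, 200)}"
            flows.append(Flow(t, c, "10.0.0.5", 443, rng.randint(200, 1500)))
            flows.append(Flow(t, "10.0.0.5", c, rng.randint(1024, 65535),
                              rng.randint(1000, 8000)))

    for t in range(0, 60):
        legit(t)
    for t in range(60, 120):
        legit(t)                                   # normal traffic continues
        for _ in range(2000):                      # the smokescreen
            flows.append(Flow(t, f"203.0.113.{rng.randint(1, 254)}",
                              "10.0.0.5", 80, 1400))
        if t % 5 == 0:                             # exfiltration under the flood
            flows.append(Flow(t, "10.0.0.5", "192.0.2.77", 22, 5_000_000))
    return flows


if __name__ == "__main__":
    fl = make_flows()
    print("flooded:", is_flooded(fl, (0, 60), (60, 120)))
    print("signature:", flood_signature(fl, (60, 120)))
    for a in hidden_anomalies(fl, (0, 60), (60, 120)):
        print(a)
```

Run as-is, the flood is confirmed, the signature resolves to the server's port 80, and the only residual pair above threshold is the 60 MB push from the internal server to a destination absent from the baseline. Two caveats a deployment would have to address: the baseline must itself be clean (an attacker who can poison it raises the threshold), and subtracting a single dominant signature is too coarse for multi-vector floods, which is exactly where the clustering-based approaches the paper builds on would come in.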
