High Performance DDoS Attack Detection System Based on Distribution Statistics

Web servers today routinely face distributed denial of service (DDoS) attacks, and their intrusion prevention systems cannot detect those attacks effectively. Many existing intrusion prevention systems detect attacks from per-flow state, and their processing speed cannot meet the requirements of real-time detection under high-speed traffic. In this paper, we propose TreeSketchShield, a powerful system that improves on the sketch data structure and detects attacks quickly. First, we describe a novel structure, TreeSketch, for obtaining statistics of network flows; it uses the stepped structure of a binary tree to map the distribution and reduces the complexity of the statistic calculation. Second, we present a two-level detection scheme that trades off detection speed against detection accuracy. Experimental results show that our method can process more than 100,000 records per second, and the false alarm rate achieves a 2% to 25% performance improvement.
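The abstract names two ideas without detail: sketch-based flow statistics and a two-level scheme in which a cheap check gates a more accurate one. The following Python is an added illustration of that general pattern, not the paper's TreeSketch or TreeSketchShield code (their binary-tree layout is not described here). It uses an ordinary count-min sketch (an assumption, chosen because it is a well-known sketch) for the fast level-1 volume check per destination, and computes an exact source-address entropy only for destinations that level 1 flags (level 2). All flow records, thresholds (volume_factor, entropy_delta) and sketch sizes are constructed for the example.

```python
import hashlib
import math
from collections import Counter


class CountMinSketch:
    """Fixed-size sketch: depth rows of width counters; a point query returns
    the minimum over rows, so estimates never undercount (assumed structure,
    standing in for the paper's TreeSketch)."""

    def __init__(self, width=64, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, key):
        # Independent hash per row: prefix the key with the row number.
        h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(h, "big") % self.width

    def add(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self._index(row, key)] += count

    def estimate(self, key):
        return min(self.table[row][self._index(row, key)] for row in range(self.depth))


def entropy_bits(counts):
    """Shannon entropy (bits) of a count distribution, e.g. sources per destination."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def build_baseline(records):
    """Learn per-destination volume (sketch) and source entropy from benign traffic."""
    sketch = CountMinSketch()
    per_dst_sources = {}
    for src, dst in records:
        sketch.add(dst)
        per_dst_sources.setdefault(dst, Counter())[src] += 1
    return {"sketch": sketch,
            "entropy": {d: entropy_bits(c) for d, c in per_dst_sources.items()}}


def detect(window, baseline, volume_factor=3.0, entropy_delta=1.0):
    """Level 1: sketch-only volume check per destination (cheap, approximate).
    Level 2: exact source-distribution entropy for flagged destinations only
    (costlier, more accurate). Returns (level1_suspects, level2_alerts)."""
    sketch = CountMinSketch()
    dsts = set()
    for src, dst in window:
        sketch.add(dst)
        dsts.add(dst)
    suspects = sorted(d for d in dsts
                      if sketch.estimate(d) > volume_factor * max(1, baseline["sketch"].estimate(d)))
    alerts = []
    for d in suspects:
        sources = Counter(src for src, dst in window if dst == d)
        h = entropy_bits(sources)
        # A flood from many spoofed sources raises entropy; a single-source
        # flood lowers it. Either direction beyond the tolerance is an alert.
        if abs(h - baseline["entropy"].get(d, 0.0)) > entropy_delta:
            alerts.append((d, sketch.estimate(d), round(h, 2)))
    return suspects, alerts


# Constructed sample flow records (src_ip, dst_ip); not from the paper.
BENIGN = ([(f"10.0.{i % 7}.{i}", "203.0.113.10") for i in range(1, 41)]
          + [(f"10.0.{i % 5}.{i}", "203.0.113.20") for i in range(1, 21)])
# Constructed attack window: 600 packets from 250 spoofed sources at one target.
ATTACK = [(f"198.51.100.{i % 250}", "203.0.113.10") for i in range(1, 601)]

if __name__ == "__main__":
    base = build_baseline(BENIGN)
    print("benign window:", detect(BENIGN, base))
    print("attack window:", detect(ATTACK + BENIGN, base))
```

Level 1 touches only the sketch, so its cost is a handful of hashes per record regardless of how many hosts appear; level 2 re-reads the window for the few flagged destinations, which is where the accuracy comes from and where the speed/accuracy compromise the abstract mentions is made. Raising volume_factor reduces level-2 work at the cost of missing slower floods.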
