Detection of DDoS Backscatter Based on Traffic Features of Darknet TCP Packets

In this work, we propose a method to discriminate backscatter caused by DDoS attacks from normal traffic. Since DDoS attacks are imminent threats that can cause serious economic damage to private companies and public organizations, it is important to detect DDoS backscatter as early as possible. To do this, 11 features based on port/IP information are defined for network packets sent within a short time window, and these traffic features are classified by a Support Vector Machine (SVM). In the experiments, we use TCP packets for the evaluation because they include control flags (e.g. SYN-ACK, RST-ACK, RST, ACK) that provide label information (i.e. backscatter or non-backscatter). We confirm that the proposed method can correctly discriminate DDoS backscatter from unknown darknet TCP packets with more than 90% accuracy.
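As an added illustration (not code from the paper), the labelling and windowing step described above in Python: reply-type TCP flags give each darknet packet its label, and per-window port/IP statistics form the feature vector handed to a classifier. The window length, the feature names and the sample traffic are assumptions; they are not the paper's 11 features or its dataset.

```python
from collections import Counter
from dataclasses import dataclass

# A darknet has no hosts, so reply-type segments can only be answers to SYNs spoofed
# with darknet source addresses: their flags serve as the backscatter label.
BACKSCATTER_FLAGS = {"SYN-ACK", "RST-ACK", "RST", "ACK"}


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time (seconds)
    src_ip: str     # external sender (the DDoS victim, if backscatter)
    src_port: int
    dst_ip: str     # darknet address that received the packet
    dst_port: int
    flags: str      # TCP control flags, e.g. "SYN", "SYN-ACK"


def label_packet(pkt: Packet) -> str:
    """Flag-derived label used to build the training set."""
    return "backscatter" if pkt.flags in BACKSCATTER_FLAGS else "non-backscatter"


def window_features(packets, start: float, length: float) -> dict:
    """Hypothetical port/IP features for one short window (not the paper's 11 features).
    Backscatter from one victim shows a single src IP/port fanned out over many darknet
    dst IPs and ports; a SYN scan shows many src ports aimed at one dst port."""
    win = [p for p in packets if start <= p.ts < start + length]
    if not win:
        return {}
    n = len(win)
    src_ips, src_ports = Counter(p.src_ip for p in win), Counter(p.src_port for p in win)
    dst_ips, dst_ports = Counter(p.dst_ip for p in win), Counter(p.dst_port for p in win)
    labels = Counter(label_packet(p) for p in win)
    return {
        "packets": n,
        "distinct_src_ips": len(src_ips),
        "distinct_src_ports": len(src_ports),
        "distinct_dst_ips": len(dst_ips),
        "distinct_dst_ports": len(dst_ports),
        "top_src_ip_share": src_ips.most_common(1)[0][1] / n,
        "top_src_port_share": src_ports.most_common(1)[0][1] / n,
        "label": labels.most_common(1)[0][0],  # majority flag label for the window
    }


# Constructed sample traffic (documentation address ranges, not a real capture): a victim
# web server answering spoofed SYNs in second 0, then a SYN sweep of port 445 in second 1.
SAMPLE = [Packet(0.1 + i * 0.04, "203.0.113.10", 80, f"192.0.2.{i + 1}", 40000 + 7 * i, "SYN-ACK")
          for i in range(20)]
SAMPLE += [Packet(1.1 + i * 0.1, "198.51.100.7", 50000 + i, f"192.0.2.{100 + i}", 445, "SYN")
           for i in range(6)]
```

Calling `window_features(SAMPLE, 0.0, 1.0)` and `window_features(SAMPLE, 1.0, 1.0)` yields the two feature vectors that a classifier such as an SVM would be trained on, with the flag-derived label as the target.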
