Dual-Level Attack Detection and Characterization for Networks under DDoS

DDoS attacks aim to deny legitimate users access to a service. In this paper we introduce a novel dual-level attack detection (D-LAD) scheme for defending against DDoS attacks. At the higher, coarse level, macroscopic level detectors (MaLAD) attempt to detect congestion-inducing attacks that cause an apparent slowdown in network functionality; these high-volume attacks are detected early, at border routers in the transit network, before they converge on the victim. At the lower, fine level, microscopic level detectors (MiLAD) detect sophisticated attacks that degrade network performance gracefully, and stealthy attacks that pass undetected through the transit domain. Such attacks have a dramatic impact on the victim and are detected at border routers in the stub domain near the victim. We employ the concepts of a varying threshold and change-point detection on traffic entropy to increase the detection rate, and use honeypots to achieve high filtering accuracy. Results demonstrate that, in addition to being competitive with other techniques in detection rate and false-alarm rate, our scheme is effective across different kinds of DDoS attacks. The proposed technique provides a much-needed solution to the DDoS problem.
