Probabilistic Neural Network based attack traffic classification

This paper surveys the emerging research on methods for identifying legitimate and illegitimate traffic on the network. The focus is on an effective early detection scheme for distinguishing Distributed Denial of Service (DDoS) attack traffic from normal flash crowd traffic. The basic characteristics used to distinguish DDoS attacks from flash crowds are access intents, client request rates, cluster overlap, distribution of source IP addresses, distribution of clients and speed of traffic. The techniques related to each of these metrics are illustrated, and their limitations are listed with justification. This paper proposes a new method that builds a reliable identification model for flash crowds and DDoS attacks. The proposed Probabilistic Neural Network based traffic pattern classification method separates attack traffic from legitimate traffic. The classification process uses a normal traffic profile consisting of single and joint distributions of various packet attributes. This normal profile captures the uniqueness of the traffic distribution and is hard for attackers to mimic as a legitimate flow. The proposed method achieves the highest classification accuracy for DDoS flooding attacks with a false positive rate of less than 1%.
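To make the classification idea concrete, the following is an added illustration (not code from the paper) of a Probabilistic Neural Network deciding between normal traffic, a flash crowd and DDoS flooding from per-window packet attributes. It assumes three features derived from the source-IP distribution and request rate (normalised source-IP entropy, log2 mean requests per source, overlap with a normal client profile), a Gaussian kernel width sigma=0.3, and constructed training patterns and traffic windows; the real paper's feature set and profile are richer.

```python
import math
from collections import Counter

# Constructed normal profile: the client addresses seen in baseline traffic.
# All addresses, windows and training patterns below are illustrative only.
NORMAL_CLIENTS = {"10.0.0.%d" % i for i in range(1, 41)}

def window_features(src_ips, normal_clients=NORMAL_CLIENTS):
    """Summarise one observation window of source addresses as
    (normalised source-IP entropy, log2 mean requests per source,
    fraction of sources that belong to the normal profile)."""
    if not src_ips:
        raise ValueError("empty window")
    counts = Counter(src_ips)
    n, distinct = len(src_ips), len(counts)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    max_entropy = math.log2(distinct)
    norm_entropy = entropy / max_entropy if max_entropy > 0 else 0.0
    overlap = sum(1 for ip in counts if ip in normal_clients) / distinct
    return (norm_entropy, math.log2(n / distinct), overlap)

# Constructed labelled training windows, already in feature space.
TRAIN = [
    ((0.97, 0.3, 0.95), "normal"),      ((0.98, 0.5, 0.90), "normal"),
    ((0.97, 1.0, 0.40), "flash_crowd"), ((0.99, 1.3, 0.30), "flash_crowd"),
    ((1.00, 0.0, 0.00), "ddos"),        ((1.00, 5.5, 0.00), "ddos"),
]

def pnn_classify(x, train=TRAIN, sigma=0.3):
    """Probabilistic Neural Network: one Gaussian kernel centred on each
    training pattern, averaged per class (Parzen estimate of the class
    density); the class with the largest estimate wins."""
    scores, per_class = {}, Counter(label for _, label in train)
    for pattern, label in train:
        d2 = sum((a - b) ** 2 for a, b in zip(x, pattern))
        scores[label] = scores.get(label, 0.0) + math.exp(-d2 / (2 * sigma ** 2))
    for label in scores:
        scores[label] /= per_class[label]
    return max(scores, key=scores.get)

def classify_window(src_ips):
    return pnn_classify(window_features(src_ips))

# Constructed windows: known clients browsing; a flash crowd of new clients
# each making three requests; a spoofed flood; a small botnet hammering.
NORMAL_WINDOW = ["10.0.0.%d" % (i % 40 + 1) for i in range(50)]
FLASH_WINDOW = list(NORMAL_CLIENTS) + ["192.0.2.%d" % i for i in range(1, 61)] * 3
SPOOFED_WINDOW = ["203.0.113.%d" % i for i in range(1, 151)] + ["198.51.100.%d" % i for i in range(1, 151)]
BOTNET_WINDOW = ["203.0.113.%d" % (i % 20 + 1) for i in range(1000)]
```

The flash crowd and the spoofed flood both show near-uniform source-IP entropy; it is the joint view with request rate and profile overlap that separates them, which is the point of using a multi-attribute normal profile.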
