Hybrid DDoS Detection Framework Using Matching Pursuit Algorithm

Although a considerable amount of research has been done on DDoS attacks, they still pose a severe threat to many businesses and internet service providers. DDoS attacks commonly generate a high volume of network traffic. However, resource depletion DDoS attacks can deny the target service while generating much less traffic than legitimate traffic. We propose a novel DDoS detection framework that uses the Matching Pursuit algorithm to detect resource depletion DDoS attacks. We use multiple characteristics of network traffic simultaneously in order to detect low-density DDoS attacks efficiently. The proposed method uses a dictionary produced from the parameters of the network traffic with the K-SVD algorithm. Generating the dictionary from network traffic provides models of legitimate and attack traffic and makes the proposed method adaptable to the network traffic. We also implement DDoS detection approaches that use Matching Pursuit and Wavelet techniques and compare them using two different data sets. Additionally, we offer a hybrid DDoS detection framework that combines these approaches with a decision-making mechanism using an artificial neural network. We evaluate the proposed methods with two different data sets. The proposed approaches achieve a true positive rate over 99% with a false positive rate lower than 0.7% on a low-density DDoS attack dataset. In the hybrid intrusion detection system with more than one attack, the detection performance of the other methods decreases, while the proposed approach achieves true positive rates higher than 99% with a false positive rate lower than 0.7%.
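An added example, not code from the paper: a minimal Matching Pursuit classifier over a fixed dictionary of legitimate and attack atoms, showing how a low-volume window can be flagged from several traffic features at once while a packet-rate threshold stays silent. The feature set, atoms, sample windows, the `volume_alarm` baseline and the energy-comparison decision rule are all assumptions; the paper learns its dictionary with K-SVD, which this example replaces with hand-constructed atoms.

```python
import math

def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def matching_pursuit(signal, atoms, max_iter=3, tol=1e-9):
    """Greedy MP: project the residual onto its best-correlated unit atom, repeat."""
    residual, picks = list(signal), []
    for _ in range(max_iter):
        coeffs = [dot(residual, a) for a in atoms]
        k = max(range(len(atoms)), key=lambda i: abs(coeffs[i]))
        if abs(coeffs[k]) < tol:
            break
        picks.append((k, coeffs[k]))
        residual = [r - coeffs[k] * a for r, a in zip(residual, atoms[k])]
    return picks, residual

# Constructed feature order, each scaled to [0, 1] (assumption, not from the paper):
# [packet rate, byte rate, SYN ratio, new-connection rate, mean packet size]
LEGIT_ATOMS = [unit(a) for a in ([0.8, 0.9, 0.1, 0.2, 0.9], [0.5, 0.6, 0.05, 0.1, 0.8])]
ATTACK_ATOMS = [unit(a) for a in ([0.2, 0.1, 0.9, 0.9, 0.1], [0.1, 0.05, 0.8, 0.6, 0.1])]

def classify(window, max_iter=3):
    """Label a window by which sub-dictionary captures more of its energy."""
    picks, residual = matching_pursuit(window, LEGIT_ATOMS + ATTACK_ATOMS, max_iter)
    energy = {"legit": 0.0, "attack": 0.0}
    for k, c in picks:
        energy["legit" if k < len(LEGIT_ATOMS) else "attack"] += c * c
    label = "attack" if energy["attack"] > energy["legit"] else "legit"
    return label, energy, dot(residual, residual)

def volume_alarm(window, threshold=0.9):
    """Baseline for comparison (assumed): alarm on packet rate alone."""
    return window[0] > threshold

# Constructed sample windows
NORMAL_WINDOW = [0.7, 0.8, 0.1, 0.15, 0.85]
LOW_RATE_ATTACK_WINDOW = [0.25, 0.15, 0.85, 0.8, 0.1]  # little traffic, skewed features

if __name__ == "__main__":
    for name, w in (("normal", NORMAL_WINDOW), ("low-rate attack", LOW_RATE_ATTACK_WINDOW)):
        label, energy, res = classify(w)
        print(f"{name}: label={label} volume_alarm={volume_alarm(w)} "
              f"energy={energy} residual={res:.4f}")
```

Because the atoms are unit-norm, the energy assigned to the two classes plus the residual energy equals the window's total energy, so the residual also indicates how well the dictionary models a given window.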
