Detection of the botnets’ low-rate DDoS attacks based on self-similarity

Author(s):  
Sergii Lysenko ◽  
Kira Bobrovnikova ◽  
Serhii Matiukh ◽  
Ivan Hurman ◽  
Oleg Savenko

The article presents an approach for detecting botnets’ low-rate DDoS attacks based on the botnet’s behavior in the network. The detection process involves analysis of the network traffic generated by a botnet’s low-rate DDoS attack. The proposed technique is part of the BotGRABBER botnet detection system. The novelty of the paper is that low-rate DDoS attack detection involves not only the network features inherent to botnets but also analysis of network traffic self-similarity, which is quantified with the Hurst coefficient. The detection process consists of knowledge formation based on the features that may indicate a low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and draws a conclusion about a possible DDoS attack in the network; and application of a security scenario for the corporate area network’s infrastructure in the situation of low-rate attacks.

Author(s):  
Theodorus Kristian Widianto ◽  
Wiwin Sulistyo

Security on computer networks is currently a matter that must be considered, especially by internet users, because many risks must be borne if it is neglected. Data theft, system destruction, and so on are threats to users, especially on the server side. DDoS is a fairly popular attack method that is often used to bring down servers. It works by consuming resources on the server computer so that it can no longer serve requests from the user side. Given this problem, security measures are needed to prevent DDoS attacks, one of which is iptables, which is provided by Linux. Implementing iptables can prevent or stop external DDoS attacks aimed at the server.


2018 ◽  
Vol 2018 ◽  
pp. 1-13 ◽  
Author(s):  
Mohamed Idhammad ◽  
Karim Afdel ◽  
Mustapha Belouch

Cloud Computing services are often delivered through the HTTP protocol. This facilitates access to services and reduces costs for both providers and end-users. However, it also increases the exposure of Cloud services to HTTP DDoS attacks. HTTP request methods are often used to target web servers’ vulnerabilities and create multiple HTTP DDoS attack scenarios, such as Low and Slow or Flooding attacks. Existing HTTP DDoS detection systems are challenged by the large volume of network traffic generated by these attacks, low detection accuracy, and high false positive rates. In this paper we present a detection system for HTTP DDoS attacks in a Cloud environment based on information-theoretic entropy and the Random Forest ensemble learning algorithm. A time-based sliding window algorithm is used to estimate the entropy of the network header features of the incoming network traffic. When the estimated entropy exceeds its normal range, the preprocessing and classification tasks are triggered. To assess the proposed approach, various experiments were performed on the CIDDS-001 public dataset. The proposed approach achieves satisfactory results with an accuracy of 99.54%, an FPR of 0.4%, and a running time of 18.5 s.


2018 ◽  
Vol 15 (1) ◽  
pp. 139-162 ◽  
Author(s):  
Miodrag Petkovic ◽  
Ilija Basicevic ◽  
Dragan Kukolj ◽  
Miroslav Popovic

The detection of distributed denial of service (DDoS) attacks based on internet traffic anomalies is a method which is general in nature and can detect unknown or zero-day attacks. One of the statistical characteristics used for this purpose is network traffic entropy: a sudden change in entropy may indicate a DDoS attack. However, this approach often gives false positives, and this is the main obstacle to its wider deployment within network security equipment. In this paper, we propose a new, two-step method for detection of DDoS attacks. This method combines the approaches of network traffic entropy and the Takagi-Sugeno-Kang fuzzy system. In the first step, the detection process calculates the entropy distribution of the network packets. In the second step, the Takagi-Sugeno-Kang fuzzy system (TSK-FS) method is applied to these entropy values. The performance of the TSK-FS method is compared with that of the typically used approach, in which cumulative sum (CUSUM) change point detection is applied directly to entropy time series. The results show that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process, achieving a high true-positive detection rate and a very low false-positive rate. As it is based on entropy, this combined method retains its generality and is capable of detecting various types of attack.


Author(s):  
Mohammad Jabed Morshed Chowdhury ◽  
Dileep Kumar G

A Distributed Denial of Service (DDoS) attack is considered one of the major security threats in the current Internet. Although many solutions have been suggested for DDoS defense, real progress in fighting these attacks is still missing. In this chapter, the authors analyze and experiment with cluster-based filtering for DDoS defense. In cluster-based filtering, unsupervised learning is used to create a profile of the network traffic. The profiled traffic is then passed through filters of different capacity to the servers. After applying this mechanism, legitimate traffic receives better bandwidth capacity than malicious traffic, so the effect of bad or malicious traffic on the network is reduced. Before describing the proposed solutions, a detailed survey of the different DDoS countermeasures is presented in the chapter.


2021 ◽  
Author(s):  
Abigail Koay

High and low-intensity attacks are two common Distributed Denial of Service (DDoS) attacks that disrupt Internet users and their daily operations. Detecting these attacks is important to ensure that communication, business operations, and education facilities can run smoothly. Many DDoS attack detection systems have been proposed in the past but still lack performance, scalability, and information sharing ability to detect both high and low-intensity DDoS attacks accurately and early. To combat these issues, this thesis studies the use of Software-Defined Networking technology, entropy-based features, and machine learning classifiers to develop three useful components, namely a good system architecture, a useful set of features, and an accurate and generalised traffic classification scheme. The findings from the experimental analysis and evaluation results of the three components provide important insights for researchers to improve the overall performance, scalability, and information sharing ability for building an accurate and early DDoS attack detection system.


2021 ◽  
Vol 48 (4) ◽  
Author(s):  
Jagdeep Singh ◽  
Navjot Jyoti ◽  
Sunny Behal ◽  
...  

A Distributed Denial of Service (DDoS) attack is one of the lethal threats that can cripple the computing and communication resources of a web server hosting Internet-based services and applications. Over the years it has motivated researchers to find diversified and robust solutions to combat DDoS attacks and to distinguish flash events (a sudden surge in legitimate traffic) from HR-DDoS (High-Rate DDoS) attacks. In recent times, the volume of legitimate traffic has also grown manyfold. This results in behavioral similarities between attack traffic and legitimate traffic that make it very difficult, yet crucial, to differentiate between the two. Predominantly, NetFlow-based techniques are in use for detecting and differentiating legitimate and attack traffic flows. Over the last decade, fellow researchers have extensively used distinct information theory metrics for NetFlow-based DDoS defense solutions. However, a comprehensive analysis and comparison of these diversified information theory metrics, as used specifically for DDoS attack detection, is needed for a better understanding of information theory-based defense systems. This paper elucidates the efficacy and effectiveness of various information theory-based entropy and divergence measures in the field of DDoS attack detection. As part of the work, a generalized NetFlow-based methodology has been proposed. The proposed detection methodology has been validated using the traffic traces of various real benchmarked datasets on a set of detection system evaluation metrics such as Detection rate (Recall), Precision, F-Measure, FPR, Classification rate, and Receiver-Operating Characteristics (ROC) curves. It is concluded that generalized divergence-based information theory metrics produce more accuracy in detecting different types of attack flows than entropy-based information theory metrics.


Author(s):  
Mohammad A. Aladaileh ◽  
Mohammed Anbar ◽  
Iznan H. Hasbullah ◽  
Yousef K. Sanjalawe

The number of network users and devices has increased exponentially in the last few decades, giving rise to sophisticated security threats while processing users’ and devices’ network data. Software-Defined Networking (SDN) introduces many new features, but none is more revolutionary than separating the control plane from the data plane. The separation helps DDoS attack detection mechanisms by introducing novel features and functionalities. Since the controller is the most critical part of the SDN network, its ability to control and monitor network traffic flow behavior ensures the network functions properly and smoothly. However, the controller’s importance to the SDN network makes it an attractive target for attackers. A Distributed Denial of Service (DDoS) attack is one of the major threats to network security. This paper presents a comprehensive review of information theory-based approaches to detect low-rate and high-rate DDoS attacks on SDN controllers. Additionally, this paper provides a qualitative comparison between this work and the existing reviews on DDoS attack detection approaches using various metrics to highlight this work’s uniqueness. Moreover, this paper provides in-depth discussion of and insight into the existing DDoS attack detection approaches to point out their weaknesses, which open avenues for future research directions. Meanwhile, the findings of this paper can be used by other researchers to propose a new or enhanced approach to protect SDN controllers from the threats of DDoS attacks by accurately detecting both low-rate and high-rate DDoS attacks.


Micromachines ◽  
2021 ◽  
Vol 12 (9) ◽  
pp. 1019
Author(s):  
Yen-Hung Chen ◽  
Yuan-Cheng Lai ◽  
Kai-Zhong Zhou

The Deterministic Network (DetNet) is becoming a major feature of 5G and 6G networks to cope with the issue that conventional IT infrastructure cannot efficiently handle latency-sensitive data. DetNet applies flow virtualization to satisfy time-critical flow requirements, but inevitably, DetNet flows and conventional flows interact/interfere with each other when sharing the same physical resources. This subsequently raises the hybrid DDoS security issue that high-volume malicious traffic not only attacks the DetNet centralized controller itself but also attacks the links that DetNet flows pass through. Previous research focused on DDoS attacks against either the centralized controller or the links. As DDoS attack techniques evolve, Hybrid DDoS attacks can attack multiple targets (controllers or links) simultaneously, which are difficult to detect with previous DDoS detection methodologies. This study, therefore, proposes a Flow Differentiation Detector (FDD), a novel approach to detect Hybrid DDoS attacks. The FDD first applies a fuzzy-based mechanism, Target Link Selection, to determine the most valuable links for a DDoS link/server attacker and then statistically evaluates the traffic pattern flowing through these links. Furthermore, a contribution of this study is to deploy the FDD in the SDN controller OpenDayLight to implement a Hybrid DDoS attack detection system. The experimental results show that the FDD has superior detection accuracy (above 90%) compared with traditional methods under different ratios of Hybrid DDoS attacks and different types and scales of topology.
