Evaluation of Takagi-Sugeno-Kang fuzzy method in entropy-based detection of DDoS attacks

2018 ◽  
Vol 15 (1) ◽  
pp. 139-162 ◽  
Author(s):  
Miodrag Petkovic ◽  
Ilija Basicevic ◽  
Dragan Kukolj ◽  
Miroslav Popovic

The detection of distributed denial of service (DDoS) attacks based on internet traffic anomalies is a method which is general in nature and can detect unknown or zero-day attacks. One of the statistical characteristics used for this purpose is network traffic entropy: a sudden change in entropy may indicate a DDoS attack. However, this approach often gives false positives, and this is the main obstacle to its wider deployment within network security equipment. In this paper, we propose a new, two-step method for detection of DDoS attacks. This method combines the approaches of network traffic entropy and the Takagi-Sugeno-Kang fuzzy system. In the first step, the detection process calculates the entropy distribution of the network packets. In the second step, the Takagi-Sugeno-Kang fuzzy system (TSK-FS) method is applied to these entropy values. The performance of the TSK-FS method is compared with that of the typically used approach, in which cumulative sum (CUSUM) change point detection is applied directly to entropy time series. The results show that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process, achieving a high true-positive detection rate and a very low false-positive rate. As it is based on entropy, this combined method retains its generality and is capable of detecting various types of attack.
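The entropy-plus-CUSUM baseline that the abstract compares the TSK-FS detector against, as an added example that is not the paper's code: it computes the Shannon entropy of the source-IP distribution in each window of packets, then runs a two-sided CUSUM over the entropy series so that both a drop (a few bot sources dominating the window) and a rise (randomly spoofed sources) raise an alarm. The packet trace, window size, training period, drift and threshold are constructed for the demonstration; the TSK fuzzy stage is not reproduced because the abstract gives no membership functions or rules.

```python
"""Entropy time series over packet windows with two-sided CUSUM change-point
detection. Added example on a constructed trace; not the paper's code."""
import math
import random
from collections import Counter


def shannon_entropy(counts):
    """Shannon entropy in bits of a categorical distribution given as counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def entropy_series(packets, window):
    """Entropy of the source-IP distribution in consecutive, non-overlapping
    windows of `window` packets. `packets` is a list of (src_ip, dst_ip)."""
    return [
        shannon_entropy(Counter(src for src, _ in packets[i:i + window]))
        for i in range(0, len(packets) - window + 1, window)
    ]


def cusum(series, baseline, drift, threshold):
    """Two-sided CUSUM (Page's test) over the entropy series.

    baseline  : expected entropy under normal traffic (mean of a training period)
    drift     : allowance k; deviations smaller than this are not accumulated
    threshold : alarm level h
    Returns the window indices at which an alarm fired. Both statistics reset
    after an alarm, so a sustained shift keeps producing alarms.
    """
    pos = neg = 0.0
    alarms = []
    for i, x in enumerate(series):
        pos = max(0.0, pos + (x - baseline) - drift)   # entropy rising
        neg = max(0.0, neg - (x - baseline) - drift)   # entropy falling
        if pos > threshold or neg > threshold:
            alarms.append(i)
            pos = neg = 0.0
    return alarms


def build_trace(window=500, seed=7):
    """Constructed trace (assumption, not captured traffic): 50 windows to one
    victim. Windows 0-19 normal (200 client sources), 20-29 a flood in which
    five bots send about 80% of packets (entropy drops), 30-39 normal, 40-49 a
    flood with randomly spoofed sources (entropy rises)."""
    rng = random.Random(seed)
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(200)]
    bots = [f"198.51.100.{i}" for i in range(1, 6)]
    victim = "203.0.113.10"
    packets = []
    for w in range(50):
        for _ in range(window):
            if 20 <= w < 30 and rng.random() < 0.8:
                src = rng.choice(bots)
            elif 40 <= w < 50:
                src = ".".join(str(rng.randrange(256)) for _ in range(4))
            else:
                src = rng.choice(clients)
            packets.append((src, victim))
    return packets


def run_demo(window=500, training_windows=10, drift=0.25, threshold=2.0):
    """Estimate the baseline from the first windows, then run CUSUM over all."""
    series = entropy_series(build_trace(window), window)
    baseline = sum(series[:training_windows]) / training_windows
    alarms = cusum(series, baseline, drift, threshold)
    return {"series": series, "baseline": baseline, "alarms": alarms}


if __name__ == "__main__":
    result = run_demo()
    print(f"baseline entropy {result['baseline']:.2f} bits")
    for i in result["alarms"]:
        print(f"alarm at window {i}: entropy {result['series'][i]:.2f} bits")
```

The bot flood is caught in its first window because the drop of several bits exceeds the threshold at once; the spoofed flood raises entropy by a smaller amount, so the CUSUM needs two windows to accumulate past the threshold. The drift and threshold are exactly the knobs that trade detection delay against the false-positive rate the abstract describes as the obstacle to deployment, and on real traffic they must be tuned against a representative normal period.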

Author(s):  
Mohammad Jabed Morshed Chowdhury ◽  
Dileep Kumar G

Distributed Denial of Service (DDoS) attacks are considered one of the major security threats in the current Internet. Although many solutions have been suggested for DDoS defense, real progress in fighting those attacks is still missing. In this chapter, the authors analyze and experiment with cluster-based filtering for DDoS defense. In cluster-based filtering, unsupervised learning is used to create a profile of the network traffic. Then the profiled traffic is passed through filters of different capacities to the servers. After applying this mechanism, the legitimate traffic gets better bandwidth capacity than the malicious traffic. Thus the effect of bad or malicious traffic on the network is smaller. Before describing the proposed solutions, a detailed survey of the different DDoS countermeasures is presented in the chapter.


2015 ◽  
Vol 2015 ◽  
pp. 1-11 ◽  
Author(s):  
Jian Kang ◽  
Mei Yang ◽  
Junyao Zhang

We propose using multiple observed features of network traffic to identify new highly distributed low-rate quality of service (QoS) violations so that detection accuracy may be further improved. For the multiple observed features, we choose the F feature in the TCP packet header as a microscopic feature and the P feature and D feature of network traffic as macroscopic features. Based on these features, we establish a multistream fused hidden Markov model (MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted using the Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM is a significant 23.39% and 44.64% improvement over the typical power spectrum density (PSD) algorithm and the nonparametric cumulative sum (CUSUM) algorithm, respectively.


Electronics ◽  
2021 ◽  
Vol 10 (17) ◽  
pp. 2105
Author(s):  
Vasudha Vedula ◽  
Palden Lama ◽  
Rajendra V. Boppana ◽  
Luis A. Trejo

Distributed denial of service (DDoS) attacks aim to deplete the network bandwidth and computing resources of targeted victims. Low-rate DDoS attacks exploit protocol features such as the transmission control protocol (TCP) three-way handshake mechanism for connection establishment and the TCP congestion-control induced backoffs to attack at a much lower rate and still effectively bring down the targeted network and computer systems. Most of the statistical and machine/deep learning-based detection methods proposed in the literature require keeping track of packets by flows and have high processing overheads for feature extraction. This paper presents a novel two-stage model that uses Long Short-Term Memory (LSTM) and Random Forest (RF) to detect the presence of attack flows in a group of flows. This model has a very low data processing overhead; it uses only two features and does not require keeping track of packets by flows, making it suitable for continuous monitoring of network traffic and on-the-fly detection. The paper also presents an LSTM Autoencoder to detect individual attack flows with high detection accuracy using only two features. Additionally, the paper presents an analysis of a support vector machine (SVM) model that detects attack flows in slices of network traffic collected for short durations. The low-rate attack dataset used in this study is made available to the research community through GitHub.


2017 ◽  
Vol 6 (2) ◽  
pp. 140-148 ◽  
Author(s):  
Abdul Fadlil ◽  
Imam Riadi ◽  
Sukma Aji

Distributed Denial of Service (DDoS) is a type of attack whose volume, intensity, and mitigation cost continue to increase in this era. Attackers use many zombie computers to exhaust the resources available to a network, application, or service so that authorized users cannot gain access or the network service goes down, which is a great loss for Internet users in computer networks affected by DDoS attacks. In network forensics, a crime that occurs in a system's network services can be brought to court and the attackers punished in accordance with the law. This research aims to develop a new approach to detecting DDoS attacks based on network traffic activity, statistically analyzed using the Naive Bayes method. Data were taken from training and testing of network traffic on a core router in the Master of Information Technology Research Laboratory, University of Ahmad Dahlan, Yogyakarta. The new approach to detecting DDoS attacks is expected to be connected with an Intrusion Detection System (IDS) to predict the existence of DDoS attacks.


Author(s):  
Sergii Lysenko ◽  
Kira Bobrovnikova ◽  
Serhii Matiukh ◽  
Ivan Hurman ◽  
Oleg Savenko

This article presents an approach for detecting botnets' low-rate DDoS attacks based on the botnet's behavior in the network. The detection process involves analysis of the network traffic generated by the botnet's low-rate DDoS attack. The proposed technique is part of the botnet detection system BotGRABBER. The novelty of the paper is that low-rate DDoS attack detection involves not only the network features inherent to botnets, but also network traffic self-similarity analysis, which is defined with the use of the Hurst coefficient. The detection process consists of knowledge formation based on the features that may indicate a low-rate DDoS attack performed by a botnet; network monitoring, which analyzes information obtained from the network and draws a conclusion about a possible DDoS attack in the network; and the application of the security scenario for the corporate area network's infrastructure in the situation of low-rate attacks.
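Hurst exponent estimation by rescaled-range (R/S) analysis, as an added example that is not BotGRABBER's code: the abstract names the Hurst coefficient as its self-similarity measure but gives neither the estimator nor the decision rule, so the example shows only the estimator, run on two constructed packets-per-interval series (independent Gaussian counts, where H comes out near 0.5, and a strongly autocorrelated AR(1) series, where the estimate is noticeably higher). The series, block sizes and seed are assumptions; which direction of change a detector should flag is the paper's rule and is not reproduced.

```python
"""Hurst exponent by rescaled-range (R/S) analysis on constructed traffic
count series. Added example; not BotGRABBER's code."""
import math
import random


def rescaled_range(block):
    """R/S statistic of one block: range of the mean-adjusted cumulative sum
    divided by the block's (population) standard deviation; 0.0 if constant."""
    n = len(block)
    mean = sum(block) / n
    cum, lo, hi = 0.0, 0.0, 0.0
    for x in block:
        cum += x - mean
        lo, hi = min(lo, cum), max(hi, cum)
    std = math.sqrt(sum((x - mean) ** 2 for x in block) / n)
    return (hi - lo) / std if std > 0 else 0.0


def hurst_exponent(series, min_block=16):
    """Hurst exponent H by R/S analysis.

    For block sizes w = min_block, 2*min_block, ... up to len(series)//4, split
    the series into non-overlapping blocks, average R/S over the blocks, then
    take the least-squares slope of log(mean R/S) against log(w).
    Raises ValueError if fewer than three block sizes fit the series.
    """
    n = len(series)
    sizes = []
    w = min_block
    while w <= n // 4:
        sizes.append(w)
        w *= 2
    if len(sizes) < 3:
        raise ValueError("series too short for R/S analysis")
    xs, ys = [], []
    for w in sizes:
        blocks = [series[i:i + w] for i in range(0, n - w + 1, w)]
        rs = [r for r in (rescaled_range(b) for b in blocks) if r > 0]
        if rs:
            xs.append(math.log(w))
            ys.append(math.log(sum(rs) / len(rs)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def constructed_series(n=2048, seed=11):
    """Two constructed packets-per-interval series (assumption, not real traffic):
    'white'      : independent Gaussian counts around a mean, no memory
    'persistent' : AR(1) with coefficient 0.95, strongly autocorrelated"""
    rng = random.Random(seed)
    white = [100.0 + 10.0 * rng.gauss(0, 1) for _ in range(n)]
    persistent, x = [], 0.0
    for _ in range(n):
        x = 0.95 * x + rng.gauss(0, 1)
        persistent.append(100.0 + 10.0 * x)
    return {"white": white, "persistent": persistent}


def run_demo():
    """Hurst estimate for each constructed series."""
    return {name: hurst_exponent(s) for name, s in constructed_series().items()}


if __name__ == "__main__":
    for name, h in run_demo().items():
        print(f"{name:10s} H = {h:.2f}")
```

R/S estimates on short series are biased upward (a memoryless series comes out a little above 0.5), and a short-memory process such as the AR(1) here inflates the estimate at small block sizes, so in a detector the comparison that matters is against a baseline H measured on the same link with the same block sizes, not against the theoretical 0.5.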


2020 ◽  
Author(s):  
Faisal Hussain ◽  
Syed Ghazanfar Abbas ◽  
Muhammad Husnain ◽  
Ubaid U. Fayyaz ◽  
Farrukh Shahzad ◽  
...  

Network attacks are increasing in both frequency and intensity with the rapid growth of Internet of Things (IoT) devices. Recently, denial of service (DoS) and distributed denial of service (DDoS) attacks have been reported as the most frequent attacks in IoT networks. Traditional security solutions like firewalls, intrusion detection systems, etc., are unable to detect complex DoS and DDoS attacks, since most of them filter normal and attack traffic based on static predefined rules. However, these solutions can become reliable and effective when integrated with artificial intelligence (AI) based techniques. During the last few years, deep learning models, especially convolutional neural networks, have achieved high significance due to their outstanding performance in the image processing field. The potential of these convolutional neural network (CNN) models can be used to efficiently detect complex DoS and DDoS attacks by converting the network traffic dataset into images. Therefore, in this work, we proposed a methodology to convert network traffic data into image form and trained a state-of-the-art CNN model, i.e., ResNet, over the converted data. The proposed methodology accomplished 99.99% accuracy for detecting DoS and DDoS in the case of binary classification. Furthermore, the proposed methodology achieved 87% average precision for recognizing eleven types of DoS and DDoS attack patterns, which is 9% higher than the state of the art.


Author(s):  
Tuyen Dang-Van ◽  
Huong Truong-Thu

Nowadays, Software-Defined Networking (SDN) has become a promising network architecture in which network devices are controlled from a separate Control Plane (i.e., the SDN controller). In one respect, employing SDN in a network offers an attractive network security solution due to its flexibility in building and adding new software security rules. From another perspective, attack prediction and mitigation, especially for Distributed Denial of Service (DDoS) attacks, are still challenges in SDN environments, since an SDN control system probably works more slowly than a non-SDN one and the SDN controller can itself become a target of attacks. In this article, we first analyze a real traffic use case in order to derive DDoS indicators and thresholds. Secondly, we design an OpenFlow/SDN-based Attack Mitigation Architecture that is able to quickly mitigate DDoS attacks on the fly. The design solves existing problems of the OpenFlow protocol, reducing the traffic volume traversing the interface between the data plane (switch) and the control plane (SDN controller) and decreasing the buffer size at the OpenFlow switch. Applying our proposed Fuzzy Logic-based DDoS Mitigation algorithm, which uses multiple criteria for DDoS detection (FDDoM), the system demonstrates the ability to detect and filter 97% of attack flows and reaches a False Positive Rate of 5%, which are acceptable figures in real system management. The results also show that the network resources required to cope with and maintain flow entries are reduced by 50% during attack time.


2020 ◽  
Vol 10 (1) ◽  
pp. 220-230
Author(s):  
Shubhra Dwivedi ◽  
Manu Vardhan ◽  
Sarsij Tripathi

Distributed denial-of-service (DDoS) attacks on the Internet of Things (IoT) pose a serious threat to several web-based networks. The intruder's ability to deal with the power of various cooperating devices to instigate an attack makes its administration even more multifaceted. This complexity can be further increased when many intruders attempt to overload a device with an attack. To counter and defend against modern DDoS attacks, several effective and powerful techniques have been used in the literature, such as data mining and artificial intelligence for the intrusion detection system (IDS), but they have some limitations. To overcome the existing limitations, in this study we propose an intrusion detection mechanism that integrates a filter-based feature selection technique and a machine learning algorithm, called the information gain-based intrusion detection system (IGIDS). IGIDS selects the most relevant features from the original IDS datasets, which can help to distinguish typical low-speed DDoS attacks, and the selected features are then passed on to the classifiers, i.e. support vector machine (SVM), decision tree (C4.5), naïve Bayes (NB) and multilayer perceptron (MLP), to detect attacks. The publicly available datasets KDD Cup 99, CAIDA DDoS Attack 2007, CONFICKER worm, and UNINA traffic traces are used for our experimental study. From the simulation results, it is clear that IGIDS with C4.5 achieves high detection and accuracy with a low false-positive rate.


Author(s):  
Amit Sharma

Distributed Denial of Service attacks are significant threats these days to web applications and web services. These attacks are moving toward the application layer in order to acquire and waste the maximum number of CPU cycles. By requesting resources from web services in huge amounts using rapid-fire requests, automated attacker programs consume all the processing capacity of a single-server application or a distributed-environment application. The phases of the scheme's execution are user behavior monitoring and detection. In the first phase, data on user behavior are gathered, each individual user's trust score is computed, and the entropy of the same user is calculated. HTTP Unbearable Load King (HULK) attacks are also evaluated. Based on the first phase, in the detection phase, variation in entropy is observed and malicious users are identified. A rate limiter is also introduced to stop or scale down serving the malicious users. This paper introduces the FAÇADE layer for detecting and blocking the unauthorized user from attacking the system.


2020 ◽  
Author(s):  
Ibrar Ul Hassan Akhtar

The current research attempts to understand the COVID-19 pandemic curve through a statistical approach of probability density functions with associated skewness and kurtosis measures, change point detection, and polynomial fitting to estimate the infected population along with a 30-day projection. The pandemic curve has been explored for above-average affected countries, six regions, and the global scale during the 64 days from 22nd January to 24th March 2020. The global case infection and recovery rate curves remained in the ranges of 0‒9.89% and 0‒8.89%, respectively. The confirmed-cases probability density curve is highly positively skewed and leptokurtic, with a mean global daily infected population of 6620. The recovered cases showed a bimodal, positively skewed curve of leptokurtic type, with a daily recovery of 1708. Change point detection helped to understand the COVID-19 curve in terms of sudden changes in the mean or in the mean with variance. This pointed out that the disease curve consists of three phases and a last segment that vary in day length. Change detection based on the mean with variance is better at differentiating phases and associated segment lengths than detection based on the mean alone. The global infected population might rise to between 0.750 and 4.680 million by 24th April 2020, depending on the pandemic curve's progress beyond 24th March 2020. The most affected countries are expected to be the USA, Italy, China, Spain, Germany, France, Switzerland, Iran and the UK, each with an infected population of at least 0.100 million. Infected-population polynomial projection errors remained in the range of -78.8 to 49.0%.

