Detecting High and Low Intensity Distributed Denial of Service (DDoS) Attacks

Ddos Attacks ◽

Low Intensity ◽

Ddos Attack ◽

<p>High and low-intensity attacks are two common Distributed Denial of Service (DDoS) attacks that disrupt Internet users and their daily operations. Detecting these attacks is important to ensure that communication, business operations, and education facilities can run smoothly. Many DDoS attack detection systems have been proposed in the past but still lack performance, scalability, and information sharing ability to detect both high and low-intensity DDoS attacks accurately and early. To combat these issues, this thesis studies the use of Software-Defined Networking technology, entropy-based features, and machine learning classifiers to develop three useful components, namely a good system architecture, a useful set of features, and an accurate and generalised traffic classification scheme. The findings from the experimental analysis and evaluation results of the three components provide important insights for researchers to improve the overall performance, scalability, and information sharing ability for building an accurate and early DDoS attack detection system.</p>

On the use of information theory metrics for detecting DDoS attacks and flash events: an empirical analysis, comparison, and future directions

Kuwait Journal of Science ◽

10.48129/kjs.v48i4.10612 ◽

2021 ◽

Vol 48 (4) ◽

Author(s):

Jagdeep Singh ◽

◽

Navjot Jyoti ◽

Sunny Behal ◽

◽

...

Keyword(s):

Information Theory ◽

Detection System ◽

Denial Of Service ◽

Attack Detection ◽

High Rate ◽

Ddos Attacks ◽

Operating Characteristics ◽

Classification Rate ◽

Ddos Attack ◽

A Distributed Denial of Service (DDoS) attack is one of the lethal threats that can cripple down the computing and communication resources of a web server hosting Internet-based services and applications. It has motivated the researchers over the years to find diversified and robust solutions to combat against DDoS attacks and characterization of flash events (a sudden surge in the legitimate traffic) from HR-DDoS (High-Rate DDoS) attacks. In recent times, the volume of legitimate traffic has also magnified manifolds. It results in behavioral similarities of attack traffic and legitimate traffic that make it very difficult and crucial to differentiate between the two. Predominantly, Netflow-based techniques are in use for detecting and differentiating legitimate and attack traffic flows. Over the last decade, fellow researchers have extensively used distinct information theory metrics for Netflow-based DDoS defense solutions. However, a comprehensive analysis and comparison of these diversified information theory metrics used for particularly DDoS attack detection are needed for a better understanding of the defense systems based on information theory. This paper elucidates the efficacy and effectiveness of information theory-based various entropy and divergence measures in the field of DDoS attack detection. As part of the work, a generalized NetFlow-based methodology has been proposed. The proposed detection methodology has been validated using the traffic traces of various real benchmarked datasets on a set of detection system evaluation metrics such as Detection rate (Recall), Precision, F-Measure, FPR, Classification rate, and Receiver-Operating Characteristics (ROC) curves. It has concluded that generalized divergence-based information theory metrics produce more accuracy in detecting different types of attack flows in contrast to entropy-based information theory metrics.

Adaptive DDoS Attack Detection Method Based on Multiple-Kernel Learning

Security and Communication Networks ◽

10.1155/2018/5198685 ◽

2018 ◽

Vol 2018 ◽

pp. 1-19 ◽

Cited By ~ 8

Author(s):

Jieren Cheng ◽

Chen Zhang ◽

Xiangyan Tang ◽

Victor S. Sheng ◽

Zhe Dong ◽

...

Keyword(s):

Detection Method ◽

Denial Of Service ◽

Multiple Kernel Learning ◽

Attack Detection ◽

Kernel Learning ◽

Economic Losses ◽

Ddos Attacks ◽

Ddos Attack ◽

Multiple Kernel ◽

Distributed denial of service (DDoS) attacks has caused huge economic losses to society. They have become one of the main threats to Internet security. Most of the current detection methods based on a single feature and fixed model parameters cannot effectively detect early DDoS attacks in cloud and big data environment. In this paper, an adaptive DDoS attack detection method (ADADM) based on multiple-kernel learning (MKL) is proposed. Based on the burstiness of DDoS attack flow, the distribution of addresses, and the interactivity of communication, we define five features to describe the network flow characteristic. Based on the ensemble learning framework, the weight of each dimension is adaptively adjusted by increasing the interclass mean with a gradient ascent and reducing the intraclass variance with a gradient descent, and the classifier is established to identify an early DDoS attack by training simple multiple-kernel learning (SMKL) models with two characteristics including interclass mean squared difference growth (M-SMKL) and intraclass variance descent (S-SMKL). The sliding window mechanism is used to coordinate the S-SMKL and M-SMKL to detect the early DDoS attack. The experimental results indicate that this method can detect DDoS attacks early and accurately.

Developments in Information Security and Cybernetic Wars - Advances in Information Security, Privacy, and Ethics ◽

Detecting DDoS Attacks on Multiple Network Hosts

10.4018/978-1-5225-8304-2.ch006 ◽

2019 ◽

pp. 121-139 ◽

Cited By ~ 1

Author(s):

Konstantinos F. Xylogiannopoulos ◽

Panagiotis Karampelas ◽

Reda Alhajj

Keyword(s):

Denial Of Service ◽

Attack Detection ◽

Detection Methods ◽

Secondary Sources ◽

Ddos Attack ◽

Timely Fashion ◽

Multiple Network ◽

Ddos Attack Detection ◽

Low Traffic

The proliferation of low security internet of things devices has widened the range of weapons that malevolent users can utilize in order to attack legitimate services in new ways. In the recent years, apart from very large volumetric distributed denial of service attacks, low and slow attacks initiated from intelligent bot networks have been detected to target multiple hosts in a network in a timely fashion. However, even if the attacks seem to be “innocent” at the beginning, they generate huge traffic in the network without practically been detected by the traditional DDoS attack detection methods. In this chapter, an advanced pattern detection method is presented that is able to collect and classify in real time all the incoming traffic and detect a developing slow and low DDoS attack by monitoring the traffic in all the hosts of the network. The experimental analysis on a real dataset provides useful insights about the effectiveness of the method by identifying not only the main source of attack but also secondary sources that produce low traffic, targeting though multiple hosts.

DoS and DDoS Attack Detection Using Deep Learning and IDS

The International Arab Journal of Information Technology ◽

10.34028/iajit/17/4a/10 ◽

2020 ◽

Vol 17 (4A) ◽

pp. 655-661

Author(s):

Mohammad Shurman ◽

Rami Khrais ◽

Abdulrahman Yateem

Keyword(s):

Deep Learning ◽

Short Term Memory ◽

Detection System ◽

Denial Of Service ◽

Attack Detection ◽

Target System ◽

Online Systems ◽

Ddos Attack ◽

Long Short Term Memory ◽

In the recent years, Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack has spread greatly and attackers make online systems unavailable to legitimate users by sending huge number of packets to the target system. In this paper, we proposed two methodologies to detect Distributed Reflection Denial of Service (DrDoS) attacks in IoT. The first methodology uses hybrid Intrusion Detection System (IDS) to detect IoT-DoS attack. The second methodology uses deep learning models, based on Long Short-Term Memory (LSTM) trained with latest dataset for such kinds of DrDoS. Our experimental results demonstrate that using the proposed methodologies can detect bad behaviour making the IoT network safe of Dos and DDoS attacks

Intelligent Traffic Classification for Detecting DDoS Attacks using SDN/OpenFlow

10.26686/wgtn.17064107.v1 ◽

2021 ◽

Author(s):

◽

Jarrod Bakker

Keyword(s):

Denial Of Service ◽

Network Control ◽

Traffic Classification ◽

Ddos Attacks ◽

Network Information ◽

Ddos Attack ◽

Machine Learning Methods ◽

Attack Scenario ◽

And Control

<p>Distributed denial of service (DDoS) attacks utilise many attacking entities to prevent legitimate use of a resource via consumption. Detecting these attacks is often difficult when using a traditional networking paradigm as network information and control are not centralised. Software-Defined Networking is a recent paradigm that centralises network control, thus improving the ability to gather network information. Traffic classification techniques can leverage the gathered data to detect DDoS attacks.This thesis utilises nmeta2, a SDN-based traffic classification architecture, to study the effectiveness of machine learning methods to detect DDoS attacks. These methods are evaluated on a physical network testbed to demonstrate their application during a DDoS attack scenario.</p>

Improving Distributed Denial of Service (DDOS) Detection using Entropy Method in Software Defined Network (SDN)

ComTech Computer Mathematics and Engineering Applications ◽

10.21512/comtech.v8i4.3902 ◽

2017 ◽

Vol 8 (4) ◽

pp. 215

Author(s):

Maman Abdurohman ◽

Dani Prasetiawan ◽

Fazmah Arif Yulianto

Keyword(s):

Denial Of Service ◽

Entropy Method ◽

Attack Detection ◽

New Method ◽

Sudden Increase ◽

Software Defined Network ◽

Ddos Attack ◽

Ddos Detection ◽

This research proposed a new method to enhance Distributed Denial of Service (DDoS) detection attack on Software Defined Network (SDN) environment. This research utilized the OpenFlow controller of SDN for DDoS attack detection using modified method and regarding entropy value. The new method would check whether the traffic was a normal traffic or DDoS attack by measuring the randomness of the packets. This method consisted of two steps, detecting attack and checking the entropy. The result shows that the new method can reduce false positive when there is a temporary and sudden increase in normal traffic. The new method succeeds in not detecting this as a DDoS attack. Compared to previous methods, this proposed method can enhance DDoS attack detection on SDN environment.

DDoS detection and prevention based on artificial intelligence techniques

Scientific Bulletin of Naval Academy ◽

10.21279/1454-864x-19-i1-018 ◽

2019 ◽

Vol XXII (1) ◽

pp. 134-143

Author(s):

Glăvan D.

Keyword(s):

Artificial Intelligence ◽

Denial Of Service ◽

Attack Detection ◽

Machine Learning Algorithms ◽

Ddos Attacks ◽

Great Loss ◽

Artificial Intelligence Techniques ◽

Ddos Attack ◽

Random Forest Tree ◽

Distributed Denial of Service (DDoS) attacks have been the major threats for the Internet and can bring great loss to companies and governments. With the development of emerging technologies, such as cloud computing, Internet of Things (IoT), artificial intelligence techniques, attackers can launch a huge volume of DDoS attacks with a lower cost, and it is much harder to detect and prevent DDoS attacks, because DDoS traffic is similar to normal traffic. Some artificial intelligence techniques like machine learning algorithms have been used to classify DDoS attack traffic and detect DDoS attacks, such as Naive Bayes and Random forest tree. In the paper, we survey on the latest progress on the DDoS attack detection using artificial intelligence techniques and give recommendations on artificial intelligence techniques to be used in DDoS attack detection and prevention.

Asset Analytics - Performance Management of Integrated Systems and its Applications in Software Engineering ◽

Real-Time Distributed Denial-of-Service (DDoS) Attack Detection Using Decision Trees for Server Performance Maintenance

10.1007/978-981-13-8253-6_1 ◽

2019 ◽

pp. 1-9 ◽

Cited By ~ 1

Author(s):

Mrunmayee Khare ◽

Rajvardhan Oak

Keyword(s):

Decision Trees ◽

Real Time ◽

Denial Of Service ◽

Attack Detection ◽

Ddos Attack ◽

Comparative Study on TCP SYN Flood DDoS Attack Detection: A Machine Learning Algorithm Based Approach

WSEAS TRANSACTIONS ON SYSTEMS AND CONTROL ◽

10.37394/23203.2021.16.54 ◽

2021 ◽

Vol 16 ◽

pp. 584-591

Author(s):

S. Sumathi ◽

R. Rajesh

Keyword(s):

Machine Learning ◽

Learning Algorithm ◽

Denial Of Service ◽

Attack Detection ◽

Machine Learning Algorithm ◽

Ddos Attack ◽

Research Goal ◽

Ddos Attack Detection ◽

F Measure

A most common attack on the internet network is a Distributed Denial of Service (DDoS) attack, which involves occupying computational resources and bandwidth to suppress services to potential clients. The attack scenario is to massively flood the packets. The attack is called a denial of service (DoS) if the attack originates from a single server, and a distributed denial of service (DDoS) if the attack originates from multiple servers. Control and mitigation of DDoS attacks have been a research goal for many scholars for over a decade, and they have achieved in delivering a few major DDoS detection and protection techniques. In the current state of internet use, how quickly and early a DDoS attack can be detected in broadcasting network transactions remains a key research goal. After the development of a machine learning algorithm, many potential methods of DDoS attack detection have been developed. The work presents the results of various experiments carried out using data mining and machine learning algorithms as well as a combination of these algorithms on the commonly available dataset named CAIDA for TCP SYN flood attack detection. Also, this work analysis the various performance metrics such as false positive rate, precision, recall, F-measure and receiver operating characteristic (ROC) using various machine learning algorithm. One-R(OR) with an ideal FPR value of 0.05 and recall value of 0.95,decision stump(DS) with an ideal precision value of o.93,PART with an excellent F-measure value of 0.91 are some of the performance metric values while performing TCP SYN flood attack detection.