On the Detection of Low-Rate Denial of Service Attacks at Transport and Application Layers

Vasudha Vedula; Palden Lama; Rajendra V. Boppana; Luis A. Trejo

doi:10.3390/electronics10172105

On the Detection of Low-Rate Denial of Service Attacks at Transport and Application Layers

Electronics ◽

10.3390/electronics10172105 ◽

2021 ◽

Vol 10 (17) ◽

pp. 2105

Author(s):

Vasudha Vedula ◽

Palden Lama ◽

Rajendra V. Boppana ◽

Luis A. Trejo

Keyword(s):

Network Traffic ◽

Short Term Memory ◽

Transmission Control Protocol ◽

Denial Of Service ◽

Detection Methods ◽

Support Vector ◽

Detection Accuracy ◽

Ddos Attacks ◽

Network Bandwidth ◽

Low Rate

Distributed denial of service (DDoS) attacks aim to deplete the network bandwidth and computing resources of targeted victims. Low-rate DDoS attacks exploit protocol features such as the transmission control protocol (TCP) three-way handshake mechanism for connection establishment and the TCP congestion-control induced backoffs to attack at a much lower rate and still effectively bring down the targeted network and computer systems. Most of the statistical and machine/deep learning-based detection methods proposed in the literature require keeping track of packets by flows and have high processing overheads for feature extraction. This paper presents a novel two-stage model that uses Long Short-Term Memory (LSTM) and Random Forest (RF) to detect the presence of attack flows in a group of flows. This model has a very low data processing overhead; it uses only two features and does not require keeping track of packets by flows, making it suitable for continuous monitoring of network traffic and on-the-fly detection. The paper also presents an LSTM Autoencoder to detect individual attack flows with high detection accuracy using only two features. Additionally, the paper presents an analysis of a support vector machine (SVM) model that detects attack flows in slices of network traffic collected for short durations. The low-rate attack dataset used in this study is made available to the research community through GitHub.

Download Full-text

DDoS Defense Method in Software-Defined Space-Air-Ground Network from Dynamic Bayesian Game Perspective

Security and Communication Networks ◽

10.1155/2022/1886516 ◽

2022 ◽

Vol 2022 ◽

pp. 1-13

Author(s):

Zhaobin Li ◽

Bin Yang ◽

Xinyu Zhang ◽

Chao Guo

Keyword(s):

Dynamic Balance ◽

Denial Of Service ◽

Detection Methods ◽

Support Vector ◽

Detection Accuracy ◽

Real Time Control ◽

Bayesian Game ◽

Integrated Networks ◽

Time Control ◽

Attack And Defense

The centralized management of Software-Defined Network (SDN) brings convenience to Space-Air-Ground Integrated Networks (SAGIN), which also makes it vulnerable to Distributed Denial of Service (DDoS). At present, the popular detection methods are based on machine learning, but most of them are fixed detection strategies with high overhead and real-time control, so the efficiency is not high. This paper designs different defense methods for different DDoS attacks and constructs a multitype DDoS defense model based on a dynamic Bayesian game in the Software-Defined Space-Air-Ground Integrated Networks (SD-SAGIN). The proposed game model’s Nash equilibrium is solved based on the different costs and payoffs of each method. We simulated the attack and defense of DDoS in Ryu controller and Mininet. The results show that, under our model, the attacker and defender’s strategies are in a dynamic balance, and the controller can effectively reduce the defense cost while ensuring detection accuracy. Compared with the existing traditional Support Vector Machine (SVM) defense method, the performance of the proposed method is better, and it provides one of the references for DDoS defense in SD-SAGIN.

Download Full-text

Accurately Identifying New QoS Violation Driven by High-Distributed Low-Rate Denial of Service Attacks Based on Multiple Observed Features

Journal of Sensors ◽

10.1155/2015/465402 ◽

2015 ◽

Vol 2015 ◽

pp. 1-11 ◽

Cited By ~ 1

Author(s):

Jian Kang ◽

Mei Yang ◽

Junyao Zhang

Keyword(s):

Network Traffic ◽

False Positive Rate ◽

Denial Of Service ◽

Threshold Value ◽

Detection Accuracy ◽

Packet Header ◽

Positive Rate ◽

Spectrum Density ◽

Microscopic Feature ◽

Low Rate

We propose using multiple observed features of network traffic to identify new high-distributed low-rate quality of services (QoS) violation so that detection accuracy may be further improved. For the multiple observed features, we chooseF featurein TCP packet header as a microscopic feature and,P featureandD featureof network traffic as macroscopic features. Based on these features, we establishmultistream fused hidden Markov model(MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted by using Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM results in a significant 23.39% and 44.64% improvement over typical power spectrum density (PSD) algorithm and nonparametric cumulative sum (CUSUM) algorithm.

Download Full-text

Hybrid Intrusion Detection System for DDoS Attacks

Journal of Electrical and Computer Engineering ◽

10.1155/2016/1075648 ◽

2016 ◽

Vol 2016 ◽

pp. 1-8 ◽

Cited By ~ 17

Author(s):

Özge Cepheli ◽

Saliha Büyükçorak ◽

Güneş Karabulut Kurt

Keyword(s):

Intrusion Detection ◽

Intrusion Detection System ◽

Detection System ◽

Denial Of Service ◽

Detection Methods ◽

Detection Accuracy ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Hybrid Detection ◽

Security Problem

Distributed denial-of-service (DDoS) attacks are one of the major threats and possibly the hardest security problem for today’s Internet. In this paper we propose a hybrid detection system, referred to as hybrid intrusion detection system (H-IDS), for detection of DDoS attacks. Our proposed detection system makes use of both anomaly-based and signature-based detection methods separately but in an integrated fashion and combines the outcomes of both detectors to enhance the overall detection accuracy. We apply two distinct datasets to our proposed system in order to test the detection performance of H-IDS and conclude that the proposed hybrid system gives better results than the systems based on nonhybrid detection.

Download Full-text

Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest

Security and Communication Networks ◽

10.1155/2018/1263123 ◽

2018 ◽

Vol 2018 ◽

pp. 1-13 ◽

Cited By ~ 14

Author(s):

Mohamed Idhammad ◽

Karim Afdel ◽

Mustapha Belouch

Keyword(s):

Random Forest ◽

Network Traffic ◽

Learning Algorithm ◽

Detection System ◽

Cloud Services ◽

Detection Accuracy ◽

Cloud Environment ◽

Ddos Attacks ◽

Information Theoretic ◽

Computing Services

Cloud Computing services are often delivered through HTTP protocol. This facilitates access to services and reduces costs for both providers and end-users. However, this increases the vulnerabilities of the Cloud services face to HTTP DDoS attacks. HTTP request methods are often used to address web servers’ vulnerabilities and create multiple scenarios of HTTP DDoS attack such as Low and Slow or Flooding attacks. Existing HTTP DDoS detection systems are challenged by the big amounts of network traffic generated by these attacks, low detection accuracy, and high false positive rates. In this paper we present a detection system of HTTP DDoS attacks in a Cloud environment based on Information Theoretic Entropy and Random Forest ensemble learning algorithm. A time-based sliding window algorithm is used to estimate the entropy of the network header features of the incoming network traffic. When the estimated entropy exceeds its normal range the preprocessing and the classification tasks are triggered. To assess the proposed approach various experiments were performed on the CIDDS-001 public dataset. The proposed approach achieves satisfactory results with an accuracy of 99.54%, a FPR of 0.4%, and a running time of 18.5s.

Download Full-text

Evaluation of Takagi-Sugeno-Kang fuzzy method in entropy-based detection of DDoS attacks

Computer Science and Information Systems ◽

10.2298/csis160905039p ◽

2018 ◽

Vol 15 (1) ◽

pp. 139-162 ◽

Cited By ~ 2

Author(s):

Miodrag Petkovic ◽

Ilija Basicevic ◽

Dragan Kukolj ◽

Miroslav Popovic

Keyword(s):

Network Traffic ◽

Fuzzy System ◽

False Positive Rate ◽

Denial Of Service ◽

Sudden Change ◽

Change Point Detection ◽

Statistical Characteristics ◽

Ddos Attacks ◽

Detection Process ◽

Takagi Sugeno

The detection of distributed denial of service (DDoS) attacks based on internet traffic anomalies is a method which is general in nature and can detect unknown or zero-day attacks. One of the statistical characteristics used for this purpose is network traffic entropy: a sudden change in entropy may indicate a DDoS attack. However, this approach often gives false positives, and this is the main obstacle to its wider deployment within network security equipment. In this paper, we propose a new, two-step method for detection of DDoS attacks. This method combines the approaches of network traffic entropy and the Takagi-Sugeno-Kang fuzzy system. In the first step, the detection process calculates the entropy distribution of the network packets. In the second step, the Takagi-Sugeno-Kang fuzzy system (TSK-FS) method is applied to these entropy values. The performance of the TSK-FS method is compared with that of the typically used approach, in which cumulative sum (CUSUM) change point detection is applied directly to entropy time series. The results show that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process, achieving a high true-positive detection rate and a very low false-positive rate. As it is based on entropy, this combined method retains its generality and is capable of detecting various types of attack.

Download Full-text

SOFT COMPUTING BASED AUTONOMOUS LOW RATE DDOS ATTACK DETECTION AND SECURITY FOR CLOUD COMPUTING

Journal of Soft Computing Paradigm - September 2019 ◽

10.36548/jscp.2019.2.003 ◽

2019 ◽

Vol 2019 (2) ◽

pp. 80-90 ◽

Cited By ~ 4

Author(s):

Mugunthan S. R.

Keyword(s):

Cloud Computing ◽

Soft Computing ◽

High Speed ◽

Denial Of Service ◽

Attack Detection ◽

Ddos Attacks ◽

Counter Measures ◽

Cloud Architecture ◽

Ddos Attack Detection ◽

Low Rate

The fundamental advantage of the cloud environment is its instant scalability in rendering the service according to the various demands. The recent technological growth in the cloud computing makes it accessible to people from everywhere at any time. Multitudes of user utilizes the cloud platform for their various needs and store their complete details that are personnel as well as confidential in the cloud architecture. The storage of the confidential information makes the cloud architecture attractive to its hackers, who aim in misusing the confidential/secret information’s. The misuse of the services and the resources of the cloud architecture has become a common issue in the day to day usage due to the DDOS (distributed denial of service) attacks. The DDOS attacks are highly mature and continue to grow at a high speed making the detecting and the counter measures a challenging task. So the paper uses the soft computing based autonomous detection for the Low rate-DDOS attacks in the cloud architecture. The proposed method utilizes the hidden Markov Model for observing the flow in the network and the Random forest in classifying the detected attacks from the normal flow. The proffered method is evaluated to measure the performance improvement attained in terms of the Recall, Precision, specificity, accuracy and F-measure.

Download Full-text

A Mass Spectrometric Analysis Method Based on PPCA and SVM for Early Detection of Ovarian Cancer

Computational and Mathematical Methods in Medicine ◽

10.1155/2016/6169249 ◽

2016 ◽

Vol 2016 ◽

pp. 1-6 ◽

Cited By ~ 3

Author(s):

Jiang Wu ◽

Yanju Ji ◽

Ling Zhao ◽

Mengying Ji ◽

Zhuang Ye ◽

...

Keyword(s):

Ovarian Cancer ◽

Cancer Detection ◽

Detection Methods ◽

Support Vector ◽

Detection Accuracy ◽

Analysis Method ◽

Data Set ◽

Specificity And Sensitivity ◽

Svm Model ◽

Tof Ms

Background. Surfaced-enhanced laser desorption-ionization-time of flight mass spectrometry (SELDI-TOF-MS) technology plays an important role in the early diagnosis of ovarian cancer. However, the raw MS data is highly dimensional and redundant. Therefore, it is necessary to study rapid and accurate detection methods from the massive MS data.Methods. The clinical data set used in the experiments for early cancer detection consisted of 216 SELDI-TOF-MS samples. An MS analysis method based on probabilistic principal components analysis (PPCA) and support vector machine (SVM) was proposed and applied to the ovarian cancer early classification in the data set. Additionally, by the same data set, we also established a traditional PCA-SVM model. Finally we compared the two models in detection accuracy, specificity, and sensitivity.Results. Using independent training and testing experiments 10 times to evaluate the ovarian cancer detection models, the average prediction accuracy, sensitivity, and specificity of the PCA-SVM model were 83.34%, 82.70%, and 83.88%, respectively. In contrast, those of the PPCA-SVM model were 90.80%, 92.98%, and 88.97%, respectively.Conclusions. The PPCA-SVM model had better detection performance. And the model combined with the SELDI-TOF-MS technology had a prospect in early clinical detection and diagnosis of ovarian cancer.

Download Full-text

Cluster-Based Countermeasures for DDoS Attacks

Network Security Attacks and Countermeasures - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-4666-8761-5.ch008 ◽

2016 ◽

pp. 206-227

Author(s):

Mohammad Jabed Morshed Chowdhury ◽

Dileep Kumar G

Keyword(s):

Unsupervised Learning ◽

Network Traffic ◽

Denial Of Service ◽

Security Threats ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Ddos Attack ◽

Real Progress ◽

Bandwidth Capacity

Distributed Denial of Service (DDoS) attack is considered one of the major security threats in the current Internet. Although many solutions have been suggested for the DDoS defense, real progress in fighting those attacks is still missing. In this chapter, the authors analyze and experiment with cluster-based filtering for DDoS defense. In cluster-based filtering, unsupervised learning is used to create profile of the network traffic. Then the profiled traffic is passed through the filters of different capacity to the servers. After applying this mechanism, the legitimate traffic will get better bandwidth capacity than the malicious traffic. Thus the effect of bad or malicious traffic will be lesser in the network. Before describing the proposed solutions, a detail survey of the different DDoS countermeasures have been presented in the chapter.

Download Full-text

Multi-Aspect DDOS Detection System for Securing Cloud Network

Cloud Security ◽

10.4018/978-1-5225-8176-5.ch096 ◽

2019 ◽

pp. 1952-1983

Author(s):

Pourya Shamsolmoali ◽

Masoumeh Zareapoor ◽

M.Afshar Alam

Keyword(s):

Cloud Computing ◽

Detection System ◽

Denial Of Service ◽

Complex Form ◽

Internet Security ◽

Detection Methods ◽

Ddos Attacks ◽

Dos Attacks ◽

Ddos Detection ◽

Cloud Network

Distributed Denial of Service (DDoS) attacks have become a serious attack for internet security and Cloud Computing environment. This kind of attacks is the most complex form of DoS (Denial of Service) attacks. This type of attack can simply duplicate its source address, such as spoofing attack, which defending methods do not able to disguises the real location of the attack. Therefore, DDoS attack is the most significant challenge for network. In this chapter we present different aspect of security in Cloud Computing, mostly we concentrated on DDOS Attacks. The Authors illustrated all types of Dos Attacks and discussed the most effective detection methods.

Download Full-text

Prediction, Detection, and Mitigation of DDoS Attacks Using HPCs

Handbook of Research on Cyber Crime and Information Privacy - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-5728-0.ch025 ◽

2021 ◽

pp. 523-538

Author(s):

Pablo Pessoa Do Nascimento ◽

Isac F. A. F. Colares ◽

Ronierison Maciel ◽

Humberto Caetano Da Silva ◽

Paulo Maciel

Keyword(s):

Web Service ◽

Denial Of Service ◽

Intrusion Detection Systems ◽

Detection Accuracy ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Intrusion Prevention ◽

Detection Systems ◽

Use Of Data ◽

Adaptive Architecture

Web service interruptions caused by DDoS (distributed denial of service) attacks have increased considerably over the years, and intrusion detection systems (IDS) are not enough to detect threats on the network, even when used together with intrusion prevention systems (IPS), taking into account the increase of assets in the traffic path, where it creates unique points of failure in the system, and also taking into account the use of data that contains information about normal traffic situations and attacks, where this comparison and analysis can cost a significant amount of host resources, to try to guarantee the prediction, detection, and mitigation of attacks in real-time or in time between detection and mitigation, being crucial in harm reduction. This chapter presents an adaptive architecture that combines techniques, methods, and tools from different segments to improve detection accuracy as well as the prediction and mitigation of these threats and to show that it is capable of implementing a powerful architecture against this type of threat, DDoS attacks.

Download Full-text