Distributed denial-of-service (DDoS) attacks became one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, its detection is a very hard task because of the similarities between normal traffic and useless packets, sent by compromised hosts to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches. This is possible due to the use of the NOX platform which provides a programmatic interface to facilitate the handling of switch information. Other major contributions include the high rate of detection and very low rate of false alarms obtained by flow analysis using Self Organizing Maps.

Lightweight DDoS flooding attack detection using NOX/OpenFlow

Information communications technology systems are facing an increasing number of cyber security threats, the majority of which are originated by insiders. As insiders reside behind the enterprise-level security defence mechanisms and often have privileged access to the network, detecting and preventing insider threats is a complex and challenging problem. In fact, many schemes and systems have been proposed to address insider threats from different perspectives, such as intent, type of threat, or available audit data source. This survey attempts to line up these works together with only three most common types of insider namely traitor, masquerader, and unintentional perpetrator, while reviewing the countermeasures from a data analytics perspective. Uniquely, this survey takes into account the early stage threats which may lead to a malicious insider rising up. When direct and indirect threats are put on the same page, all the relevant works can be categorised as host, network, or contextual data-based according to audit data source and each work is reviewed for its capability against insider threats, how the information is extracted from the engaged data sources, and what the decision-making algorithm is. The works are also compared and contrasted. Finally, some issues are raised based on the observations from the reviewed works and new research gaps and challenges identified.

Detecting and Preventing Cyber Insider Threats: A Survey

Review: Divergence measures for statistical data processing-An annotated bibliography

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection, system health monitoring but this article focuses on application of anomaly detection in the field of network intrusion detection.The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in network. This aim is achieved by realization of the following points: (i) preparation of a concept of original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of original dataset, (iv) evaluation of the method.

/pdf/an-entropy-based-network-anomaly-detection-method-v19rpy9cnu.pdf

An Entropy-Based Network Anomaly Detection Method

Distributed denial-of-service is one kind of the most highlighted and most important attacks of today’s cyberworld. With simple but extremely powerful attack mechanisms, it introduces an immense th...

A survey of distributed denial-of-service attack, prevention, and mitigation techniques:

A low-rate distributed denial of service (DDoS) attack has significant ability of concealing its traffic because it is very much like normal traffic. It has the capacity to elude the current anomaly-based detection schemes. An information metric can quantify the differences of network traffic with various probability distributions. In this paper, we innovatively propose using two new information metrics such as the generalized entropy metric and the information distance metric to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier (three hops earlier while the order α = 10 ) than the traditional Shannon metric. The proposed information distance metric outperforms (six hops earlier while the order α = 10) the popular Kullback-Leibler divergence approach as it can clearly enlarge the adjudication distance and then obtain the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack traffic.

Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics

Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic, however Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these mathods can not only distinguish DDoS attacks from Flash crowds clearly, but also can distinguish the anomaly flow being DDoS attacks flow or being Flash crowd flow from Normal network flow effectively. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

/pdf/distinguishing-ddos-attacks-from-flash-crowds-using-59qhvvrw46.pdf

Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

In information theory, entropies make up of the basis for distance and divergence measures among various probability densities In this paper we propose a novel metric to detect DDoS attacks in networks by using the function of order *** of the generalized (Renyi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively Our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order *** =2, and two hops earlier to detect attacks while order *** =10) but also reduce both the false positive rate and the false negative rate clearly compared with the traditional Shannon entropy metric approach

Effective DDoS Attacks Detection Using Generalized Entropy Metric

Face recognition is an important technique which can be used in many applications. In recent years, face recognition has
attracted large amount of research interest. Many recognition methods have been proposed, however, most of them are
not able to make use of local salient features to effectively capture the face information. Recently, SIFT has been
proposed for object matching in image retrieval area, and it proves to be a powerful matching tool. In this paper, we
applied and studied SIFT method on face recognition, and compared it with the well known face recognition methods in
literature, i.e., PCA and 2DPCA. Rigorous tests were carried out on 3 major face databases. Our results show SIFT has
significant advantages over both PCA and 2DPCA in terms of recognition rate and number of training samples. This
paper also points out some shortcomings of classic experiment method to recognize faces and improve them.

Evaluation of face recognition techniques

In information theory, the relative entropy (or information divergence or information distance) quantifies the difference between information flows with various probability distributions. In this study, the authors first resolve the asymmetric property of Renyi divergence and Kullback-Leibler divergence and convert the divergence measures into proper metrics. Then the authors propose an effective metric to detect distributed denial-of-service attacks effectively using the Renyi divergence to measure the difference between legitimate flows and attack flows in a network. With the proposed metric, the authors can obtain the optimal detection sensitivity and the optimal information distance between attack flows and legitimate flows by adjusting the orderacutes value of the Renyi divergence. The experimental results show that the proposed metric can clearly enlarge the adjudication distance, therefore it not only can detect attacks early but also can reduce the false positive rate sharply compared with the use of the traditional Kullback-Leibler divergence and distance approaches.

Ke Li

Papers

Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics

Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

Effective DDoS Attacks Detection Using Generalized Entropy Metric

Evaluation of face recognition techniques

Effective metric for detecting distributed denial-of-service attacks based on information divergence