
Proceedings Article

A Recurrence Quantification Analytical Approach to Detect DDoS Attacks

07 Oct 2011, pp 58-62

TL;DR: A mathematical model called Recurrence Quantification Analysis (RQA) is proposed for detecting DDoS attacks by computing the entropy and determinism of selected packet attributes, in order to detect anomalies and check performance.
Abstract: Distributed Denial of Service (DDoS) is a type of attack in the application layer initiated from the various hosts to a single web server. The aim of this attack is to consume all the resources of the targeted system by exploiting the vulnerability. We proposed a mathematical model called Recurrence Quantification Analysis (RQA) for detecting the DDoS attacks by computing entropy and determinism of selected packet attributes. To detect the anomalies and check the performance we considered the live traffic traces from the network and various RQA parameters like entropy, laminarity and determinism were used to determine the uncertainty or randomness in the dataset.
Topics: Denial-of-service attack (50%)
Citations

Journal Article
TL;DR: Different types of possible network attacks, and detection mechanisms proposed by various researchers that are capable of detecting such attacks, are reviewed.
Abstract: With the development of large open networks, security threats for the network have increased significantly in the past few years. Different types of attacks possess different types of threats to network and network resources. Many different detection mechanisms have been proposed by various researchers. This paper reviews different types of possible network attacks and detection mechanisms proposed by various researchers that are capable of detecting such attacks.
General Terms: Network resources, open network, security threats for network

11 citations


Cites background from "A Recurrence Quantification Analyti..."

  • ...Jeyanthi N, et al, [8] proposed a mathematical model for detecting the DDoS attacks by computing entropy and determinism of attributes of selected packets....



Journal Article
TL;DR: A Recurrence Quantification based approach to detect and prevent VoIP from a DDoS attack, which detects the attack at an earlier stage and also helps to prevent from further attacks.
Abstract: Voice over Internet Protocol (VoIP) is a family of technologies for the transmission of voice over Internet. Voice is converted into digital signals and transmitted as data packets. The Session Initiation Protocol (SIP) is an IETF protocol for VoIP and other multimedia. SIP is an application layer protocol for creating, modifying and terminating sessions in VoIP communications. Since SIP is a more flexible and simple protocol, it is quite easy to add features to it. A Distributed Denial of Service (DDoS) attack floods the server with numerous requests from various hosts. Hence, the legitimate clients will not be able to get their intended services. A major concern in VoIP and almost in all network domains is availability rather than data consistency. Most of the surviving techniques could prevent VoIP network only after collision. This paper proposes a Recurrence Quantification based approach to detect and prevent VoIP from a DDoS attack. This model detects the attack at an earlier stage and also helps to prevent from further attacks. In addition, this technique enables the efficient utilization of resources. QUALNET has been used to simulate the operation of the proposed technology.

9 citations


Journal Article
TL;DR: A new reputation-based framework for mitigating the DDoS in cloud by classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits is proposed, expected to take the edge off DDoS in a cloud environment and ensure full security to cloud resources.
Abstract: The latest trend in the field of computing is the migration of organizations and offloading the tasks to cloud. The security concerns hinder the widespread acceptance of cloud. Of various, the DDoS in cloud is found to be the most dangerous. Various approaches are there to defend DDoS in cloud, but have lots of pitfalls. This paper proposes a new reputation-based framework for mitigating the DDoS in cloud by classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits. The fact that attack is fired by malicious programs installed by the attackers in the compromised systems and they exhibit similar characteristics used for discriminating the DDoS traffic from flash crowds. Credits of clients who show signs of similarity are decremented. This reduces the computational and storage overhead. This proposed method is expected to take the edge off DDoS in a cloud environment and ensures full security to cloud resources. CloudSim simulation results also proved that the deployment of this approach improved the resource utilization with reduced cost.

2 citations


01 Jan 2018
TL;DR: This work proposes a new method, called DDoSbyRQA, which uses the Recurrence Quantification Analysis (RQA) based on the extraction of network traffic dynamic features and the combination with an Adaptive Clustering Algorithm (A-Kmeans) to detect DDoS attacks.
Abstract: The high number of Distributed Denial of Service (DDoS) attacks executed against a lot of nations has demanded innovative solutions to guarantee reliability and availability of internet services in the cyberspace. In this sense, different methods have been used to analyze network traffic for denial of service attacks, such as statistical analysis, data mining, machine learning and others. However, few of them explore hidden recurrence patterns in nonlinear network traffic and none of them explores it together with the Adaptive Clustering. This work proposes a new method, called DDoSbyRQA, which uses the Recurrence Quantification Analysis (RQA) based on the extraction of network traffic dynamic features and the combination with an Adaptive Clustering Algorithm (A-Kmeans) to detect DDoS attacks. The experiments were made by using the CAIDA and UCLA databases and it has demonstrated the ability of the method to increase the accuracy of DDoS detection and to real-time applicability. Keywords— DDoS, RQA, Adaptive Clustering, A-Kmeans.

Cites background or methods from "A Recurrence Quantification Analyti..."

  • ...In [8] the authors extend the work performed in [7] to demonstrate that RQA can be applied to detect DDoS on VoIP networks but they maintain the empirical analysis based on visual tools of Recurrence Plots (RP)....


  • ...In the network security field, RQA already has been applied in other works [3, 7, 8]....


  • ...In [7] the authors focus on demonstrating the visual analysis of Recurrence Quantification Measures (RQM) in Recurrence Plots (RP) and their power on detecting anomalies....



Journal Article
Abstract: Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks have been one of the biggest threats against communication networks and applications throughout the years. Modelling DoS/DDoS attacks is necessary to get a better understanding of their behaviour at each step of the attack process, from the Botnet recruitment up to the dynamics of the attack. A deeper understanding of DoS/DDoS attacks would lead to the development of more efficient solutions and countermeasures to mitigate their impact. In this survey, we present a classification approach for existing DoS/DDoS models in different kinds of networks; traditional networks, Software Defined Networks (SDN) and virtual networks. In addition, this article provides a thorough review and comparison of the existing attack models, in particular we explain, analyze and simulate different aspects of three prominent models; congestion window, queuing, and epidemic models (same model used for corona virus spread analysis). Furthermore, we quantify the damage of DoS/DDoS attacks at three different levels; protocol (Transmission Control Protocol-TCP), device’s resources (bandwidth, CPU, memory), and network (infection and recovery speed).

References

Journal Article
Jelena Mirkovic, Peter Reiher
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,747 citations


Journal Article
Noga Alon, Yossi Matias, Mario Szegedy
Abstract: The frequency moments of a sequence containing $m_i$ elements of type $i$, $1 \le i \le n$, are the numbers $F_k = \sum_{i=1}^{n} m_i^k$. We consider the space complexity of randomized algorithms that approximate the numbers $F_k$, when the elements of the sequence are given one by one and cannot be stored. Surprisingly, it turns out that the numbers $F_0$, $F_1$, and $F_2$ can be approximated in logarithmic space, whereas the approximation of $F_k$ for $k \ge 6$ requires $n^{\Omega(1)}$ space. Applications to data bases are mentioned as well.

1,296 citations


"A Recurrence Quantification Analyti..." refers background in this paper

  • ...In Statistical Approaches [6] Detection and Response of identifying DDoS attacks is by computing entropy [22] and frequency based distributions [21] of selected packet attributes....



Proceedings Article
Noga Alon, Yossi Matias, Mario Szegedy
01 Jul 1996
TL;DR: It turns out that the numbers $F_0$, $F_1$ and $F_2$ can be approximated in logarithmic space, whereas the approximation of $F_k$ for $k \ge 6$ requires $n^{\Omega(1)}$ space.
Abstract: The frequency moments of a sequence containing $m_i$ elements of type $i$, for $1 \le i \le n$, are the numbers $F_k = \sum_{i=1}^{n} m_i^k$. We consider the space complexity of randomized algorithms that approximate the numbers $F_k$, when the elements of the sequence are given one by one and cannot be stored. Surprisingly, it turns out that the numbers $F_0$, $F_1$ and $F_2$ can be approximated in logarithmic space, whereas the approximation of $F_k$ for $k \ge 6$ requires $n^{\Omega(1)}$ space. Applications to data bases are mentioned as well.

1,266 citations


Proceedings Article
06 Nov 2002
TL;DR: This paper reports results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures, and shows that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic.
Abstract: Identifying anomalies rapidly and accurately is critical to the efficient operation of large computer networks. Accurately characterizing important classes of anomalies greatly facilitates their identification; however, the subtleties and complexities of anomalous traffic can easily confound this process. In this paper we report results of signal analysis of four classes of network traffic anomalies: outages, flash crowds, attacks and measurement failures. Data for this study consists of IP flow and SNMP measurements collected over a six month period at the border router of a large university. Our results show that wavelet filters are quite effective at exposing the details of both ambient and anomalous traffic. Specifically, we show that a pseudo-spline filter tuned at specific aggregation levels will expose distinct characteristics of each class of anomaly. We show that an effective way of exposing anomalies is via the detection of a sharp increase in the local variance of the filtered data. We evaluate traffic anomaly signals at different points within a network based on topological distance from the anomaly source or destination. We show that anomalies can be exposed effectively even when aggregated with a large amount of additional traffic. We also compare the difference between the same traffic anomaly signals as seen in SNMP and IP flow data, and show that the more coarse-grained SNMP data can also be used to expose anomalies effectively.

891 citations


Journal Article
TL;DR: This survey analyzes the design decisions in the Internet that have created the potential for denial of service attacks and the methods that have been proposed for defense against these attacks, and discusses potential countermeasures against each defense mechanism.
Abstract: This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.

710 citations


Performance Metrics
No. of citations received by the paper in previous years:
Year  Citations
2021  1
2018  1
2014  2
2013  1