Proceedings Article

A Recurrence Quantification Analytical Approach to Detect DDoS Attacks

N. Jeyanthi, J. Vinithra, Sneha, R. Thandeeswaran, N. Ch. S. N. Iyengar
07 Oct 2011, pp. 58-62
TL;DR: A mathematical model called Recurrence Quantification Analysis (RQA) is proposed for detecting the DDoS attacks by computing entropy and determinism of selected packet attributes and to detect the anomalies and check the performance.
Abstract: Distributed Denial of Service (DDoS) is a type of attack in the application layer initiated from the various hosts to a single web server. The aim of this attack is to consume all the resources of the targeted system by exploiting the vulnerability. We proposed a mathematical model called Recurrence Quantification Analysis (RQA) for detecting the DDoS attacks by computing entropy and determinism of selected packet attributes. To detect the anomalies and check the performance we considered the live traffic traces from the network and various RQA parameters like entropy, laminarity and determinism were used to determine the uncertainty or randomness in the dataset.
Citations
Journal Article
TL;DR: Different types of possible network attacks and detection mechanisms proposed by various researchers that are capable of detecting such attacks are reviewed.
Abstract: With the development of large open networks, security threats for the network have increased significantly in the past few years. Different types of attacks possess different types of threats to network and network resources. Many different detection mechanisms have been proposed by various researchers. This paper reviews different types of possible network attacks and detection mechanisms proposed by various researchers that are capable of detecting such attacks. General Terms: Network resources, open network, security threats for network

16 citations


Cites background from "A Recurrence Quantification Analyti..."

  • ...Jeyanthi N, et al, [8] proposed a mathematical model for detecting the DDoS attacks by computing entropy and determinism of attributes of selected packets....

    [...]

Journal Article
TL;DR: A Recurrence Quantification based approach to detect and prevent VoIP from a DDoS attack, which detects the attack at an earlier stage and also helps to prevent from further attacks.
Abstract: Voice over Internet Protocol (VoIP) is a family of technologies for the transmission of voice over Internet. Voice is converted into digital signals and transmitted as data packets. The Session Initiation Protocol (SIP) is an IETF protocol for VoIP and other multimedia. SIP is an application layer protocol for creating, modifying and terminating sessions in VoIP communications. Since SIP is a more flexible and simple protocol, it is quite easy to add features to it. Distributed Denial of Service Attack (DDoS) floods the server with numerous requests from various hosts. Hence, the legitimate clients will not be able to get their intended services. A major concern in VoIP and almost in all network domains is availability rather than data consistency. Most of the surviving techniques could prevent VoIP network only after collision. This paper proposes a Recurrence Quantification based approach to detect and prevent VoIP from a DDoS attack. This model detects the attack at an earlier stage and also helps to prevent from further attacks. In addition, this technique enables the efficient utilization of resources. QUALNET has been used to simulate the operation of the proposed technology.

9 citations

Journal Article
TL;DR: In this article, the authors present a classification approach for existing DoS/DDoS models in different kinds of networks; traditional networks, Software Defined Networks (SDN) and virtual networks.

9 citations

01 Jan 2018
TL;DR: This work proposes a new method, called DDoS by RQA, which uses the Recurrence Quantification Analysis (RQA) based on the extraction of network traffic dynamic features and the combination with an Adaptive Clustering Algorithm (A-Kmeans) to detect DDoS attacks.
Abstract: The high number of Distributed Denial of Service (DDoS) attacks executed against a lot of nations has demanded innovative solutions to guarantee reliability and availability of internet services in the cyberspace. In this sense, different methods have been used to analyze network traffic for denial of service attacks, such as statistical analysis, data mining, machine learning and others. However, few of them explore hidden recurrence patterns in nonlinear network traffic and none of them explores it together with the Adaptive Clustering. This work proposes a new method, called DDoSbyRQA, which uses the Recurrence Quantification Analysis (RQA) based on the extraction of network traffic dynamic features and the combination with an Adaptive Clustering Algorithm (A-Kmeans) to detect DDoS attacks. The experiments were made by using the CAIDA and UCLA databases and it has demonstrated the ability of the method to increase the accuracy of DDoS detection and to real-time applicability. Keywords— DDoS, RQA, Adaptive Clustering, A-Kmeans.

2 citations


Cites background or methods from "A Recurrence Quantification Analyti..."

  • ...In [8] the authors extend the work performed in [7] to demonstrate that RQA can be applied to detect DDoS on VoIP networks but they maintain the empirical analysis based on visual tools of Recurrence Plots (RP)....

    [...]

  • ...In the network security field, RQA already has been applied in other works [3, 7, 8]....

    [...]

  • ...In [7] the authors focus on demonstrating the visual analysis of Recurrence Quantification Measures (RQM) in Recurrence Plots (RP) and their power on detecting anomalies....

    [...]

Journal Article
TL;DR: A new reputation-based framework for mitigating the DDoS in cloud by classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits is proposed, expected to take the edge off DDoS in a cloud environment and ensures full security to cloud resources.
Abstract: The latest trend in the field of computing is the migration of organizations and offloading the tasks to cloud. The security concerns hinder the widespread acceptance of cloud. Of various, the DDoS in cloud is found to be the most dangerous. Various approaches are there to defend DDoS in cloud, but have lots of pitfalls. This paper proposes a new reputation-based framework for mitigating the DDoS in cloud by classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits. The fact that attack is fired by malicious programs installed by the attackers in the compromised systems and they exhibit similar characteristics used for discriminating the DDoS traffic from flash crowds. Credits of clients who show signs of similarity are decremented. This reduces the computational and storage overhead. This proposed method is expected to take the edge off DDoS in a cloud environment and ensures full security to cloud resources. CloudSim simulation results also proved that the deployment of this approach improved the resource utilization with reduced cost.

2 citations

References
Proceedings Article
22 Apr 2003
TL;DR: Methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes and how the detectors can be extended to make effective response decisions are presented.
Abstract: The nature of the threats posed by distributed denial of service (DDoS) attacks on large networks, such as the Internet, demands effective detection and response methods. These methods must be deployed not only at the edge but also at the core of the network. This paper presents methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. The DDoS attacks show anomalies in the characteristics of the selected packet attributes. The detection accuracy and performance are analyzed using live traffic traces from a variety of network environments ranging from points in the core of the Internet to those inside an edge network. The results indicate that these methods can be effective against current attacks and suggest directions for improving detection of more stealthy attacks. We also describe our detection-response prototype and how the detectors can be extended to make effective response decisions.

558 citations


"A Recurrence Quantification Analyti..." refers background in this paper

  • ...It is done by filtering policy implemented in the server as shown below In Statistical Approaches [6] Detection and Response of identifying DDoS attacks is by computing entropy [22] and frequency based distributions [21] of selected packet attributes....

    [...]

  • ...In Statistical Approaches [6] Detection and Response of identifying DDoS attacks is by computing entropy [22] and frequency based distributions [21] of selected packet attributes....

    [...]

Proceedings Article
11 May 2003
TL;DR: Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing.
Abstract: Distributed denial of service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin. We propose Pi (short for path identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing. Pi features many unique properties. It is a per-packet deterministic mechanism: each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers' identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely lightweight and require negligible state. We use traceroute maps of real Internet topologies (e.g. CAIDA's Skitter (2000) and Burch and Cheswick's Internet Map (1999, 2002)) to simulate DDoS attacks and validate our design.

446 citations

Proceedings Article
02 May 2005
TL;DR: This work presents the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds, and improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd.
Abstract: Recent denial of service attacks are mounted by professionals using Botnets of tens of thousands of compromised machines. To circumvent detection, attackers are increasingly moving away from bandwidth floods to attacks that mimic the Web browsing behavior of a large number of clients, and target expensive higher-layer resources such as CPU, database and disk bandwidth. The resulting attacks are hard to defend against using standard techniques, as the malicious requests differ from the legitimate ones in intent but not in content. We present the design and implementation of Kill-Bots, a kernel extension to protect Web servers against DDoS attacks that masquerade as flash crowds. Kill-Bots provides authentication using graphical tests but is different from other systems that use graphical tests. First, Kill-Bots uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the tests. These machines are bots because their intent is to congest the server. Once these machines are identified, Kill-Bots blocks their requests, turns the graphical tests off, and allows access to legitimate users who are unable or unwilling to solve graphical tests. Second, Kill-Bots sends a test and checks the client's answer without allowing unauthenticated clients access to sockets, TCBs, and worker processes. Thus, it protects the authentication mechanism from being DDoSed. Third, Kill-Bots combines authentication with admission control. As a result, it improves performance, regardless of whether the server overload is caused by DDoS or a true Flash Crowd.

352 citations

Journal Article
TL;DR: A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks of new application-layer DDoS attacks.
Abstract: Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. Focusing on the detection for such new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect the potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.

256 citations