×

Note on studying change point of LRD traffic based on Li’s detection of DDoS flood attacking. (English) Zbl 1189.68024

Summary: Distributed denial-of-service (DDoS) flood attacks remain great threats to the Internet. To ensure network usability and reliability, accurate detection of these attacks is critical. Based on Li’s work on DDoS flood attack detection, we propose a DDoS detection method by monitoring the Hurst variation of long-range dependant traffic. Specifically, we use an autoregressive system to estimate the Hurst parameter of normal traffic. If the actual Hurst parameter varies significantly from the estimation, we assume that DDoS attack happens. Meanwhile, we propose two methods to determine the change point of Hurst parameter that indicates the occurrence of DDoS attacks. The detection rate associated with one method and false alarm rate for the other method are also derived. The test results on DARPA intrusion detection evaluation data show that the proposed approaches can achieve better detection performance than some well-known self-similarity-based detection methods.

MSC:

68M11 Internet topics
68M10 Network design and communication in computer systems
94A13 Detection theory in information and communication theory

Software:

longmemo
PDFBibTeX XMLCite
Full Text: DOI EuDML

References:

[1] W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, “On the self-similar nature of ethernet traffic (extended version),” IEEE/ACM Transactions on Networking, vol. 2, no. 1, pp. 1-15, 1994. · Zbl 01936506 · doi:10.1109/90.282603
[2] V. Paxson and S. Floyd, “Wide area traffic: the failure of Poisson modeling,” IEEE/ACM Transactions on Networking, vol. 3, no. 3, pp. 226-244, 1995. · doi:10.1109/90.392383
[3] O. Tickoo and B. Sikdar, “On the impact of IEEE 802.11 MAC on traffic characteristics,” IEEE Journal on Selected Areas in Communications, vol. 21, no. 2, pp. 189-203, 2003. · doi:10.1109/JSAC.2002.807346
[4] M. Li, “Fractal time series-a tutorial review,” Mathematical Problems in Engineering, vol. 2010, Article ID 157264, 26 pages, 2010. · Zbl 1191.37002 · doi:10.1155/2010/157264
[5] M. Li and W. Zhao, “Representation of a stochastic traffic bound,” IEEE Transactions on Parallel and Distributed Systems. In press.
[6] M. Li and S. C. Lim, “Modeling network traffic using generalized Cauchy process,” Physica A, vol. 387, no. 11, pp. 2584-2594, 2008. · doi:10.1016/j.physa.2008.01.026
[7] M. Li and W. Zhao, “Variance bound of ACF estimation of one block of fGn with LRD,” Mathematical Problems in Engineering, vol. 2010, Article ID 60429, 14 pages, 2010. · Zbl 1191.94042 · doi:10.1155/2010/560429
[8] W.-B. Gong, Y. Liu, V. Misra, and D. Towsley, “Self-similarity and long range dependence on the internet: a second look at the evidence, origins and implications,” Computer Networks, vol. 48, no. 3, pp. 377-399, 2005. · Zbl 02233038 · doi:10.1016/j.comnet.2004.11.026
[9] W. Schleifer and M. Männle, “Online error detection through observation of traffic self-similarity,” IEE Proceedings: Communications, vol. 148, no. 1, pp. 38-42, 2001. · doi:10.1049/ip-com:20010063
[10] J. T. Wang and G. Yang, “An intelligent method for real-time detection of DDoS attack based on fuzzy logic,” Journal of Electronics, vol. 25, no. 4, pp. 511-518, 2008. · doi:10.1007/s11767-007-0056-6
[11] M. Li, “Change trend of averaged Hurst parameter of traffic under DDOS flood attacks,” Computers and Security, vol. 25, no. 3, pp. 213-220, 2006. · doi:10.1016/j.cose.2005.11.007
[12] C. S. Sastry, S. Rawat, A. K. Pujari, and V. P. Gulati, “Network traffic analysis using singular value decomposition and multiscale transforms,” Information Sciences, vol. 177, no. 23, pp. 5275-5291, 2007. · Zbl 1126.68010 · doi:10.1016/j.ins.2006.07.007
[13] M. F. Rohani, M. A. Maarof, A. Selamat, and H. Kettani, “Continuous LoSS detection using iterative window based on SOSS model and MLS approach,” in Proceedings of the International Conference on Computer and Communication Engineering (ICCCE ’08), pp. 1005-1009, Kuala Lumpur, Malaysia, May 2008. · doi:10.1109/ICCCE.2008.4580759
[14] M. Li and W. Zhao, “Detection of variations of local irregularity of traffic under DDOS flood attack,” Mathematical Problems in Engineering, vol. 2008, Article ID 475878, 11 pages, 2008. · Zbl 1189.68114 · doi:10.1155/2008/475878
[15] M. Li, J. Li, and W. Zhao, “Experimental study of DDOS attacking of flood type based on NS2,” International Journal of Electronics and Computers, vol. 1, no. 2, pp. 143-152, 2009.
[16] M. Li, “An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition,” Computers and Security, vol. 23, no. 7, pp. 549-558, 2004. · doi:10.1016/j.cose.2004.04.005
[17] C. Cattani and A. Kudreyko, “On the discrete harmonic wavelet transform,” Mathematical Problems in Engineering, vol. 2008, Article ID 687318, 7 pages, 2008. · Zbl 1166.65404 · doi:10.1155/2008/687318
[18] C. Cattani and A. Kudreyko, “Application of periodized harmonic wavelets towards solution of eigenvalue problems for integral equations,” Mathematical Problems in Engineering, vol. 2010, Article ID 570136, 8 pages, 2010. · Zbl 1191.65175 · doi:10.1155/2010/570136
[19] C. Cattani, “Harmonic wavelet analysis of a localized fractal,” International Journal of Engineering and Interdisciplinary Mathematics, vol. 1, no. 1, pp. 35-44, 2009.
[20] E. G. Bakhoum and C. Toma, “Mathematical transform of traveling-wave equations and phase aspects of quantum interaction,” Mathematical Problems in Engineering, vol. 2010, Article ID 695208, 15 pages, 2010. · Zbl 1191.35220 · doi:10.1155/2010/695208
[21] G. Toma, “Specific differential equations for generating pulse sequences,” Mathematical Problems in Engineering, vol. 2010, Article ID 324818, 11 pages, 2010. · Zbl 1191.37052 · doi:10.1155/2010/324818
[22] S. Song, J. K. Y. Ng, and B. Tang, “Some results on the self-similarity property in communication networks,” IEEE Transactions on Communications, vol. 52, no. 10, pp. 1636-1642, 2004. · doi:10.1109/TCOMM.2004.833136
[23] J. Beran, Statistics for Long-Memory Processes, vol. 61 of Monographs on Statistics and Applied Probability, Chapman and Hall, New York, NY, USA, 1994. · Zbl 0869.60045
[24] D. He and H. Leung, “Network intrusion detection using CFAR abrupt-change detectors,” IEEE Transactions on Instrumentation and Measurement, vol. 57, no. 3, pp. 490-497, 2008. · doi:10.1109/TIM.2007.910108
[25] http://www.ll.mit.edu/mission/communications/ist/index.html.
[26] W. H. Allen and G. A. Marin, “The LoSS technique for detecting new denial of service attacks,” in Proceedings of IEEE South East Conference, pp. 302-309, Greensboro, NC, USA, March 2004.
[27] X. X. Ren, R. C. Wang, and H. Y. Wang, “Wavelet analysis method for detection of DDoS attack on the basis of self-similarity,” Frontiers of Electrical and Electronic Engineering in China, vol. 2, no. 1, pp. 73-77, 2007. · doi:10.1007/s11460-007-0013-z
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.