A DoS Detection Method Based on Composition Self-Similarity

  • Jian-Qi, Zhu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University) ;
  • Feng, Fu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University) ;
  • Kim, Chong-Kwon (School of Computer Science and Engineering, Seoul National University) ;
  • Ke-Xin, Yin (College of Software, Changchun University of Technology) ;
  • Yan-Heng, Liu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University)
  • Received : 2012.02.03
  • Accepted : 2012.05.07
  • Published : 2012.05.30

Abstract

Based on the theory of local-world networks, this paper presents the composition self-similarity (CSS) of network traffic for the first time as a basis for DoS detection. We propose the concept of a composition distribution graph and define the related operations on it. The $(R/S)^d$ algorithm is designed for calculating the Hurst parameter. Based on the composition distribution graph and Kullback-Leibler (KL) divergence, we propose the composition self-similarity anomaly detection (CSSD) method for detecting DoS attacks, and we evaluate its effectiveness. Compared to other entropy-based anomaly detection methods, our method is more accurate and more sensitive in detecting DoS attacks.
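As an added illustration of the abstract's core idea (measuring how far a traffic window's composition distribution drifts from a baseline with KL divergence), the following Python is not the paper's CSSD method or its composition distribution graph, omits the $(R/S)^d$ Hurst step, and uses constructed packet records; the key name `dport`, the smoothing constant and the threshold are assumptions.

```python
"""KL divergence between traffic composition distributions for DoS detection.

Added illustration, not the paper's CSSD method; all packet records are constructed.
"""
from collections import Counter
from math import log

def composition(records, key="dport"):
    """Composition distribution: share of each value of one attribute in a window."""
    counts = Counter(r[key] for r in records)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def kl_divergence(p, q, eps=1e-6):
    """D_KL(p || q) over the union of bins.

    A bin present in only one window would give log(0) or division by zero,
    so both distributions are smoothed by eps and renormalised first.
    """
    bins = set(p) | set(q)
    ps = {b: p.get(b, 0.0) + eps for b in bins}
    qs = {b: q.get(b, 0.0) + eps for b in bins}
    zp, zq = sum(ps.values()), sum(qs.values())
    return sum((ps[b] / zp) * log((ps[b] / zp) / (qs[b] / zq)) for b in bins)

def composition_divergence(window, baseline, key="dport"):
    """Divergence of an observed window's composition from a baseline composition."""
    return kl_divergence(composition(window, key), baseline)

def detect(windows, baseline, threshold=0.3, key="dport"):
    """True for every window whose composition diverges from baseline beyond threshold."""
    return [composition_divergence(w, baseline, key) > threshold for w in windows]

# Constructed traffic: a mixed baseline window and two observed windows, one of
# which is a flood concentrated on a single destination port.
BASELINE = [{"dport": 80}] * 4 + [{"dport": 443}] * 3 + [{"dport": 53}] * 2 + [{"dport": 22}]
NORMAL = [{"dport": 80}] * 5 + [{"dport": 443}] * 3 + [{"dport": 53}] * 2
FLOOD = [{"dport": 80}] * 9 + [{"dport": 443}]

if __name__ == "__main__":
    base = composition(BASELINE)
    for name, win in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, round(composition_divergence(win, base), 3))
    print(detect([NORMAL, FLOOD], base))  # [False, True]
```

The threshold would in practice be calibrated from the divergence observed across many attack-free windows rather than fixed by hand.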


Cited by

  1. Impact Evaluation of DDoS Attacks on DNS Cache Server Using Queuing Model vol.7, pp.4, 2013, https://doi.org/10.3837/tiis.2013.04.017
  2. Anomaly Detection Based on LRD Behavior Analysis of Decomposed Control and Data Planes Network Traffic Using SOSS and FARIMA Models vol.5, pp.None, 2012, https://doi.org/10.1109/access.2017.2689001