http://dx.doi.org/10.3837/tiis.2010.06.014

Combining Adaptive Filtering and IF Flows to Detect DDoS Attacks within a Router  

Yan, Ruo-Yu (Department of Computer Science and Technology, MOE KLINNS, Xi'an Jiaotong University)
Zheng, Qing-Hua (Department of Computer Science and Technology, MOE KLINNS, Xi'an Jiaotong University)
Li, Hai-Fei (Department of Computer Science, Union University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 4, no. 3, 2010, pp. 428-451
Abstract
Traffic-matrix-based anomaly detection and DDoS attack detection in networks are a research focus of the network security and traffic measurement community. In this paper, we first propose a new type of unidirectional flow called the IF flow. The merits and features of IF flows are analyzed in detail, and two efficient methods are then introduced into our DDoS attack detection and evaluation scheme. The first method applies a Recursive Least Square (RLS) filter to predict IF flows and uses the residual variance ratio to detect DDoS attacks. The second method applies a Kalman filter to estimate IF flows and uses a generalized likelihood ratio (GLR) statistical test to detect DDoS attacks. Based on the two complementary methods, an evaluation formula is proposed to assess the seriousness of current DDoS attacks on router ports. Furthermore, the sensitivity of three types of traffic (IF flow, input link and output link) to DDoS attacks is analyzed and compared. Experiments show that the IF flow exposes anomalies more strongly than the other two types of traffic. Finally, the two proposed methods are compared in terms of detection rate, processing speed, etc., and also compared in detail with the Principal Component Analysis (PCA) and Cumulative Sum (CUSUM) methods. The results demonstrate that the adaptive filter methods have a higher detection rate, a lower false alarm rate and a smaller detection lag time.
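As an added illustration of the first method named in the abstract (RLS prediction of a flow series followed by a residual-variance-ratio test), the Python below is my own construction and not the paper's code: the IF flow series is synthetic, and the AR order, forgetting factor, baseline window and alarm threshold are assumed tuning values, with the "residual variance ratio" taken here as trailing-window residual variance over quiet-baseline residual variance.

```python
import random
import statistics

def rls_residuals(series, order=3, lam=0.98, delta=100.0):
    """One-step RLS predictor x_hat[t] = w . (x[t-1..t-order]); returns residuals e[t], t >= order."""
    w = [0.0] * order
    P = [[delta if i == j else 0.0 for j in range(order)] for i in range(order)]
    residuals = []
    for t in range(order, len(series)):
        u = [series[t - 1 - i] for i in range(order)]          # recent history
        e = series[t] - sum(wi * ui for wi, ui in zip(w, u))   # prediction error
        Pu = [sum(P[i][j] * u[j] for j in range(order)) for i in range(order)]
        denom = lam + sum(ui * pi for ui, pi in zip(u, Pu))
        k = [pi / denom for pi in Pu]                           # RLS gain vector
        w = [wi + ki * e for wi, ki in zip(w, k)]
        # P <- (P - k u^T P) / lam; u^T P equals Pu^T because P is symmetric
        P = [[(P[i][j] - k[i] * Pu[j]) / lam for j in range(order)] for i in range(order)]
        residuals.append(e)
    return residuals

def variance_ratio_alarms(residuals, baseline, window, threshold):
    """Residual indices where trailing-window variance > threshold x baseline-slice variance."""
    base_var = max(statistics.variance(residuals[baseline[0]:baseline[1]]), 1e-9)
    alarms = []
    for end in range(baseline[1] + window, len(residuals) + 1):
        ratio = statistics.variance(residuals[end - window:end]) / base_var
        if ratio > threshold:
            alarms.append(end - 1)
    return alarms

def make_if_flow_series(seed=7, length=120, attack_start=80):
    """Constructed per-interval IF flow counts: ~100 with unit jitter, then a noisy flood (+40..80)."""
    rng = random.Random(seed)
    series = []
    for t in range(length):
        x = 100.0 + rng.gauss(0.0, 1.0)
        if t >= attack_start:
            x += 40.0 + rng.uniform(0.0, 40.0)
        series.append(x)
    return series

def detect_ddos(series, order=3, baseline=(20, 50), window=20, threshold=4.0):
    """Series indices where the alarm fires (baseline, window, threshold are assumed values)."""
    res = rls_residuals(series, order)
    return [i + order for i in variance_ratio_alarms(res, baseline, window, threshold)]
```

Because the predictor adapts to the new traffic level within a few intervals, it is the variance of the unpredictable flood component, not the level shift itself, that keeps the alarm raised for the whole attack.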
Keywords
Anomaly detection; distributed denial of service; Kalman filter; recursive least square; router-wide traffic analysis
Citations & Related Records

Times Cited By Web Of Science: 0
Times Cited By SCOPUS: 3