http://dx.doi.org/10.3837/tiis.2012.05.012

A DoS Detection Method Based on Composition Self-Similarity  

Jian-Qi, Zhu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University)
Feng, Fu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University)
Kim, Chong-Kwon (School of Computer Science and Engineering, Seoul National University)
Ke-Xin, Yin (College of Software, Changchun University of Technology)
Yan-Heng, Liu (College of Computer Science and Technology, Key Laboratory of Symbolic Computation and Knowledge Engineering of Ministry of Education, Jilin University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.6, no.5, 2012, pp. 1463-1478
Abstract
Based on the theory of local-world networks, this paper presents, for the first time, the composition self-similarity (CSS) of network traffic for the study of DoS detection. We propose the concept of the composition distribution graph and design the related operations. The $(R/S)^d$ algorithm is designed for calculating the Hurst parameter. Based on the composition distribution graph and Kullback-Leibler (KL) divergence, we propose the composition self-similarity anomaly detection (CSSD) method for the detection of DoS attacks. We evaluate the effectiveness of the proposed method. Compared to other entropy-based anomaly detection methods, our method is more accurate and more sensitive in the detection of DoS attacks.
Keywords
DoS detection; composition self-similarity; composition distribution graph; Kullback-Leibler divergence