http://dx.doi.org/10.3837/tiis.2019.05.023

Traffic Seasonality aware Threshold Adjustment for Effective Source-side DoS Attack Detection

Nguyen, Giang-Truong (Department of Electronics and Computer Engineering, Chonnam National University)
Nguyen, Van-Quyet (Department of Electronics and Computer Engineering, Chonnam National University)
Nguyen, Sinh-Ngoc (Department of Electronics and Computer Engineering, Chonnam National University)
Kim, Kyungbaek (Department of Electronics and Computer Engineering, Chonnam National University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.13, no.5, 2019, pp. 2651-2673
Abstract
To detect Denial of Service (DoS) attacks, victim-side detection methods such as static threshold-based and machine learning-based methods are widely used. However, as DoS attack methods become more sophisticated, these methods show inherent disadvantages such as late detection and the difficulty of tracing back attackers. Recently, source-side DoS detection methods have been researched to mitigate these drawbacks. However, source-side DoS detection methods have limitations when the volume of attack traffic is very small relative to, and blended into, legitimate traffic. In particular, with such subtle attack traffic, DoS detection methods may suffer from a high false positive rate, treating legitimate traffic as attack traffic. In this paper, we propose an effective source-side DoS detection method with a traffic seasonality aware adaptive threshold. The threshold for detecting a DoS attack is adjusted adaptively to the fluctuating legitimate traffic in order to detect subtle attack traffic. Moreover, by understanding the seasonality of legitimate traffic, the threshold can be updated more carefully even while a subtle attack is in progress, which helps to achieve a low false positive rate. Extensive evaluation on real traffic logs shows that the proposed method achieves a very high detection rate, over 90%, with a low false positive rate, down to 5%.
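To make the abstract's idea concrete, here is an added illustration (not the paper's algorithm or code): one smoothed baseline per seasonal slot, a threshold derived from that baseline, and a freeze on baseline updates for flagged windows so subtle attack traffic cannot lift the threshold it is measured against. The slot size, smoothing weight, margin and the sample traffic pattern are all assumptions constructed for the example; the same class with a single slot shows why a seasonality-blind baseline raises false positives on the normal morning ramp.

```python
class SeasonalThresholdDetector:
    """Hypothetical per-slot adaptive threshold (illustration, not the paper's method).

    A window is flagged when its outbound request count exceeds
    baseline*(1+margin)+floor for its seasonal slot (e.g. hour of day).
    Flagged windows never update the baseline, so a subtle attack cannot
    gradually raise the threshold; clean windows update it by smoothing.
    """

    def __init__(self, slots=24, alpha=0.3, margin=0.25, floor=20.0):
        self.slots, self.alpha, self.margin, self.floor = slots, alpha, margin, floor
        self.baseline = [None] * slots  # None until the slot has seen a clean sample

    def threshold(self, slot):
        b = self.baseline[slot]
        return None if b is None else b * (1 + self.margin) + self.floor

    def observe(self, slot, count):
        """Return True if the window is flagged; update the baseline only when clean."""
        b = self.baseline[slot]
        if b is None:
            self.baseline[slot] = float(count)  # warm-up: first sample seeds the slot
            return False
        if count > self.threshold(slot):
            return True  # frozen: the suspicious window does not poison the baseline
        self.baseline[slot] = (1 - self.alpha) * b + self.alpha * count  # exp. smoothing
        return False


def hourly_trace(days, attack=frozenset()):
    """Constructed sample traffic: low night / high day / medium evening pattern
    with deterministic jitter; windows in `attack` get +70 extra (subtle) requests."""
    pattern = [40] * 6 + [150] * 12 + [80] * 6
    trace = []
    for d in range(days):
        for h in range(24):
            jitter = ((d * 5 + h * 7) % 11) - 5
            extra = 70 if (d, h) in attack else 0
            trace.append((d, h, pattern[h] + jitter + extra))
    return trace


def run(detector, trace):
    """Feed a trace through a detector and return the (day, hour) windows it flags."""
    return [(d, h) for d, h, c in trace if detector.observe(h % detector.slots, c)]


if __name__ == "__main__":
    attack = {(2, 10), (2, 11), (2, 12)}
    print("seasonal, attack:", run(SeasonalThresholdDetector(), hourly_trace(3, attack)))
    print("seasonal, clean :", run(SeasonalThresholdDetector(), hourly_trace(3)))
    print("global,   clean :", run(SeasonalThresholdDetector(slots=1), hourly_trace(3)))
```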
Keywords
DoS attack; DoS detection; source-side detection; adaptive threshold; traffic seasonality;