
DyProSD: a dynamic protocol specific defense for high-rate DDoS flooding attacks

Technical Paper, published in Microsystem Technologies

Abstract

High-rate distributed denial of service (HDDoS) flooding attacks pose a major threat to the Internet. Most existing solutions based on machine-learning approaches are unsuitable for detecting these attacks in real time because of their high processing overhead. In this paper we present a defense solution, referred to as DyProSD, that combines the merits of the feature-based and statistical approaches to handle HDDoS flooding attacks. The statistical module marks suspicious traffic and forwards it to an ensemble of classifiers, which decides whether the traffic is malicious or normal. Our method filters attack traffic protocol-specifically by allocating protocol-specific filter engines dynamically. When a DDoS attack occurs and the load on a filter engine exceeds its capacity, a new filter engine is recruited dynamically from the idle resource pool for filtering, so that the quality of service for legitimate users is maintained concurrently. We establish the effectiveness of DyProSD through several experimental analyses and experiments on real-world datasets, and the results give strong confidence in favour of our solution.
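The three-stage pipeline the abstract describes, written out as an added illustrative model (this is not the authors' DyProSD implementation): a cheap statistical check marks per-protocol windows whose rate is far above baseline, an ensemble vote confirms or clears them, and confirmed flood traffic is spread over protocol-specific filter engines that are recruited from an idle pool once the active engines are at capacity. The baseline, the 3x and 5x rate thresholds, the three voting rules, the per-engine capacity of 1000 packets per window and the sample windows are all assumptions constructed for the example; the paper's actual statistics, classifiers and capacities are not given on this page.

```python
"""Illustrative model of the three-stage defense described in the DyProSD
abstract: a statistical module marks suspicious traffic, an ensemble of
classifiers confirms it, and confirmed attack traffic is filtered by
protocol-specific engines recruited dynamically from an idle pool.
Added example, not the authors' implementation; thresholds, voting rules,
capacities and sample traffic are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional
import math

BASELINE = 200  # assumed normal packets per measurement window, per protocol


@dataclass
class Window:
    """Per-protocol traffic summary for one measurement window."""
    protocol: str
    pkt_count: int
    src_ips: Counter  # source IP -> packets sent in this window


def src_ip_entropy(win: Window) -> float:
    """Shannon entropy (bits) of the source-IP distribution; floods from
    many spoofed or bot sources spread probability mass widely."""
    total = sum(win.src_ips.values())
    return -sum(c / total * math.log2(c / total) for c in win.src_ips.values())


def statistical_mark(win: Window, baseline: int, factor: float = 3.0) -> bool:
    """Stage 1 (assumed rule): mark a window whose packet count exceeds
    factor x the protocol's baseline. Cheap enough to run on every window."""
    return win.pkt_count > factor * baseline


def ensemble_classify(win: Window, baseline: int) -> bool:
    """Stage 2: majority vote of three assumed weak classifiers.
    Returns True when the marked window is judged malicious."""
    votes = [
        win.pkt_count > 5 * baseline,   # sustained, far-above-baseline rate
        src_ip_entropy(win) > 5.0,      # sources are widely spread
        len(win.src_ips) > 50,          # many distinct senders
    ]
    return sum(votes) >= 2


@dataclass
class FilterEngine:
    engine_id: int
    protocol: Optional[str] = None  # None while the engine sits in the idle pool
    load: int = 0                   # packets assigned in the current window
    capacity: int = 1000            # assumed packets/window one engine can filter


class FilterEnginePool:
    """Stage 3: protocol-specific engines plus an idle reserve."""

    def __init__(self, n_idle: int):
        self.idle = [FilterEngine(i) for i in range(n_idle)]
        self.active = defaultdict(list)  # protocol -> engines dedicated to it

    def assign(self, protocol: str, pkts: int) -> int:
        """Spread pkts over the engines already serving protocol; when they are
        all at capacity, recruit engines from the idle pool. Returns how many
        packets could not be filtered (non-zero means the pool is exhausted)."""
        remaining = pkts
        for eng in self.active[protocol]:
            take = min(eng.capacity - eng.load, remaining)
            eng.load += take
            remaining -= take
        while remaining > 0 and self.idle:
            eng = self.idle.pop()
            eng.protocol = protocol
            eng.load = min(eng.capacity, remaining)
            remaining -= eng.load
            self.active[protocol].append(eng)
        return remaining

    def new_window(self) -> None:
        """Reset per-window load counters; engines stay bound to their protocol."""
        for engines in self.active.values():
            for eng in engines:
                eng.load = 0


def process_window(win: Window, baseline: int, pool: FilterEnginePool):
    """Run one window through all three stages.
    Returns (verdict, packets_left_unfiltered)."""
    if not statistical_mark(win, baseline):
        return ("normal", 0)
    if not ensemble_classify(win, baseline):
        return ("marked-but-normal", 0)  # e.g. a burst from one heavy client
    return ("malicious", pool.assign(win.protocol, win.pkt_count))


# Constructed sample windows (not real traffic).
NORMAL = Window("TCP", 180, Counter({f"192.0.2.{i}": 9 for i in range(20)}))
HEAVY_CLIENT = Window("TCP", 900, Counter({"198.51.100.7": 900}))
TCP_FLOOD = Window("TCP", 3500, Counter({f"10.0.{i // 256}.{i % 256}": 10 for i in range(350)}))
UDP_FLOOD = Window("UDP", 1500, Counter({f"10.1.{i // 256}.{i % 256}": 10 for i in range(150)}))

if __name__ == "__main__":
    pool = FilterEnginePool(n_idle=5)
    for win in (NORMAL, HEAVY_CLIENT, TCP_FLOOD, UDP_FLOOD):
        verdict, unfiltered = process_window(win, BASELINE, pool)
        active = {p: len(e) for p, e in pool.active.items()}
        print(f"{win.protocol:>4} {win.pkt_count:>5} pkts -> {verdict}, "
              f"unfiltered={unfiltered}, active={active}, idle={len(pool.idle)}")
```

With five idle engines the TCP flood recruits four of them and is fully filtered, after which the UDP flood can only obtain the last engine and 500 packets per window go unfiltered; that non-zero remainder is the signal an operator would alert on, since it means the idle pool is exhausted and legitimate users of that protocol are no longer protected. The single heavy client is marked by the cheap rate check but cleared by the ensemble, which is the role the abstract assigns to the second stage.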




Acknowledgments

This work is supported by Ministry of Human Resource and Development (MHRD), Government of India, under Frontier Areas of Science and Technology (FAST).

Corresponding author

Correspondence to Debojit Boro.


About this article


Cite this article

Boro, D., Bhattacharyya, D.K. DyProSD: a dynamic protocol specific defense for high-rate DDoS flooding attacks. Microsyst Technol 23, 593–611 (2017). https://doi.org/10.1007/s00542-016-2978-0


  • DOI: https://doi.org/10.1007/s00542-016-2978-0
