Defending DDoS Attacks Using Hidden Markov Models and Cooperative Reinforcement Learning
In recent years, distributed denial of service (DDoS) attacks have posed an increasing threat to the Internet, since the traffic they generate can consume large amounts of bandwidth or computing resources and DDoS attack tools have become increasingly easy to obtain. However, because DDoS attack traffic resembles transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, in which a distributed cooperative detection scheme based on source IP address monitoring is employed. To detect DDoS attacks earlier, the detectors are placed at intermediate network nodes or near the sources of DDoS attacks, and HMMs are used to build a profile of normal traffic from the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies for information exchange among the distributed detectors, so that detection accuracy is improved without imposing a heavy communication load on the detectors. Simulation results on distributed detection of DDoS attacks generated by the TFN2K tool illustrate the effectiveness of the proposed method.
Keywords: Communication Cost, Intrusion Detection, Anomaly Detection, Observation Sequence, Normal Traffic
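The abstract's normal-traffic profile rests on one observation stream: how many source IP addresses in each time window have never been seen before, scored against an HMM trained on quiet periods. The example below is added here to make that mechanism concrete; it is not code from the paper. It builds the "seen IP" database, buckets the per-window new-IP count into HMM observation symbols, scores the recent symbols with the forward algorithm and raises an alarm when the per-symbol log-likelihood falls below a threshold. The two-state HMM parameters, the bucket edges, the threshold of -2.0 and all sample traffic (RFC 5737 documentation addresses) are constructed assumptions, not values from the paper, and the cooperative reinforcement learning part is not modelled.

```python
"""Added example (not code from the paper): scoring a 'new source IP'
observation sequence against a discrete HMM profile of normal traffic.
HMM parameters, bucket edges, threshold and all sample traffic below are
constructed assumptions, not the paper's values."""
import math

# Observation symbol = bucketed count of never-before-seen source IPs in a
# window: 0 = none, 1 = a few (1..3), 2 = many (>3). Edges are assumed.
BUCKET_EDGES = (0, 3)

# Two hidden states describing normal traffic: 0 = quiet, 1 = busy.
# Hand-set so that the "many new IPs" symbol is rare in either state.
START = [0.7, 0.3]
TRANS = [[0.85, 0.15],
         [0.30, 0.70]]
EMIT = [[0.80, 0.18, 0.02],   # P(symbol | quiet)
        [0.45, 0.50, 0.05]]   # P(symbol | busy)

# Constructed "IP address database" of clients seen during a quiet period.
KNOWN_CLIENTS = {f"192.0.2.{n}" for n in range(1, 21)}


def bucket(count):
    """Map a raw new-IP count to a discrete HMM observation symbol."""
    for symbol, edge in enumerate(BUCKET_EDGES):
        if count <= edge:
            return symbol
    return len(BUCKET_EDGES)


def new_ip_counts(windows, seen):
    """Per window, count source IPs not yet in the database; each window's
    fresh addresses are then added, so a legitimate newcomer is 'new' once."""
    counts = []
    for window in windows:
        fresh = {ip for ip in window if ip not in seen}
        counts.append(len(fresh))
        seen |= fresh
    return counts


def logsumexp(values):
    values = list(values)
    top = max(values)
    return top + math.log(sum(math.exp(v - top) for v in values))


def log_likelihood(symbols):
    """Forward algorithm in log space: log P(symbols | normal-traffic HMM)."""
    alpha = [math.log(START[s]) + math.log(EMIT[s][symbols[0]])
             for s in range(len(START))]
    for sym in symbols[1:]:
        alpha = [math.log(EMIT[s][sym])
                 + logsumexp(alpha[p] + math.log(TRANS[p][s])
                             for p in range(len(START)))
                 for s in range(len(START))]
    return logsumexp(alpha)


def detect(windows, seen, k=4, threshold=-2.0):
    """Online anomaly flags: for each window, score the last k symbols with
    the normal profile and alarm when the per-symbol log-likelihood drops
    below the threshold (k and threshold are assumptions)."""
    symbols = [bucket(c) for c in new_ip_counts(windows, set(seen))]
    alarms = []
    for i in range(len(symbols)):
        recent = symbols[max(0, i - k + 1): i + 1]
        alarms.append(log_likelihood(recent) / len(recent) < threshold)
    return alarms


# Constructed traffic: eight normal windows of known clients with the odd
# newcomer, followed by eight windows of 20 never-seen addresses each, the
# new-IP signature the abstract uses to tell a flood from a normal burst.
NORMAL_WINDOWS = [
    ["192.0.2.3", "192.0.2.5", "192.0.2.7"],
    ["192.0.2.3", "192.0.2.9", "192.0.2.30"],
    ["192.0.2.1", "192.0.2.30"],
    ["192.0.2.4", "192.0.2.31", "192.0.2.32"],
    ["192.0.2.2"],
    ["192.0.2.6", "192.0.2.8"],
    ["192.0.2.33"],
    ["192.0.2.10", "192.0.2.11"],
]
ATTACK_WINDOWS = [[f"203.0.113.{w * 20 + n}" for n in range(20)]
                  for w in range(8)]

if __name__ == "__main__":
    traffic = NORMAL_WINDOWS + ATTACK_WINDOWS
    counts = new_ip_counts(traffic, set(KNOWN_CLIENTS))
    for i, (count, flag) in enumerate(zip(counts, detect(traffic, KNOWN_CLIENTS))):
        print(f"window {i:2d}: new IPs={count:3d}  alarm={flag}")
```

The normal windows produce the symbol sequence 0,1,0,1,0,0,1,0, whose per-symbol log-likelihood stays well above the threshold, while once the sliding window holds three or more "many new IPs" symbols the score is bounded by the emission probabilities alone (at most 0.05 per symbol) and the alarm fires; a transient burst from already-known clients contributes nothing to the new-IP count, which is the property the source-IP-monitoring approach relies on. In a real detector the HMM parameters would be estimated from recorded normal traffic rather than hand-set.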