Detecting DDoS Attacks Based on Multi-stream Fused HMM in Source-End Network

  • Jian Kang
  • Yuan Zhang
  • Jiu-bin Ju
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4301)


A DDoS (Distributed Denial-of-Service) attack detection system deployed in the source-end network is superior in detection and prevention to one deployed in the victim network, because it can perceive and throttle attacks before the data flows to the Internet. However, existing work in the source-end network suffers from high false-positive and false-negative rates because it is based on a single feature and cannot synthesize multiple features simultaneously. This paper proposes a novel approach that uses a Multi-stream Fused Hidden Markov Model (MF-HMM) for source-end DDoS detection to integrate multiple features simultaneously. The features include the S-D-P feature, TCP header flags, and the IP header ID field. Through experiments, we compared our original approach, based on multiple detection features, with other main algorithms (such as CUSUM and HMM) based on a single feature. The results show that our approach effectively reduces the false-positive and false-negative rates and improves the precision of detection.


Keywords: Port Number; Maximum Mutual Information; Detection Information; USENIX Security Symposium; CUSUM Algorithm
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jian Kang (1)
  • Yuan Zhang (1)
  • Jiu-bin Ju (1)
  1. Department of Computer Science & Technology, Jilin University, Changchun, China
