Abstract
Malicious activity in computer networks often produces patterns in network data that do not conform to normal behaviour. Since the nature of such anomalies differs between attack types, detecting them is not trivial and may require attack-specific anomaly detection techniques. In this work, we focus on anomaly (outlier) detection techniques for DDoS attacks on computer networks. Our main goal is to identify the techniques that prove most appropriate for different attack types. We restrict our research to fully unsupervised methods because, in real-world scenarios, it is difficult to obtain examples of all possible anomalies, especially as the set of them is constantly growing. To the best of our knowledge, our work is the first to use time-related features in a purely unsupervised manner and to provide a fair comparison between widely known outlier detection methods. We evaluate clustering-, autoencoder- and LSTM-based techniques on commonly used datasets, namely DARPA1998, ISCXIDS2012 and CICDDoS2019. Moreover, we propose the IQRPACF method, which combines the interquartile range (IQR) with the partial autocorrelation function (PACF). The proposed method not only requires no training but also, in most cases, outperforms the other solutions.
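The abstract names two standard building blocks, the IQR outlier rule and the partial autocorrelation function, and a detector built from them that needs no training phase. The block below is an added illustration, not the authors' IQRPACF implementation (the chapter's algorithm is not reproduced on this page): it computes the PACF of sliding windows over a series of per-5-minute packet counts (the 5-minute window of footnote 1) and applies the 1.5·IQR rule, lag by lag, across all windows of the same series, next to the same rule applied to the raw counts. The traffic series is constructed (a smooth 30-minute cycle around 1000 packets with a volumetric flood injected at windows 200 to 211), and the window length, lag count, k = 1.5 and the way IQR and PACF are combined are assumptions of this example, not facts taken from the paper.

```python
"""Training-free outlier detection on windowed traffic counts (added illustration).

Two building blocks named in the abstract, in pure Python with no third-party packages:
  * the interquartile-range (IQR) rule: x is an outlier if x < Q1 - k*IQR or x > Q3 + k*IQR
  * the partial autocorrelation function (PACF), via the Durbin-Levinson recursion
They are combined here in one plausible way: the IQR rule is applied, lag by lag, to the
PACF of every sliding window. This is NOT the chapter's IQRPACF algorithm, whose details
are not on this page.
"""
import math
from typing import List, Sequence, Tuple


def quantile(values: Sequence[float], q: float) -> float:
    """Quantile with linear interpolation between order statistics (numpy's default)."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = math.floor(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def iqr_bounds(values: Sequence[float], k: float = 1.5) -> Tuple[float, float]:
    """Tukey fences [Q1 - k*IQR, Q3 + k*IQR]; k = 1.5 is the usual 'outlier' setting."""
    q1, q3 = quantile(values, 0.25), quantile(values, 0.75)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def iqr_outliers(values: Sequence[float], k: float = 1.5) -> List[int]:
    """Indices of values outside the Tukey fences. No training: fences come from the data."""
    lo, hi = iqr_bounds(values, k)
    return [i for i, v in enumerate(values) if v < lo or v > hi]


def acf(x: Sequence[float], nlags: int) -> List[float]:
    """Sample autocorrelation rho_1..rho_nlags (mean removed, biased estimator)."""
    n = len(x)
    mean = sum(x) / n
    d = [v - mean for v in x]
    denom = sum(v * v for v in d)
    if denom == 0.0:  # constant window: no correlation structure to estimate
        return [0.0] * nlags
    return [sum(d[t] * d[t + k] for t in range(n - k)) / denom for k in range(1, nlags + 1)]


def pacf(x: Sequence[float], nlags: int) -> List[float]:
    """PACF(1..nlags) by Durbin-Levinson: PACF(k) is the last coefficient phi_kk of the
    order-k autoregressive fit, i.e. the lag-k correlation after removing lags 1..k-1."""
    rho = acf(x, nlags)
    if nlags == 0:
        return []
    phi = [rho[0]]          # coefficients of the order-1 fit; PACF(1) = rho_1
    out = [rho[0]]
    for k in range(2, nlags + 1):
        num = rho[k - 1] - sum(phi[j] * rho[k - 2 - j] for j in range(k - 1))
        den = 1.0 - sum(phi[j] * rho[j] for j in range(k - 1))
        phi_kk = num / den if abs(den) > 1e-12 else 0.0  # guard near-deterministic windows
        phi = [phi[j] - phi_kk * phi[k - 2 - j] for j in range(k - 1)] + [phi_kk]
        out.append(phi_kk)
    return out


def synthetic_counts(n: int = 288, flood_start: int = 200, flood_len: int = 12,
                     flood_extra: float = 6000.0) -> List[float]:
    """Constructed (not captured) packets-per-5-minute-window series: a smooth 30-minute
    cycle around 1000 packets, tiny deterministic jitter, and one volumetric flood."""
    seed = 12345
    out = []
    for t in range(n):
        seed = (seed * 1103515245 + 12345) % 2 ** 31   # small LCG, reproducible jitter
        jitter = seed % 5 - 2                            # -2..2 packets
        v = 1000.0 + 200.0 * math.sin(2.0 * math.pi * t / 6.0) + jitter
        if flood_start <= t < flood_start + flood_len:
            v += flood_extra
        out.append(v)
    return out


def pacf_window_outliers(series: Sequence[float], window: int = 24, nlags: int = 2,
                         k: float = 1.5) -> List[int]:
    """Window starts t0 whose PACF is an IQR outlier at any lag; the fences for each lag are
    computed across all windows of the same series, so no separate training set is needed."""
    starts = range(len(series) - window + 1)
    vectors = [pacf(series[t0:t0 + window], nlags) for t0 in starts]
    flagged = set()
    for lag in range(nlags):
        lo, hi = iqr_bounds([v[lag] for v in vectors], k)
        flagged.update(t0 for t0, v in zip(starts, vectors) if not lo <= v[lag] <= hi)
    return sorted(flagged)


if __name__ == "__main__":
    s = synthetic_counts()
    print("raw-count IQR outliers (window index):", iqr_outliers(s))
    print("PACF/IQR flagged window starts:", pacf_window_outliers(s))
```

On this series the IQR rule on raw counts flags exactly the twelve flood windows (an amplitude anomaly), while the PACF view flags the sliding windows that straddle the flood's onset and offset, because a step in the middle of a window changes its lag-1 and lag-2 correlation structure even though no single count in the window is itself extreme. Two caveats a practitioner should keep in mind: the fences are computed from the same data being scored, so if anomalous windows make up more than roughly a quarter of the series the quartiles themselves move and the rule degrades; and the IQR of the PACF coefficients is meaningful only when the clean windows have some spread, which here comes from the cycle phase at which each window starts.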
Notes
1. Arbitrarily set to 5 min, so the network has a chance to detect anomalies correlated with time.
References
The 1998 DARPA intrusion detection evaluation dataset. https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset. Accessed 10 May 2022
DDoS evaluation dataset (CICDDoS2019). https://www.unb.ca/cic/datasets/ddos-2019.html. Accessed 10 May 2022
Intrusion detection evaluation dataset (ISCXIDS2012). https://www.unb.ca/cic/datasets/ids.html. Accessed 10 May 2022
Behal, S., Kumar, K.: Detection of DDoS attacks and flash events using information theory metrics-an empirical investigation. Comput. Commun. 103, 18–28 (2017). https://doi.org/10.1016/j.comcom.2017.02.003. http://www.sciencedirect.com/science/article/pii/S0140366417301718
Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. (CSUR) 41(3), 1–58 (2009)
Chen, Z., Yeo, C.K., Lee, B.S., Lau, C.T.: Autoencoder-based network anomaly detection. In: 2018 Wireless Telecommunications Symposium (WTS), pp. 1–5 (2018). https://doi.org/10.1109/WTS.2018.8363930
Elsayed, M.S., Le-Khac, N.A., Dev, S., Jurcut, A.D.: DDoSNet: a deep-learning model for detecting network attacks. In: 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), pp. 391–396. IEEE (2020)
Gniewkowski, M.: An overview of DoS and DDoS attack detection techniques. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds.) DepCoS-RELCOMEX 2020. AISC, vol. 1173, pp. 233–241. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-48256-5_23
Gogoi, P., Bhattacharyya, D., Borah, B., Kalita, J.K.: A survey of outlier detection methods in network anomaly identification. Comput. J. 54(4), 570–588 (2011)
Goldstein, M., Uchida, S.: A comparative evaluation of unsupervised anomaly detection algorithms for multivariate data. PLoS One 11(4), e0152173 (2016)
Gu, Y., Li, K., Guo, Z., Wang, Y.: Semi-supervised K-means DDoS detection method using hybrid feature selection algorithm. IEEE Access 7, 64351–64365 (2019)
Hendrycks, D., Mazeika, M., Dietterich, T.: Deep anomaly detection with outlier exposure. arXiv preprint arXiv:1812.04606 (2018)
Kwon, D., Kim, H., Kim, J., Suh, S.C., Kim, I., Kim, K.J.: A survey of deep learning-based network anomaly detection. Clust. Comput. 22(1), 949–961 (2017). https://doi.org/10.1007/s10586-017-1117-8
Li, Y., Zha, D., Zou, N., Hu, X.: PyODDS: an end-to-end outlier detection system (2019)
Lippmann, R.P., et al.: Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In: Proceedings DARPA Information Survivability Conference and Exposition. DISCEX 2000, vol. 2, pp. 12–26. IEEE (2000)
Liu, Y., Yin, J., Cheng, J., Zhang, B.: Detecting DDoS attacks using conditional entropy. In: 2010 International Conference on Computer Application and System Modeling (ICCASM 2010), vol. 13, p. V13-278. IEEE (2010)
Ma, X., Chen, Y.: DDoS detection method based on chaos analysis of network traffic entropy. IEEE Commun. Lett. 18(1), 114–117 (2014). https://doi.org/10.1109/LCOMM.2013.112613.132275
Malhotra, P., Ramakrishnan, A., Anand, G., Vig, L., Agarwal, P., Shroff, G.: LSTM-based encoder-decoder for multi-sensor anomaly detection. arXiv preprint arXiv:1607.00148 (2016)
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
Sharafaldin, I., Lashkari, A.H., Hakak, S., Ghorbani, A.A.: Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In: 2019 International Carnahan Conference on Security Technology (ICCST), pp. 1–8 (2019). https://doi.org/10.1109/CCST.2019.8888419
Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012). https://doi.org/10.1016/j.cose.2011.12.012
Tabatabaie Nezhad, S.M., Nazari, M., Gharavol, E.A.: A novel DoS and DDoS attacks detection algorithm using ARIMA time series model and chaotic system in computer networks. IEEE Commun. Lett. 20(4), 700–703 (2016). https://doi.org/10.1109/LCOMM.2016.2517622
Yuan, X., Li, C., Li, X.: DeepDefense: identifying DDoS attack via deep learning. In: 2017 IEEE International Conference on Smart Computing (SMARTCOMP), pp. 1–8. IEEE (2017)
Zhang, J., Zulkernine, M.: Anomaly based network intrusion detection with unsupervised outlier detection. In: 2006 IEEE International Conference on Communications, vol. 5, pp. 2388–2393. IEEE (2006)
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gniewkowski, M., Maciejewski, H., Surmacz, T. (2022). Anomaly Detection Techniques for Different DDoS Attack Types. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) New Advances in Dependability of Networks and Systems. DepCoS-RELCOMEX 2022. Lecture Notes in Networks and Systems, vol 484. Springer, Cham. https://doi.org/10.1007/978-3-031-06746-4_7
DOI: https://doi.org/10.1007/978-3-031-06746-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06745-7
Online ISBN: 978-3-031-06746-4
eBook Packages: Intelligent Technologies and Robotics; Intelligent Technologies and Robotics (R0)