Anomaly Detection Techniques for Different DDoS Attack Types

  • Conference paper
  • New Advances in Dependability of Networks and Systems (DepCoS-RELCOMEX 2022)

Abstract

Malicious activities in computer network systems often generate patterns in network data that do not conform to normal behaviour. Since the nature of such anomalies may differ between attack types, detecting them is not trivial and may require attack-specific anomaly detection techniques. In this work, we focus on anomaly (outlier) detection techniques for DDoS attacks on computer networks. Our main goal is to find the techniques that prove most appropriate for different types of attacks. We restrict our research to fully unsupervised methods because, in real-world scenarios, it is difficult to obtain examples of all possible anomalies, especially since the set of such anomalies is constantly growing. To the best of our knowledge, our work is the first that utilizes time-related features in a purely unsupervised manner and that provides a fair comparison between widely known outlier detection methods. We evaluate clustering, autoencoder and LSTM-based techniques on commonly used datasets, i.e. DARPA1998, ISCXIDS2012 and CICDDOS2019. Moreover, we propose the IQRPACF method, which combines the interquartile range (IQR) with the partial autocorrelation function (PACF). The proposed method not only requires no training but also, in most cases, outperforms the other solutions.
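Added example, not code from the paper: the page does not describe how IQRPACF combines IQR with the PACF, so the combination below is an assumption of this example. Durbin-Levinson turns the sample autocovariances of a per-window packet-count series into PACF values and AR(p) coefficients, the AR model's one-step prediction errors serve as residuals, and a one-sided IQR fence flags windows whose residual is abnormally high. The 5-minute windowing, the packet-count series and the flood window are all constructed.

```python
import math
from statistics import mean

def autocovariance(x, max_lag):
    """Sample autocovariance gamma[0..max_lag] of the series x."""
    n, m = len(x), mean(x)
    return [sum((x[t] - m) * (x[t - k] - m) for t in range(k, n)) / n
            for k in range(max_lag + 1)]

def durbin_levinson(gamma, p):
    """Recursive Yule-Walker solution: returns (AR(p) coefficients phi_1..phi_p,
    PACF values phi_kk for lags 1..p)."""
    phi, pacf, v = [], [], gamma[0]
    for k in range(1, p + 1):
        num = gamma[k] - sum(phi[j] * gamma[k - 1 - j] for j in range(k - 1))
        phi_kk = num / v
        phi = [phi[j] - phi_kk * phi[k - 2 - j] for j in range(k - 1)] + [phi_kk]
        v *= 1 - phi_kk ** 2          # innovation variance shrinks at each order
        pacf.append(phi_kk)
    return phi, pacf

def quantile(values, q):
    """Quantile with linear interpolation between order statistics."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo, frac = int(pos), pos - int(pos)
    return s[lo] if frac == 0 else s[lo] + frac * (s[lo + 1] - s[lo])

def iqr_upper_outliers(values, k=1.5):
    """Indices of values above Q3 + k*IQR (one-sided: only traffic excess)."""
    q1, q3 = quantile(values, 0.25), quantile(values, 0.75)
    fence = q3 + k * (q3 - q1)
    return [i for i, v in enumerate(values) if v > fence]

def detect(series, p=3):
    """Flag windows whose AR(p) one-step prediction error is an IQR outlier.
    No training phase: the coefficients come straight from the series itself."""
    m = mean(series)
    phi, pacf = durbin_levinson(autocovariance(series, p), p)
    resid = [(series[t] - m) - sum(phi[j] * (series[t - 1 - j] - m)
                                   for j in range(p))
             for t in range(p, len(series))]
    return [i + p for i in iqr_upper_outliers(resid)], pacf

# Constructed sample: packets per 5-minute window over 4 hours with an hourly
# wobble; window 30 is a constructed flood at roughly ten times normal volume.
SAMPLE = [round(100 + 10 * math.sin(2 * math.pi * t / 12)) for t in range(48)]
SAMPLE[30] = 1000
```

`detect(SAMPLE)` returns the flagged window list `[30]` together with the three PACF values; the single flood window is caught while the periodic wobble is not.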


Notes

  1. Arbitrarily set to 5 min, so the network has a chance to detect anomalies correlated with time.

Corresponding author

Correspondence to Mateusz Gniewkowski.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Gniewkowski, M., Maciejewski, H., Surmacz, T. (2022). Anomaly Detection Techniques for Different DDoS Attack Types. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds) New Advances in Dependability of Networks and Systems. DepCoS-RELCOMEX 2022. Lecture Notes in Networks and Systems, vol 484. Springer, Cham. https://doi.org/10.1007/978-3-031-06746-4_7