Similar literature (20 results)
1.
康健  鞠九滨 《计算机应用》2006,26(6):1343-1345
Based on an in-depth analysis of the characteristics and difficulties of source-end DDoS detection, this paper introduces the nonparametric change-point detection method from statistics and applies the nonparametric recursive CUSUM (Cumulative Sum) algorithm to improve D-WARD, a representative source-end detection system. Experiments show that the detection system using the CUSUM algorithm has lower false positive and false negative rates and can adapt to more complex network detection environments.

2.
In this paper, we propose a behavior-based detection method that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimate traffic regardless of the type of attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These varied attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft their traffic to look like flash crowd events and fly under the victim's radar. We notice that DDoS attacks have repeatable patterns which are absent from legitimate flash crowd traffic. In this paper, we propose comparative detection methods based on Pearson's correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in DDoS traffic but not in flash crowd traffic. Extensive simulations were run to optimize the detection methods. We then performed experiments with several datasets, and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffic.
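The repeatable-pattern idea in abstract 2 can be shown in a few dozen lines. The example below is added here and is not the paper's code: it correlates a per-millisecond packet-arrival-count series with a lagged copy of itself using Pearson's coefficient, and reports the lag at which the series best reproduces itself. An attack tool replaying a fixed burst schedule scores close to 1 at its period; independent human arrivals in a flash crowd do not. The burst schedule, the jitter range, the 0.6 decision threshold and the maximum lag of 32 are this example's own assumptions, and both traffic series are constructed inline.

```python
import random


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length series; 0.0 if either is constant."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("need two equal-length series with at least two samples")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def repeat_score(counts, max_lag):
    """Correlate the arrival-count series with a lagged copy of itself; return (best r, lag)."""
    best_r, best_lag = -1.0, 0
    for lag in range(1, max_lag + 1):
        r = pearson(counts[:-lag], counts[lag:])
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def classify(counts, max_lag=32, threshold=0.6):
    """'ddos' when some lag reproduces the series almost exactly, otherwise 'flash_crowd'."""
    r, lag = repeat_score(counts, max_lag)
    return ("ddos" if r >= threshold else "flash_crowd"), round(r, 3), lag


def attack_arrivals(rng, repeats=25):
    """Constructed: an attack tool replays a fixed 10-slot burst schedule with slight jitter."""
    burst = [200, 30, 30, 60, 30, 30, 90, 30, 30, 30]
    return [v + rng.randint(-3, 3) for _ in range(repeats) for v in burst]


def flash_crowd_arrivals(rng, slots=250):
    """Constructed: heavy load from independent humans, with no timing structure between arrivals."""
    return [rng.randint(20, 200) for _ in range(slots)]


_RNG = random.Random(7)
ATTACK = attack_arrivals(_RNG)
FLASH = flash_crowd_arrivals(_RNG)

if __name__ == "__main__":
    print("attack     ", classify(ATTACK))   # 'ddos', r close to 1 at lag 10 (or a multiple of it)
    print("flash crowd", classify(FLASH))    # 'flash_crowd', r well below the threshold
```

The self-correlation is computed over the whole window, so a tool that randomizes its inter-burst gap would lower the score; that is the adaptation the abstract's "various attack strategies" refers to, and in practice the threshold is tuned on traces from the protected service.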

3.
唐林  唐治德  马超 《计算机仿真》2008,25(2):149-152
DDoS (Distributed Denial of Service) attacks are a new form of network attack that grew out of the traditional DoS attack and are one of the most serious threats facing the Internet; they consume enormous network resources and disrupt normal network access. DDoS attacks are distributed, their sources are concealed, and they use IP spoofing, which makes them hard to trace and identify. Any network attack produces anomalous traffic, and DDoS is no exception; its distributed nature makes the anomaly even more pronounced. This paper studies the use of neural network techniques, aided by IP marking, to identify the packets in the anomalous traffic. The method is as follows: exploiting the fact that a DDoS attack is always launched from many sources against a single target, packets are marked at routers using IP marking, and the marking parameters that reflect the network traffic are obtained and used as the input vector of a neural network; a BP neural network is then trained to recognize the anomalous traffic caused by DDoS attacks; finally, the trained network can effectively identify and defend against DDoS attacks at run time, improving the utilization of network resources. Experiments show that defending against DDoS attacks with neural network techniques is feasible and efficient.

4.
Most existing DDoS defenses were proposed for traditional IPv4 networks, and their real-time performance still needs improvement. To address this, a new method for real-time DDoS defense in an IPv6 environment is proposed. Its core idea is to first build a decision-criterion tree inside the victim's autonomous system and then monitor that tree in real time according to decision criteria 1 and 2; if an attack is found, filtering messages are sent to notify the relevant entities to filter the attack packets at both the victim end and the source end, thereby protecting the victim. Experiments show that the method can detect an attack and filter its packets within seconds and can effectively defend against multiple DDoS attack sources. In addition, it can accurately distinguish attack flows from high-volume legitimate flows and can trace an attack directly to the autonomous system (or even the subnet) where the source resides without reconstructing the attack path.

5.
This paper analyzes in depth the detection algorithm of D-WARD, a representative source-end DDoS detection system. Building on an improvement of D-WARD using the nonparametric recursive CUSUM algorithm, it borrows the load-shedding idea from load balancing and applies the Kaufman algorithm to adjust and update the detection threshold dynamically, and compares detection performance in detail. Experiments show that the improved system has lower false positive and false negative rates and can adapt to more complex network detection environments.
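Abstracts 1 and 5 both rest on the nonparametric recursive CUSUM, y_n = max(0, y_{n-1} + x_n - a), which alarms once y_n exceeds N. The example below is added here and is neither paper's code: it runs that recursion over a constructed source-end statistic, the per-second ratio of packets sent to a destination over packets received back from it (the kind of two-way flow measurement D-WARD performs), and shows the threshold trade-off the abstracts tune. The offset a is calibrated as mean plus three standard deviations of a training window; that calibration is this example's own stand-in and does not reproduce the Kaufman-based dynamic threshold update of abstract 5. The traffic series is constructed inline.

```python
import statistics


class NonparametricCusum:
    """Nonparametric recursive CUSUM: y_n = max(0, y_{n-1} + x_n - offset); alarm when y_n > threshold.

    No distribution is assumed for x_n. The offset only has to exceed the mean of the normal
    statistic so that the accumulated sum drifts back to zero between attacks.
    """

    def __init__(self, offset, threshold):
        self.offset = offset
        self.threshold = threshold
        self.score = 0.0

    def update(self, x):
        self.score = max(0.0, self.score + x - self.offset)
        return self.score > self.threshold


def calibrate_offset(training, k=3.0):
    """Offset from a training window of the normal statistic: mean plus k standard deviations.
    (This example's stand-in for threshold adaptation, not the paper's Kaufman-based update.)"""
    return statistics.mean(training) + k * statistics.pstdev(training)


def first_alarm(series, offset, threshold):
    """Index of the first sample at which the CUSUM crosses the threshold, or None."""
    det = NonparametricCusum(offset, threshold)
    for i, x in enumerate(series):
        if det.update(x):
            return i
    return None


# Constructed source-end statistic: per-second ratio of packets sent to one destination
# over packets received back from it. Normal traffic keeps requests and replies balanced.
NORMAL = [1.0, 1.2, 0.9, 1.3, 1.1] * 12
OFFSET = calibrate_offset(NORMAL)                   # about 1.52
TRAFFIC = (NORMAL[:20] + [8.0] + NORMAL[21:]        # one-second burst at index 20, not an attack
           + [6.0] * 10                             # replies stop arriving: attack at indices 60..69
           + NORMAL[:10])

if __name__ == "__main__":
    print("offset", round(OFFSET, 3))
    print("threshold 10 ->", first_alarm(TRAFFIC, OFFSET, 10.0))   # alarms two samples into the attack
    print("threshold 5  ->", first_alarm(TRAFFIC, OFFSET, 5.0))    # the benign burst already alarms
```

With N = 10 the benign one-second burst at index 20 lifts the sum to about 6.5 and then lets it decay, and the sustained attack is caught at index 62, two samples after it starts; with N = 5 the same burst is a false positive at index 20. The detection delay grows as N is raised, which is exactly the false-alarm versus delay balance that a dynamic threshold is meant to manage.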

6.
A traffic-aware DDoS attack elimination strategy for multiple data centers   Cited by: 1 (self-citations: 0, other citations: 1)
DDoS attacks on multi-data-center deployments are frequent; existing mitigation methods can block attack traffic but can hardly avoid interfering with legitimate traffic. Building on service function chaining combined with traffic-awareness techniques, this paper proposes a DDoS attack elimination strategy for multiple data centers. Sensing components deployed at the data center ingress detect anomalous traffic and interact with the controller, and the DDoS elimination work is moved to a scrubbing domain outside the data centers so that legitimate traffic is not disturbed. A load-balancing algorithm is also proposed for the scrubbing domain to provide sufficient processing capacity for multiple data centers. Finally, a prototype system is built and the feasibility of the strategy is verified by comparative experiments.

7.
A Distributed Denial of Service (DDoS) attack is a severe menace to network security. In today's technological era, DDoS attacks pose a severe threat to widely used Internet-based services and applications. Disruption of these services even for a fraction of time leads to huge financial losses. A Flash Event (FE) is similar to a DDoS attack in that a large number of legitimate users start accessing a particular service concurrently, leading to denial of service. Both of these events overload network resources such as bandwidth, CPU and memory that legitimate users need, and result in limited accessibility. Nowadays most DDoS attacks use the logical semantics of the HTTP protocol to launch attack traffic that closely resembles legitimate traffic, which makes the distinction between the two very challenging. Many researchers have tried to discriminate these two types of traffic, but none has yet been able to provide an effective solution. This paper systematically reviews 40 such prominent research papers from 2002 to date to provide insight into the problem of discriminating DDoS attacks from FEs. The article presents and discusses the list of traffic feature rationales and detection metrics used by fellow researchers at both the macro and micro level. Such a pragmatic list of rationales should help provide more robust and efficient solutions. The paper also highlights open issues, research challenges and future directions in this area.

8.
To address the problems that DDoS attack traffic in cloud environments is encrypted, harder to spot, easier to launch and larger in scale, this paper proposes TruCTCloud, a trust-based method for discovering DDoS attacks in encrypted traffic in cloud environments. The method introduces the notion of trust into existing machine-learning-based DDoS detection: combined with the cloud service's own security authentication, a trust evaluation mechanism based on signatures and environmental factors filters out the obviously non-attack traffic of legitimate tenants, protecting the sensitive information carried in legitimate tenants' traffic without decrypting it. For the remaining encrypted and unencrypted traffic, five features are introduced: median packets per flow, median bytes per flow, flow pairing ratio, port growth rate and source-IP growth rate; a Ball-tree is built over these features and a k-nearest-neighbors (kNN) traffic classification algorithm is proposed. Finally, the method is evaluated in an OpenStack cloud environment; experiments show that TruCTCloud can quickly discover anomalous traffic and recognize the early traffic of a DDoS attack while effectively protecting the sensitive traffic information of legitimate users.
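Abstract 8 classifies encrypted flows from five features that need no payload access. The example below is added here and is not the TruCTCloud code: it computes those five features from flow records and classifies a window with a plain kNN vote. The feature definitions (a flow is "paired" when a reverse-direction flow exists in the same window; the two growth rates are distinct source ports and distinct source addresses per second) are this example's reading of the abstract, the search is brute force rather than the paper's Ball-tree, the signature-based trust pre-filter is not reproduced, and the training and test windows are constructed inline.

```python
import math
import statistics
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port packets bytes")

SERVER = "10.10.0.5"


def window_features(flows, window_seconds=1.0):
    """The five per-window features: median pkts/flow, median bytes/flow, pairing ratio,
    distinct source ports per second, distinct source addresses per second."""
    keys = {(f.src_ip, f.dst_ip, f.src_port, f.dst_port) for f in flows}
    paired = sum(1 for f in flows if (f.dst_ip, f.src_ip, f.dst_port, f.src_port) in keys)
    return [
        statistics.median([f.packets for f in flows]),
        statistics.median([f.bytes for f in flows]),
        paired / len(flows),
        len({f.src_port for f in flows}) / window_seconds,
        len({f.src_ip for f in flows}) / window_seconds,
    ]


def benign_window(n_clients):
    """Constructed: each client completes a TLS exchange, so every flow has a reverse flow."""
    flows = []
    for c in range(n_clients):
        client, port = f"192.0.2.{c + 1}", 40000 + c
        flows.append(Flow(client, SERVER, port, 443, 30, 20000))
        flows.append(Flow(SERVER, client, 443, port, 25, 40000))
    return flows


def flood_window(n_sources):
    """Constructed: one-packet SYNs from many forged sources; nothing is ever sent back to them."""
    return [Flow(f"198.51.{s // 256}.{s % 256}", SERVER, 1024 + s, 443, 1, 60)
            for s in range(n_sources)]


TRAIN = ([(window_features(benign_window(n)), "normal") for n in (5, 8, 12)]
         + [(window_features(flood_window(m)), "ddos") for m in (200, 400, 800)])


def _scaler(train):
    """Min-max scaling fitted on the training windows so no single feature dominates the distance."""
    cols = list(zip(*(v for v, _ in train)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return lambda v: [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]


def knn_classify(features, train=TRAIN, k=3):
    """Majority vote among the k nearest training windows (brute force; the paper uses a Ball-tree)."""
    scale = _scaler(train)
    q = scale(features)
    nearest = sorted((math.dist(q, scale(v)), label) for v, label in train)[:k]
    votes = {}
    for _, label in nearest:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)


if __name__ == "__main__":
    print(knn_classify(window_features(benign_window(10))))   # normal
    print(knn_classify(window_features(flood_window(300))))   # ddos
```

Because none of the features look inside the packets, the same code works on TLS traffic; the price is that a flood which keeps flows long, bidirectional and few in number would sit near the benign cluster, which is why the abstract pairs the classifier with an early, trust-based pre-filter rather than relying on it alone.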

9.
This paper introduces the principle of DDoS attacks, proposes source-end DDoS attack detection and defense techniques, and discusses in detail the architecture of this approach and its key technologies, such as the technique for detecting whether the source end is emitting attack flows and the defense technique of cutting off attack flows at the source; the threshold used in traffic detection is determined through concrete experiments.

10.
High-bandwidth DDoS attacks consume more resources and have a direct impact at the ISP level, in contrast to low-rate DDoS attacks, which lead to graceful degradation of the network and are mostly undetectable. Although an array of detection schemes has been proposed, the current requirement is a real-time DDoS detection mechanism that adapts itself to varying network conditions to give a minimum of false alarms. DDoS attacks that disturb the distribution of traffic features in an ISP domain are reflected by entropic variations in in-stream samples. We propose honeypot detection for attack traffic whose statistical distribution features are similar to those of legitimate traffic. Next we propose to calibrate the detection mechanism for a minimum false alarm rate by varying the tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over the MIT Lincoln Lab dataset and its subset, the KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches, with the advantage of variable-rate attack detection with minimum false positives and negatives.

11.
The basis of denial of service (DoS)/distributed DoS (DDoS) attacks lies in overwhelming a victim's computer resources by flooding them with enormous traffic. This is done by compromising multiple systems that send a high volume of traffic. The traffic is often formulated in such a way that it consumes finite resources at abnormal rates either at the victim or at the network level. In addition, spoofing of source addresses makes it difficult to combat such attacks. This paper adopts a twofold collaborative mechanism, wherein the intermediate routers mark packets and the victim uses these markings for detecting and filtering the flooding attacks. The markings are used to distinguish the legitimate network traffic from the attack so as to enable the routers near the victim to filter the attack packets. The marked packets are also helpful to backtrack the true origin of the spoofed traffic, thus dropping it at the source rather than allowing it to traverse the network. To further aid in the detection of spoofed traffic, the Time to Live (TTL) field in the IP header is used. The mappings between the IP addresses and the markings, along with the TTLs, are used to find the spurious traffic. We provide numerical and simulated experimental results to show the effectiveness of the proposed system in distinguishing the legitimate traffic from the spoofed. We also give a statistical report showing the performance of our system.

12.
Distributed denial of service (DDoS) attacks seriously threaten Internet services, yet there is currently no defence against such attacks that provides both early detection, allowing time for counteraction, and an accurate response. Traditional detection methods rely on passively sniffing for an attack signature and are inaccurate in the early stages of an attack. Current counteractions such as traffic filtering or rate limiting do not accurately distinguish between legitimate and illegitimate traffic and are difficult to deploy. This work seeks to provide a method that detects SYN flooding attacks in a timely fashion and that responds accurately and independently on the victim side. We use knowledge of the network traffic delay distribution and apply an active probing technique (DARB) to identify half-open connections that, suspiciously, may not arise from normal network congestion. This method is suitable for large network areas and is capable of handling bursts of traffic flowing into a victim server. Accurate filtering is ensured by a counteraction method using the IP address and time-to-live (TTL) fields. Simulation results show that our active detection method can detect SYN flooding attacks accurately and promptly and that the proposed rate-limit counteraction scheme can efficiently minimize the damage caused by DDoS attacks and guarantee continuous service to legitimate users.
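Abstracts 11 and 12 both filter spoofed traffic with the IP address and TTL fields: the hop count implied by a packet's TTL should match what the victim has previously seen for that address. The example below is added here and is neither paper's code. It learns an address's hop count only from a SYN whose handshake later completes (an attacker forging that address never sees the SYN-ACK, so the ACK cannot arrive), then drops later SYNs whose hop count contradicts the learned value, and reports which sources are still half-open. The initial-TTL guesses (32, 64, 128, 255), the one-hop tolerance and the packet trace are this example's assumptions; the DARB active probing and the router marking of the two papers are not reproduced.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src ttl flags")

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTL values used by common operating systems


def hop_count(ttl):
    """Hops travelled, assuming the sender started from the smallest common initial TTL not below the observed one."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL above 255")


class HopCountFilter:
    """Remembers the hop count of addresses whose handshake completed and flags later packets that disagree."""

    def __init__(self, tolerance=1):
        self.expected = {}           # src address -> learned hop count
        self.tolerance = tolerance   # route changes move a hop or so; spoofers usually sit much farther off

    def learn(self, src, ttl):
        self.expected[src] = hop_count(ttl)

    def is_spoofed(self, src, ttl):
        """True/False for a known address; None when nothing has been learned about it yet."""
        if src not in self.expected:
            return None
        return abs(hop_count(ttl) - self.expected[src]) > self.tolerance


def replay(packets, flt):
    """Feed a packet trace through the filter. A SYN whose hop count contradicts the learned one is
    dropped; a SYN followed by the client's handshake ACK proves the address is genuine and teaches
    the filter. Returns (indices of dropped packets, sources still half-open at the end)."""
    pending = {}    # src -> TTL of the SYN still awaiting its ACK
    dropped = []
    for i, p in enumerate(packets):
        if p.flags == "SYN":
            if flt.is_spoofed(p.src, p.ttl):
                dropped.append(i)
                continue
            pending[p.src] = p.ttl
        elif p.flags == "ACK" and p.src in pending:
            flt.learn(p.src, pending.pop(p.src))
    return dropped, pending


# Constructed trace as seen at the victim (documentation-range addresses).
TRACE = [
    Packet("203.0.113.5", 52, "SYN"),    # Linux-like host 12 hops away
    Packet("203.0.113.5", 52, "ACK"),    # handshake completes: 203.0.113.5 really is 12 hops away
    Packet("198.51.100.9", 113, "SYN"),  # Windows-like host 15 hops away
    Packet("198.51.100.9", 113, "ACK"),
    Packet("203.0.113.5", 240, "SYN"),   # forged: the attacker's own 15-hop path from an initial TTL of 255
    Packet("198.51.100.9", 58, "SYN"),   # forged: only 6 hops, while the real host is 15 away
    Packet("203.0.113.5", 51, "SYN"),    # genuine, one hop longer after a route change: within tolerance
    Packet("192.0.2.77", 230, "SYN"),    # unknown address: cannot judge yet, stays half-open
]

if __name__ == "__main__":
    print(replay(TRACE, HopCountFilter()))   # ([4, 5], {'203.0.113.5': 51, '192.0.2.77': 230})
```

The check is only as good as the mapping: an attacker who picks an initial TTL that lands on the victim's learned hop count for the forged address passes, and an address never seen to complete a handshake cannot be judged at all. That is why both abstracts combine the TTL with a second signal (router marks, or probing of the half-open entries) instead of using it alone.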

13.
Distributed Denial of Service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after the fact, little is done to mitigate the effect of an attack while it is raging on. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages and generalizes IP traceback schemes to obtain information on whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that, while an attacker will have all the edges on its path marked as "infected", edges on the path of a legitimate client will mostly be "clean". By preferentially filtering out packets inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies all demonstrate that the proposed technique can improve the throughput of legitimate traffic by three to seven times during DDoS attacks.

14.
Distributed denial-of-service (DDoS) attacks are high-intensity network attacks that cause serious harm. A DDoS amplification attack exploits amplifiers that magnify network traffic to send huge numbers of packets at the target, exhausting the target's network resources and bandwidth so that legitimate requests cannot be served promptly and effectively. This paper briefly introduces the principle of DDoS amplification attacks and analyzes defenses against them, taking protective measures at the attack source, at the amplifier and at the target to achieve a reasonably effective defense.

15.
Low-rate distributed denial-of-service attacks exploit weaknesses in the adaptive mechanisms of network protocols and pose a serious threat to network quality of service; they are stealthy, low-rate and periodic. Existing detection methods handle only a single attack type and have low recognition accuracy, so a multi-type low-rate DDoS attack detection method based on hybrid deep learning is proposed. Different types of low-rate DDoS attacks and normal traffic from different 5G scenarios are simulated, and at the network in...

16.
Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network.

17.
Distributed Denial of Service (DDoS) attacks generate flooding traffic from multiple sources towards selected nodes. Diluted low-rate attacks lead to graceful degradation, while concentrated high-rate attacks leave the network functionally unstable. Previous approaches to such attacks have reached a level where survivable systems attempt to mitigate the effects of these attacks. However, even with such reactive mitigation approaches in place, a network under DDoS attack becomes unstable and legitimate users in the network suffer in terms of increased response times and frequent network failures. Moreover, the Internet is dynamic in nature, and the topic of automated responses to attacks has not received much attention. In this paper, we propose a proactive approach to DDoS in the form of an integrated auto-responsive framework that aims to keep attack flows from reaching the target and to maintain stable network functionality even while the network is under attack. It combines detection and characterization with attack isolation and mitigation to recover networks from DDoS attacks. As the first line of defense, our method uses high-level specifications of entropy variations for legitimate interactions between clients and servers. The network generates optimized entropic detectors that monitor the behavior of flows to identify significant deviations. As the second line of defense, malicious flows are identified and directed to an isolated zone of honeypots where they cannot cause any further damage to the network, and legitimate flows are directed to a randomly selected server from a pool of replicated servers. This approach leads the attackers to believe that they are succeeding in their attack, whereas in reality they are simply wasting time and resources. Service replication and attack isolation alone are not sufficient to mitigate the attacks. Limited network resources must be judiciously used when an attack is underway.
Further, as the third line of defense, we propose a Dynamic Honeypot Engine (DHE), modeled as part of the Honeypot Controller (HC) module, that triggers the automatic generation of adequate nodes to service client requests and of the required number of honeypots that interact with attackers in a contained manner. This load balancing makes the network attack tolerant. Legitimate clients, depending upon the trust levels built from their monitored statistics, can track the actual servers for a certain time period. Attack flows reaching honeypots are logged by the Honeypot Data Repository (HDR). The most severe flows are punished by starting honeypot back-propagation sessions and filtering them at the source as the last line of defense. The data collected on honeypots are used to isolate and filter the present attack, if any, and as an insight into future attack trends. The judicious mixture and self-organization of servers and honeypots at different time intervals also guarantees the promised QoS. We present the exhaustive parametric dependencies at various phases of an attack and their regulation in real time to make the service network DDoS-attack tolerant and insensitive to attack load. Results show that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attack. It can be fine-tuned according to dynamically changing network conditions. We validate the effectiveness of the approach with analytical modeling on an Internet-type topology and simulation in ns-2 on a Linux platform.

18.
The impact of a Distributed Denial of Service (DDoS) attack on Software Defined Networks (SDN) is briefly analyzed. Many approaches to detecting DDoS attacks exist, varying in the features considered and the methods used. Still, these methods fall short in the performance of detecting and mitigating DDoS attacks. To improve the performance of SDN, an efficient Real-time Multi-Constrained Adaptive Replication and Traffic Approximation Model (RMCARTAM) is sketched in this article. RMCARTAM considers different parameters or constraints in running the different controllers responsible for handling incoming packets. The model is designed with multiple controllers to handle network traffic but can switch controllers according to requirements. The multi-constraint adaptive replication model monitors different features of network traffic such as the rate of packet reception, class-based packet reception and target-specific reception. From these features, the method estimates the Replication Turning Weight (RTW), based on which controllers are triggered. Similarly, the method applies Traffic Approximation (TA) in the detection of DDoS attacks. A DDoS attack is detected by approximating the incoming traffic to any service and using features such as hop count, payload, service frequency and malformed frequency to compute support measures for bandwidth access, data support, frequency support, malformed support, route support and so on. Using all these support measures, the method computes a legitimacy weight that characterizes the behavior of any source and identifies malicious nodes. The identified node details are used in the mitigation of DDoS attacks. The method improves network performance by reducing the power factor through switching controllers according to different factors, which also reduces cost.
In the same way, the proposed model improves the accuracy of DDoS detection by estimating the features of incoming traffic from different angles.

19.
In today's cyber world, the Internet has become a vital resource for providing a plethora of services. Unavailability of these services for any reason leads to huge financial implications or even consequences for society. Distributed Denial of Service (DDoS) attacks have emerged as one of the most serious threats to the Internet; their aim is to completely deny the availability of Internet-based services to legitimate users. The attackers compromise a large number of Internet-enabled devices and gain malicious control over them by exploiting their vulnerabilities. Simplicity of launching, traffic variety, IP spoofing, high-volume traffic, the involvement of numerous agent machines, and weak spots in Internet topology are important characteristics of DDoS attacks and make their defense very challenging. This article provides a survey with enhanced taxonomies of DDoS attacks and defense mechanisms. Additionally, we describe the timeline of DDoS attacks to date and discuss their impact according to various motivations. We highlight the general issues, challenges, and current trends of DDoS attack technology. The aim of the article is to provide complete knowledge of DDoS attacks and defense mechanisms to the research community. This will, in turn, help to develop powerful, effective, and efficient defense mechanisms by filling the research gaps in already proposed defense mechanisms.

20.
Anomaly detection of application-layer flooding attacks   Cited by: 1 (self-citations: 0, other citations: 1)
谢逸  余顺争 《计算机科学》2007,34(8):109-111
Judging by recent trends, distributed denial-of-service attacks have gradually moved from the lower layers to the application layer, where they are more effective and stealthier than traditional attacks. To detect flooding attacks launched with legitimate application-layer HTTP requests, this paper treats application-layer flooding as an anomalous form of user access behavior and detects attacks from the perspective of users' browsing behavior. Experiments on real network traffic show that the model can effectively measure how normal a Web user's access behavior is and detect application-layer DDoS flooding attacks.

Copyright©北京勤云科技发展有限公司  京ICP备09084417号