Abstract
This paper presents an adaptive large-scale monitoring system to detect Distributed Denial of Service (DDoS) attacks whose backscatter packets are observed on the darknet (i.e., unused IP address space). To classify DDoS backscatter, 17 features of darknet traffic are defined from the IP address and port information of source and destination hosts. To adapt to changes in DDoS attacks, we add an online learning function to the proposed monitoring system, in which an SVM classifier is continuously retrained on darknet features computed from the packets observed during a fixed period. For the performance evaluation, we use the MWS Dataset 2014, which consists of darknet packets collected from 1st January 2014 to 28th February 2014 (8 weeks). We demonstrate that the proposed system maintains good test performance in detecting DDoS backscatter (0.98 in F-measure).
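As an added illustration (not the authors' code), the block below shows the shape of the feature-extraction stage described in the abstract: darknet packets are grouped per source host over a fixed period and turned into one feature vector per host from IP/port/flag information, ready to be fed to a classifier that is retrained window by window. The seven features and the sample packets are constructed assumptions for this example; the paper's 17 features are not listed on this page.

```python
"""Per-source-host darknet feature extraction over fixed time windows.

Added illustration, not the paper's code. The feature set below is an
assumed subset chosen to show the pipeline shape, not the authors' 17
feature definitions. The SVM retraining step is outside this block.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src_ip: str     # host that sent the packet into the darknet
    src_port: int
    dst_ip: str     # unused (darknet) address that received it
    dst_port: int
    flags: str      # TCP flags, e.g. "SA" (SYN-ACK), "R" (RST), "S" (SYN)


FEATURE_NAMES = ("pkts", "uniq_dst_ips", "uniq_dst_ports", "uniq_src_ports",
                 "synack_ratio", "rst_ratio", "top_src_port_share")


def extract_features(pkts, window):
    """Group packets by (window index, source host) and return one feature
    tuple per group. A SYN-flood victim replying to spoofed sources shows
    up as one host hitting many darknet addresses from a single source
    port with SYN-ACK or RST, which these features make visible."""
    groups = defaultdict(list)
    for p in pkts:
        groups[(int(p.ts // window), p.src_ip)].append(p)
    out = {}
    for key, ps in groups.items():
        n = len(ps)
        src_ports = [p.src_port for p in ps]
        top_share = max(src_ports.count(sp) for sp in set(src_ports)) / n
        out[key] = (n,
                    len({p.dst_ip for p in ps}),
                    len({p.dst_port for p in ps}),
                    len(set(src_ports)),
                    sum(p.flags == "SA" for p in ps) / n,
                    sum(p.flags == "R" for p in ps) / n,
                    top_share)
    return out


# Constructed sample: 10.9.9.9 behaves like a SYN-flood victim replying
# SYN-ACK from port 80 to many darknet addresses; 10.1.1.1 behaves like a
# scanner probing port 23 on a few hosts with SYN from changing ports.
SAMPLE = ([Packet(1.0 + i, "10.9.9.9", 80, f"192.0.2.{i}", 40000 + i, "SA") for i in range(20)]
          + [Packet(2.0 + i, "10.1.1.1", 50000 + i, f"192.0.2.{i}", 23, "S") for i in range(5)])

if __name__ == "__main__":
    for key, vec in extract_features(SAMPLE, window=60).items():
        print(key, dict(zip(FEATURE_NAMES, vec)))
```

In the monitoring system the abstract describes, the vectors for each window would be labelled and used to retrain the classifier before scoring the next window.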
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Furutani, N., Kitazono, J., Ozawa, S., Ban, T., Nakazato, J., Shimamura, J. (2015). Adaptive DDoS-Event Detection from Big Darknet Traffic Data. In: Arik, S., Huang, T., Lai, W., Liu, Q. (eds) Neural Information Processing. ICONIP 2015. Lecture Notes in Computer Science(), vol 9492. Springer, Cham. https://doi.org/10.1007/978-3-319-26561-2_45
DOI: https://doi.org/10.1007/978-3-319-26561-2_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26560-5
Online ISBN: 978-3-319-26561-2
eBook Packages: Computer Science (R0)