DDoS Attack Detection Using Three-State Partition Based on Flow Interaction

Cheng, Jieren; Zhang, Boyun; Yin, Jianping; Liu, Yun; Cai, Zhiping

doi:10.1007/978-3-642-10847-1_22

DDoS Attack Detection Using Three-State Partition Based on Flow Interaction

Jieren Cheng^5,6,
Boyun Zhang⁷,
Jianping Yin⁵,
Yun Liu⁵ &
…
Zhiping Cai⁵

Conference paper

798 Accesses
2 Citations

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 58))

Abstract

It is challenging to accurately detect Distributed denial of service (DDoS) attack quickly. We propose a novel IP Flow Interaction Behavior Feature (IFF) algorithm based on IP Flow Interaction via IP addresses and ports. IFF can be designed to provide normal profiles for normal flow and reflect the essential features created by different types of DDoS attacks. We define the network flow states into three states as the health state, quasi health state, and abnormal state by Using IFF. Based on former three state partition of network flow states, we present a simple and efficient DDoS attack detection method via self-adapting dual threshold and alarm evaluation mechanism (DASA). Our experiment results demonstrate that IFF can be used as a general DDoS attack diagnosis feature, and DASA can effectively detect abnormal flows containing DDoS attack flow with more accuracy and lower false alarm rate in a short detection time.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Handley, M.: DoS-resistant Internet subgroup report. Internet Architecture WG (2005)
Google Scholar
Kumar, V., Jayalekshmy, P., Patra, G., et al.: On Remote Exploitation of TCP Sender for Low-Rate Flooding Denial-of-Service Attack. IEEE Communications Letters (2009)
Google Scholar
Cheng, C., Kung, H., Tan, K.: Use of spectral analysis in defense against DoS attacks. In: Proceedings of IEEE GLOBECOM (2002)
Google Scholar
Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-Wide Traffic Anomalies. In: Proceedings of ACM SIGCOMM, Portland, Oregon, USA (2004)
Google Scholar
Abdelsayed, S., Glimsholt, D., Leckie, C., et al.: An efficient filter for denial-of service bandwidth attacks. In: Proceedings of the 46th IEEE GLOBECOM (2003)
Google Scholar
Mirkovic, J., Reiher, P.: D-WARD: A Source-End Defense Against Flooding Denial-of-ServiceAttacks. IEEE Trans. on Dependable and Secure Computing (2005)
Google Scholar
Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: Proceedings of ACM SIGCOMM, Philadelphia, Pennsylvania, USA (2005)
Google Scholar
Peng, T., Leckie, C., Kotagiri, R.: Proactively detecting distributed denial of service attacks using source ip address monitoring. In: Proceedings of the Third International IFFP-TC6 Networking Conference (2004)
Google Scholar
Forrest, S., Hofmeyr, S.: Architecture for an artificial immune system. Evolution. Computat. 7(1), 45–68 (1999)
Article Google Scholar
Vitaly, S., Ming, W.: Security against probe-response attacks in collaborative intrusion detection. In: Proceedings of ACM SIGCOMM (2007)
Google Scholar
Cheng, J., Yin, J., Liu, Y., et al.: Detecting Distributed Denial of Service Attack Based on Address Correlation Value. Journal of Computer Research and Development (2009)
Google Scholar
Cheng, J., Yin, J., Liu, Y., et al.: DDoS attack detection Algorithm using IP Address Features. In: Deng, X., Hopcroft, J.E., Xue, J. (eds.) FAW 2009. LNCS, vol. 5598. Springer, Heidelberg (2009)
Google Scholar
Cheng, J., Yin, J., Wu, C., et al.: DDoS Attack Detection Method Based on Linear Prediction Model. In: Huang, D.-S., et al. (eds.) ICIC 2009. LNCS, vol. 5754, pp. 1004–1013. Springer, Heidelberg (2009)
Google Scholar
http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html

Download references

Author information

Authors and Affiliations

School of Computer, National University of Defense Technology, 410073, Changsha, China
Jieren Cheng, Jianping Yin, Yun Liu & Zhiping Cai
Department of Mathematics, Xiangnan University, 423000, Chenzhou, China
Jieren Cheng
School of Information Science and Engineering, Central South University, Changsha, 410083, China
Boyun Zhang

Authors

Jieren Cheng
View author publications
You can also search for this author in PubMed Google Scholar
Boyun Zhang
View author publications
You can also search for this author in PubMed Google Scholar
Jianping Yin
View author publications
You can also search for this author in PubMed Google Scholar
Yun Liu
View author publications
You can also search for this author in PubMed Google Scholar
Zhiping Cai
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

University of Warsaw & Infobright Inc.,, Poland
Dominik Ślęzak
Hannam University, 306-791, Daejeon, South Korea
Tai-hoon Kim
National Chiao Tung University, Hsinchu, Taiwan
Wai-Chi Fang
Mississippi State University, Mississippi State MS, USA
Kirk P. Arnett

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Cheng, J., Zhang, B., Yin, J., Liu, Y., Cai, Z. (2009). DDoS Attack Detection Using Three-State Partition Based on Flow Interaction. In: Ślęzak, D., Kim, Th., Fang, WC., Arnett, K.P. (eds) Security Technology. SecTech 2009. Communications in Computer and Information Science, vol 58. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10847-1_22

Download citation

DOI: https://doi.org/10.1007/978-3-642-10847-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10846-4
Online ISBN: 978-3-642-10847-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics