Abstract
It is challenging to detect Distributed Denial of Service (DDoS) attacks both accurately and quickly. We propose a novel IP Flow Interaction Behavior Feature (IFF) algorithm based on IP flow interaction via IP addresses and ports. IFF can be designed to provide normal profiles for normal flow and to reflect the essential features created by different types of DDoS attacks. Using IFF, we partition network flow states into three states: the health state, the quasi-health state, and the abnormal state. Based on this three-state partition, we present a simple and efficient DDoS attack detection method via a self-adapting dual threshold and an alarm evaluation mechanism (DASA). Our experimental results demonstrate that IFF can be used as a general DDoS attack diagnosis feature, and that DASA can effectively detect abnormal flows containing DDoS attack flow with higher accuracy and a lower false alarm rate in a short detection time.
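The abstract gives the shape of the detector but not the IFF formula, so the following is an added illustration, not the paper's code: a three-state partition (health, quasi-health, abnormal) driven by two thresholds that adapt to the baseline, plus an alarm that fires only after several consecutive abnormal windows. The per-window feature used here is an assumed stand-in (the share of flows that never see a reverse-direction flow, which is one way to capture "flow interaction via addresses and ports"), the threshold multipliers and window counts are arbitrary choices, and the flow records are constructed.

```python
"""Three-state partition with self-adapting dual thresholds (added example).

The feature, parameters and traffic below are assumptions for illustration;
they are not the paper's IFF definition or DASA parameters.
"""
from statistics import mean, pstdev

HEALTH, QUASI, ABNORMAL = "health", "quasi_health", "abnormal"


def one_way_ratio(flows):
    """Assumed stand-in feature: fraction of distinct flows in a window whose
    reverse direction (dst:dport -> src:sport) never appears in the same window.
    flows: iterable of (src, sport, dst, dport) tuples."""
    keys = set(flows)
    if not keys:
        return 0.0
    answered = sum(1 for (s, sp, d, dp) in keys if (d, dp, s, sp) in keys)
    return (len(keys) - answered) / len(keys)


class DualThresholdDetector:
    """Low/high thresholds are mean + k*stddev of the feature observed in
    windows judged healthy; the baseline is frozen while the flow is
    quasi-healthy or abnormal so an attack cannot drag the thresholds up."""

    def __init__(self, k_low=2.0, k_high=4.0, min_history=5, alarm_windows=3):
        self.k_low, self.k_high = k_low, k_high
        self.min_history = min_history      # windows learned before thresholds exist
        self.alarm_windows = alarm_windows  # consecutive abnormal windows per alarm
        self.history = []                   # feature values from HEALTH windows only
        self.streak = 0                     # current run of ABNORMAL windows

    def thresholds(self):
        if len(self.history) < self.min_history:
            return None, None
        m, s = mean(self.history), max(pstdev(self.history), 1e-3)
        return m + self.k_low * s, m + self.k_high * s

    def step(self, value):
        """Classify one window's feature value; returns (state, alarm)."""
        low, high = self.thresholds()
        if low is None:          # warm-up: assume healthy, learn the baseline
            state = HEALTH
        elif value >= high:
            state = ABNORMAL
        elif value >= low:
            state = QUASI
        else:
            state = HEALTH
        if state == HEALTH:
            self.history.append(value)
        self.streak = self.streak + 1 if state == ABNORMAL else 0
        return state, self.streak >= self.alarm_windows


def make_window(n_pairs, n_oneway):
    """Constructed traffic: n_pairs request/reply flow pairs to a server plus
    n_oneway flows from distinct sources that never get a reply (TEST-NET-2
    addresses, purely synthetic)."""
    server = ("10.0.1.1", 80)
    flows = []
    for i in range(n_pairs):
        client = (f"10.0.0.{i + 1}", 40000 + i)
        flows.append((*client, *server))
        flows.append((*server, *client))
    for i in range(n_oneway):
        flows.append((f"198.51.100.{i + 1}", 50000 + i, *server))
    return flows


def run_demo():
    """Six baseline windows, one borderline window, then three flood windows."""
    windows = [(4, 1), (4, 2), (4, 3), (4, 2), (4, 1), (4, 2),
               (4, 5), (4, 40), (4, 40), (4, 40)]
    det = DualThresholdDetector()
    return [det.step(one_way_ratio(make_window(p, o))) for p, o in windows]


if __name__ == "__main__":
    for i, (state, alarm) in enumerate(run_demo(), 1):
        print(f"window {i:2d}: {state:13s} alarm={alarm}")
```

Two design points carry over from the abstract's description: the quasi-health band gives the detector a place to park short bursts without raising an alarm, and requiring several consecutive abnormal windows before alarming is what keeps the false-alarm rate down when a single window is noisy.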
© 2009 Springer-Verlag Berlin Heidelberg
Cheng, J., Zhang, B., Yin, J., Liu, Y., Cai, Z. (2009). DDoS Attack Detection Using Three-State Partition Based on Flow Interaction. In: Ślęzak, D., Kim, Th., Fang, WC., Arnett, K.P. (eds) Security Technology. SecTech 2009. Communications in Computer and Information Science, vol 58. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10847-1_22
DOI: https://doi.org/10.1007/978-3-642-10847-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10846-4
Online ISBN: 978-3-642-10847-1