A Distributed Detection Scheme Based on Adaptive CUSUM and Weighted CAT Against DDoS Attacks
A Distributed Detection Scheme Based on Adaptive CUSUM and Weighted CAT Against DDoS Attacks

Zaihong Zhou, Xi Chen, Jiang Wang and Xueqiang Li
Abstract

By designing a distributed hierarchical architecture, the detection task is distributed to the source end, the intermediate network, and the victim end over the Internet to implement early detection of DDoS attacks. Based on the sensitivity of the CUSUM algorithm to slight changes and on the traffic characteristics at the source end and the intermediate network, an adaptive CUSUM built on estimates of both the mean value and the variance is adopted at the source end, where it monitors the outgoing traffic, and an adaptive CUSUM based on EWMA is adopted at the intermediate network, where it detects the change and aggregation of the superflow. Detection at the victim end is based on the weighted CAT domain tree. Compared with the DCD scheme, the detection rate of UDP attacks is raised from 72 % in DCD to 90 % in the proposed scheme, and the detection rate of TCP attacks is improved as well.

Keywords: DDoS attacks, CUSUM, Distributed detection, Weighted CAT, Adaptive
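The abstract describes adaptive CUSUM detectors whose baseline mean and variance are estimated on the fly (EWMA at the intermediate network, mean-and-variance estimation at the source end). The following Python is an added example, not code from the paper or its authors: it implements one plausible instantiation of that idea, a one-sided CUSUM on standardized traffic counts with an EWMA-tracked baseline that is frozen while an alarm is active so that attack traffic is not absorbed into the "normal" estimate. The update rules, the parameter values (alpha, k, h, warm-up length) and the traffic series are all assumptions made for the example; the paper's own formulas are not reproduced on this page.

```python
"""Adaptive CUSUM on an EWMA-estimated mean and variance of a traffic-count series.

Added example (not the paper's code). The update rules, parameters and the
constructed sample traffic below are assumptions made for illustration.
"""
import math
from typing import List, Tuple


class AdaptiveCusum:
    """One-sided (upward) CUSUM with an EWMA baseline.

    x_t           : observed count in interval t (e.g. outgoing packets/s)
    mean_t, var_t : EWMA estimates of the baseline, refreshed only while no
                    alarm is active, so attack traffic does not become "normal"
    z_t           : (x_t - mean) / std, the standardized deviation
    s_t           : max(0, s_{t-1} + z_t - k); an alarm is raised when s_t > h
    """

    def __init__(self, alpha: float = 0.1, k: float = 0.5, h: float = 5.0,
                 warmup: int = 10, min_std: float = 1.0) -> None:
        self.alpha = alpha      # EWMA smoothing factor (smaller = slower adaptation)
        self.k = k              # allowance: deviations below k std devs are ignored
        self.h = h              # decision threshold on the CUSUM statistic
        self.warmup = warmup    # samples used to seed the baseline before testing
        self.min_std = min_std  # floor on the std estimate (avoids divide-by-zero)
        self._seed: List[float] = []
        self.mean = 0.0
        self.var = 0.0
        self.s = 0.0
        self.alarm = False

    def update(self, x: float) -> bool:
        """Feed one observation; return True while an alarm is active."""
        if len(self._seed) < self.warmup:
            # Warm-up: seed the baseline with the plain sample mean and variance.
            self._seed.append(x)
            if len(self._seed) == self.warmup:
                n = len(self._seed)
                self.mean = sum(self._seed) / n
                self.var = sum((v - self.mean) ** 2 for v in self._seed) / n
            return False

        std = max(math.sqrt(self.var), self.min_std)
        z = (x - self.mean) / std
        # CUSUM recursion; the statistic is capped so that recovery after an
        # attack ends takes a bounded number of clean intervals.
        self.s = min(max(0.0, self.s + z - self.k), 2 * self.h)
        self.alarm = self.s > self.h

        if not self.alarm:
            # Adaptive baseline: EWMA of the mean and of the squared deviation
            # from the previous mean, refreshed only while not alarming.
            dev = x - self.mean
            self.mean += self.alpha * dev
            self.var = (1 - self.alpha) * self.var + self.alpha * dev * dev
        return self.alarm


def run_detector(series: List[float], **kwargs) -> List[bool]:
    """Run the detector over a series and return the per-interval alarm flags."""
    det = AdaptiveCusum(**kwargs)
    return [det.update(x) for x in series]


def build_sample_series() -> Tuple[List[float], int, int]:
    """Constructed traffic: 30 baseline intervals around 100 pkt/s, 20 intervals
    shifted to 108 pkt/s (about four baseline std devs), then 40 baseline
    intervals. Returns (series, attack_start, attack_end)."""
    pattern = [100, 103, 97, 101, 99, 102, 98]  # mean 100, std 2 (constructed)
    baseline = [pattern[i % len(pattern)] for i in range(30)]
    shifted = [108.0] * 20
    recovery = [pattern[i % len(pattern)] for i in range(50, 90)]
    return baseline + shifted + recovery, 30, 50


def first_alarm_index(flags: List[bool]) -> int:
    """Index of the first alarming interval, or -1 if none."""
    return next((i for i, f in enumerate(flags) if f), -1)


if __name__ == "__main__":
    series, start, end = build_sample_series()
    flags = run_detector(series)
    print("shift begins at interval", start,
          "first alarm at interval", first_alarm_index(flags))
    print("alarm still active at end of trace:", flags[-1])
```

On the constructed series the detector stays silent through the baseline, alarms within a couple of intervals of the modest 4-sigma shift (a much smaller change than a flood), and clears again once the counts return to normal. Freezing the baseline during an alarm is the design choice that matters most here: with the baseline left adapting, a sustained increase would be absorbed into the mean and variance within a few dozen intervals and the alarm would silently clear.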
Z. Zhou (corresponding author), J. Wang, X. Li: School of Information Engineering, Guangdong Medical College, Dongguan, China. e-mail: [email protected]
Z. Zhou: Songshan Lake Science and Technology Industry Park, Dongguan, GuangDong, China
X. Chen: School of Information Engineering and Automation, Kunming University of Science and Technology, Kunming, China
A. A. Farag et al. (eds.), Proceedings of the 3rd International Conference on Multimedia Technology (ICMT 2013), Lecture Notes in Electrical Engineering 278, DOI: 10.1007/978-3-642-41407-7_10, Springer-Verlag Berlin Heidelberg 2014
10.1 Introduction

DDoS attacks are easy to launch but difficult to detect. Many tools available on the Internet help attackers set up DDoS attacks, which makes such attacks widespread. A distributed problem should be resolved by a distributed scheme. Several methods and theories for distributed detection have been proposed [1–7]. Among them, Y. Chen's schemes [6, 7] are very promising. A scheme for collaborative change detection of DDoS attacks on community and ISP networks was proposed first [6], but it can only detect DDoS attacks collaboratively within one AS. To overcome this limitation of detection scope, the author proposed a new collaborative detection of DDoS attacks over multiple network domains, the DCD (Distributed Change Detection) scheme [7]. The DCD scheme can collaboratively detect DDoS attacks over multiple ISP domains. In addition, the superflow is used as the detection unit at the router, which enables effective detection of DDoS attacks in the real Internet environment. The hierarchical architecture, with detection implemented at the router and domain levels respectively, simplified the alert correlation and global detection procedures and enabled the implementation of the DCD system in ISP networks. However, the DCD scheme has some disadvantages, such as hig