Information theory based detection against network behavior mimicking DDoS attacks

DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:IEEE communications letters Ročník 12; číslo 4; s. 318 - 321
Hlavní autoři: Shui Yu, Wanlei Zhou, Doss, R.
Médium: Journal Article
Jazyk:angličtina
Vydáno: New York, NY IEEE 01.04.2008
Institute of Electrical and Electronics Engineers
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Témata:
Algorithms
Applied sciences
Communication system traffic control
Computer crime
Denial of service attacks
Detection algorithms
Detectors
Entropy
Exact sciences and technology
Flooding
Floods
Games
Information theory
Information, signal and communications theory
Mathematical analysis
Networks
Operation, maintenance, reliability of teleprocessing networks
Packages
Packaging
Pumps
Secret
Servers
Surges
Systems, networks and services of telecommunications
Telecommunication traffic
Telecommunications
Telecommunications and information theory
Teleprocessing networks. Isdn
Teletraffic
DDoS detection
Traffic management
Teletraffic
Denial of service
Distributed system
distribution distance
Algorithm
Traffic congestion
Telecommunication security
Information theory
ISSN:1089-7798, 1558-2558
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed that the zombies use controlled function(s) to pump attack packages to the victim, therefore, the attack flows to the victim are always share some properties, e.g. packages distribution behaviors, which are not possessed by legitimate flows in a short time period. Based on this observation, once there appear suspicious flows to a server, we start to calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack, otherwise, it is a legitimate accessing. Our analysis and the preliminary experiments indicate that the proposed method- can discriminate mimicking flooding attacks from legitimate accessing efficiently and effectively.
Bibliografie:ObjectType-Article-2
SourceType-Scholarly Journals-1
ObjectType-Feature-1
content type line 14
content type line 23
ISSN:1089-7798
1558-2558
DOI:10.1109/LCOMM.2008.072049