Cheolho Lee
Ajou University
Publication
Featured research published by Cheolho Lee.
Intelligent Data Engineering and Automated Learning | 2003
Sanguk Noh; Cheolho Lee; Kyunghee Choi; Gihyun Jung
As the complexity of the Internet scales up, Internet resources are likely to be exposed to Distributed Denial of Service (DDoS) flooding attacks on TCP-based Web servers. There has been a lot of related work which focuses on analyzing the pattern of DDoS attacks to protect users from them. However, none of these studies takes all the flags within the TCP header into account, nor do they analyze the relationship between the flags and the TCP packets. To analyze the features of DDoS attacks, therefore, this paper presents a network traffic analysis mechanism which computes the ratio of the number of TCP flags to the total number of TCP packets. Based upon the calculation of TCP flag rates, we compile a pair of the TCP flag rates and the presence (or absence) of the DDoS attack into state-action rules using machine learning algorithms. We endow alarming agents with a tapestry of the compiled rules. The agents can then detect network flooding attacks against a Web server. We validate our framework with experimental results in a simulated TCP-based network setting. The experimental results show a distinctive and predictive pattern of DDoS attacks, and our alarming agents can successfully detect various DDoS attacks.
Applied Soft Computing | 2008
Sanguk Noh; Gihyun Jung; Kyunghee Choi; Cheolho Lee
The ability to dynamically collect and analyze network traffic and to accurately report the current network status is critical in the face of large-scale intrusions, and enables networks to continually function despite traffic fluctuations. The paper presents a network traffic model that represents a specific network pattern and a methodology that compiles the network traffic into a set of rules using soft computing methods. This methodology, based upon the network traffic model, can be used to detect large-scale flooding attacks, for example, a distributed denial-of-service (DDoS) attack. We report experimental results that demonstrate the distinctive and predictive patterns of flooding attacks in simulated network settings, and show the potential of soft computing methods for the successful detection of large-scale flooding attacks.
Embedded and Ubiquitous Computing | 2005
Jungtaek Seo; Cheolho Lee; Taeshik Shon; Kyuhyung Cho; Jongsub Moon
Recently, many attack detection methods have adopted machine learning algorithms to improve attack detection accuracy and automatically react to attacks. However, the previous mechanisms based on machine learning have some disadvantages, such as a high false positive rate and computing overhead. In this paper, we propose a new DDoS detection model based on multiple SVMs (Support Vector Machines) in order to reduce the false positive rate. We employ TRA (Traffic Rate Analysis) to analyze the characteristics of network traffic for DDoS attacks. Experimental results show that the proposed model is a highly useful classifier for detecting DDoS attacks.
Grid and Cooperative Computing | 2004
Jungtaek Seo; Cheolho Lee; Jongsub Moon
This research presents Traffic Rate Analysis (TRA) to efficiently analyze network traffic and a defense mechanism for DDoS attacks. TRA is defined as the ratio of a specific type of packets among the total amount of network packets, and is divided into TCP flag rate and Protocol rate. By using TRA on the network traffic, normal and abnormal network traffic can be clearly distinguished from each other. Furthermore, to defend against DDoS attacks, we probabilistically drop the network packets if their occurrence rates exceed the normal traffic rates. We expect that our proposed mechanism for analyzing network traffic and defending against DDoS attacks will be very useful for early detection of DDoS attacks and for protecting TCP-based servers (e.g. Web servers) against DDoS attacks.
Grid and Cooperative Computing | 2005
Jungtaek Seo; Cheolho Lee; Taeshik Shon; Jongsub Moon
In the last several years, DDoS attack methods have become more sophisticated and effective. Hence, it is more difficult to detect DDoS attacks. In order to cope with these problems, there has been much research on DDoS detection mechanisms. However, the common shortcoming of the previous detection mechanisms is that they cannot detect new attacks. In this paper, we propose a new DDoS detection model based on Support Vector Machine (SVM). The proposed model uses SVM to automatically detect new DDoS attacks and uses Concentration Tendency of Network Traffic (CTNT) to analyze the characteristics of network traffic for DDoS attacks. Experimental results show that the proposed model can be highly useful for detecting various DDoS attacks.
Intelligent Data Engineering and Automated Learning | 2004
Sanguk Noh; Cheolho Lee; Keywon Ryu; Kyunghee Choi; Gihyun Jung
As a vast number of services have been flooding into the Internet, it is more likely for Internet resources to be exposed to various hacking activities such as the Code Red and SQL Slammer worms. Since various worms quickly spread over the Internet using a self-propagation mechanism, it is crucial to detect worm propagation and protect them for secure network infrastructure. In this paper, we propose a mechanism to detect worm propagation using the computation of entropy of network traffic and the compilation of network traffic. In experiments, we tested our framework in simulated network settings and could successfully detect worm propagation.
Information Security and Cryptology | 2013
Cheolho Lee; Kyung-Hee Choi; Ki-Hyun Chung; Jongmyung Kim; Youngtae Yun
DHT (Distributed Hash Table) networks such as Kademlia are vulnerable to the ID mapping attack caused by the voluntary DHT mapping structure, where the location of a node on the network topology is solely determined by the node itself. This causes security problems such as eclipse, DRDoS and botnet C&C on DHT networks. To prevent ID mapping attacks, we propose a non-voluntary DHT mapping scheme and perform analysis on NAT compatibility, attack resistance, and network dynamicity. Analysis results show that our approach may have an equivalent level of attack resistance compared with other defense mechanisms and overcome their limitations, including NAT compatibility and network dynamicity.
Network and Parallel Computing | 2005
Jungtaek Seo; Cheolho Lee; Jungtae Kim; Taeshik Shon; Jongsub Moon
We present a probabilistic packet filtering (PPF) mechanism to defend the Web server against Distributed Denial-of-Service (DDoS) attacks. To distinguish abnormal traffic from normal traffic, we use Traffic Rate Analysis (TRA). If the TRA mechanism detects DDoS attacks, the proposed model probabilistically filters the packets related to the attacks. The simulation results demonstrate that it is useful for early detection of DDoS attacks and effective in protecting Web servers from DDoS attacks.
Embedded and Ubiquitous Computing | 2005
Jungtaek Seo; Cheolho Lee; Jungtae Kim; Taeshik Shon; Jongsub Moon
We present a probabilistic packet filtering (PPF) model to defend the Web server against Distributed Denial-of-Service (DDoS) attacks. To distinguish abnormal traffic from normal traffic, we used Concentration Tendency of Network Traffic (CTNT). The CTNT mechanism computes the ratio of a specific type of packets among the total amount of network packets, and detects abnormal traffic if and only if the computed ratio exceeds the ratio in the normal situation. If the CTNT mechanism detects DDoS attacks, the proposed model probabilistically filters the packets related to these. The simulation results demonstrate that it is useful for early detection of DDoS attacks. Furthermore, it is effective in protecting Web servers from DDoS attacks.
Lecture Notes in Computer Science | 2006
Eun Young Kim; Cheolho Lee; Hyunggeun Oh; Jinseok Lee