Authors: Jieren Cheng; Xiangyan Tang; Jianping Yin
Addresses: College of Information Science and Technology, Hainan University, Haikou, 570228, China; Department of Computing, Xiangnan University, Chenzhou, 423000, China ' College of Information Science and Technology, Hainan University, Haikou, 570228, China ' State Key Laboratory of High Performance Computing, National University of Defense Technology, Changsha, 410073, China
Abstract: We propose a change-point DDoS attack detection method based on half interaction anomaly degree. For large-scale DDoS attacks, some key routing devices will route a large volume of converged DDoS attack flows, and at the same time, the normal traffic routed by those devices is also large. As a result, the current methods will be largely affected by large volume of normal flows, which will lead to high false positive rate and false negative rate. This paper proposes the concept of IP flow address half interaction anomaly degree (HIAD). We extract HIAD from abnormal flows in the network, then transform the HIAD time series into CSTS by an improved cumulative sum (CUSUM) algorithm, and propose a CSTS-based DDoS attack detection (CDAD) method. Experiments show that the CDAD method can extract features of DDoS attack flows from abnormal flows and recognise the DDoS attack rapidly and effectively.
Keywords: denial of service; DDoS attacks; distributed DOS; abnormal flows; attack flows; attack detection; anomaly detection; intrusion detection; information security; network security; time series; change point; cumulative sum; CUSUM; feature extraction.
International Journal of Autonomous and Adaptive Communications Systems, 2017 Vol.10 No.1, pp.38 - 54
Received: 19 Sep 2013
Accepted: 12 Oct 2013
Published online: 09 Mar 2017 *