Computer Networks
Volume 51, Issue 18, 19 December 2007, Pages 5036-5056
doi:10.1016/j.comnet.2007.08.008
Copyright © 2007 Elsevier B.V. All rights reserved.
Robust and efficient detection of DDoS attacks for large-scale internet

Kejie Lu (a), Dapeng Wu (b, corresponding author), Jieyan Fan (b), Sinisa Todorovic (c) and Antonio Nucci (d)

(a) Department of Electrical and Computer Engineering, University of Puerto Rico at Mayagüez, Mayagüez, PR 00681, United States
(b) Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, United States
(c) Computer Vision and Robotics Laboratory, University of Illinois at Urbana-Champaign, Urbana, IL 61801, United States
(d) Narus, Inc., 500 Logue Avenue, Mountain View, CA 94043, United States

Received 15 November 2006; 
revised 21 May 2007; 
accepted 31 August 2007. 
Responsible Editor: R. Molva. 
Available online 10 September 2007.


Abstract

In recent years, distributed denial of service (DDoS) attacks have become a major security threat to Internet services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel framework to robustly and efficiently detect DDoS attacks and identify attack packets. The key idea of our framework is to exploit the spatial and temporal correlation of DDoS attack traffic. In this framework, we design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an Internet service provider (ISP) network. Our framework is able to detect any source-address-spoofed DDoS attack, whether it is a low-volume or a high-volume attack. The novelties of our framework are (1) temporal-correlation-based feature extraction and (2) spatial-correlation-based detection. With these techniques, our scheme can accurately detect DDoS attacks and identify attack packets without modifying the existing IP forwarding mechanisms at routers. Our simulation results show that the proposed framework can detect DDoS attacks even if the volume of attack traffic on each link is extremely small. In particular, for the same false alarm probability, our scheme has a detection probability of 0.97, while the existing scheme has a detection probability of 0.17, which demonstrates the superior performance of our scheme.

Keywords: Distributed denial of service (DDoS) attacks; Detection; Machine learning; Spatial correlation

Article Outline

1. Introduction
2. Related work
2.1. Feature extraction
2.2. Detection
3. Framework for detecting DDoS attacks
3.1. Traffic monitor
3.2. Local analyzer
3.3. Global analyzer
4. Feature generation
4.1. Feature extraction module
4.1.1. Feature extraction in a traffic monitor
4.1.2. Feature extraction in a local analyzer
4.1.3. Feature extraction in a global analyzer
4.2. Implementation of 2D matching feature extraction
4.2.1. Implementation at a traffic monitor
4.2.2. Implementation at a local analyzer
5. Machine learning algorithm for detection
5.1. Outline of our detection approach
5.2. Formulation of the detection problem
5.3. Machine learning algorithm for network-state estimation
5.3.1. Irregular tree
5.3.2. Inference of the irregular tree
6. Discussion on detection algorithms
6.1. Performance metrics
6.2. Threshold-based algorithm
6.3. Change-point algorithm
7. Simulation results
7.1. Experiment setting
7.1.1. Network
7.1.2. Traffic
7.1.3. Feature
7.2. Performance comparison
7.3. Discussion
8. Conclusion
Acknowledgements
References
Vitae