A comprehensive approach to discriminate DDoS attacks from flash events. (February 2016)
- Record Type:
- Journal Article
- Title:
- A comprehensive approach to discriminate DDoS attacks from flash events. (February 2016)
- Main Title:
- A comprehensive approach to discriminate DDoS attacks from flash events
- Authors:
- Sachdeva, Monika
Kumar, Krishan
Singh, Gurvinder
- Abstract:
- Most of the business applications on the Internet are dependent on web services for their transactions. Distributed denial of service (DDoS) attacks either degrade or completely disrupt web services by sending a flood of packets in the form of legitimate-looking requests towards the victim web servers. A flash event (FE), which is an overload condition caused by a large number of legitimate requests, has characteristics similar to those of DDoS attacks. Therefore, detection of DDoS attacks with FE as background traffic is one of the hardest problems confronted by network security researchers. Moreover, DDoS attacks and FEs require altogether different handling procedures. In this paper, traffic cluster entropy is derived from source address entropy, and their combination is used not only to detect various types of DDoS attacks against web services but also to distinguish DDoS attacks from FEs. Optimal thresholds for traffic cluster entropy are calibrated through the receiver operating characteristic (ROC) curve. The proposed detection approach can operate in one of three defence modes: naive, normal or best, based on attack detection sensitivity requirements. Sensitivity of the detection metric is tested using multiple simulation scenarios with different types of DDoS attacks along with variation in the origins of attack and FE traffic. Detection of a variety of DDoS attacks, such as high rate skewed DDoS attacks, low rate isotropic attacks, subnet spoofed DDoS attacks and sophisticated DDoS attacks, has been demonstrated. The effectiveness of the proposed approach in terms of false positive rate, detection rate and classification rate is validated through simulations carried out using NS-2 on a Linux platform.
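The following is an added illustration of the entropy idea described in the abstract; it is example code written for this record, not the authors' implementation or their simulation setup. It assumes that a "traffic cluster" is the /16 prefix of the source address (the paper's cluster definition is not given here), uses placeholder thresholds in classify(), and stands in for the ROC calibration with Youden's index over labelled windows. The three traffic windows are constructed, not captured. What it shows: a flash event and a subnet-spoofed flood both have high source address entropy, so that metric alone cannot separate them, while the cluster entropy of the spoofed flood collapses because all its addresses sit in a couple of networks; a skewed high-rate flood from a few bots is caught by low source entropy instead.

```python
"""Source-address and traffic-cluster entropy over request windows.

Added illustration, not the authors' code. Assumptions: a traffic cluster
is the /16 prefix of the source address; the thresholds in classify() are
placeholders; calibrate_threshold() uses Youden's J on labelled windows as
a simple stand-in for ROC-based calibration; all traffic is constructed.
"""
import ipaddress
import math
from collections import Counter


def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter / dict of occurrence counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def cluster_of(ip, prefix=16):
    """Traffic cluster of a source: assumed here to be its /prefix network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def window_entropies(sources, prefix=16):
    """(source address entropy, traffic cluster entropy) for one window."""
    h_src = shannon_entropy(Counter(sources))
    h_cluster = shannon_entropy(Counter(cluster_of(s, prefix) for s in sources))
    return h_src, h_cluster


def classify(sources, prefix=16, src_low=3.0, cluster_low=3.0):
    """Label a window already known to be overloaded (request rate above baseline).

    Thresholds are placeholders; in practice they come from ROC calibration.
    """
    h_src, h_cluster = window_entropies(sources, prefix)
    if h_src < src_low:
        return "ddos-skewed"   # a few sources dominate the window
    if h_cluster < cluster_low:
        return "ddos-subnet"   # many addresses, but packed into few networks
    return "flash-event"       # many sources spread across many networks


def calibrate_threshold(scores, labels):
    """Cut-off maximising TPR - FPR (Youden's J) over labelled windows.

    labels[i] is True for attack windows; a window is predicted as attack
    when its score (an entropy value) is below the returned threshold.
    Candidate cut-offs are the midpoints between adjacent observed scores.
    """
    pos = sum(1 for l in labels if l)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("need both attack and benign windows")
    uniq = sorted(set(scores))
    candidates = [float("-inf")] + [(a + b) / 2 for a, b in zip(uniq, uniq[1:])] + [float("inf")]
    best_t, best_j = None, -1.0
    for t in candidates:
        tp = sum(1 for s, l in zip(scores, labels) if l and s < t)
        fp = sum(1 for s, l in zip(scores, labels) if not l and s < t)
        j = tp / pos - fp / neg
        if j > best_j:
            best_t, best_j = t, j
    return best_t


def example_windows():
    """Three constructed windows of 64 requests each (not captured traffic)."""
    flash = [f"10.{i}.0.1" for i in range(64)]                    # 64 clients in 64 /16s
    subnet = [f"10.{i // 32}.0.{i % 32 + 1}" for i in range(64)]  # 64 spoofed addrs in 2 /16s
    skewed = [f"10.{i}.0.1" for i in range(4)] * 16               # 4 bots, 16 requests each
    return {"flash": flash, "subnet": subnet, "skewed": skewed}


def run_example():
    """Entropies and labels per window, plus a calibrated cluster threshold."""
    windows = example_windows()
    result = {name: (*window_entropies(src), classify(src)) for name, src in windows.items()}
    scores = [result[n][1] for n in ("flash", "subnet", "skewed")]
    labels = [False, True, True]  # flash event is benign, the other two are attacks
    result["cluster_threshold"] = calibrate_threshold(scores, labels)
    return result


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

Note that a low-rate isotropic attack (many sources, each sending little, spread across many networks) has entropies that look like the flash event in this toy, which is exactly why the abstract pairs the entropy metrics with calibrated thresholds and sensitivity modes rather than relying on entropy alone; the placeholder classify() does not separate that case.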
- Is Part Of:
- Journal of information security and applications. Volume 26(2016)
- Journal:
- Journal of information security and applications
- Issue:
- Volume 26(2016)
- Issue Display:
- Volume 26, Issue 2016 (2016)
- Year:
- 2016
- Volume:
- 26
- Issue:
- 2016
- Issue Sort Value:
- 2016-0026-2016-0000
- Page Start:
- 8
- Page End:
- 22
- Publication Date:
- 2016-02
- Subjects:
- Distributed denial of service (DDoS) -- Flash event (FE) -- Entropy -- Receiver operating characteristic curve (ROC)
Computer security -- Periodicals
Information technology -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.jisa.2015.11.001
- Languages:
- English
- ISSNs:
- 2214-2126
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 19400.xml