Combining cross-correlation and fuzzy classification to detect distributed denial-of-service attacks

Authors:
Wei Wei;Yabo Dong;Dongming Lu;Guang Jin
Affiliations:
College of Compute Science and Technology, Zhejiang University, Hangzhou, P.R. China;College of Compute Science and Technology, Zhejiang University, Hangzhou, P.R. China;College of Compute Science and Technology, Zhejiang University, Hangzhou, P.R. China;College of Information Science and Engineering, Ningbo University, Ningbo, P.R. China
Venue:
ICCS'06 Proceedings of the 6th international conference on Computational Science - Volume Part IV
Year:
2006

Citing 3
Cited 0

Time Series Analysis: Forecasting and Control

Time Series Analysis: Forecasting and Control
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.