The nature of the threats carried by Distributed Denial of Service (DDoS) attacks requires effective detection as well as efficient response methods. However, feature-based schemes are unsuitable for real-time detection because of their costly computations, and most statistical schemes do not distinguish DDoS attacks from legitimate changes in traffic. Moreover, no single threshold can balance false positives against false negatives: a hard (strict) threshold reduces the risk of false negatives but significantly increases the rate of false positives, while a soft (lenient) threshold can easily be exploited by attackers, who inject malicious traffic that mimics the behaviour of legitimate flows. To avoid these defects, we propose a two-stage approach based on detecting breaks (change points) in the distribution of connection sizes. A connection is defined as the aggregate traffic between two IP addresses, one belonging to the policed address set (the addresses under protection) and the other being a foreign address; connection size is measured in number of packets. To this end, we employ the Total Variation Distance (TVD) to measure horizontal and vertical similarity among flows. We also investigate a class of intelligent denial-of-service attacks which, unlike high-rate attacks, are difficult for other schemes to detect. The experimental results indicate that our scheme detects DDoS flooding attacks accurately; its effectiveness, even against intelligent attacks, is around 90%.
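The following Python program is an added example and is not code from the paper. It implements the core idea of the abstract: aggregate packets per (policed address, foreign address) pair into connection sizes, take the empirical distribution of those sizes in each measurement window, and use the Total Variation Distance between successive windows as the break signal. The log2 size bins, the window contents, the alert threshold of 0.5, the address values and the function names are all assumptions of this example; the paper's horizontal/vertical comparison of flows and its second stage are not reproduced here.

```python
"""Added example (not the paper's code): change detection on the distribution
of connection sizes using Total Variation Distance (TVD).

A connection is the aggregate of all packets exchanged between one policed
(protected) address and one foreign address, in either direction, measured
in packets. The log2-spaced bins, window length and alert threshold are
assumptions of this example, not parameters taken from the paper.
"""
from collections import defaultdict
from math import log2

# Constructed policed address set (the addresses being protected).
POLICED = {"10.0.0.1", "10.0.0.2"}


def connection_sizes(flow_records, policed=POLICED):
    """Aggregate per-direction flow records (src, dst, packets) into
    connection sizes keyed by (policed_address, foreign_address)."""
    sizes = defaultdict(int)
    for src, dst, packets in flow_records:
        if src in policed and dst not in policed:
            sizes[(src, dst)] += packets
        elif dst in policed and src not in policed:
            sizes[(dst, src)] += packets
        # Traffic with both or neither endpoint policed is not a connection here.
    return dict(sizes)


def size_distribution(sizes):
    """Empirical distribution of connection sizes over log2-spaced bins.
    Returns {bin: probability}; bin k holds sizes in [2^k, 2^(k+1))."""
    if not sizes:
        return {}
    counts = defaultdict(int)
    for packets in sizes.values():
        counts[int(log2(packets))] += 1
    total = len(sizes)
    return {b: c / total for b, c in counts.items()}


def total_variation_distance(p, q):
    """TVD(P, Q) = 1/2 * sum_i |P(i) - Q(i)|, a value in [0, 1]."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(i, 0.0) - q.get(i, 0.0)) for i in support)


def detect_breaks(windows, threshold=0.5):
    """Compare each window's size distribution with the previous window's.
    Returns [(window_index, tvd, alert)] for windows 1..n-1."""
    dists = [size_distribution(connection_sizes(w)) for w in windows]
    results = []
    for i in range(1, len(dists)):
        d = total_variation_distance(dists[i - 1], dists[i])
        results.append((i, round(d, 4), d >= threshold))
    return results


# Constructed sample windows of (src, dst, packets) flow records.
# Foreign hosts use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
WINDOW_NORMAL_1 = [
    ("203.0.113.10", "10.0.0.1", 12), ("10.0.0.1", "203.0.113.10", 10),
    ("203.0.113.11", "10.0.0.1", 40), ("10.0.0.1", "203.0.113.11", 38),
    ("203.0.113.12", "10.0.0.2", 5), ("10.0.0.2", "203.0.113.12", 3),
    ("203.0.113.13", "10.0.0.2", 150), ("10.0.0.2", "203.0.113.13", 140),
    ("203.0.113.14", "10.0.0.1", 9),
    ("203.0.113.15", "10.0.0.2", 60), ("10.0.0.2", "203.0.113.15", 70),
]
WINDOW_NORMAL_2 = [
    ("203.0.113.10", "10.0.0.1", 20), ("10.0.0.1", "203.0.113.10", 11),
    ("203.0.113.11", "10.0.0.1", 45), ("10.0.0.1", "203.0.113.11", 30),
    ("203.0.113.12", "10.0.0.2", 4), ("10.0.0.2", "203.0.113.12", 4),
    ("203.0.113.13", "10.0.0.2", 160), ("10.0.0.2", "203.0.113.13", 130),
    ("203.0.113.16", "10.0.0.1", 16),
    ("203.0.113.15", "10.0.0.2", 66), ("10.0.0.2", "203.0.113.15", 70),
]
# Flood window: the same legitimate traffic plus 54 spoofed sources that each
# send a single packet, which piles probability mass into the smallest bin.
WINDOW_FLOOD = WINDOW_NORMAL_2 + [
    (f"198.51.100.{i}", "10.0.0.1", 1) for i in range(1, 55)
]

if __name__ == "__main__":
    for index, tvd, alert in detect_breaks([WINDOW_NORMAL_1, WINDOW_NORMAL_2, WINDOW_FLOOD]):
        print(f"window {index}: TVD={tvd} alert={alert}")
```

Between the two legitimate windows the distributions differ in one connection's bin, giving a TVD of about 0.17, well under the threshold; the flood window moves 90% of the probability mass into the single-packet bin and yields a TVD of 0.9. The threshold trade-off the abstract describes is visible here: lowering it catches smaller shifts but would also flag the ordinary churn between the two normal windows.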