Detecting Incoming and Outgoing DDoS Attacks at the Edge Using a Single Set of Network Characteristics

Quantified Score

Visualization

Abstract

Detection of Distributed Denial of Service attacks should ideally take place near their sources, at edge networks, where countermeasures are most effective. DDoS detection by monitoring an over-provisioned backbone link either near the source or the victim is challenging because congestion isnýt the identifying anomaly signature. Most research efforts try to identify a single detection metric that can reliably detect DDoS attacks. On the contrary, we use multiple metrics to successfully detect flooding attacks at the edge and classify them as incoming or outgoing attacks with an Artificial Neural Network (ANN). We explore the DDoS detection ability of Multi-Layer Perceptrons (MLP) as classifiers we can teach by example. The inputs of the MLP are metrics coming from different types of passive measurements that are available today to network administrators. We use these metrics to feed our MLP, train it and evaluate its performance in terms of ýfalse positiveý and ýtrue positiveý rates in the face of new data. Our analysis is based on data from several experiments that were conducted with the use of common DDoS tools in the production network of a university network. We show that the MLP is capable of classifying the state of the monitored edge network as "DDoS source", "DDoS victim" or "normal". This way an edge network can use a single mechanism to protect itself from incoming DDoS attacks and at the same time protect the rest of the network from outgoing attacks.