One step ahead to multisensor data fusion for DDoS detection

Authors:
Christos Siaterlis;Vasilis Maglaris
Affiliations:
Network Management and Optimal Design Lab, National Technical University of Athens, Greece;Network Management and Optimal Design Lab, National Technical University of Athens, Greece
Venue:
Journal of Computer Security - Special issue on security track at ACM symposium on applied computing 2004
Year:
2005

Citing 24
Cited 2

Application of sampling methodologies to network traffic characterization

SIGCOMM '93 Conference proceedings on Communications architectures, protocols and applications
Intrusion detection systems and multisensor data fusion

Communications of the ACM
Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Characteristics of network traffic flow anomalies

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
An algebraic approach to IP traceback

ACM Transactions on Information and System Security (TISSEC)
Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites

Proceedings of the 11th international conference on World Wide Web
Mathematical Techniques in Multisensor Data Fusion

Mathematical Techniques in Multisensor Data Fusion
Controlling high bandwidth aggregates in the network

ACM SIGCOMM Computer Communication Review
Multisensor Data Fusion

Multisensor Data Fusion
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Attacking DDoS at the Source

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
A framework for classifying denial of service attacks

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Towards multisensor data fusion for DoS detection

Proceedings of the 2004 ACM symposium on Applied computing
Detecting Network Attacks in the Internet via Statistical Network Traffic Normality Prediction

Journal of Network and Systems Management
A taxonomy of DDoS attack and DDoS defense mechanisms

ACM SIGCOMM Computer Communication Review
The OSU Flow-tools Package and CISCO NetFlow Logs

LISA '00 Proceedings of the 14th USENIX conference on System administration
Detecting Incoming and Outgoing DDoS Attacks at the Edge Using a Single Set of Network Characteristics

ISCC '05 Proceedings of the 10th IEEE Symposium on Computers and Communications
Detecting DDoS attacks with passive measurement based heuristics

ISCC '04 Proceedings of the Ninth International Symposium on Computers and Communications 2004 Volume 2 (ISCC"04) - Volume 02
MULTOPS: a data-structure for bandwidth attack detection

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Detecting distributed denial of service attacks by sharing distributed beliefs

ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
Network intrusion and fault detection: a statistical anomaly approach

IEEE Communications Magazine

Multisensor message exchange mechanism

International Journal of Electronic Security and Digital Forensics
Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

This work introduces the use of data fusion in the field of DDoS anomaly detection. We present Dempster-Shafer Theory of Evidence (D-S), the mathematical foundation for the development of a novel DDoS detection engine. Based on a data fusion paradigm, we combine evidence generated from multiple simple metrics to feed our D-S inference engine and detect attacks on a single network element (high bandwidth link).The main advantages of our approach are the modeling power of the Theory of Evidence in expressing beliefs in some hypotheses, its flexibility to handle uncertainty and ignorance and its ability to provide quantitative measurement of the belief and plausibility in our detection results. Furthermore we propose a system that can be trained (supervised learning) with minimum human effort, using in parallel expert knowledge about each metric detection ability.We evaluate our detection engine prototype through an extensive set of experiments on an operational network using real network traffic, with the use of a popular DDoS attack generator. Based on these results we discuss the performance of our D-S scheme in contrast to simple thresholds on single metrics, as well as against an alternative data fusion technique based on an Artificial Neural Network. We conclude that our data fusion is a promising approach that significantly increases the DDOS detection rate (true positives) while keeping the false positive alarm rate low.