This work introduces the use of data fusion in the field of DDoS anomaly detection. We present the Dempster-Shafer Theory of Evidence (D-S), the mathematical foundation for the development of a novel DDoS detection engine. Based on a data fusion paradigm, we combine evidence generated from multiple simple metrics to feed our D-S inference engine and detect attacks on a single network element (a high-bandwidth link).

The main advantages of our approach are the modeling power of the Theory of Evidence in expressing beliefs in some hypotheses, its flexibility in handling uncertainty and ignorance, and its ability to provide a quantitative measurement of the belief and plausibility of our detection results. Furthermore, we propose a system that can be trained (supervised learning) with minimum human effort, using in parallel expert knowledge about the detection ability of each metric.

We evaluate our detection engine prototype through an extensive set of experiments on an operational network using real network traffic, with the use of a popular DDoS attack generator. Based on these results we discuss the performance of our D-S scheme in contrast to simple thresholds on single metrics, as well as against an alternative data fusion technique based on an Artificial Neural Network. We conclude that our data fusion approach is promising: it significantly increases the DDoS detection rate (true positives) while keeping the false positive alarm rate low.
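The following Python is an added illustration of the D-S combination step the abstract describes; it is not code from the paper or its authors. It maps each metric observation to a basic probability assignment over the frame {attack, normal}, with the expert's confidence in that metric (its "reliability") deciding how much mass is left as ignorance, then fuses the per-metric assignments with Dempster's rule and reads off belief and plausibility for the attack hypothesis. The three metrics, their threshold bands, the reliability values and the sample observations are all constructed for the example; in the paper the bands would come from supervised training and the reliabilities from expert knowledge.

```python
"""Dempster-Shafer fusion of per-metric evidence for DDoS detection (illustrative)."""
from itertools import product

# Frame of discernment: the monitored link is either under attack or carrying
# normal traffic. THETA (both) is the "don't know" hypothesis.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL


def metric_evidence(value, low, high, reliability):
    """Turn one metric observation into a basic probability assignment (bpa).

    value is the measured metric; low/high bracket the band between "clearly
    normal" and "clearly attack" (hand-picked here; a trained system would
    learn them). reliability is the expert's confidence in the metric's
    detection ability: the remaining 1 - reliability goes to THETA, so a weak
    metric expresses ignorance instead of a confident wrong verdict.
    """
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must be in [0, 1]")
    if value <= low:
        score = 0.0
    elif value >= high:
        score = 1.0
    else:
        score = (value - low) / (high - low)
    bpa = {
        ATTACK: reliability * score,
        NORMAL: reliability * (1.0 - score),
        THETA: 1.0 - reliability,
    }
    return {h: m for h, m in bpa.items() if m > 0.0}


def combine(m1, m2):
    """Dempster's rule of combination for two bpas over the same frame."""
    fused = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        both = a & b
        if both:
            fused[both] = fused.get(both, 0.0) + ma * mb
        else:
            conflict += ma * mb          # mass assigned to disjoint hypotheses
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; cannot normalise")
    return {h: m / (1.0 - conflict) for h, m in fused.items()}


def belief(m, hypothesis):
    """Bel(H): mass of every subset fully contained in H."""
    return sum(v for h, v in m.items() if h <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): mass of every subset that intersects H (Bel(H) plus ignorance)."""
    return sum(v for h, v in m.items() if h & hypothesis)


def fuse_metrics(observations):
    """observations: list of (value, low, high, reliability) tuples."""
    fused = {THETA: 1.0}  # vacuous bpa: start from complete ignorance
    for value, low, high, reliability in observations:
        fused = combine(fused, metric_evidence(value, low, high, reliability))
    return fused


def detect(observations, threshold=0.5):
    """Return (alarm, Bel(attack), Pl(attack)) for one observation window."""
    m = fuse_metrics(observations)
    bel = belief(m, ATTACK)
    return bel >= threshold, bel, plausibility(m, ATTACK)


# Constructed observations for one 1-second window on the monitored link.
SAMPLE = [
    (150_000, 50_000, 100_000, 0.8),  # packets/s: clearly high, trusted metric
    (0.5, 0.25, 0.75, 0.6),           # SYN/total ratio: ambiguous, moderate trust
    (800, 1_000, 5_000, 0.5),         # distinct sources/s: looks normal, weak metric
]

if __name__ == "__main__":
    alarm, bel, pl = detect(SAMPLE)
    print(f"alarm={alarm} Bel(attack)={bel:.3f} Pl(attack)={pl:.3f}")
```

With the constructed inputs, the trusted packet-rate metric dominates but the normal-looking source-count metric pulls belief down: Bel(attack) ends at about 0.69 and Pl(attack) at about 0.78, with the gap between them being the ignorance the fused sources still admit. That gap is what a single threshold on one metric cannot report, and it is why the abstract stresses quantitative belief and plausibility rather than a bare verdict.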