
2010 2nd International Conference on Information and Multimedia Technology (ICIMT 2010)

Detecting a Wide Range of Flooding DDoS Attacks using Linear Prediction Model

B. B. Gupta (1,2), R. C. Joshi (2), M. Misra (2), D. L. Meena (3), G. Shrivastava (4), K. Sharma (4)

(1) Department of Computer Science & Engineering, Graphic Era University, Dehradun, India; gupta.brij@gmail.com
(2) Department of Electronics and Computer Engineering, Indian Institute of Technology Roorkee, India
(3) Department of Computer Application, MITS, Gwalior, India
(4) G.G.S.I.P. University, New Delhi

Abstract— Disruption of service caused by DDoS attacks is an immense threat to the Internet today. These attacks can disrupt the availability of Internet services completely, by eating either computational or communication resources through a sheer volume of packets sent from distributed locations in a coordinated manner, or cause graceful degradation of network performance by sending attack traffic at a low rate. In this paper, the linear prediction model, a statistical modeling technique commonly used for financial time series, is proposed as a new technique for detecting flooding DDoS attacks. The linear prediction model is a fast and effective method to detect a variety of DDoS flooding attacks. Entropy is used as the parameter to detect DDoS attacks. The ns-2 network simulator is used to generate a data set consisting of network trace data. The abnormal traffic is generated with different attack rates starting from 10Mbps to 100Mbps. For each time slot, the entropy of incoming packets is calculated. We see that time series modeling of DDoS attacks does show a lot of promise. By modeling the entropy of incoming traffic, we are able to detect an attack within short delays.

Key Words- DDoS attacks, Intrusion detection, Linear prediction, False positives, False negatives.

I. INTRODUCTION

Denial-of-Service (DoS) attacks are a major threat to the Internet. DoS attacks are commonly characterized as events where legitimate users or organizations are deprived of certain services like web, e-mail or network connectivity that they normally expect to have [1]. The main aim of such attacks is to prevent the victim either from the benefit of a particular service (in case the client is the victim) or from providing its services to others (in case the server is the victim).

DDoS (Distributed Denial of Service) attacks are an amplified form of DoS attacks where attackers direct a hundred or even more zombie machines against a single target. An intruder can perform DDoS attacks either as brute force attacks or as logical attacks [2]. In brute force DDoS attacks, legitimate-looking but erroneous data packets are sent to the victim as much as possible, thus reducing the legitimate users' bandwidth and preventing access to a service. Logical attacks exploit a specific feature or implementation bug of some protocol or application installed at the target machine in order to consume an excess amount of its resources. A series of DDoS attacks that shut down some high profile websites has demonstrated the severe consequences of these attacks [3]. As per the computer crime and security survey conducted by FBI/CSI in the United States for the year 2004 [4], DoS attacks are the second most widely detected outsider attack type in computer networks, immediately after virus infections. A computer crime and security survey conducted in Australia for the year 2004 [5] shows similar results.

Linear prediction (LP) is a mathematical concept in which the future values of a discrete-time signal are estimated as a linear function of past outputs and inputs. In the past, LP analysis has been successfully used to detect faults in a network [6].

In this paper, linear prediction analysis of traffic is used as a new approach to detect flooding DDoS attacks. The proposed system can easily detect low intensity attacks (attacks with a low flooding rate, but which are still able to bring down a service) too. Entropy is used as the parameter to detect DDoS attacks. The ns-2 network simulator [7] is used to generate a data set consisting of network trace data. The abnormal traffic is generated with different attack rates starting from 10Mbps to 100Mbps. For each time slot, the entropy of incoming packets is calculated. We see that time series modeling of DDoS attacks does show a lot of promise. By modeling the entropy of incoming traffic, we are able to detect an attack within short delays.

The rest of the paper is organized as follows. Section 2 discusses related work. Parameters used for modeling and the issues of detection near the source of attack are discussed in section 3. Section 4 details detection using LP analysis. Performance evaluation is discussed in section 5. Finally, concluding remarks are drawn in section 6.

II. RELATED WORK

This section gives an overview of the plethora of existing DDoS detection schemes proposed in the literature. Attack detection aims to detect an ongoing attack and to

978-1-4244-8882-7/10/$26.00 © 2010 IEEE



discriminate malicious traffic from legitimate traffic. Detection can be performed using a database of known signatures, by recognizing anomalies in system behaviors, or using a third party [2]. The signature based approach employs a priori knowledge of attack signatures. The signatures are manually constructed by security experts analyzing previous attacks and are matched against incoming traffic to detect intrusions. SNORT [8] and Bro [9] are the two most widely used signature based detection approaches. Signature based techniques are only effective in detecting traffic of known DDoS attacks, whereas new attacks or even slight variations of old attacks go unnoticed. Anomaly detection [10]-[17] relies on detecting behaviors that are abnormal with respect to some normal standard. Detecting DDoS attacks involves first knowing the normal behavior of our system and then finding deviations from that behavior.

Gil and Poletto [10] proposed a scheme called MULTOPS to detect denial of service attacks by monitoring the packet rate in both the up and down links. MULTOPS assumes that packet rates between two hosts are proportional during normal operation. A significant disproportion between the packet rate going to and from a host or subnet is a strong indication of a DoS attack. Blazek et al. [11] proposed batch detection to detect DoS attacks by monitoring statistical changes. Cheng et al. [12] proposed to use spectral analysis to identify DoS attack flows. A mechanism called congestion triggered packet sampling and filtering is proposed by Huang et al. [13]. According to this approach, a subset of the packets dropped due to congestion is selected for statistical analysis. If an anomaly is indicated by the statistical results, a signal is sent to the router to filter the malicious packets. Mirkovic et al. [14] proposed the D-WARD defense system that does DDoS attack detection at the source, based on the idea that DDoS attacks should be stopped as close to the source as possible. Bencsath et al. [15] have given a traffic level measurement based approach, in which incoming traffic is monitored continuously and dangerous rises in traffic intensity are detected. Chen et al. [16] used a distributed change-point detection (DCD) architecture using change aggregation trees (CAT) to detect DDoS attacks over multiple network domains. Feinstein et al. [17] focus their detection efforts on activity level and source address distribution using entropy. Anomaly based techniques can detect novel attacks; however, they may result in higher false alarms. Mechanisms that deploy third-party detection do not handle the detection process themselves, but rely on an external third party that signals the occurrence of the attack.

III. MODELING FLOODING ATTACKS

A. Stationarity

A stationary process has the characteristic that its statistical properties, i.e. mean, variance and autocorrelation structure, do not change over time. Stationarity can be defined as a flat looking series, without trend, with constant variance over time, a constant autocorrelation structure over time and no periodic fluctuations. A random process is classified as first-order stationary if its first-order probability density function remains constant regardless of any shift in time of its origin. If we let $x_{t_1}$ represent a given value at time $t_1$, then we define a first-order stationary process as one that satisfies the following equation:

$f_x(x_{t_1}) = f_x(x_{t_1+\tau})$ (1)

The physical significance of this equation is that the density function $f_x(x_{t_1})$ is completely independent of $t_1$ and thus of any time shift $\tau$. The most important result of this statement, and the identifying characteristic of any first-order stationary process, is the fact that the mean is a constant independent of any time shift. Below we show the result for a random process $X$ that is a discrete-time signal $x[n]$:

$X = m_x[n] = E[x[n]] = \text{constant}$ (independent of $n$) (2)

For a random process, if the first and second order moments do not vary with time, it is termed a wide sense stationary (WSS) process. For most practical cases, the WSS requirement is sufficient evidence of stationarity. A common assumption in many time series techniques is that the original series is stationary in nature. Figure 1 shows the stationarity of the network data set. It shows a snapshot of the data set (entropy of incoming traffic vs polling interval) and three windows of it at different time intervals. It is seen that the mean (µ) and standard deviation (σ) are almost constant throughout the different windows, signifying the fact that the data is wide sense stationary (WSS).


Figure 1. Evidence of stationarity: entropy of incoming traffic vs polling interval for the full trace (µ = 8.43329, σ = 0.01317) and for three windows of it, Window-I (µ = 8.43706, σ = 0.01017), Window-II (µ = 8.43534, σ = 0.01348) and Window-III (µ = 8.43607, σ = 0.01152).

B. Choice of Parameter for modeling

The main factor that governs the effectiveness of a modeling technique is the parameter used in modeling. Many parameters have been proposed and studied. One of the most obvious parameters of choice is volume (number of packets and byte count per unit time), as most existing solutions use volume based metrics (number of packets and byte count per unit time) to detect and characterize DDoS attacks. These suffer from a large number of false positives/negatives, hence more collateral damage, when the attack is carried out at a slow rate or when the volume per attack flow is not so high compared to legitimate flows. Lakhina et al. [18] observed that most traffic anomalies, despite their diversity, share a common characteristic: they induce a change in the distributional aspects of packet header fields (i.e. source address, source port, destination address, destination port etc., called traffic features). Our hypothesis to detect and characterize attacks treats DDoS anomalies as events that disturb the distribution of traffic features. For example, a DoS attack, regardless of its volume, will cause the distribution by destination address to be concentrated on the victim address. Similarly, a scan for a vulnerable port (network scan) will have a dispersed distribution for destination addresses, and a skewed distribution for destination ports that is concentrated on the vulnerable port being scanned. The key question here is to decide which metric to use for measuring the distribution of traffic features. We have chosen entropy as the metric to model flooding DDoS attacks. Entropy captures in a single value the distributional changes in traffic features, and observing the time series of entropy on multiple features exposes unusual traffic behavior.

C. Choice of polling interval

The choice of the polling interval also plays an important role in determining the time scale at which the data can be modeled and how quickly an attack can be detected. The number of false positive alarms increases steadily with increasing polling interval, as shown in figure 2. Although the false positive rate is lowest with a polling interval of 100ms, the detection rate at this value is very low, i.e. 74 %. Therefore, in our experiments, the optimum value chosen for the polling interval is 200ms, as the typical domestic Internet RTT is around 100ms and the average global Internet RTT is 140ms. Total false positive alarms are minimum with a high detection rate using this value of polling interval. The chosen interval keeps the balance between both aspects.

Figure 2. Variation of false alarm rate using varying polling intervals
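To make Sections III.A and III.B concrete, the following Python script is added here as an illustration; it is not part of the paper and not the authors' code. It builds a constructed packet trace (hypothetical hosts in 10.0.0.0/24, a flood aimed at one victim), computes the destination-address entropy per 200ms polling interval, and then checks the window means and standard deviations the way Figure 1 does. The function names, the window size of 20 intervals and the 0.05 tolerances are this example's own choices.

```python
import math
import random
from collections import Counter

POLL_MS = 200  # polling interval chosen in Section III.C


def entropy(counts):
    """Shannon entropy in bits of the distribution described by a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)


def constructed_trace(n_slots, n_hosts=100, pkts_per_slot=500, attack_slots=(),
                      victim="10.0.0.1", seed=7):
    """Constructed packet trace as (timestamp_ms, dst_ip) pairs; a stand-in for the
    paper's ns-2 data. Legitimate traffic spreads evenly over n_hosts; slots listed
    in attack_slots additionally receive 3x the legitimate volume aimed at one victim."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, n_hosts + 1)]
    trace = []
    for slot in range(n_slots):
        base = slot * POLL_MS
        for _ in range(pkts_per_slot):
            trace.append((base + rng.uniform(0, POLL_MS), rng.choice(hosts)))
        if slot in attack_slots:
            for _ in range(3 * pkts_per_slot):
                trace.append((base + rng.uniform(0, POLL_MS), victim))
    return trace


def entropy_series(trace, poll_ms=POLL_MS):
    """Destination-address entropy for each polling interval, in time order."""
    buckets = {}
    for ts, dst in trace:
        buckets.setdefault(int(ts // poll_ms), Counter())[dst] += 1
    return [entropy(buckets[k]) for k in sorted(buckets)]


def window_stats(series, size):
    """(mean, std) over consecutive non-overlapping windows, as in Figure 1."""
    stats = []
    for start in range(0, len(series) - size + 1, size):
        w = series[start:start + size]
        mu = sum(w) / size
        sigma = math.sqrt(sum((x - mu) ** 2 for x in w) / size)
        stats.append((mu, sigma))
    return stats


def looks_wss(series, size, mean_tol=0.05, std_tol=0.05):
    """Crude WSS check: first and second moments must agree across all windows."""
    stats = window_stats(series, size)
    means = [m for m, _ in stats]
    stds = [s for _, s in stats]
    return (max(means) - min(means) <= mean_tol) and (max(stds) - min(stds) <= std_tol)


if __name__ == "__main__":
    normal = entropy_series(constructed_trace(60))
    attacked = entropy_series(constructed_trace(60, attack_slots=range(40, 46)))
    for label, (mu, sigma) in zip(("I", "II", "III"), window_stats(normal, 20)):
        print(f"window {label}: mu={mu:.4f} sigma={sigma:.4f}")
    print("normal trace WSS:", looks_wss(normal, 20))
    print("attacked trace WSS:", looks_wss(attacked, 20))
```

On the clean trace the three windows agree in mean and standard deviation, the property the paper relies on before fitting a time series model; the six flooded intervals pull the entropy down sharply (the distribution collapses onto the victim address, as Section III.B argues), and the same moment check then fails, which is exactly the kind of deviation the detector is meant to pick up.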


Figure 3. Entropy of incoming traffic vs polling interval: entropy H against polling interval in seconds (0 to 70) for H(Normal) and for attack rates H(10M) through H(100M) in 5 Mbps steps.

D. Data set

The data set consists of network trace data generated by simulations using the NS-2 network simulator. The abnormal traffic is generated with different attack rates starting from 10Mbps to 100Mbps. For each time slot, the entropy of incoming packets is calculated. Since the data is simulated, it can be labeled, that is, the exact time at which an attack happens is known a priori. The values in the data sets constitute the entropy of incoming traffic over 200ms intervals. Figure 3 shows the value of entropy in subsequent polling intervals during normal and different attack scenarios.

IV. DETECTION USING LP ANALYSIS

A. Linear Prediction Model

Linear prediction [19] is a type of autoregressive model. It is a mathematical concept in which the future values of a discrete-time signal are estimated as a linear function of past outputs and inputs. That is, a signal $x_n$ is considered to be the output of a system with some unknown input $u_n$ such that

$x_n = -\sum_{k=1}^{p} \alpha_k x_{n-k} + G \sum_{l=1}^{q} b_l u_{n-l}$ (3)

where $b_0 = 1$, $1 \le k \le p$, $1 \le l \le q$ and the gain $G$ are the parameters of the system. For systems where the input $u_n$ is unknown, the signal value can be predicted as a weighted sum of the past samples, as shown:

$\hat{x}_n = -\sum_{k=1}^{p} \alpha_k x_{n-k}$ (4)

The parameters $\alpha_k$ are obtained by minimizing the mean or total squared error with respect to each of the parameters. Here $p$ is termed the order of the linear prediction.

B. Detection of flooding attacks

The error increases from normal to anomalous frames. It returns to acceptable values when normal behavior resumes. Table 1 shows the mean error values using LP models, averaged over 100 simulated attacks of each rate.

The detection algorithm performs time series analysis on the input network traffic to detect any flooding attack. It uses the LP model to detect attacks. We collected traces of normal traffic from the simulations in the ns-2 network simulator to evaluate our proposed detection mechanism. The abnormal traffic is generated with different attack strengths ranging from 10Mbps to 100Mbps. The detection rate and false positive rate of LP for various attack strengths are shown in table 2.

The data sets consist of sample values corresponding to the entropy of incoming traffic for consecutive polling intervals of 200ms. The data set is divided into overlapping frames of size 40. About 100 attacks pertaining to each rate were simulated. Table 3 shows the detection delays using LP.

Table 1. Mean prediction error for LP

Attack Strength (Mbps)   LP
10                       0.0512
20                       0.0568
30                       0.0523
40                       0.0576
50                       0.0584
60                       0.0547
70                       0.0542
80                       0.0534
90                       0.0545
100                      0.0528

Table 2. Detection rate and false positive rate for LP


Attack Strength (Mbps)   Detection rate (%)   False positive rate
10                       87.6                 4.9364
20                       89.2                 5.6426
30                       91.7                 5.2329
40                       92.5                 6.3215
50                       92.9                 6.8303
60                       94.0                 7.8235
70                       94.3                 8.710
80                       94.8                 9.132
90                       94.8                 9.132
100                      95.4                 9.896

Table 3. Detection Delay in seconds using LP for flooding attacks

Attack Strength (Mbps)   Best     Avg.     Worst
10                       0.0930   0.1528   0.2820
20                       0.0930   0.1725   3.2650
30                       0.0930   0.1420   0.2480
40                       0.0910   0.1420   3.8130
50                       0.0910   0.1545   0.2190
60                       0.1010   0.1445   0.2480
70                       0.1010   0.1510   0.2820
80                       0.0930   0.1345   0.2480
90                       0.9850   0.1265   0.2820
100                      0.1010   0.1297   0.2820

V. CONCLUSION

This paper highlighted some of the basic aspects of time series modeling and showed the application of the LP model to detect flooding DDoS attacks with very short detection delays. It also discussed the important concept of stationarity, which is the underlying assumption governing time series models. Next, different aspects of linear prediction were analyzed in greater detail.

This paper contains a few important results. First, LP can be used to analyze network traffic and detect DDoS attacks. It is able to detect low and high rate flooding DDoS attacks successfully. Even though this paper focused on the detection of flooding DDoS attacks, it is evident that the same mechanism can be used to detect other DDoS attacks such as TCP SYN flooding attacks, TCP RESET attacks, ICMP flooding etc. by choice of appropriate parameters.

REFERENCES

[1] B. B. Gupta, M. Misra, R. C. Joshi, "An ISP level Solution to Combat DDoS attacks using Combined Statistical Based Approach," in International Journal of Information Assurance and Security (JIAS), vol. 3, issue 2, Dynamic Publishers Inc., USA, pp. 102-110, 2008.
[2] B. B. Gupta, R. C. Joshi, M. Misra, "Defending against Distributed Denial of Service Attacks: Issues and Challenges," in Information Security Journal: A Global Perspective, vol. 18, number 5, Taylor & Francis Group, UK, pp. 224-247, 2009.
[3] "DDoS attacks on Yahoo, Buy.com, eBay, Amazon, Datek, E*Trade". CNN Headline News, Feb. 7–11, 2000.
[4] L. A. Gordon, M. P. Loeb, W. Lucyshyn, R. Richardson. "2005 CSI/FBI computer crime and security survey". Tech. Report, Computer Security Institute, 2005. Available: www.GCSI.com.
[5] AusCERT. "2005 Australian computer crime and security survey". Tech. Report, Australian Computer Emergency Response Team, 2005. Available: http://www.auscert.org.au/crimesurvey [accessed Jan. 4, 2006].
[6] A. Ramasamy, Hema A. Murthy, and Timothy A. Gonsalves, "Linear Prediction For Traffic Management And Fault Detection," in Proceedings of the International Conference on Information Technology, ICIT 2000, Dec. 2000.
[7] NS Documentation. Available: http://www.isi.edu/nsnam/ns.
[8] M. Roesch. "Snort-Lightweight Intrusion Detection for Networks". In Proceedings of the USENIX Systems Administration Conference (LISA '99), pp. 229-238, Nov. 1999.
[9] V. Paxson. "Bro: A System for Detecting Network Intruders in Real-Time", International Journal of Computer and Telecommunication Networking, 31 (24), pp. 2435-2463, 1999.
[10] T. M. Gil, M. Poletto. "Multops: a data-structure for bandwidth attack detection". In Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA, pp. 23-38, 2001.
[11] R. B. Blazek, H. Kim, B. Rozovskii, A. Tartakovsky. "A novel approach to detection of denial-of-service attacks via adaptive sequential and batch sequential change-point detection methods". In Proceedings of IEEE Systems, Man and Cybernetics Information Assurance Workshop, pp. 220-226, 2001.
[12] C. M. Cheng, H. T. Kung, K. S. Tan. "Use of spectral analysis in defense against DoS attacks". In Proceedings of IEEE GLOBECOM 2002, Taipei, Taiwan, pp. 2143-2148, 2002.
[13] Y. Huang, J. M. Pullen. "Countering Denial of Service attacks using congestion triggered packet sampling and filtering". In Proceedings of the 10th International Conference on Computer Communications and Networks, pp. 490-494, Scottsdale, Arizona, 2001.
[14] J. Mirkovic, G. Prier, P. Reiher. "Attacking DDoS at the source". In Proceedings of ICNP-2002, Paris, France, pp. 312–321, 2002.
[15] B. Bencsath, I. Vajda. "Protection against DDoS Attacks Based on Traffic Level Measurements". In Proceedings of the Western Simulation Multi Conference, San Diego, California, pp. 22-28, 2004.
[16] Y. Chen, K. Hwang, W. Ku. "Collaborative Detection of DDoS Attacks over Multiple Network Domains", IEEE Transactions on Parallel and Distributed Systems, TPDS-0228-0806, 18 (12), Dec. 2007.
[17] L. Feinstein, D. Schnackenberg, R. Balupari, D. Kindred. "Statistical Approaches to DDoS Attack Detection and Response". In Proceedings of DISCEX'03, Washington, DC, USA, Vol. 1, pp. 303-314, 2003.
[18] A. Lakhina, M. Crovella, C. Diot. "Mining anomalies using traffic feature distributions". In SIGCOMM'05, Pennsylvania, USA, 2005.
[19] J. Makhoul, "Linear Prediction: A Tutorial Review," Proceedings of the IEEE, vol. 63(4), pp. 561-580, 1975.
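The LP detector of Section IV, worked through as an added Python example (this is not the authors' code and does not reproduce their ns-2 data): the coefficients $\alpha_k$ of eq. (4) are fitted by least squares on a clean training segment, then overlapping frames of 40 samples are slid over a live entropy series and a frame is flagged when its mean squared prediction error exceeds a multiple of the training error, as Section IV.B describes. The entropy series is constructed as AR(1) noise around 8.43 bits (the level seen in Figure 1) with a flood that lowers entropy from a known onset; the function names, the order $p=2$, the mean removal before fitting and the 10x error threshold are this example's assumptions.

```python
import random

POLL_S = 0.2   # 200 ms polling interval (Section III.C)
FRAME = 40     # overlapping frame size (Section IV.B)


def solve(matrix, rhs):
    """Solve a small dense linear system by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    a = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n + 1):
                a[r][c] -= f * a[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (a[r][n] - sum(a[r][c] * x[c] for c in range(r + 1, n))) / a[r][r]
    return x


def predict(x, alphas, t):
    """Eq. (4): x_hat_t = -sum_k alpha_k x_{t-k}, from the p samples before index t."""
    return -sum(a * x[t - k - 1] for k, a in enumerate(alphas))


def frame_error(x, alphas):
    """Mean squared prediction error of eq. (4) over one frame of (centred) samples."""
    p = len(alphas)
    errs = [(x[t] - predict(x, alphas, t)) ** 2 for t in range(p, len(x))]
    return sum(errs) / len(errs)


def fit_lp(signal, p):
    """Least-squares LP coefficients alpha_1..alpha_p (covariance method): minimise the
    total squared error of eq. (4) over the training signal. The training mean is
    removed first (a choice made in this example, not stated by the paper).
    Returns (alphas, mean, training mean squared error)."""
    mean = sum(signal) / len(signal)
    x = [v - mean for v in signal]
    n = len(x)
    R = [[sum(x[t - i] * x[t - k] for t in range(p, n)) for k in range(1, p + 1)]
         for i in range(1, p + 1)]
    r = [sum(x[t] * x[t - i] for t in range(p, n)) for i in range(1, p + 1)]
    alphas = solve(R, [-v for v in r])
    return alphas, mean, frame_error(x, alphas)


def detect(series, alphas, mean, threshold, frame=FRAME):
    """Slide overlapping frames (hop 1) over the live series; return the index of the
    last sample of the first frame whose prediction error exceeds the threshold."""
    x = [v - mean for v in series]
    for start in range(0, len(x) - frame + 1):
        if frame_error(x[start:start + frame], alphas) > threshold:
            return start + frame - 1
    return None


def constructed_entropy(n, onset=None, drop=0.0, seed=3):
    """Constructed entropy-per-interval series (not the paper's data): AR(1)
    fluctuation around 8.43 bits with a flood pulling entropy down by `drop`
    bits from sample `onset` onwards."""
    rng = random.Random(seed)
    level, phi, sigma = 8.43, 0.6, 0.01
    series, dev = [], 0.0
    for t in range(n):
        dev = phi * dev + rng.gauss(0.0, sigma)
        flood = drop if onset is not None and t >= onset else 0.0
        series.append(level + dev - flood)
    return series


def run_detection(drop, onset=300, p=2, factor=10.0):
    """Train on clean data, then return (alarm index, delay in seconds) for a
    constructed flood that lowers entropy by `drop` bits from `onset`."""
    alphas, mean, mse = fit_lp(constructed_entropy(200), p)
    threshold = factor * mse          # alarm when a frame's error is 10x the training error
    live = constructed_entropy(400, onset=onset, drop=drop, seed=11)
    alarm = detect(live, alphas, mean, threshold)
    delay = None if alarm is None else (alarm - onset) * POLL_S
    return alarm, delay


if __name__ == "__main__":
    for drop in (0.5, 0.12, 0.0):
        print(f"entropy drop {drop:.2f} bits -> (alarm sample, delay s):", run_detection(drop))
```

A large entropy drop (a high-rate flood) is caught by the first frame that contains the onset sample, so the delay is zero polling intervals; a small drop (the low-intensity case of Section I) needs several post-onset samples before the accumulated frame error crosses the threshold, which is the delay-versus-sensitivity trade-off behind Tables 2 and 3; a clean series never raises an alarm at this threshold.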

