Professional Documents
Culture Documents
ports can be used for sending commands to the agents. machine learning methods. We also include a list
This makes DDoS command packets more untraceable. of practical issues and research challenges, which is
Moreover, it is easier for an attacker to hide his presence not available in [10].
in an IRC channel as such channels tend to have large • Like [1], we report and analyze a large number
volumes of traffic. A recent attacking tool by Anony- of defense mechanisms, architectures, methods,
mous based on the IRC protocol is LOIC (Low Orbit tools and solutions countering Denial of Service
Ion Cannon) [8]. It includes three primary methods of attacks. However, unlike [1], we include recent
of attacks for TCP, UDP, HTTP and is found in two defense solutions and tools and discuss latest DDoS
versions: binary and web-based. It allows clients to con- attack strategies. Also, unlike [1], we attempt to
nect remotely via the IRC protocol and to be a part of provide a possible solution to counter the attacks
a system of compromised hosts. The bigger the size in the context of latest DDoS attack scenarios.
of compromised hosts, the more powerful the attack is. • Unlike [3], our survey is focused on DDoS attack
Between these two architectures, the agent handler ar- detection methods, tools and research directions.
chitecture is commonly found in use in the literature. In [3], a major portion is dedicated to DoS research
Along with the evolution of new DDoS attack solutions only and that too for a period upto 2009.
tools, many DDoS defense mechanisms have also Also, unlike [3], we present several research issues
been proposed. These approaches are of three types and open challenges from a more practical point of
depending on their locality of deployment: source- view, considering the latest DDoS attack scenarios.
end approach, victim-end approach and in-network • Like [6], we present possible solutions for DDoS
approach. Detecting any DDoS attack at the victim attacks in detail and with a practical viewpoint.
end is easy, but often not useful after legitimate clients Also, we broadly categorize the detection methods
have been denied access. Source-end detection is a very as statistical, knowledge based, soft computing,
challenging task. Detection approaches used include data mining and other machine learning. We also
statistical, soft-computing, clustering, knowledge-based include tools related to DDoS attacks.
and classifiers. These approaches can also be classified • Only a brief overview of DDoS taxonomies, tools
as supervised or unsupervised [9]. and countermeasures is given in [7] without any
Statistical techniques fit a statistical model to the possible solutions for DDoS attacks. In contrast,
given data and then apply a statistical inference test we present a list of methods, tools, possible
on an unseen instance to determine if it belongs to this solutions and future research directions for DDoS
model. In knowledge-based methods, predefined rules attacks in detail.
or patterns of attack are checked against connection • In [2], the authors present several anomaly
events to test their legitimacy. Soft Computing detection techniques w.r.t. diverse domains but our
techniques apply problem solving technologies such as work is mainly focused on DDoS attack detection
fuzzy logic, probabilistic reasoning, neural networks architectures, methods, and tools.
and genetic algorithms. Clustering is a data mining
Our survey begins in Section 2 with the introduction
technique, which is also known as unsupervised
of DDoS attacks and generic architectures of DDoS
classification. It does not need to be trained with
defense mechanisms classified with their locality of
a training dataset and the strength of clustering lies
deployment. Section 3 discusses various methods for
within the algorithm itself. Hence, it is very popular.
DDoS attack detection. Different strategies to evaluate
Classifiers such as SVM and HMM are also used in
performance of DDoS attack detection methods are
many detection approaches. Detailed discussion of
described in Section 4. The challenges faced by
these approaches can be found in [9].
DDoS defenders are reported in Section 5 followed by
In the past few years, several significant surveys concluding remarks in Section 7.
have been published [1, 2, 3, 6, 7, 10, 11] to
highlight the architectures and methods developed
2. DDOS ATTACKS AND THEIR ARCHI-
for network defense mechanisms, attack taxonomies,
TECTURES
attack launching mechanisms, and their pros and cons.
However, our survey differs significantly from them in As stated in [12], a DDoS attack can be defined as
the following ways. an attack which uses a large number of computers
to launch a coordinated DoS attack against a
• We present an attack taxonomy based on [10]. single machine or multiple victim machines. Using
However, in our taxonomy there are seven distinct client/server technology, the perpetrator is able to
possibilities in which an intruder can attempt to multiply the effectiveness of the DoS attack significantly
launch DDoS attacks. Unlike [10], we include by harnessing the resources of multiple unwitting
a detailed discussion of various DDoS defense accomplice computers, which serve as attack platforms.
mechanisms and their architectures and methods Approximate attack statistics for DDoS [11] for the
under the broad categories of statistical, knowledge year 2011 are shown in Figure 1. A DDoS attacker
based, soft computing, data mining, and other is considered more intelligent than a DoS attacker. It is
distinguished from other attacks by its ability to deploy 1. Selection of agents. The attacker chooses the
its weapons in a “distributed” way over the Internet and agents that will perform the attack. Based on the
to aggregate these forces to create lethal traffic. Rather nature of vulnerabilities present, some machines
than breaking the victim’s defense system for fun or are compromised to use as agents. Attackers
to show prowess, a DDoS attack aims to cause damage victimize these machines, which have abundant
on a victim either for personal reasons, material gain, resources, so that a powerful attack stream can
or for popularity. A taxonomy of DDoS attacks based be generated. In early years, the attackers
on [10] is given in Figure 2. We see in the taxonomy attempted to acquire control of these machines
that intruders attempt to launch DDoS attacks based on manually. However, with the development of
exploitation of various means (shown in the left column) advanced security tool(s), it has become easier
and their resultant effects can be observed at various to identify these machines automatically and
levels or magnitudes. instantly.
DDoS attacks mainly take advantage of the
architecture of the Internet and this is what makes 2. Compromise. The attacker exploits security holes
them powerful. While designing the Internet, the prime and vulnerabilities of the agent machines and
concern was to provide for functionality, not security. plants the attack code. Not only that, the attacker
As a result, many security issues have been raised, also takes necessary steps to protect the planted
which are exploited by attackers. Some of the issues code from identification and deactivation. As
are given below. per the direct DDoS attack strategy, shown in
Figure 3, the compromised nodes, i.e., zombies
• Internet security is highly interdependent. No between the attacker and victim are recruited
matter how secure a victim’s system may be, unwitting accomplice hosts from a large number of
whether or not this system will be a DDoS victim unprotected hosts connected through the Internet
depends on the rest of the global Internet [13, 14]. in high bandwidth. On the other hand, the DDoS
• Internet resources are limited. Every Internet host attack strategy shown in Figure 4 is more complex
has limited resources that sooner or later can be due to inclusion of intermediate layer(s) between
exhausted by a sufficiently large number of users. the zombies and victim(s). It further complicates
• Many against a few: If the resources of the the traceback mostly due to (i) complexity in
attackers are greater than the resources of the untangling the traceback information (partial)
victims, the success of the attack is almost definite. with reference to multiple sources, and/or (ii)
• Intelligence and resources are not collocated. Most having to connect a large number of routers or
intelligence needed for service guarantees is located servers. Self-propagating tools such as the Ramen
at end hosts. At the same time high band-width worm [15] and Code Red [16] automate this phase.
pathways needed for large throughput are situated Unless a sophisticated defense mechanism is used,
in the intermediate network. Such abundant it is usually difficult for the users and owners of the
resources present in unwitting parts of the network agent systems to realize that they have become a
are exploited by the attacker to launch a successful part of a DDoS attack system. Another important
flooding attack. feature of such an agent system is that the agent
• The handlers or the masters, which are compro- programs are very cost effective both in terms of
mised hosts with special programs running on memory and bandwidth. Hence they affect the
them, are capable of controlling multiple agents. performance of the system minimally.
• The attack daemon agents or zombie hosts are
3. Communication. The attacker communicates with
compromised hosts that are running a special
any number of handlers to identify which agents are
program each and are responsible for generating
up and running, when to schedule attacks, or when
a stream of packets towards the intended victim.
to upgrade agents. Such communications among
These machines are commonly external to the
the attackers and handlers can be via various
victim’s own network to disable efficient response
protocols, such as ICMP, TCP, or UDP. Based
from the victim, and external to the network of the
on configuration of the attack network, agents can
attacker to forswear liability if the attack is traced
communicate with a single handler or multiple
back.
handlers.
2.1. DDoS Strategy 4. Attack. The attacker initiates the attack. The
victim, the duration of the attack as well as special
A Distributed Denial of Service (DDoS) attack is features of the attack such as the type, length,
composed of several elements as shown in Figures 3 and TTL, and port numbers can be adjusted. If
4. there are substantial variations in the properties
There are several steps in launching a DDoS attack. of attack packets, it is beneficial to the attacker,
These are shown in Figure 5. since it complicates detection.
reconfiguring all the routers on the Internet. not conform to the learnt model, based on the applied
test statistics, are classified as anomalies. Chen et al.
3. EXISTING METHODS FOR DDOS AT- [19] develop a distributed change point (DCP) detection
TACK DETECTION architecture using change aggregation trees (CATs).
The non-parametric CUSUM approach was adapted to
In this section, we present a summary of existing describe the distribution of pre-change or post-change
literature on DDoS attack detection methods. These network traffic. When a DDoS flooding attack is being
methods are based on the architectures discussed launched, the cumulative deviation is noticeably higher
above namely, victim-end, source-end and in-network. than random fluctuations. The CAT mechanism is
We discuss these schemes without considering their designed to work at the router level to detect abrupt
practical deployability in real networks. Recent trends changes in traffic flows. The domain server uses
show that soft computing approaches have been used the traffic change patterns detected at attack-transit
heavily for DDoS attack detection. Ensembles of routers to construct the CATs, which represent the
classifiers have also performed satisfactorily with high attack flow pattern. A very well-known DDoS defense
detection rates. We classify methods for DDoS attack scheme called D-WARD is presented in [20]. D-WARD
detection into four major classes as shown in Figure 9. identifies an attack based on continuous monitoring of
bidirectional traffic flows between the network and the
3.1. Statistical methods rest of the Internet and by periodic deviation analysis
with the normal flow patterns. Mismatched flows are
Statistical properties of normal and attack patterns can
rate limited in proportion to their aggressiveness. D-
be exploited for detection of DDoS attacks. Generally
WARD not only offers a good detection rate but also
a statistical model for normal traffic is fitted and then
reduces DDoS attack traffic significantly. It uses a
a statistical inference test is applied to determine if a
predefined model for normal traffic to detect anomalies
new instance belongs to this model. Instances that do
FIGURE 8. Generic architecture for intermediate network based DDoS defense mechanism
at the router), and (3) be cost effective in terms of either a DDoS attack or normal.
memory consumption and per packet computation. In Karimazad and Faraahi [30] propose an anomaly-
addition, ISP routers exchange information with each based DDoS detection method based on features of
other to increase confidence in their detection decisions. attack packets, analyzing them using Radial Basis
A router gathers responses from all other routers Function (RBF) neural networks. The method can be
regarding suspicions and based on them decides whether applied to edge routers of victim networks. Vectors
a traffic aggregate is an attack or is normal. The initial with seven features are used to activate an RBF neural
results show that individual router profiles capture network at each time window. The RBF neural
key characteristics of the traffic effectively and identify network is applied to classify data to normal and attack
anomalies with low false positive and false negative categories. If the incoming traffic is recognized as attack
rates. Peng et al. [25] describe a novel approach to traffic, the source IP addresses of the attack packets
detect bandwidth attacks by monitoring the arrival rate are sent to the Filtering Module and the Attack Alarm
of new source IP addresses. The detection scheme is Module for further actions. Otherwise, if the traffic
based on an advanced non-parametric change detection is normal, it is sent to the destination. RBF neural
scheme, CUSUM. Cheng et al. [26] propose the IP Flow network training can be performed as an off-line process
Feature Value (FFV) algorithm based on the essential but it is used in real time to detect attacks faster.
features of DDoS attacks, such as abrupt traffic change, Gavrilis and Dermatas [31] also present a detector for
flow dissymmetry, distributed source IP addresses and DDoS attacks in public networks based on statistical
concentrated target IP addresses. Using a linear features estimated in short-time window analysis of
prediction technique, a simple and efficient ARMA incoming data packets. A small number of statistical
prediction model is established for normal network descriptors are used to describe the behavior of the
flow. Then a DDoS attack detection scheme based DDoS attacks. An accurate classification is achieved
on anomaly detection techniques and linear prediction using Radial Basis Function neural networks. Wu et
model (DDAP) is used. Udhayan and Hamsapriya al. [32] propose to detect DDoS attacks using decision
[27] present a Statistical Segregation Method (SSM), trees and grey relational analysis. The detection of
which samples the flow in consecutive intervals and the attack from the normal situation is viewed as a
compares the samples against the attack state condition classification problem. They use 15 attributes, which
and sorts them with the mean as the parameter. Then not only monitor the incoming/outgoing packet/byte
correlation analysis is performed to segregate attack rate, but also compile the TCP, SYN, and ACK flag
flows from legitimate flows. The authors compare SSM rates, to describe the traffic flow pattern. The decision
against various other methods and identify a blend of tree technique is applied to develop a classifier to detect
segregation methods for alleviating false detections. abnormal traffic flow. They also use a novel traffic
In [28], the authors introduce a generic DoS detection pattern matching procedure to identify traffic flow
scheme based on maximum likelihood criterion with similar to the attack flow and to trace back the origin
random neural networks (RNN). The method initially of an attack based on this similarity. Nguyen and Choi
selects a set of traffic features in offline mode to obtain [33] develop a method for proactive detection of DDoS
pdf estimates and to evaluate the likelihood ratios. attacks by classifying the network status. They break
During decision making, it measures the features of a DDoS attack into phases and select features based
incoming traffic and attempts to decide according to on an investigation of DDoS attacks. Finally, they
each feature. Finally, it obtains an overall decision apply the k-nearest neighbor (KNN) method to classify
using both feed-forward and recurrent architectures of the network status in each phase of DDoS attack. A
the RNN. A brief summary of these methods is given method presented in [34] detects DDoS attacks based on
in Table 1 a fuzzy estimator using mean packet inter-arrival times.
It detects the suspected host and traces the IP address
3.2. Soft computing methods to drop packets within 3 second detection windows.
Lately ensembles of classifiers have been used for
Learning paradigms, such as neural networks, radial DDoS attack detection. The use of an ensemble
basis functions and genetic algorithms are increasingly reduces the bias of existing individual classifiers. An
used in DDoS attack detection because of their ability to ensemble of classifiers has been used by [35] for this
classify intelligently and automatically. Soft computing purpose where a Resilient Back Propagation (RBP)
is a general term for describing a set of optimization and neural network is chosen as the base classifier. The
processing techniques that are tolerant of imprecision main focus of this paper is to improve the performance
and uncertainty. Jalili et al. [29] introduce a DDoS of the base classifier. The proposed classification
attack detection system called SPUNNID based on algorithm, RBPBoost combines the output of the
a statistical pre-processor and unsupervised artificial ensemble of classifier outputs and Neyman Pearson
neural nets. They use statistical pre-processing to cost minimization strategy [36], for final classification
extract features from the traffic, and an unsupervised decision. Table 2 presents a brief summary of the soft
neural net to analyze and classify traffic patterns as computing methods presented in this section.
defense called NetBouncer and claim it to be a practical crowd. Lu et al. [42] describe a perimeter-based anti-
approach with high performance. Their approach relies DDoS system, in which the traffic is analyzed only at
on distinguishing legitimate and illegitimate use and the edge routers of an Internet Service Provider (ISP)
ensuring that resources are made available only for network. The anti-DDoS system consists of two ma-
legitimate use. NetBouncer allows traffic to flow with jor components: (1) temporal-correlation based feature
reference to a long list of proven legitimate clients. extraction and (2) spatial-correlation based detection.
If packets are received from a client (source) not on The scheme can accurately detect DDoS attacks and
the legitimate list, a NetBouncer device proceeds to identify attack packets without modifying existing IP
administer a variety of legitimacy tests to challenge the forwarding mechanisms at routers. A brief summary of
client to prove its legitimacy. If a client can pass these these knowledge based methods is given in Table 3.
tests, it is added to the legitimacy list and subsequent
packets from the client are accepted until a certain 3.4. Other data mining and machine learning
legitimacy window expires. methods
Wang et al. [39] present a formal and methodical way
of modelling DDoS attacks using Augmented Attack An effective defense system to protect network servers,
Tree (AAT), and discuss an AAT-based attack detection network routers, and client hosts from becoming
algorithm. This model explicitly captures the particular handlers, zombies, and victims of DDoS flood attacks
subtle incidents triggered by a DDoS attack and the is presented in [43]. The NetShield system protects
corresponding state transitions from the view of the any IP-based public network on the Internet. It
network traffic transmission on the primary victim uses preventive and deterrent controls to remove
server. Two major contributions of this paper are: (1) system vulnerabilities on target machines. Adaptation
an AAT-based DDoS model (ADDoSAT), developed techniques are used to launch protocol anomaly
to assess potential threat from malicious packets detection and provide corrective intrusion responses.
on the primary victim server and to facilitate the The NetShield system enforces dynamic security
detection of such attacks; (2) an AAT-based bottom- policies. NetShield is especially tailored for protecting
up detection algorithm proposed to detect all kinds network resources against DDoS flood attacks. Chen
of attacks based on AAT modelling. Compared with et al. [44] present a comprehensive framework for
the conventional attack tree modelling method, AAT DDoS attack detection known as DDoS Container. It
is advanced because it provides additional information, uses a network based detection method to overcome
especially about the state transition process. As complex and evasive types of DDoS attacks. It works
a result, it overcomes the shortcomings of CAT in inline mode to inspect and manipulate ongoing
modelling. There is currently no established AAT-based traffic in real time. By continuous monitoring of
bottom up procedure for detecting network intrusions. both DDoS attacks and legitimate applications, DDoS
Limwiwatkul and Rungsawang [40] propose to discover Container covers stateful inspection on data streams
DDoS attack signatures by analyzing the TCP/IP and correlates events among different sessions. It
packet header against well-defined rules and conditions, proactively terminates the session when it detects
and distinguishing the difference between normal and an attack. Lee et al. [45] propose a method for
abnormal traffic. The authors mainly focus on ICMP, proactive detection of DDoS attacks by exploiting
TCP and UDP flooding attacks. an architecture consisting of a selection of handlers
Zhang and Parashar [41] propose a distributed ap- and agents that communicate, compromise and attack.
proach to defend against DDoS attacks by coordinating The method performs cluster analysis. The authors
across the Internet. Unlike traditional IDS, it detects experiment with the DARPA 2000 Intrusion Detection
and stops DDoS attacks within the intermediate net- Scenario Specific Dataset to evaluate the method. The
work. In the proposed approach, DDoS defence systems results show that each phase of the attack scenario
are deployed in the network to detect DDoS attacks is partitioned well and can detect precursors of a
independently. A gossip based communication mecha- DDoS attack as well as the attack itself. Sekar et al.
nism is used to exchange information about network at- [46] investigate the design space for in-network DDoS
tacks between these independent detection nodes to ag- detection and propose a triggered, multi-stage approach
gregate information about the overall network attacks. that addresses both scalability and accuracy. Their
Using the aggregated information, individual defence contribution is the design and implementation of LADS
nodes obtain approximate information about global net- (Large-scale Automated DDoS detection System). The
work attacks and can stop them more effectively and ac- system makes effective use of the data (such as NetFlow
curately. For faster and reliable dissemination of attack and SNMP feeds from routers) readily available to
information, the network grows as a peer-to-peer over- an ISP. Rahmani et al. [47] discuss a joint entropy
lay network on top of the Internet. Previously proposed analysis of multiple traffic distributions for DDoS attack
approaches rely on monitoring the volume of traffic that detection. They observe that the time series of IP-
is received by the victim. Most such approaches are in- flow numbers and aggregate traffic sizes are strongly
capable of differentiating a DDoS attack from a flash statistically dependant. The occurrence of an attack
affects this dependence and causes a rupture in the time current network traffic is clustered again by the k-means
series for joint entropy values. Experimental results module to build a new threshold value model.
show that this method could lead to more accurate and
effective DDoS detection. A two-stage automated system is proposed in [56]
to detect DoS attacks in network traffic. It combines
A low-rate DDoS attack has significant ability the traditional change point detection approach with a
to conceal its traffic because of its similarity with novel one based on continuous wavelet transforms [57].
normal traffic. Xiang et al. [48] propose two new The authors test the system using a set of publicly
information metrics: (i) generalized entropy metric available attack-free traffic traces superimposed with
and (ii) information distance metric, to detect low- anomaly profiles. In [58], Li and Lee present a
rate DDoS attacks. They identify the attack by systematic wavelet based method for DDoS attack
measuring the distance between legitimate traffic and detection. They use energy distribution based on
attack traffic. The generalized entropy metric is wavelet analysis to detect DDoS attack traffic. Energy
more effective than the traditional Shannon metric distribution over time has limited variation if the traffic
[49]. In addition, the information distance metric keeps its behavior over time. Gupta et al. [59] use ANN
outperforms the popular Kullback-Leibler divergence to estimate the number of zombies in a DDoS attack.
approach. Francois et al. [50] present a method called They use sample data to train a feed-forward neural
FireCol based on information theory for early detection network generated using the NS-2 network simulator.
of flooding DDoS attacks. FireCol is comprised of The generalization capacity of the trained network is
an intrusion prevention system (IPS) located at the promising and the network is able to predict the number
Internet service provider (ISP) level. The IPSs form of zoombies involved in a DDoS attack with test error.
virtual protection rings around the hosts to defend and A port-to-port specific traffic in a router, called IF
collaborate by exchanging selected traffic information. flow is introduced in [60]. An important feature of
The approach reported in [51] analyzes DDoS and IF is that it can amplify the attack to normal traffic
flash crowd characteristics and provides an effective ratio. An RLS (recursive least square) filter is used
way to distinguish between the two in VoIP networks. to predict IF flows. Next, a statistical method using
The authors validate the method by simulation. A a residual filtered process is used to detect anomalies.
wavelet transformation and probability theory based Finally, the authors applied the method to three types
network anomaly detection approach is proposed in of traffic: IF flows, input links and output links within
[52]. The approach is able to identify known as well as a router, and compare the anomaly detection results
unknown attacks. Zhong and Yue [53] present a DDoS using ROC curves. Results show that IF flows are
attack detection model that extracts a network traffic more powerful than input links and output links for
model and a network packet protocol status model and DDoS attack detection. Cheng et al. [61] propose
sets the threshold for the detection model. Captured the IAI (IP Address Interaction Feature) algorithm
network traffic values are clustered based on the k- considering interactions among addresses, abrupt traffic
means clustering algorithm to build initial threshold changes, many-to-one asymmetries among addresses,
values for network traffic. All captured packets are distributed source IP addresses and concentrated target
used to build the packet protocol status model using addresses [61]. The IAI algorithm is designed to
the Apriori [54] and FCM [55] algorithms. Whenever describe the essential characteristics of network flow
the current network traffic is over the threshold value, states. Furthermore, a support vector machine (SVM)
the network packet protocol status is checked to detect classifier, which is trained by an IAI time series from
abnormal packets. If there are no abnormal packets, the normal flow and attack flow, is applied to classify the
state of current network flows and identify the DDoS 3.5. Discussion
attacks. Experimental results show that the IAI-based
Exact comparison of DDoS attack detection schemes
detection scheme can distinguish between normal flows
is not feasible because some papers do not specify
and abnormal flows with DDoS attacks effectively, and
their results clearly, whereas others evaluate their
help identify fast and accurate attack flows when the
schemes using different datasets or in different testing
attacking traffic is hidden among a relatively large
conditions. A comparison (as shown in Table 5)
volume of normal flows or close to the attacking sources.
establishes that most papers do not consider all the
In addition, it has higher detection and lower false alarm
issues that are pertinent. For example, the Distributed
rates compared to competing techniques.
Change Point detection method [19] performs well for
The method presented in [62] can identify flooding TCP SYN attacks, but its performance degrades for
attacks in real time and also can assess the intensity UDP attacks with large packet sizes. D-WARD [20] fails
of the attackers based on fuzzy reasoning. The to detect pulsing attacks, especially when the inactive
process consists of two stages: (i) statistical analysis period is large. For NetBouncer [38], the legitimacy
of the network traffic time series using discrete wavelet tests may not be exhaustive and certain illegitimate
transform and Schwarz information criterion (SIC) clients may also pass the test. In addition, Netbouncer
to find the change point of the Hurst parameters is overwhelmed by flash crowds. Moreover, the delay
resulting from DDoS flood attack, and then (ii) introduced by the test affects new legitimate clients.
identification and assessment of the intensity of the The DDoS Detection system based on K-means and
DDoS attack adaptively based on an intelligent fuzzy FCM clustering [53] performs well for unknown attacks,
reasoning mechanism. Test results by ns2 based but the trade-off between detection accuracy and speed
simulation with various network traffic characteristics is high. Detection using RBF Neural Networks and
and attack intensities demonstrate that the method statistical features [31] performs well for known attacks,
could detect DDoS flood attack timely, effectively but no dynamic modification can be performed easily
and intelligently. Zhang et al. [63] present a CPR for unknown attacks.
(Congestion Participation Rate) based approach to
detect low-rate DDoS (LDDoS) attacks using flow level 4. PERFORMANCE EVALUATION
network traffic. A flow with higher CPR value leads to
LDDoS and consequent dropping of the packets. The Performance evaluation is important for any DDoS
authors evaluate the mechanism using ns2 simulation, attack defense system. Performance evaluation is
testbed experiments and Internet traffic trace and claim highly dependent on (i) the approach (ii) deployment
that the method can detect LDDoS flows effectively. status and (iii) whether there is facility for dynamic
Another protocol specific feature based DDoS attack updation of profiles. While designing a DDoS attack
detection mechanism is introduced in [5]. It identifies defense scheme, these parameters should be taken into
a most relevant subset of features using correlation and consideration. In this section, we primarily discuss the
can detect DDoS attacks with high detection accuracy. datasets that have been used for evaluating performance
of detection methods. We also briefly introduce DDoS
In [64], a mathematical model is presented to provide tools.
gross evaluation of the benefits of DDoS defence based
on dropping of attack traffic. Simulation results and
testbed experiments are used to validate the model. In 4.1. DDoS tools
the same work, the authors also consider an autonomic There are many tools available to launch DDoS attacks
defence mechanism based on CPN (Cognitive Packet in the literature [68, 44]. The architectures are almost
Network) protocol and establish it to be capable of always the same. Some are made by the attackers with
tracing back flows coming into a node automatically. slightly modifying others. Table 6 presents some of the
Ghanea-Hercock et al. [65] provide a survey of the tools with brief descriptions.
techniques within the Hyperion project. They also
suggest an overall system architecture to improve the
4.2. Datasets
situational awareness of field commanders by providing
an option to fuse and compose information services in After a new or enhanced detection mechanism is
real time. In [66], Gelenbe describes an approach to developed, it needs to be validated with proper datasets
develop a self-aware networks to provide end users the before deployment in a real life network. This is because
option to explore the state of the network to find the evaluation in real traffic is extremely difficult or not
best ways to meet their communication needs. In [67], possible because of non-availability of capturing tools
a model is introduced for searching by N agents in an from a high speed network. The proper choice of
unbounded random environment. The model allows for network intrusion datasets plays a vital role during
the loss or destruction of searchers and finite lifetime. evaluation of any computer attack detection method.
A summarized presentation of these methods in this First, the dataset should contain correctly captured real
category is given in Table 4. network traffic. Second, it should be unbiased. Only
TABLE 4. Data mining and machine learning based DDoS attack detection methods
Reference Objective Deployment Mode of Trainable Remarks
working
Hwang et al. Attack preven- Victim side Centralized Yes Protects network servers, routers and clients from DDoS
[43] tion attacks using protocol anomaly detection technique.
Li and Lee [58] Attack detec- Victim end Centralized No An energy distribution based wavelet analysis technique for
tion the detection of DDoS traffic.
Sekar et al. Attack detec- Source side Distributed Yes A triggered multi-stage approach for both scalability and
[46] tion accuracy for DDoS attack detection.
Gelenbe and Attacks defense Victim end Centralized Yes Detects attack by tracing back flows automatically.
Loukas [64] using packet
dropping
Lee et al. [45] Attack detec- Source side Centralized Yes Detects DDoS attack proactively based on cluster analysis
tion with agent handler architecture.
Rahmani et al. Attack detec- Victim side Distributed No A joint entropy analysis of multiple traffic distributions for
[47] tion DDoS attack detection.
Li and Li [52] Detections of Victim end Centralized No A DDoS attack detection model based on wavelet transfor-
DDoS attacks mation and probability theory.
automatically
Dainotti et al. Detection of Victim end Centralized Yes Detects attacks correctly using combination of traditional
[56] DoS attack change point detection and continuous wavelet transforma-
anomalies tion.
Zhong and Attack detec- Victim side Centralized Yes Uses fuzzy c-means clustering and Apriori techniques to build
Yue [53] tion a model and detect unknown DDoS attacks.
Xia et al. [62] Detects flood Victim end Centralized Yes A method to detect DDoS flooding attack using fuzzy logic.
attack and its
intensity
Xiang et al. Detects low rate Victim end Centralized No Detects low-rate DDoS flooding attacks using new informa-
[48] flooding attacks tion metrics effectively.
Gupta et al. Number of Victim end Distributed Yes Uses ANN to estimate the number of zombies in a DDoS
[59] zombies identifi- attack.
cation
Francois et al. DDoS flooding Source end Distributed No A complete DDoS flooding attack detection technique. Also
[50] attack detection support incremental deployment in real network.
Jeyanthi and Distinguishing Victim end Centralized No Detects DDoS attacks using entropy based analysis.
Iyengar [51] DDoS attacks
from Flash
crowds
datasets fulfilling these two requirements should be detection method is to create a real network
considered for evaluation of a new scheme. Otherwise a testbed with a large number of host and network
scheme that performs well for a fixed dataset may not components. Then one can generate normal as
perform the same when deployed in a real network. The well as attack traffic and capture them using
following are the types of datasets used for evaluating standard tools, used for high speed networks.
DDoS attack detection methods. After capture, one preprocesses the raw data and
extracts features in a distributed manner and
(i) Benchmark datasets: Benchmark datasets are
finally correlates each feature to create a complete
prepared using an enterprise network and with
dataset. After necessary labelling, it should be
proper labels such as normal or attack. Only
useful to test any intrusion detection system.
a few benchmark intrusion datasets are publicly
available but they are not for DDoS attacks. The
KDDcup99 intrusion dataset is the most popular 5. OPEN ISSUES AND CHALLENGES
intrusion dataset publicly available but it is not Many methods for DDoS detection have been reported
suitable for DDoS attacks. in the literature, but only a few of them have been
(ii) Simulated datasets: Another alternative for evalu- applied in a real network environment and work
ating DDoS attack detection methods is to simu- effectively. Designing and implementing an ideal and
late the environment using available tools such as practical DDoS defense system is really difficult. The
ns22 , Qualnet3 , and OMNeT++4 . These simula- main challenges that any DDoS defense scheme must
tors generally generate traffic statistics randomly overcome to become ideally usable are presented below.
and sometimes use statistical distributions. But
it is difficult to ensure that the generated traffic (i) In a DDoS attack, attackers try to make a service
correlates well with real network traffic. unavailable to its legitimate clients and launch the
attack using a large number of zombies distributed
(iii) Private datasets: The best approach for testing in different networks. It takes only a few seconds
any intrusion detection system or DDoS attack to exhaust the bandwidth and other resources of
2 http://www.isi.edu/nsnam/ns/ the victim. A faster detection scheme usually
3 http://www.qualnet.ca consumes higher processing power and at the same
4 http://www.omnetpp.org/ time, it adversely affects detection accuracy. An
TABLE 5. A general comparison of DDoS Attack Detection methods. Column 4 in the table represents if the method can
be used real-time (R) or non-real time (N). The Detection rate (DR) and False Alarm Rate (FAR) are given in column 8 and
column 9, respectively.
Scheme Approach Architecture/ R/N Scalability Unknown Dynamic DR with FAR with
Method attack signature dataset used dataset used
detection updation
DCD approach [19] statistical DCP / Change ag- R Yes Yes No 98% (flooding < 1% (flood-
gregation tree attacks) ing attacks)
Weighted fair statistical Weight Fair Throt- R Yes Yes No - -
model [21] tling
SPUNNID model statistical SPUNNID system / R Yes Yes Yes 94.9% (flood- 5% (flooding
[29] unsupervised neu- ing attacks) attacks)
ral network
D-WARD system knowledge Self regulating re- R No Yes No (flooding at- 0.5% (flood-
[20] based verse feedback sys- tacks) ing attacks)
tem / rate limited
MULTOPS system knowledge Multi-level tree N Yes Yes No (IP spoofing -
[37] based based method attacks)
NetBouncer model knowledge Packet filtering R Yes Yes No (real-time -
[38] based method data)
Decision tree model knowledge Decision tree based R yes No No 98% (flooding 2.4% (flood-
[32] based method attacks) ing attacks)
Clustering model statistical Data mining based N Yes No No 98.65% (real- 1.12% (real-
[53] method time) time)
RBF neural net soft com- RBF system / Ra- R No No No 98.2% (UCLA 0.01%
model [30] puting dial basis function data) (UCLA
data)
RBF neural net soft com- Radial-basis- R Yes No No 98%-100% 0% (real-
model [31] puting function based (real-time) time)
method
T-test model [22] statistical t-test based R No No No 98%-100% 5%-7%
method (flooding (flooding
attacks) attacks)
ARIMA based statistical Prediction based R No No yes (ns2 simula- 1%-3% (ns2
model [23] method tion) simulation)
Attack tree model knowledge AATBD system / R No No No (flooding at- -
[39] based Tree based tacks)
Signature discovery knowledge Traffic statistics R No No No (flooding at- -
approach [40] based based method tacks)
Profile based ap- statistical Stream sampling R No No No (IP spoofing 2% (IP
proach [24] based method attacks) spoofing
attacks)
Cooperative model knowledge RL-DDoS system R No No No (Emulab sim- 7%-12%
[41] based / Gossip-based ulation) (Emulab
scheme simulation)
Sequential non- knowledge Nonparametric R yes yes No 90%-100% -
parametric change based CPD method (Aucland
point method [25] traces)
Perimeter based knowledge Spatial correlation R Yes No No 93.0% (IP 0.05% (IP
anti-DDoS system based based method spoofing spoofing
[42] attacks) attacks)
K-NN classifier ap- statistical Nearest neighbour R No No No 91.88% 8.11%
proach [33] based method (DARPA (DARPA
2000 DDoS 2000 DDoS
data) data)
Change point de- Soft com- Fuzzy logic based R No No No (ns2 simula- -
tect by fuzzy logic puting method tion)
[62]
Linear prediction statistical Linear prediction R Yes No No 96.1% (DDoS 0.8% (DDoS
model [26] based method flow data, LL- flow data,
DoS 2.0.2) LLDoS
2.0.2)
SSM method [27] statistical Statistical segrega- R No No No (CAIDA 1.2%
tion based method data) (CAIDA
data)
Ensemble of neural soft com- RBPBoost system / N Yes Yes Yes 99.4% 3.7%
net model [35] puting Ensemble of neural (DARPA (DARPA
net based classifiers 2000 DDoS 2000 DDoS
data) data)
Autonomic mathe- Machine CPN based method R Yes No No (ns2 simula- -
matical model [64] learning tion)
offline classification scheme generally ensures good clients has no use. So, emphasis should be given
performance as classification can be performed in more to speed over accuracy of detection for a
a more sophisticated manner in comparison to practical DDoS defense mechanism.
real time detection. But accurately detecting all
attacks after interrupting services to legitimate (ii) Real-time detection of low-rate DDoS attack with
high detection accuracy and low false alarm is
a challenging task, since such traffic follows the (iii) A DDoS defense mechanism cannot simply be
normal traffic distribution. judged based on its performance with a standard
fixed dataset containing normal and a few attack
packets. It must be scalable to real networks (viii) Real time updation of network statistics and fast
for actual deployment. In a real application, a identification of randomized spoofed IP addresses
defense scheme should be able to capture, process are challenges.
and classify incoming packets in real time. It
cannot just expect to store captured packets and (ix) In DDoS attacks with a large number of agents,
analyze them later, obviously increasing the time attack behavior often conforms well with normal
lag between the occurrence of an event and its behavior. In such a situation, for a DDoS defense
subsequent detection. Particularly, in the case of mechanism aiming to provide a near real time
DDoS attacks, the problem would become more solution may have to be based on an incremental
acute, as all resources will be exhausted. So all clustering algorithm to segregate the attack from
phases of detection should run in a parallel manner normal traffic. This requires an appropriate
in real time. Generally, real time DDoS detection proximity measure that works sensibly, quickly
systems are expected to be scalable for use in high and reliably.
speed real networks. (x) The detection method should be dependent on
(iv) With the continuing progress in Internet technolo- a minimum number of input parameters if not
gies, attackers are developing and launching new independent of parameters and should also be
attacks with greater sophistication day by day. So, based on a minimum number of traffic parameters
detection of new attacks is a challenge for any de- or features.
fense system. In supervised learning, the classifier
needs to be trained with a proper minimum train- 6. POSSIBLE SOLUTIONS AGAINST DDOS
ing dataset, not biased towards any attack. This ATTACKS
means that it cannot detect unknown attacks, par-
DDoS defense schemes are of three types based on their
ticularly those with behavior very different from
deployment: source-end, victim-end and intermediate
existing attack classes. Unsupervised approaches
router defense mechanisms. Among these three,
are appropriate for detecting unknown attacks.
most researchers are in favor of using the victim-
However, these methods are usually not suitable
end approach. However, a common disadvantage of
from real time performance. Hence, developing
this scheme is the consumption of a huge amount
a combined approach based on both supervised
of resources to provide fast detection response. In
and unsupervised approaches with the capability
the latest DDoS attacks scenarios, once the attackers
of detecting both known and unknown attacks real
gain access, they can increase the attack intensity
time or near real time is of utmost necessity.
instantly, and after acquiring a majority of available
(v) Accurate segregation of high-rate DDoS attack resources, they can launch attacks without spoofing IPs
traffic from normal flash crowds with minimum and they may extend activities to complex database
resource consumption or low false alarm rate in query transactions also. Generally, segregation of such
real-time or near real-time is a challenging task. transactions from the legitimate queries is a difficult
task.
(vi) Transparency to existing Internet infrastructure
Current DDoS attacking tools are capable of
is very important in terms of deployment. It
launching attacks in different modes [20] such as
should not be allowed to slow down the processing
increasing rate, constant rate, pulsing (attack rate
of normal packets from legitimate clients, which
oscillates between maximum to 0) and gradual pulsing
itself is denial of service. Moreover, the defense
(e.g., attack rate achieves a maximum in 20 seconds
system itself should not be vulnerable to attacks,
and reduces to 0 in 10 seconds). These various
creating unavoidable breakdown of service. Most
forms of attacks may involve single as well as multiple
importantly, a DDoS defense scheme should be
attack sources, that too using single as well as
deployable in real networks.
multiple source addresses. Defenders are interested in
(vii) High speed traffic analysis for detecting DDoS providing a semi-automatic solution with an objective
attacks is a challenging task. A defense scheme of achieving reduced false alarm with minimum resource
can get overwhelmed in real networks, particularly consumption. A solution we propose at a high level is
at the time of a DDoS attack. So, the defense based on an ensemble approach working in a distributed
scheme should be able to handle the crowd and framework using appropriate fusion techniques for
still function properly. A defense scheme capable making decision. Protocol specific feature extraction
of real time detection should perform well with in a distributed environment involving multiple sensors
high speed traffic. Offline schemes suffer in high and detecting DDoS attacks based on a class-specific
speed traffic because of the overhead created by subset of features at the individual level will provide the
processing delay, which can slow down detection base for the underlying layer of the proposed solution.
speed further or can cause total breakdown in Finally, the individual decisions can be combined using
extreme cases. an appropriate combination rule at the upper layer
at any of the participating nodes in the distributed International Conference on Computational Science,
framework for the final inference. Once the attack Engineering and Information Technology, Coimbatore,
occurrence is confirmed, the next task is to limit the India, 26-28 October, pp. 194–200. ACM.
attack rate instantly in a selective manner without [6] Lin, S. and Chiueh, T. C. (2006) A survey on
affecting service to legitimate users, so that subsequent solutions to distributed denial of service attacks.
damage can be minimized immediately. However, for Technical Report TR201. Department of Computer
Science, State University of New York, Stony Brook,
significant reduction of the false alarm rate, involvement
http://www.ecsl.cs.sunysb.edu/tr/TR201.pdf.
of human experts is often useful. Especially, in the case
[7] Specht, S. M. and Lee, R. B. (2004) Distributed
of low-rate DDoS attacks, an appropriate diagnosis of denial of service: Taxonomies of attacks, tools, and
false alarms with the help of human analysts, and then countermeasures. Proceedings of the ISCA 17th
providing feedback to the detecting sensors, are very International Conference on Parallel and Distributed
essential. The three major advantages of our solution Computing Systems, San Francisco, California, USA,
are : (i) it helps achieve an unbiased and high detection 15-17 September, pp. 543–550. ISCA.
rate at reduced false alarms, (ii) it minimizes resource [8] Batishchev, A. M. (2004). LOIC(Low Orbit Ion
consumption by sharing the computation cost and (iii) Cannon). http://sourceforge.net/projects/loic/.
it achieves a scalable, real-time detection performance. [9] Gogoi, P., Bhattacharyya, D. K., Borah, B., and Kalita,
J. K. (2011) A survey of outlier detection methods in
network anomaly identification. Comp. J., 54, 570–
7. CONCLUSION
588.
While developing a DDoS defense scheme, the issues [10] Mirkovic, J. and Reiher, P. (2004) A taxonomy of
discussed in this paper need to be deliberated and DDoS attack and DDoS defense mechanisms. ACM
considered with due seriousness. In this paper, SIGCOMM Computer Communication Review, 34, 39–
we have presented an overview of DDoS attacks, 53.
detection schemes and finally research issues and [11] Kaspersky (2012). Kaspersky Internet Security &
challenges. In addition, we provide a comparison among Anti-virus. http://www.kaspersky.com/. Russian
Federation.
current detection methods. Practically designing and
[12] Stein, L. D. and Stewart, J. N. (2002). The
implementing a DDoS defense is very difficult. The
world wide websecurity FAQ, version 3.1.2.
comparison of the existing detection mechanisms shows
http://www.w3.org/Security/Faq. Cold Spring
that most schemes are not capable of fulfilling all the Harbor, NY.
requirements for real time network defense. Different [13] Houle, K. J. and Weaver, G. M. (2001) Trends in denial
performance parameters need to be balanced against of service attack technology. Technical Report v1.0.
each other delicately and appropriately. A possible CERT and CERT coordination center, Carnegie Mellon
solution to counter DDoS attacks is also briefly outlined University, Pittsburgh, PA.
in this paper. [14] Wong, T. Y., Law, K. T., Lui, J. C. S., and Wong, M. H.
(2006) An efficient distributed algorithm to identify and
ACKNOWLEDGMENT traceback DDoS traffic. Comp. J., 49, 418–442.
[15] Collins, J. R. (2000). RAMEN - A Linux
This work is supported by the Department of Worm. http://www.giac.org/paper/gsec/505/ramen-
Information Technology and the Council of Scientific & linux-worm/101193. SANS Institute, Maryland, USA.
Industrial Research (CSIR), Government of India. The [16] CERT (2001). CERT coordination center, CERT
authors are thankful to the funding agencies. advisory CA-2001-19 ‘code red’ worm exploit-
ing buffer overflow in IIS indexing service DLL.
REFERENCES http://www.cert.org/adviso-ries/CA-2001-19.html.
Carnegie Mellon Software Engineering Institute,
[1] Peng, T., Leckie, C., and Ramamohanarao, K. Pittsburgh, USA.
(2007) Survey of network-based defense mechanisms [17] Loon, R. V. and Lo, J. (2004). An IRC tutorial.
countering the DoS and DDoS problems. ACM http://www.irchelp.org/irchelp/irctutorial.html.
Computing Survey, 39, 3:1–3:42. [18] Yu, S., Zhou, W., Doss, R., and Jia, W. (2011)
[2] Chandola, V., Banerjee, A., and Kumar, V. (2009) Traceback of DDoS attacks using entropy variations.
Anomaly detection: A survey. ACM Computing IEEE Transaction on Parallel Distributed Systems, 22,
Survey, 41, 15:1–15:58. 412–425.
[3] Loukas, G. and Öke, G. (2010) Protection against [19] Chen, Y., Hwang, K., and Ku, W. S. (2006)
denial of service attacks: A survey. Comp. J., 53, Distributed change-point detection of DDoS attacks
1020–1037. over multiple network domains. Proceedings of
[4] Bhuyan, M. H., Bhattacharyya, D. K., and Kalita, the IEEE International Symposium on Collaborative
J. K. (2011) Surveying port scans and their detection Technologies and Systems, Las Vegas, NV, 14-17 May,
methodologies. Comp. J., 54, 1565–1581. pp. 543–550. IEEE CS.
[5] Kashyap, H. J. and Bhattacharyya, D. K. (2012) A [20] Mirkoviac, J., Prier, G., and Reiher, P. (2002)
DDoS attack detection mechanism based on protocol Attacking DDoS at the source. Proceedings of the 10th
specific traffic features. Proceedings of the Second IEEE International Conference on Network Protocols,
Paris, France, 12-15 November, pp. 1092–1648. IEEE [33] Nguyen, H.-V. and Choi, Y. (2010) Proactive detection
CS. of DDoS attacks utilizing k-NN classifier in an Anti-
[21] Saifullah, A. M. (2009) Defending against distributed DDoS framework. International Journal of Electrical,
denial-of-service attacks with weight-fair router throt- Computer, and Systems Engineering, 4, 247–252.
tling. Technical Report 2009-7. Computer Science and [34] Shiaeles, S. N., Katos, V., Karakos, A. S., and
Engineering, Washington University, St. Louis, USA. Papadopoulos, B. K. (2012) Real time DDoS detection
[22] Chen, C. L. (2009) A new detection method for using fuzzy estimators. Computers & Security, 31,
distributed denial-of-service attack traffic based on 782–790.
statistical test. Journal of Universal Computer Science, [35] Kumar, P. A. R. and Selvakumar, S. (2011) Distributed
15, 488–504. denial of service attack detection using an ensemble of
[23] Zhang, G., Jiang, S., Wei, G., and Guan, Q. (2009) neural classifier. Computer Communication, 34, 1328–
A prediction-based detection algorithm against dis- 1341.
tributed denial-of-service attacks. Proceedings of the [36] Scott, C. and Nowak, R. (2005) A neyman-pearson
International Conference on Wireless Communications approach to statistical learning. IEEE Transaction on
and Mobile Computing: Connecting the World Wire- Information Theory, 51, 3806–3819.
lessly, Leipzig, Germany, 21-24 June, pp. 106–110. [37] Gil, T. M. and Poletto, M. (2001) MULTOPS: a data-
ACM. structure for bandwidth attack detection. Proceedings
[24] Akella, A., Bharambe, A., Reiter, M., and Seshan, of the 10th conference on USENIX Security Symposium
S. (2003) Detecting DDoS attacks on ISP networks. - Volume 10, Berkeley, CA, USA, 13-17 August 3.
Proceedings of the Workshop on Management and USENIX Association Berkeley.
Processing of Data Streams, San Diego, CA, 8 June, [38] Thomas, R., Mark, B., Johnson, T., and Croall,
pp. 1–2. ACM. J. (2003) NetBouncer: Client-legitimacy-based high-
[25] Peng, T., Leckie, C., and Ramamohanarao, K. (2004) performance DDoS filtering. Proceedings of the
Detecting distributed denial of service attacks using 3rd DARPA Information Survivability Conference and
source IP address monitoring. Proceedings of the Exposition, Washington, DC, 22-24 April, pp. 111–113.
3rd International IFIP-TC6 Networking Conference, IEEE CS, USA.
Athens, Greece, 9-14 May, pp. 771–782. Springer- [39] Wang, J., Phan, R. C. W., Whitley, J. N., and
verlag. Parish, D. J. (2010) Augmented attack tree modeling
[26] Cheng, J., Yin, J., Wu, C., Zhang, B., and Li, of distributed denial of services and tree based
Y. (2009) DDoS attack detection method based attack detection method. Proceedings of the 10th
on linear prediction model. Proceedings of the IEEE International Conference on Computer and
5th international conference on Emerging intelligent Information Technology, Bradford, UK, 29 June-1 July,
computing technology and applications, Ulsan, South pp. 1009–1014. IEEE CS.
Korea, 16-19 September, pp. 1004–1013. Springer- [40] Limwiwatkul, L. and Rungsawang, A. (2004) Dis-
Verlag. tributed denial of service detection using TCP/IP
[27] Udhayan, J. and Hamsapriya, T. (2011) Statistical header and traffic measurement analysis. Proceedings
segregation method to minimize the false detections of the IEEE International Symposium Communications
during DDoS attacks. International Journal of and Information Technology, Sapporo, Japan, 26-29
Network Security, 13, 152–160. October, pp. 605–610. IEEE CS.
[28] Öke, G. and Loukas, G. (2007) A denial of service [41] Zhang, G. and Parashar, M. (2006) Cooperative defence
detector based on maximum likelihood detection and against DDoS attacks. Journal of Research and
the random neural network. Comp. J., 50, 717–727. Practice in Information Technology, 38, 1–14.
[29] Jalili, R., Imani-Mehr, F., Amini, M., and Shahriari, [42] Lu, K., Wu, D., Fan, J., Todorovic, S., and Nucci, A.
H. R. (2005) Detection of distributed denial of (2007) Robust and efficient detection of DDoS attacks
service attacks using statistical pre-processor and for large-scale internet. Computer Networks, 51, 5036–
unsupervised neural networks. Proceedings of the 5056.
Internationational conference on information security [43] Hwang, K., Dave, P., and Tanachaiwiwat, S.
practice and experience, Singapore, 11-14 April, pp. (2003) NetShield: Protocol anomaly detection with
192–203. Springer-verlag. datamining against DDoS attacks. Proceedings of the
[30] Karimazad, R. and Faraahi, A. (2011) An anomaly- 6th International Symposium on Recent Advances in
based method for DDoS attacks detection using rbf Intrusion Detection, Pittsburgh, PA, 8-10 September,
neural networks. Proceedings of the International pp. 8–10. Springer-verlag.
Conference on Network and Electronics Engineering, [44] Chen, Z., Chen, Z., and Delis, A. (2007) An inline
Singapore, pp. 44–48. IACSIT Press. detection and prevention framework for distributed
[31] Gavrilis, D. and Dermatas, E. (2005) Real-time denial of service attacks. Comp. J., 50, 7–40.
detection of distributed denial-of-service attacks using [45] Lee, K., Kim, J., Kwon, K. H., Han, Y., and Kim,
RBF networks and statistical features. Computer S. (2008) DDoS attack detection method using cluster
Networks and ISDN Systems, 48, 235–245. analysis. Expert Systems with Applications, 34, 1659–
[32] Wu, Y. C., Tseng, H. R., Yang, W., and Jan, R. H. 1665.
(2011) DDoS detection and traceback with decision tree [46] Sekar, V., Duffield, N., Spatscheck, O., van der Merwe,
and grey relational analysis. International Journal of J., and Zhang, H. (2006) LADS: large-scale automated
Ad Hoc and Ubiquitous Computing, 7, 121–136. DDoS detection system. Proceedings of the annual
conference on USENIX Annual Technical Conference, [61] Cheng, J., Yin, J., Liu, Y., Cai, Z., and Wu,
Boston, MA, 30 May-3 June, pp. 16–29. USENIX C. (2009) DDoS attack detection using IP address
Association. feature interaction. Proceedings of the 1st International
[47] Rahmani, H., Sahli, N., and Kammoun, F. (2009) Joint Conference on Intelligent Networking and Collaborative
entropy analysis model for DDoS attack detection. Systems, Barcelona, Spain, 4-6 November, pp. 113–118.
Proceedings of the 5th International Conference on IEEE CS.
Information Assurance and Security - Volume 02, Xian, [62] Xia, Z., Lu, S., Li, J., and Tang, J. (2010) Enhancing
China, 18-20 August, pp. 267–271. IEEE CS. DDoS flood attack detection via intelligent fuzzy logic.
[48] Xiang, Y., Li, K., and Zhou, W. (2011) Low- Informatica (Slovenia), 34, 497–507.
rate DDoS attacks detection and traceback by using [63] Zhang, C., Cai, Z., Chen, W., Luo, X., and Yin, J.
new information metrics. IEEE Transactions on (2012) Flow level detection and filtering of low-rate
Information Forensics and Security, 6, 426–437. DDoS. Computer Networks, 56, 3417–3431.
[64] Gelenbe, E. and Loukas, G. (2007) A self-aware
[49] Shannon, C. E. (1948) A mathematical theory of
approach to denial of service defence. Computer
communication. Bell system technical journal, 27, 397–
Networks, 51, 1299–1314.
423.
[65] Ghanea-Hercock, R. A., Gelenbe, E., Jennings, N. R.,
[50] Francois, J., Aib, I., and Boutaba, R. (2012) FireCol:
Smith, O., Allsopp, D. N., Healing, A., Duman, H.,
A collaborative protection network for the detection of
Sparks, S., Karunatillake, N. C., and Vytelingum,
flooding DDoS attacks. IEEE/ACM Transaction on
P. (2007) Hyperion - Next-Generation Battlespace
Networking, 20, 1828–1841.
Information Services. Comp. J., 50, 632–645.
[51] Jeyanthi, N. and Iyengar, N. C. S. N. (2012) An entropy [66] Gelenbe, E. (2009) Steps toward self-aware networks.
based approach to detect and distinguish DDoS attacks Communication of the ACM, 52, 66–75.
from flash crowds in VoIP networks. International [67] Gelenbe, E. (2011) Search in unknown random
Journal of Network Security, 14, 257–269. environments. Physical Review, 82, 061112.
[52] Li, M. and Li, M. (2009) A new approach for detecting [68] Douligeris, C. and Mitrokotsa, A. (2004) DDoS attacks
DDoS attacks based on wavelet analysis. Proceedings and defense mechanisms: classification and state-of-
of the 2nd International Congress on Image and Signal the-art. Computer Networks, 44, 643–666.
Processing, Tianjin, China, 17-19 October, pp. 1–5. [69] Criscuolo, P. J. (2000) Distributed Denial of Ser-
IEEE. vice Trinoo, Tribe Flood Network, Tribe Flood
[53] Zhong, R. and Yue, G. (2010) DDoS detection system Network 2000, and Stacheld-raht CIAC-2319,
based on data mining. Proceedings of the 2nd Department of Energy Computer Incident Advi-
International Symposium on Networking and Network sory (CIAC). Rev. 1 UCRL-ID-136939. Lawrence
Security, Jinggangshan, China, 2-4 April, pp. 062–065. Livermore National Laboratory, Livermore, CA,
Academy Publisher. http://ftp.se.kde.org/pub/security/csir/ciac/ciacdocs/
[54] Agrawal, R. and Srikant, R. (1994) Fast algorithms for ciac2319.txt.
mining association rules in large databases. Proceedings [70] Dittrich, D. (1999) The DoS project’s “trinoo”
of the 20th International Conference on Very Large distributed denial of service attack tool. Technical
Data Bases, Santiago de Chile, Chile, 12-15 September, report. University of Washington, Seatlle, USA,
pp. 487–499. Morgan Kaufmann. http://staff.washington.edu/dittrich/misc/trinoo.
[55] Dunn, J. C. (1973) A Fuzzy Relative of the ISODATA analysis.txt.
Process and Its Use in Detecting Compact Well- [71] Dittrich, D. (1999) The tribe flood network dis-
Separated Clusters. Journal of Cybernetics, 3, 32–57. tributed denial of service attack tool. Technical
report. University of Washington, Seatlle, USA,
[56] Dainotti, A., Pescapé, A., and Ventre, G. (2009) A
http://staff.washington.edu/dittrich/misc/trinoo.
cascade architecture for DoS attacks detection based on
analysis.txt.
the wavelet transform. Journal of Computer Security,
[72] Barlow, J. and Thrower, W.
17, 945–968.
(2000). TFN2K an analysis.
[57] Haar, A. (1910) Zur Theorie der orthogonalen
http://packetstormsecurity.org/files/10135/TFN2k
Funktionensysteme. Mathematische Annalen, 69, 331–
Analysis-1.3.txt.html. AXENT Security Team.
371.
[73] CERT (1999) CERT coordination center, center ad-
[58] Li, L. and Lee, G. (2003) DDoS attack detection and visory CA-1999-17 denial of service tools. Techni-
wavelets. Proceedings. of the 12th International Con- cal Report CA-1999-17. Carnegie Mellon University,
ference on Computer Communications and Networks, Pittsburgh, USA, http://www.cert.org/advisories/CA-
Dallas, Texas, USA, October 20-22, pp. 421–427. IEEE. 1999-17.html.
[59] Gupta, B. B., Joshi, R. C., and Misra, M. (2012) ANN [74] Adams, C. and Gilchrist, J. (1999) The CAST-
based scheme to predict number of zombies in DDoS 256 encryption algorithm. Technical Report RFC
attack. International Journal of Network Security, 14, 2612. Ohio State University, Cleveland, USA,
36–45. http://www.cis.ohio-state.edu/htbin/rfc/rfc2612.html.
[60] Yan, R., Zheng, Q., Niu, G., and Gao, S. (2008) A [75] Bellovin, S. (2000) The ICMP trace-
new way to detect DDoS attacks within single router. back message. Technical report. Network
Proccedings of the 11th IEEE Singapore International Working Group, Internet Draft, Canada,
Conference on Communication Systems, Guangzhou, http://www.research.att.com/ smb/papers/draft-
China, 19-21 November, pp. 1192–1196. IEEE CS. bellovin-itrace-00.txt.