A Novel Multi Scale Approach for Detecting High Bandwidth Aggregates in Network Trafﬁc

Kaur, Gagandeep; Saxena, Vikas; Gupta, J. P.

doi:10.14257/ijsia.2013.7.5.07

Cited by 9 publications

(4 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Mahajan et al introduced in [40] due to a congestion in some network links, some legitimate traffic could be dropped resulting in a degrading performance of the network, figure 12 shows a clear case of this situation. Since link L0 is congested due to DDoS attack, so good traffic coming from link L1 may be dropped before reaching its destination's D. So, if the attack traffic could be filtered one level up, i.e.…”

Section: Pushback Technique Applicabilitymentioning

confidence: 99%

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

Fadel

2021

MEJ. Mansoura Engineering Journal

View full text Add to dashboard Cite

I-INTRODUCTIONhere is no doubt that many DDoS attacks have been reported daily all over the world, these attacks aim to hinder legitimate users from accessing a corporation services or resources, resulting in a revenue loss. The attackers rely on the fact that Internet routing infrastructure is mainly concerned by scalability rather security, since routers neither validate source IP address nor log information regarding the forwarded packets [1]. DDoS attack methods could be classified according to the number of attacking packets into flooding and vulnerability attack [2, 3]. In flooding attack, which is the most common, the attacker sends a huge number

show abstract

Section: Pushback Technique Applicabilitymentioning

confidence: 99%

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

Fadel

2021

MEJ. Mansoura Engineering Journal

View full text Add to dashboard Cite

show abstract

“…Similarly, the detection of anomalies, particularly DDoS attacks, presented in Nurohman et al 25 is done through the use of Kolmogorov-Smirnov test and H parameter estimation, which can distinguish abnormalities among the traffic by testing the self-similarity condition. A slightly different perspective was wavelets-based analysis presented in Kaur et al 26 The test of selfsimilarity is conducted to differentiate between legitimate flash events and expanding DDoS attacks. In the same manner, another wavelet-based method for detecting outliers, such as DDoS attacks, in regards to LRD behavior of network traffic is presented in Zhang et al 27 In Jian-Qi et al, 28 the composition self-similarity anomaly detection (CSSD) of network traffic is presented for the detection of DoS attacks.…”

Section: Literature Reviewmentioning

confidence: 99%

Network anomaly detection using a cross‐correlation‐based long‐range dependence analysis

et al. 2020

View full text Add to dashboard Cite

The detection of anomalies in network traffic is an important task in today's Internet. Among various anomaly detection methods, the techniques based on examination of the long-range dependence (LRD) behavior of network traffic stands out to be powerful. In this paper, we reveal anomalies in aggregated network traffic by examining the LRD behavior based on the cross-correlation function of the bidirectional control and data planes traffic. Specifically, observing that the conventional cross-correlation function has a low measure of dissimilarity between the two planes, which leads to a reduced anomaly detection performance, we propose a modification of the cross-correlation function to mitigate this issue. The performance of the proposed method is analyzed using a relatively recent Internet traffic captured at King Saud University. The results demonstrate that using the modified cross-correlation function has the ability to detect low volume and short duration attacks. It also compensates for some misdetections exhibited by using the autocorrelation structures of the bidirectional traffic of the control, data, and WHOLE (combined control and data) planes traffic. 1 | INTRODUCTION Internet services have been rapidly evolving due to continuous emergence of new technologies and high bandwidth applications. According to Cisco, the annual global IP traffic is expected to reach 3.30 Zettabyte by 2021. 1 This growth has introduced many challenges in terms of securing information, reliability of data transfer, and detection of traffic anomalies and attacks. Anomalies are patterns of data that deviate from normal behavior. A broad variety of such patterns in Internet traffic are frequently faced by network operators. These patterns could represent genuine abnormalities induced by physical or technical issues, such as high-rate flows, network outage, and sudden changes due to flash crowds. 2 However, such patterns could also be generated by malicious activities such as cyber intrusions, distributed denial of service (DDoS) attacks, port scanning, and worm propagation. 3,4 This type of malicious activities could likely introduce disastrous effects on the proper operation of networks. The mentioned malicious activities are considerably growing with time. According to the worldwide infrastructure security report, 5 it is evident that the volume of these attacks on data centers, networks infrastructures, and

show abstract

“…Similarly, in [7], comparable observations are presented based on the analysis of the impact of DoS attacks on traffic spectral density. Conversely, in [20] a wavelet-based estimation of LRD is used to differentiate between flash crowds and pulsating distributed denial of service attacks. It is also presented in [20] that DDoS attacks and their detection are short-range phenomena; therefore, they change the LRD nature of the traffic.…”

Section: Introductionmentioning

confidence: 99%

“…Conversely, in [20] a wavelet-based estimation of LRD is used to differentiate between flash crowds and pulsating distributed denial of service attacks. It is also presented in [20] that DDoS attacks and their detection are short-range phenomena; therefore, they change the LRD nature of the traffic. Furthermore, for early detection of network abnormalities caused by DDoS attack, Liu et al [21] use the autocorrelation and LRD parameter measurements.…”

Section: Introductionmentioning

confidence: 99%

Anomaly detection using Wavelet-based estimation of LRD in packet and byte count of control traffic

Zeb

AsSadhan

Al‐Muhtadi

et al. 2016

2016 7th International Conference on Information and Communication Systems (ICICS)

View full text Add to dashboard Cite

The detection of anomalous behavior such as low volume attacks and abnormalities in today's large volume of Internet traffic has become a challenging problem in the network community. An efficient and real-time detection of anomaly traffic is crucial in order to rapidly diagnose and mitigate the anomaly, and to recover the resulting malfunction. In this paper, we present an efficient anomaly detection method based on the estimation of long-range dependence (LRD) behavior in packet and byte count of the aggregated control traffic. This method surrogates Internet aggregated whole traffic (i.e., control plus data) by the aggregated control traffic and detects anomaly traffic through the waveletbased estimation of LRD behavior in the corresponding control traffic. Since Internet traffic exhibits LRD behavior during benign normal condition, deviation from this behavior can indicate an anomalous behavior. Experiments on the KSU dataset demonstrate that this method not only significantly improves the process of anomaly detection by considerably reducing the largevolume of traffic to be processed but also achieves a high detection effect. Because the control traffic constitute a small fraction of the whole traffic, and usually most of the attacks are manifested and carried out in the control traffic; therefore, surrogating the whole traffic by the control traffic increases the detection efficacy.

show abstract

A Novel Multi Scale Approach for Detecting High Bandwidth Aggregates in Network Trafﬁc

Cited by 9 publications

References 35 publications

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

Network anomaly detection using a cross‐correlation‐based long‐range dependence analysis

Anomaly detection using Wavelet-based estimation of LRD in packet and byte count of control traffic

Contact Info

Product

Resources

About