Improving Performance of Collaborative Source-Side DDoS Attack Detection

Yeom, Sungwoong; Kim, Kyungbaek

doi:10.23919/apnoms50412.2020.9237014

Cited by 10 publications

(4 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At this time, in order to reduce computing resources in IDRS, it is necessary to use the network traffic volume instead of packet sampling for detecting DDoS attacks. Yeom et al proposed a collaborative source-side attack detection method to more accurately detect DDoS attack in multiple networks, taking into account the detection performance in different time zones [23]. This method detects DoS attacks by applying a margin to the adaptive threshold at each source-side, and shares the detection results and the weights which represent the performance of each source-side attack detection.…”

Section: Related Workmentioning

confidence: 99%

“…Also, the performance of source-side attack detection methods may be different depending on the network characteristics located on multiple regions [18], [19]. In order to improve the performance of source-side attack detection method, the collaborative attack detection methods which share attack detection result between source-side network of multiple regions are studied [20]- [23]. These methods calculate value that represent the performance of each site and these values are used to determine whether the attack is detected with the detection results of each site.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

LSTM-Based Collaborative Source-Side DDoS Attack Detection

2022

Self Cite

View full text Add to dashboard Cite

As denial of service attacks become more sophisticated, the source-side detection techniques are being studied to solve the limitations of target-side detection techniques such as delayed detection and difficulty in tracking attackers. Recently, some source-side detection techniques are being studied to use an adaptive attack detection threshold considering seasonal behavior of network traffic. However, because patterns of network traffic usage have become irregular with increased randomness and explosive traffic, the performance of the adaptive threshold technique has deteriorated. In addition, by limitations of the local view of a single site, distributed attacks from multiple sites may not be detected. In this paper, we propose a LSTM (Long Short Term Memory) based collaborative source-side DDoS (Distributed Denial of Service) attack detection framework which provides the attack detection result of a collaboration network in a global view. The proposed framework applies LSTM-based adaptive thresholds to each source-side network to mitigate performance degradation caused by irregular network traffic behavior. Also, in order to overcome the limitation of performance caused by the local view of single source-side network, the proposed framework constructs a collaborative network through multiple detection sites and aggregates feedback from each site, such as detection rates, local traffic patterns, and timestamp. The collaborative attack detection technique uses the aggregated feedback to determine whether the attack is finally detected and shares the finial detection results with multiple sites. Depending on this final detection result, the adaptive thresholds of each site are reset. Through extensive evaluation of actual network traffic data, the proposed collaborative source-side attack detection technique shows around 15% lower false positive rate than the single source-side attack detection technique while maintaining a high detection rate.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

LSTM-Based Collaborative Source-Side DDoS Attack Detection

2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…In addition, to analyze the classification of online detection, new evaluation indicators are defined: false intervention degree and malicious congestion revealing degree used to evaluate an online detection of normal and malicious traffic, respectively. Among them, the false interception rate represents the proportion of misjudging regular traffic as diverse kinds of minimal-degree DDoS assaults, and the calculation is shown in (1); the malicious traffic detection rate represents the proportion of detected malicious traffic to the overall count of negative traffic samples, and the calculation is shown in formula (2).…”

Section: Evaluation Indicatorsmentioning

confidence: 99%

“…ere are low-rate/ minimal DDoS assaults of many protocols in the network environment as well as periodic and aperiodic attack methods [1]. As a result, effectively identifying many forms of minimal DDoS assault traffic is an important challenge that must be addressed.…”

Section: Introductionmentioning

confidence: 99%

Light Weighted CNN Model to Detect DDoS Attack over Distributed Scenario

Kumar

Aoudni

Ortiz

et al. 2022

Security and Communication Networks

View full text Add to dashboard Cite

The minimal-degree distributed denial-of-service attack takes advantage of flaws in the adaptive mechanisms of network protocols, which could have a big impact on network service quality. It is very hard to find, has a low attack rate, and comes at a set time. Detection methods that have been used before have problems because they only use one type of detection and are not very good at identifying the object. In the end, a way to detect many sorts of minimal DDoS assaults that use deep hybrid learning is suggested. To construct multi-type limited DDoS threat data sets and mimic diverse sorts DDoS assaults and legitimate traffic in varying situations in the 5G setting, collect congestion at the networking entry and extract flow feature info are considered. From a statistical threshold and feature engineering point of view, these data sets show how many sorts of minimal DDoS assaults are there. This study aims to develop a deep hybrid learning-based multi-type low-rate DDoS attack detection solution for 5G networks which is the novel model that is recently deployed, and a hybrid deep learning algorithm was used to train the algorithm offline, and the algorithm’s performance was compared to that of the LSTM-Light GBM and LSTM-RF algorithms. The CNN-RF revealing model was then used to detect minimal DDoS assaults at the gateway, so that multiple attacks could be detected at the same time. It can identify 4 sorts of low-rate DDoS assaults like Slow-Headers, Slow-Body, Slow-Read, and Shrew assaults, in a 120-second window. The false intercept rate is 11.03 percent. This means that 96.22 percent of traffic could be found. Using the strategy suggested can help cut down on the traffic concentration of minimal DDoS attacks at the net ingress. It can also be used in real-world situations.

show abstract