doi:10.1093/comjnl/bxt031 Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions (2012)
Citations
10905 | A mathematical theory of communication
- Shannon
- 1948
Citation Context: ...tion of DDoS attacks and also can detect other attacks the distance between legitimate traffic and attack traffic. The generalized entropy metric is more effective than the traditional Shannon metric [49]. In addition, the information distance metric outperforms the popular Kullback–Leibler divergence approach. Francois et al. [50] present a method called FireCol based on information theory for early ...
1244 | Fast algorithms for mining association rules in large databases
- Agrawal, Srikant
- 1994
Citation Context: ...re clustered based on the k-means clustering algorithm to build initial threshold values for network traffic. All captured packets are used to build the packet protocol status model using the Apriori [54] and fuzzy c-means (FCM) [55] algorithms. Whenever the current network traffic is over the threshold value, the network packet protocol status is checked to detect abnormal packets. If there are no ab...
595 | A fuzzy relative of the ISODATA process and its use in detecting compact well-separated clusters
- Dunn
- 1974
Citation Context: ...eans clustering algorithm to build initial threshold values for network traffic. All captured packets are used to build the packet protocol status model using the Apriori [54] and fuzzy c-means (FCM) [55] algorithms. Whenever the current network traffic is over the threshold value, the network packet protocol status is checked to detect abnormal packets. If there are no abnormal packets, the current n...
538 | Anomaly detection: A survey
- Chandola, Banerjee, et al.
Citation Context: ...s given in [7] without any possible solutions for DDoS attacks. In contrast, we present a list of methods, tools, possible solutions and future research directions for DDoS attacks in detail. (vi) In [2], the authors present several anomaly detection techniques w.r.t. diverse domains but our work is mainly focused on DDoS attack detection architectures, methods and tools. Our survey begins in Section...
357 | A taxonomy of DDoS attacks and DDoS defense mechanisms
- Mirkovic, Martin, et al.
- 2002
Citation Context: ...chanisms, attack taxonomies, attack launching mechanisms and their pros and cons. However, our survey differs significantly from them in the following ways. (i) We present an attack taxonomy based on [10]. However, in our taxonomy there are seven distinct possibilities in which an intruder can attempt to launch DDoS attacks. Unlike [10], we include a detailed discussion of various DDoS defense mechani...
284 | Zur Theorie der orthogonalen Funktionensysteme
- Haar
- 1910
Citation Context: ...tage automated system is proposed in [56] to detect DoS attacks in network traffic. It combines the traditional change point detection approach with a novel one based on continuous wavelet transforms [57]. The authors test the system using a set of publicly available attack-free traffic traces superimposed with anomaly profiles. In [58], Li and Lee present a systematic wavelet-based method for DDoS at...
174 | Attacking DDoS at the Source
- Mirkovic, Prier, et al.
- 2002
Citation Context: ... uses the traffic change patterns detected at attack-transit routers to construct the CATs, which represent the attack flow pattern. A very well-known DDoS defense scheme called D-WARD is presented in [20]. D-WARD identifies an attack based on continuous monitoring of bidirectional traffic flows between the network and the rest of the Internet and by periodic deviation analysis with the normal flow pat...
159 | MULTOPS: a data structure for bandwidth attack detection. USENIX Security Symposium
- Gil, Poletto
- 2001
Citation Context: ...lated to identify actual occurrences of attacks. Examples of knowledge-based approaches include expert systems, signature analysis, self-organizing maps and state transition analysis. Gil and Poletto [37] introduce a heuristic along with a data structure called MUltiLevel Tree for Online Packet Statistics (MULTOPS) that monitors certain traffic characteristics which can be used by network devices such...
119 | The ICMP traceback message
- Bellovin (Ed.)
- 2000
Citation Context: ...74] • Conducts covert exercises to hide itself from intrusion detection systems • Can forge packets that appear to come from neighboring machines • Provides other options such as TARGA and MIX attack [75] Stacheldraht [76] • Based on early versions of TFN and eliminates some of its weak points by combining features of Trinoo TCP, UDP, ICMP TCP SYN flood, UDP flood, ICMP echo request flood • Performs up...
93 | Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems
- Peng, Leckie, et al.
- 2007
Citation Context: ... now employ a large number of these vulnerable hosts to launch an attack instead of using a single server, an approach which is not very effective and detected easily. A distributed DoS (DDoS) attack [1, 6] is a large-scale, coordinated attack on the availability of services of a victim system or network resources, launched indirectly through many compromised computers on the Internet. The first well-do...
88 | DDoS attacks and defense mechanisms: classification and state-of-the-art
- Douligeris, Mitrokotsa
- 2004
Citation Context: ...sets that have been used for evaluating performance of detection methods. We also briefly introduce DDoS tools. 4.1. DDoS tools There are many tools available to launch DDoS attacks in the literature [44, 68]. The architectures are almost always the same. Some are made by the attackers with slightly modifying others. Table 6 presents some of the tools with brief descriptions. 4.2. Datasets After a new or ...
77 | The "stacheldraht" distributed denial of service attack tool
- Dittrich
- 1999
Citation Context: ...ert exercises to hide itself from intrusion detection systems • Can forge packets that appear to come from neighboring machines • Provides other options such as TARGA and MIX attack [75] Stacheldraht [76] • Based on early versions of TFN and eliminates some of its weak points by combining features of Trinoo TCP, UDP, ICMP TCP SYN flood, UDP flood, ICMP echo request flood • Performs updates on the agent...
76 | Trends in denial of service attack technology
- Houle, Weaver
- 2001
Citation Context: ...n below. (i) Internet security is highly interdependent. No matter how secure a victim’s system may be, whether or not this system will become a DDoS victim depends on the rest of the global Internet [13, 14]. (ii) Internet resources are limited. Every Internet host has limited resources that sooner or later can be exhausted by a sufficiently large number of users. (iii) Many against a few: If the resourc...
71 | The CAST-256 encryption algorithm
- Adams
- 1999
Citation Context: ...ood, ICMP flood • Adds encrypted messaging among all of the attack components [73] • Communications between real attacker and control master program are encrypted using a key-based CAST-256 algorithm [74] • Conducts covert exercises to hide itself from intrusion detection systems • Can forge packets that appear to come from neighboring machines • Provides other options such as TARGA and MIX attack [75...
57 | The "Tribe Flood Network" Distributed Denial of Service Attack Tool
- Dittrich
- 1999
Citation Context: ...P addresses • Fixed-size UDP packets are sent to the victim machine’s random ports • Does not spoof source addresses • Implements UDP flood attacks against the target victim Tribe flood network (TFN) [71] • Able to wage both bandwidth depletion and resource depletion attacks UDP, ICMP, TCP TCP SYN flood, ICMP flood, smurf • Uses a command line interface to communicate between the attacker and the contr...
56 | The DoS Project’s Trinoo, Distributed Denial of Service Attack Tool
- Dittrich
- 1999
Citation Context: ...TABLE 6. DDoS tools and description. Name and ref. Description Protocol Attack Trinoo [69, 70] • Widely used by the attackers as well as research community UDP UDP flood • A bandwidth depletion attack tool, used to launch coordinated UDP flood attacks against one or many IP addresses • Fixed-s...
51 | Analyzing Distributed Denial of Service Tools
- Dietrich, Long, et al.
- 2000
Citation Context: ...nt IP addresses • Routers return ‘ICMP unreachable’ causing more bandwidth starvation • Possesses very limited control features and can spoof by randomizing all 32 bits of the source IP address Shaft [78] • A successor of Trinoo TCP, UDP, ICMP TCP/UDP/ICMP flood • Uses UDP communication between handlers and agents • Shaft provides UDP/ICMP/TCP flooding attack options; it randomizes source IP address an...
49 | Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures
- Specht, Lee
- 2004
Citation Context: ...ificantly (see footnote 1). DDoS attack networks follow two types of architectures: the agent–handler architecture and the Internet Relay Chat (IRC)-based architecture as discussed by Specht and Lee [7]. The agent–handler architecture for DDoS attacks is composed of clients, handlers and agents. The attacker communicates with the rest of the DDoS attack system at the client systems. The handlers are...
40 | A self-aware approach to denial of service defence
- Gelenbe, Loukas
- 2007
Citation Context: ...ific feature-based DDoS attack detection mechanism is introduced in [5]. It identifies a most relevant subset of features using correlation and can detect DDoS attacks with high detection accuracy. In [64], a mathematical model is presented to provide gross evaluation of the benefits of DDoS defence based on dropping of attack traffic. Simulation results and testbed experiments are used to validate the...
40 | Steps towards self-aware networks
- Gelenbe
- 2009
Citation Context: ...ion project. They also suggest an overall system architecture to improve the situational awareness of field commanders by providing an option to fuse and compose information services in real time. In [66], Gelenbe describes an approach to develop self-aware networks to provide end users the option to explore the state of the network to find the best ways to meet their communication needs. In [67], a m...
38 | A Neyman-Pearson approach to statistical learning
- Scott, Nowak
- 2005
Citation Context: ...improve the performance of the base classifier. The proposed classification algorithm, RBPBoost, combines the output of the ensemble of classifier outputs and the Neyman-Pearson cost minimization strategy [36] for the final classification decision. Table 2 presents a brief summary of the soft computing methods presented in this section. 3.3. Knowledge-based methods In knowledge-based approaches, network event...
36 | Detecting distributed denial of service attacks using source IP address monitoring (available at http://www.ee.mu.oz.au/pgrad/taop/research/detection.pdf)
- Peng, Leckie, et al.
- 2002
Citation Context: ...l. The initial results show that individual router profiles capture key characteristics of the traffic effectively and identify anomalies with low false positive and false negative rates. Peng et al. [25] describe a novel approach to detect bandwidth attacks by monitoring the arrival rate of new source internet protocol (IP) addresses. The detection scheme is based on an advanced non-parametric change...
32 | LADS: Large-scale automated DDoS detection system
- Sekar, Duffield, et al.
- 2006
Citation Context: ...cific Dataset to evaluate the method. The results show that each phase of the attack scenario is partitioned well and can detect precursors of a DDoS attack as well as the attack itself. Sekar et al. [46] investigate the design space for in-network DDoS detection and propose a triggered, multistage approach that addresses both scalability and accuracy. Their contribution is the design and implementati...
28 | NetBouncer: client-legitimacy-based high-performance DDoS filtering
- Thomas, Mark, et al.
- 2003
Citation Context: ...ack detection and gets a high DR. Thomas et al. [38] present an approach to DDoS defense called NetBouncer and claim it to be a practical approach with high performance. Their approach relies on distinguishing legitimate and illegitimate use and ensuri...
27 | The ‘mstream’ distributed Denial of Service Attack Tool
- Dittrich, Weaver, et al.
- 2000
Citation Context: ...d • Performs updates on the agents automatically • Provides a secure telnet connection via symmetric key encryption among the attackers and handlers • Communicates through TCP and ICMP packets mstream [77] • Uses spoofed TCP packets with the ACK flag set to attack the target TCP, UDP TCP ACK flood • A simple point-to-point TCP ACK flooding tool to overwhelm the tables used by fast routing routines in s...
23 | Detecting DDoS Attacks on ISP Networks
- Akella, Bharambe, et al.
- 2002
Citation Context: ...d networking buffer. Based on the prediction, they use abnormal detection technology to analyze the consumption of server resources to predict whether the server is under a DDoS attack. Akella et al. [24] explore key challenges in helping an Internet service provider (ISP) network detect attacks on itself or attacks on external sites which use the ISP network. They propose a detection mechanism where ...
20 | Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features
- Gavrilis, Dermatas
- 2005
Citation Context: ...if the traffic is normal, it is sent to the destination. RBF neural network training can be performed as an offline process but it is used in real time to detect attacks faster. Gavrilis and Dermatas [31] also present a detector for DDoS attacks in public networks based on statistical features estimated in short-time window analysis of incoming data packets. A small number of statistical descriptors a...
20 | DDoS Attack Detection and Wavelets
- Li, Lee
- 2003
Citation Context: ... approach with a novel one based on continuous wavelet transforms [57]. The authors test the system using a set of publicly available attack-free traffic traces superimposed with anomaly profiles. In [58], Li and Lee present a systematic wavelet-based method for DDoS attack detection. They use energy distribution based on wavelet analysis to detect DDoS attack traffic. Energy distribution over time ha...
15 | Protection against Denial of Service Attacks – A Survey
- Loukas, Öke
- 2010
Citation Context: ...ns and tools and discuss latest DDoS attack strategies. Also, unlike [1], we attempt to provide a possible solution to counter the attacks in the context of latest DDoS attack scenarios. (iii) Unlike [3], our survey is focused on DDoS attack detection methods, tools and research directions. In [3], a major portion is dedicated to DoS research solutions only and that too for a period up to 2009. Also, u...
15 | Traceback of DDoS Attacks using Entropy Variations
- Yu, Doss, et al.
- 2010
Citation Context: ...comparing with stored normal profiles. Detection and traceback of attack sources are easy in this approach due to collaborative operation. Routers can form an overlay mesh to share their observations [18]. The main difficulty with this approach is deployability. To achieve full detection accuracy, all routers on the Internet will have to employ this detection scheme, because unavailability of this sch...
14 | DDoS attack detection method using cluster analysis
- Lee, Kim, et al.
- 2008
Citation Context: ...ate applications, DDoS Container covers stateful inspection on data streams and correlates events among different sessions. It proactively terminates the session when it detects an attack. Lee et al. [45] propose a method for proactive detection of DDoS attacks by exploiting an architecture consisting of a selection of handlers and agents that communicate, compromise and attack. The method performs cl...
14 | Low-rate DDoS attacks detection and traceback by using new information metrics
- Xiang, Li, et al.
- 2011
Citation Context: ...hod could lead to more accurate and effective DDoS detection. A low-rate DDoS (LDDoS) attack has significant ability to conceal its traffic because of its similarity with normal traffic. Xiang et al. [48] propose two new information metrics: (i) generalized entropy metric and (ii) information distance metric, to detect LDDoS attacks. They identify the attack by measuring ...
13 | A survey of outlier detection methods in network anomaly identification
- Gogoi, Bhattacharyya, et al.
- 2011
Citation Context: ...ery challenging task. Detection approaches used include statistical, soft computing, clustering, knowledge-based and classifiers. These approaches can also be classified as supervised or unsupervised [9]. Statistical techniques fit a statistical model to the given data and then apply a statistical inference test on an unseen instance to determine if it belongs to this model. In knowledge-based methods...
12 | A denial of service detector based on maximum likelihood detection and the random neural network
- Oke, Loukas
- 2007
Citation Context: ...s performed to segregate attack flows from legitimate flows. The authors compare the SSM against various other methods and identify a blend of segregation methods for alleviating false detections. In [28], the authors introduce a generic DoS detection scheme based on maximum likelihood criterion with random neural networks (RNNs). The method initially selects a set of traffic features in the offline m...
11 | Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks (in Information Security Practice and Experience)
- Jalili, Imani-Mehr, et al.
- 2005
Citation Context: ...assify intelligently and automatically. Soft computing is a general term for describing a set of optimization and processing techniques that are tolerant of imprecision and uncertainty. Jalili et al. [29] introduce a DDoS attack detection system called SPUNNID based on a statistical preprocessor and unsupervised artificial neural nets (ANNs). They use statistical preprocessing to extract features from...
11 | Distributed Denial of Service Detection Using TCP/IP Header and Traffic Measurement Analysis
- Limwiwatkul, Rungsawang
- 2004
Citation Context: ...ition process. As a result, it overcomes the shortcomings of CAT modeling. There is currently no established AAT-based bottom-up procedure for detecting network intrusions. Limwiwatkul and Rungsawang [40] propose to discover DDoS attack signatures by analyzing the TCP/IP packet header against well-defined rules and conditions, and distinguishing the difference between normal and abnormal traffic. The ...
10 | Surveying port scans and their detection methodologies
- Bhuyan, Bhattacharyya, et al.
- 2011
10 | The World Wide Web Security FAQ, Version 3.1.2
- Stein, Stewart
- 2002
Citation Context: ... methods are described in Section 4. The challenges faced by DDoS defenders are reported in Section 5 followed by concluding remarks in Section 7. 2. DDoS ATTACKS AND THEIR ARCHITECTURES As stated in [12], a DDoS attack can be defined as an attack which uses a large number of computers to launch a coordinated DoS attack against a single machine or multiple victim machines. Using client/server technolo...
10 | Robust and efficient detection of DDoS attacks for large-scale internet
- Lu, Wu, et al.
- 2007
Citation Context: ...eviously proposed approaches rely on monitoring the volume of traffic that is received by the victim. Most such approaches are incapable of differentiating a DDoS attack from a flash crowd. Lu et al. [42] describe a perimeter-based anti-DDoS system, in which the traffic is analyzed only at the edge routers of an ISP network. The anti-DDoS system consists of two major components: (1) temporal correlati...
9 | Augmented Attack Tree Modeling of Distributed Denial of Services and Tree Based Attack Detection Method
- Wang, Phan, et al.
- 2010
Citation Context: ...o prove its legitimacy. If a client can pass these tests, it is added to the legitimacy list and subsequent packets from the client are accepted until a certain legitimacy window expires. Wang et al. [39] present a formal and methodical way of modeling DDoS attacks using an augmented attack tree (AAT), and discuss an AAT-based attack detection algorithm. This model explicitly captures the particular s...
9 | TFN2K – an analysis
- Barlow, Thrower
- 2000
Citation Context: ...ween the attacker and the control master program • Offers no encryption between agents and handlers or between handlers and the attacker • Allows TCP SYN and ICMP flood as well as smurf attacks TFN2K [72] • Developed using the TFN DDoS attack tool TCP, UDP, ICMP smurf, SYN flood, UDP flood, ICMP flood • Adds encrypted messaging among all of the attack components [73] • Communications between real atta...
8 | Distributed Change-Point Detection of DDoS Attacks Over Multiple Network Domains
- Chen, Hwang, et al.
- 2006
Citation Context: ...test is applied to determine if a new instance belongs to this model. Instances that do not conform to the learnt model, based on the applied test statistics, are classified as anomalies. Chen et al. [19] develop a distributed change point (DCP) detection architecture using change aggregation trees (CATs). The non-parametric cumulative sum (CUSUM) approach was adapted to describe the distribution of p...
8 | Trinity v3, a DDoS tool, hits the streets
- Hancock
- 2000
Citation Context: ...e handler’s IP address and port in real time during the attack • Able to switch control master servers and ports in real time, hence making detection by intrusion detection tools difficult Trinity v3 [79] • Various TCP floods are used by randomizing all 32-bits of the source IP address, such as TCP fragment floods, TCP established floods, TCP RST packet floods and TCP random flag packet floods TCP, UD...
7 | Distributed denial of service attack detection using an ensemble of neural classifier
- Kumar, Selvakumar
Citation Context: ...s of classifiers have been used for DDoS attack detection. The use of an ensemble reduces the bias of existing individual classifiers. An ensemble of classifiers has been used by Kumar and Selvakumar [35] for this purpose where a resilient back propagation (RBP) neural network is chosen as the base classifier. The main focus of this paper is to improve the performance of the base classifier. The propo...
7 | Search in unknown random environments
- Gelenbe
Citation Context: .... In [66], Gelenbe describes an approach to develop self-aware networks to provide end users the option to explore the state of the network to find the best ways to meet their communication needs. In [67], a model is introduced for searching by N agents in an unbounded random environment. The model allows for the loss or destruction of searchers and finite lifetime. A summarized presentation of these ...
6 | Proactive detection of DDoS attacks utilizing k-NN classifier in an Anti-DDoS framework
- Nguyen, Choi
- 2010
Citation Context: ... flow. They also use a novel traffic pattern matching procedure to identify traffic flow similar to the attack flow and to trace back the origin of an attack based on this similarity. Nguyen and Choi [33] develop a method for proactive detection of DDoS attacks by classifying the network status. They break a DDoS attack into phases and select features based on an investigation of DDoS attacks. Finally...
6 | Flow level detection and filtering of low-rate DDoS
- Zhang, Cai, et al.
- 2012
Citation Context: ... ns2-based simulation with various network traffic characteristics and attack intensities demonstrate that the method could detect DDoS flood attack timely, effectively and intelligently. Zhang et al. [63] present a Congestion Participation Rate (CPR)-based approach to detect LDDoS attacks using flow level network traffic. A flow with higher CPR value leads to LDDoS and consequent dropping of the pack...
6 | Hyperion — next-generation battlespace information services
- Ghanea-Hercock, Gelenbe, et al.
- 2007
Citation Context: ...nsider an autonomic defence mechanism based on the cognitive packet network (CPN) protocol and establish it to be capable of tracing back flows coming into a node automatically. Ghanea-Hercock et al. [65] provide a survey of the techniques within the Hyperion project. They also suggest an overall system architecture to improve the situational awareness of field commanders by providing an option to fus...
5 | DDoS detection and traceback with decision tree and grey relational analysis
- Wu, Tseng, et al.
- 2011
Citation Context: ...hieved using RBF neural networks. Wu et al. [32] propose to detect DDoS attacks using decision trees and gray relational analysis. The detection of the attack from the normal situation is viewed as a classification problem. They use 15 attributes, ...
5 | A cascade architecture for DoS attacks detection based on the wavelet transform
- Dainotti, Pescapè, et al.
Citation Context: ...ormal packets. If there are no abnormal packets, the current network traffic is clustered again by the k-means module to build a new threshold value model. A two-stage automated system is proposed in [56] to detect DoS attacks in network traffic. It combines the traditional change point detection approach with a novel one based on continuous wavelet transforms [57]. The authors test the system using a...
4 | A DDoS Attack Detection Mechanism Based on Protocol Specific Traffic Features
- Kashyap, Bhattacharyya
- 2012
Citation Context: ...estbed experiments and Internet traffic trace and claims so that the method can detect LDDoS flows effectively. Another protocol specific feature-based DDoS attack detection mechanism is introduced in [5]. It identifies a most relevant subset of features using correlation and can detect DDoS attacks with high detection accuracy. In [64], a mathematical model is presented to provide gross evaluation of...
4 | A Survey on Solutions to Distributed Denial of Service Attacks
- Lin, Chiueh
- 2006
Citation Context: ... now employ a large number of these vulnerable hosts to launch an attack instead of using a single server, an approach which is not very effective and detected easily. A distributed DoS (DDoS) attack [1, 6] is a large-scale, coordinated attack on the availability of services of a victim system or network resources, launched indirectly through many compromised computers on the Internet. The first well-do...
4 | An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic
- Wong
- 2006
Citation Context: ...n below. (i) Internet security is highly interdependent. No matter how secure a victim’s system may be, whether or not this system will become a DDoS victim depends on the rest of the global Internet [13, 14]. (ii) Internet resources are limited. Every Internet host has limited resources that sooner or later can be exhausted by a sufficiently large number of users. (iii) Many against a few: If the resourc...
4 | CERT Coordination Center, CERT advisory CA-2001-19 ‘Code Red’ worm exploiting buffer overflow
- CERT
- 2001
Citation Context: ...traceback information (partial) with reference to multiple sources, and/or (ii) having to connect a large number of routers or servers. Self-propagating tools such as the Ramen worm [15] and Code Red [16] automate this phase. Unless a sophisticated defense mechanism is used, it is usually difficult for the users and owners of the agent systems to realize that they have become a part of a DDoS attack s...
4 | Statistical segregation method to minimize the false detections during DDoS attacks
- Udhayan, Hamsapriya
- 2011
Citation Context: ...prediction model is established for normal network flow. Then a DDoS attack detection scheme based on anomaly detection techniques and a linear prediction model (DDAP) is used. Udhayan and Hamsapriya [27] present a statistical segregation method (SSM), which samples the flow in consecutive intervals and compares the samples against the attack state condition and sorts them with the mean as the paramet...
4 | NetShield: Protocol Anomaly Detection with Datamining Against DDoS Attacks
- Hwang, Dave, et al.
- 2003
Citation Context: ...and machine learning methods An effective defense system to protect network servers, network routers and client hosts from becoming handlers, zombies and victims of DDoS flood attacks is presented in [43]. The NetShield system protects any IP-based public network on the Internet. It uses preventive and deterrent controls to remove system vulnerabilities on target machines. Adaptation techniques are us...
4 | Enhancing DDoS flood attack detection via intelligent fuzzy logic
- Xia, Lu, et al.
- 2010
Citation Context: ...ely large volume of normal flows or close to the attacking sources. In addition, it has higher detection and lower false alarm rates (FARs) compared with competing techniques. The method presented in [62] can identify flooding attacks in real time and also can assess the intensity of the attackers based on fuzzy reasoning. The process consists of two stages: (i) statistical analysis of the network tra...
4 | Distributed Denial of Service Trinoo, Tribe Flood Network, Tribe Flood Network 2000
- Criscuolo
- 2000
Citation Context: ...TABLE 6. DDoS tools and description. Name and ref. Description Protocol Attack Trinoo [69, 70] • Widely used by the attackers as well as research community UDP UDP flood • A bandwidth depletion attack tool, used to launch coordinated UDP flood attacks against one or many IP addresses • Fixed-s...
3 | DDoS Attack Detection Method Based on Linear Prediction Model
- Cheng, Yin, et al.
- 2009
Citation Context: ...ndwidth attacks by monitoring the arrival rate of new source internet protocol (IP) addresses. The detection scheme is based on an advanced non-parametric change detection scheme, CUSUM. Cheng et al. [26] propose the IP Flow Feature Value algorithm based on the essential features of DDoS attacks, such as abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target I...
3 |
An Anomaly-Based Method for DDoS Attacks Detection Using RBF Neural Networks
- Karimazad, Faraahi
- 2011
Citation Context ...ey use statistical preprocessing to extract features from the traffic, and an unsupervised neural net to analyze and classify traffic patterns as either a DDoS attack or normal. Karimazad and Faraahi =-=[30]-=- propose an anomaly-based DDoS detection method based on features of attack packets, analyzing them using RBF neural networks. The method can be applied to edge routers of victim networks. Vectors wit... |
3 | Cooperative defence against DDoS attacks
- Zhang, Parashar
Citation Context ...er against well-defined rules and conditions, and distinguishing the difference between normal and abnormal traffic. The authors mainly focus on ICMP, TCP and UDP flooding attacks. Zhang and Parashar =-=[41]-=- propose a distributed approach to defend against DDoS attacks by coordinating across the Internet. Unlike traditional IDS, it detects and stops DDoS attacks within the intermediate network. In the pr... |
3 |
Joint Entropy Analysis Model for DDoS Attack Detection
- Rahmani, Sahli, et al.
- 2009
Citation Context ...ale automated DDoS detection System. The system makes effective use of the data (such as NetFlow and simple network management protocol feeds from routers) readily available to an ISP. Rahmani et al. =-=[47]-=- discuss a joint entropy analysis of multiple traffic distributions for DDoS attack detection. They observe that the time series of IP-flow numbers and aggregate traffic sizes are strongly statistical... |
2 | A new detection method for distributed denial-of-service attack traffic based on statistical test
- Chen
- 2009
Citation Context ...to its child routers and eventually propagated downward to all routers, in the subsequent rounds of the algorithm with a view to converging the total server load to the tolerable capacity range. Chen =-=[22]-=- presents a new detection method for DDoS attack traffic based on the two-sample t-test. It first obtains statistics for the normal SYN arrival rate (SAR) and confirms that it follows the normal distr... |
2 |
A Prediction-Based Detection Algorithm Against Distributed Denial-of-Service Attacks
- Zhang, Jiang, et al.
- 2009
Citation Context ... contain different numbers of SYN and ACK packets by the two-sample t-test. If there is a significant difference, it recognizes that the attack traffic is mixed into the current traffic. Zhang et al. =-=[23]-=- propose a prediction method for the available service rate of a protected server by applying the Auto Regressive Integrated Moving Average (ARIMA) model. They use available service rates to qualify t... |
2 |
Real time DDoS detection using fuzzy estimators
- Shiaeles, Katos, et al.
- 2012
Citation Context ...lect features based on an investigation of DDoS attacks. Finally, they apply the k-nearest neighbor (KNN) method to classify the network status in each phase of the DDoS attack. A method presented in =-=[34]-=- detects DDoS attacks based on a fuzzy estimator using mean packet inter-arrival times. It detects the suspected host and traces the IP address to drop packets within 3-s detection windows. Lately, en... |
2 |
An entropy based approach to detect and distinguish DDoS attacks from flash crowds in VoIP networks
- Jeyanthi, Iyengar
- 2012
Citation Context ...revention system (IPS) located at the ISP level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The approach reported in =-=[51]-=- analyzes DDoS and flash crowd characteristics and provides an effective way to distinguish between the two in VoIP networks. The authors validate the method by simulation. A wavelet transformation an... |
2 |
A New Approach for Detecting DDoS Attacks Based on Wavelet Analysis
- Li, Li
- 2009
Citation Context ...to distinguish between the two in VoIP networks. The authors validate the method by simulation. A wavelet transformation and probability theory-based network anomaly detection approach is proposed in =-=[52]-=-. The approach is able to identify known as well as unknown attacks. Zhong and Yue [53] present a DDoS attack detection model that extracts a network traffic model and a network packet protocol status... |
1 |
An IRC tutorial. http://www.irchelp.org/irchelp/irctutorial.html
- Loon, Lo
- 2004
Citation Context ...rties of attack packets, it is beneficial to the attacker, since it complicates detection. In the past decade, attackers and agents have started using a multiuser, online chatting system known as IRC =-=[17]-=-. This is because IRC chat networks allow users to create public, private and secret channels. An IRC-based DDoS attack network is similar to the agent–handler DDoS attack model except that instead of... |
1 | Defending Against Distributed Denial-of-Service Attacks with Weight-Fair Router Throttling
- Saifullah
- 2009
1 | An inline detection and prevention framework for distributed denial of service attacks
- Chen, Chen, et al.
- 2007
Citation Context ...vide corrective intrusion responses. The NetShield system enforces dynamic security policies. NetShield is especially tailored for protecting network resources against DDoS flood attacks. Chen et al. =-=[44]-=- present a comprehensive framework for DDoS attack detection known as DDoS Container. It uses a network-based detection method to overcome complex and evasive types of DDoS attacks. It works in an inl... |
1 |
FireCol: a collaborative protection network for the detection of flooding DDoS attacks
- Francois, Aib, et al.
- 2012
Citation Context ...d entropy metric is more effective than the traditional Shannon metric [49]. In addition, the information distance metric outperforms the popular Kullback–Leibler divergence approach. Francois et al. =-=[50]-=- present a method called FireCol based on information theory for early detection of flooding DDoS attacks. FireCol is composed of an intrusion prevention system (IPS) located at the ISP level. The IPS... |
1 | DDoS Detection System Based on Data Mining
- Zhong, Yue
- 2010
Citation Context ...ulation. A wavelet transformation and probability theory-based network anomaly detection approach is proposed in [52]. The approach is able to identify known as well as unknown attacks. Zhong and Yue =-=[53]-=- present a DDoS attack detection model that extracts a network traffic model and a network packet protocol status model and sets the threshold for the detection model. Captured network traffic values ... |
1 |
ANN based scheme to predict number of zombies in DDoS attack
- Gupta, Joshi, et al.
- 2012
Citation Context ...on. They use energy distribution based on wavelet analysis to detect DDoS attack traffic. Energy distribution over time has limited variation if the traffic keeps its behavior over time. Gupta et al. =-=[59]-=- use ANN to estimate the number of zombies in a DDoS attack. They use sample data to train a feed-forward neural network generated using the NS-2 network simulator. The generalization capacity of the ... |
1 |
A New Way to Detect DDoS Attacks within Single Router
- Yan, Zheng, et al.
- 2008
Citation Context ...d network is promising and the network is able to predict the number of zombies involved in a DDoS attack with test error. A port-to-port specific traffic in a router, called IF flow is introduced in =-=[60]-=-. An important feature of IF is that it can amplify the attack to normal traffic ratio. A recursive least square filter is used to predict IF flows. Next, a statistical method using a residual filter... |
1 |
DDoS Attack Detection Using IP Address Feature Interaction
- Cheng, Yin, et al.
- 2009
Citation Context ...e the anomaly detection results using receiver operating characteristics curves. Results show that IF flows are more powerful than input links and output links for DDoS attack detection. Cheng et al. =-=[61]-=- propose the IP Address Interaction (IAI) Feature algorithm considering interactions among addresses, abrupt traffic changes, many-to-one asymmetries among addresses, distributed source IP addresses an... |
1 |
CERT Coordination Center, Center Advisory CA1999-17 Denial of Service Tools
- CERT
- 1999
Citation Context ...ood as well as smurf attacks TFN2K [72] • Developed using the TFN DDoS attack tool TCP, UDP, ICMP smurf, SYN flood, UDP flood, ICMP flood • Adds encrypted messaging among all of the attack components =-=[73]-=- • Communications between real attacker and control master program are encrypted using a key-based CAST-256 algorithm [74] • Conducts covert exercises to hide itself from intrusion detection systems •... |
1 |
CERT Coordination Center, CERT Advisory CA-2001-20 Continuing Threats to Home Users
- King, Morda
- 2001
Citation Context ...TABLE 6. Continued Name and ref. Description Protocol Attack Knight =-=[80]-=- • A very lightweight yet powerful IRC-based attack tool TCP, UDP UDP, TCP flood, SYN and PUSH+ACK flood • Provides SYN attacks, UDP Flood attacks and an urgent pointer flooder [81] • Designed to run ... |