DDoS detection is usually the first step in the battle against DDoS attacks. Because there are no clear DDoS attack signatures, every DDoS detection technique attempts to detect an attack by observing anomalous changes in IP attributes or traffic volume. From a network topology point of view, DDoS attack traffic comes from a number of routers, and it will definitely change the statistical distribution of the traffic topology. The traffic topology for a host is a map of the upstream routers traversed by the traffic sent to the receiving host (victim). As mentioned in Section 1.3, the distance value of a packet is the number of hops the packet has traversed from an edge router to the victim host. We think that distance-based DDoS detection techniques can detect the anomalous changes of traffic topology caused by DDoS attack traffic. For this purpose, we propose two distance-based DDoS detection techniques: average distance estimation and distance-based traffic separation. The average distance estimation technique works on the distance metric directly: it detects an attack based on the fact that changes of traffic topology lead to changes of the average distance value. The distance-based traffic separation technique uses the distance metric indirectly: it works on traffic separated according to distance values, and detects an attack based on the fact that changes in the separated traffic correlate with changes of traffic topology. In the following two subsections, we analyze some current DDoS detection techniques based on IP attributes and traffic volume, and specify the improvements gained by our two distance-based detection techniques.
CHAPTER 3. RELATED WORK 22
3.1.1 IP Attributes-based DDoS Detection
A number of works treat anomalies as deviations in a number of IP attributes, e.g., source IP address [4], TTL [5], and the combination of multiple attributes [8]. In [4], a simple scheme is proposed to detect DDoS attacks by monitoring the increase of new IP addresses. TTL is used by Jung et al. for the analysis of Internet Website load performance [9]. A DDoS attack usually creates network congestion and changes the statistical distribution of the TTL attribute in traffic. Based on this idea, Talpade et al. [5] propose a TTL-based statistical model to detect anomalies created by DDoS attacks. Unfortunately, the technique’s performance is not satisfactory because the changes in final TTL values cannot reflect the anomalous changes in the traffic topology directly. In our distance-based techniques, we use TTL to compute distance value. We believe that the changes in distance values directly represent the changes of traffic topology when DDoS attacks happen.
To achieve better performance, some studies combine multiple IP attributes together. In [8], Kim et al. construct a baseline profile on a number of attribute combinations, such as IP protocol-type and packet-size, source IP prefix and TTL values, as well as server port number and protocol-type, etc. However, these combinations cannot improve performance if the combined attributes are not related to the anomalous changes created by the DDoS attacks. Moreover, a combination of the attributes definitely will make computation more complex and possibly increase the false positive rate. Feinstein et al. [10] design a DDoS detection technique by computing entropy and frequency-sorted distributions of the selected attributes instead of using IP attributes directly. However, its performance still depends on the attributes selected for the computation of the entropy.
We believe that the key issue is to identify an indicator which reflects anomalous changes very well. Distance is a relatively better choice based on our studies. Therefore, we construct our average estimation DDoS detection technique based on the distance values directly.
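The following is an added example, not code from the thesis, of the average distance estimation idea: each packet's final TTL is mapped to a distance, the average distance of an observation window is compared against a baseline, and a window whose average moves too far is flagged. Two things are assumptions of this example rather than statements of the thesis: the initial TTL is inferred as the smallest common default (32, 64, 128, 255) that is not below the observed TTL, and the deviation rule is a mean-absolute-deviation tolerance with a small floor. The TTL samples are constructed.

```python
# Added example (not the thesis's code): average distance estimation over TTLs.
from statistics import mean

# Common initial TTL values; the smallest one >= the observed TTL is assumed to
# be the sender's initial TTL (assumption of this example; the thesis defines
# distance in its Section 1.3, which is not reproduced here).
INITIAL_TTLS = (32, 64, 128, 255)


def ttl_to_distance(ttl):
    """Hop count from the assumed initial TTL down to the observed final TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL above 255: %r" % ttl)


def average_distance(ttls):
    """Average distance of the packets seen in one observation window."""
    return mean(ttl_to_distance(t) for t in ttls)


def mean_abs_dev(values):
    """Mean absolute deviation of a list of numbers."""
    m = mean(values)
    return mean(abs(v - m) for v in values)


def detect_shift(baseline_windows, window, k=3.0, min_mad=0.5):
    """Flag a window whose average distance lies more than k times the
    baseline's mean absolute deviation away from the baseline average.
    min_mad keeps an unusually flat baseline from flagging every window.
    Returns (flagged, current_average, baseline_average)."""
    base_avgs = [average_distance(w) for w in baseline_windows]
    center = mean(base_avgs)
    tolerance = k * max(mean_abs_dev(base_avgs), min_mad)
    current = average_distance(window)
    return abs(current - center) > tolerance, current, center


# Constructed TTL samples: normal clients sit 9-14 hops away and start at
# TTL 64 or 128; the attack window adds distant sources 24-28 hops away.
BASELINE_WINDOWS = [
    [54, 53, 52, 117, 116, 54, 53, 115],
    [53, 53, 52, 116, 116, 54, 54, 115],
    [54, 52, 52, 117, 117, 53, 53, 116],
    [55, 53, 52, 117, 116, 54, 54, 114],
]
NORMAL_WINDOW = [54, 53, 52, 116, 117, 54, 53, 115]
ATTACK_WINDOW = [38, 36, 40, 100, 102, 54, 53, 116]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        flagged, current, center = detect_shift(BASELINE_WINDOWS, window)
        print("%s window: avg distance %.3f (baseline %.3f) flagged=%s"
              % (name, current, center, flagged))
```

The baseline windows average about 11.25 hops; the constructed attack window, in which most packets come from sources more than 20 hops away, raises the average to about 20.6 hops and is flagged, while a window drawn from the normal population is not. The point the text makes is visible here: the final TTL values themselves shift by differing amounts depending on the sender's initial TTL, but once mapped to distances they describe the same topology change.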
3.1.2 Traffic Volume-based DDoS Detection
A large number of traffic volume-based anomaly detection works exist in the literature. In [11], Gil and Poletto propose a heuristic data structure MULTOPS (Multi-Level Tree for Online Packet Statistics). They use a multi-level tree that keeps packet rate statistics for subnet prefixes at different aggregate levels. Normal traffic usually has a proportional rate to or from hosts and subnets. Therefore, an attack will be detected when MULTOPS observes a disproportional rate of traffic. To directly detect anomalies in traffic rate, Jiang et al. [12] develop an anomaly-tolerant nonstationary traffic prediction technique. Network anomalies can be detected as deviations in overall traffic volume. A similar idea is used by Lee et al. [13] except that they use the exponential smoothing technique to predict traffic rate and the mean absolute deviation (MAD) model to detect anomalous changes of traffic rate. Unfortunately, they do not get satisfactory results because the exponential smoothing technique is too simple to accurately predict complex and dynamic traffic rate.
On the other hand, some highly accurate prediction techniques are not suitable for real-time traffic volume prediction due to their high computational complexity. For example, FBM [18] and FARIMA [19] are not appropriate for this purpose because both involve a large amount of complex calculation [24]. In contrast, the computational complexity of the Minimum Mean Square Error (MMSE) prediction technique is not very high.
The MMSE prediction technique predicts the traffic volume using a linear combination of the current and previous values of traffic volume. In addition, the performance of MMSE is almost as good as that of FBM or FARIMA, based on the study by Wenyu et al. in [24]. Therefore, we believe that the MMSE technique is very suitable for computing traffic volume in real time.
Another problem with existing studies is that they apply their techniques to anomaly detection on aggregate traffic. However, it is very hard to detect the slight anomalous changes of the aggregate traffic rate during the early stages of a DDoS attack, because the attack traffic is still only a small fraction of the entire traffic at the victim end. To deal with this situation, we propose a new strategy based on traffic separation, where traffic is categorized by distance value. If we analyze each traffic flow separately, it is much easier to distinguish anomalous traffic from normal traffic. Gao et al. [24] show that MMSE is an efficient traffic rate prediction technique. We use MMSE to predict the normal traffic rate on each separated traffic flow, and the MAD-based deviation model helps detect attacks. This distance-based separation strategy, combined with the MAD-based deviation model, is the unique feature of our distance-based traffic separation DDoS detection technique.
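The following is an added example, not the thesis's implementation, of the separation strategy described in this subsection and the MMSE predictor of the preceding paragraphs: the per-interval packet rate of each distance bucket is predicted from its own recent history by a least-squares (MMSE) linear combination of the two previous values plus an intercept, and the MAD of the training residuals sets the deviation tolerance. The same detector is then run on the aggregate rate so that the difference can be seen. The per-flow rate series are constructed and deliberately idealized (a base rate plus a period-4 ripple, which an order-2 predictor fits exactly); because such a baseline leaves near-zero residuals, the tolerance also has a floor of a fixed fraction of the flow's mean rate. The hop ranges, the 5 percent floor and the 60-packet attack increment are assumptions of the example.

```python
# Added example (not the thesis's code): distance-based traffic separation with
# a per-flow MMSE linear predictor and a mean-absolute-deviation rule.
from statistics import mean


def periodic_flow(base, amp, n):
    """Constructed, idealized per-interval packet rate of one distance bucket:
    a constant base plus a period-4 ripple of amplitude amp."""
    return [base + amp * (1, 0, -1, 0)[t % 4] for t in range(n)]


def solve_linear(a, b):
    """Solve a*x = b (small dense system) by Gauss-Jordan elimination with
    partial pivoting; used for the MMSE normal equations."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_mmse(history, order=2):
    """Least-squares (MMSE) coefficients [a0, a1, ..., ap] predicting x_t from
    1, x_{t-1}, ..., x_{t-p}. Returns (coefficients, training residuals)."""
    rows = [[1.0] + [history[t - i] for i in range(1, order + 1)]
            for t in range(order, len(history))]
    targets = history[order:]
    k = order + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, targets)) for i in range(k)]
    coef = solve_linear(xtx, xty)
    residuals = [y - sum(c * v for c, v in zip(coef, r))
                 for r, y in zip(rows, targets)]
    return coef, residuals


def predict(coef, history):
    """One-step-ahead prediction from the most recent values of history."""
    order = len(coef) - 1
    lags = [1.0] + [history[-i] for i in range(1, order + 1)]
    return sum(c * v for c, v in zip(coef, lags))


def mad(values):
    """Mean absolute deviation, as in the MAD deviation model."""
    m = mean(values)
    return mean(abs(v - m) for v in values)


def detect(history, observed, k=3.0, rel_floor=0.05, order=2):
    """Flag the observed rate when it deviates from the MMSE prediction by
    more than k times the residual MAD, subject to a floor of rel_floor times
    the flow's mean rate (assumed). Returns (flagged, predicted, tolerance)."""
    coef, residuals = fit_mmse(history, order)
    predicted = predict(coef, history)
    tolerance = max(k * mad(residuals), rel_floor * mean(history))
    return abs(observed - predicted) > tolerance, predicted, tolerance


TRAIN = 16  # clean baseline intervals per flow (constructed)
# Three distance buckets (hop ranges illustrative): most traffic is near.
FLOWS = {
    "0-9 hops": periodic_flow(1000, 40, TRAIN + 1),
    "10-19 hops": periodic_flow(800, 30, TRAIN + 1),
    "20+ hops": periodic_flow(50, 4, TRAIN + 1),
}
ATTACK_EXTRA = 60  # extra packets/interval from distant sources, last interval


def run_scenario():
    """Run the detector on each separated flow and on the aggregate rate."""
    results = {}
    for name, series in FLOWS.items():
        history, observed = series[:TRAIN], series[TRAIN]
        if name == "20+ hops":
            observed += ATTACK_EXTRA
        results[name] = detect(history, observed)
    aggregate = [sum(vals) for vals in zip(*FLOWS.values())]
    history, observed = aggregate[:TRAIN], aggregate[TRAIN] + ATTACK_EXTRA
    results["aggregate"] = detect(history, observed)
    return results


if __name__ == "__main__":
    for name, (flagged, predicted, tol) in run_scenario().items():
        print("%-10s predicted %.1f tolerance %.1f flagged=%s"
              % (name, predicted, tol, flagged))
```

With these constructed rates the 60 extra packets per interval more than double the far-distance flow (predicted about 54) and are flagged, while the same increment is about 3 percent of the aggregate rate of roughly 1924 and stays inside the aggregate's tolerance, which is the situation the paragraph describes. The predictor's fitted coefficients for a period-4 ripple are an intercept of twice the base rate, zero weight on x_{t-1} and minus one on x_{t-2}, which is what the idealized series requires.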