F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management

Mahsa Nooribakhsh, M. Mollamotalebi
Journal: ISC Int. J. Inf. Secur., vol. 101, no. 1, published 2020-07-01 (Journal Article). DOI: 10.22042/ISECURE.2020.167450.453 (https://doi.org/10.22042/ISECURE.2020.167450.453). Source: Semantic Scholar record.
Citation count: 0

Abstract

Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding them with packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: volumetric attacks, protocol attacks and application attacks. The volumetric attack, which the proposed method attempts to detect, is the most common type of DDoS attack. The aim of this paper is to reduce the delay of real-time detection of DDoS attacks by utilizing hybrid structures based on data stream algorithms. The proposed data structure (BHM) improves the data storing mechanism presented in the STONE method and consequently reduces the detection time. STONE characterizes the regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detects attacks when the aggregated traffic deviates from the regular one. In BHM, history refers to the output traffic information obtained from each monitoring period, which is used to form a reference profile. The reference profile is created from historical information and only includes normal traffic information. The delay of DDoS attack detection increases in STONE due to the long time intervals between monitoring periods. The proposed method (F-STONE) has been compared to STONE based on attack detection time, Expected Profile Update Time (EPUT), and rate of attack detection. The evaluation results indicated significant improvements in terms of the EPUT, acceleration of attack detection and reduction of the false positive rate.