A Distinction Method of Flooding DDoS and Flash Crowds Based on User Traffic Behavior

Authors: Degang Sun, Kun Yang, Zhixin Shi, Yan Wang
Venue: 2017 IEEE Trustcom/BigDataSE/ICESS
Publication date: 2017-08-01
DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.221 (https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.221)
Citation count (Semantic Scholar): 3
Open access: no
Abstract: Discriminating Distributed Denial of Service (DDoS) attacks from Flash Crowds (FC) is a difficult and challenging problem, because the two share many similarities at the network layer. In this paper, an extensive analysis of the user traffic behavior of DDoS and FC shows that certain traffic abnormalities separate bots from legitimate users. A behavior-based method employing data mining is therefore proposed to distinguish the two, and two public real-world datasets are used to evaluate it. In addition, simulated traffic is generated to evaluate the method further; the simulation is based on statistical parameters taken from the two datasets, combined with two popular and common distributions, the Gaussian distribution and the Pareto distribution. Two types of simulation are considered: Novice Simulation and Veteran Simulation. The result in Novice Simulation has almost 100% accuracy, while in Veteran Simulation the result has more than 98% accuracy, less than 15% FPR and 3% FNR, all of which show that the proposed method has good accuracy and robustness. Furthermore, when compared with the traditional Entropy and Threshold methods in Veteran Simulation, the results indicate that both of them could hardly distinguish DDoS from FC, while the proposed method achieves a better distinguishing effect.