Detection and classification of DDoS attacks using fuzzy inference system

Abstract

A DDoS attack saturates a network by overwhelming the network resources with an immense volume of traffic that prevent the normal users from accessing the network resources. When Intrusion Detection Systems are used, a huge number of alerts will be generated and these alerts consist of both False Positives and True Positives. Due to huge volume of attack traffic, there is a possibility of occurring more False Positives than True Positives which is difficult for the network analyst to classify the original attack and take remedial action. This paper focuses on development of alert classification system to classify False Positives and True Positives related to DDoS attacks. It consists of five phases : Attack Generation, Alert Collection, Alert Fusion, Alert Generalization and Alert classification. In Attack Generation, DDoS attacks are generated in experimental testbed. In Alert Collection, snort IDS will be used to generate alerts for the generated traffic in testbed and alerts are collected. In Alert Fusion, the repeated alerts will be fused together to form meta alerts. In Alerts Generalization, the alerts indicating traffic towards the servers will be taken for further analysis. In Alert Classification, using fuzzy inference system the alerts will be classified as True Positives and False Positives. This reduces the difficulty of the network analyst by eliminating the false positives. This system is tested using an experimental testbed. © 2010 Springer-Verlag Berlin Heidelberg.