A detection system for distributed DoS attacks based on automatic extraction of normal mode and its performance evaluation

Abstract

Distributed DoS (Denial-of-Service) attacks, or say DDoS attacks, have reportedly caused the most serious losses in recent years and such attacks are getting worse. How to efficiently detect DDoS attacks has naturally become one of the hottest topics in the cyber security community and many approaches have been proposed. The existing detection technologies, however, have their own weak points. For example, methods based on information theory must choose an information theoretic measures carefully which play an essential role on the detection performance and such methods are efficient only when there are a significantly large number of anomalies present in the data; signature-based methods can not deal with new kinds of attacks and new variants of existing attacks, and so on. The behavior-based ones have been thought to be promising. However, they often need some parameters to define the normal nodes and such parameters cannot be determined easily in advance in many actual situations. In our previous work, an algorithm without parameters was proposed for extracting normal nodes from the historic traffic data. In this paper, we will explain a practical off-line detection system for DDoS attacks that we developed based on that algorithm in a project called PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange). The general flow of our detection system and the main specific technologies are explained in details and its detection performance is also verified by several actual examples.