The Community for Technology Leaders
RSS Icon
Issue No.06 - June (2012 vol.23)
pp: 1073-1080
Shui Yu , Deakin University, Victoria
Wanlei Zhou , Deakin University, Victoria
Weijia Jia , City University of Hong Kong, Hong Kong
Song Guo , The University of Aizu, Aizu-Wakamatsu City
Yong Xiang , Deakin University, Victoria
Feilong Tang , Shanghai Jiao Tong University, Shanghai
Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice.
DDoS attacks, flash crowds, similarity, discrimination.
Shui Yu, Wanlei Zhou, Weijia Jia, Song Guo, Yong Xiang, Feilong Tang, "Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient", IEEE Transactions on Parallel & Distributed Systems, vol.23, no. 6, pp. 1073-1080, June 2012, doi:10.1109/TPDS.2011.262
[1] Arbor, "IP Flow-Based Technology," http:/www.arbornetworks. com, 2011.
[2] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your Botnet Is My Botnet: Analysis of a Botnet Takeover," Proc. ACM Conf. Computer Comm. Security, 2009.
[3] N. Ianelli and A. Hackworth, "Botnets as Vehicle for Online Crime," Proc. 18th Ann. First Conf., 2006.
[4] C.Y. Cho, J. Caballero, C. Grier, V. Paxson, and D. Song, "Insights from the Inside: A View of Botnet Management from Infiltration," Proc. Third USENIX Conf. Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (USENIX LEET), 2010.
[5] V.L.L. Thing, M. Sloman, and N. Dulay, "A Survey of Bots Used for Distributed Denial of Service Attacks," Proc. SEC, pp. 229-240, 2007.
[6] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F.C. Freiling, "Measurements and Mitigation of Peer-to-Peer-Based Botnets: A Case Study on Storm Worm," Proc. First Usenix Workshop Large-Scale Exploits and Emergent Threats (LEET), 2008.
[7] M. Bailey, E. Cooke, F. Jahanian, Y. Xu, and M. Karir, "A Survey of Botnet Technology and Defenses," Proc. Cybersecurity Applications and Technology Conf. for Homeland Security, 2009.
[8] J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites," Proc. 11th Int'l Conf. World Wide Web (WWW), pp. 252-262, 2002.
[9] A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat, and P. Abry, "Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies," IEEE Trans. Dependable Secure Computing, vol. 4, no. 1, pp. 56-70, Jan.-Mar. 2007.
[10] G. Carl, G. Kesidis, R. Brooks, and S. Rai, "Denial-of-Service Attack-Detection Techniques," IEEE Internet Computing, vol. 10, no. 1, pp. 82-89, Jan./Feb. 2006.
[11] Y. Chen and K. Hwang, "Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis," J. Parallel Distributed Computing, vol. 66, no. 9, pp. 1137-1151, 2006.
[12] S. Kandula, D. Katabi, M. Jacob, and A. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds (Awarded Best Student Paper)," Proc. Second Symp. Networked Systems Design and Implementation (NSDI '05), 2005.
[13] Y. Xie and S.-Z. Yu, "A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors," IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 54-65, Feb. 2009.
[14] Y. Xie and S.-Z. Yu, "Monitoring the Application-Layer DDoS Attacks for Popular Websites," IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 15-25, Feb. 2009.
[15] G. Oikonomou and J. Mirkovic, "Modeling Human Behavior for Defense against Flash-Crowd Attacks," Proc. IEEE Int'l Conf. Comm., 2009.
[16] C. Patrikakis, M. Masikos, and O. Zouraraki, "Distributed Denial of Service Attacks," The Internet Protocol J., vol. 7, no. 4, pp. 13-35, 2004.
[17] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems," ACM Computing Survey, vol. 39, no. 1, pp. 123-128, 2007.
[18] D. Dagon, C. Zou, and W. Lee, "Modeling Botnet Propagation Using Time Zones," Proc. 13th Network and Distributed System Security Symp. (NDSS), 2006.
[19] P. Wang, S. Sparks, and C.C. Zou, "An Advanced Hybrid Peer-to-Peer Botnet," IEEE Trans. Dependable and Secure Computing, vol. 7, no. 2, pp. 113-127, Apr.-June 2010.
[20] M.A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging," Proc. First Conf. First Workshop Hot Topics in Understanding Botnets (HotBots '07), 2007.
[21] WorldCup98, html . 2011.
[22] V. Paxson and S. Floyd, "Wide Area Traffic: The Failure of Poisson Modeling," IEEE/ACM Trans. Networking, vol. 3, no. 3, pp. 226-244, June 1995.
[23] M.E. Crovella and A. Bestavros, "Self-Similarity in World Wide Web Traffic: Evidence and Possible Causes," IEEE/ACM Trans. Networking, vol. 5, no. 6, pp. 835-846, Dec. 1997.
[24] G. Cheng, "Malware FAQ: Analysis on DDoS Tool Stacheldraht v1.666," Stacheldraht.php. 2011.
[25] D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," ACM Trans. Computer Systems, vol. 24, no. 2, pp. 115-139, 2006.
30 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool