Adaptive distributed mechanism against flooding network attacks based on machine learning
Full text: PDF (265 KB)
Source: Conference on Computer and Communications Security archive. Proceedings of the 1st ACM workshop on AISec, Alexandria, Virginia, USA. Session: Network security. Pages 43-50. Year of publication: 2008. ISBN: 978-1-60558-291-7.
Authors
Josep L. Berral, Technical University of Catalonia (UPC), Barcelona, Spain
Nicolas Poggi, Technical University of Catalonia (UPC), Barcelona, Spain
Javier Alonso, Barcelona Supercomputing Center (BSC) - Technical University of Catalonia (UPC), Barcelona, Spain
Ricard Gavaldà, Technical University of Catalonia (UPC), Barcelona, Spain
Jordi Torres, Barcelona Supercomputing Center (BSC) - Technical University of Catalonia (UPC), Barcelona, Spain
Manish Parashar, Rutgers University, New Jersey, USA
ABSTRACT
Adaptive techniques based on machine learning and data mining are gaining relevance in self-management and self-defense for networks and distributed systems. In this paper, we focus on the early detection and stopping of distributed flooding attacks and network abuses. We extend the framework proposed by Zhang and Parashar (2006) to cooperatively detect and react to abnormal behaviors before the target machine collapses and network performance degrades. In this framework, nodes in an intermediate network share information about their local traffic observations, improving their global traffic perspective. In our proposal, we add to each node the ability to learn independently, so that it reacts differently according to its position in the network and its local traffic conditions. In particular, this frees the administrator from having to guess and manually set the parameters that distinguish attacks from non-attacks: such thresholds are now learned from experience or past data. We expect our framework to detect distributed flooding attacks faster and more accurately than static filters or single-machine adaptive mechanisms. We show simulations in which we indeed observe a high rate of stopped attacks with minimal disturbance to legitimate users.
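The abstract rests on two ideas: each node learns its own attack/non-attack threshold from past traffic instead of an administrator guessing it, and nodes share their local observations so that a flood spread thinly across many paths is still caught early. The Python below is an added illustration of those two ideas written for this page; it is not code from the paper or its authors, and the abstract does not give the paper's concrete detector or fusion rule. It assumes a one-sided CUSUM on packet rate (a change-detection statistic that the paper's reference list points at) as the per-node detector, a baseline learned from an attack-free training window, and a hypothetical cooperative rule that pools neighbours' normalised CUSUM values. All traffic figures are constructed.

```python
"""Per-node adaptive flood detection with cooperative aggregation.

Added illustration, not the paper's code. Assumed design: each node learns
a baseline (mean, std dev) of its packet rate from past attack-free traffic,
monitors new traffic with a one-sided CUSUM, and shares its normalised CUSUM
value with neighbours so a distributed flood can be caught before any single
node trips its own threshold. Thresholds are expressed in units of the
node's own standard deviation, so a noisy link tolerates larger swings than
a quiet one without the administrator tuning anything by hand.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class NodeDetector:
    name: str
    k_sigma: float = 3.0   # allowance: shifts below k are treated as noise
    h_sigma: float = 5.0   # local decision threshold, in std devs
    mu: float = 0.0        # learned baseline mean (packets/s)
    sigma: float = 1.0     # learned baseline std dev
    cusum: float = 0.0     # running CUSUM statistic
    alarm: bool = False    # current local alarm state

    def train(self, history: List[float]) -> None:
        """Learn the baseline from past traffic assumed to be attack-free."""
        if len(history) < 2:
            raise ValueError("need at least two samples to learn a baseline")
        self.mu = mean(history)
        # A perfectly constant history would make every deviation look huge;
        # fall back to a unit std dev rather than alarm on the first sample.
        self.sigma = pstdev(history) or 1.0
        self.cusum = 0.0
        self.alarm = False

    def observe(self, rate: float) -> bool:
        """Feed one packet-rate sample; returns the new local alarm state."""
        k = self.k_sigma * self.sigma
        h = self.h_sigma * self.sigma
        # One-sided CUSUM: accumulate positive excess over (mu + k), floor at 0.
        self.cusum = max(0.0, self.cusum + (rate - self.mu) - k)
        self.alarm = self.cusum > h
        return self.alarm

    def shared_evidence(self) -> float:
        """What the node tells its neighbours: CUSUM in units of its own sigma."""
        return self.cusum / self.sigma


def cooperative_decision(local: NodeDetector, neighbours: List[NodeDetector],
                         coop_h: float = 5.0) -> bool:
    """Hypothetical fusion rule (an assumption, not the paper's): react if
    locally alarmed, or if the pooled normalised evidence from this node and
    its neighbours exceeds coop_h even though every node is individually
    below its own threshold."""
    pooled = local.shared_evidence() + sum(n.shared_evidence() for n in neighbours)
    return local.alarm or pooled > coop_h


# Constructed attack-free training windows (packets/s); both average 100,
# but the second link is far noisier.
QUIET_HISTORY = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
NOISY_HISTORY = [100, 110, 90, 105, 95, 100, 112, 88, 100, 100]


def single_target_scenario() -> Dict[str, List[bool]]:
    """A burst aimed at one target: the quiet node A trips at 130 pkt/s,
    while the noisy node B, which learned a wider tolerance, stays silent."""
    a, b = NodeDetector("A"), NodeDetector("B")
    a.train(QUIET_HISTORY)
    b.train(NOISY_HISTORY)
    burst = [101, 99, 100, 130, 140]
    return {"A": [a.observe(r) for r in burst], "B": [b.observe(r) for r in burst]}


def distributed_scenario() -> Dict[str, Optional[int]]:
    """A flood spread thinly over three quiet nodes: +7 pkt/s each stays
    below every local threshold for the whole window, but the pooled
    evidence trips the cooperative rule at the second sample (index 1)."""
    nodes = [NodeDetector(n) for n in "ABC"]
    for n in nodes:
        n.train(QUIET_HISTORY)
    local_first: Optional[int] = None
    coop_first: Optional[int] = None
    for step in range(4):
        for n in nodes:
            n.observe(107)
        if local_first is None and any(n.alarm for n in nodes):
            local_first = step
        if coop_first is None and cooperative_decision(nodes[0], nodes[1:]):
            coop_first = step
    return {"local_first_alarm": local_first, "cooperative_first_alarm": coop_first}


if __name__ == "__main__":
    print(single_target_scenario())
    print(distributed_scenario())
```

The two scenarios show the properties the abstract claims for the approach: the same absolute rate (130 pkt/s) is an anomaly for a node with a quiet baseline and normal for a node with a noisy one, because each threshold is derived from that node's own history; and a distributed flood that never crosses any single learned threshold is still detected once the nodes pool what they observe. The pooling rule and the 5-sigma constants are arbitrary choices for the illustration.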
REFERENCES
1. N. S. A. Quiroz and M. Parashar. Decentralized clustering analysis and online anomaly detection for peer grid systems. Technical Report, CAIP, Rutgers University, 2006.
2. D. Dittrich. The DoS Project's "trinoo" distributed denial of service attack tool, October 1999.
3. [reference text missing from the extracted page]
4. [reference text missing from the extracted page]
5. [reference text missing from the extracted page]
6. A. Keromytis, V. Misra, and D. Rubenstein. Using overlays to improve network security. In Proceedings of the SPIE ITCom Conference on Scalability and Traffic Control in IP Networks II, 2002.
7. M. S. Srivastava and Y. Wu. Comparison of EWMA, CUSUM and Shiryayev-Roberts procedures for detecting a shift in the mean. Annals of Statistics, 21:645-670, 1993.
8. S. Noh, C. Lee, K. Choi, and G. Jung. Detecting distributed denial of service (DDoS) attacks through inductive learning. In IDEAL, pages 286-295, 2003.
9. R. Nou, J. Guitart, V. Beltran, D. Carrera, L. Montero, J. Torres, and E. Ayguade. Simulating complex systems with a low-detail model. In Proceedings of the 16th Parallelism Meeting 2005, Spain, 2005.
10. N. Poggi, T. Moreno, J. L. Berral, R. Gavaldà, and J. Torres. Web customer modeling for automated session prioritization on high traffic sites. In Proceedings of the 11th International Conference on User Modeling, Corfu, Greece, July 25-29, 2007. doi:10.1007/978-3-540-73078-1_63
11. K. Rieck and P. Laskov. Language models for detection of unknown attacks in network traffic. Journal in Computer Virology, 2(4):243-256, 2007.
12. W. W. Streilein, D. J. Fried, and R. K. Cunningham. Detecting flood-based denial-of-service attacks with SNMP/RMON. In Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Fairfax, Virginia, USA, 2003.
13. A. Varga. The OMNeT++ discrete event simulation system. In Proceedings of the European Simulation Multiconference, pages 319-324, Prague, Czech Republic, June 2001. SCS - European Publishing House.
14. H. Wang, D. Zhang, and K. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM 2002, 2002.
15. S. Williams, B. Parry, and M. Schlup. Quality control: an application of the CUSUM. British Medical Journal, 1992.
16. G. Zhang and M. Parashar. Cooperative defense against DDoS attacks. Journal of Research and Practice in Information Technology (JRPIT), Australian Computer Society Inc., February 2006.