Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

Author

Li, Ke ; Zhou, Wanlei ; Li, Ping ; Hai, Jing ; Liu, Jianwen

Author_Institution

Sch. of Eng. & Inf. Technol., Deakin Univ., Melbourn, VIC, Australia

fYear

2009

fDate

19-21 Oct. 2009

Firstpage

9

Lastpage

17

Abstract

Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of Internet traffic, however Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to Internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these methods can not only distinguish DDoS attacks from Flash crowds clearly, but also can distinguish the anomaly flow being DDoS attacks flow or being Flash crowd flow from Normal network flow effectively. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

Keywords

Internet; probability; telecommunication security; telecommunication traffic; Internet security; Internet stability; Internet traffic; distributed denial-of-service attack; flash crowd; normal network flow; probability metrics; Algorithm design and analysis; Computer crime; Detection algorithms; Floods; Information security; Information technology; Internet; Probability distribution; Telecommunication traffic; Traffic control; DDoS; Flash crowd; Probability metrics;

fLanguage

English

Publisher

ieee

Conference_Titel

Network and System Security, 2009. NSS '09. Third International Conference on

Conference_Location

Gold Coast, QLD

Print_ISBN

978-1-4244-5087-9

Electronic_ISBN

978-0-7695-3838-9

Type

conf

DOI

10.1109/NSS.2009.35

Filename

5319006