DDoS attack detection and wavelets

Lan Li, Kyung Ho Lee

Research output: Contribution to journal › Article

41 Citations (Scopus)

Abstract

This paper presents a systematic method for DDoS attack detection. A DDoS attack can be considered a system anomaly or misuse that imposes abnormal behavior on network traffic, so attack detection can be performed by identifying that abnormal behavior. Characterizing network traffic with a behavior model is therefore a good basis for attack detection. Aggregated traffic has been found to be strongly bursty across a wide range of time scales, and wavelet analysis is able to capture complex temporal correlation across multiple time scales with very low computational complexity. We utilize the energy distribution obtained from wavelet analysis to detect DDoS attack traffic. The energy distribution over time shows limited variation if the traffic keeps its behavior over time (i.e. in an attack-free situation), while the introduction of attack traffic into the network elicits a significant deviation in the energy distribution within a short time period. Our experimental results with a typical Internet traffic trace show that the energy distribution variance changes markedly, producing a "spike", when traffic behavior is affected by a DDoS attack. In contrast, normal traffic exhibits a remarkably stationary energy distribution. In addition, this spike in energy distribution variance can be captured in the early stages of an attack, far ahead of congestion build-up, making it an effective means of detecting the attack.
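The detection idea in the abstract, as an added worked example in Python (this is not the paper's code): a Haar wavelet decomposition gives the per-scale detail energy of each traffic window, those energies are normalized into a distribution across scales, and the detector tracks how much that distribution varies over the most recent windows, alerting when the variation exceeds a level calibrated on attack-free windows. The window length, step, number of scales, the use of energy fractions, the variance-over-recent-windows statistic, the calibration rule (ten times the largest attack-free value) and the synthetic packets-per-interval trace are all assumptions made here; the paper's actual parameters and statistic are not given on this page.

```python
"""Wavelet energy-distribution onset detector (illustrative; all parameters assumed)."""
import math


def haar_detail_energies(window, levels):
    """Mean squared Haar detail coefficient at scales 1..levels (1 = finest).

    Each level pairs adjacent samples: a = (x0 + x1)/sqrt(2) is carried to the
    next level, d = (x0 - x1)/sqrt(2) is the detail coefficient at this level.
    """
    if len(window) % (1 << levels) != 0:
        raise ValueError("window length must be a multiple of 2**levels")
    approx = list(window)
    energies = []
    for _ in range(levels):
        pairs = range(0, len(approx), 2)
        details = [(approx[i] - approx[i + 1]) / math.sqrt(2) for i in pairs]
        approx = [(approx[i] + approx[i + 1]) / math.sqrt(2) for i in pairs]
        energies.append(sum(d * d for d in details) / len(details))
    return energies


def energy_distribution(window, levels):
    """Fraction of total detail energy at each scale (sums to 1, or all zero)."""
    energies = haar_detail_energies(window, levels)
    total = sum(energies)
    if total == 0.0:
        return [0.0] * levels
    return [e / total for e in energies]


def _variance(values):
    """Population variance of a short list of floats."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def distribution_variance_series(series, window=128, step=8, levels=4, history=4):
    """Slide a window over the series; for each window (once `history` windows
    exist) sum, over scales, the variance of that scale's energy fraction across
    the last `history` windows. Returns a list of (window_end_index, statistic)."""
    dists, out = [], []
    for start in range(0, len(series) - window + 1, step):
        dists.append(energy_distribution(series[start:start + window], levels))
        if len(dists) >= history:
            recent = dists[-history:]
            stat = sum(_variance([d[j] for d in recent]) for j in range(levels))
            out.append((start + window - 1, stat))
    return out


def detect_onset(series, train_windows=20, factor=10.0, **kw):
    """Calibrate on the first `train_windows` statistics (assumed attack-free),
    then flag every later window whose statistic exceeds factor * training max.
    Returns (threshold, list of flagged window end indices)."""
    stats = distribution_variance_series(series, **kw)
    baseline = [s for _, s in stats[:train_windows]]
    threshold = factor * max(baseline)
    alerts = [end for end, s in stats[train_windows:] if s > threshold]
    return threshold, alerts


def _lcg(seed):
    """Tiny deterministic PRNG so the constructed trace is reproducible offline."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % (1 << 31)
        yield state / float(1 << 31)


def synthetic_trace(n=768, onset=320, ramp=32, flood=400.0, seed=7):
    """Constructed packets-per-interval series (not real traffic): a periodic
    bursty baseline (period-8 on/off pattern at 140/100 pkt/interval) with small
    jitter, then a flood that ramps up over `ramp` intervals starting at `onset`."""
    rnd = _lcg(seed)
    trace = []
    for t in range(n):
        base = 140.0 if (t % 8) < 4 else 100.0
        jitter = (next(rnd) * 2 - 1) * 10.0
        attack = 0.0
        if t >= onset:
            attack = flood * min(1.0, (t - onset) / ramp) + (next(rnd) * 2 - 1) * 15.0
        trace.append(base + jitter + attack)
    return trace


if __name__ == "__main__":
    trace = synthetic_trace()
    threshold, alerts = detect_onset(trace)
    first = alerts[0] if alerts else None
    print(f"threshold={threshold:.3e} first flagged window ends at interval {first}")
```

Run as a script it prints the calibrated threshold and the end index of the first flagged window. The constructed flood begins at interval 320, and the first window that overlaps the ramp is flagged while the flood is still far below full rate, which is the early-onset behaviour the abstract describes. Because the statistic is built from normalized energy fractions, a flood that has finished ramping and merely holds a higher mean rate barely moves it, so with these parameters the statistic settles back once the ramp has left the window; in practice this onset detector belongs beside a plain rate monitor rather than in place of one.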

Original language: English
Pages (from-to): 435-451
Number of pages: 17
Journal: Telecommunication Systems
Volume: 28
Issue number: 3-4
DOI: 10.1007/s11235-004-5581-0
Publication status: Published - 2005 Mar 1
Externally published: Yes

Fingerprint

Wavelet analysis
Computational complexity
Internet

Keywords

  • Attack detection
  • Distributed denial of service
  • Energy distribution
  • Traffic characterization
  • Wavelet analysis

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

DDoS attack detection and wavelets. / Li, Lan; Lee, Kyung Ho.

In: Telecommunication Systems, Vol. 28, No. 3-4, 01.03.2005, p. 435-451.

Li, Lan; Lee, Kyung Ho. DDoS attack detection and wavelets. In: Telecommunication Systems. 2005; Vol. 28, No. 3-4. pp. 435-451.

@article{0d34193479fd4715b41fb1898205b72f,
title = "DDoS attack detection and wavelets",
keywords = "Attack detection, Distributed denial of service, Energy distribution, Traffic characterization, Wavelet analysis",
author = "Li, Lan and Lee, {Kyung Ho}",
year = "2005",
month = "3",
day = "1",
doi = "10.1007/s11235-004-5581-0",
language = "English",
volume = "28",
pages = "435--451",
journal = "Telecommunication Systems",
issn = "1018-4864",
publisher = "Springer Netherlands",
number = "3-4",
}

TY - JOUR

T1 - DDoS attack detection and wavelets

AU - Li, Lan

AU - Lee, Kyung Ho

PY - 2005/3/1

Y1 - 2005/3/1

KW - Attack detection

KW - Distributed denial of service

KW - Energy distribution

KW - Traffic characterization

KW - Wavelet analysis

UR - http://www.scopus.com/inward/record.url?scp=17444397467&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=17444397467&partnerID=8YFLogxK

U2 - 10.1007/s11235-004-5581-0

DO - 10.1007/s11235-004-5581-0

M3 - Article

AN - SCOPUS:17444397467

VL - 28

SP - 435

EP - 451

JO - Telecommunication Systems

JF - Telecommunication Systems

SN - 1018-4864

IS - 3-4

ER -