One step ahead to multisensor data fusion for DDoS detection

Journal of Computer Security

Volumn 13, Issue 5, 2005, Pages 779-806

  Siaterlis, Christos ^a   Maglaris, Vasilis ^a  

^a NATIONAL TECHNICAL UNIVERSITY OF ATHENS   (Greece)

Author keywords

Anomaly detection; Data fusion; Denial of Service attacks; Security

Indexed keywords

BANDWIDTH; COMPUTER CRIME; EXPERT SYSTEMS; NEURAL NETWORKS; SECURITY OF DATA; TELECOMMUNICATION LINKS; TELECOMMUNICATION TRAFFIC;

ANOMALY DETECTION; DATA FUSION; DDOS DETECTION; DENIAL OF SERVICE ATTACKS;

SENSOR DATA FUSION;

EID: 28844473551     PISSN: 0926227X     EISSN: None     Source Type: Journal    
DOI: 10.3233/JCS-2005-13505     Document Type: Conference Paper

References (69)

1. Y. Afek Riverhead, R. Brooks Cisco and N. Fischbach, MPLS-based synchronous traffic shunt, Presentation at 28th NANOG Meeting, 2003.
2. A. Akella, A. Bharambe, M. Reiter and S. Seshan, Detecting DDoS attacks on ISP networks, in: ACM SIGMOD/PODS Workshop on Management and Processing of Data Streams [MPDS], 2003.
3. S.C. Byun, D.B. Choi and B.H. Ahn, Traffic incident detection using evidential reasoning based data fusion, in: Proceeding of the 6th World Congress on Intelligent Transport Systems, Toronto, Canada, 1999.
4. Arbor Networks, The peakflow platform, http://www.arbornetworks.com.
5. P. Barford, J. Kline, D. Plonka and A. Ron, A signal analysis of network traffic anomalies, in: Internet Measurement Workshop, 2002.
6. P. Barford and D. Plonka, Characteristics of network traffic flow anomalies, in: Proceedings of the First ACM SIGCOMM Internet Measurement Workshop, New York, ACM Press, 2001, pp. 69-74.
7. J. Barlow and W. Thrower, TFN2K - an analysis, March 2000, http://packetstormsecurity.com/distributed/TFN2k_Analysis-1.3.txt.
8. T. Bass, Intrusion detection systems and multisensor data fusion. Communications of the ACM 43(4) (2000), 99-105.
9. M. Behringer, Tracing DoS attacks, in: Hi Tech 2002 Workshop, Limmerick, IE, 2002.
10. S. Bellovin, M. Leech and T. Taylor, The ICMP traceback message, Oct. 2001.
11. R. Blazek, H. Kim, B. Rozovskii and A. Tartakovsky, A novel approach to detection of denial of service attacks via adaptive sequential and batch-sequential change-point detection methods, in: IEEE Workshop on Information Assurance and Security, 2001, pp. 220-226.
12. Broadbandreports.com, Osirusoft MlA? Spammers cripple popular blacklist, http://www. broadbandreports.com/shownews/31856.
13. C. Morrow, T. Battles and D. McPherson, Customer-triggered real time blackhole, Presentation at 30th NANOG Meeting, 2004.
14. J.B.D. Cabrera, L. Lewis, X. Qin, W. Lee, R.K. Prasanth, B. Ravichandran and R.K. Mehra, Proactive detection of distributed denial of service attacks using MIB traffic variables - A feasibility study, in: Proceedings of International Symposium on Integrated Network Management, 2001.
15. B. Caswell and M. Roesch, Snort: The open source network intrusion detection system, http://www.snort.org.
16. CERT/CC, Cert advisory ca-2003-20 w32/blaster worm, August 2003, http://www.cert.org/advisories/CA-2003-20.html.
17. I. Charitakis, D. Pnevmatikatos, E. Markatos and K. Anagnostakis, S2I: a tool for automatic rule match compilation for the IXP network processor, in: Proceedings of the 7th International Workshop on Software and Compilers for Embedded Systems (SCOPES 2003), Vienna, 2003.
18. C.-M. Cheng, H. Kung and K.-S. Tan, Use of spectral analysis in defense against DoS attacks, in: Proceedings of IEEE GLOBECOM, Division of Engineering and Applied Science Harvard University, 2002.
19. CISCO, Netflow, http://www.cisco.com/go/netflow.
20. CISCO, Remote triggered black hole filtering, ftp://ftp-eng.cisco.com/ cons/isp/security/.
21. CISCO, Unicast reverse path forwarding enhancements for the ISP-ISP edge, ftp://ftp-eng.dsco.com/cons/isp/security/URPF-ISP.pdf.
22. CISCO, Using CAR during DoS attacks, http://www.cisco.com/warp/public/63/ car_rate_limit_icmp.html.
23. J. Coppens, E. Markatos, J. Novotny, M. Polychronakis, V. Smotlacha and S. Ubik, Scampi - a scaleable monitoring platform for the Internet, in: 2nd International Workshop on Inter-Domain Performance and Simulation (IPS 2004), Budapest, Hungary, 2004.
24. Cs3. Inc., MANAnet DDoS white papers, http://www.cs3-inc.com/mananet. html.
25. D.A. Curry and H. Debar, Intrusion detection message exchange format data model and extensible markup language (XML) document type definition. Internet Draft draft-ietf-idwg-requirements10.txt, Nov. 2002. Work-in-progress.
26. D. Dean, M. Franklin and A. Stubblefield, An algebraic approach to IP traceback, ACM Transactions on Information and System Security 5(2) (2002), 119-137.
27. C. Estan, S. Savage and G. Varghese, Automatically inferring patterns of resource consumption in network traffic, in : Proceedings of the ACM SIGCOMM Conference, Karlsruhe, Germany, 2003.
28. B.S. Feinstein, G.A. Matthews and J.C.C. White, The intrusion detection exchange protocol (IDXP). Internet Draft draft-ietf-idwg-beep-idxp-07.txt, Oct. 2002, Work-in-progress.
29. P. Ferguson and D. Senie, RFC2827 network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, May 2000.
30. T.M. Gil and M. Poletto, MULTOPS: A data-structure for bandwidth attack detection, in: Proceedings of the 10th USENIX Security Symposium, 2001, USENIX, ed., Washington, DC, USA, Berkeley, CA, USA, USENIX, 2001.
31. A. Habib, M. Hefeeda and B. Bhargava, Detecting service violations and DoS attacks, in: Network and Distributed System Security Symposium Conference Proceedings, Internet Society, 2003.
32. M.T. Hagan and M. Menhaj, Training feedforward networks with the Marquardt algorithm, IEEE Transactions on Neural Networks 5(6) (1994), 989-993.
33. D. Hall, Mathematical Techniques in Multisensor Data Fusion, Artech House, Norwood, MA, 1992.
34. A. Hussain, J. Heidemann and C. Papadopoulos, Identification of repeated attack scenarios using network traffic forensics, Technical Report ISI-TR-2003-577, USC/Information Sciences Institute, August 2003.
35. A. Hussain, C. Papadopoulos and J. Heidemann, A framework for classifying denial of service attacks, in: Proceedings of ACM SIGCOMM 2003, 2003.
36. J. Ioannidis and S.M. Bellovin, Implementing pushback: Router-based defense against DDoS attacks, in: Proceedings of Network and Distributed System Security Symposium, San Diego, California, The Internet Society, 2002.
37. J. Ioannidis, R. Mahajan, S. Floyd, S. Shenker, S.M. Bellovin and V. Paxson, Controlling high bandwidth aggregates in the network, Computer Communications Review 32(3) (2002), 62-73.
38. ISC/UMD/Cogent, Operational report: Events of 21-oct-2002, http://d.root-servers.org/october21.txt.
39. ITworld.com, Al-Jazeera hobbled by DDoS attack, http://www.itworld.com/ Sec/3834/030327aljazeera/.
40. J. Jiang and S. Papavassiliou, Detecting network attacks in the internet via statistical network traffic normality prediction, Journal of Network and Systems Management 12 (March) (2004), 51-72. Special Issue: Security and Management.
41. J. Llinas and E. Waltz, Multisensor Data Fusion, Artech House, Norwood, MA, 1990.
42. J. Jung, B. Krishnamurthy and M. Rabinovich, Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites, in: Proceedings of the International World Wide Web Conference, IEEE, 2002, pp. 252-262.
43. J. Kohlas and P. Monney, Theory of evidence - a survey of its mathematical foundations, applications and computational analysis, ZOR - Mathematical Methods of Operations Research 39 (1994), 35-68.
44. A. Kukarni, S. Bush and S. Evans, Detecting distributed denial-of-service attacks using Kolmogorov complexity metrics, GE CRD Technical Report 2001 CRD176, Dec. 2001.
45. H. Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, in: Proceedings of ACM SIGCOMM 2001, 2001.
46. L. Li and G. Lee, DDoS attack detection and wavelets, in: 12th International conference on Computer Communications and Networks (ICCCN), Dallas, TX, USA, 2003.
47. C. Lund, M. Thorup and N. Duffield, Properties and prediction of flow statistics, in: Internet Measurement Workshop 2002, 2002.
48. C. Manikopoulos and S. Papavassiliou, Network intrusion and fault detection: a statistical anomaly approach, IEEE Communications Magazine 40 (Oct.) (2002), 76-82. Issue: 10, ISSN: 0163-6804.
49. Mazu Networks, White papers, http://www.mazunetworks.com/solutions/ white_papers/.
50. J. Mirkovic, G. Prier and P. Reiher, Attacking DDoS at the source, in: Proceedings of ICNP, Paris, France, 2002, pp. 312-321.
51. J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communications Review 34 (Apr.) (2004).
52. S. Mohiuddin, S. Hershkop, R. Bhan and S.J. Stolfo, Defending against a large scale DoS attack, in: Proceedings of the 3rd Annual IEEE Information Assurance Workshop, 2002.
53. D. Moore, G.M. Voelker and S. Savage, Inferring internet Denial-of-Service activity, in: 10th USENIX Security Symposium, 2001, pp. 9-22.
54. T. Oetiker, About RRDtool, http://people.ee.ethz.ch/oetiker/webtools/ rrdtool.
55. T. Peng, C. Leckie and R. Kotagiri, Proactively detecting DDoS attack using source IP address monitoring, in: Networking 2004, Athens, Greece, 2004.
56. T. Peng, C. Leckie and K. Ramamohanarao, Detecting distributed denial of service attacks by sharing distributed beliefs, in: 8th Australasian Conference on Information Security and Privacy, Wollongong, Australia, 2003.
57. G.C. Polyzos, H. Werner Braun and K.C. Claffy, Application of sampling methodologies to network traffic characterization, in: ACM SIGCOMM, 1993, pp. 194-203.
58. A. Ramanarran, WADES: A tool for Distributed Denial of Service attack detection, 2002.
59. S. Romig, M. Fullmer and R. Luman, The OSU Flow-tools package and CISCO NetFlow logs, in: Proceedings of 14th Systems Administmtion Conference (LISA 2000), 2000, pp. 291-303.
60. S. Savage, D. Wetherall, A. Karlin and T. Anderson, Practical network support for IP traceback, in: Proceedings of the 2000 ACM SIGCOMM Conference, 2000.
61. G. Shafer, A Mathematical Theory of Evidence, Princeton University Press, Princeton, 1976.
62. C. Siaterlis and B. Maglaris, Detecting DDoS attacks with passive measurement based heuristics, in: Proceedings of the 9th IEEE Symposium on Computers and Communications (ISCC'2004), Alexandria, Egypt, 2004.
63. C. Siaterlis and B. Maglaris, Towards multisensor data fusion for DoS detection, in: Proceedings of ACM SAC '04, Nicosia, Cyprus, 2004.
64. C. Siaterlis and B. Maglaris, Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics, in: Proceedings of the 10th IEEE Symposium on Computers and Communications, 2005.
65. A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S.T. Kent and W.T. Stayer, Hash-based IP traceback, in: Proceedings of the ACM SIGCOMM 2001 Conference, Volume 31, 4 of Computer Communication Review, New York, ACM Press, 2001, pp. 3-14.
66. D.X. Song and A. Perrig, Advanced and authenticated marking schemes for IP traceback, in: Proceedings of the Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM-01), Los Alamitos, CA, IEEE Computer Society, 2001, pp. 878-886.
67. K. Tomsovic and B. Baer, Fuzzy information approaches to equipment condition monitoring and diagnosis, Electric Power Applications of Fuzzy Systems, IEEE Press, 1998, pp. 59-84.
68. H. Wang, D. Zhang and K.G. Shin, Detecting SYN flooding attacks, in: Proceedings of the 21st Annual Joint Conference of the IEEE Computer and Communications Society, Volume 3 of Proceedings IEEE INFOCOM 2002, Piscataway, NJ, USA, 2002, pp. 1530-1539.
69. H. Wu, M. Siegel, R. Stiefelhagen and J. Yang, Sensor fusion using Dempster-Shafer theory, in: Proceedings of IEEE Instrumentation and Measurement Technology Conference, Anchorage, AK, USA, IEEE, 2002.