Sensitivity Evaluation of Exponential Smoothing Predictors for Flooding Attack Detection
Abstract
This paper analyzes the sensitivity of the exponential smoothing predictors typically used to detect Distributed Denial of Service (DDoS) flooding attacks. We compare two predictors, EWMA and Holt-Winters, and evaluate their detection accuracy under different settings and scenarios. Performance is measured in terms of false positive and false negative ratios. We insert attacks into real IP traces (MAWILab) and into real traffic samples from RNP's WAN backbone to simulate different levels of flooding. The simulations show that optimizing the predictors' parameters yields better results.
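As an added illustration of the detector family the abstract describes (this is not the paper's own code or data), the following script builds one-step EWMA and additive Holt-Winters predictors, raises an alarm when the observed volume exceeds the forecast by a fixed margin, and reports false positive and false negative ratios on a constructed diurnal packet-count series with a synthetic flood inserted. The baseline shape, flood size, smoothing factors and threshold are assumptions, chosen so that a sluggish EWMA (alpha 0.05) trips on the diurnal swing while a tuned one (alpha 0.3) does not.

```python
# Added example (not the paper's code): EWMA and additive Holt-Winters one-step
# predictors as flooding detectors on a constructed trace; all values are assumptions.
import math

def ewma_forecasts(series, alpha):
    """Forecast for series[t] is the smoothed level built from series[:t]."""
    out, level = [], series[0]
    for x in series:
        out.append(level)
        level = alpha * x + (1 - alpha) * level
    return out

def holt_winters_forecasts(series, alpha, beta, gamma, period):
    """Additive Holt-Winters: level + trend + seasonal index, one step ahead."""
    level, trend, seasonal, out = series[0], 0.0, [0.0] * period, []
    for t, x in enumerate(series):
        s = seasonal[t % period]
        out.append(level + trend + s)
        new_level = alpha * (x - s) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[t % period] = gamma * (x - new_level) + (1 - gamma) * s
        level = new_level
    return out

def flag_floods(series, forecasts, threshold, warmup):
    """Alarm when observed volume exceeds the forecast by more than threshold."""
    return [t >= warmup and x - f > threshold
            for t, (x, f) in enumerate(zip(series, forecasts))]

def error_ratios(flags, truth, warmup):
    """False positive ratio over normal intervals, false negative over attack ones."""
    pairs = list(zip(flags, truth))[warmup:]
    normal = [f for f, a in pairs if not a]
    attack = [f for f, a in pairs if a]
    return sum(normal) / len(normal), (len(attack) - sum(attack)) / len(attack)

# Constructed trace: 5 "days" of 24 intervals with a diurnal packet-count baseline
# and a +600 packets/interval flood inserted into intervals 80..89.
PERIOD, WARMUP = 24, 48
BASELINE = [1000 + 300 * math.sin(2 * math.pi * t / PERIOD) for t in range(5 * PERIOD)]
TRUTH = [80 <= t < 90 for t in range(len(BASELINE))]
TRACE = [x + 600 if a else x for x, a in zip(BASELINE, TRUTH)]

def evaluate(forecasts, threshold=250):
    """(FP ratio, FN ratio) of a detector built on the given forecasts."""
    return error_ratios(flag_floods(TRACE, forecasts, threshold, WARMUP), TRUTH, WARMUP)

if __name__ == "__main__":   # sluggish vs. tuned EWMA, then Holt-Winters
    for fc in (ewma_forecasts(TRACE, 0.05), ewma_forecasts(TRACE, 0.3),
               holt_winters_forecasts(TRACE, 0.3, 0.1, 0.3, PERIOD)):
        print("FP=%.3f FN=%.3f" % evaluate(fc))
```

The tuned EWMA catches only the first two flood intervals before its level absorbs the excess, which is the false-negative side of the trade-off the abstract refers to; lowering the threshold or alpha reduces misses at the cost of alarms on the diurnal swing.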