Openly accessible

Discriminating DDoS flows from flash crowds using information distance

Yu, Shui, Thapngam, Theerasak, Liu, Jianwen, Wei, Su and Zhou, Wanlei 2009, Discriminating DDoS flows from flash crowds using information distance, in NSS 2009 : Proceedings of the third International Conference on Network and System Security, IEEE, Piscataway, N. J., pp. 351-356.

Attached Files
Name Description MIMEType Size Downloads
yu-discriminatingddosflows-2009.pdf Published version application/pdf 220.17KB 606

Title Discriminating DDoS flows from flash crowds using information distance
Author(s) Yu, Shui
Thapngam, Theerasak
Liu, Jianwen
Wei, Su
Zhou, Wanlei
Conference name Network and System Security International Conference (3rd : 2009 : Gold Coast, Queensland)
Conference location Gold Coast, Queensland
Conference dates 19-21 Oct. 2009
Title of proceedings NSS 2009 : Proceedings of the third International Conference on Network and System Security
Editor(s) Xiang, Yang
Lopez, Javier
Wang, Haining
Zhou, Wanlei
Publication date 2009
Conference series Network and System Security International Conference
Start page 351
End page 356
Total pages 6
Publisher IEEE
Place of publication Piscataway, N. J.
Keyword(s) DDoS Attack
Distance
Measurement
Summary Discriminating DDoS flooding attacks from flash crowds poses a tough challenge for the network security community. Because of the vulnerability of the original design of the Internet, attackers can easily mimic the patterns of legitimate network traffic to fly under the radar. The existing fingerprint or feature based algorithms are incapable of detecting new attack strategies. In this paper, we aim to differentiate DDoS attack flows from flash crowds. We are motivated by the following fact: the attack flows are generated by the same prebuilt program (attack tools); however, flash crowds come from randomly distributed users all over the Internet. Therefore, the flow similarity among DDoS attack flows is much stronger than that among flash crowds. We employ abstract distance metrics, the Jeffrey distance, the Sibson distance, and the Hellinger distance, to measure the similarity among flows to achieve our goal. We compared the three metrics and found that the Sibson distance is the most suitable one for our purpose. We apply our algorithm to the real datasets and the results indicate that the proposed algorithm can differentiate them with an accuracy around 65%.
Notes This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
ISBN 9780769538389
Language eng
Field of Research 080503 Networking and Communications
Socio Economic Objective 970108 Expanding Knowledge in the Information and Computing Sciences
HERDC Research category E1 Full written paper - refereed
Copyright notice ©2009, IEEE
Persistent URL http://hdl.handle.net/10536/DRO/DU:30029015

Document type: Conference Paper
Collections: School of Information Technology
Open Access Collection
 
Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Every reasonable effort has been made to ensure that permission has been obtained for items included in DRO. If you believe that your rights have been infringed by this repository, please contact drosupport@deakin.edu.au.

Access Statistics: 347 Abstract Views, 606 File Downloads
Created: Tue, 01 Jun 2010, 11:34:51 EST by Leanne Swaneveld
