In the present computer era, the vulnerabilities inherent in the Internet architecture enable many kinds of attacks. Distributed Denial of Service (DDoS) is one of the most prominent of these and a lethal threat to any Internet domain, because it exhausts the victim's computing and communication resources. Rising rates of legitimate traffic, and the flow-level similarity of legitimate and attack traffic, have made DDoS detection difficult despite the deployment of diverse defense solutions. ISPs are forced to invest heavily to counter such attacks, which has a significant impact on their finances. To provide uninterrupted, quality service to end users, ISPs need a distributed solution that detects attacks in a timely manner and discriminates them from behaviorally similar flash event (FE) traffic. Such distributed defense systems can be deployed at the source end, in the intermediate network, or at the victim end. Since the volume of traffic to be analyzed is very large, achieving high detection accuracy with low computational complexity is a standing challenge for any proposed defense. This paper proposes an ISP-level distributed, collaborative and automated defense system (D-CAD) that detects DDoS attacks and FEs and effectively distinguishes the two. D-CAD is also capable of categorizing FE traffic and has low computational complexity. The proposed system is validated in a software-defined networking (SDN) environment using the Mininet emulator. The results show that D-CAD outperforms its existing counterparts on various detection-system evaluation metrics.
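The abstract states that D-CAD discriminates DDoS traffic from flash events and the keywords point to information divergence, but the page does not give the D-CAD algorithm itself. The following is an added illustration, not the paper's code, of how a detector of this general class is typically structured: per-window source-IP distributions are compared against a baseline with Jensen-Shannon divergence to flag a surge, and the normalized entropy of per-source volume is then used to separate bot-like (near-uniform) from human-like (heavy-tailed) surges. The window representation, the two-stage rule, the thresholds and all traffic windows are assumptions constructed for this example.

```python
"""Entropy / Jensen-Shannon divergence traffic-window classifier.

Added illustration, not the D-CAD system of the paper.  All thresholds,
the window representation and the bot-versus-human 'evenness' rule are
assumptions made for this example.
"""
import math
from collections import Counter
from typing import Dict

# A window maps source IP -> packets sent toward the protected destination
# during one fixed time slot, as an ISP edge router might summarise from
# flow records.  Everything below is constructed, not captured traffic.
Window = Counter


def probabilities(window: Window) -> Dict[str, float]:
    """Empirical source-IP distribution p(src) = packets(src) / total."""
    total = sum(window.values())
    return {src: n / total for src, n in window.items()}


def shannon_entropy(p: Dict[str, float]) -> float:
    """H(p) in bits."""
    return -sum(v * math.log2(v) for v in p.values() if v > 0)


def normalized_entropy(window: Window) -> float:
    """H(p) / log2(#sources): 1.0 when every source sends the same volume."""
    n = len(window)
    if n < 2:
        return 0.0
    return shannon_entropy(probabilities(window)) / math.log2(n)


def js_divergence(p: Dict[str, float], q: Dict[str, float]) -> float:
    """Jensen-Shannon divergence in bits: 0 for identical distributions,
    1 when the supports are disjoint (e.g. an entirely new source set)."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}

    def kl(a: Dict[str, float], b: Dict[str, float]) -> float:
        return sum(a[k] * math.log2(a[k] / b[k]) for k in a if a[k] > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def classify(baseline: Window, current: Window,
             jsd_threshold: float = 0.3,
             evenness_threshold: float = 0.9) -> str:
    """Two-stage rule (assumed for this example):
    1. a large divergence from the baseline source distribution flags a
       surge of unfamiliar sources (attack or flash crowd alike);
    2. within a surge, near-uniform per-source volume (normalized entropy
       close to 1) is treated as bot-like, heavy-tailed volume as human-like.
    """
    jsd = js_divergence(probabilities(baseline), probabilities(current))
    if jsd < jsd_threshold:
        return "normal"
    if normalized_entropy(current) >= evenness_threshold:
        return "ddos"
    return "flash_event"


# Constructed windows.  Baseline: 20 known clients with mixed volumes.
BASELINE = Counter({f"10.0.1.{i}": 1 + 2 * (i % 4) for i in range(20)})
# Normal next window: same clients, slightly different volumes.
NORMAL = Counter({src: n + 1 if n == 1 else n for src, n in BASELINE.items()})
# Flash event: 500 new clients, 50 heavy users and 450 one-packet visitors.
FLASH = Counter({f"10.0.{2 + i // 250}.{i % 250}": 50 if i < 50 else 1
                 for i in range(500)})
# Botnet flood: 500 new sources each sending almost exactly the same amount.
DDOS = Counter({f"172.16.{i // 250}.{i % 250}": 40 + i % 3 for i in range(500)})


def demo() -> Dict[str, str]:
    """Classify each constructed window against the baseline."""
    return {name: classify(BASELINE, w)
            for name, w in (("normal", NORMAL), ("flash", FLASH), ("ddos", DDOS))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>6}: {verdict}")
```

Two caveats a practitioner should keep in mind. First, the thresholds have to be calibrated per vantage point: a Tier-2 ISP router sees a different baseline mix than a victim-end sensor, and in a collaborative deployment the per-router windows are what get aggregated before any verdict. Second, a single evenness feature is not robust on its own: a botnet that randomizes per-bot rates to mimic a heavy-tailed crowd would pass the second stage, which is why published discriminators combine several flow features rather than one.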
This research work has been supported by the All India Council for Technical Education (AICTE), New Delhi, India, under the Research Promotion Scheme (RPS), Grant No. 8023/RID/RPS-93/2011-12.
Bhandari, A., Kumar, K., Sangal, A.L. et al. An anomaly based distributed detection system for DDoS attacks in Tier-2 ISP networks. J Ambient Intell Human Comput 12, 1387–1406 (2021). https://doi.org/10.1007/s12652-020-02208-3
- DDoS attacks
- Network security
- Information divergence
- Flash events