High Performance DDoS Attack Detection System Based on Distribution Statistics
Nowadays, web servers often face the threat of distributed denial of service (DDoS) attacks, and their intrusion prevention systems cannot detect those attacks effectively. Many existing intrusion prevention systems detect attacks from per-flow state, and their current processing speed cannot meet the requirements of real-time detection under high-speed traffic. In this paper, we propose TreeSketchShield, a system that improves on the sketch data structure and detects attacks quickly. First, we discuss a novel structure, TreeSketch, for obtaining statistics of network flows; it utilizes the stepped structure of a binary tree to map the distribution and reduces the complexity of the statistic calculation. Second, we present a two-level detection scheme that trades off detection speed against detection accuracy. Experimental results show that our method can process more than 100,000 records per second, and the false alarm rate achieves a 2% to 25% performance improvement.
Keywords: DDoS attack, Intrusion prevention system, Sketch data structure, Real-time
This work is supported in part by the National Key Research and Development Program of China under grant No. 2016QY02D0302, the Fundamental Research Funds for the Central Universities (HUST No. 3020210111).
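The abstract describes a sketch whose counters sit in a binary tree so that distribution statistics can be updated cheaply, and a two-level scheme that runs a fast coarse check before a more expensive one. The following is an added illustration of that idea, not the paper's TreeSketch or TreeSketchShield code: it keeps hashed per-source counters at the leaves of a complete binary tree with subtree sums in the internal nodes, uses the traffic share of the heaviest node a few levels below the root as the cheap first-level check, and computes leaf-level entropy only when that check fires. Class and function names, the hash choice, the depth and the thresholds are all assumptions made for the example.

```python
import hashlib
import math

class TreeSketch:
    """Hashed counters at the leaves of a complete binary tree; every internal
    node stores the sum of its subtree, so an update costs O(depth) and the
    coarse skew check reads only one tree level (illustrative design)."""
    def __init__(self, depth):
        self.depth = depth
        self.leaves = 1 << depth
        self.tree = [0] * (2 * self.leaves)   # tree[1] is the root, leaves start at self.leaves

    def _leaf(self, key):
        h = hashlib.blake2b(key.encode(), digest_size=8).digest()
        return self.leaves + int.from_bytes(h, "big") % self.leaves

    def add(self, key, count=1):
        i = self._leaf(key)
        while i >= 1:            # walk from the leaf up to the root
            self.tree[i] += count
            i //= 2

    def total(self):
        return self.tree[1]

    def coarse_skew(self, level=3):
        """First-level check: share of all traffic held by the heaviest node `level` steps below the root."""
        t = self.total()
        if t == 0:
            return 0.0
        return max(self.tree[1 << level:1 << (level + 1)]) / t

    def leaf_entropy(self):
        """Second-level check: Shannon entropy of the leaf distribution, normalized to [0, 1]."""
        t = self.total()
        if t == 0:
            return 1.0
        h = 0.0
        for c in self.tree[self.leaves:]:
            if c:
                p = c / t
                h -= p * math.log2(p)
        return h / self.depth    # log2(number of leaves) == depth is the maximum

def detect(sketch, skew_threshold=0.5, entropy_threshold=0.6):
    """Two-level scheme: the cheap skew test gates the entropy computation."""
    if sketch.coarse_skew() < skew_threshold:
        return "normal"
    return "attack" if sketch.leaf_entropy() < entropy_threshold else "normal"
```

With 1000 constructed distinct sources sending one record each the skew stays near 1/8, and adding 5000 records from a single source pushes the skew past the threshold and the normalized entropy well below it.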