High Performance DDoS Attack Detection System Based on Distribution Statistics

  • Xia Xie
  • Jinpeng Li
  • Xiaoyang Hu
  • Hai Jin
  • Hanhua Chen
  • Xiaojing Ma
  • Hong Huang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11783)


Nowadays, web servers often face the threat of distributed denial of service (DDoS) attacks, and their intrusion prevention systems cannot detect those attacks effectively. Many existing intrusion prevention systems detect attacks from per-flow state, and their current processing speed cannot fulfill the requirements of real-time detection on high-speed traffic. In this paper, we propose a powerful system, TreeSketchShield, which improves the sketch data structure and detects attacks quickly. First, we discuss a novel structure, TreeSketch, for obtaining statistics of network flow; it utilizes the stepped structure of a binary tree to map the distribution and reduces the complexity of the statistic calculation. Second, we present a two-level detection scheme that makes a compromise between detection speed and detection accuracy. Experimental results show that our method can process more than 100,000 records per second. The false alarm rate can achieve 2% to 25% performance improvement.


Keywords: DDoS attack; Intrusion prevention system; Sketch data structure; Real-time



This work is supported in part by the National Key Research and Development Program of China under grant No. 2016QY02D0302, the Fundamental Research Funds for the Central Universities (HUST No. 3020210111).



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Xia Xie (1)
  • Jinpeng Li (1)
  • Xiaoyang Hu (1)
  • Hai Jin (1)
  • Hanhua Chen (1)
  • Xiaojing Ma (1)
  • Hong Huang (1)

  1. National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
