Data Mining Approaches for IP Address Clustering

  • Madeleine Victoria Kongshavn
  • Anis YazidiEmail author
  • Hårek Haugerud
  • Hugo Hammer
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 221)


Distributed Denial of Service (DDoS) attacks have for the last two decades been among the greatest threats facing the internet infrastructure. Mitigating DDoS attacks is a particularly challenging task as an attacker masks the attack traffic among legitimate users. Mitigation approaches within DDoS has therefore often been investigated within the field of anomaly intrusion detection. This means that even a successful mitigation approach will risk a high disregard of legitimate users. This article proposes to use data mining and machine learning approaches to find unique hidden data structures which keep a high degree of accepted legitimate traffic, while still being able to remove illegitimate and irrelevant data traffic which don’t follow the hidden structure. In this perspective, we devise and evaluate two novel IP Address clustering algorithms for DDoS mitigation, namely, Geographical Clustering (GC) and Reduced Geographical Clustering (RGC).


  1. 1.
    Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. (TOCS) 24(2), 115–139 (2006)CrossRefGoogle Scholar
  2. 2.
    Akamai: Akamai’s state of the internet report q1 2016 (2016)Google Scholar
  3. 3.
    Goldstein, M., Lampert, C., Reif, M., Stahl, A., Breuel, T.: Bayes optimal ddos mitigation by adaptive history-based IP filtering. In: Seventh International Conference on Networking (ICN 2008), pp. 174–179. IEEE (2008)Google Scholar
  4. 4.
    Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. In: IEEE International Conference on Communications (ICC 2003), vol. 1, pp. 482–486. IEEE (2003)Google Scholar
  5. 5.
    Goldstein, M., Reif, M., Stahl, A., Breuel, T.: Server-side prediction of source IP addresses using density estimation. In: International Conference on Availability, Reliability and Security, 2009 (ARES 2009), pp. 82–89. IEEE (2009)Google Scholar
  6. 6.
    Qin, X., Xu, T., Wang, C.: DDoS attack detection using flow entropy and clustering technique. In: 2015 11th International Conference on Computational Intelligence and Security (CIS), pp. 412–415. IEEE (2015)Google Scholar
  7. 7.
    Yu, J., Li, Z., Chen, H., Chen, X.: A detection and offense mechanism to defend against application layer DDoS attacks. In: Third International Conference on Networking and Services (ICNS), p. 54. IEEE (2007)Google Scholar
  8. 8.
    Li, Z., Li, Y., Xu, L.: Anomaly intrusion detection method based on k-means clustering algorithm with particle swarm optimization. In: 2011 International Conference on Information Technology, Computer Engineering and Management Sciences (ICM), vol. 2, pp. 157–161. IEEE (2011)Google Scholar
  9. 9.
    Mingqiang, Z., Hui, H., Qian, W.: A graph-based clustering algorithm for anomaly intrusion detection. In: 2012 7th International Conference on Computer Science & Education (ICCSE), pp. 1311–1314. IEEE (2012)Google Scholar
  10. 10.
    Ranjan, R., Sahoo, G.: A new clustering approach for anomaly intrusion detection, arXiv preprint arXiv:1404.2772 (2014)
  11. 11.
    Guan, Y., Ghorbani, A.A., Belacel, N.: Y-means: a clustering method for intrusion detection. In: Canadian Conference on Electrical and Computer Engineering (CCECE), vol. 2, pp. 1083–1086. IEEE (2003)Google Scholar
  12. 12.
    Xue-Yong, L., Guo-hong, G., Jia-xia, S.: A new intrusion detection method based on improved DBSCAN. In: 2010 WASE International Conference on Information Engineering (ICIE), vol. 2, pp. 117–120. IEEE (2010)Google Scholar
  13. 13.
    Ester, M., Kriegel, H.-P., Sander, J., Xu, X., et al.: A density-based algorithm for discovering clusters in large spatial databases with noise. In: Kdd, vol. 96, no. 34, pp. 226–231 (1996)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Madeleine Victoria Kongshavn
    • 1
  • Anis Yazidi
    • 1
    Email author
  • Hårek Haugerud
    • 1
  • Hugo Hammer
    • 1
  1. 1.Department of Computer ScienceOslo and Akershus University College of Applied SciencesOsloNorway

Personalised recommendations