Detecting Distributed Denial of Service (DDoS) Attacks through Inductive Learning

  • Sanguk Noh
  • Cheolho Lee
  • Kyunghee Choi
  • Gihyun Jung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2690)


As the complexity of the Internet scales up, Internet resources are likely to be exposed to Distributed Denial of Service (DDoS) flooding attacks on TCP-based Web servers. A lot of related work focuses on analyzing the pattern of DDoS attacks in order to protect users from them. However, none of these studies takes all the flags within the TCP header into account, nor do they analyze the relationship between the flags and the TCP packets. To analyze the features of DDoS attacks, therefore, this paper presents a network traffic analysis mechanism which computes the ratio of the number of TCP flags to the total number of TCP packets. Based upon the calculation of TCP flag rates, we compile pairs of the TCP flag rates and the presence (or absence) of a DDoS attack into state-action rules using machine learning algorithms. We endow alarming agents with a tapestry of the compiled rules. The agents can then detect network flooding attacks against a Web server. We validate our framework with experimental results in a simulated TCP-based network setting. The experimental results show a distinctive and predictive pattern of the DDoS attacks, and our alarming agents can successfully detect various DDoS attacks.
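The flag-rate computation and rule compilation described in the abstract, sketched as an added example that is not code from the paper. It assumes fixed traffic windows of raw TCP headers, uses constructed packets and labels, and substitutes a single-threshold rule search (`learn_rule`, a hypothetical helper) for the paper's machine learning algorithms.

```python
import struct

# Flag bits in byte 13 of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_header(*names):
    """Constructed 20-byte TCP header (port 40000 -> 80) with the named flags set."""
    bits = sum(FLAGS[n] for n in names)
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, bits, 8192, 0, 0)

def flag_rates(headers):
    """Per-flag rate: packets with the flag set / total TCP packets in the window."""
    valid = [h for h in headers if len(h) >= 20]   # skip truncated captures
    total = len(valid)
    return {name: (sum(1 for h in valid if h[13] & bit) / total if total else 0.0)
            for name, bit in FLAGS.items()}

def learn_rule(samples):
    """Induce one rule 'rate[flag] > threshold => attack' with the fewest training
    errors. samples: list of (rates, attack?). Stand-in learner, not the paper's."""
    best = None
    for flag in FLAGS:
        values = sorted({rates[flag] for rates, _ in samples})
        for lo, hi in zip(values, values[1:]):     # candidate thresholds: midpoints
            t = (lo + hi) / 2
            errors = sum((rates[flag] > t) != attack for rates, attack in samples)
            if best is None or errors < best[2]:
                best = (flag, t, errors)
    return best

def is_attack(rule, headers):
    """Apply a learned (flag, threshold, errors) rule to one traffic window."""
    flag, threshold, _ = rule
    return flag_rates(headers)[flag] > threshold

def window(syn, ack, psh_ack, fin_ack):
    """Constructed traffic window with the given packet counts."""
    return ([tcp_header("SYN")] * syn + [tcp_header("ACK")] * ack +
            [tcp_header("PSH", "ACK")] * psh_ack + [tcp_header("FIN", "ACK")] * fin_ack)

# Constructed, labelled training windows: (packets, attack present?)
TRAINING = [(window(5, 50, 40, 5), False), (window(8, 60, 24, 8), False),
            (window(80, 10, 8, 2), True), (window(60, 20, 15, 5), True)]
RULE = learn_rule([(flag_rates(w), label) for w, label in TRAINING])

if __name__ == "__main__":
    print("learned rule:", RULE)
    print("SYN-heavy window flagged:", is_attack(RULE, window(70, 15, 10, 5)))
```

On this constructed data the search settles on the SYN rate, since it is the only flag rate that separates the labelled windows without error.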


Keywords: Transmission Control Protocol; Internet Protocol Address; Flooding Attack; Transmission Control Protocol Connection; Simultaneous Connection
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Sanguk Noh (1)
  • Cheolho Lee (2)
  • Kyunghee Choi (2)
  • Gihyun Jung (3)

  1. School of Computer Science and Information Engineering, The Catholic University of Korea, Bucheon, Korea
  2. Graduate School of Information and Communication, Ajou University, Suwon, Korea
  3. Division of Electronics Engineering, Ajou University, Suwon, Korea
