Abstract
Anomaly-based DDoS detection systems construct a profile of the traffic normally seen in the network and flag an anomaly whenever the traffic deviates from that normal profile by more than a threshold. This deviation beyond the threshold has previously been used for DDoS detection, but not for estimating the number of zombies. This chapter presents an approach that uses the deviation to predict the number of zombies with an isotonic regression model. A relationship is established between the number of zombies and the observed deviation in sample entropy. Internet-like topologies used for simulation are generated with the Transit-Stub model of the GT-ITM topology generator. The NS-2 network simulator on a Linux platform serves as the simulation test bed for launching DDoS attacks with varying numbers of zombies. Various statistical performance measures are used to evaluate the regression model. The simulation results are promising: the isotonic regression model predicts the number of zombies efficiently with a very low error rate.
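The estimation pipeline the abstract sketches, as an added example that is not the chapter's own code: a traffic window's sample entropy (assumed here to be taken over source addresses) is compared with the normal-profile entropy, and an isotonic regression fitted with the pool-adjacent-violators algorithm maps that deviation to a zombie count. The calibration pairs and the traffic windows are constructed.

```python
from collections import Counter
from math import log2

def sample_entropy(sources):
    """Shannon entropy (bits) of the source-address distribution in one traffic window."""
    n = len(sources)
    return -sum(c / n * log2(c / n) for c in Counter(sources).values())

def entropy_deviation(baseline_sources, window_sources):
    """Deviation of a window's entropy from the normal-profile (baseline) entropy."""
    return abs(sample_entropy(window_sources) - sample_entropy(baseline_sources))

def fit_isotonic(deviations, zombies):
    """Pool-adjacent-violators: least-squares non-decreasing fit of zombies vs deviation.
    Returns the block start deviations and the fitted (pooled mean) zombie counts."""
    blocks = [[x, y, 1] for x, y in sorted(zip(deviations, zombies))]  # [start x, mean y, weight]
    i = 0
    while i < len(blocks) - 1:
        x, m, w = blocks[i]
        x2, m2, w2 = blocks[i + 1]
        if m > m2:  # monotonicity violated: pool the two blocks into their weighted mean
            blocks[i] = [x, (m * w + m2 * w2) / (w + w2), w + w2]
            del blocks[i + 1]
            i = max(i - 1, 0)  # pooling may create a violation with the previous block
        else:
            i += 1
    return [b[0] for b in blocks], [b[1] for b in blocks]

def predict_zombies(starts, fitted, deviation):
    """Step-function prediction: fitted value of the last block starting at or below deviation."""
    estimate = fitted[0]
    for start, value in zip(starts, fitted):
        if start <= deviation:
            estimate = value
    return estimate

# Constructed calibration data: (entropy deviation, known zombie count) from simulated attack runs.
TRAIN_DEV = [0.3, 0.8, 0.7, 1.5, 2.1, 2.0, 3.2]
TRAIN_ZOMBIES = [5, 10, 15, 25, 30, 35, 50]

def demo():
    """Fit the model, then estimate the zombie count for a constructed attack window."""
    baseline = [f"10.0.0.{i}" for i in range(8)] * 10      # normal profile: 8 regular sources
    attack = [f"198.51.100.{i}" for i in range(64)]         # flood window: 64 distinct sources
    starts, fitted = fit_isotonic(TRAIN_DEV, TRAIN_ZOMBIES)
    return predict_zombies(starts, fitted, entropy_deviation(baseline, attack))

if __name__ == "__main__":
    print(demo())
```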
© 2013 Springer Science+Business Media Dordrecht
Cite this chapter
Gupta, B.B., Jamali, N. (2013). Predicting Number of Zombies in a DDoS Attacks Using Isotonic Regression. In: Özyer, T., Erdem, Z., Rokne, J., Khoury, S. (eds) Mining Social Networks and Security Informatics. Lecture Notes in Social Networks. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6359-3_8
DOI: https://doi.org/10.1007/978-94-007-6359-3_8
Publisher Name: Springer, Dordrecht
Print ISBN: 978-94-007-6358-6
Online ISBN: 978-94-007-6359-3