TY - GEN
T1 - DDoS detection and traceback with decision tree and grey relational analysis
AU - Wu, Yi Chi
AU - Tseng, Huei Ru
AU - Yang, Wuu
AU - Jan, Rong Hong
PY - 2009
Y1 - 2009
N2 - As modern life becomes increasingly closely bound to the Internet, network security becomes increasingly important. Like it or not, we all live under the shadow of network threats. These threats can cause leakage of privacy and/or economic loss. Among network attacks, the DDoS (distributed denial-of-service) attack is one of the most frequent and serious. In a DDoS attack, an attacker first breaks into many innocent computers (called zombies) by taking advantage of known or unknown bugs and vulnerabilities in their software. Then the attacker sends a large number of packets from these already-captured zombies to a server. These packets either occupy a major portion of the server's network bandwidth or consume much of the server's processing time. The server is then prevented from conducting normal business operations. In order to mitigate the DDoS threat, we design a system that detects DDoS attacks with a decision-tree technique and, after detecting an attack, traces back to the approximate location of the attacker with a traffic-flow pattern-matching technique. We conduct our experiments on the DETER system. According to our experimental results, our system detects DDoS attacks with a false positive ratio of about 1.2% to 2.4% and a false negative ratio of about 2% to 10%, depending on the kind of attack and the attack sending rate, and finds the attack path in traceback with a false negative rate of 8% to 12% and a false positive rate of 12% to 14%.
AB - As modern life becomes increasingly closely bound to the Internet, network security becomes increasingly important. Like it or not, we all live under the shadow of network threats. These threats can cause leakage of privacy and/or economic loss. Among network attacks, the DDoS (distributed denial-of-service) attack is one of the most frequent and serious. In a DDoS attack, an attacker first breaks into many innocent computers (called zombies) by taking advantage of known or unknown bugs and vulnerabilities in their software. Then the attacker sends a large number of packets from these already-captured zombies to a server. These packets either occupy a major portion of the server's network bandwidth or consume much of the server's processing time. The server is then prevented from conducting normal business operations. In order to mitigate the DDoS threat, we design a system that detects DDoS attacks with a decision-tree technique and, after detecting an attack, traces back to the approximate location of the attacker with a traffic-flow pattern-matching technique. We conduct our experiments on the DETER system. According to our experimental results, our system detects DDoS attacks with a false positive ratio of about 1.2% to 2.4% and a false negative ratio of about 2% to 10%, depending on the kind of attack and the attack sending rate, and finds the attack path in traceback with a false negative rate of 8% to 12% and a false positive rate of 12% to 14%.
UR - http://www.scopus.com/inward/record.url?scp=72849151249&partnerID=8YFLogxK
U2 - 10.1109/MUE.2009.60
DO - 10.1109/MUE.2009.60
M3 - Conference contribution
AN - SCOPUS:72849151249
SN - 9780769536583
T3 - 3rd International Conference on Multimedia and Ubiquitous Engineering, MUE 2009
SP - 306
EP - 314
BT - 3rd International Conference on Multimedia and Ubiquitous Engineering, MUE 2009
T2 - 3rd International Conference on Multimedia and Ubiquitous Engineering, MUE 2009
Y2 - 4 June 2009 through 6 June 2009
ER -