Conference Paper

TrustGuard: A flow-level reputation-based DDoS defense system

Sch. of Electr. Eng. & Comput. Sci., Washington State Univ., Pullman, WA, USA
DOI: 10.1109/CCNC.2011.5766474 Conference: Consumer Communications and Networking Conference (CCNC), 2011 IEEE
Source: IEEE Xplore


Distributed Denial of Service (DDoS) attacks pose one of the most serious security threats to the Internet. We examine the drawbacks of existing defense schemes. To combat these deficiencies, we propose a credit-based defense system: TrustGuard. Essentially, flows accumulate credit based on the diversity of their packet-size distribution. The more diverse the flow, the more credit it has. Since DDoS attacks demonstrate low diversity, they accumulate less credit and are likely to be dropped by the system. Naturally, the performance of TrustGuard greatly depends on the choice of credit accumulation and flow selection methods. We derive our solution by identifying the essential characteristics of DDoS attacks. Our analysis accounts for both micro and macro behaviors of DDoS attacks. The primary goal of this work is not only to detect the occurrence of a DDoS attack, but also to identify the attackers and victims involved. Experimental results demonstrate that TrustGuard performs admirably in both cases.

  • Source
    Journal of Communications 12/2011; 6(9):660-670. DOI:10.4304/jcm.6.9.660-670
  • Source
    ABSTRACT: Botnets are considered one of the most dangerous and serious security threats facing networks and the Internet. Compared with other security threats, botnet members can be directed and controlled via C&C messages from the botmaster over common protocols such as IRC and HTTP, or even over covert and unknown applications. As for IRC botnets, general security devices such as firewalls and IDSes do not by themselves provide a viable solution to prevent them completely. These devices cannot differentiate well between legitimate and malicious traffic of the IRC protocol. This paper therefore proposes an IDS-based, multi-phase IRC botnet and botnet behavior detection model based on C&C response messages and the malicious behaviors of IRC bots inside the network environment. The proposed model has been evaluated on five network traffic traces from two different network environments (a virtual network and the DARPA 2000 Windows NT Attack Data Set). The results show that the proposed model could detect all the infected IRC botnet member(s), state their current status of attack, filter their malicious IRC messages, pass the other normal IRC messages, and detect the botnet behavior regardless of the botnet communication protocol, with a very low false positive rate. The proposed model has been compared with some existing and well-known approaches, including BotHunter, BotSniffer and Rishi, with regard to the botnet characteristics considered in each approach. The comparison showed that the proposed model improves on the compared models by not relying on a certain time window or specific bot signatures.
  • Source
    Proceedings of the Third International Conference on Digital Enterprise and Information Systems (DEIS2015), Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences (SIAT-CAS), Shenzhen, China; 04/2015

