Implementing filtering and traceback mechanism for packet-marking IP-traceback schemes against DDoS attacks
ABSTRACT: In this paper we present two packet marking schemes that can be used against distributed denial of service attacks. We describe the architectural details of the filtering and traceback mechanism that is deployed on the victim's network and show how the components utilize the packet markings to effectively stop ongoing DDoS attacks.
ABSTRACT: Denial-of-service (DoS) detection techniques, such as activity profiling, change-point detection, and wavelet-based signal analysis, face the considerable challenge of discriminating network-based flooding attacks from sudden increases in legitimate activity or flash events. This survey of techniques and testing results provides insight into our ability to successfully identify DoS flooding attacks. Although each detector shows promise in limited testing, none completely solves the detection problem. Combining various approaches with experienced network operators will most likely produce the best results.
IEEE Internet Computing 02/2006; · 2.04 Impact Factor
ABSTRACT: Whenever an intrusion occurs, the security and value of a computer system is compromised. Network-based attacks make it difficult for legitimate users to access various network services by purposely occupying or sabotaging network resources and services. This can be done by sending large amounts of network traffic, exploiting well-known faults in networking services, and by overloading network hosts. Intrusion Detection attempts to detect computer attacks by examining various data records observed in processes on the network and it is split into two groups, anomaly detection systems and misuse detection systems. Anomaly detection is an attempt to search for malicious behavior that deviates from established normal patterns. Misuse detection is used to identify intrusions that match known attack scenarios. Our interest here is in anomaly detection and our proposed method is a scalable solution for detecting network-based anomalies. We use Support Vector Machines (SVM) for classification. The SVM is one of the most successful classification algorithms in the data mining area, but its long training time limits its use. This paper presents a study for enhancing the training time of SVM, specifically when dealing with large data sets, using hierarchical clustering analysis. We use the Dynamically Growing Self-Organizing Tree (DGSOT) algorithm for clustering because it has proved to overcome the drawbacks of traditional hierarchical clustering algorithms (e.g., hierarchical agglomerative clustering). Clustering analysis helps find the boundary points, which are the most qualified data points to train SVM, between two classes. We present a new approach of combination of SVM and DGSOT, which starts with an initial training set and expands it gradually using the clustering structure produced by the DGSOT algorithm.
We compare our approach with the Rocchio Bundling technique and random selection in terms of accuracy loss and training time gain using a single benchmark real data set. We show that our proposed variations contribute significantly in improving the training process of
The VLDB Journal 01/2007; 16:507-521. · 1.40 Impact Factor
Conference Proceeding: Packet Marking Scheme and Deployment Issues
ABSTRACT: In this paper we describe a packet marking scheme which enables real time filtering of DDoS attack traffic as well as traceback to the real sources of the attack. We also present detailed deployment methodologies on the network and router level as well as a filtering mechanism that can be customized depending on each organization's specific needs.
Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 2007. IDAACS 2007. 4th IEEE Workshop on; 10/2007