Abstract:
This paper presents an improved approach previously developed by the authors for detection of DDoS attacks. It uses traffic evolution and dynamical operators, which makes it possible to take into consideration interrelations observed for data packets headers of traffic. It is assumed that each traffic state (normal state and anomalous attacked states) can be described by unique temporal patterns of characteristics generated by unknown linear dynamical operators. Interrelations between values of network traffic characteristics in different discrete time samples are determined by the evolution operator. The approach was applied for classification of three traffic states: normal and two abnormal (HTTP flood and SlowLoris DDoS attacks). The results prove that it is possible to distinguish normal and abnormal traffic states by hash functions of address and load fields of traffic data packets.
The work was supported by the Ministry of Education and Science of Russian Federation by lot code 2017-14-579-0002 on the topic: “The development of effective algorithms for detection network attacks based on identifying of deviations in the traffic of extremely large volumes arriving at the border routers of the data network and creating a sample of software complex for detection and prevention of information security threats aimed at denial of service”. The unique identifier of the work (project) is RFMEFI57817X0261.
Citation:
A. E. Krasnov, E. N. Nadezhdin, D. N. Nikol'skii, D. S. Repin, V. S. Galyaev, “Detecting DDoS attacks by analyzing the dynamics and interrelation of network traffic characteristics”, Vestn. Udmurtsk. Univ. Mat. Mekh. Komp. Nauki, 28:3 (2018), 407–418