DDoS detection based on traffic self-similarity (2008)
Type of Content: Theses / Dissertations
Thesis Discipline: Computer Science
Degree Name: Master of Science
Publisher: University of Canterbury. Computer Science and Software Engineering
Distributed denial of service (DDoS) attacks are a common occurrence on the internet and are becoming more intense as the bot-nets used to launch them grow bigger. Preventing or stopping DDoS is not possible without radically changing the internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation techniques share the need for a DDoS detection mechanism. DDoS detection based on traffic self-similarity estimation is a relatively new approach built on the notion that undisturbed network traffic displays fractal-like properties. These fractal-like properties are known to degrade in the presence of abnormal traffic conditions such as DDoS. Detection is possible by observing the changes in the level of self-similarity in the traffic flow at the target of the attack. Existing literature assumes that DDoS traffic lacks the self-similar properties of undisturbed traffic. We show how existing bot-nets could be used to generate a self-similar traffic flow and thus break such assumptions. We then study the implications of self-similar attack traffic on DDoS detection. We find that, even when DDoS traffic is self-similar, detection is still possible. We also find that the traffic flow resulting from the superimposition of the DDoS flow and the legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both the relative traffic intensity and the difference in self-similarity between the two incoming flows.
Keywords: ddos, self-similarity, distributed denial of service detection
Rights: Copyright Delio Brignoli
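The detection idea in the abstract, sketched as an added example (not code from the thesis): estimate the level of self-similarity of per-tick packet counts at the target and flag a window whose estimate has moved away from the baseline. Assumptions not stated on this page: self-similarity is measured as the Hurst parameter using the aggregated-variance method, the baseline is a constructed superposition of ON/OFF sources with Pareto-distributed period lengths, the attack flow is a constructed memoryless count series (the case the existing literature assumes), and the 0.1 tolerance is arbitrary.

```python
import math
import random

def hurst_aggvar(counts, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Aggregated-variance Hurst estimate: Var(mean of m-tick blocks) ~ m^(2H-2)."""
    xs, ys = [], []
    for m in block_sizes:
        n = len(counts) // m
        means = [sum(counts[i * m:(i + 1) * m]) / m for i in range(n)]
        mu = sum(means) / n
        var = sum((v - mu) ** 2 for v in means) / (n - 1)
        xs.append(math.log(m))
        ys.append(math.log(var))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sum((x - mx) ** 2 for x in xs)  # least-squares log-log slope
    return 1 + slope / 2

def legit_traffic(rng, ticks=8192, sources=32, alpha=1.4):
    """Constructed baseline: ON/OFF sources with heavy-tailed (Pareto) periods."""
    counts = [0] * ticks
    for _ in range(sources):
        t, on = 0, rng.random() < 0.5
        while t < ticks:
            end = min(ticks, t + math.ceil(rng.paretovariate(alpha)))
            if on:
                for i in range(t, end):
                    counts[i] += 1  # one packet per tick while the source is ON
            t, on = end, not on
    return counts

def flood(rng, ticks=8192, rate=40):
    """Constructed attack flow without memory: independent counts per tick."""
    return [rng.randint(0, 2 * rate) for _ in range(ticks)]

def deviates(h, baseline, tolerance=0.1):
    """Flag a window whose Hurst estimate has moved away from the baseline."""
    return abs(h - baseline) > tolerance

rng = random.Random(2008)  # fixed seed so the constructed data is reproducible
LEGIT = legit_traffic(rng)
H_BASE = hurst_aggvar(LEGIT)
# Superimpose floods of increasing intensity on the same baseline traffic.
H_BY_RATE = {r: hurst_aggvar([a + b for a, b in zip(LEGIT, flood(rng, rate=r))])
             for r in (1, 5, 40)}

if __name__ == "__main__":
    print(f"baseline H = {H_BASE:.2f}")
    for r, h in H_BY_RATE.items():
        print(f"flood rate {r:>2}: H = {h:.2f} alert={deviates(h, H_BASE)}")
```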