TY  - JOUR
ID  - 107959
TI  - F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
JO  - The ISC International Journal of Information Security
JA  - ISECURE
LA  - en
SN  - 2008-2045
AU  - Nooribakhsh, Mahsa
AU  - Mollamotalebi, Mahdi
AD  - Department of Computer, Buinzahra branch, Islamic Azad University, Buinzahra, Iran
Y1  - 2020
PY  - 2020
VL  - 12
IS  - 2
SP  - 113
EP  - 128
KW  - DDoS detection
KW  - Real time detection
KW  - Data stream algorithm
KW  - Binary-mapped Historical-memory Management
KW  - Anomaly Detection
KW  - Expected Profile Update Time
DO  - 10.22042/isecure.2020.167450.453
N2  - Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: volumetric attacks, protocol attacks and application attacks. The volumetric attack, which the proposed method attempts to detect, is the most common type of DDoS attack. The aim of this paper is to reduce the delay of real-time detection of DDoS attacks utilizing hybrid structures based on data stream algorithms. The proposed data structure (BHM) improves the data storing mechanism presented in the STONE method and consequently reduces the detection time. STONE characterizes regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detecting attacks when the aggregated traffic deviates from the regular one. In BHM, history refers to the output traffic information obtained from each monitoring period to form a reference profile. The reference profile is created by employing historical information and only includes normal traffic information. The delay of DDoS attack detection increases in STONE due to long time intervals between each monitoring period. The proposed method (F-STONE) has been compared to STONE based on attack detection time, Expected Profile Update Time (EPUT), and rate of attack detection. The evaluation results indicated significant improvements in terms of the EPUT, acceleration of attack detection and reduction of false positive rate.
UR  - https://www.isecure-journal.com/article_107959.html
L1  - https://www.isecure-journal.com/article_107959_bf49f140f7f9e82841dd4f64c81f6a5e.pdf
ER  -