Department of Computer, Buinzahra branch, Islamic Azad University, Buinzahra, Iran



Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories as Volumetric attacks, Protocol attacks and Application attacks. The volumetric attack, which the proposed method attempts to detect it, is the most common type of DDoS attacks. The aim of this paper is to reduce the delay of real-time detection of DDoS attacks utilizing hybrid structures based on data stream algorithms. The proposed data structure (BHM ) improves the data storing mechanism presented in STONE method and consequently reduces the detection time. STONE characterizes regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detecting attacks when the aggregated traffic deviates from the regular one. In BHM, history refers to the output traffic information obtained from each monitoring period to form a reference profile. The reference profile is created by employing historical information and only includes normal traffic information. The delay of DDoS attack detection increases in STONE due to long-time intervals between each monitoring period. The proposed method (F-STONE) has been compared to STONE based on attack detection time, Expected Profile Update Time (EPUT), and rate of attack detection. The evaluation results indicated significant improvements in terms of the EPUT, acceleration of attack detection and reduction of false positive rate.


[1] An Wang, Aziz Mohaisen, Wentao Chang, and Songqing Chen. Capturing ddos attack dynamics behind the scenes. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 205–215. Springer, 2015.

[2] Samad S Kolahi, Amro A Alghalbi, Abdulmohsen F Alotaibi, Saarim S Ahmed, and Divyesh Lad. Performance comparison of defense mechanismsagainsttcpsynfloodddosattack. In 2014 6th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), pages 143–147. IEEE, 2014.

[3] Monowar H Bhuyan, Hirak Jyoti Kashyap, Dhruba Kumar Bhattacharyya, and Jugal K Kalita. Detecting distributed denial of service attacks: methods, tools and future directions. The Computer Journal, 57(4):537–556, 2013.

[4] MartinRoeschetal. Snort:Lightweightintrusion detection for networks. In Lisa, volume 99, pages 229–238, 1999.

[5] Richa Srivastava and Vineet Richhariya. Survey of current network intrusion detection techniques. Journal of Information Engineering and Applications, 3(6):27–33, 2013.

[6] Bayu Adhi Tama and Kyung-Hyune Rhee. Data mining techniques in dos/ddos attack detection: A literature review. Information (Japan), 18(8):3739, 2015.

[7] Amey Kulkarni, Youngok Pino, Matthew French, and Tinoosh Mohsenin. Real-time anomaly detection framework for many-core router through machine-learning techniques. ACM Journal on Emerging Technologies in Computing Systems (JETC), 13(1):10, 2016.

[8] Anna L Buczak and Erhan Guven. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2):1153– 1176, 2015.

[9] P Arun Raj Kumar and S Selvakumar. Distributed denial of service attack detection using an ensemble of neural classifier. Computer Communications, 34(11):1328–1341, 2011.

[10] Vincenzo Gulisano, Mar Callau-Zori, Zhang Fu, Ricardo Jiménez-Peris, Marina Papatriantafilou, and Marta Patiño-Martínez. Stone: A streaming ddos defense framework. Expert Systems with Applications, 42(24):9620–9633, 2015.

[11] Hao Huang and Shiva Prasad Kasiviswanathan. Streaming anomaly detection using randomized matrix sketching. Proceedings of the VLDB Endowment, 9(3):192–203, 2015.

[12] Chin-Ling Chen. A new detection method for distributed denial-of-service attack traffic based on statistical test. J. UCS, 15(2):488–504, 2009.

[13] Emmanuelle Anceaume and Yann Busnel. A distributed information divergence estimation over data streams. IEEE Transactions on Parallel and Distributed Systems, 25(2):478–487, 2013.

[14] Solomon Kullback and Richard A Leibler. On information and sufficiency. The annals of mathematical statistics, 22(1):79–86, 1951.

[15] TomaszAndrysiakandŁukaszSaganowski. Ddos attacks detection by means of statistical models. In Proceedings of the 9th International Conference on Computer Recognition Systems CORES 2015, pages 797–806. Springer, 2016.

[16] Nazrul Hoque, Hirak Kashyap, and DK Bhattacharyya. Real-time ddos attack detection using fpga. Computer Communications, 110:48–58, 2017.

[17] Balázs Nagy, Péter Orosz, Tamás Tóthfalusi, László Kovács, and Pál Varga. Detecting ddos attacks within milliseconds by using fpga-based hardware acceleration. In NOMS 2018-2018 IEEE/IFIP Network Operations and Management Symposium, pages 1–4. IEEE, 2018.

[18] Sharmila Bista, Roshan Chitrakar, et al. Ddos attack detection using heuristics clustering algorithm and naïve bayes classification. Journal of Information Security, 9(01):33, 2017.

[19] M Baskar, T Gnanasekaran, and J Frank Vijay. Time variant predicate based traffic approximation algorithm for efficient low rate ddos attack detection. 2018.

[20] Abigail Koay, Aaron Chen, Ian Welch, and Winston KG Seah. A new multi classifier system using entropy-based features in ddos attack detection. In 2018 International Conference on Information Networking (ICOIN), pages 162–167. IEEE, 2018.

[21] Andrey Evgenievich Krasnov, Evgeniy Nikolae
vich Nadezhdin, Vladimir Sergeevich Galayev, Evgenia Andreevna Zykova, Dmitrii Nikolaevich Nikol’skii, and Dmitrii Sergeevich Repin. Ddos attack detection based on network traffic phase coordinates analysis. International Journal of Applied Engineering Research, 13(8):5647–5654, 2018.

[22] Xinlei Ma and Yonghong Chen. Ddos detection method based on chaos analysis of network traffic entropy. IEEE Communications Letters, 18(1):114–117, 2013.

[23] Xubin Zeng, R Eykholt, and RA Pielke. Estimating the lyapunov-exponent spectrum from short time series of low precision. Physical Review Letters, 66(25):3229, 1991.

[24] Sunny Behal and Krishan Kumar. Detection of ddos attacks and flash events using novel information theory metrics. Computer Networks, 116:96–110, 2017.

[25] Stefano Fortunati, Fulvio Gini, Maria S Greco, Alfonso Farina, Antonio Graziano, and Sofia Giompapa. An improvement of the state-ofthe-art covariance-based methods for statistical anomaly detection algorithms. Signal, Image and Video Processing, 10(4):687–694, 2016. [26] Paul L Butzer and François Jongmans. Pl chebyshev (1821–1894) and his contacts with western european scientists. Historia mathematica, 16(1):46–68, 1989.

[27] İlker Özçelik and Richard R Brooks. Cusumentropy: an efficient method for ddos attack detection. In 2016 4th International Istanbul Smart Grid Congress and Fair (ICSG), pages 1–5. IEEE, 2016.

[28] lbl dataset. lbl dataset. gov/html/traces.html,2017. [Online;accessed 2017/23/9].

[29] lbl conn dataset. lbl conn dataset., 2017. [Online; accessed 2017/23/9].

[30] NASA dataset. NASA dataset. http://ita., 2017. [Online; accessed 2017/23/9].

[31] KDD-CUP dataset. KDD-CUP dataset. communications/ist/index.html, 2017. [Online; accessed 2017/23/9].