TY - JOUR
T1 - Discriminating DDoS attacks from flash crowds using flow correlation coefficient
AU - Yu, Shui
AU - Zhou, Wanlei
AU - Jia, Weijia
AU - Guo, Song
AU - Xiang, Yong
AU - Tang, Feilong
PY - 2012
Y1 - 2012
N2 - Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice. © 1990-2012 IEEE.
KW - DDoS attacks
KW - discrimination
KW - flash crowds
KW - similarity
UR - http://www.scopus.com/inward/record.url?scp=84860543902&partnerID=8YFLogxK
UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-84860543902&origin=recordpage
U2 - 10.1109/TPDS.2011.262
DO - 10.1109/TPDS.2011.262
M3 - RGC 21 - Publication in refereed journal
SN - 1045-9219
VL - 23
SP - 1073
EP - 1080
JO - IEEE Transactions on Parallel and Distributed Systems
JF - IEEE Transactions on Parallel and Distributed Systems
IS - 6
M1 - 6060809
ER -