
TSD3: A Novel Time-Series-Based Solution for DDoS Attack Detection

  • Conference paper
Web and Big Data (APWeb-WAIM 2022)

Abstract

Distributed Denial-of-Service (DDoS) attacks have long been one of the biggest threats to network security. Most existing approaches collect and analyze network traffic in a fixed window (e.g., 1 min or 5 min) to detect ongoing attacks. However, they cannot track temporal information, such as the arrival times of packets and the persistence of malicious flows over time, which inevitably harms their effectiveness. To this end, this work proposes a novel solution called Time-Series DDoS Detection (TSD3). First, we design an attention-based traffic sampling algorithm to support short-period (e.g., 1 s) traffic monitoring. The proposed sampling solution can continuously track network flows with limited storage and communication resources and naturally attaches fine-grained time information, i.e., a slice index, to each flow record. Then we perform time-series analysis by encoding the flow records of successive periods into persistence distributions and training a classifier to identify attacking or normal flows. Experimental results based on real-world network traces show that our approach significantly outperforms state-of-the-art methods in terms of Accuracy, Recall, and F1-score.
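The abstract leaves the encoding step undefined; the following added example (not the paper's code) is one plausible reading of it: each sampled flow record carries the index of the 1 s slice it was seen in, and a window of W successive slices is encoded, per destination, as a normalised histogram of how many slices each source persisted in. The record format, the destination-keyed grouping, and the constructed traffic are assumptions.

```python
"""Persistence-distribution encoding of slice-indexed flow records (illustrative
interpretation of the TSD3 idea described in the abstract, not the paper's code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A sampled flow record: (slice_index, src, dst). Constructed format.
Record = Tuple[int, str, str]


def persistence_distribution(records: Iterable[Record], dst: str,
                             window_start: int, window: int) -> List[float]:
    """Return a length-`window` vector whose k-th entry (k = 1..window) is the
    fraction of sources talking to `dst` that appeared in exactly k distinct
    slices of the window [window_start, window_start + window)."""
    seen: Dict[str, set] = defaultdict(set)
    for slice_idx, src, rec_dst in records:
        if rec_dst == dst and window_start <= slice_idx < window_start + window:
            seen[src].add(slice_idx)
    hist = [0] * window
    for slices in seen.values():
        hist[len(slices) - 1] += 1
    total = sum(hist)
    return [h / total for h in hist] if total else hist  # all-zero if no flows


def short_lived_mass(dist: List[float], k: int = 1) -> float:
    """Fraction of sources persisting for at most k slices. A value close to 1
    means the destination is dominated by transient sources, the temporal
    pattern the abstract contrasts with persistent, normal flows."""
    return sum(dist[:k])


def make_sample() -> List[Record]:
    """Constructed traffic for an 8-slice window: three normal clients persist
    across most slices, while forty one-shot sources each appear in a single
    slice (all addresses are documentation ranges, RFC 5737)."""
    recs: List[Record] = []
    for s in range(8):
        for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            if not (client == "10.0.0.3" and s % 4 == 3):  # client 3 skips 2 slices
                recs.append((s, client, "203.0.113.10"))
    for i in range(40):
        recs.append((i % 8, f"198.51.100.{i}", "203.0.113.10"))
    return recs
```

A classifier as in the abstract would consume the distribution vector (or features derived from it such as `short_lived_mass`) across successive windows rather than a single fixed-window count.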



Acknowledgements

This work was supported by National Natural Science Foundation of China under Grant No. 62072322, No. 61873177, and No. U20A20182, Natural Science Foundation of Jiangsu Province under Grant No. BK20210706, and Jiangsu Planned Projects for Postdoctoral Research Funds under Grant No. 2021K165B.

Corresponding authors

Correspondence to Yang Du or Shiping Chen.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Han, Y., Du, Y., Chen, S., Huang, H., Sun, YE. (2023). TSD3: A Novel Time-Series-Based Solution for DDoS Attack Detection. In: Li, B., Yue, L., Tao, C., Han, X., Calvanese, D., Amagasa, T. (eds) Web and Big Data. APWeb-WAIM 2022. Lecture Notes in Computer Science, vol 13423. Springer, Cham. https://doi.org/10.1007/978-3-031-25201-3_25


  • DOI: https://doi.org/10.1007/978-3-031-25201-3_25


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25200-6

  • Online ISBN: 978-3-031-25201-3

  • eBook Packages: Computer Science (R0)
