{"title":"A lightweight snapshot-based DDoS detector","authors":"Gilles Roudière, P. Owezarski","doi":"10.23919/CNSM.2017.8256014","DOIUrl":null,"url":null,"abstract":"Despite the efforts made from both the research community and the industry in inventing new methods to deal with distributed denial of service attacks, they stay a major threat in the Internet network. Those attacks are numerous, and can prevent, in most serious cases, the targeted system from answering any request from its clients. Detecting such attacks means dealing with several difficulties, such as their distributed nature or the several evasions techniques available to the attackers. The detection process has also a cost, which includes both the resources needed to perform the detection and the work of the network administrator. In this paper we introduce AATAC (Autonomous Algorithm for Traffic Anomaly Detection), an unsupervised DDoS detector that focuses on reducing the computational resources needed to process the traffic. It models the traffic using a set of regularly created snapshots. Each new snapshot is compared to this model using a k-NN based measure to detect significant deviations toward the usual traffic profile. Those snapshots are also used to provide the network administrator with an explicit and dynamic view of the traffic when an anomaly occurs. Our evaluation shows that AATAC is able to efficiently process real traces with low computational resources requirements, while achieving an efficient detection producing a low number of false-positives.","PeriodicalId":211611,"journal":{"name":"2017 13th International Conference on Network and Service Management (CNSM)","volume":"67 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 13th International Conference on Network and Service Management (CNSM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/CNSM.2017.8256014","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 6
Abstract
Despite the efforts made from both the research community and the industry in inventing new methods to deal with distributed denial of service attacks, they stay a major threat in the Internet network. Those attacks are numerous, and can prevent, in most serious cases, the targeted system from answering any request from its clients. Detecting such attacks means dealing with several difficulties, such as their distributed nature or the several evasions techniques available to the attackers. The detection process has also a cost, which includes both the resources needed to perform the detection and the work of the network administrator. In this paper we introduce AATAC (Autonomous Algorithm for Traffic Anomaly Detection), an unsupervised DDoS detector that focuses on reducing the computational resources needed to process the traffic. It models the traffic using a set of regularly created snapshots. Each new snapshot is compared to this model using a k-NN based measure to detect significant deviations toward the usual traffic profile. Those snapshots are also used to provide the network administrator with an explicit and dynamic view of the traffic when an anomaly occurs. Our evaluation shows that AATAC is able to efficiently process real traces with low computational resources requirements, while achieving an efficient detection producing a low number of false-positives.