Evaluating the Impact of Traffic Sampling on AATAC’s DDoS Detection

Authors

  • Gilles Roudière, LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, France
  • Philippe Owezarski, LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, France

DOI:

https://doi.org/10.13052/2245-1439.842

Keywords:

DDoS detection, sampled traffic, unsupervised learning

Abstract

As Distributed Denial of Service (DDoS) attacks are still a severe threat to Internet stakeholders, they should be detected with efficient tools that meet industrial requirements. We previously introduced the AATAC detector, which showed its ability to accurately detect DDoS attacks in real time on full traffic while coping with the constraints of industrial operation: time to detect, limited resources for running detection algorithms, and detection autonomy so that administrators' time is not wasted. However, in a realistic scenario, network monitoring is done on sampled traffic. Such sampling may affect the detection accuracy or the pertinence of the produced results. Consequently, in this paper we evaluate AATAC over sampled traffic. We use five different count-based or time-based sampling techniques, and show that AATAC's resource consumption is in general greatly reduced with little to no impact on the detection accuracy. The obtained results are briefly compared with those from FastNetMon, an open-source threshold-based DDoS detector.

Author Biographies

Gilles Roudière, LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, France

Gilles Roudière received his PhD from Université de Toulouse in 2018. He prepared it at LAAS (Laboratory for Analysis and Architecture of Systems), in Toulouse, France. As his field of research relates to Internet security issues, he is currently working on building a new network anomaly detector that provides more autonomous detection. His research leads him to investigate techniques that are able to deal with network big data, such as machine learning and data mining.

Philippe Owezarski, LAAS-CNRS, Université de Toulouse, CNRS, Toulouse, France

Philippe Owezarski is director of research at CNRS (the French center for scientific research), working at LAAS (Laboratory for Analysis and Architecture of Systems), in Toulouse, France. He received a PhD in computer science in 1996 from Paul Sabatier University, Toulouse III, and a habilitation for advising research in 2006. His main interests deal with the next generation Internet. More specifically, Philippe Owezarski takes advantage of IP network monitoring to enforce Quality of Service and security. He especially focuses on techniques such as machine learning and data mining on the big data collected from networks, in order to make network-related analytics autonomous and cognitive.

Published

2018-11-20

How to Cite

Roudière G, Owezarski P. Evaluating the Impact of Traffic Sampling on AATAC's DDoS Detection. JCSANDM [Internet]. 2018 Nov. 20 [cited 2024 Apr. 19];8(4):419-38. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5361

Section

Articles