ISSN: 2245-4578 (Online Version) ISSN: 2245-1439 (Print Version)
Evaluating the Impact of Traffic Sampling on AATAC’s DDoS Detection

Keywords

DDoS detection
sampled traffic
unsupervised learning

How to Cite

[1]
G. Roudière and P. Owezarski, “Evaluating the Impact of Traffic Sampling on AATAC’s DDoS Detection”, JCSANDM, vol. 8, no. 4, pp. 419–438, Nov. 2018.

Abstract

As Distributed Denial of Service (DDoS) attacks are still a severe threat for Internet stakeholders, they should be detected with efficient tools that meet industrial requirements. We previously introduced the AATAC detector, which showed its ability to accurately detect DDoS attacks in real time on full traffic while coping with the constraints of industrial operation, such as time to detect, limited resources for running detection algorithms, and detection autonomy so as not to waste administrators’ time. However, in a realistic scenario, network monitoring is done using sampled traffic. Such sampling may impact the detection accuracy or the pertinence of the produced results. Consequently, in this paper, we evaluate AATAC over sampled traffic. We use five different count-based or time-based sampling techniques, and show that AATAC’s resource consumption is in general greatly reduced with little to no impact on the detection accuracy. The results obtained are briefly compared with those from FastNetMon, an open-source threshold-based DDoS detector.

 

https://doi.org/10.13052/2245-1439.842
