Presentation is loading. Please wait.

Presentation is loading. Please wait.

DDoS flooding attack detection through a step-by-step investigation

Published byAgatha Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "DDoS flooding attack detection through a step-by-step investigation"— Presentation transcript:

1 DDoS flooding attack detection through a step-by-step investigation
IEEE 2011 Jae-Hyun Jun, Hyunju Oh, Sung-Ho Kim 許哲鳴 Page 1/16

2 Outline Introduction Principle of entropy
DDoS attack detection method by using entropy The result of experiment Conclusion Page 2/16

3 Introduction Distributed Denial of Service (DDoS)
Need an efficient real-time detection. Entropy-based detection mechanism Page 3/16

4 Entropy(熵) Entropy H is defined as
Pi is the probability mass function which is a chance to be observed during random period. If entropy decreases, uncertainty decreases. Page 4/16

5 DDoS attack detection method by using entropy
Page 5/16

6 DDoS attack detection method by using entropy
Step 1: Volume threshold If collected traffic amount during time window is over volume threshold (T1), it judges as first danger and it sends them to next detecting step Page 6/16

7 DDoS attack detection method by using entropy
Step 2: entropy threshold (T2) of destination IP address. Entropy decreases: If traffic in router are heading to some certain IP address. Danger! Entropy increases: If traffic in router are heading to many destination IP address. Page 7/16

8 DDoS attack detection method by using entropy
Step 3: entropy threshold (T3) of transmission port number. Entropy decreases: If a packet has few transmission numbers. Entropy increases: If a packet has various transmission numbers. Danger! Page 8/16

9 DDoS attack detection method by using entropy
Step 4 To compare the packet creation rate threshold (T4) per second Page 9/16

10 The result of experiment
Create normal traffic for web service Time widow = 6 seconds Create DDoS attack Page 10/16

11 The result of experiment
Volume threshold T1 = 1500 Traffic amount flow in router_5 when DDoS attack Page 11/16

12 The result of experiment
threshold T2 = 0.4 The entropy of traffic destination IP address flowed in router_5 when DDoS attack happens Page 12/16

13 The result of experiment
threshold T3 = 0.8 The entropy of source port number of traffic judged the second danger Page 13/16

14 The result of experiment
threshold T4 = 60 Packet creation rate Page 14/16

15 The result of experiment
The traffic came to sever after applying DDoS attack detection method by using entropy Page 15/16

16 Conclusion The detection method based on entropy is better than the detection method based on volume. There will be more necessity to study detection method with entropy. Page 16/16

Download ppt "DDoS flooding attack detection through a step-by-step investigation"

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:

1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
1 A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection 許富皓 資訊工程學系 中央大學 1.

1 A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection 許富皓 資訊工程學系 中央大學 1.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:

1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.

Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.

10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.

Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
Survey of Distributed Denial of Service Attacks and Popular Countermeasures Andrew Knotts, Kent State University Referenced from: Charalampos Patrikakis,Michalis.

Survey of Distributed Denial of Service Attacks and Popular Countermeasures Andrew Knotts, Kent State University Referenced from: Charalampos Patrikakis,Michalis.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.

Similar presentations

Ads by Google