DDoS detection based on traffic profiles
Abstract
Distributed denial of service attacks have become a significant threat against
Internet resources. These attacks aim at disrupting the victim's service by
commanding a massive number of compromised sources to send useless
data towards the victim. The distributed nature of these attacks usually
makes mitigation a time-consuming process, and the risk of collateral damage
is high.
In this thesis I propose a method for detecting and identifying the sources
of DDoS attacks based on research in the field of network traffic measurement
and source IP address monitoring. The method consists of two parts:
a network traffic collector and a traffic profile analyser, where the first part
is responsible for creating traffic profiles representing the network pattern
over certain time periods, and the second part is responsible for the analysis.
A novelty in this thesis is the usage of learning automata for tracking
the behaviour of source IP addresses and subnets.
I have shown that when using a specific reinforcement algorithm for
the learning automata, the proposed method is able to correctly identify and
distinguish sources participating in distributed denial of service attacks
from sources generating normal traffic. It has also been shown that this
algorithm is robust against attacks based on IP spoofing.
Because the method tracks both source IP addresses and their subnets,
more efficient filtering rules can be created based on subnets instead of
multiple individual IP addresses.
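The abstract does not spell out the reinforcement algorithm, the profile format or the thresholds the thesis uses, so the following is an added illustration written for this page and not the thesis's own code. It assumes one two-action learning automaton ("normal" / "attack") per source IP and per /24 subnet, updated with a linear reward-penalty style rule (reward rate 0.5, assumed), windowed traffic profiles reduced to a packet count per source, and fixed per-host and per-subnet packet limits; the flow records are constructed. It shows the point the abstract makes about subnets: a subnet rule is emitted only when the subnet automaton is confident and none of its observed hosts looks normal, otherwise per-host rules are used to avoid the collateral damage mentioned above.

```python
"""Learning-automaton tracking of source IPs and /24 subnets over traffic
profiles (added example; algorithm, thresholds and data are assumptions)."""
from collections import defaultdict
from ipaddress import ip_network

FLAG = 0.9    # p(attack) at or above this: source is considered an attacker
CLEAR = 0.5   # p(attack) below this: source is considered normal


class LearningAutomaton:
    """Two-action automaton keeping only p(attack); p(normal) = 1 - p(attack).

    Environment feedback is 'abnormal' (profile exceeded its limit) or not;
    the favoured action is rewarded with a linear update of rate `a`
    (assumed reinforcement scheme, not necessarily the thesis's)."""

    def __init__(self, reward_rate=0.5, p_attack=0.5):
        self.a = reward_rate
        self.p_attack = p_attack

    def update(self, abnormal):
        if abnormal:
            self.p_attack += self.a * (1.0 - self.p_attack)
        else:
            self.p_attack -= self.a * self.p_attack


def subnet_of(ip, prefix=24):
    """Map a host address to its enclosing subnet, e.g. 10.0.1.7 -> 10.0.1.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


class ProfileAnalyser:
    """Consumes one traffic profile per time window: {source_ip: packets}."""

    def __init__(self, host_limit, subnet_limit, reward_rate=0.5):
        self.host_limit = host_limit
        self.subnet_limit = subnet_limit
        self.hosts = defaultdict(lambda: LearningAutomaton(reward_rate))
        self.subnets = defaultdict(lambda: LearningAutomaton(reward_rate))
        self.members = defaultdict(set)   # subnet -> hosts seen in it

    def observe_window(self, profile):
        """Give every source and every subnet seen in this window its feedback."""
        subnet_totals = defaultdict(int)
        for ip, pkts in profile.items():
            net = subnet_of(ip)
            self.members[net].add(ip)
            subnet_totals[net] += pkts
            self.hosts[ip].update(pkts > self.host_limit)
        for net, total in subnet_totals.items():
            self.subnets[net].update(total > self.subnet_limit)

    def filter_rules(self):
        """Prefer one subnet rule when the whole subnet misbehaves; fall back to
        per-host rules when a flagged subnet still contains normal hosts."""
        rules = []
        for net, auto in self.subnets.items():
            flagged = [ip for ip in self.members[net]
                       if self.hosts[ip].p_attack >= FLAG]
            quiet = [ip for ip in self.members[net]
                     if self.hosts[ip].p_attack < CLEAR]
            if auto.p_attack >= FLAG and flagged and not quiet:
                rules.append(net)
            else:
                rules.extend(sorted(flagged))
        return sorted(rules)


def build_demo_windows():
    """Constructed profiles for five windows: three attackers fill 10.0.1.0/24,
    10.0.2.0/24 mixes one attacker with a normal host, and 10.0.3.0/24 holds
    a normal host plus one host with a single burst."""
    burst = [100, 3000, 100, 100, 100]
    return [
        {"10.0.1.1": 5000, "10.0.1.2": 5000, "10.0.1.3": 5000,
         "10.0.2.7": 5000, "10.0.2.8": 100,
         "10.0.3.9": 200, "10.0.3.10": burst[w]}
        for w in range(5)
    ]


def run_demo():
    analyser = ProfileAnalyser(host_limit=1000, subnet_limit=3000)
    for profile in build_demo_windows():
        analyser.observe_window(profile)
    return analyser


if __name__ == "__main__":
    a = run_demo()
    for ip, auto in sorted(a.hosts.items()):
        print(f"{ip:12s} p(attack)={auto.p_attack:.4f}")
    print("filter rules:", a.filter_rules())
```

The single burst from 10.0.3.10 raises its p(attack) only briefly and it decays back below CLEAR, so a one-window spike does not produce a rule; the persistent attackers converge towards 1 within a few windows. The mixed subnet 10.0.2.0/24 is confidently abnormal at the aggregate level, but because 10.0.2.8 is confidently normal the analyser emits a rule for 10.0.2.7 alone rather than for the whole subnet.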
Description
Master's thesis in information and communication technology 2006 - Høgskolen i Agder, Grimstad
Publisher
Høgskolen i Agder (Agder University College)