dc.contributor.author: Kråkvik, Morten
dc.date.accessioned: 2007-06-27T07:49:23Z
dc.date.issued: 2006
dc.identifier.uri: http://hdl.handle.net/11250/137142
dc.description: Master's thesis in information and communication technology 2006 - Høgskolen i Agder, Grimstad [en]
dc.description.abstract: Distributed denial of service attacks have become a significant threat against Internet resources. These attacks aim at disrupting the victim’s service by commanding a massive number of compromised sources to send useless data towards the victim. The distributed nature of these attacks usually makes mitigation a time-consuming process, and the risk of collateral damage is high. In this thesis I propose a method for detecting and identifying the sources of DDoS attacks based on research in the field of network traffic measurement and source IP address monitoring. The method consists of two parts: a network traffic collector and a traffic profile analyser, where the first part is responsible for creating traffic profiles representing the network pattern over certain time periods, and the second part responsible for the analysis. A novelty in this thesis is the usage of learning automata for tracking the behaviour of source IP addresses and subnets. I have shown that when using a specific reinforcement algorithm for the learning automata, the proposed method is able to correctly identify and distinguish sources participating in distributed denial of service attacks and sources generating normal traffic. It has also been shown that this algorithm is robust against attacks based on IP spoofing. Due to the fact that the method is tracking both source IP addresses as well as their subnets, more efficient filtering rules can be created based on subnets instead of multiple IP addresses. [en]
dc.format.extent: 1353660 bytes
dc.format.mimetype: application/pdf
dc.language.iso: eng [en]
dc.publisher: Høgskolen i Agder
dc.publisher: Agder University College
dc.subject.classification: IKT590
dc.title: DDoS detection based on traffic profiles [en]
dc.type: Master thesis [en]
dc.subject.nsi: VDP::Mathematics and natural science: 400::Information and communication science: 420::Algorithms and computability theory: 422
dc.subject.nsi: VDP::Mathematics and natural science: 400::Information and communication science: 420::Security and vulnerability: 424

