A Robust and Efficient Detection Model of DDoS Attack for Cloud Services


  • 8/19/2019 A Robust and Efficient Detection Model of DDoS Attack for Cloud Services

    1/14

A Robust and Efficient Detection Model of DDoS Attack for Cloud Services

    Jian Zhang, Ya-Wei Zhang, Jian-Biao He(B), and Ou Jin

School of Information Science and Engineering, Central South University, Changsha 410083, China

    [email protected]

Abstract. Recently, DDoS attacks have become a major security threat to cloud services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel model to detect DDoS attacks and identify attack packets for abnormal traffic filtering. The novelties of the model are: (1) combining the characteristics of three types of IP spoofing-based attacks with the temporal correlation of transport layer connection state, a set of accurate check rules for abnormal packets is designed; (2) by improving the Bloom filter algorithm, an efficient mapping mechanism for TCP2HC/UDP2HC and a reliable two-way checking mechanism for abnormal data packets are implemented; (3) DDoS attack detection and filtering are realized by using the non-parametric CUSUM algorithm to model the growth of abnormal packets. Experiments show that, regardless of the type of IP spoofing technique and the scale of the attack traffic, the detection model can accurately detect DDoS attacks as early as possible.

    Keywords:   DDoS · IP spoofing · HOP COUNT · Check · CUSUM

    1 Introduction

With the development and application of cloud computing, the main target of DDoS attacks has turned to cloud nodes [1, 2]. Such attacks aim at the limited computing resources of a node (CPU, memory, network bandwidth, protocol stack, etc.) and rely on exhausting the resources of the victim cloud node to achieve their effect. Since cloud computing has abundant service resources, a DDoS attack must be launched at large scale to be effective.

In research on DDoS attack detection for cloud services, three major goals must be satisfied. The first is the timeliness of detection, that is, detecting aggressive behavior as early as possible, because it is meaningless to detect it only after a large-scale attack has broken out and already damaged the availability of the target. The second is sensitivity to attack traffic: the detection features must distinguish normal traffic from abnormal traffic effectively, which improves the accuracy of attack detection and filtering. The third is adaptability to attack scale, that is, the detection method must detect aggressive behavior accurately whether the attack is high-rate or low-rate.

(c) Springer International Publishing Switzerland 2015. G. Wang et al. (Eds.): ICA3PP 2015, Part III, LNCS 9530, pp. 611–624, 2015. DOI: 10.1007/978-3-319-27137-8_44

At present, most DDoS attack detection methods in academia [3–8] target the sensitivity to abnormal traffic. These methods emphasize the ability of detection features to distinguish normal from abnormal traffic, apply many complicated machine learning algorithms, and obtain good detection precision. However, with low-rate application layer DDoS attacks becoming rampant, a few DDoS detection methods [16, 17] have begun to focus on adaptability to attack scale; because of the high complexity of their detection algorithms, however, these methods cannot satisfy the goal of timely detection. The contradiction between the complexity of detection methods and the timeliness of detection means that current methods cannot meet all three goals at once, and how to achieve a good tradeoff is the urgent problem to be solved.

There are many destructive DDoS attacks [9–11], such as SYN flooding, ACK flooding and RST/FIN flooding in the transport layer, and DNS flooding, HTTP flooding and mail flooding in the application layer. These attacks threaten the dependability of cloud computing to varying degrees. Their common features lie in two aspects: first, they are based on a transport layer protocol such as TCP or UDP; second, all of them use IP spoofing, and the transport layer connection state of the attack traffic is abnormal. Therefore, we can judge in a timely and effective manner whether a cloud node is under DDoS attack through a cumulative calculation based on both the check results of abnormal transport layer connection state and the authenticity of the source of transport layer data segments. Compared to the IP flow, the HOPCOUNT value calculated from the TTL values of TCP segments has better stability, which helps to reduce the occurrence of legal packets being judged as IP spoofing packets due to update delay of HOPCOUNT, and better solves the problem of false positives. This paper presents a DDoS attack detection model for traffic filtering. The core idea is that, through analysis of the characteristics of the HOPCOUNT values calculated from packets with different types of IP spoofing, preliminary checks of the abnormal packets in inbound and outbound traffic are accomplished by the temporal correlation features of transport layer connection state; on this basis, a non-parametric CUSUM algorithm is used to achieve accurate DDoS attack detection and filtering. The experimental results show that the detection model can accurately divide packets into normal and abnormal, and that aggressive behavior can be found at the beginning of the attack, which gives the best opportunity for cleaning the attack traffic. In addition, our detection model is sensitive not only to high-rate DDoS attacks but also to low-rate ones such as the HTTP asymmetric attack; the ROC curves indicate that our detection model has better performance.

The rest of the paper is organized as follows. In Sect. 2, we briefly overview the related work. Section 3 presents the framework of the DDoS attack detection model designed in this paper. In Sect. 4, we propose a set of check rules and the relevant check algorithm for abnormal packets. Section 5 presents the DDoS attack detection algorithm based on the non-parametric CUSUM. In Sect. 6, we introduce the experimental scheme and data used in this paper, deploying the model in an actual network architecture, and evaluate and analyze the results. The summary of the paper and future research work are given in the last section.

    2 Related Work

In this section, we survey related work on the three goals mentioned above. For the first goal, the timeliness of detection, Peng et al. [12] proposed monitoring the number of new IP addresses to detect DDoS attacks, which decreased false alarms due to flash crowds to some extent. The method uses a simple database to store the set of legitimate IP addresses, judges whether an IP address is new with a simple search algorithm, and can detect aggressive behavior early. However, the judgment of a new IP address is based only on the source IP address of packets, and the source of the packets is not authenticated, so the method is susceptible to IP spoofing attacks. Tao and Yu [13] proposed a feature-independent DDoS flooding detection method that can detect attack behavior at an early stage. Simulation results prove the validity of the method, but it is limited to the detection of high-strength floods. FireCol [14] is a distributed cooperative detection system deployed in multiple ISP overlay networks. Early attack behavior can be detected accurately and reliably by monitoring the network traffic between the target host and the attack source. However, the system can only be used for the detection of high-strength flooding-type DDoS attacks.

For the second goal, the sensitivity to abnormal traffic, Vikas et al. [15] proposed using the hop count of packets to judge the authenticity of their source. They analyzed and demonstrated the feasibility, stability and diversity of distribution of source IP authenticity judged by HOPCOUNT and, based on this, realized the filtering of DDoS attack packets through a mapping table between IP and hop count. For aggressive behavior based on IP spoofing, the detection accuracy rate reaches 90 %, with good effect and easy deployment. However, the method itself is vulnerable to distributed attacks. In addition, if the IP2HC table is not updated in time, legitimate packets will be mistaken for attack traffic and cause false alarms. Based on chaos modeling, Chonka et al. [16] exploited self-similarity theory to distinguish DDoS attack traffic from normal traffic. The method can accurately filter abnormal traffic, but its computational complexity makes it hard to detect attack behavior in time. By mining the correlation features of attributes in both the IP header and the TCP header, Dou et al. [17] proposed a DDoS attack detection method for the cloud computing environment based on Credible Filtering (CBF). This method has high detection accuracy for the trained DDoS aggressive behavior, but for unknown aggressive behavior both false negatives and false positives are higher, because the weights of the relevant characteristics cannot be measured.

For the third goal, adaptability to attack scale, Wang et al. [18] divide attack detection into three stages, NTS (network traffic state) forecasting, fine-grained singularity detection and a malicious address extraction engine, and proposed a multistage detection method. The method can accurately detect multiple types of DDoS attacks including subtle DDoS attacks, but its complexity causes poor real-time performance of the attack detection, and it cannot detect aggressive behavior in the early outbreak of an attack. Through an empirical evaluation of the ability to detect high-rate and low-rate DDoS attacks respectively, Monowar et al. [19] put forward an effective detection model. They use several information metrics to detect different kinds of attacks, such as the Hartley entropy, Shannon entropy, Renyi entropy, generalized entropy, Kullback-Leibler divergence distance and generalized information distance. Although the model can be applied to any traffic scale, its capability of detecting early attacks is relatively weak.

    3 Overall Architecture of the Model

Figure 1 shows the overall architecture of the model. The abnormal check component monitors the IP flow and the TCP/UDP segments. It monitors inbound and outbound packets and checks the authenticity of the source of each data segment and the abnormality of the packets. The IP flow monitoring caches the source IP address of each data segment and the corresponding TTL value, and preliminarily checks the authenticity of the IP flow's source by HOPCOUNT. Packets that are judged to have a forged IP source and that relate to an abnormal connection state of the transport layer are called abnormal packets. They include TCP-based abnormal packets, such as SYN, SYN/ACK and ACK, and UDP-based abnormal packets, such as DNS, NTP and common packets.

Fig. 1. The architecture of the defensive model

Their quantity indicates the growth of abnormal traffic. All check results are submitted to the decision component, which judges whether the network service is under DDoS attack. Finally, the decision is sent to the response components (router or firewall). This paper focuses on the traffic abnormal check component and the decision component, which are the parts related to DDoS attack detection.

    4 Abnormal Check Component of Network Traffic

The traffic abnormal check component contains two main functions. After the authentication of the network traffic source, the first check judges the authenticity of the source of data segments in the transport layer by searching the data segment address. The second check is based on the abnormal connection state of the transport layer. Both provide important information for the decision component. This component is part of the packet parsing process and must therefore be efficient; an efficient mapping data structure and a corresponding search algorithm are required.

    4.1 Data Structure of Check Algorithm

Definition 1. Key of Transport Layer Connection State. Suppose the transport layer connection address is represented as TCA, where TCA = , TCA = . If the connection state of the transport layer is represented as KEY, where KEY = , we can classify KEY into requestKEY and replyKEY according to the finite state machine of the transport layer. For example, if requestKEY = , then its replyKEY = ; while if requestKEY = , then its replyKEY = .

The TCP2HC database keeps the records of legitimate TCP connections within a certain survival period. Each record contains the Key of the TCP connection state, the source IP address, the HOPCOUNT, and a timestamp. Every record in the database has a unified survival period T1, which is related to the maximum length of the TCP retransmission timeout. When the difference between the current time and the timestamp exceeds the survival period, the corresponding record is deleted from the database automatically. If the UDP protocol is used, the UDP2HC database is adopted to save the legitimate UDP connection records, and the lifetime of a UDP2HC record is set to T2, which is different from T1.

In order to realize efficient lookup and storage of transport layer connection state, we propose an improved data structure for the Bloom filter algorithm [20]. As shown in Fig. 2, a 2-bit array is adopted. The first bit is the same as in the Bloom filter, and the second bit group stores the first pointer to the linear linked list composed of the different nodes corresponding to the same KEY. Once the second bit is assigned, it cannot be re-assigned, so that hash function conflicts cannot damage the first pointer of the linear linked list. Nodes of the linear list include the source IP, the corresponding HOPCOUNT value and the timestamp. If a KEY search conflict occurs, the information in the nodes helps to avoid misjudgment. The improved Bloom filter provides an efficient data structure for both TCP2HC and UDP2HC. Efficient key searching and robust HOPCOUNT abnormal checks are supported, which helps to improve the overall performance of the check component.

    Fig. 2. The improved data structure of bloom filter algorithm

    4.2 Check Algorithm

The core of our check algorithm includes the new TCA check and the abnormal data packet check. Because most DDoS attacks use IP spoofing, it is necessary to authenticate the source of a connection before checking the connection. To check an abnormal data packet, we must first check whether there is a connection state abnormality in the transport layer. In this research, three assumptions are made:

    Assumption 1.  The router of ISP communication network is not controlled by attackers;

Assumption 2. All the DDoS attacks use IP spoofing techniques;

    Assumption 3.  The attacker and the faked IP are not in the same LAN;

Assumptions 1 and 2 are general and widely accepted. For Assumption 3, the attacker can easily be exposed if the attacker and the faked IP are in the same LAN.

According to Assumption 1, it is feasible to authenticate the source of a connection by hop count. The hop count of a packet is determined by the structure of the communication network and is relatively stable [21], especially for packets in the transport layer. Whether the attacker can pass the checking system depends on whether it can set a proper initial TTL value for each cheating packet. In order to set a proper initial TTL value, the attacker should know hs, the hop number between the host of the cheating IP and the target machine. However, it is difficult to get hs when the attacker randomly selects a cheating source IP for each packet. The attacker would need a mapping table from all the IP addresses in the random IP space to their corresponding hs, and would have to break into at least one host in each subnet of every random address space to obtain hs by traceroute.

    Fig. 3. Illegal connection form based on IP spoofing

According to Assumption 2, we focus on the abnormal packet check of DDoS attacks with IP spoofing. In the transport layer, IP spoofing can be characterized into three types according to the type of attack. Figure 3 shows the three main types. Figure 3a shows IP spoofing of the half-open connection form: A fakes the address of C and requests a connection to B; B sends a response to C to accept this connection and then waits for the response from C until timeout. We use timeout to represent the highest tolerance time for the first timeout, regardless of the different settings of different systems. Figure 3b shows that A makes a successful guess of the RTT and ISN, sends a response to B, and establishes a cheating 'legal' connection. It shows that it is inaccurate to judge the authenticity of a source IP only by whether the connection is established. In this case, we can judge the authenticity of an unknown source IP address by the difference between the TTL value of the SYN packet and that of the subsequent packets. The SYN/ACK packets are from A and the subsequent packets are from C. According to Assumption 3, A and C are in different LANs, so there is an obvious difference between their TTL values. Figure 3c shows IP spoofing of the indirect form: A masquerades as the IP address of C and requests connections to a group of IP nodes; by the rebound protocol, this group of IP nodes sends responses to C simultaneously. Because the IP addresses of the received packets are real, we should check whether corresponding request packets were sent out before receiving them.


Table 1. Abnormal connection state check rules

TCP InboundCRule1: If the SYN flag is not set and the TCA exists in the TCP2HC table, then calculate the packet's HOPCOUNT and check whether it matches the stored HOPCOUNT; if not, the source of the packet is forged and the packet is abnormal;

TCP InboundCRule2: If the SYN flag is not set and the TCA is not found in the TCP2HC table, then the packet is abnormal;

TCP InboundCRule3: If the ACK flag is set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if it does not match the stored HOPCOUNT, the packet is abnormal; otherwise, add a new entry for the replyKEY of  with the HOPCOUNT;

TCP InboundCRule4: If no TCP flags are set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if it does not match the stored HOPCOUNT, the packets are abnormal;

TCP InboundMRule1: If the SYN flag is set and the TCA is not found in the TCP2HC table, then calculate the HOPCOUNT and add a new entry for the requestKEY of  with the HOPCOUNT;

TCP InboundMRule2: If the SYN flag is set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if the packet's SIP is not found in the table, this indicates a Bloom filter conflict, so add a new node including the SIP, HOPCOUNT and timestamp to the linear linked list; otherwise, if the calculated HOPCOUNT does not match the stored HOPCOUNT, update the HOPCOUNT and timestamp fields of the node;

TCP OutboundCRule1: If both the SYN and ACK flags are set, then search for the entry with the requestKEY of  in the TCP2HC table; if it does not exist, the packet is abnormal;

TCP OutboundCRule2: If both the SYN and ACK flags are set and the TCA exists in the TCP2HC table, start the retransmission timeout timer. When the timer expires, query the entry with the replyKEY of  in the TCP2HC table; if it does not exist, the packet is abnormal;

UDP InboundCRule1: If the TCA of a UDP request packet does not exist in the UDP2HC table during the lifetime, then the packet is abnormal;

UDP OutboundMRule1: If the TCA is not found in the UDP2HC table, then add a new entry for the KEY of  in the UDP2HC table.


In order to guarantee that a real TCP packet with the ACK flag can still be queried in the TCP2HC database after the retransmission timeout has expired, T1 > RTO + RTT + a should be satisfied, where RTO is the maximum time of the retransmission timeout timer, T1 is the maximum life cycle of each record in the TCP2HC database, RTT is the round-trip time between the TCP endpoints, and a is a reliable boundary coefficient for safety. According to RTO = RTT + 4·MDEV, we have T1 > 2·RTT + 4·MDEV, where MDEV is the mean deviation of RTT, which measures the RTT jitter. For the UDP2HC database, we set T2 > RTT + a, where T2 is the maximum life cycle of each record in the UDP2HC database.

According to the analysis of the new TCA check and the abnormal data packet check, we propose two categories of check rules, Inbound and Outbound. The main rules are shown in Table 1.
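A minimal implementation of the hop-count check and the TCP inbound rules of Table 1, added here as an example and not the paper's code. It assumes the usual hop-count-filtering heuristic for the initial TTL (the smallest of 32, 64, 128, 255 not below the observed TTL), which the paper does not specify, replaces the Bloom filter and linked list of Sect. 4.1 with a dict keyed on the full TCA, and uses constructed packets and a constructed lifetime T1.

```python
# Added example (not the paper's code): HOPCOUNT check plus the TCP inbound
# rules of Table 1 over a TCP2HC table kept as a plain dict.
# Assumptions: initial TTL inferred from the common defaults (32, 64, 128, 255),
# which the paper does not spell out; T1 and all packets are constructed; the
# Bloom filter / linked list of Sect. 4.1 is replaced by a dict keyed on the TCA.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)
T1 = 3.0  # constructed record lifetime in seconds (paper: T1 > RTO + RTT + a)

TCA = Tuple[str, int, str, int]  # (SIP, SPort, DIP, DPort)


def hop_count(ttl: int) -> int:
    """HOPCOUNT = inferred initial TTL - observed TTL (assumed heuristic)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int
    ttl: int
    syn: bool
    ack: bool
    ts: float  # arrival time in seconds


class TCP2HC:
    """Legitimate-connection records: TCA -> (HOPCOUNT, timestamp)."""

    def __init__(self, lifetime: float = T1) -> None:
        self.lifetime = lifetime
        self._records: Dict[TCA, Tuple[int, float]] = {}

    def lookup(self, tca: TCA, now: float) -> Optional[int]:
        """Return the stored HOPCOUNT, dropping the record once T1 has passed."""
        record = self._records.get(tca)
        if record is None:
            return None
        hc, ts = record
        if now - ts > self.lifetime:
            del self._records[tca]
            return None
        return hc

    def add(self, tca: TCA, hc: int, now: float) -> None:
        self._records[tca] = (hc, now)


def check_inbound(pkt: Packet, table: TCP2HC) -> str:
    """Apply the TCP inbound rules of Table 1; return 'normal' or 'abnormal'."""
    tca: TCA = (pkt.sip, pkt.sport, pkt.dip, pkt.dport)
    hc = hop_count(pkt.ttl)
    stored = table.lookup(tca, pkt.ts)
    if pkt.syn:
        # MRule1: unknown TCA -> record the request with its HOPCOUNT.
        # MRule2 (simplified, no linked list): known TCA with a different
        # HOPCOUNT -> update HOPCOUNT and timestamp.
        if stored is None or stored != hc:
            table.add(tca, hc, pkt.ts)
        return "normal"
    if stored is None:
        return "abnormal"  # CRule2: no SYN seen for this TCA within T1
    if stored != hc:
        return "abnormal"  # CRule1/3/4: HOPCOUNT mismatch -> forged source
    return "normal"


def run_demo() -> List[str]:
    """Constructed inbound traffic towards one server; returns the verdicts."""
    table = TCP2HC()
    server = ("203.0.113.10", 80)
    packets = [
        # legitimate handshake: SYN then ACK from the same distance (64 - 59 = 5 hops)
        Packet("10.0.0.5", 40000, *server, ttl=59, syn=True, ack=False, ts=0.0),
        Packet("10.0.0.5", 40000, *server, ttl=59, syn=False, ack=True, ts=0.1),
        # ACK with no preceding SYN for its TCA within T1: CRule2
        Packet("198.51.100.7", 5555, *server, ttl=59, syn=False, ack=True, ts=0.2),
        # SYN recorded at 5 hops, later ACK arrives from 12 hops (Fig. 3b case): CRule3
        Packet("192.0.2.9", 7777, *server, ttl=59, syn=True, ack=False, ts=0.3),
        Packet("192.0.2.9", 7777, *server, ttl=52, syn=False, ack=True, ts=0.4),
        # legitimate TCA whose record has aged out of T1: no longer trusted
        Packet("10.0.0.5", 40000, *server, ttl=59, syn=False, ack=True, ts=10.0),
    ]
    return [check_inbound(p, table) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last packet shows why T1 must exceed RTO + RTT + a as stated above: a record that expires too early turns a legitimate delayed ACK into a false positive.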

    5 Decision Component

The check algorithm in Sect. 4 only authenticates each single packet. Although the check result of a single packet cannot directly judge whether the network is being attacked, it provides the necessary information for a further decision. A sudden increase of abnormal packets indicates that there is a DDoS attack or scanning of the network [22]. Therefore, the DDoS attack decision algorithm can be based on the cumulative check results in a certain period of time.

    5.1 The Selection of Detection Feature

In the normal state, the accumulated number of abnormal packets is small and stable. When a DDoS attack occurs, these abnormal events increase fast. Because there are a small number of errors and misses in the check component, we choose the accumulated number of abnormal packets as the detection feature in the decision component. We set counters for the number of packets and of abnormal packets in the decision component: θ_n denotes the count of collected packets at the end of the period Δt, and φ_n denotes the count of abnormal packets at the end of the period Δt. We use the following metric to describe the growth of abnormal packets in different time periods of Δt:

$C_n = \dfrac{\varphi_n}{\theta_n}.$   (1)

    5.2 Non-parametric CUSUM Based Decision Algorithm

Network traffic on the Internet is considered a complex stochastic model, and any abnormal traffic leads to changes of the model. In order to achieve real-time detection at the early stage of an attack, the sequence C(n, Δt) is converted into the form

$C_n = b + \xi_n I(n < m) + (h + \eta_n) I(n \ge m)$   (2)


where $E(C_n) = b$, $\xi = \{\xi_n\}_{n=1}^{\infty}$ and $\eta = \{\eta_n\}_{n=1}^{\infty}$ are two stochastic sequences satisfying $E(\xi_n) = E(\eta_n) \equiv 0$, $h \neq 0$. $I(H)$ is an indicator function whose value equals 1 if H is true and 0 otherwise. For the sequence C(n, Δt), if the mean value has a step change from b to b + h at the point m, it indicates that there is a sudden change in the sequence value. We adopt the non-parametric CUSUM algorithm to continuously detect the sequence change and the change point m. It can monitor the sequence in real time with a low false-alarm rate and thus detect DDoS attacks immediately.

In case the network traffic is in the normal state, the mean value of C(n, Δt) is close to 0, i.e., $E(C_n) \ll 1$. We denote $F_n = C_n - \lambda$, with $b' = b - \lambda$ and $h \gg \lambda$, where λ is the offset determined for each specific network environment. The mean value of the sequence F_n in the normal state is offset to negative and turns positive when an attack occurs. Consequently, the offset sequence is applicable to the non-parametric CUSUM algorithm:

$F_n = b' + \xi_n I(n < m) + (h + \eta_n) I(n \ge m)$   (3)

where $b' < 0$ and $-b' < h < 1$. According to the non-parametric CUSUM algorithm, the stochastic sequence F_n has a negative mean value ϕ. When the attack occurs, F_n jumps to positive ($h + b' > 0$, where h is the minimum growth of the sequence F_n when the attack occurs). We accumulate the positive values and ignore the negative ones. If the accumulation exceeds the threshold at a certain moment, the system determines that a DDoS attack is occurring. In the normal state, the value of the sequence F_n is either negative or a non-continuous small positive, so the accumulation will not exceed the threshold. The algorithm is thus converted into the problem of calculating formula (4). It is worth noting that h is the smallest increment when an attack occurs; it is not the threshold for attack detection in the algorithm.

$\gamma_n = T_n - \min_{1 \le k \le n} T_k, \quad \text{where } T_k = \sum_{i=1}^{k} F_i,\ T_0 = 0$   (4)

γ_n is the statistical feature of our detection method. In order to reduce the complexity of the implementation, a nested non-parametric CUSUM algorithm is used, as follows:

$\gamma_n = (\gamma_{n-1} + F_n)^{+}$   (5)

where $x^{+} = x$ when $x > 0$ and $x^{+} = 0$ when $x \le 0$. A greater value of γ_n (exceeding the corresponding threshold) means that an attack exists in the network. γ_n represents the sum of the positive sequence. When $\gamma_{t_N} \ge N$, the statistic has mutated at time t_N and the network is suffering from a distributed denial of service attack. The decision function based on the number of abnormal packets is:

$W_N(\gamma_n) = \begin{cases} 1, & \gamma_n > N \\ 0, & \gamma_n \le N \end{cases}$   (6)

where N is the threshold of attack detection; $W_N(\gamma_n) = 1$ if and only if $\gamma_n > N$, which means the occurrence of attack behavior, and $W_N(\gamma_n) = 0$ if and only if $\gamma_n \le N$, which means the network traffic is normal.
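The decision component of Sect. 5 (Eqs. 1, 5 and 6) run over constructed per-window packet counts, as an added example that is not the paper's code. The offset λ, the threshold N and all window counts are assumed values chosen for the demo, not the paper's experimental settings; the example also shows why the accumulation catches a low-rate attack that a per-window threshold would miss.

```python
# Added example (not the paper's code): the Sect. 5 decision algorithm over a
# constructed sequence of (theta_n, phi_n) counts, one pair per window of
# length delta-t. C_n = phi_n / theta_n (Eq. 1), F_n = C_n - lambda,
# gamma_n = (gamma_{n-1} + F_n)^+ (Eq. 5), W_N(gamma_n) = 1 iff gamma_n > N (Eq. 6).
# lambda, N and every count below are constructed for the demo.
from typing import Dict, List, Optional, Sequence, Tuple

Window = Tuple[int, int]  # (theta_n: packets collected, phi_n: abnormal packets)


def abnormal_ratio(theta: int, phi: int) -> float:
    """C_n of Eq. (1); an empty window contributes no evidence."""
    return 0.0 if theta == 0 else phi / theta


def cusum_series(ratios: Sequence[float], lam: float) -> List[float]:
    """Nested non-parametric CUSUM of Eq. (5) over F_n = C_n - lam."""
    gamma = 0.0
    series: List[float] = []
    for c in ratios:
        gamma = max(0.0, gamma + (c - lam))  # x^+ keeps only the positive part
        series.append(gamma)
    return series


def decide(gamma: float, threshold: float) -> int:
    """W_N(gamma_n) of Eq. (6): 1 iff gamma_n > N."""
    return 1 if gamma > threshold else 0


def first_alarm(windows: Sequence[Window], lam: float, threshold: float) -> Optional[int]:
    """Index of the first window where W_N = 1, or None if no alarm is raised."""
    ratios = [abnormal_ratio(theta, phi) for theta, phi in windows]
    for n, gamma in enumerate(cusum_series(ratios, lam)):
        if decide(gamma, threshold):
            return n
    return None


# Constructed traffic. The checker of Sect. 4 mislabels roughly 1-2.5 % of
# packets in the normal state, so lambda sits above that mean and F_n stays
# negative until an attack starts.
LAM = 0.05
THRESHOLD = 0.45
NORMAL: List[Window] = [(1000, 20), (1200, 30), (950, 10), (1100, 22), (1000, 0)]
# High-rate flood: the abnormal share jumps to 20 %, then 40 %, then 60 %.
HIGH_RATE: List[Window] = NORMAL + [(1500, 300), (2500, 1000), (4000, 2400)]
# Low-rate attack: only 9 % abnormal per window (F_n = 0.04), but the positive
# part accumulates, so gamma_n crosses N after twelve attack windows.
LOW_RATE: List[Window] = NORMAL + [(2000, 180)] * 20


def run_demo() -> Dict[str, Optional[int]]:
    """First alarming window index for each constructed scenario."""
    return {
        "normal_only": first_alarm(NORMAL, LAM, THRESHOLD),
        "high_rate": first_alarm(HIGH_RATE, LAM, THRESHOLD),
        "low_rate": first_alarm(LOW_RATE, LAM, THRESHOLD),
    }


if __name__ == "__main__":
    print(run_demo())
```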


    6 Performance Evaluation

In order to evaluate the detection performance of the model, we conducted attack experiments in the MAN of the Changsha National Software Industry Base. Using a botnet, we launched SYN flooding attacks with type (a) IP spoofing, HTTP flooding attacks with type (b) IP spoofing and DNS flooding attacks with type (c) IP spoofing. Table 2 gives the statistical data of the different types of attacks, where K is the number of abnormal packets of the SYN flooding attack, Σ is the number of abnormal packets of the HTTP flooding attack and Ω is the number of abnormal packets of the DNS flooding attack. Δt is set to 10 s. Figure 4 shows the detection results of the three types of attack. The results show that the SYN flooding attack (Fig. 3a) can be detected in 23.7 s with an accuracy rate of 100 % when K is equal to 53; false negatives exist only if K < 53. The HTTP flooding attack (Fig. 3b) can be detected in 83.6 s with an accuracy rate of 100 % when Σ is equal to 19; detection misses occur only if Σ < 19. The DNS flooding attack (Fig. 3c) can be detected in 68.4 s with an accuracy rate of 100 % when Ω is equal to 32. The detection miss occurs only if Ω


    Fig. 4. Three critical values of different attack in the detection

Table 3. The results of performance test

(a) DDoS attack                      (b) HTTP flooding attack             (c) DNS flooding attack
K    Accuracy (%)  Test time (s)     Σ    Accuracy (%)  Test time (s)     Ω    Accuracy (%)  Test time (s)
30   98.9          45.3              14   92.1          115.8             25   94.6          86.4
53   100           23.7              19   100           83.6              32   100           68.4
68   100           11.2              35   100           17.3              45   100           14.5
89   100           6.7               50   100           8.7               60   100           7.1
120  100           5.1               85   100           8.3               75   100           6.3

    Fig. 5. The ROC curve of three different types of attack

    7 Conclusions and Future Work

This paper proposed a robust and efficient detection model of DDoS attacks for cloud services. First, we give a set of rules on IP address authenticity, transport layer connection address authenticity and transport layer abnormal connection state to check abnormal packets in the transport layer communication process. In detail, we use hop-count based filtering for IP address authentication. For transport layer connection address authentication, we use hop-count based filtering and connection address aggregation. The improved Bloom filter algorithm is used to achieve efficient address query and data storage. The transport layer abnormality check uses the TCP state diagram and UDP reflection protocol characteristics, based on the former authentication. Second, we analyze the increase in the number of abnormal packets with the non-parametric CUSUM algorithm to detect DDoS attacks. The experiments demonstrate that the detection model shows strong advantages in the immediacy of detection, the sensitivity to attack traffic and the adaptability to attack scale.

Acknowledgment. This work is partially supported by the Planned Science and Technology Project of Hunan Province, China (No. 2015JC3044), and the National Natural Science Foundation of China (No. 61272147).

    References

1. Sumter, R.L.Q.: Cloud computing: security risk classification. In: ACMSE, Oxford (2010)

2. Jansen, W., et al.: Cloud hooks: security and privacy issues in cloud computing. In: 44th Hawaii International Conference on System Sciences (HICSS), pp. 1–10. IEEE (2011)

3. Bhuyan, M.H., Kashyap, H.J., Bhattacharyya, D.K., Kalita, J.K.: Detecting distributed denial of service attacks: methods, tools and future directions. Comput. J. bxt031 (2013)

4. Patel, K.: Security survey for cloud computing: threats and existing IDS/IPS techniques. In: 24th International Conference on Control, Communication and Computer Technology, pp. 88–92. IEEE (2013)

5. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)

6. Gupta, S., Kumar, P., Abraham, A.: A profile based network intrusion detection and prevention system for securing cloud environment. Int. J. Distrib. Sens. Netw. (2013)

7. Yi, F., Yu, S., Zhou, W., Hai, J., Bonti, A.: Source-based filtering scheme against DDoS attacks. Int. J. Database Theory Appl. 1(1), 9–20 (2008)

8. Gavaskar, S., Surendiran, R., Ramaraj, D.E.: Three counter defense mechanism for TCP SYN flooding attacks. Int. J. Comput. Appl. 6(6), 0975–8887 (2010)

9. Gulshan, S., Kavita, S., Swarnlata, R.: A technical overview DoS and DDoS attack. Proc. Int. Conf. Comput. 2010, 274–282 (2010)

10. Bogdanoski, M., Suminoski, T., Risteski, A.: Analysis of the SYN flood DoS attack. Int. J. Comput. Netw. Inf. Secur. (IJCNIS) 5(8), 1–11 (2013)

11. Bhandari, N.H.: Survey on DDoS attacks and its detection and defence approaches. Int. J. Sci. Mod. Eng. (IJISME) 1(3), 2319–6386 (2013)

12. Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. In: IEEE International Conference on Communications, pp. 482–486 (2003)

13. Tao, Y., Yu, S.: DDoS attack detection at local area networks using information theoretical metrics. In: 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 233–240 (2013)

14. François, J., Aib, I., Boutaba, R.: FireCol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. (TON) 20(6), 1828–1841 (2012)

15. Chouhan, V., Peddoju, S.K.: Packet monitoring approach to prevent DDoS attack in cloud computing. Int. J. Comput. Sci. Electr. Eng. (IJCSEE) 1(2), 2315–4209 (2013)

16. Chonka, A., Singh, J., Zhou, W.: Chaos theory based detection against network mimicking DDoS attacks. IEEE Commun. Lett. 13(9), 717–719 (2009)

17. Dou, W., Chen, Q., Chen, J.: A confidence-based filtering method for DDoS attack defense in cloud environment. Future Gener. Comput. Syst. 29(7), 1838–1850 (2013)

18. Wang, F., Wang, H., Wang, X., Su, J.: A new multistage approach to detect subtle DDoS attacks. Math. Comput. Model. 55(1), 198–213 (2012)

19. Bhuyan, M.H., Bhattacharyya, D., Kalita, J.: An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit. Lett. 51, 1–7 (2015)

20. Broder, A., Mitzenmacher, M.: Network applications of Bloom filters: a survey. Internet Math. 1(4), 485–509 (2004)

21. Paxson, V.: End-to-end routing behavior in the Internet. IEEE/ACM Trans. Netw. 5(5), 601–615 (1997)

22. Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of the 11th International Conference on World Wide Web, pp. 293–304. ACM (2002)