DDoS Attack Detection and Wavelets

Published in Telecommunication Systems (2005)

Abstract

This paper presents a systematic method for DDoS attack detection. A DDoS attack can be considered a system anomaly or misuse in which abnormal behavior is imposed on network traffic, so attack detection can be performed by identifying that abnormal behavior; characterizing network traffic with a behavior model is therefore a sound basis for detection. Aggregated traffic has been found to be strongly bursty across a wide range of time scales, and wavelet analysis captures complex temporal correlation across multiple time scales at very low computational complexity. We use the energy distribution obtained from wavelet analysis to detect DDoS attack traffic: the energy distribution over time shows limited variation while the traffic keeps its behavior (the attack-free case), whereas the introduction of attack traffic into the network elicits a significant deviation of the energy distribution within a short time period. Our experimental results on a typical Internet traffic trace show that the variance of the energy distribution changes markedly, producing a “spike”, when traffic behavior is affected by a DDoS attack, while normal traffic exhibits a remarkably stationary energy distribution. Moreover, this spike in energy-distribution variance can be captured in the early stages of an attack, well ahead of congestion build-up, which makes it an effective indicator for detecting the attack.
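The abstract describes the detector only in outline. The following is an added, self-contained illustration of that idea; it is not the authors' code and uses a constructed packet-count series, not the paper's traffic trace. Everything the abstract leaves open is an assumption here: a Haar wavelet, 10 ms packet-count bins, non-overlapping 512-bin windows, "energy distribution" taken as the log2 mean squared detail coefficient at the four finest scales (the coarser scales have too few coefficients per window to estimate), the detection statistic taken as the variance of that distribution over a trailing four-window history, and an alarm threshold of five times the largest statistic seen during an attack-free calibration period.

```python
"""Illustrative wavelet energy-distribution DDoS detector.

Added example, not the paper's code or data. Assumptions not fixed by the
abstract: Haar wavelet, 10 ms packet-count bins, 512-bin windows, log2 of the
mean squared detail coefficient at the four finest scales as the "energy
distribution", its variance over a trailing 4-window history as the
statistic, and an alarm threshold of 5x the attack-free calibration maximum.
"""
import math
import random
from statistics import pvariance

WINDOW = 512        # bins per analysis window (5.12 s at the assumed 10 ms bin)
LEVELS = 4          # finest detail levels kept; coarser ones have too few coefficients
HISTORY = 4         # windows over which the energy-distribution variance is taken
CALIBRATION = 20    # attack-free windows used to set the alarm threshold
FACTOR = 5.0        # alarm when the statistic exceeds FACTOR x the calibration maximum
ATTACK_START = 40 * WINDOW   # bin at which the constructed flood begins (window 40)


def haar_details(x):
    """Multi-level Haar DWT of a power-of-two length list.
    Returns [d1, d2, ...] where d1 is the finest-scale detail vector."""
    n = len(x)
    assert n > 0 and n & (n - 1) == 0, "window length must be a power of two"
    details, approx = [], list(x)
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return details


def log_energies(window, levels=LEVELS):
    """Wavelet energy distribution of one window: log2 of the mean squared
    detail coefficient at each of the `levels` finest scales."""
    out = []
    for d in haar_details(window)[:levels]:
        energy = sum(c * c for c in d) / len(d)
        out.append(math.log2(max(energy, 1e-12)))   # clamp so a flat window avoids log(0)
    return out


def energy_variance_trace(counts, window=WINDOW, history=HISTORY):
    """For each non-overlapping window, sum over scales of the variance of the
    log-energy across the trailing `history` windows. Stationary traffic keeps
    this small; a change in traffic behaviour makes it spike."""
    dists = [log_energies(counts[i:i + window])
             for i in range(0, len(counts) - window + 1, window)]
    trace = []
    for k in range(len(dists)):
        recent = dists[max(0, k - history + 1):k + 1]
        trace.append(sum(pvariance(per_scale) for per_scale in zip(*recent)))
    return trace


def alarm_threshold(trace, calibration=CALIBRATION, factor=FACTOR):
    """Threshold learned from the attack-free calibration prefix of the trace."""
    return factor * max(trace[:calibration])


def detect(trace, calibration=CALIBRATION, factor=FACTOR):
    """Index of the first post-calibration window whose statistic exceeds the
    threshold, or None if the traffic never leaves its attack-free behaviour."""
    threshold = alarm_threshold(trace, calibration, factor)
    for k in range(calibration, len(trace)):
        if trace[k] > threshold:
            return k
    return None


def synthetic_trace(seed=7, n_windows=50):
    """Constructed packets-per-bin series (not a measured trace): background
    traffic with Gaussian jitter plus an on/off bursty source for 40 windows,
    then a flood whose per-bin variance is far larger, from ATTACK_START on."""
    rng = random.Random(seed)
    counts, burst_on = [], False
    for t in range(n_windows * WINDOW):
        if rng.random() < 0.05:            # on/off source toggles about every 20 bins
            burst_on = not burst_on
        pkts = 50 + rng.gauss(0, 8) + (30 if burst_on else 0)
        if t >= ATTACK_START:              # flood from many sources, very bursty per bin
            pkts += 400 + rng.gauss(0, 200)
        counts.append(max(0.0, pkts))
    return counts


if __name__ == "__main__":
    trace = energy_variance_trace(synthetic_trace())
    print(f"alarm threshold: {alarm_threshold(trace):.2f}")
    for k in range(36, 46):
        print(f"window {k:2d}  statistic {trace[k]:8.2f}")
    print(f"first alarm at window {detect(trace)}; flood began in window {ATTACK_START // WINDOW}")
```

Two properties of this statistic matter operationally. It fires in the first window that contains flood traffic, because the log-energy at every retained scale jumps relative to the three preceding windows; but once the flood has persisted for HISTORY windows the trailing history is all attack and the variance falls back to a small value, so the alarm must be latched rather than read as a level. The calibration prefix also has to be known to be attack-free; a threshold learned from a window that already contained attack traffic would be inflated and the detector would go quiet.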



Author information

Correspondence to Lan Li.

Cite this article

Li, L., Lee, G. DDoS Attack Detection and Wavelets. Telecommun Syst 28, 435–451 (2005). https://doi.org/10.1007/s11235-004-5581-0