Publication Type

Journal Article

Version

publishedVersion

Publication Date

3-2024

Abstract

Distributed Denial of Service (DDoS) defense is a profound research problem. In recent years, adversaries tend to complicate their attack strategies by crafting vast DDoS variants. On the one hand, this trend exacerbates both extremes of classification granularity (i.e., binary and attack level) in existing machine learning methods. On the other hand, massive attack categories make the filter rule table bulky, as well as cause problems of slow reaction presented in the recent state-of-the-art DDoS mitigation system. Therefore, we propose the concept of a DDoS family to reconcile/cope with these issues. The specific technical roadmap includes traffic pattern characterization, attack fingerprint production, and cross-executed family partition by community detection. Through extensive evaluations, we demonstrate the benefits of the proposal in terms of portraying similarities, guiding model classification/unknown attack detection, optimizing defense strategies, and speeding filtering reactions. For instance, our results show that using only one rule can defend 15 types of attacks due to their homogeneous behavioral representation. Particularly, we find the interesting observation that counting the backward packet is more efficient and robust against some attacks (e.g., Tor's Hammer Attack), which is very different from previous solutions.

Keywords

Backward packet statistics, Community detection, DDoS attack family, Defense strategy, Traffic fingerprint construction

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Computers and Security

Volume

138

First Page

1

Last Page

14

ISSN

0167-4048

Identifier

10.1016/j.cose.2023.103663

Publisher

Elsevier

Copyright Owner and License

Publisher

Additional URL

https://doi.org/10.1016/j.cose.2023.103663

Share

COinS