from: https://jyx.jyu.fi/bitstream/handle/123456789/52275/1/URN%3ANBN%3Afi%3Ajyu-201612125051.pdf

Summary of the related literature:

S1 Eliseev and Gurina (2016) Algorithms for network server anomaly behavior detection without traffic content inspection ACM 1

S2 Zolotukhin et al. (2016b) Weighted Fuzzy Clustering for Online Detection of Application DDoS Attacks in Encrypted Network Traffic Scopus 1

S3 Zolotukhin et al. (2016a) Increasing Web Service Availability by Detecting Application-Layer DDoS Attacks in Encrypted Traffic IEEE, Scopus 1

S4 Zolotukhin et al. (2015) Data Mining Approach for Detection of DDoS Attacks Utilizing SSL/TLS Protocol Scopus 1

S5 Petiz et al. (2014) Detecting DDoS Attacks at the Source Using Multiscaling Analysis IEEE 1

S6 Wang et al. (2015) DDoS attack protection in the era of cloud computing and Software-Defined Networking ScienceDirect 1

S7 Hoeve (2013) Detecting Intrusions in Encrypted Control Traffic ACM 1

S8 Amoli and Hämäläinen (2013) A Real Time Unsupervised NIDS for Detecting Unknown and Encrypted Network Attacks in High Speed Network IEEE 1

S9i Das, Sharma, and Bhattacharyya (2011) Detection of HTTP Flooding Attacks in Multiple Scenarios ACM 0

S10i Shiaeles et al. (2012) Real time DDoS detection using fuzzy estimators ScienceDirect 0

S11 Chen, Chen, and Delis (2007) An Inline Detection and Prevention Framework for Distributed Denial of Service Attacks Scopus 1

S12i Lee et al. (2008) DDoS attack detection method using cluster analysis ScienceDirect 0

S13i Caulkins, Lee, and Wang (2005) A Dynamic Data Mining Technique for Intrusion Detection Systems ACM 0

S14 Abimbola, Shi, and Merabti (2003) NetHost-Sensor: A Novel Concept in Intrusion Detection Systems IEEE 0

Detection methods for encrypted traffic:

Table 11. Detection methods in encrypted networks from included studies

| Study | Detection method | Strategy | Features |
|---|---|---|---|
| [S1] | Correlation functions & MLP | Statistical analysis & classification | Server response rate metrics |
| [S2] | Fuzzy c-means | Fuzzy clustering | Statistics and data from packet headers |
| [S3] | Single-linkage, k-means, fuzzy c-means, SOM, DBSCAN & SAE | Classification (NN) & clustering | Statistics and data from packet headers |
| [S4] | DBSCAN, k-means, k-NN, SOM, SVDD | Clustering | Packet header statistics |
| [S5] | Multiscaling analysis | Statistical analysis | Number of packets & average energy per timescale |
| [S6] | Probabilistic inference graphical model | Bayesian networks | Chow-Liu algorithm for feature decision |
| [S7] | Edit distance-based searching | Statistical analysis & clustering | Time, size and direction of the packet |
| [S8] | DBSCAN | Statistical analysis & clustering | Packet header and flow data in different resolutions |
| [S11] | Signatures & stateful protocol analysis | Signature & stateful protocol analysis | TCP, UDP and ICMP packet headers and statistics as well as payload |
| [S14] | Snort signatures | Signature & system call sequence analysis | Packet payload |

Detection methods from non-encrypted research:

Table 12. Applicable methods from non-encrypted research in included studies

| Study | Detection method | Strategy | Features |
|---|---|---|---|
| [S9i] | Statistical analysis, pattern disagreement and projected clustering | Statistical analysis and clustering | TCP header data & packet rate per interval |
| [S10i] | Fuzzy estimator | Statistical analysis | Mean time between network packets |
| [S12i] | Hierarchical clustering | Clustering | TCP header information & number of packets |
| [S13i] | Classification tree | Classification | TCP header data |

Detailed analysis:

The goal of "Algorithms for network server anomaly behavior detection without traffic content inspection" is to detect anomalies:

[S1] Eliseev and Gurina (2016) use correlation functions of the data block size and the number of packets per time unit observed at the web server. They train on long time intervals, i.e. three weeks of real data. They propose two algorithms. The first looks at the Pearson correlation coefficient between the cross-correlation functions of similar time intervals in the current and the training sets. The second uses a multilayer perceptron (MLP), trained with the Levenberg-Marquardt algorithm, to reconstruct the current cross-correlation functions; a threshold on the reconstruction error determines whether a function is anomalous. They say that these algorithms can easily be implemented as a lightweight DDoS HIDS in IoT devices. The method uses both statistical analysis and classification.
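The first algorithm of [S1] in reduced form, as an added example that is not code from the thesis or from Eliseev and Gurina: a cross-correlation function between the per-interval packet count and the per-interval bytes sent is learned from a training window, the same function is computed for the current window, and the Pearson coefficient between the two functions is the anomaly score. The server counters, the lag range of 6 intervals and the cut-off of 0.8 are assumptions made for this example; the stalled-server case shows a flood that raises the packet count while the bytes sent stop following it.

```python
import math
import random

def cross_correlation(x, y, max_lag):
    """Normalised cross-correlation function r_xy(k) for lags k = -max_lag..max_lag."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    ccf = []
    for k in range(-max_lag, max_lag + 1):
        acc = sum((x[i] - mx) * (y[i + k] - my)
                  for i in range(n) if 0 <= i + k < n)
        ccf.append(acc / (sx * sy) if sx and sy else 0.0)
    return ccf

def pearson(a, b):
    """Pearson correlation coefficient between two equally long sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((u - ma) * (v - mb) for u, v in zip(a, b))
    den = math.sqrt(sum((u - ma) ** 2 for u in a) * sum((v - mb) ** 2 for v in b))
    return num / den if den else 0.0

def ccf_score(train, current, max_lag=6):
    """Correlate the cross-correlation function learned from the training window
    with the one observed in the current window (S1, first algorithm, simplified)."""
    (tp, tb), (cp, cb) = train, current
    return pearson(cross_correlation(tp, tb, max_lag), cross_correlation(cp, cb, max_lag))

THRESHOLD = 0.8   # assumed cut-off, to be tuned on training data; not a value from S1

def classify(train, current):
    score = ccf_score(train, current)
    return ("anomalous" if score < THRESHOLD else "normal"), score

def server_counters(seed, intervals, stalled=False):
    """Constructed per-interval counters as a web server would export them: packets
    received and bytes sent. Normally the server answers each request two intervals
    later with roughly 600 B per received packet; in the 'stalled' case a flood of
    packets arrives but the bytes sent no longer follow the packet count."""
    rng = random.Random(seed)
    packets = [50 + 20 * math.sin(t / 4) + rng.gauss(0, 2) for t in range(intervals + 2)]
    if stalled:
        sent = [rng.gauss(2000, 300) for _ in range(intervals)]
        packets = [p + rng.gauss(300, 60) for p in packets]
    else:
        sent = [600 * packets[t] + rng.gauss(0, 300) for t in range(intervals)]
    return packets[2:], sent          # bytes sent lag the received packets by two intervals

if __name__ == "__main__":
    baseline = server_counters(1, 240)
    for label, window in (("normal window", server_counters(2, 240)),
                          ("stalled server", server_counters(3, 240, stalled=True))):
        verdict, score = classify(baseline, window)
        print(f"{label}: {verdict} (score {score:.3f})")
```

Because the score compares the shape of two correlation functions, it is insensitive to the absolute traffic volume; what the flood changes is the lagged relation between packets received and bytes sent, which is exactly what the comparison measures.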

S2 Zolotukhin et al. (2016b) Weighted Fuzzy Clustering for Online Detection of Application DDoS Attacks in Encrypted Network Traffic Scopus 1

[S2] Zolotukhin et al. (2016b) propose a method for detecting DDoS attacks in encrypted network traffic in both the offline and the online case using the fuzzy c-means clustering algorithm. In the method, they train the system with flow information such as conversation length, packet velocity, packet size averages and flags. They build feature vectors from this information, normalizing the values with min-max normalization. There are two different versions of the algorithm, an online and an offline one. The tests of the method are conducted in the Realistic Global Cyber Environment (RGCE), where the attacks can be simulated as realistically as possible. Slowloris, SSLsqueeze and some advanced DDoS attacks were tested against the system; the trivial cases such as Slowloris and SSLsqueeze were detected nearly 100% of the time, whereas the advanced DDoS attacks reached only 70% accuracy when keeping the false positives to a minimum. The categorical classification of this method is clustering.

S3 Zolotukhin et al. (2016a) Increasing Web Service Availability by Detecting Application-Layer DDoS Attacks in Encrypted Traffic IEEE, Scopus 1

[S3] Zolotukhin et al. (2016a) study application-layer DDoS attacks in encrypted network traffic using hierarchical, centroid-based and density-based clustering algorithms and a stacked auto-encoder (SAE). The features for clustering come from the packet header information and from each user's conversation with the server. Conversations are assembled from two different flows with matching sources and destinations. After this, statistics such as the velocity of packets, extent, flags and the number of encrypted messages are extracted into tuples for clustering. The tuples are normalized with max-min normalization. Using the clustering methods listed in Table 11, the most common DDoS attack types are detected by comparing the incoming flows to the clusters. For each type of algorithm a different deviation measure is used; for example, for centroid-based algorithms a threshold is set on the maximum distance of the vector from the normal-traffic cluster centers. The common DDoS attack types are Slowloris and Slow POST, while a more advanced DDoS attack mimicked the behavior of the users of a web service. This attack was detected by combining the conversations from the same source, calculating the approximate similarity to each cluster as percentages and applying the stacked auto-encoder; the reconstruction error of the SAE is the anomaly measure. The methods presented in this paper put it in both the classification and the clustering categories.
 

S4 Zolotukhin et al. (2015) Data Mining Approach for Detection of DDoS Attacks Utilizing SSL/TLS Protocol Scopus 1

[S4] Zolotukhin et al. (2015) present a clustering-based anomaly detection method using DBSCAN (density-based spatial clustering of applications with noise) and compare it with others such as SOM (self-organizing map), k-means, k-nearest neighbors and support vector data description (SVDD). The features for the training and testing data use only packet header statistics such as the averages of packet sizes or TTL (time to live) and TCP flag appearance averages, to name a few. The feature vectors are min-max normalized (a common step in clustering). If the pairwise distance from the nearest cluster member is more than the maximal pairwise distance for that cluster, the vector is labeled as an anomaly. The method is categorized under clustering methods because of the various clustering algorithms used in the detection.
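The two deviation rules described for [S3] (centroid-based: a threshold on the distance from the nearest normal-traffic cluster center) and [S4] (the distance to the nearest cluster member compared with that cluster's maximal pairwise distance), applied after min-max normalization, as one added example that is not code from the thesis or from Zolotukhin et al. The per-conversation features (packet rate, mean packet size, number of encrypted records), the two-cluster k-means training and the constructed conversations are assumptions of this example; deterministic farthest-first seeding is used so that the run is repeatable.

```python
import math
import random

def min_max_fit(rows):
    """Per-feature (min, max) learned from the training tuples."""
    return [(min(col), max(col)) for col in zip(*rows)]

def min_max_apply(row, bounds):
    """Scale one tuple into [0, 1] per feature using the training bounds."""
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(row, bounds)]

def dist(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

def kmeans(points, k, iters=100):
    """Plain k-means; farthest-first seeding keeps the result deterministic."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centers[i]))].append(p)
        new = [[sum(col) / len(g) for col in zip(*g)] if g else centers[i]
               for i, g in enumerate(groups)]
        if new == centers:
            break
        centers = new
    return centers, groups

def train(raw_rows, k):
    """Normalize, cluster, and record per cluster the two thresholds the rules need."""
    bounds = min_max_fit(raw_rows)
    points = [min_max_apply(r, bounds) for r in raw_rows]
    centers, groups = kmeans(points, k)
    model = []
    for c, g in zip(centers, groups):
        model.append({
            "center": c,
            "members": g,
            "radius": max(dist(p, c) for p in g),             # S3: max distance to center
            "diameter": max(dist(p, q) for p in g for q in g),  # S4: max pairwise distance
        })
    return bounds, model

def classify(raw_row, bounds, model):
    """Apply both rules to one incoming conversation; True means anomalous."""
    x = min_max_apply(raw_row, bounds)
    nearest = min(model, key=lambda m: dist(x, m["center"]))
    centroid_rule = dist(x, nearest["center"]) > nearest["radius"]
    member_rule = min(dist(x, p) for p in nearest["members"]) > nearest["diameter"]
    return {"centroid_rule": centroid_rule, "member_rule": member_rule}

def conversations(seed):
    """Constructed normal conversations: (packets/s, mean packet size B, TLS records).
    60 interactive browsing sessions and 40 bulk downloads."""
    rng = random.Random(seed)
    rows = [[rng.gauss(5, 1), rng.gauss(800, 50), rng.gauss(20, 5)] for _ in range(60)]
    rows += [[rng.gauss(50, 5), rng.gauss(1400, 30), rng.gauss(200, 20)] for _ in range(40)]
    return rows

if __name__ == "__main__":
    bounds, model = train(conversations(1), k=2)
    print("typical browsing:", classify([5, 800, 20], bounds, model))
    # a slow, tiny-packet conversation that never completes a handshake-sized exchange
    print("slow trickle:   ", classify([0.2, 60, 1], bounds, model))
```

Both thresholds are taken from the training data itself, so they grow with the spread of normal traffic; the usual caveat is that a single extreme training tuple inflates the radius and diameter of its cluster and widens what is accepted as normal.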
 

S5 Petiz et al. (2014) Detecting DDoS Attacks at the Source Using Multiscaling Analysis IEEE 1

[S5] Petiz et al. (2014) propose a statistical detection method in the source network that uses multiple-scale traffic analysis. The features are statistics of the packet flows, so they conclude that the method is also applicable to encrypted traffic. The detection is based on the premise that DDoS attacks leave a pseudo-periodicity fingerprint in the traffic. By calculating an average energy for packets per second over multiple time intervals, anomalous traffic should show higher energy at one interval length. This paper is an example of a purely statistical analysis of network metrics.
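The multiscale idea of [S5], as an added example that is not code from the thesis or from Petiz et al.: per-second packet counts are re-binned at several timescales, an average energy is computed per scale, and an alarm is raised when one scale carries several times the energy of an attack-free baseline. The energy definition (variance of the m-second aggregate divided by m), the set of scales, the factor of 3 and the constructed traffic are assumptions of this example; a pulsed flood with an 8-second period concentrates its energy at the 4-second scale, which is the fingerprint the method looks for.

```python
import math
import random

SCALES = (1, 2, 4, 8, 16)   # window lengths in seconds (assumed set of timescales)

def aggregate(series, m):
    """Re-bin per-second packet counts into m-second windows."""
    usable = len(series) - len(series) % m
    return [sum(series[i:i + m]) for i in range(0, usable, m)]

def energy_per_scale(series, scales=SCALES):
    """Average energy of the count fluctuations at each timescale. Assumed definition,
    not taken from S5: variance of the m-second aggregate divided by m, which makes
    Poisson-like background traffic score the same at every scale."""
    energy = {}
    for m in scales:
        agg = aggregate(series, m)
        mean = sum(agg) / len(agg)
        energy[m] = sum((v - mean) ** 2 for v in agg) / (len(agg) - 1) / m
    return energy

def multiscale_ratios(baseline, current, scales=SCALES):
    """Energy of the current window relative to an attack-free baseline, per scale."""
    base, cur = energy_per_scale(baseline, scales), energy_per_scale(current, scales)
    return {m: cur[m] / base[m] for m in scales}

def detect(baseline, current, factor=3.0):
    """Alarm when one timescale carries `factor` times the baseline energy; returns the
    verdict, the timescale with the highest ratio and all ratios."""
    ratios = multiscale_ratios(baseline, current)
    peak = max(ratios, key=ratios.get)
    return ratios[peak] > factor, peak, ratios

def traffic(seed, seconds, pulse=None):
    """Constructed per-second packet counts leaving a source network: a background of
    about 30 packets/s (rounded normal as a stand-in for Poisson) plus an optional
    pulsed flood given as (period, on_seconds, extra_packets)."""
    rng = random.Random(seed)
    counts = [max(0, round(rng.gauss(30, math.sqrt(30)))) for _ in range(seconds)]
    if pulse:
        period, on, amp = pulse
        counts = [c + (amp if t % period < on else 0) for t, c in enumerate(counts)]
    return counts

if __name__ == "__main__":
    baseline = traffic(1, 512)
    for label, window in (("normal", traffic(2, 512)),
                          ("pulsed flood", traffic(3, 512, pulse=(8, 4, 40)))):
        alarm, scale, ratios = detect(baseline, window)
        print(label, alarm, "peak scale", scale, {m: round(r, 1) for m, r in ratios.items()})
```

At scales longer than the pulse period the on and off halves average out, so the flood becomes invisible there; that is why a single-scale rate threshold can miss it while the comparison across scales does not.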
 

S6 Wang et al. (2015) DDoS attack protection in the era of cloud computing and Software-Defined Networking ScienceDirect 1

[S6] Wang et al. (2015) develop a complete NIDS with detection and mitigation modules for software-defined networks (SDN). Their detection method is based on a probabilistic inference graphical model that continuously updates itself in order to counter the data-shift issue, unlike traditional Bayesian networks. The data-shift issue arises from assuming that the training data and real attacks follow the same statistical frequency (Wang et al. 2015, 313). The features are not preselected by the researchers but by the Chow-Liu algorithm; they are selected from flows or packet headers. After applying the algorithm, the relevant variables are commonly linked in the Chow-Liu tree, and these are chosen for the analysis of the graphical model. The graphical model is an adaptation of Bayesian networks, so the category for this paper is BN.
 

S7 Hoeve (2013) Detecting Intrusions in Encrypted Control Traffic ACM 1 (note: this method seems fairly effective: first cluster on packet statistics, then compute the edit distance between packet sequences within the same class to judge how similar their content is.)

[S7] Hoeve (2013) explores an intrusion detection method for encrypted control traffic. A packet-series search and comparison using edit distance is the measure of the difference between series. The method uses the time, size and direction of each packet to form the feature vector, and traffic consists of series of these vectors. In the training phase the series are clustered. The next phase searches for series with approximate string matching and edit distance; series whose distance is over a set threshold are malicious. This method uses both statistical methods and clustering, so those are its categories.
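The pipeline of [S7] on constructed control traffic, as an added example that is not code from the thesis or from Hoeve: each (time gap, size, direction) packet is mapped to a coarse token, a series of packets becomes a token string, the training series are clustered with a leader clustering on edit distance, and a new series is malicious when its edit distance to every cluster representative exceeds the threshold learned from training. The token buckets, the leader clustering, the poll/status exchanges and the injected write are all assumptions of this example.

```python
def tokenise(series):
    """Map each (gap_seconds, size_bytes, direction) packet to a coarse token so that a
    series of packets becomes a string for edit-distance comparison. Bucket borders are
    assumed for this example, not taken from S7."""
    out = []
    for gap, size, direction in series:
        g = "q" if gap < 0.05 else ("m" if gap < 1.0 else "l")      # quick / medium / long gap
        s = "s" if size < 100 else ("m" if size < 600 else "b")     # small / medium / big
        out.append(f"{direction}{s}{g}")                             # e.g. 'csq', 'smq'
    return out

def edit_distance(a, b):
    """Levenshtein distance between two token lists (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ta in enumerate(a, 1):
        cur = [i]
        for j, tb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ta != tb)))
        prev = cur
    return prev[-1]

def cluster_series(token_series, radius):
    """Leader clustering: a series joins the first cluster whose representative is within
    `radius` edits, otherwise it founds a new cluster. Returns [(representative, members)]."""
    clusters = []
    for s in token_series:
        for rep, members in clusters:
            if edit_distance(rep, s) <= radius:
                members.append(s)
                break
        else:
            clusters.append((s, [s]))
    return clusters

def train(packet_series, radius=1):
    """Training phase: cluster the known-good series; the detection threshold is the
    largest distance any training series has from its own representative."""
    clusters = cluster_series([tokenise(s) for s in packet_series], radius)
    threshold = max(edit_distance(rep, m) for rep, members in clusters for m in members)
    return clusters, threshold

def detect(clusters, threshold, packet_series):
    """Approximate match against every representative; over the threshold is malicious."""
    tokens = tokenise(packet_series)
    best = min(edit_distance(rep, tokens) for rep, _ in clusters)
    return best > threshold, best

# Constructed control-traffic exchanges: client 'c' polls, server 's' answers.
POLL = [(2.0, 64, "c"), (0.01, 120, "s"), (0.01, 64, "c"), (0.02, 400, "s")]
POLL_ACK = POLL + [(0.01, 60, "c")]
STATUS = [(5.0, 80, "c"), (0.02, 1200, "s"), (0.01, 60, "c")]
TRAINING = [POLL, POLL_ACK, POLL, STATUS, POLL_ACK, STATUS]
# Constructed injected write: three big client messages where a poll has one small one.
WRITE = [(2.0, 64, "c"), (0.01, 120, "s"), (0.01, 900, "c"), (0.01, 900, "c"),
         (0.01, 900, "c"), (0.02, 400, "s")]

if __name__ == "__main__":
    clusters, threshold = train(TRAINING)
    print("threshold", threshold)
    print("poll with ack:", detect(clusters, threshold, POLL_ACK))
    print("injected write:", detect(clusters, threshold, WRITE))
```

Nothing here reads the payload: the size, direction and timing of the encrypted packets alone distinguish the injected write (three extra big client-to-server tokens) from the polls the controller normally sends.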
 

S8 Amoli and Hämäläinen (2013) A Real Time Unsupervised NIDS for Detecting Unknown and Encrypted Network Attacks in High Speed Network IEEE 1 (note: didn't get this one...)

[S8] Amoli and Hämäläinen (2013) have designed an NIDS to work with large amounts of data. The method first employs an algorithm that uses statistical analysis to detect variations in the flows (how?). If an anomaly is detected, the second phase with DBSCAN starts. The outliers from the final set of clusters are flagged as anomalous and as a potential DDoS attack. As thresholds for DBSCAN, the minimum cluster size is set to 5% of the number of flows and the maximum distance between vectors is fixed to the average Mahalanobis distance of the vectors. From the anomalous traffic, the system then starts to pinpoint the attacker from C&C traffic patterns. Because of the two different phases, the category of this paper is both statistical analysis and clustering.
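The DBSCAN phase of [S8] with its two stated parameters, as an added example that is not code from the thesis or from Amoli and Hämäläinen: the minimum cluster size is 5% of the number of flows and the neighbourhood radius is the average Mahalanobis distance between the flow vectors (read here as the average over all pairs), and the points DBSCAN leaves as noise are the flagged flows. The two flow features (packets in the flow, mean packet size) and the constructed flows are assumptions of this example; the matrix inverse is written out so that the block runs with the standard library only.

```python
import math
import random

def covariance(rows):
    """Sample covariance matrix of the feature vectors."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    return [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in rows) / (n - 1)
             for j in range(d)] for i in range(d)]

def invert(m):
    """Gauss-Jordan inverse of a small square matrix given as a list of rows."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

def mahalanobis(a, b, inv_cov):
    d = [u - v for u, v in zip(a, b)]
    return math.sqrt(sum(d[i] * inv_cov[i][j] * d[j]
                         for i in range(len(d)) for j in range(len(d))))

def dbscan(points, eps, min_pts, metric):
    """Textbook DBSCAN. Labels: cluster id, or -1 for noise (outliers)."""
    n = len(points)
    neighbors = [[j for j in range(n) if metric(points[i], points[j]) <= eps]
                 for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbors[i]) < min_pts:
            labels[i] = -1                      # provisional noise; may become a border point
            continue
        labels[i] = cluster
        queue = list(neighbors[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster             # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neighbors[j]) >= min_pts:    # core point: keep expanding
                queue.extend(neighbors[j])
        cluster += 1
    return labels

def outlier_flows(rows):
    """S8's parameterisation: min_pts = 5% of the flows, eps = average Mahalanobis distance."""
    inv = invert(covariance(rows))
    metric = lambda a, b: mahalanobis(a, b, inv)
    n = len(rows)
    pair_dists = [metric(rows[i], rows[j]) for i in range(n) for j in range(i + 1, n)]
    eps = sum(pair_dists) / len(pair_dists)
    min_pts = max(2, round(0.05 * n))
    labels = dbscan(rows, eps, min_pts, metric)
    return [i for i, lab in enumerate(labels) if lab == -1], eps, min_pts

def flows(seed):
    """Constructed flow vectors (packets in flow, mean packet size in bytes): 97 normal
    client sessions followed by 3 flood flows of thousands of tiny packets."""
    rng = random.Random(seed)
    normal = [[rng.gauss(200, 20), rng.gauss(700, 40)] for _ in range(97)]
    flood = [[rng.gauss(5000, 200), rng.gauss(60, 10)] for _ in range(3)]
    return normal + flood

if __name__ == "__main__":
    idx, eps, min_pts = outlier_flows(flows(7))
    print(f"eps={eps:.2f} min_pts={min_pts} outlier flows={idx}")
```

Two properties of this parameterisation are worth checking on real data: the covariance is estimated from the whole set including the attack flows, so a large attack cluster stretches the Mahalanobis metric along its own direction, and any group of attack flows that is at least 5% of the traffic becomes a dense cluster of its own rather than noise.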
 

S9i Das, Sharma, and Bhattacharyya (2011) Detection of HTTP Flooding Attacks in Multiple Scenarios ACM 0

[S9i] Das, Sharma, and Bhattacharyya (2011) have developed a three-phase method for detecting DDoS flooding attacks. The first phase uses a simple threshold value for the number of HTTP requests per interval. The second takes advantage of the request rates of parallel time intervals and computes a pattern disagreement value; the maximum of this value during a period with no known attacks is taken as the threshold for anomalous traffic. The third method uses packet header data and projected clustering with Oracle SQL queries, creating an index to determine whether a cluster is malicious or normal. The first two are online and the last is an offline detection method. This paper belongs to both the statistical analysis and the clustering-based groups.
 

S10i Shiaeles et al. (2012) Real time DDoS detection using fuzzy estimators ScienceDirect 0

[S10i] Shiaeles et al. (2012) propose a detection method that uses packet arrival times in small time windows. It is assumed that under a DDoS attack the mean packet arrival does not follow the Poisson distribution. An α-cuts fuzzy estimator is used to derive a single fuzzy value for the mean arrival times in the earlier time window, and the current mean time is then compared to that value. If the current value is less than the fuzzy value, an alarm is raised; if it is more, the traffic is considered normal. They note that flash crowd events might be flagged as DDoS attacks by this method. I chose to include this paper, as the method does not require any payload inspection and could be used as a detection method in encrypted network traffic. This method is based on statistical analysis.
 

S11 Chen, Chen, and Delis (2007) An Inline Detection and Prevention Framework for Distributed Denial of Service Attacks Scopus 1

[S11] Chen, Chen, and Delis (2007) have developed an NIDS, called DDoS Container, that uses several detection methods in succession to detect DDoS attacks in network traffic. They acknowledge that their method does not fully handle encrypted network traffic, but say that the behavioral analysis of the stateful inspection also catches flows that are encrypted. As stated in Table 11, the method combines stateful protocol analysis and signature-based payload inspection. The system is placed in a network segment through which all traffic flows between two switches, presumably before or in the DMZ (demilitarized zone). The system comprises multiple detection phases, named Protocol Decoder, Behavior Police, Session Correlator, Message Sequencer, Traffic Distinguisher and Traffic Arbitrator. The first three take care of the stateful protocol analysis and the latter three of the more careful packet inspection using signatures. At the beginning only the packet header information is taken into account, and therefore malicious flows with abnormal behavior can also be detected in encrypted traffic. Thus, this paper is in both the stateful protocol analysis and the signature-based detection classes.
 

S12i Lee et al. (2008) DDoS attack detection method using cluster analysis ScienceDirect 0

[S12i] Lee et al. (2008) propose a hierarchical clustering-based detection method that uses various entropy values and other metrics calculated from the packet header information as the features. The vectors are normalized by standard deviation before clustering, and Euclidean distance is used as the similarity measure. The method is purely clustering-based.
 

S13i Caulkins, Lee, and Wang (2005) A Dynamic Data Mining Technique for Intrusion Detection Systems ACM 0

[S13i] Caulkins, Lee, and Wang (2005) use a decision tree to detect DDoS attacks. The learning phase was done in a supervised manner from the known attacks of the DARPA 1999 IDEVAL dataset. Only the TCP packet header information was taken into account (why was the TCP payload not used?). The decision tree classifies connections into either intrusive or normal classes. This is a categorically classification-based method.
 
S14 Abimbola, Shi, and Merabti (2003) NetHost-Sensor: A Novel Concept in Intrusion Detection Systems IEEE 0

[S14] Abimbola, Shi, and Merabti (2003) discuss the difficulty signature-based systems have with encrypted network traffic. They propose a host-based IDS that can access the payload of the encrypted traffic. The HIDS sits right after the application layer, detects DDoS attacks using signatures on the network packet payload, and analyzes the system calls of the target application. Categorically a signature and system-call analysis based paper, it is the first one included in the mapping study that notes the difficulties of analyzing encrypted network traffic and consciously researches the field.
