Spatial Correlation Detection of DDoS Attack
DDoS attack flows distributed across many links are directional in nature: they are usually generated by certain tools and originate from different nodes, but have inherent spatial dependencies as they transit the network. This causes the correlation between the traffic where they traverse to deviate from the norm. Taking advantage of this feature, we propose a spatial correlation detection method, deployed in the backbone network, to combat DDoS attacks. We first approximately estimate the abnormality of every origin-destination (OD) flow by comparing observations with predictions; then, for OD flows with the same destination, we extract the spatial correlation between their abnormality estimates by principal component analysis (PCA). An abrupt change in spatial correlation indicates that a DDoS attack is occurring. We evaluate the detection performance of our method on synthetic DDoS attacks injected into real backbone traffic, using receiver operating characteristic (ROC) curves. The contribution of this paper is that using the spatial correlation between attack flows, rather than attack volume alone, lets us detect relatively small attacks masked by the tremendous traffic of a backbone network. Moreover, in contrast to the centralized computation of previous network-wide anomaly detection methods, our method can be deployed separately in each node, so it can adapt to networks of different sizes and is thus scalable.
Zonglin Li, Guangming Hu, Xingmiao Yao
Key Lab of Broadband Optical Fiber Transmission and Communication Networks, University of Electronic Science and Technology of China (UESTC), P.R.China
International conference
2009 International Conference on Communications, Circuits and Systems (ICCCAS 2009)
Chengdu
English
304-308
2009-07-23 (date first made available online on the Wanfang platform; not the paper's publication date)
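The pipeline outlined in the abstract, as an added sketch that is not the authors' code: per-flow abnormality as observation minus prediction, then PCA over the OD flows that share a destination. The EWMA predictor, the use of the first principal component's variance share as the correlation statistic, and all traffic values are assumptions chosen for illustration.

```python
import random

def abnormality(series, alpha=0.2):
    """Observation minus EWMA prediction for one OD flow (assumed predictor)."""
    pred, out = series[0], []
    for x in series:
        out.append(x - pred)
        pred += alpha * (x - pred)
    return out

def top_component_share(columns, iters=200):
    """Fraction of total variance carried by the first principal component.

    columns: one abnormality series per OD flow, all toward the same destination.
    """
    n, p = len(columns[0]), len(columns)
    centered = []
    for c in columns:
        mean = sum(c) / n
        centered.append([v - mean for v in c])
    cov = [[sum(a * b for a, b in zip(ci, cj)) / (n - 1) for cj in centered]
           for ci in centered]
    vec = [1.0] * p
    for _ in range(iters):  # power iteration toward the leading eigenvector
        nxt = [sum(cov[i][j] * vec[j] for j in range(p)) for i in range(p)]
        norm = sum(v * v for v in nxt) ** 0.5
        vec = [v / norm for v in nxt]
    top = sum(vec[i] * cov[i][j] * vec[j] for i in range(p) for j in range(p))
    return top / sum(cov[i][i] for i in range(p))

def demo(flows=6, window=120, seed=7):
    """Constructed traffic: independent noise, then a pulsed attack on every flow."""
    rng = random.Random(seed)
    series = []
    for _ in range(flows):
        normal = [1000 + rng.gauss(0, 50) for _ in range(window)]
        # Constructed attack: 120 units on top of ~1000, five samples on, five off.
        attack = [1000 + rng.gauss(0, 50) + (120 if (t // 5) % 2 == 0 else 0)
                  for t in range(window)]
        series.append(abnormality(normal + attack))
    before = top_component_share([s[:window] for s in series])
    during = top_component_share([s[window:] for s in series])
    return before, during

if __name__ == "__main__":
    before, during = demo()
    print(f"first-PC variance share before: {before:.2f}, during: {during:.2f}")
```

With independent per-flow noise the variance is spread over all components; the synchronized pulse concentrates it on one component, and that jump between windows is the signal a detector would threshold.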