Detecting SYN flooding attacks based on traffic prediction

Published: 01 October 2012

Abstract

SYN flooding attacks are a common type of distributed denial-of-service attack. Many defense schemes have been proposed against SYN flooding attacks. Traditional defense schemes rely on passively sniffing for an attack signature and are inaccurate in the early stages of an attack; they are effective only at later stages, when the attack signature is obvious. In this paper, we propose a detection approach that uses SYN traffic prediction to determine at an early stage whether a SYN flooding attack is taking place. We first adopt a grey prediction model to forecast SYN traffic, and then employ the cumulative sum (CUSUM) algorithm to detect SYN flooding attack traffic against the forecasted SYN traffic. Trace-driven simulation results demonstrate that the proposed detection approach can detect SYN flooding attacks effectively. Copyright © 2012 John Wiley & Sons, Ltd.
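The abstract names the two building blocks, a grey prediction model and CUSUM, without showing how they fit together. The following added example (not code from the paper) forecasts each interval's SYN count with a GM(1,1) grey model fitted over a sliding window of previous counts, and feeds the relative deviation between observed and forecast counts into a one-sided CUSUM. The window size, drift, threshold and the two sample count series are constructed assumptions, not values from the paper; the second series shows that a legitimate, steadily rising load is tracked by the forecast and raises no alarm.

```python
import math

def gm11_forecast(seq):
    """One-step-ahead GM(1,1) grey forecast from a short window of observations."""
    n = len(seq)
    x1 = [sum(seq[:k + 1]) for k in range(n)]             # accumulated (AGO) series
    z = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, n)]   # background values
    y, m = seq[1:], n - 1
    s_z, s_zz = sum(z), sum(v * v for v in z)
    s_y, s_zy = sum(y), sum(v * w for v, w in zip(z, y))
    det = m * s_zz - s_z * s_z                             # normal equations of the LSQ fit
    if abs(det) < 1e-12:
        return float(seq[-1])
    a = (s_z * s_y - m * s_zy) / det                       # development coefficient
    b = (s_zz * s_y - s_z * s_zy) / det                    # grey input
    if abs(a) < 1e-12:                                     # flat series: constant forecast
        return s_y / m
    c = seq[0] - b / a
    return c * (1.0 - math.exp(a)) * math.exp(-a * n)      # x0_hat(n+1)

def grey_cusum_detect(counts, window=6, drift=0.25, threshold=1.0):
    """Grey prediction + CUSUM over per-interval SYN counts.

    Each interval's count is compared with the GM(1,1) forecast built from the
    previous `window` intervals; the relative excess feeds a one-sided CUSUM.
    Returns (index of the first alarm or None, list of CUSUM values)."""
    s, trace, alarm = 0.0, [], None
    for t in range(window, len(counts)):
        pred = max(gm11_forecast(counts[t - window:t]), 1.0)
        excess = (counts[t] - pred) / pred                 # relative deviation from forecast
        s = max(0.0, s + excess - drift)                   # one-sided CUSUM with drift
        trace.append(s)
        if alarm is None and s > threshold:
            alarm = t
    return alarm, trace

# Constructed sample: SYN counts per interval, steady load then a flood from index 12.
FLOOD = [120, 118, 125, 131, 127, 134, 129, 138, 133, 140, 136, 142,
         410, 520, 640, 760]
# Constructed sample: legitimate load growing about 10% per interval, no attack.
RAMP = [100, 110, 121, 133, 146, 161, 177, 195, 214, 236, 259, 285]

if __name__ == "__main__":
    print("flood alarm at index:", grey_cusum_detect(FLOOD)[0])  # 12
    print("ramp alarm at index:", grey_cusum_detect(RAMP)[0])    # None
```

A fixed-rate threshold would fire on the RAMP series as well; the grey forecast is what lets the detector separate a growing legitimate load from a flood.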


Published In

Security and Communication Networks, Volume 5, Issue 10, October 2012
ISSN: 1939-0114
EISSN: 1939-0122

Publisher

John Wiley & Sons, Inc., United States

Author Tags

  1. SYN flooding attacks
  2. denial-of-service
  3. grey system theory
  4. traffic prediction