Abstract:
A Distributed Denial of Service (DDoS) attack floods a victim system with network traffic sent from many systems at once, making its services unavailable to legitimate users. Detecting such attacks has received much attention in the current literature. Studies have shown that flow-based anomaly detection mechanisms give promising results compared with typical signature-based detection mechanisms, which have not been able to detect such attacks effectively.
The thesis starts with an investigation of the techniques used by rule-based Network Intrusion Detection Systems to detect flooding DDoS attacks. A variety of flow-based algorithms have been put forward for detecting flooding DDoS, and they are divided here into two broad categories: packet-based and mathematical-formulation-based. Two recent techniques have been analysed, one from each category: IP Address Feature Value (IAFV) from the first, and Correlation of IP addresses from the second.
To analyse the algorithms under study effectively, two different test benches have been established, one using real systems and the other using DETERlab. Both algorithms have been evaluated under several normal and flooding DDoS attack scenarios with respect to their detection capability and accuracy. The correlation technique was found to outperform the other techniques and was chosen for further improvement: instead of a single window, multiple sliding time window intervals are used and a correlation coefficient is calculated for each of them. Comparing the correlation coefficient values across the multiple sliding windows leads to better decision making. The proposed technique was then implemented and integrated with Snort, the de facto standard rule-based network intrusion detection system. The behaviour of the algorithms integrated with Snort was evaluated and results were generated to show the impact of the proposed technique. Finally, the proposed technique was analysed with respect to false alarms. The multiple sliding window correlation technique was found to outperform both the original correlation technique and Snort's default flooding DDoS attack detection mechanism.
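The following is an added example that illustrates the multiple-sliding-window correlation idea; it is not the thesis's implementation nor Snort code, and the exact statistic the thesis correlates is not stated in the abstract. The example assumes one concrete formulation: for each window width W ending at time t, packets are counted per source IP in [t-W, t) and in the preceding window [t-2W, t-W), the Pearson correlation coefficient of the two count vectors is computed, and each width casts a vote when its coefficient falls below a threshold; an alarm needs a majority of the widths to agree. The window widths (1, 2 and 5 s), the threshold (0.5), the majority rule, the function names and the traffic trace (ten steady clients, one benign 15-packet burst, then a flood from 25 previously unseen bots) are all assumptions constructed for the example.

```python
"""Multiple-sliding-window correlation detector for flooding DDoS.

Illustrative example (not the thesis's implementation).  Assumed
formulation: for a window width W ending at time t, count packets per
source IP in [t-W, t) and in the preceding window [t-2W, t-W), and take the
Pearson correlation coefficient of the two count vectors.  Steady traffic
from a stable set of clients gives a coefficient near 1; a flood from
sources that were absent (or quiet) in the preceding window pulls it down.
Several widths are evaluated at once and an alarm is raised only when a
majority of them fall below the threshold.
"""
import math
from collections import Counter

WINDOW_WIDTHS = (1.0, 2.0, 5.0)  # seconds; assumed values
THRESHOLD = 0.5                  # assumed decision threshold


def window_counts(events, start, end):
    """Packets per source IP for events with timestamp in [start, end)."""
    return Counter(ip for ts, ip in events if start <= ts < end)


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors.

    A zero-variance vector makes the coefficient undefined; treat two
    identical constant vectors as perfectly correlated (1.0), anything
    else as uncorrelated (0.0), so the caller never sees a NaN.
    """
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 1.0 if a == b else 0.0
    return cov / math.sqrt(var_a * var_b)


def window_correlation(events, t, width):
    """Correlation of per-IP counts between [t-2W, t-W) and [t-W, t)."""
    prev = window_counts(events, t - 2 * width, t - width)
    cur = window_counts(events, t - width, t)
    ips = sorted(set(prev) | set(cur))  # union: a new source counts as 0 before
    if not ips:
        return 1.0                      # no traffic at all: nothing anomalous
    return pearson([prev[ip] for ip in ips], [cur[ip] for ip in ips])


def detect(events, t, widths=WINDOW_WIDTHS, threshold=THRESHOLD):
    """Return (alarm, {width: coefficient}) for the windows ending at t.

    Each width votes independently; the alarm needs a strict majority, so a
    short-lived burst that only the narrowest window reacts to is ignored.
    """
    coeffs = {w: window_correlation(events, t, w) for w in widths}
    votes = sum(1 for c in coeffs.values() if c < threshold)
    return votes * 2 > len(widths), coeffs


def scan(events, t_start, t_end, step=1.0, **kwargs):
    """Slide the detector over the trace; return the times at which it alarmed."""
    alarms, t = [], t_start
    while t <= t_end:
        if detect(events, t, **kwargs)[0]:
            alarms.append(t)
        t += step
    return alarms


def constructed_traffic(burst_at=15, flood_start=30, duration=60):
    """Constructed sample trace of (timestamp, source IP), sorted by time.

    Ten legitimate clients 10.0.0.1-10 send steadily at 1..10 packets/s.
    At second `burst_at` a single new client sends a 15-packet burst (a
    legitimate spike, not an attack).  From `flood_start` on, 25 bots in
    203.0.113.0/24 each send 40 packets/s (flooding from sources never seen
    before).  All addresses and rates are made up for the example.
    """
    events = []
    for second in range(duration):
        for rate in range(1, 11):
            ip = f"10.0.0.{rate}"
            events.extend((second + k / rate, ip) for k in range(rate))
        if second == burst_at:
            events.extend((second + k / 15, "192.0.2.7") for k in range(15))
        if second >= flood_start:
            for bot in range(1, 26):
                ip = f"203.0.113.{bot}"
                events.extend((second + k / 40, ip) for k in range(40))
    events.sort()
    return events


if __name__ == "__main__":
    trace = constructed_traffic()
    for t in (16.0, 30.0, 31.0):
        alarm, coeffs = detect(trace, t)
        print(f"t={t:5.1f} alarm={alarm!s:5} " +
              " ".join(f"W={w:g}s:{c:+.3f}" for w, c in coeffs.items()))
    print("alarm times:", scan(trace, 10.0, 40.0))
```

On this trace the 1 s window alone reacts to the benign burst at t=16 (coefficient about 0.26) while the 2 s and 5 s windows stay above the threshold, so no alarm is raised; at the flood onset (t=31) all three windows drop below it and the alarm fires. Two properties of this particular statistic are worth knowing before relying on it: because consecutive windows are compared, the coefficient climbs back toward 1 once both windows are filled with attack traffic (the alarm here fires at t=31 and t=32 and then stops), so a deployment should latch the alarm or also compare against a clean baseline; and Pearson correlation is driven by the sources that dominate the variance, so a flood spread thinly over many spoofed addresses with a packet each moves it far less than the heavy-hitting bots in this example.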