| Presentation | 2019-05-24 Feature Value for Low-Bandwidth L3, L4 DDoS Detection based on Number of 5-tuple Flows in 3-tuple Flow Yuhei Hayashi, Hikofumi Suzuki, Takeaki Nishioka, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Recently, new sophisticated attacks such as pulse-wave DDoS has been observed. The DDoS attack repeats short duration attacks, so the time-averaged bandwidth of the attack traffic can be observed as low rate. On the other hand, routers are already deployed in their network and it can send traffic flow information by using NetFlow etc. Level of DDoS countermeasure can be raised economically and quickly if the attacks can be detected by the flow information. Some researchers proposed to detect DDoS attack by calculating bandwidth from the flow information and collaborating it and machine learning. However, in a case where the bandwidth of attack is low so there is no significant difference between attack traffic and normal traffic in terms of bandwidth, the conventional approach is not effective. To make up for the disadvantage of the conventional method, we propose a new feature value and its fast calculation method for detection low-bandwidth L3, L4 DDoS attacks. This feature value is based on a consideration that the number of 5-tuple flows existing in 3-tuple flow defined by (src_ip, dst_ip, dst_port) differs between normal traffic and attack traffic. In addition, we evaluated attack detection accuracy when our proposed feature value and Local Outline Filter (LOF) collaborate. Under the evaluation, we used the dataset obtained by carrying out attacks on the Shinshu University network. We also used the dataset obtained at the transit link of WIDE. The evaluation results show that the proposed feature value is effective to detect low-bandwidth L3, L4 attack while suppressing false negative and false positive |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | DDoS / Detection / Low-bandwidth / NetFlow / sFlow / Machine Learning |
| Paper # | ICM2019-5 |
| Date of Issue | 2019-05-16 (ICM) |
| Conference Information | |
| Committee | ICM / IPSJ-CSEC / IPSJ-IOT |
|---|---|
| Conference Date | 2019/5/23(2days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | Kiyohito Yoshihara(KDDI Research) |
| Vice Chair | Takumi Miyoshi(Shibaura Inst. of Tech.) / Yoichi Sato(NEC) |
| Secretary | Takumi Miyoshi(NTT) / Yoichi Sato(Hitachi) |
| Assistant | Yunchen Zhu(NTT) |
| Paper Information | |
| Registration To | Technical Committee on Information and Communication Management / Special Interest Group on Computer Security / Special Interest Group on Internet and Operation Technology |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Feature Value for Low-Bandwidth L3, L4 DDoS Detection based on Number of 5-tuple Flows in 3-tuple Flow |
| Sub Title (in English) | |
| Keyword(1) | DDoS |
| Keyword(2) | Detection |
| Keyword(3) | Low-bandwidth |
| Keyword(4) | NetFlow |
| Keyword(5) | sFlow |
| Keyword(6) | Machine Learning |
| 1st Author's Name | Yuhei Hayashi |
| 1st Author's Affiliation | Nippon Telegraph and Telephone Corporation(NTT) |
| 2nd Author's Name | Hikofumi Suzuki |
| 2nd Author's Affiliation | Shinshu University(Shindai) |
| 3rd Author's Name | Takeaki Nishioka |
| 3rd Author's Affiliation | Nippon Telegraph and Telephone Corporation(NTT) |
| Date | 2019-05-24 |
| Paper # | ICM2019-5 |
| Volume (vol) | vol.119 |
| Number (no) | ICM-52 |
| Page | pp.pp.65-70(ICM), |
| #Pages | 6 |
| Date of Issue | 2019-05-16 (ICM) |