Detection of LDDoS attacks based on TCP connection parameters

Michael Siracusano; Stavros Shiaeles; Bogdan Ghita

doi:10.1109/GIIS.2018.8635701

Detection of LDDoS attacks based on TCP connection parameters

Michael Siracusano, Stavros Shiaeles, Bogdan Ghita

School of Computing

University of Plymouth

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

79 Downloads (Pure)

Abstract

Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and kNN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.

Original language	English
Title of host publication	2018 Global Information Infrastructure and Networking Symposium, GIIS 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	978-1-5386-7272-3
ISBN (Print)	978-1-5386-7273-0
DOIs	https://doi.org/10.1109/GIIS.2018.8635701
Publication status	Published - 7 Feb 2019
Event	2018 Global Information Infrastructure and Networking Symposium - Thessaloniki, Greece Duration: 23 Oct 2018 → 25 Oct 2018

Publication series

Name	IEEE GIIS Proceedings Series
Publisher	IEEE
ISSN (Print)	2379-3783
ISSN (Electronic)	2150-329X

Conference

Conference	2018 Global Information Infrastructure and Networking Symposium
Abbreviated title	GIIS 2018
Country/Territory	Greece
City	Thessaloniki
Period	23/10/18 → 25/10/18

Keywords

Artificial Intelligence
computer Security
cyber Security
deep Learning
distributed Denial of Service
doS
lDDoS
lDoS
low rate attack
machine Learning
network Defence
roQ

Access to Document

10.1109/GIIS.2018.8635701

Detection_of_LDDoS_attacks
© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript (Post-print), 612 KB

Cite this

@inproceedings{0ebbcc650c594aa98106598f8056b183,

title = "Detection of LDDoS attacks based on TCP connection parameters",

abstract = "Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and kNN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.",

keywords = "Artificial Intelligence, computer Security, cyber Security, deep Learning, distributed Denial of Service, doS, lDDoS, lDoS, low rate attack, machine Learning, network Defence, roQ",

author = "Michael Siracusano and Stavros Shiaeles and Bogdan Ghita",

year = "2019",

month = feb,

day = "7",

doi = "10.1109/GIIS.2018.8635701",

language = "English",

isbn = "978-1-5386-7273-0",

series = "IEEE GIIS Proceedings Series",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2018 Global Information Infrastructure and Networking Symposium, GIIS 2018",

address = "United States",

note = "2018 Global Information Infrastructure and Networking Symposium, GIIS 2018 ; Conference date: 23-10-2018 Through 25-10-2018",

}

Siracusano, M, Shiaeles, S & Ghita, B 2019, Detection of LDDoS attacks based on TCP connection parameters. in 2018 Global Information Infrastructure and Networking Symposium, GIIS 2018. IEEE GIIS Proceedings Series, Institute of Electrical and Electronics Engineers Inc., 2018 Global Information Infrastructure and Networking Symposium, Thessaloniki, Greece, 23/10/18. https://doi.org/10.1109/GIIS.2018.8635701

Detection of LDDoS attacks based on TCP connection parameters. / Siracusano, Michael; Shiaeles, Stavros; Ghita, Bogdan.

2018 Global Information Infrastructure and Networking Symposium, GIIS 2018. Institute of Electrical and Electronics Engineers Inc., 2019. (IEEE GIIS Proceedings Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Detection of LDDoS attacks based on TCP connection parameters

AU - Siracusano, Michael

AU - Shiaeles, Stavros

AU - Ghita, Bogdan

PY - 2019/2/7

Y1 - 2019/2/7

N2 - Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and kNN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.

AB - Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable webservers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publically available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried out using six supervised AI algorithms to categorise attack from legitimate flows. Decision trees and kNN accurately classified up to 99.99% of flows, with exceptionally low false positive and false negative rates, demonstrating the potential of AI in LDDoS detection.

KW - Artificial Intelligence

KW - computer Security

KW - cyber Security

KW - deep Learning

KW - distributed Denial of Service

KW - doS

KW - lDDoS

KW - lDoS

KW - low rate attack

KW - machine Learning

KW - network Defence

KW - roQ

UR - http://www.scopus.com/inward/record.url?scp=85062868681&partnerID=8YFLogxK

UR - http://giis-2018.org/

UR - https://pearl.plymouth.ac.uk/handle/10026.1/14704

U2 - 10.1109/GIIS.2018.8635701

DO - 10.1109/GIIS.2018.8635701

M3 - Conference contribution

AN - SCOPUS:85062868681

SN - 978-1-5386-7273-0

T3 - IEEE GIIS Proceedings Series

BT - 2018 Global Information Infrastructure and Networking Symposium, GIIS 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2018 Global Information Infrastructure and Networking Symposium

Y2 - 23 October 2018 through 25 October 2018

ER -

Detection of LDDoS attacks based on TCP connection parameters

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this