A New Traffic Pattern Matching for DDoS Traceback Using Independent Component Analysis
Recently, Denial of Service(DoS) attacks and Distributed DoS(DDoS) attacks which are stronger form of DoS attacks from plural hosts have become security threats on the Internet. It is important to identify the attack source and to block attack traffic as one of the measures against these attacks. In general, it is difficult to identify them because information about the attack source is falsified. Therefore a method of identifying the attack source by tracing the route of the attack traffic is necessary. A traceback method which uses traffic patterns, using changes in the number of packets over time as criteria for the attack traceback has been proposed. The traceback method using the traffic patterns can trace the attack by matching the shapes of input traffic patterns and the shape of output traffic pattern observed at a network branch point such as a router. The traffic pattern is a shapes of traffic and unfalsifiable information. The proposed trace methods proposed till date cannot obtain enough tracing accuracy, because they directly use traffic patterns which are influenced by non-attack traffics. In this paper, a new traffic pattern matching method using Independent Component Analysis(ICA) is proposed.
[1] Rocky K.C.Chang, Defending against Flooding-Based Distributed
Denial-of-Service Attacks: A Tutorial, IEEE Communications Magazine,
Octorber 2002.
[2] Kohei OHTA and G.Mansfield, Illigal Access Detection on the Internet-
Present status and future directions-, IEICE Trans., vol.83-B, no.9,
pp.1209-1216, Sep. 2000.
[3] S.Savage, D.Wetherall, A.Karlin, and T.Anderson, Network Support for
IP Traceback, IEEE/ACM Trans. Networking, vol.9, no.3, pp.226-237,
Jun. 2001.
[4] D.Song and A.Perrig, Advanced and authenticated marking schemes for
IP Traceback, Proc. IEEE Infocom 2001 Conf., Anchorage, Alaska USA,
April 2001. University of California, Berkeley, Jun. 2000.
[5] H.Lee and K.Park, On the effectiveness of probabilistic packet marking
for IP Traceback under denial of service attack, Proc. IEEE Inforcom
2001 Conf., Anchorage, Alaska USA, April 2000.
[6] S.M.Bellovin, ICMP Traceback Messages, InternetDraft, IETF, draftietf-
itrace-02.txt(work in progress), Nov. 2002.
[7] A.C.Snoren, C.Partridge, L.A.Sanchez, C.E.Jones, F.Tchakountio,
S.T.Kent, and W.T.Strayer, Hash-Based IP Traceback, Proc. of ACM
SIGCOMM -01, Aug. 2001.
[8] T.Peng, C.Leckie, and K.Ramamohanarao, Adjusted Probabilistic Packet
Marking for IP Traceback, Networking, May, 2002, Pisa, Italy.
[9] T.Peng, C.Leckie, and K.Ramamohanarao, Defending Against Distributed
Denial of Service Attacks Using Selective Pushback, 9th IEEE
International Conference on Telecommunications, June, 2002, Beijing,
China.
[10] Y. Takei, K. Ohta, N. Kato,and Y. Nemoto, Detecting and Tracing Illigal
Access by using Traffic Pattern Matching Technique, IEICE Trans.,
Vol.J84-B, no.8, pp.1464-1473, Aug. 2001.
[11] K. Sakaguchi, K. Ohta, Y. Waizumi, N. Kato, and Y. Nemoto, Tracing
DDoS Attacks by Comparing Traffic Patterns Based on Quadratic
Programming Method, IEICE Trans., Vol.J85-B, no.8, pp.1295-1303,
Aug. 2002.
[12] CERT Advisory CA-96.21, TCP SYN Flooding and IP Spoofing Attacks,
Feb.8, 1996.
[13] CERT Advisory CA-96.01, UDP Port Denial-of-Service Attacks, Feb.8,
1996.
[14] CERT Advisory CA-96.26, Denial-of-Service Attack via ping, Dec.18,
1996.
[15] Y. Uchiyama, Y. Waizumi, N. Kato, and Y. Nemoto, Detecting and
Tracing DDOoS Attacks in the Traffic Analysis Using Auto Regressive
Model, IEICE Trans., vol.E87-D, No.12, pp.2635-2643, Dec. 2004. E.
Leland, M.S. Taqque, W.Willinger, and D.V.Willson, On the self-similar
Nature of Ethernet Traffic (Extended Version), Proc. IEEE/ACM Trans.
Networking, vol.2, no.1, pp.1-15, Feb. 1994.
[16] A.Hyv¨arinen, E.Oja, A fast fixed-point algorithm for independent component
analysis, Neural Computation, 9(7):pp1483-1492, 1997
[17] D.Moore, G.Voelker, and S.Savage, Inferring Internet Denial-of-Service
Activity, Proc. of the 2001 USENIX Security Symposium, May 2001.
[18] The Internet Traffic Archive, Available from
http://ita.ee.lbl.gov/contrib/DEC-PKT.html.
[19] A.Kuzmanovic and E.W.Knightyly, Low-Rate TCP-Targeted Denial of
Service Attacks(The Shrew vs. the Mice and Elephants), Proc. of ACM
SIGCOMM 03, Aug. 2003.
[1] Rocky K.C.Chang, Defending against Flooding-Based Distributed
Denial-of-Service Attacks: A Tutorial, IEEE Communications Magazine,
Octorber 2002.
[2] Kohei OHTA and G.Mansfield, Illigal Access Detection on the Internet-
Present status and future directions-, IEICE Trans., vol.83-B, no.9,
pp.1209-1216, Sep. 2000.
[3] S.Savage, D.Wetherall, A.Karlin, and T.Anderson, Network Support for
IP Traceback, IEEE/ACM Trans. Networking, vol.9, no.3, pp.226-237,
Jun. 2001.
[4] D.Song and A.Perrig, Advanced and authenticated marking schemes for
IP Traceback, Proc. IEEE Infocom 2001 Conf., Anchorage, Alaska USA,
April 2001. University of California, Berkeley, Jun. 2000.
[5] H.Lee and K.Park, On the effectiveness of probabilistic packet marking
for IP Traceback under denial of service attack, Proc. IEEE Inforcom
2001 Conf., Anchorage, Alaska USA, April 2000.
[6] S.M.Bellovin, ICMP Traceback Messages, InternetDraft, IETF, draftietf-
itrace-02.txt(work in progress), Nov. 2002.
[7] A.C.Snoren, C.Partridge, L.A.Sanchez, C.E.Jones, F.Tchakountio,
S.T.Kent, and W.T.Strayer, Hash-Based IP Traceback, Proc. of ACM
SIGCOMM -01, Aug. 2001.
[8] T.Peng, C.Leckie, and K.Ramamohanarao, Adjusted Probabilistic Packet
Marking for IP Traceback, Networking, May, 2002, Pisa, Italy.
[9] T.Peng, C.Leckie, and K.Ramamohanarao, Defending Against Distributed
Denial of Service Attacks Using Selective Pushback, 9th IEEE
International Conference on Telecommunications, June, 2002, Beijing,
China.
[10] Y. Takei, K. Ohta, N. Kato,and Y. Nemoto, Detecting and Tracing Illigal
Access by using Traffic Pattern Matching Technique, IEICE Trans.,
Vol.J84-B, no.8, pp.1464-1473, Aug. 2001.
[11] K. Sakaguchi, K. Ohta, Y. Waizumi, N. Kato, and Y. Nemoto, Tracing
DDoS Attacks by Comparing Traffic Patterns Based on Quadratic
Programming Method, IEICE Trans., Vol.J85-B, no.8, pp.1295-1303,
Aug. 2002.
[12] CERT Advisory CA-96.21, TCP SYN Flooding and IP Spoofing Attacks,
Feb.8, 1996.
[13] CERT Advisory CA-96.01, UDP Port Denial-of-Service Attacks, Feb.8,
1996.
[14] CERT Advisory CA-96.26, Denial-of-Service Attack via ping, Dec.18,
1996.
[15] Y. Uchiyama, Y. Waizumi, N. Kato, and Y. Nemoto, Detecting and
Tracing DDOoS Attacks in the Traffic Analysis Using Auto Regressive
Model, IEICE Trans., vol.E87-D, No.12, pp.2635-2643, Dec. 2004. E.
Leland, M.S. Taqque, W.Willinger, and D.V.Willson, On the self-similar
Nature of Ethernet Traffic (Extended Version), Proc. IEEE/ACM Trans.
Networking, vol.2, no.1, pp.1-15, Feb. 1994.
[16] A.Hyv¨arinen, E.Oja, A fast fixed-point algorithm for independent component
analysis, Neural Computation, 9(7):pp1483-1492, 1997
[17] D.Moore, G.Voelker, and S.Savage, Inferring Internet Denial-of-Service
Activity, Proc. of the 2001 USENIX Security Symposium, May 2001.
[18] The Internet Traffic Archive, Available from
http://ita.ee.lbl.gov/contrib/DEC-PKT.html.
[19] A.Kuzmanovic and E.W.Knightyly, Low-Rate TCP-Targeted Denial of
Service Attacks(The Shrew vs. the Mice and Elephants), Proc. of ACM
SIGCOMM 03, Aug. 2003.
@article{"International Journal of Information, Control and Computer Sciences:61316", author = "Yuji Waizumi and Tohru Sato and Yoshiaki Nemoto", title = "A New Traffic Pattern Matching for DDoS Traceback Using Independent Component Analysis", abstract = "Recently, Denial of Service(DoS) attacks and Distributed DoS(DDoS) attacks which are stronger form of DoS attacks from plural hosts have become security threats on the Internet. It is important to identify the attack source and to block attack traffic as one of the measures against these attacks. In general, it is difficult to identify them because information about the attack source is falsified. Therefore a method of identifying the attack source by tracing the route of the attack traffic is necessary. A traceback method which uses traffic patterns, using changes in the number of packets over time as criteria for the attack traceback has been proposed. The traceback method using the traffic patterns can trace the attack by matching the shapes of input traffic patterns and the shape of output traffic pattern observed at a network branch point such as a router. The traffic pattern is a shapes of traffic and unfalsifiable information. The proposed trace methods proposed till date cannot obtain enough tracing accuracy, because they directly use traffic patterns which are influenced by non-attack traffics. In this paper, a new traffic pattern matching method using Independent Component Analysis(ICA) is proposed.
", keywords = "Distributed Denial of Service, Independent Component Analysis, Traffic pattern", volume = "3", number = "12", pages = "2894-6", }
