Intrusion Detection, Forecast and Traceback Against DDoS Attacks

Fang-Yie Leu

 Department of Computer Science, Tunghai University, Taiwan

leufy@thu.edu.tw

Abstract

Nowadays, DDoS is one of the most troublesome attacks. Attackers often compromise innocent routers and hosts so that they unwittingly take part in such large-scale attacks as zombies or reflectors. The Internet, moreover, consists of autonomous network management units; if several adjacent or nearby units cooperate to guard the important networks they surround, organizing them in this way helps in detecting DDoS attacks. In this article, we propose an Intrusion Detection, Forecast and Traceback System (IDeFT) built on a united defense environment. First, a detection system able to recognize two types of attacks, logical attacks and DoS/DDoS, is developed. Logical attacks are recognized by neural networks. DDoS, distributed reflective DoS (DRDoS), and the role a host or router plays in either type of attack are identified by the CUSUM algorithm. A hash-based intrusion tracer is also deployed to trace attacks back to the malicious clients. A forecasting model, acting as a proactive intrusion prevention system, monitors the traffic a unit forwards in order to predict malicious behavior in advance on behalf of its neighbor unit. Network management units that combine regional cooperation with autonomy can raise their network security to a higher level.

Keywords: DDoS, DRDoS, intrusion detection, intrusion traceback, CUSUM
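As an added illustration of the CUSUM-based traffic test the abstract mentions (this code is not from the IDeFT paper; the per-interval SYN-minus-FIN statistic, the normal-mean bound `a`, the alarm threshold and the two traffic traces are assumptions constructed for the example), the following non-parametric CUSUM detector accumulates only sustained excess above the expected mean, so a single burst decays away while a flood triggers an alarm after a few intervals:

```python
"""Non-parametric CUSUM change-point detector over a per-interval traffic
statistic. Added example; not code from the IDeFT paper."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class CusumDetector:
    """Non-parametric CUSUM.

    x_n       : observed statistic for interval n (here: SYN - FIN count,
                an assumption chosen for the example)
    a         : upper bound on the mean of x_n under normal traffic
    threshold : raise an alarm once the accumulated drift exceeds it
    """
    a: float
    threshold: float
    y: float = 0.0  # accumulated positive drift, clamped at zero

    def update(self, x: float) -> bool:
        # y_n = max(0, y_{n-1} + x_n - a): intervals above the normal mean
        # add to the score, intervals below it drain the score back to zero,
        # so an isolated spike is forgotten while a flood keeps accumulating.
        self.y = max(0.0, self.y + x - self.a)
        return self.y > self.threshold


def first_alarm(samples: Iterable[float], a: float, threshold: float) -> Optional[int]:
    """Index of the first interval at which CUSUM raises an alarm, or None."""
    det = CusumDetector(a=a, threshold=threshold)
    for i, x in enumerate(samples):
        if det.update(x):
            return i
    return None


# Constructed traces (SYN - FIN per interval). Normal traffic stays at or
# below the assumed bound a = 5, so the score remains zero.
NORMAL: List[float] = [2, 3, 1, 4, 0, 2, 3, 5, 1, 2] * 2

# A SYN flood begins at interval 20: half-open connections pile up, so
# SYN counts run far ahead of FIN counts in every interval.
SYN_FLOOD_TRACE: List[float] = NORMAL + [50.0] * 10

# A single legitimate burst (interval 5) that is not a flood.
SINGLE_SPIKE_TRACE: List[float] = NORMAL[:5] + [40.0] + NORMAL[6:]


if __name__ == "__main__":
    # With a = 5 and threshold = 100 the flood alarms at interval 22:
    # the score grows by 45 per flood interval (45, 90, 135 > 100).
    print("flood alarm at interval:", first_alarm(SYN_FLOOD_TRACE, a=5.0, threshold=100.0))
    # The lone spike reaches only 35 and then decays, so no alarm.
    print("spike alarm at interval:", first_alarm(SINGLE_SPIKE_TRACE, a=5.0, threshold=100.0))
```

The two tunables trade detection delay against false alarms: a larger `a` tolerates more benign variation, while a larger `threshold` lengthens the number of consecutive abnormal intervals needed before an alarm, which is the same knob a deployment would set from observed normal traffic rather than from a fixed constant.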