Anomaly Detection Systems for Distributed Denial of Service Attacks

Abstract

Distributed Denial of Service (DDOS) attacks persist and are growing stronger. According to the latest data, 2016 has seen DDOS attacks which were large in both frequency and size \cite{arbor}. DDOS attacks have been investigated extensively and various countermeasures have been proposed to protect networks from these attacks. However, DDOS is still considered to be the major threat to current networks and there is a need for Anomaly Detection Systems (ADSs) to accurately detect DDOS attacks. Furthermore, network traffic now has significant Peer to Peer (P2P) traffic. P2P traffic in Europe accounts for more than a quarter of all bandwidth, and 40 percent of all packets sent. Previous work has shown that P2P traffic can have a negative impact on the accuracy of ADSs. A P2P traffic preprocessor was proposed in \cite{sardarali} to compensate for the adverse impact of P2P traffic on ADSs. In this project, two well-known anomaly detectors, namely Network Traffic Anomaly Detector (NETAD) and Maximum Entropy Anomaly Detector (MaxEnt), are evaluated with and without this P2P traffic preprocessor for the detection of DDOS attacks. Performance of these ADSs has also been evaluated for the detection of TCP and UDP flood Denial of Service (DOS) attacks. Results are presented which show that using this P2P traffic preprocessor improves the ability of these ADSs to detect attacks.