Advanced Network Data Analytics for Large-Scale DDoS Attack Detection

Konstantinos F. Xylogiannopoulos (University of Calgary, Calgary, Canada), Panagiotis Karampelas (Hellenic Air Force Academy, Dekelia, Greece) and Reda Alhajj (University of Calgary, Calgary, Canada)
Copyright: © 2017 | Pages: 11
DOI: 10.4018/IJCWT.2017070104


Internet-enabled devices, or the Internet of Things as they have come to be known, are increasing exponentially every day. The lack of security standards in the manufacturing of these devices, along with the haste of manufacturers to increase their market share in this area, has created a very large network of vulnerable devices that can easily be recruited as bot members and used to launch very large volumetric Distributed Denial of Service (DDoS) attacks. The significance of the problem is evident from the large number of recently revealed attacks on institutions, enterprises and even countries. In the current paper a novel method is introduced, based on a data mining technique, that analyzes the details of incoming IP traffic and gives the network administrator early warning of a potentially developing DDoS attack. The method scales with the available infrastructure, from a conventional laptop computer to a complex cloud infrastructure. As the experiments show, depending on the hardware configuration the method can monitor and detect abnormal network traffic of several Gbps in real time using minimal hardware.
Article Preview


In recent years, the number of Internet-enabled devices has been increasing exponentially every day. According to the Ericsson Mobility Report (Ericsson, 2016), in the third quarter of 2016 there were more than 7.5 billion mobile subscriptions worldwide, roughly half of them broadband. In most countries the penetration rate is over 100%, which means that there are more mobile devices than people. In the UK in the first quarter of 2016, 93% of the adult population were mobile users, more than 71% of the adult population used smartphones, and 66% of mobile users used their smartphone to access the Internet, as reported by OfCom (OfCom, 2017). Apart from smartphones, other Internet-enabled devices have appeared, such as smart TVs, watches, security cameras, printers, washing machines, etc., which are connected to the Internet either directly or through pairing with a smartphone. All these devices are potential victims of malicious hackers who wish to exploit the security weaknesses of the new devices and the privacy insensitivity, or even ignorance, of their users. As the number of devices increases and more and more types of devices become Internet-connected, the likelihood of a device being hijacked also increases. The most apparent motive is stealing private information, such as financial information, personal emails and photos, which the attacker can use for personal gain. However, one might wonder why someone would want to take control of a smart washing machine, apart from playing a trick on its owner. A smart device, as part of the Internet of Things (IoT), is a valuable network resource simply because it is connected to the Internet, and it can be put in the service of, for example, a bot network used to attack other legitimate users of the network.
This type of attack has already been reported (Kührer et al., 2014), especially involving devices such as routers, VoIP gateways, network printers and surveillance cameras. Recent reports from various security firms have disclosed several serious volumetric distributed denial-of-service attacks attributed to IoT botnets. One such DDoS attack was reported in September 2016 against Brian Krebs's security blog; it generated traffic of over 600 Gbps and was attributed to an IoT botnet created by the Mirai malware (Bertino & Islam, 2017). The same month another attack was reported against the French web host OVH, at 1.1 Tbps or more (US CERT, 2017). On October 21st, 2016, the US service provider Dyn experienced the largest DDoS attack reported so far, at more than 1 Tbps, which again is attributed to IoT devices infected with the Mirai malware (Arbor Networks, 2016).
