CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS
Date
2019-02-20
Citation of Original Publication
Cheng Huang, Ping Yi, Futai Zou, Yao Yao, Wei Wang, and Ting Zhu, CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS, Wireless Communications and Mobile Computing Volume 2019, Article ID 6705347, 9 pages, https://doi.org/10.1155/2019/6705347
Rights
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution 4.0 International (CC BY 4.0)
Abstract
This study presents a new method for detecting Shrew DDoS (Distributed Denial of Service) attacks and analyzes the characteristics
of the Shrew DDoS attack. Shrew DDoS is periodic to be suitable for the server’s TCP (Transmission Control Protocol) timer. It
has lower maximum to bypass peak detection. This periodicity makes it distinguishable from normal data packets. By proposing
the CCID (Cross-Correlation Identity Distinction) method to distinguish the flow properties, it quantifies the difference between
a normal flow and an attack flow. Simultaneously, we calculated the cross-correlation between the attack flow and the normal flow
in three different situations. The server can use its own TCP flow timer to construct a periodic attack flow. The cross-correlation
between Gaussian white noise and simulated attack flow is less than 0.3. The cross-correlation between single-door function and
simulated attack flow is 0.28. The cross-correlation between actual attack flow and simulated attack flow is more than 0.8. This
shows that we can quantitatively distinguish the attack effects of different signals. By testing 4 million data, we can prove that it has
a certain effect in practice.
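
The comparison the abstract describes can be sketched as follows. This is an added example, not the authors' code: it scores three constructed flows against a simulated periodic template using the peak Pearson correlation over circular lags. The 10 ms bins, 1 s period, 200 ms burst, the reading of "single-door function" as one rectangular pulse, and the 0.8 cutoff are all assumptions.

```python
import math
import random

def pulse_train(n, period, burst, phase=0):
    """Simulated attack template: `burst` high samples in every `period`."""
    return [1.0 if (i - phase) % period < burst else 0.0 for i in range(n)]

def pearson(x, y):
    """Normalized cross-correlation at zero lag (Pearson coefficient)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0

def ccid_score(flow, template, period):
    """Peak correlation over one period of circular lags, so the unknown
    phase of the observed flow does not matter."""
    return max(pearson(flow, template[-lag:] + template[:-lag])
               for lag in range(period))

def is_shrew_like(score, threshold=0.8):
    # Assumed cutoff, taken from the "more than 0.8" figure in the abstract.
    return score > threshold

def sample_scores(seed=2019):
    """Score three constructed 10 s flows (10 ms bins) against the template."""
    n, period, burst = 1000, 100, 20   # assumed: 1 s timer, 200 ms bursts
    rng = random.Random(seed)
    template = pulse_train(n, period, burst)
    flows = {  # constructed sample inputs, not measured traffic
        "white_noise": [rng.gauss(0.0, 1.0) for _ in range(n)],
        "single_pulse": [1.0 if 400 <= i < 420 else 0.0 for i in range(n)],
        "periodic_attack": [v + rng.gauss(0.0, 0.2)
                            for v in pulse_train(n, period, burst, phase=37)],
    }
    return {name: ccid_score(f, template, period) for name, f in flows.items()}

if __name__ == "__main__":
    for name, score in sample_scores().items():
        print(f"{name:16s} score={score:.3f} shrew_like={is_shrew_like(score)}")
```

The scores depend on the assumed burst width and noise level, so they illustrate the separation between periodic and non-periodic flows rather than reproduce the paper's measurements.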