Speedily, efficient and adaptive streaming algorithms for real-time detection of flooding attacks

摘要

Effectively detecting and preventing Distributed Denial of Service (DDoS) attacks is getting more and more important for internet service quality. Due to computer limitations for counting the number of flows present in network traffic, earlier work on DDoS detection has either focused on offline analysis of log data or ranged in a small number of potential victim destinations. However, those methods are not sufficient for detecting possible DDoS activity in real time over large networks. This paper proposes novel data-streaming algorithms for real-time detection of DDoS activity in large networks. The key idea is a hash-based synopsis data structure for sampling network data streams. This structure can efficiently track, guarantees small space, and offers accurate synopses. It also presents an algorithm for counting the number of potentially malicious (e.g., "half-open") connections from the network streams. Moreover, the algorithm focuses on counting the distinct destination or source IP by distinguishing difference connection types.