Traffic Anomaly Detection in DDoS Flooding Attack

Yudha Purwanto, Kuspriyanto, Hendrawan, Budi Rahardjo
Bandung Institute of Technology
Bandung, Indonesia
[email protected], [email protected], [email protected], [email protected]

Abstract—Research has been conducted to overcome the Distributed Denial of Service (DDoS) flooding attack. Besides signature-based detection, anomaly-based detection is also used to detect the attack. Several methods, such as statistics, information theory, data mining and forecasting, have been proposed. Several studies focused only on detecting the traffic anomaly, not on recognizing the type of anomaly that was detected (flashcrowd, type of botnet, type of DDoS) or on the prevention action. In this paper we categorize anomaly traffic detection systems by process and by capability focus. The process of an anomaly detection system includes traffic features, preprocessing, and the detection process. Capability focus is based on the main research problem each system solves: detecting only the anomaly, detecting the type of anomaly, and a prevention system that includes the process to overcome the attack. At the end of the paper we provide an overview of research directions and opportunities for future research.

Keywords—DDoS, anomaly detection, flashcrowd, intrusion, botnet, prevention

I. INTRODUCTION

Quality of Service (QoS) is an important factor in computer networks. Several QoS architectures have been developed in the networking scope to guarantee QoS requirements. A capability that could not be successfully accomplished in QoS architectures is dealing with flooding traffic. Flood traffic can occur as a DDoS flooding attack or as a normal flashcrowd. A flashcrowd is legal flooding traffic that tries to reach the service; it comes from an increasing number of legitimate users, each sending at a normal rate. DDoS, on the other hand, is illegal flooding traffic that tries to bring the server down by sending traffic at a high packet rate (possibly combined with a huge packet size) so that legitimate users cannot access the service. This is possible because the telecommunication resources used to serve user traffic are not unlimited.

This paper reviews many studies on traffic anomaly detection, especially of flooding attacks, and categorizes them by capability focus. Almost all anomaly detection survey papers classify research by method, as listed in Table I. [1] categorizes systems by the fundamental approach of the detection method, explaining almost all technical aspects that influence the detection system in several application areas. A modest survey in [2] categorizes systems into three technical domains: statistical methods, streaming algorithms, and unsupervised machine learning. A comprehensive survey in [3] categorizes research by methods/techniques, tools, and a broad view of many applications; it reviews almost all detection methods in past anomaly detection research.

However, none of the surveys mentioned above discusses the specific research problem addressed by each anomaly detection system. A specific problem is solved by specific methods and processes, and this leads to the system's capability focus.

The contributions of this paper are as follows:

• Categorize methods by system capability: anomaly detection, detection of the type of anomaly, differentiation of flashcrowd from DDoS, and prevention action to overcome the attack.

• Provide an overview of research directions with regard to the capability focus of anomaly traffic detection.

II. OVERVIEW

In an attempt to protect hosts and services from DoS and DDoS attacks, an IDS/IPS uses two methods: signature-based and anomaly-based traffic detection. Signature-based intrusion detection matches the packet signature against the attack signatures in a database (known signature attacks). This technique has the advantage of a low false positive rate when the database is constantly updated, but it has the weakness that it cannot detect attacks that do not yet exist in the database (unknown attacks). This weakness leaves the system very vulnerable to new types of attack or to modified attacks.

A flashcrowd is an increasing-traffic phenomenon in which the number of users accessing the server increases significantly during a specific event. The natural increase in the number of users occurs gradually, not as instantaneously and drastically as the dissemination of information about the event. From the QoS perspective, a flashcrowd should still be served by the server to maintain a good QoS level. The number of packets traversing the network links and nodes should still be sustained, and the availability of the server must remain high even though the number of packets is very large.

By contrast, a DDoS flooding attack is carried out to disrupt QoS in both network links and nodes. The attack target is either the link (bandwidth) or the node's computing resources (processes, memory, and buffers), so that the system crashes and cannot serve any user request. DDoS flooding attacks can be one or a combination of an exploited protocol (communication sequence), many connections, connections with huge message sizes, address spoofing, and reflection and amplification from open service servers. [4] describes a flashcrowd as a situation in which hundreds of thousands of users try to access computing resources at the same time, while a DDoS involves roughly a few thousand in [5].

978-1-4799-7447-4/14/$31.00 ©2014 IEEE

TABLE I. COMPARISON BETWEEN THE REFERENCE SURVEY PAPERS


                             [1]  [2]  [3]  ours
Methods
  Statistical                ✓    ✓    ✓    ✓
  Classification-based       ✓    ✓    ✓
  Knowledge-based            ✓    ✓
  Soft computing             ✓    ✓    ✓
  Clustering-based           ✓    ✓    ✓    ✓
  Hybrid                     ✓
  Nearest Neighbor Based     ✓
  Information Theoretic      ✓    ✓
  Forecasting                ✓
Tools
  Dataset                    ✓
  Metric                     ✓    ✓
Applications                 ✓
Process
  Data Input                 ✓    ✓    ✓
  Preprocessing              ✓
  Methods                    ✓    ✓    ✓    ✓
  Testing                    ✓
Capability focus             ✓

III. PROCESSING FLOW

A. Preprocessing

In the majority of the surveyed papers, the preprocessing of traffic takes a different form in each study, such as:

• a global feature space in [6] [7] [8];

• a defined feature space such as the 5-tuple features [9], 4 traffic features [10] [11], a packet volume sketch [12] [13], Xflow hash bins [14], sender window and buffer size [15], and packet volume and size [16];

• traffic flows, such as flows with the same destination [17] and IF flows from input-output interfaces [18] [19];

• transactions, such as a set of communication protocol messages with certain packets and ports [20], or the three-way handshake, which includes 3 packets in bidirectional communication [15].

The preprocessing step extracts features from the traffic and performs feature selection. In DDoS analysis, several datasets are commonly used as traffic data, such as KDD Cup 99 [21] and CAIDA 2007 [22]. KDD Cup 99 is a selected set of features extracted from real normal and attack traffic that can be used directly as the feature set in anomaly detection. CAIDA 2007 is a raw dataset of real attack traffic that has to be processed in the preprocessing step before entering the detection step. Besides the common datasets, many studies also use their own data, generating simulated attack traffic as injected and synthetic attacks. There is also a binary web log flashcrowd dataset in [23].

B. Detection method

All of the surveyed studies use threshold-based detection: an anomaly is identified when a change in the pattern of the observed traffic exceeds a predetermined threshold. The standard parameters for testing a traffic anomaly detection system are the detection rate and the false positive rate. The detection rate measures the accuracy of the detection system as the number of detected attacks compared to the number of attacks actually generated, and the false positive rate measures the accuracy of the detected attacks.

To increase the detection rate and reduce the false positive rate, a range of anomaly detection methods has been developed, from simple packet-volume methods at the network layer to Deep Packet Inspection (DPI) of the application payload. All of these methods look for the patterns of normal traffic and for ways to distinguish/detect the different patterns of different attacks. Much of the research is based on a prior belief about the attack: (1) it deviates significantly from, or does not obey, the legitimate traffic profile [6] [24]; (2) it changes or deviates disproportionately/heavily in the distributional aspect of the chosen features [11] [12] [13] [14]; (3) it has a different correlation among features [10]; (4) it has certain dominant activities at the target [25] [26] [10]; (5) attacks from the same botnet come with the same standard deviation [17]. The detection methods are reviewed together with the capability focus review.

IV. CAPABILITY FOCUS

Based on our references, the taxonomy of capability focus in anomaly traffic detection research can be formed as in Fig. 1.

[Fig. 1: taxonomy diagram. Root: anomaly traffic-based detection. Branches: detection only (anomaly traffic only); types of anomaly (flashcrowd and DoS; types of attack; types of DoS; types of botnet; in a specific service or network); prevention action (rate filtering/control; traceback/pushback with no path identification or with path identification).]

Fig. 1. Anomaly traffic detection capability focus.

A. Anomaly Detection

Broadly speaking, every anomaly detection study tries to detect changes from the normal patterns. Most of these studies focus only on detecting abnormal traffic patterns, without finding out what is really going on; in other words, they provide only an intrusion detection function. Here we categorize anomaly detection by method.
1) Statistical pattern

The statistical mean, median and mode of a dataset are calculated, so that an anomaly is detected when the observation exceeds the normal threshold. Examples are the detection patterns in [16] [11] [27] [15] [19], where the normal pattern is characterized by the mean value (μ) and standard deviation (σ) of the number of observed features passing through the detection system for every sample. Threshold-based detection is commonly used: an anomaly is detected when the observed value passes out of the normal range.

A further statistical analysis, in the form of covariance and correlation analysis, has been conducted in [28] [29] [6] [30]. In [30] [6], the traffic features in the feature space are characterized as a Triangle Area Map (TAM) and used to detect anomalies in a sample-by-sample approach. The normal pattern is characterized by the mean and variance of the TAM's Mahalanobis Distance (MD), the covariance matrices, and the average TAM. [29] uses almost the same approach but takes the distribution of ASCII characters contained in the message payload as features. This research contributes the integration of geometrical structures with payload-based anomaly detection, which had not existed before, but it requires DPI processing capability and a high processing time because the data is flow- and payload-based. The approach used in those studies was proven better than [28], which uses only covariance matrices derived from group-samples of traffic data.

In [7] [31], the use of PCA for feature extraction from the covariance matrices results in a reduced dimension of the observed data, making it easier to connect with the data features in the detection system. Another version of PCA, called robust PCA in [32], is used to obtain statistical results that are more robust to outliers. This obviously increases the precision of the detection result, since the observed data is not affected by the outliers that frequently arise and affect the statistical mean of the data.

2) Forecasting

Forecasting techniques, which are also based on statistical analysis, are widely used in detection methods. Time series data can be used to predict the next value that will appear in the next state. These methods include Least Mean Square [13], Exponentially Weighted Moving Average [12], linear regression [8], non-seasonal Holt-Winters [12], and Holt-Winters [10] [33]. The research in [12] and [13] follows the principle of dividing one time series into several time series, predicting the next value that will appear, and comparing the predicted value with the real value, which is detected as an anomaly when the difference exceeds the adaptive threshold. This research uses a sketch of predetermined dimension to increase sensitivity, which strongly influences the detection rate and the adaptive threshold. Research [33] has some similarities with [26]: the study in [33] adds the forecasting process on the same data as [26], with a detection method using entropy techniques.

A topic that may be analyzed and investigated further is the use of an adaptive threshold, which is prone to gradually increasing and continuous flooding attacks. In [10], where Holt-Winters forecasting is used to find the normal traffic baseline, the detection rate was very poor when given a continuous attack intensity. This may be due to the inability to choose non-anomalous data as the baseline of the adaptive Holt-Winters, or because prevention is not carried out immediately after the attack is detected.

3) Information theory

The principle of information theory is to find the important data, using techniques such as the relative uncertainty distribution [26], dominant state analysis [26], Chi-square [13], Hellinger distance [11], Mahalanobis distance [29] [6], Kullback-Leibler divergence distance [33], entropy [14] [25] [33], multiscale entropy [18], and mutual information [32]. The most widely used technique is entropy, which can be understood as the degree of dispersal of the features. An interesting traffic anomaly detection study is the use of multiscale entropy [18], where single-scale entropy is not suitable for the complex behavior of traffic in each time series. [26] analyzes real-time traffic patterns on a high-speed communication link continuously, using the relative uncertainty distribution to classify traffic behavior automatically and to look for the dominant features. [11] uses a combination of information theory and statistical methods to define traffic patterns: the distance between the average numbers of 4 defined features of the observed traffic is compared to the normal historical traffic. The Hellinger distance is used to calculate the distance of the traffic features, while statistics calculate the mean and variance of the computed Hellinger distance.

4) Soft computing

In the pattern recognition domain there are two recognized methods, supervised-learning classification and unsupervised-learning clustering, whose processing sometimes involves soft computing/computational intelligence. Techniques used in soft computing include artificial intelligence, neural networks, artificial neural networks, fuzzy logic, immune systems, FCM, fuzzy [7] [14], the Gaussian Mixture Model [7] [20] [11] [34], and the likelihood ratio [20] [16].

The Gaussian Mixture Model (GMM) is one popular model to represent data. [20] uses the mixture density of the feature vector of each transaction, using a GMM and calculating the likelihood value of the feature vectors. The traffic data is used to build the characteristics of the GMM models, represented in the mixing coefficients, the means and the covariance matrices, which are then used as the normal pattern for the detection function. A GMM is also used in [34] to represent a mixture of multiple traffic generators (kernels) with different behavior, while [14] uses clustering on the Distinct Feature Number (DFN) and integer-valued traffic features. The prior belief is that normal traffic is stable and consistent with a Gaussian distribution over a short period, so the anomaly can be seen as a deviation from the distribution.
5) Signal processing

In some of the literature, signal processing is categorized as a statistical method that is mostly carried out in a preprocessing stage. Anomaly detection is performed as the identification of noise in the signal by means of noise reduction, using the signal-to-noise ratio as the detector. This can be seen in [9], which uses the signal-to-noise ratio in the time series classification of the previous 22 counters. The wavelet transform has also been applied to detect anomalies, with the noise portrayed as the traffic anomaly. Signal processing with image-based detection was also applied in [35], where the anomaly is depicted in the form of a two-dimensional image at three levels. That study uses line detection and the degree of concentration to detect flooding attacks in the network. Unfortunately, such a system can only distinguish three types of attack and can only be implemented on an IPv4 class B network.

B. Type of Anomaly

Further traffic anomaly detection research tries to answer what type of traffic anomaly has occurred. The type of anomaly is associated with the type of attack (DDoS, probe, U2R, L2R, etc.), flashcrowd, the type of botnet (TFN2K, shaft, mstream, sasser, etc.), and the type of DDoS (SYN flood, ICMP flood, Xmas SYN flood, etc.). Theoretically, the ability to detect the type of anomaly is a step beyond the detection method, as the type can be passed on to a different prevention action.

1) Types of Attack

The main capability focus in [28] [30] was the detection of several types of flooding attack, using a covariance matrix feature space through multistage detection. The main contribution is the proof of greater detection accuracy in the group-sample approach than in the sample-by-sample approach. The main concern with the group-sample approach, however, is that the entire contents of the group-sample are dropped when it is identified as anomalous, which is clearly very adverse for the legitimate users in that group-sample. The detection accuracy obtained depends strongly on the number of different features used to detect the types of DDoS.

2) Flashcrowd and DDoS

The capability focus of [17] was to distinguish between a legitimate flashcrowd and a flooding attack, as both are seen as anomalous events. The research calculates the flow correlation of packet-volume data between two different flows (flows with the same destination). Almost the same approach is used in [36], which uses Pearson's correlation between the arrival rate and itself, and between the arrival rate and time; [37] uses total variation and the Bhattacharyya coefficient; and [38] uses entropy to detect traffic anomalies and the Sibson distance to measure the similarity of flows in a Local Area Network (LAN). Almost all similarity-based systems will clearly distinguish flashcrowd from DDoS traffic provided that each DDoS flow is in a steady state with constant high-rate traffic, and the accuracy decreases as the DDoS noise increases (the amount of normal traffic still present in the DDoS flow).

3) Types of Botnet

The anomaly in botnet communication that leads to the determination of the botnet type has been studied in [39] [40] [41] [42] [43]. The prior of such research is that the bots and the command and control (cnc) handler in a botnet always communicate intensively for status updates and cnc, and therefore produce similarity among the flows in the botnet. [39] uses cross-epoch correlation in flow correlation to determine the similarity of flows toward the target; adaptive sampling based on the similarity group is performed to monitor the activity of the hosts associated with the botnet cnc server. Besides cross-correlation, similarity can also be measured by the Kulczynski, cosine, Jaccard and Tanimoto similarities, as in [43], to measure the similarity among DNS-based payloads. The high detection rate in [40] [41] comes from the BotDel clustering algorithm, based on the number of instances in k clusters, which clusters the 256-dimensional n-gram payload byte distribution. Payload signatures are also used in [42] to discover payload group similarity by calculating the Normalized Compression Distance (NCD), and group correlation is discovered by calculating the cross-correlation coefficient between sequences of flows. [44] uses a Hidden Markov Model to model cnc traffic from Zeus botnets: a Zeus botnet communicates periodically with its cnc handler, which can be modeled by an HMM to obtain the cnc communication patterns. This model was developed from the model in [45] by considering several parameters to minimize the HMM entropy.

C. Prevention Actions

Prevention is the action chosen to overcome the attack, and it is very important for avoiding damage. The main concern is to drop the attack packets while maintaining the QoS level for legitimate users. A prevention system is usually built in collaboration with other fields, including routing methods, packet scheduling, queuing systems, classification, and others. The issue raised is the inability of the detection and prevention systems to choose which packets come from the attacker, so a disproportionate action can lead to collateral damage.

Much research still proposes unfit actions, such as dropping every packet in a group-sample without choosing which packets are from legitimate users [28], which leads to a QoS drop for legitimate users. The approach in [46] drops packets gradually (10% at a time) from the aggregate traffic. If the traffic rate decreases after the drop, it is believed to be normal/flashcrowd traffic, but if it remains or increases it is believed to be attack traffic, and the percentage of dropped packets continues to be increased.
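The flow-correlation discrimination of [17] and the effect of DDoS noise on it, as an added example that is not code from the paper or from [17]: Pearson's correlation coefficient between two constructed flows toward the same destination, for a bot-driven flood at three noise levels and for a flashcrowd of independent users. The bot program, the user model and the 0.7 decision threshold are assumptions.

```python
"""Flow correlation coefficient for telling a DDoS flood from a flashcrowd,
with the effect of 'DDoS noise' (normal traffic still present in the flow).

Added example, not code from the paper or from [17]. Assumptions: bots run the
same attack program, so the per-interval packet counts of two attack flows
toward the target rise and fall together, while flashcrowd users act
independently; the 0.7 decision threshold and all traffic numbers are
constructed here."""
import math
import random

BOT_PROGRAM = (400, 1600, 700, 1300, 1000)   # packets per interval, repeated by every bot


def pearson(xs, ys):
    """Flow correlation coefficient of two equally long packet-count series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def background(rng, mean, n):
    """Legitimate traffic mixed into a flow: about `mean` packets per interval,
    independent from interval to interval (mean 0 -> no background)."""
    return [max(0.0, rng.gauss(mean, 0.4 * mean)) for _ in range(n)]


def ddos_flows(rng, n, noise_ratio, scale2=1.5):
    """Two flows toward the same destination. Each is the bot program (flow 2
    has 1.5x as many bots) plus independent background traffic worth
    `noise_ratio` times the attack volume: the DDoS noise of [17]."""
    prog = [BOT_PROGRAM[t % len(BOT_PROGRAM)] for t in range(n)]
    b1 = background(rng, 1000 * noise_ratio, n)
    b2 = background(rng, 1000 * noise_ratio * scale2, n)
    f1 = [p + b for p, b in zip(prog, b1)]
    f2 = [scale2 * p + b for p, b in zip(prog, b2)]
    return f1, f2


def flashcrowd_flows(rng, n, users=200):
    """Two flows of independent users, each sending 0-3 requests per interval;
    the flows share no timing pattern."""
    f1 = [sum(rng.randint(0, 3) for _ in range(users)) for _ in range(n)]
    f2 = [sum(rng.randint(0, 3) for _ in range(users)) for _ in range(n)]
    return f1, f2


def classify(r, threshold=0.7):
    """Decision rule on the flow correlation coefficient (threshold assumed)."""
    return "ddos" if r >= threshold else "flashcrowd"


def run(n=120, seed=11):
    """Correlation of the DDoS flow pair at three noise levels and of a
    flashcrowd flow pair, over n sampling intervals."""
    rng = random.Random(seed)
    ddos = {ratio: pearson(*ddos_flows(rng, n, ratio)) for ratio in (0.0, 0.5, 2.0)}
    flash = pearson(*flashcrowd_flows(rng, n))
    return {"ddos": ddos, "flashcrowd": flash}


if __name__ == "__main__":
    result = run()
    for ratio, r in result["ddos"].items():
        print(f"DDoS noise ratio {ratio}: r={r:.2f} -> {classify(r)}")
    print(f"flashcrowd: r={result['flashcrowd']:.2f} -> {classify(result['flashcrowd'])}")
```

As the noise ratio grows, the correlation of the attack flows falls until the rule misclassifies the flood as a flashcrowd, which is the accuracy loss described above.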
Another prevention concern is stopping the flooding traffic at its source, so determining the source (traceback) is very important. Traceback can be done with or without adding path identification to the packet header. [19] uses multistage cooperative monitoring with distributed change-point detection (DCD) of traffic. The research is based on statistical traffic data used to calculate the deviation ratio of the traffic volume on each router interface. An alarm is sent to a specific server (the CAT server) via a secure protocol to build an alarm subtree of the lines experiencing anomalies, from which the attack sources are then detected. IP source history is used in [47] to filter incoming traffic by allowing only the source IPs that exist in the history database. [48] also filters based on IP history and performs traceback using probabilistic packet marking to identify the attack flow from the router interface. Extended traceback and filtering with cumulative Poisson forwarding probability in [49] tries to improve the memory usage of probabilistic packet marking by using hop-by-hop probabilistic route selection to identify the attack source even under IP spoofing. This scheme uses a modified IP header to communicate alerts between agents.

The collaboration system with path identification in [50] (using CoDef to protect the network as the attack target), which takes almost the same approach as [51] (using Active Internet Traffic Filtering to protect the server as the attack target), proposes collaborative rerouting/detouring and rate control. Collaborative rerouting is proposed to detect the attack source autonomous system (AS): the attack target sends a reroute request and a compliance reroute test to the suspect AS. Collaborative rate control is done by sending a rate control request to all ASes connected to the target. Another rate control mechanism in [52] uses a throttling approach that forces the routers to reduce the rate of traffic to the server. All collaboration systems start when the target's performance begins to exceed the normal-value threshold.

V. CONCLUSION AND RESEARCH OPPORTUNITIES

Several studies have been discussed in this paper with respect to the processing flow of the detection system, the methods, and the capability focus of the system. This survey shows how important the selection of the features used as traffic detection input is to the capability of the system. Statistical methods have the largest share in anomaly detection, as they are the underlying methods used by the others.

The current research trend, in addition to only detecting traffic anomalies, is to distinguish the types of anomaly. Much of the research done so far is based on assumptions about the current scale and capabilities of certain botnets, so further study of future botnet capabilities and the varied attacks that may come in the future is needed. Determining the right threshold value, whether static or adaptive, is very important, as it determines the resulting performance in detection rate and false positive rate. An adaptive threshold based on traffic behaviour remains an important topic, because the advantage of anomaly traffic detection is its ability to detect new, unknown attacks under evolving, non-stationary traffic conditions. The windowing mechanism may also play an important role in anomaly detection, as the traffic has to be analyzed as a stream and online.

The next step is the ability to take prevention action after detecting an attack. This is very important because not all features used in traffic anomaly detection can be used for a proportional prevention action. The selection of a prevention action after anomaly detection has also become a very interesting topic: prevention must maintain high QoS and availability for legitimate users while dropping only the attack traffic.

REFERENCES

[1] Varun Chandola, Arindam Banerjee, Vipin Kumar. Anomaly Detection: A Survey. ACM Computing Surveys, Vol. 41, No. 3, Article 15 (2009), 15:1-15:58.

[2] Marina Thottan, Guanglei Liu, Chuanyi Ji. Anomaly Detection Approaches for Communication Networks. In Graham Cormode and Marina Thottan, eds., Algorithms for Next Generation Networks. Springer-Verlag London, 2010.

[3] Monowar H. Bhuya, D. K. Bhattacharyya, J. K. Kalita. Network Anomaly Detection: Methods, Systems, and Tools. IEEE Communications Surveys & Tutorials, Vol. 16, Issue 1 (2013).

[4] WorldCup98, http://ita.ee.lbl.gov/html/contrib/WorldCup.html, 2011.

[5] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging. In First Workshop on Hot Topics in Understanding Botnets (HotBots '07) (2007).

[6] Zhiyua Tan, Aruna Jamdagni, Xiangjian He, Priyadarsi Nanda, Ren Ping Liu. Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection. In IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (2012).

[7] Duo Liu, Chung-Horng Lung, Ioannis Lambaradis, Nabil Seddigh. Network Traffic Anomaly Detection Using Clustering Techniques and Performance Comparison. In IEEE Canadian Conference on Electrical and Computer Engineering (2013), IEEE Computer Society.

[8] Zhang Yong-ping, Qi Zhi-wei, Liu Jia. A Prediction Model for Network Traffic Anomaly Detection. In IET International Communication Conference on Wireless Mobile and Computing (CCWMC 2009) (2009).

[9] Florin Vancea, Codruta Vancea. NEAR – Network Extractor of Anomaly Records or Traffic Split-Counting for Anomaly Detection. In EuroCon (Zagreb 2013), IEEE Computer Society.

[10] Huy Anh Nguyen, Tam Van Nguyen, Dong Il Kim, Deokjai Choi. Network Traffic Anomalies Detection and Identification with Flow Monitoring. In 5th IFIP International Conference on Wireless and Optical Communications Networks (WOCN '08) (2008).

[11] Hemant Sengar, Xinyuan Wang, Haining Wang, Dumina Wijesekera, Sushil Jajodia. Online Detection of Network Traffic Anomalies Using Behavioral Distance. In International Workshop on Quality of Service (2009).

[12] Christian Callegari, Stegano Giordano, Michele Pagano, Teresa Pepe. Forecasting the Distribution of Network Traffic for Anomaly Detection. In International Joint Conference of IEEE TrustCom-11/IEEE-11/FCST-11 (2011).

[13] Osman Salem, Ali Makke, Jean Tajer, Ahmed Mehaoua. Flooding Attacks Detection in Traffic Backbone Network. In 35th Annual IEEE Conference on Local Computer Networks (2011).

[14] Bin Zhang, Jiahai Yang, Jianping Wu, Donghong Qin, Lei Gao. MCST: Anomaly Detection Using Feature Stability for Packet-Level Traffic. In Asia Pacific Network Operations and Management Symposium (APNOMS) (2011), IEEE Computer Society.

[15] Sandy Rahme, Yann Labit, Frederic Gouaisbaut. Sliding Mode Observer for Anomaly Detection in TCP/AQM Network. In International Conference on Communication Theory, Reliability and Quality of Service (Colmar 2009), IEEE Conference Publications, 113-118.

[16] Gautam Thatte, Urbashi Mitra, John Heidemann. Parametric Methods for Anomaly Detection in Aggregate Traffic. IEEE/ACM Transactions on Networking, 19, 2 (April 2011), 512-525.

[17] Shui Yu, Wanlei Zhou, Weijia Jia, Song Guo, Yong Xiang, Feilong Tang. Discriminating DDoS Attack from Flashcrowds Using Flow Correlation Coefficient. IEEE Transactions on Parallel and Distributed Systems, Vol. 23, No. 6 (June 2012), 1073-1080.

[18] Yan Ruo-Yu, Zheng Qing-Hua. Multiscale Entropy Based Traffic Analysis and Anomaly Detection. In Eighth International Conference on Intelligent Systems Design and Applications (ISDA '08) (2008), 151-157.

[19] Yu Chen, Kai Hwang, Wei-Shin Ku. Collaborative Detection of DDoS Attacks Over Multiple Network Domains. IEEE Transactions on Parallel and Distributed Systems, 18, 12 (2007), 1649-1662.

[20] Vadiraj Panchamukhi, Hema A Murthy. Port-based Traffic Verification as a Paradigm for Anomaly Detection. In National Conference on Communications (NCC) (2012).

[21] KDD Cup 1999, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html. Last modified: October 28, 1999.

[22] The CAIDA UCSD "DDoS Attack 2007" Dataset, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.

[23] M. Arlitt and T. Jin. 1998 World Cup Web Site Access Logs. August 1998.

[24] Federico Simmross-Wattenberg, Juan Ignacio Asensio-Perez, Pablo Casaseca-de-la-Higuera, Marcos Martin-Fernandez, Ioannis A Dimitridis, Carlos Alberola-Lopez. Anomaly Detection in Network Traffic Based on Statistical Inference and α-Stable Modeling. IEEE Transactions on Dependable and Secure Computing, Vol. 8, No. 4 (2011).

[25] Long Zhang, Jinsong Wang, Sheng Lin. Design of the Network Traffic Anomaly Detection System in Cloud Computing Environment. In International Symposium on Information Science and Engineering (2012).

[26] Kuai Xu, Feng Wang, Supratik Bhattacharyya, Zhi-Li Zhang. A Realtime Network Traffic Profiling System. In 37th Annual IEEE International Conference on Dependable Systems and Networks (2007), IEEE Computer Society, 595-605.

[27] N. Muraleedharan. Analysis of TCP Flow Data for Traffic Anomaly and Scan Detection. (2008).

[28] Shuyuan Jin, Daniel So Yeung, Xizhao Wang. Network Intrusion Detection in Covariance Feature Space. Journal of the Pattern Recognition Society 40, Elsevier (2007).

[29] Aruna Jamdagni, Zhiyuan Tan, Priyadarsi Nanda, Xiangjian He, Ren Liu. Intrusion Detection Using Geometrical Structure. In International Conference on Frontier of Computer Science and Technology (2009), IEEE Computer Society.

[30] Zhiyua Tan, Aruna Jamdagni, Xiangjian He, Priyadarsi Nanda, Ren Ping Liu. A System for Denial of Service Attack Detection Based on Multivariate Correlation Analysis. IEEE Transactions on Parallel and Distributed Systems (2013).

[31] Mahbod Tavallaee, Wei Lu, Shah Arif Iqbal, Ali A Ghorbani. A Novel Covariance Matrix Based Approach for Detecting Network Anomalies. In Communication Networks and Services Research Conference (2008).

[32] Claudia Pascoal, M. Rosario de Oliveira, Rui Valadas, Peter Filzmoser, Paulo Salvador, Antonio Pacheco. Robust Feature Selection and Robust PCA for Internet Traffic Anomaly Detection. In IEEE INFOCOM (2012), IEEE, 1755-1763.

[33] Shuying Chang, Xuesong Qiu, hipeng Gao, Feng Qi, Ke Liu. A Flow-Based Anomaly Detection Method Using Entropy and Multiple Traffic Features. In Proceedings of IC-BNMT (2010), IEEE Conference Publications, 223-227.

[34] Shuang Hao, Hua Song, Wenbao Jiang, Yiqi Dai. A Queue Model to Detect DDoS Attack. In Proceedings of the 2005 International Symposium on Collaborative Technologies and Systems (2005), 106-112.

[35] Chi Yoon Jeong, Beom-Hwan Chang, Jung-Chan Na. A Hierarchical Approach to Traffic Anomaly Detection Using Image Processing Technique. In Sixth International Conference on Networked Computing and Advanced Information Management (NCM) (Seoul 2010).

[36] Therasak Thapngam, Shui Yu, Wanlei Zhou, Gleb Beliakov. Discriminating DDoS Attack Traffic from Flash Crowd through Packet Arrival Patterns. In International Workshop on Security in Computer, Networking and Communications (2011), 969-974.

[37] Ke Li, Wanlei Zhou, Ping Li, Jing Hai, Jianwen Liu. Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics. In International Conference on Network and System Security (2009), 9-17.

[38] Yuan Tao, Shui Yu. DDoS Attack Detection at Local Area Networks Using Information Theoretical Metrics. In International Conference on Trust, Security and Privacy in Computing and Communications (2013), IEEE Computer Society, 233-240.

[39] Junji Zhang, Xiapu Luo, Roberto Perdisci, Guofei Gu, Wenke Lee, Nick Feamster. Boosting the Scalability of Botnet Detection Using Adaptive Traffic Sampling. In ASIACCS (Hong Kong, China, March 22-24 2011), ACM, 124-134.

[40] Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi, Ali A. Ghorbani. BotCop: An Online Botnet Traffic Classifier. In Seventh Annual Communications Networks and Services Research Conference (2009), 70-77.

[41] Wei Lu, Mahbod Tavallaee, Ali A. Ghorbani. Automatic Discovery of Botnet Communities on Large-Scale Communication Networks. In ASIACCS (Sydney, Australia, 2009), 1-10.

[42] Tao Wang, Shun-Zheng Yu. Centralized Botnet Detection by Traffic Aggregation. In IEEE International Symposium on Parallel and Distributed Processing with Applications (2009), 86-93.

[43] Hyunsang Choi, Heejo Lee, Hyogon Kim. BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic. In COMSWARE (Dublin, Ireland, 2009).

[44] Chen Lu, Richard R. Brooks. Botnet Traffic Detection Using Hidden Markov Models. In CSIIRW, 12-14 October 2001 (Oak Ridge, Tennessee, USA 2011), ACM.

[45] J. M. Schwier, R. R. Brooks, C. Griffin, S. Bukkapatnam. Zero Knowledge Hidden Markov Model Inference. Pattern Recognition Letters (2009), 1273-1280.

[46] Zhixin Sun, Jin Gong. Anomaly Traffic Detection Model Based on Dynamic Aggregation. In International Symposium on Electronic Commerce and Security (2010), IEEE Computer Society, 46-50.

[47] Markus Goldstein, Matthias Reif, Armin Stahl, Thomas Breuel. Server-side Prediction of Source IP Address Using Density Estimation. In ARES '09, International Conference on Availability, Reliability and Security (Fukuoka, Japan, 16-19 March 2009), 82-8.

[48] Tadashi Kiuchi, Yoshiaki Hori, Kouchi Sakurai. A Design of History Based Traffic Filtering with Probabilistic Packet Marking Against DoS Attacks. In 10th Annual International Symposium on Application and the Internet (2010), 261-264.

[49] Honbin Yim, Taewon Kim, Jaeil Jung. Probabilistic Route Selection Algorithm to Trace DDoS Attack Traffic Source. In IEEE International Conference on Information Science and Applications (ICISA) (Jeju Island, South Korea, 26-29 April 2011), 1-8.

[50] Soo Bum Lee, Min Suk Kang, Virgil D. Gligor. CoDef: Collaborative Defense Against Large-Scale Link-Flooding Attacks. In CoNEXT (Santa Barbara, California, USA, December 9-12 2013), ACM, 417-427.

[51] Katerina Argyraki, David R. Cheriton. Scalable Network-Layer Defense Against Internet Bandwidth-Flooding Attacks. IEEE/ACM Transactions on Networking, Vol. 17, No. 4 (August 2009), 1284-1297.

[52] David K. Y. Yau, John C. S. Lui, Feng Liang, Yeung Yam. Defending Against Distributed Denial of Service Attacks with Max-Min Fair Server-Centric Router Throttles. IEEE/ACM Transactions on Networking, Vol. 13, No. 1 (February 2005), 29-42.
