AN EFFECTIVE DEFENSE CUM PREVENTION OF DDoS ATTACKS

IN ACTIVE NETWORKS USING ATTRIBUTE TREES

P.Jayashree1 , Dr.K.S.Easwarakumar2
1
Department of Information Technology, Anna University, MIT, Chennai,India
2
Department of Computer Science and Engineering, Anna University, CEG, Chennai,India
pjshree@annauniv.edu

ABSTRACT
With the development and deployment of increasing internet services due to
emerging technologies to meet the ever growing demands of the web users, the
necessity to make these services available in also equally demanding. But web has
become a necessary iniquity due to cyber attacks that are springing in abundance
everyday. One of the most threatening attacks is the denial of service attacks
originated from a single or multiple sources to make the legitimate users starve
from the requested services. Many solutions have been proposed in the literature to
defend against such attacks with each one having its own strength and weakness.
In this paper an optimal datamining based defense cum protection mechanism, that
identifies and uses the candidate packet attributes which can demark the attack
packets from legitimate traffic more accurately, is devised as a complement to
existing solutions and tested for its detection efficiency using ANTS, an active
network test bed.

Keywords: network security,denial of service attack, data mining, acive network .

1 INTRODUCTION framework where network elements are

With the advent of internet technology, the
number and variety of services on the web are
tremendously increasing. Free and open accessibility
of these resources also give room for security
attacks, imposing the need for adopting security
measures for the network. One of the serious security
threats from users’ view point is the denial of service
(DoS) attacks. The damaging effect of such attacks
can further be intensified through a set of attack
sources distributed over a network domain leading to
distributed denial of service attacks(DDoS).These
attacks are employed from a set of compromised
hosts for consuming computational and
communication resources rapidly [1].
Addressing denial of service problem is
important as there has been an increase in network
attacks in recent times [2].Many solutions have been
proposed in the literature for defending against such
attacks, each one having its own strength and
weakness. As the DDoS attacks primarily aim at
flooding the network, depleting the bandwidth and
other resources rapidly, the same characteristics is
made use of in devising the attack detection solution.
In this paper a data mining based defense cum
prevention mechanism is proposed based on
analyzing the features of the network data packet
using efficient data structures and employing present
and traffic history details for the classification of
legitimate and attack traffic.
The solution is addressed for active network, a
programmable. This differs from traditional network
in that all the network components are active in
nature [3],[4].Like end hosts, the routers are capable
of performing any customized computation on the
packets flowing through them as specified by user or
application.
Commonly two approaches exist to bring
activity to network nodes namely discrete approach
and integrated approach. The discrete approach or
programmable node approach allows programs to be
injected into the active programmable nodes out of
band (i.e) separately from the data packets. The data
packets carry information for the active nodes to
handle them. In integrated approach or encapsulation
approach the code to be executed is integrated into
every packet of data called as capsule. When the data
arrives at the active node, it interprets the code and
processes the data depending on code interpretation.
Each active node has a built in mechanism to load
the code, an execution environment to execute the
code and a relatively permanent storage where the
capsules would retrieve or store information.
Though active network increases the flexibility
and ease of deploying network applications, it also
poses severe security threats. The presence of
distrusted code that is executed on the network
components may be malicious in nature to damage
the routers. Hence dealing with security is an
important issue for these type of networks.

Ubiquitous Computing and Communication Journal 1

1.1 Contributions
The proposed mechanism claims the following
contributions as a part of the effective solution to
DDoS attacks.
 A defense cum prevention solution is
deployed at the source end perimeter
routers and hence the network resources
are saved from flooding attacks.
 Effective mechanism is devised to
select packet attributes that act as
candidates for classifying attack packets
from legitimate traffic.
 The attributes are assigned varying
weights evaluated based on their degree
of contribution to detect attacks.
 The efficiency of attack detection for
further prevention depends on the use
of efficient and optimal data structures
and information exchange between
perimeter routers.
1.2 Paper Organization
The remainder of the paper is organized as
follows. Section 2 provides the preliminaries on
denial of service attack and the related works in the
literature. The proposed mechanism is discussed in
section 3 and the design and implementation details
are provided in section 4 and 5. Results of the
simulation and analysis are reported in Section 6 and
conclusions are drawn in section 7.
2 PRELIMINARIES
Denial of service was the top source of financial
loss due to cyber crime. The DoS attack on DNS
server last year lasted only an hour. Since DNS
information is heavily cached and had the attack
lasted longer, the Internet could have experienced
severe disruption. DDoS affects not only the target of
the attack but legitimate users of the target's services
are affected too. Observations and experiences
tracking denial of service attacks over a period of
time in the history serves as a base for better
understanding to build novel solutions for the same.
In this section a framework for classifying
defense strategies for denial of service attacks is
presented. Though many solutions are coming up, a
sample of the most popular solutions employing
variety of defense methods are overviewed here.
2.1 Related Works
Identifying IP address spoofing is an important
task in any attack detection and ingress filters and
egress filters and hop count filtering methods are
proposed in literature [5],[6],[7]. Various methods
employ some form of packet marking to identify or
trace down the attacks. Pushback mechanism
[8],Trace back methods [9],[10],[11] and (Pi) path
identification [12] are few of such methods. Few
Ubiquitous Computing and Communication Journal
solutions employ rate limiters to control and regulate
the traffic flow for attack mitigation as in [13][14].
In [15], various congestion control techniques like
RED, CHOKE and pushback are used for mitigating
attacks. Most of the solutions basically adopt some
analytical models or algebraic approach for the
solution as discussed in [16],[17],[18],[19].
The DWARD defense system is deployed at
source end and autonomously detect attacks at the
origin. [20].Secure Overlay Services (SOS) [21]
hides victims locations to safeguard against attacks.
DefCOM (Defensive overlay Cooperative Mesh)
[22] proposes a distributed, cooperative network of
routers that respond effectively to DDoS attacks
while making some guarantees of continued service
for legitimate clients. COSSACK [23] similarly
forms a multicast group of defense nodes that are
deployed at source and victim networks and
cooperate in filtering the attack and [24] defines a
defense solution for active networks.
2.2 Data Mining Solutions
Data mining is a powerful technology that
enables retrieving relevant data from a huge volume
in data ware houses. There exists many data mining
tools that can predict future trends and behaviors,
facilitating proactive, knowledge driven decisions in
many domains. This potential and automated
analysis offered by data mining along with past event
analysis provides a retrospective basis for decision
support systems. Extracting relevant information
from a huge data base in comparable time is a
promising alternative for earlier expert systems.
The main objective of going for mining the data
in data stores is to identify and extract some hidden
or indirectly documented information which may go
unnoticed otherwise and which may be necessary for
generating good predictive information in expert
systems and other decision making systems. The data
mining techniques that are commonly adopted are
using neural network, Decision trees, Near neighbor
method, support vector machines and association
rule induction[25]. Listed below is the collection of
few recent works in attack detection using data
mining techniques.
Many data mining based approaches are
discussed in the literature addressing the solution
using statistical, classification approaches and other
signal processing and pattern recognition techniques.
[25],[26] discussed a IDS model using historical data
analysis. Neural network based model is proposed in
[27] and genetic algorithm is used to model detection
system as in [28]. Different data mining techniques
are discussed and analyzed in [29] and [30] has
presented various intrusion detection approaches as
summarized above.
Few commercial and many experimental
products like EMERALD, ISOA(information
security office assistant), DIDS(Distributed IDS),
2
Kane secure, SNORT are also available. Each of
these proposals has its own merit and provides
techniques that can help address the DoS problem in
different angles. No method has suggested a
complete solution to the attack so far. But it is vital
to have a more complete attack solution for
comprehensive network security. In this paper
another data mining based defense strategy to
complement the list of existing techniques, with its
own strengths, is proposed.
3 PROPOSED STRATEGY
3.1 An Overview
The proposed detection cum prevention method
for DDoS attacks is based on statistical mining of the
analyzed traffic data characteristic and behavior to
extract and order the packet features that decide the
success of the detection system. The system is
designed for active network domain and hence the
deployment of the defense solution supports a
preventive mechanism for further attacks. Active
networks allows all the network elements and hence
the routers to be programmable which makes the
deployment in the routers at ease.
The DDoS attacks though aim at pinning down
the hosts providing services to users on the network,
the attack traffic depletes the network resources also
at a faster rate to make the entire network stumble
for its normal request and response activities. Hence
it is wise to deploy the defense solution at the source
end so that attack traffic can be prevented from
entering the network once detected and thereafter the
attack packets get dropped at the network perimeter
itself. Identifying the source end routers ahead of the
attack severity is a basic requirement and the first
hop routers in the network are identified through a
simple packet marking scheme as discussed in our
previous work [31]. One of the common
characteristics of DDoS attacks is the use of IP
spoofing and ingress filter [5] is employed as the first
level of the solution phase to take care of IP spoofing.
The packet attributes are collected and mined as an
array of attribute trees to extract the required the
information for traffic classification. The proposed
scheme defines the methodology adopted by the
system for an attempt to develop an effective
detection strategy.
3.2 Data Mining Approach
The set of data mining tasks commonly used for
any data retrieval operation are summarizing the data
to pick up relevant and hidden data items, applying
some association rules to convert the data into
categorical set and applying some method of
classification to categorize the data for future
prediction. This approach naturally pay way for its
suitability in network intrusion detection applications.
Data mining technique, with its power to make
Ubiquitous Computing and Communication Journal
future predictions of likely events, using the
knowledge of existing data collection, is found to be
an competitive alternative to many attack detection
methods proposed. The attack traffic, modeled as an
array of trees, each of which stores and updates the
data for a promising attribute of the packets for
efficient attack detection, is mined dynamically. The
approach is similar to the random forest data
classifier method [32],[33]. The application of
random forest, a collection of unpruned regression
trees to detect intrusions is proposed in [34]wherein
the detection mechanism using random forest
classification is deployed at home router of victim to
mine the static data set. Moreover the application of
random forests, collection of yes/no decision trees,
was used to classify data sets corresponding to
misuse detection effectively. In the proposed defense
strategy, the trees are used as binary search trees
populated with attribute values to aid in effective
detection of attack traffic.
3.3 Defense Framework
The defense system is a two phase system with a
training phase and a detection phase. The boundary
between the two phases is not strictly demarked
though the detection phase follows training phase, as
the attribute trees learn to get their characteristic
features for the detection redefined periodically over
their life time. This section provides an overview of
the system architecture and conceptual outline of the
defense strategy adopted for attack detection, the
details of which are discussed in the next section.
Denial of service attack traffic is modeled as a
set of binary trees, each tree corresponds to an
attribute of the attack traffic packet. Denial of service
attacks are primarily characterized by flooding type
of traffic from a single or a set of sources towards a
particular destination host. The attack may be of
either constant rate or varying rate flow of packets.
The solution should be able to handle both types
effectively. Based on the characteristics of the attack
and from what is learnt from the previous works in
literature, the following attributes of the traffic are
expected to be more suitable for traffic classification
to detect DoS and DDoS attacks namely Destination
address and port, Source address, Frequency of
packets per flow, Frequency variations in traffic flow,
Length of the packets per flow, Type of protocol
used in per flow traffic. These six attributes can well
represent both the packet as well as the traffic
characteristics that can be used for discriminating
Dos attacks, when evaluated over different periods of
time.
The training phase is meant as a preprocessing
phase for the attack detection. The attributes
extracted from the packets of a training set of attack
samples is represented using a set of trees which are
populated with the data. The trees are attributed by a
weight factor that defines the priority of the
3
attribute’s contribution in detecting the attack.
During the detection phase the packets from the
Training Phase
attack traffic packets
Packet Elicitor
real traffic packets
Detection phase
Figure 1. System architecture
score point based on degree of relevance to attack
characteristics possessed by them. This information
is fed back to the set of attribute trees that are used
for classifying the traffic. This positive feed back
aids in fine tuning the classifier to more correctly
classify the traffic. The packets that score above a
predefined threshold value are stamped as attack
packets and get dropped at the router and thereby
prevented from entering the network. The detection
mechanism outlined here is depicted in the fig. 1.
4 SYSTEM DESIGN DETAILS
4.1 Attribute Tree construction
After identifying the necessary attributes of the
packet, called the deciding set (SA), which can more
clearly distinguish the legitimate packets from the
attack packets, as the conformity of each property
towards its legitimacy decision is not the same, the
packet elicitor extracts the deciding set of attributes
from the incoming packets. The deciding set is
selected such that when some attributes fail to detect
the packet correctly, the others in the set should be
able to do it. Hence they are not considered as
independent quantities; instead, they are highly
interrelated with each other such that each feature
completely cooperates with the rest in deciding the
legitimacy of the packets.
Each element (Ai) in the deciding set SA, is
represented by a binary search tree Ti . The tree Ti is
represented as a collection of nodes N1,N2 etc
Ubiquitous Computing and Communication Journal
actual network traffic are evaluated and assigned a
Attribute Tree
attributes
Populator
attribute trees
Tree Attributer
attack
attribute trees packets
Traffic Classifier
normal
packets
corresponding to the various values taken by the
attribute. Each node Nj has two fields to signify the
attribute value (Vj) and the frequency (Fj). The tree
is constructed dynamically as repeated insertion of
nodes as and when a packet with that attribute
arrives. The set of trees for the deciding set of
attributes used for attack detection is represented as
in Eq.(1).
SA  Ai , i is an integer
Ti  Nj , j is an integer (1)
Nj  Vj , Fj
During the training phase the trees are initially
populated with DoS attack packets of varying classes
and during the detection phase the trees are
dynamically updated with incoming real packet
attributes when analysed to be an attack packet.
The range and type of values taken by the
various attributes defined by S A, is not within a
defined boundary. In order to perform effective
searching of the trees it is proposed to convert the
actual values to an equivalent hash integer values .
The field Vj of the jth node of an attribute defines the
hash equivalent of the actual attribute value. Pearson
hashing [35] is simple and less likely to have
collisions. Given an input (C), consisting of any
number of bytes, it produces as output, a single byte
(h) that is strongly dependent on every byte of the
input. Its implementation requires only few
4
instructions, and a 256-byte lookup table (T)
containing a permutation of the values 0 through 255
as defined below.
h[0] = 0
for i in 1..n
index = h[i-1] xor C[i]
h[i] = T[index]
end loop
return h[n]
The field Fj of the node Nj defines the number of
the packets with the equivalent attribute value of Vj
i.e. the frequency of occurrence of Vj as two packets
that are perfectly similar get mapped only to a single
value according to the hash function. The tree is
subjected to updations only when a packet which has
been detected as an attack is used to update the tree.
In all other situations a mere look up is carried out to
search for the presence of a particular node.
Whenever a new attribute value needs to be inserted
in the tree, its frequency (F) is set to 1. For each
successive insertions of the same node value, its
frequency(F) is incremented. This is done whenever
the packet analyzed by the traffic classifier is
categorized as an attack and its hashed value of the
feature is the same as the value of that particular
node.
4.2 Prioritizing the Attributes
The various attributes selected for detecting DoS
attacks need not contribute the same in detection
process. Each attribute may have some
characteristics to identify the legitimacy or attack
relatively better for certain classes of attack than
others. Then there are chances that these features can
be used to classify the packets more easily and so
these attributes need to be given more credence
compared to others. Hence the trees representing the
packet attributes are attributed by a weight factor
symbolizing the priority of the attributes’ role in the
attack detection process.
The weight Wi associated with the attribute Ai
or tree Ti takes a value in the closed interval [0 1]
which is the ratio to which it can classify a packet
correctly. All the trees are assigned a weight value of
1 during the starting of the training period. After a
period of time allowing the trees to get stabilized
with training data set, the trees are updated with new
weight values as computed by the algorithm. The
weight values are updated periodically depending on
the rate of traffic flow during detection phase. The
weight values get modified based on the number of
tree misses. Whenever the value extracted from the
current packet for the attribute is not already a part of
the tree, as a node when hashed to the tree, it is
marked as tree miss. After a period of time Δt, the
number of tree- misses (Mi ) is calculated for each
tree indicating the number of new nodes added
Ubiquitous Computing and Communication Journal
during that period. Based on the number of new
nodes inserted in a tree as well as the total number of
new nodes added in the set of trees (Mtotal), weight
value of each tree is updated as stated in Eq.(2), to
fix its weightage relatively proportional to its
relevance in detecting attacks.
W i t  t  W i t  (W i t  M i  M total) (2)
where W i t  t defines the weight assigned to tree Ti
at time instant of t+Δt and W i t is the corresponding
value at time t. The functionality of tree attributer
that attributes trees with weights dynamically is
defined in the following pseudo code.
set weight of all trees as 1
set miss-count of all trees as 0
repeat
do until time t = t+Δt
repeat for each incoming packet
read packet's attributes
repeat for each attribute
extract the attribute value val
let hash(val) be h
search tree for h
if a node n found with value v=h then
increment its frequency f
else insert a new node with v = h,set f = 1
and increment tree miss-count
end repeat
end repeat
end do
record the miss-count of all trees and sum up as
miss-counts
if change in previous miss-count then
update its weight value to weight_new
weight_new = weight_old - (weight_old * miss-
count / miss-counts)
end repeat
4.3 Optimal Search Tree
Given n nodes, it is possible to construct 2nCn
/(n+1) different valid binary search trees. One of the
objective of the attack detector is to detect attacks as
early and as fast as possible thereby attack traffic can
be prevented from entering the network even. For
finding the legitimacy of the packets, tree searching
is associated and needs to be efficient. If the attribute
value of attack packets represented by a node in the
corresponding tree is near the root level, then during
attack the tree searching to hash such values in the
trees become easy and fast. Moreover as the input is
very random, there is a probability that the tree
becomes imbalanced in height which may lead to
longer searches. Without loss of generality, it can be
assumed that the searches made in the trees are
proportional to the frequency values in each node.
2
 However, when there is a severe attack, most of
the packets are attack packets and in which case, it is
60 2
46 4 78 2
25 2 62 6 80 3
67 1
Heaviness = 51
Figure 2: Attribute tree and its equivalent optimized tree
performing a search throughout its height though
takes longer time, will add only a very small delay.
So restructuring of the tree helps in achieving the
search efficiency. It is required that there should be
an optimal rearrangement such that the heaviness H
is minimized. For a tree Ti with node Nj having
frequency Fj and depth Dj, the heaviness Hi is
defined as in Eq.(3).
H i  all nodes j ( Fj  Dj ) (3)
For optimizing the tree, a parameter called tree
heaviness is considered as the objective function. It
The root node is defined as level 1 and successive
siblings at successive levels. The optimal tree is
obtained using dynamic programming approach as
applied in the Maximum Chain Multiplication
problem. From a given set of nodes, the most
appropriate root node is chosen that serves the best.
The same procedure is applied at all levels
recursively to arrive at the most optimized tree. It is
the most appropriate tree needed which satisfies all
the constraints and is optimal. An example attribute
tree with depth 4 and its equivalent optimized tree
are shown in Fig.2
5 DEFENSE STRATEGY – PACKET
SCORE
Size of a tree is defined by the number of
packets that have been used to construct that tree.
Numerically it is equal to the sum of the
frequencies of all the nodes of the tree. Let this size
Ubiquitous Computing and Communication Journal
needed to minimize the tree search to the maximum
extent possible. When the traffic is normal,
62 6
46 4 80 3
25 2 60 2 78 2
67 1
Heaviness = 42
factor be Si for the tree Ti. Frequency of the node
corresponding to the attribute value of the incoming
packet is Fi. The value Fi / Si gives the contribution
of that node or attribute value in that particular tree.
Packet score is nothing but the weighed ratio of the
number of attack packets having that value for the
feature to the total number of packets that have
been used to construct the tree. The decision
whether to pass the packet or drop it is taken based
on this packet score value.
Score   attributes i (W i  Fi  S i ) /  attributes i (W i )
(4)
The packets scoring a high value is detected as
an attack as they resemble the more frequently
occurred packets structured in the attribute trees for
attack traffic. Packets scoring a lower value may
not be attack packets. Some delimiter value for the
score is to be used to classify the packets as attack
or not. This threshold value should be able to
correctly classify the packets. This is determined
using the sensitivity analysis by plotting the
response curves of the traffic classification for
various threshold values. The statistics is collected
for legitimate, attack and mixed traffic. Let the
attack threshold value figured out is Tha. If score >
Tha, then the packet is classified as attack and is
used to update the trees and then dropped at the
router itself. This feedback of the attack
characteristics helps in refining the detection
accuracy by enabling the packets to score values
that have distinct margins for attack and legitimate
packets.
3
 The defense mechanism is deployed in active
routers at the perimeter of the network. Routers get
their defense structures updated periodically by
way of exchange of attack knowledge from peer
routers. The router updation is essential for
preventing attacks at the source network. Instead of
sending the whole tree structures, which is costly,
the routers are designed to send the hash value of
the node whenever the frequency of that node hits a
particular threshold as defined. The router
information exchange is part of the prevention
mechanism of the system.
6 RESULTS AND ANALYSIS OF
SIMULATED STUDY
6.1 Simulation Environment
The proposed system is deployed in active
networks where the routers are programmable.
ANTS is a Java based toolkit used for constructing
an active network and the solution is deployed and
tested in ANTS. As ANTS has limitation in the size
of topology that can be defined, a distributed
version is developed, as defined in our earlier
work[36], to support larger network topology for
simulation. The test topology with zombies to
launch DDoS attacks as shown in fig.3 is used for
testing the defense system proposed that is
deployed in all the intelligent routers at the network
perimeter.
Figure 3: Test topology in active network
DARPA dataset is the standard dataset in the
field of intrusion detection [37],[38] .KDD 99
intrusion detection datasets, which are based on
DARPA 98 dataset, provides labeled data for
feature identification and is the only labeled dataset
publicly available. 10% of the data set corresponds
to DoS attacks. In the training data set containing
24 attack types classified into 4 broad classes, only
the DoS class of records were taken as the data set
for evaluation. The relevance of each feature in
KDD 99 intrusion detection datasets with 41
Ubiquitous Computing and Communication Journal
features is identified for the six attributes
considered for traffic classification by the proposed
system namely Destination address and port,
Source address, Frequency of packets per flow,
Frequency variations in traffic flow, Length of the
packets per flow, Type of protocol used in per flow
traffic. Six attribute trees are used and packets over
a time window of 2 plus minutes is used to analyze
the output parameters.
6.2 Performance Analysis
The threshold value for the packet score to
discriminate the attack traffic is evaluated as
depicted in fig. 4 and fig. 5. The system is tested
with attack traffic and legitimate traffic separately
to define the limit. As the threshold value
approaches 0.32, the number of attack packets
getting dropped at the router is increased. Similarly
the maximum legitimate traffic passed through the
routers is for the threshold value nearly 0.3. Hence
the attack threshold Tha is set as 0.32 for testing.
Figure 4: Flow through router for attack traffic
Figure 5: Flow through router for legitimate traffic
Based on various simulation runs performed
using generic, nominal and SYN-flood attacks, the
false alarm rate is evaluated. The average false
positive percentage is 2.65 for nominal traffic and 0
for others while the average false negative
percentage is 2.5, 2.08, 3.55 for generic, nominal
and SYN flood attacks. Since the solution deployed
at the routers employs feed back loops to allow
learning cum detection for fine tuning the detection
process, it is justified that false negative rate exceed
false positive as some attack packets get through
the routers undetected at the initial time instances
of testing time window.
2

7 CONCLUSION
DDoS attacks threatening the inter network
services need to be detected effectively and as early
as possible. In this paper, an effective detection
method using packet features mined using set of
trees for detection has been proposed. As the static
nature of the trees prevents it from gaining
knowledge as traffic pattern changes on the fly, for
the new attack patterns, a dynamic updation
algorithm has been employed by restructuring it
into an array of optimal attribute trees.
Attribute trees have been designed such that
they keep track of the distinct properties of attack
packets as learned from attack traffic profile to
improve detection accuracy. Hence multiple trees
do help in determining the legitimacy of the packets.
The trees are weighed to reflect the efficiency with
which it can classify the packet as attack or
legitimate. To prevent the random growth of the
trees, an optimization mechanism has been applied
for efficient searching of the tree to improve the
detection time as well as the detection efficiency.
As the detection mechanism is deployed at source
network, it also acts as a prevention system, though
not a complete prevention system.
8 REFERENCES
[1] L.Garber: Denial of service attacks rip the Inter
net, IEEE Computer, vol. 33, no. 4, pp. 12-17
(2000).
[2] D. Pappalardo and E. Messmer: Extortion Via
DDoS on the Rise, Network World( 2005).
http://www.networkworld.com/news/2005/051605-
ddos-extortion.html
[3] D.L.Tennenhouse and D.J.Wetherall: Towards
active network architecture, Computer
communication review,vol.26,no.2( 1996).
[4] K. L. Calvert et al.: Directions in Active
Networks, IEEE Communications( 2001).
[5] P. Ferguson and D. Senie: Network Ingress
Filtering: Defeating Denial of Service Attacks
which Employ IP Source Address Spoofing, RFC
2827 (2000).
[6] S.Templeton: Detecting Spoofed Packets,
Seminars , UC Davis Computer Security
Laboratory ( 2002).
[7] Cheng Jin, Kang G. Shin, and Haining Wang:
Defense Against Spoofed IP Traffic Using Hop-
Count Filtering, IEEE/ACM Transactions on
Networking ( 2007).
Ubiquitous Computing and Communication Journal
[8] J. Ioannidis and S.M. Bellovin: Implementing
Pushback: Router-Based Defense Against DDoS
Attacks, Proceedings of Network and Distributed
System Security Symposium (2002).
[9] M. Adler: Trade-offs in probabilistic packet
marking for IP trace back Journal of the ACM, vol.
52, no. 2, pp. 217-244 ( 2005).
[10] A. Yaar, A. Perrig, and D. Song: FIT: Fast
Internet trace back, IEEE INFOCOM, pp. 1395-
1406, (2005).
[11] A. Belenky and N. Ansari: IP Trace back with
Deterministic Packet Marking, IEEE
communications Letters, vol. 7, no. 4, pp. 162-164
(2003).
[12] A. Yaar, A. Perrig, and D. Song: Pi: A path
identification mechanism to defend against DDoS
attacks, IEEE Symposium on Security and Privacy,
pp. 93-107 ( 2003).
[13] A. Yaar, A. Perrig, and D. Song. SIFF: A
Stateless Internet Flow Filter to mitigate DDoS
flooding attacks, IEEE Symposium on Security and
Privacy( 2004).
[14] Xiaowei Yang, David Wetherall and Thomas
Anderson: A DoS limiting Network Architecture
SIGCOMM’05, pp: 22–26 , (2005).
[15] Takanori Komatsu and Akira Namatame: On
the Effectiveness of Rate-Limiting Methods to
Mitigate Distributed DoS (DDoS) Attacks, IEICE
Transactions on Communications, E90-B(10), pp:
2665-2672 (2007).
[16] C.-K. Fung and M.C. Lee: A Denial-of-Service
Resistant Public-key Authentication and Key
Establishment Protocol, Proceedings of IEEE
International Performance, Computing and
Communications, (2002).
[17] Shuyuan Jin, Daniel S. Yeung: A Covariance
Analysis Model for DDoS Attack Detection, IEEE
Communications ( 2004).
[18] George Oikonomou, Peter Reiher, Max
Robinson, and Jelena Mirkovic: A Framework for
Collaborative DDoS Defense, Proceedings of the
Annual Computer Security Applications
Conference ( 2006)
[19] Matthew Beaumont-Gay: A Comparison of
SYN Flood Detection Algorithms, Proceedings of
the Second International Conference on Internet
Measurement and Protection ( 2007).
[20] Jelena Mirkovic, Peter Reiher: D-WARD: A
3
Source End Defense against Flooding Denial of active networks, Proc. of International conference
Service Attacks, IEEE transactions on Dependable on Information security, pp: 242-248 (2005)
and Secure computing, Vol. 2, No. 3, pp. 216-
232(2005). [31] Kumar: Classification and Detection of
Computer Intrusions, Doctoral Dissertation, Purdue
[21] Keromytis, A.D. Misra, V. Rubenstein, D.: University(1995)
SOS: an architecture for mitigating DDoS attacks,
IEEE Journal on Selected Areas in [32] .Breiman: Random Forests, Machine Learning,
Communications, Volume: 22, Issue: 1,pp: 176- 45(1):5–32( 2001)
188 (2004)
[33] Frederick Livingston: Implementation of
[22] Papadopoulos, C.; Lindell, R.; Mehringer, J.; Breiman’s Random Forest Machine Learning
Hussain, A.; Govindan, R.:COSSACK: coordinated Algorithm, ECE591Q Machine Learning Journal
suppression of simultaneous attacks, DARPA Paper ( 2005).
Information Survivability Conference and
Exposition Proceedings, Volume 1, Issue , pp: 2 - [34] Jiong Zhang and Mohammad Zulkernine:
13 (2003) Network Intrusion Detection using Random Forests,
Queen’s University ( 2006).
[23] Robinson, M. Mirkovic, J. Michel, S.
Schnaider, M. Reiher, P.:DefCOM: defensive [35] Peter K. Pearson :Fast Hashing of Variable-
cooperative overlay mesh, DARPA Information Length Text Strings., Communications of the ACM
Survivability Conference and Exposition 33(6), 677 (1990).
Proceedings, Volume: 2,pp: 101- 102, vol.2 (2003)
[36] P.Jayashree, K.S.Easwarakumar, Ramya.P
[24] G. Kim, T. Bogovic, and D. Chee: Active Chandrasekar.M, and Vijay.M: Design of a
Edge-Tagging (ACT): An Intruder Identification & Distributed Active Network Toolkit, proc. of
Isolation Scheme in Active Networks, proceedings International Conference on Contemporary
of 6th IEEE Symposium on Computers and Computing, (2008)
Communications (2001).
[37] R. Lippmann, J. W. Haines, D. J. Fried, J.
[25] D. E. Denning: An intrusion detection model, Korba,and K. Das: The 1999 DARPA offline
IEEE Transactions on Software Engineering, vol. intrusion detection evaluation, Computer Networks,
13,no. 2, pp. 222-232 ( 1987). vol. 34, pp.579–595(2000).

[26] W. Lee, S. J. Stolfo, and K. Mok: A data [38]S. D. Moitra and S. L. Konda: An empirical
mining framework for building intrusion detection investigation of network attacks on computer
model, IEEE Symposium on Security and Privacy, systems, Computers and Security, vol. 23, no. 1, pp.
pp. 120–132(1999). 43–51,(2004).

[27] R. Lippmann and R. K. Cunningham:

Improving intrusion detection performance using
keyword selection and neural networks, Computer
Networks, vol.34, pp. 597–603 ( 2000).

[28] D. E. Goldberg: Genetic Algorithms in Search,

Optimization and Machine Learning, Addison-
Wesley (1989).

[29] D. Zhu, G. Premkumar, X. Zhang, and C.-H.

Chu: Data mining for intrusion detection: A
comparison of alternative methods, Decision
Sciences, vol. 32, no. 4, pp. 635-660( 2001).

[30] T. Verwoerd and R. Hunt: Intrusion detection

techniques and approaches, Computer
Communications, vol. 25, no. 15, pp. 1356-1365
(2002).

[31] P.Jayashree, K.S.Easwarakumar: An

alternative approach to DDoS attack defense in

Ubiquitous Computing and Communication Journal 4

 .

Ubiquitous Computing and Communication Journal 5