Abstract
Distributed attacks have reportedly caused the most serious losses in recent years. Here, distributed attacks means attacks conducted collaboratively by multiple hosts. How to detect distributed attacks has become one of the most important topics in the cyber security community. Many detection methods have been proposed, but each has its own weak points. For example, the detection performance of information-theory-based methods depends strongly on the chosen information-theoretic measures, and signature-based methods can deal with neither new kinds of attacks nor new variants of existing attacks. Recently, the behavior-based method has been attracting great attention from researchers and developers and is thought to be the most promising approach. In behavior-based approaches, normal behavior modes are learned/extracted from past traffic data of the monitored network and are then used to recognize anomalies during detection. In this paper, we explain how to implement an online behavior-based engine for detecting distributed cyber-attacks. Detection cases of our engine are also introduced; some actual attacks/incidents have been captured by the engine.
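The abstract describes the behavior-based idea in one sentence: a profile of normal traffic is learned from past observation windows of the monitored network and later windows are compared against it. The following is an added illustration of that idea and is not the paper's engine or code. It assumes a constructed window format (per targeted port, a count of connection attempts and a count of distinct source hosts), a mean-plus-k-standard-deviations rule with k = 3, and a floor of 1.0 on the standard deviation so that a perfectly flat history does not produce a zero-width band; the paper's actual learning and thresholding method is not reproduced here. Distinguishing a surge carried by many sources from one carried by a few is what lets the toy separate a distributed surge from a plain volume surge.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the paper). Each window summarises one
# observation interval of the monitored network as
#   key -> (connection_attempt_count, distinct_source_host_count)
# where the key names the targeted protocol/port.
TRAINING_WINDOWS = [
    {"tcp/23": (98, 10), "tcp/445": (50, 5)},
    {"tcp/23": (102, 11), "tcp/445": (48, 5)},
    {"tcp/23": (97, 9), "tcp/445": (52, 6)},
    {"tcp/23": (105, 12), "tcp/445": (49, 4)},
    {"tcp/23": (100, 10), "tcp/445": (51, 5)},
    {"tcp/23": (99, 10), "tcp/445": (50, 5)},
    {"tcp/23": (103, 11), "tcp/445": (47, 6)},
    {"tcp/23": (101, 9), "tcp/445": (53, 4)},
]
# The window under detection: tcp/23 is hit by many new sources at once,
# tcp/445 rises in volume from the usual handful of sources, and tcp/8080
# has no history at all.
CURRENT_WINDOW = {"tcp/23": (400, 120), "tcp/445": (80, 5), "tcp/8080": (30, 3)}


def learn_baseline(history):
    """Extract a per-key normal-behavior profile from past windows.

    The profile holds the mean and population standard deviation of the
    attempt count and of the distinct-source count. A key absent from a
    window is treated as having contributed zero traffic in that window.
    """
    keys = set().union(*history)
    baseline = {}
    for key in keys:
        counts = [w.get(key, (0, 0))[0] for w in history]
        sources = [w.get(key, (0, 0))[1] for w in history]
        baseline[key] = {
            "count_mean": mean(counts), "count_std": pstdev(counts),
            "src_mean": mean(sources), "src_std": pstdev(sources),
        }
    return baseline


def detect(window, baseline, k=3.0, min_std=1.0):
    """Compare one new window against the learned profile.

    A key with no profile is reported as "unseen". A key whose attempt count
    exceeds mean + k*std is a "volume surge"; if its distinct-source count
    also exceeds its own band it is a "distributed surge". min_std keeps a
    flat history from producing a zero-width band (assumed value).
    """
    alerts = []
    for key, (count, sources) in sorted(window.items()):
        profile = baseline.get(key)
        if profile is None:
            alerts.append((key, "unseen"))
            continue
        count_limit = profile["count_mean"] + k * max(profile["count_std"], min_std)
        src_limit = profile["src_mean"] + k * max(profile["src_std"], min_std)
        if count > count_limit and sources > src_limit:
            alerts.append((key, "distributed surge"))
        elif count > count_limit:
            alerts.append((key, "volume surge"))
    return alerts


def run_example():
    """Learn from the constructed history and classify the current window."""
    return detect(CURRENT_WINDOW, learn_baseline(TRAINING_WINDOWS))


if __name__ == "__main__":
    for key, kind in run_example():
        print(f"{key}: {kind}")
```

In an online setting the baseline would be refreshed as windows age out, and an "unseen" key is only a prompt to look, not evidence of an attack on its own; the point of the toy is that no attack signature is involved, only a deviation from the network's own learned behavior.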
© 2017 Springer International Publishing AG
Feng, Y., Hori, Y., Sakurai, K. (2017). A Behavior-Based Online Engine for Detecting Distributed Cyber-Attacks. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science(), vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_7
DOI: https://doi.org/10.1007/978-3-319-56549-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56548-4
Online ISBN: 978-3-319-56549-1