A Behavior-Based Online Engine for Detecting Distributed Cyber-Attacks

Conference paper in: Information Security Applications (WISA 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10144)

Abstract

Distributed attacks have reportedly caused the most serious losses in recent years. Here, distributed attacks are attacks conducted collaboratively by multiple hosts. Detecting them has become one of the most important topics in the cyber security community. Many detection methods have been proposed, but each has its own weak points. For example, the performance of information-theory-based methods depends strongly on the chosen information-theoretic measures, and signature-based methods can deal with neither new kinds of attacks nor new variants of existing attacks. Recently, behavior-based methods have attracted great attention from researchers and developers and are regarded as the most promising approach. In behavior-based approaches, normal behavior modes are learned/extracted from past traffic data of the monitored network and are then used to recognize anomalies during detection. In this paper, we explain how to implement an online behavior-based engine for detecting distributed cyber-attacks. Detection cases of our engine are also introduced; some actual attacks/incidents have been captured by our detection engine.
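The following Python sketch is an added example of the behaviour-based, online scheme the abstract outlines; it is not the paper's engine, whose internals this page does not describe. It assumes one concrete behaviour feature (the number of distinct source hosts contacting each destination port per time window, the natural feature for "many hosts acting collaboratively"), an exponentially weighted mean/variance as the learned "normal behaviour mode", a z-score threshold for the anomaly test, and constructed sample windows rather than real sensor data. The class and function names are illustrative.

```python
"""Online behaviour-based detector for distributed (many-source) activity.

Added example, not the engine described in the paper. It learns, per
destination port, a baseline of "distinct source hosts per time window" from
past windows with an exponentially weighted mean/variance, then flags later
windows whose count lies more than K standard deviations above the baseline.
Windows judged anomalous are not folded back into the baseline, so a burst
does not teach the detector that the burst is normal.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass

# One flow as a sensor might summarise it: (source host, destination port).
Record = tuple[str, int]


@dataclass
class Baseline:
    """Running estimate of the normal distinct-source count for one port."""
    mean: float = 0.0
    var: float = 0.0
    windows: int = 0  # number of windows folded into the estimate


@dataclass(frozen=True)
class Alert:
    window: int
    dst_port: int
    distinct_sources: int
    expected: float
    zscore: float


class OnlineDetector:
    def __init__(self, alpha: float = 0.2, k: float = 4.0,
                 warmup: int = 5, min_std: float = 1.0) -> None:
        self.alpha = alpha      # weight of the newest window in the EWMA
        self.k = k              # alert threshold, in standard deviations
        self.warmup = warmup    # windows to learn before a port may alert
        self.min_std = min_std  # floor so a flat baseline does not alert on +1
        self.baselines: dict[int, Baseline] = defaultdict(Baseline)

    def observe(self, window: int, records: list[Record]) -> list[Alert]:
        """Process one time window; return the alerts raised for it."""
        sources_by_port: dict[int, set[str]] = defaultdict(set)
        for src, port in records:
            sources_by_port[port].add(src)

        alerts: list[Alert] = []
        # Ports seen before but silent in this window still count (as zero).
        for port in set(sources_by_port) | set(self.baselines):
            count = len(sources_by_port.get(port, ()))
            b = self.baselines[port]
            if b.windows >= self.warmup:
                std = max(math.sqrt(b.var), self.min_std)
                z = (count - b.mean) / std
                if z > self.k:
                    alerts.append(Alert(window, port, count, b.mean, z))
                    continue  # do not learn from the anomalous window
            self._update(b, count)
        return sorted(alerts, key=lambda a: a.dst_port)

    def _update(self, b: Baseline, count: int) -> None:
        if b.windows == 0:
            b.mean, b.var = float(count), 0.0
        else:
            diff = count - b.mean
            b.mean += self.alpha * diff
            b.var = (1.0 - self.alpha) * (b.var + self.alpha * diff * diff)
        b.windows += 1


def constructed_windows() -> dict[int, list[Record]]:
    """Constructed sample traffic (not real data): twelve windows of low-level
    background probing of TCP/23 and TCP/80, plus a distributed scan in window
    10 in which 60 additional hosts all hit TCP/23 at once."""
    background_23 = [4, 3, 5, 4, 4, 3, 5, 4, 4, 5, 4, 4]
    background_80 = [2, 1, 3, 2, 2, 3, 1, 2, 2, 3, 2, 1]
    windows: dict[int, list[Record]] = {}
    for w in range(12):
        recs = [(f"198.51.100.{w * 10 + i}", 23) for i in range(background_23[w])]
        recs += [(f"203.0.113.{w * 10 + i}", 80) for i in range(background_80[w])]
        if w == 10:
            recs += [(f"192.0.2.{h}", 23) for h in range(1, 61)]
        windows[w] = recs
    return windows


def run_detector(det: OnlineDetector, windows: dict[int, list[Record]]) -> list[Alert]:
    alerts: list[Alert] = []
    for w in sorted(windows):
        alerts.extend(det.observe(w, windows[w]))
    return alerts


if __name__ == "__main__":
    for a in run_detector(OnlineDetector(), constructed_windows()):
        print(f"window {a.window}: {a.distinct_sources} distinct sources on "
              f"tcp/{a.dst_port}, expected ~{a.expected:.1f} (z={a.zscore:.1f})")
```

On the sample data only window 10 on TCP/23 fires (64 distinct sources against a learned mean of about 4); the same-window background on TCP/80 stays quiet. Two practitioner caveats: the standard-deviation floor `min_std` is what keeps a near-constant baseline from alerting on every +1 fluctuation, and excluding anomalous windows from the update protects against a burst being learned as normal but not against a slowly rising attack that stays under the threshold in every window and is absorbed into the baseline step by step.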



Corresponding author: Yaokai Feng

© 2017 Springer International Publishing AG

Cite this paper

Feng, Y., Hori, Y., Sakurai, K. (2017). A Behavior-Based Online Engine for Detecting Distributed Cyber-Attacks. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_7

  • DOI: https://doi.org/10.1007/978-3-319-56549-1_7
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-56548-4
  • Online ISBN: 978-3-319-56549-1
