A Method for Investigating Distributed Denial of Service (DDoS) Attacks

Prevention of Distributed Denial of Service (DDoS) attacks before they achieve their intrusive objectives is a critical problem in network security. This is because the attacks rapidly build up and flood the networks with disruptive packets that consume network bandwidth within a short range of timestamp. Consequently, network activities are suddenly shutdown and legitimate users that are present on the networks together with critical operations such as data update, audit hook that records suspicious events, etc are inevitably deactivated. Unfortunately, network detectors that report network intrusions are flawed with imprecise reporting of complex attacks and they lack ability to establish patterns of attacks. Similarly, system administrators that review the audit logs to correct these errors often adopt heuristic rules and manual methods. Nevertheless, these processes are inefficient and they are susceptible to lots of errors whenever large quantities of complex alerts of closely related attacks are processed. For these reasons, how to promptly and correctly review the audit logs so that DDoS attacks would be thwarted in progress is an active research issue in network security. Thus, this paper proposes an automated DoS-Analyzer model for investigating these problems. The analyzer clustered suspicious alerts using the arrival time, addresses, timestamp, protocol, etc to substantiate hidden patterns of attacks that were present in the audit log. In addition, the model was broadly evaluated on six datasets that included synthetic and realistic attacks and the results substantiated patterns of attacks and how they built up over time.