Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32586
A New Traffic Pattern Matching for DDoS Traceback Using Independent Component Analysis

Authors: Yuji Waizumi, Tohru Sato, Yoshiaki Nemoto


Recently, Denial of Service(DoS) attacks and Distributed DoS(DDoS) attacks which are stronger form of DoS attacks from plural hosts have become security threats on the Internet. It is important to identify the attack source and to block attack traffic as one of the measures against these attacks. In general, it is difficult to identify them because information about the attack source is falsified. Therefore a method of identifying the attack source by tracing the route of the attack traffic is necessary. A traceback method which uses traffic patterns, using changes in the number of packets over time as criteria for the attack traceback has been proposed. The traceback method using the traffic patterns can trace the attack by matching the shapes of input traffic patterns and the shape of output traffic pattern observed at a network branch point such as a router. The traffic pattern is a shapes of traffic and unfalsifiable information. The proposed trace methods proposed till date cannot obtain enough tracing accuracy, because they directly use traffic patterns which are influenced by non-attack traffics. In this paper, a new traffic pattern matching method using Independent Component Analysis(ICA) is proposed.

Keywords: Distributed Denial of Service, Independent Component Analysis, Traffic pattern

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1703


[1] Rocky K.C.Chang, Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial, IEEE Communications Magazine, Octorber 2002.
[2] Kohei OHTA and G.Mansfield, Illigal Access Detection on the Internet- Present status and future directions-, IEICE Trans., vol.83-B, no.9, pp.1209-1216, Sep. 2000.
[3] S.Savage, D.Wetherall, A.Karlin, and T.Anderson, Network Support for IP Traceback, IEEE/ACM Trans. Networking, vol.9, no.3, pp.226-237, Jun. 2001.
[4] D.Song and A.Perrig, Advanced and authenticated marking schemes for IP Traceback, Proc. IEEE Infocom 2001 Conf., Anchorage, Alaska USA, April 2001. University of California, Berkeley, Jun. 2000.
[5] H.Lee and K.Park, On the effectiveness of probabilistic packet marking for IP Traceback under denial of service attack, Proc. IEEE Inforcom 2001 Conf., Anchorage, Alaska USA, April 2000.
[6] S.M.Bellovin, ICMP Traceback Messages, InternetDraft, IETF, draftietf- itrace-02.txt(work in progress), Nov. 2002.
[7] A.C.Snoren, C.Partridge, L.A.Sanchez, C.E.Jones, F.Tchakountio, S.T.Kent, and W.T.Strayer, Hash-Based IP Traceback, Proc. of ACM SIGCOMM -01, Aug. 2001.
[8] T.Peng, C.Leckie, and K.Ramamohanarao, Adjusted Probabilistic Packet Marking for IP Traceback, Networking, May, 2002, Pisa, Italy.
[9] T.Peng, C.Leckie, and K.Ramamohanarao, Defending Against Distributed Denial of Service Attacks Using Selective Pushback, 9th IEEE International Conference on Telecommunications, June, 2002, Beijing, China.
[10] Y. Takei, K. Ohta, N. Kato,and Y. Nemoto, Detecting and Tracing Illigal Access by using Traffic Pattern Matching Technique, IEICE Trans., Vol.J84-B, no.8, pp.1464-1473, Aug. 2001.
[11] K. Sakaguchi, K. Ohta, Y. Waizumi, N. Kato, and Y. Nemoto, Tracing DDoS Attacks by Comparing Traffic Patterns Based on Quadratic Programming Method, IEICE Trans., Vol.J85-B, no.8, pp.1295-1303, Aug. 2002.
[12] CERT Advisory CA-96.21, TCP SYN Flooding and IP Spoofing Attacks, Feb.8, 1996.
[13] CERT Advisory CA-96.01, UDP Port Denial-of-Service Attacks, Feb.8, 1996.
[14] CERT Advisory CA-96.26, Denial-of-Service Attack via ping, Dec.18, 1996.
[15] Y. Uchiyama, Y. Waizumi, N. Kato, and Y. Nemoto, Detecting and Tracing DDOoS Attacks in the Traffic Analysis Using Auto Regressive Model, IEICE Trans., vol.E87-D, No.12, pp.2635-2643, Dec. 2004. E. Leland, M.S. Taqque, W.Willinger, and D.V.Willson, On the self-similar Nature of Ethernet Traffic (Extended Version), Proc. IEEE/ACM Trans. Networking, vol.2, no.1, pp.1-15, Feb. 1994.
[16] A.Hyv¨arinen, E.Oja, A fast fixed-point algorithm for independent component analysis, Neural Computation, 9(7):pp1483-1492, 1997
[17] D.Moore, G.Voelker, and S.Savage, Inferring Internet Denial-of-Service Activity, Proc. of the 2001 USENIX Security Symposium, May 2001.
[18] The Internet Traffic Archive, Available from
[19] A.Kuzmanovic and E.W.Knightyly, Low-Rate TCP-Targeted Denial of Service Attacks(The Shrew vs. the Mice and Elephants), Proc. of ACM SIGCOMM 03, Aug. 2003.