TY - JOUR
T1 - Traffic-flow analysis for source-side DDoS recognition on 5G environments
AU - Sotelo Monge, Marco Antonio
AU - Herranz González, Andrés
AU - Lorenzo Fernández, Borja
AU - Maestre Vidal, Diego
AU - Rius García, Guillermo
AU - Maestre Vidal, Jorge
N1 - Publisher Copyright:
© 2019 Elsevier Ltd
PY - 2019/6/15
Y1 - 2019/6/15
N2 - This paper introduces a novel approach for detecting the participation of a protected network device in flooding-based Distributed Denial of Service attacks. To this end, traffic flows are inspected at the source side, looking for discordant behaviors. In contrast to most previous solutions, the proposal assumes the non-stationarity and heterogeneity inherent in the emerging communication environment. In particular, the approach takes advantage of the monitoring and knowledge acquisition capabilities implemented in the SELFNET (H2020-ICT-2014-2/671672) project, which facilitates its implementation as a self-organizing solution on 5G mobile networks. Monitoring, feature extraction and knowledge acquisition tasks are carried out on the centralized control plane, so the proposed architecture minimizes the impact on operational performance and supports end-point mobility. The preliminary results observed when considering different metrics, adjustment parameters, and a dataset with traffic observed in 61 real devices proved effective at distinguishing normal activities from DDoS behaviors of different intensity. With an optimal granularity selection, the highest AUC reached values close to 1.0 when measured under the most intense attacks, demonstrating optimal TPR/FPR trade-offs by adapting to the instantiated use cases.
AB - This paper introduces a novel approach for detecting the participation of a protected network device in flooding-based Distributed Denial of Service attacks. To this end, traffic flows are inspected at the source side, looking for discordant behaviors. In contrast to most previous solutions, the proposal assumes the non-stationarity and heterogeneity inherent in the emerging communication environment. In particular, the approach takes advantage of the monitoring and knowledge acquisition capabilities implemented in the SELFNET (H2020-ICT-2014-2/671672) project, which facilitates its implementation as a self-organizing solution on 5G mobile networks. Monitoring, feature extraction and knowledge acquisition tasks are carried out on the centralized control plane, so the proposed architecture minimizes the impact on operational performance and supports end-point mobility. The preliminary results observed when considering different metrics, adjustment parameters, and a dataset with traffic observed in 61 real devices proved effective at distinguishing normal activities from DDoS behaviors of different intensity. With an optimal granularity selection, the highest AUC reached values close to 1.0 when measured under the most intense attacks, demonstrating optimal TPR/FPR trade-offs by adapting to the instantiated use cases.
KW - 5G
KW - Denial of service
KW - Intrusion detection systems
KW - Knowledge acquisition
KW - Source-side detection
UR - http://www.scopus.com/inward/record.url?scp=85064242953&partnerID=8YFLogxK
U2 - 10.1016/j.jnca.2019.02.030
DO - 10.1016/j.jnca.2019.02.030
M3 - Article (Journal Contribution)
AN - SCOPUS:85064242953
SN - 1084-8045
VL - 136
SP - 114
EP - 131
JO - Journal of Network and Computer Applications
JF - Journal of Network and Computer Applications
ER -
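The abstract describes source-side inspection of a protected device's outbound flows for discordant behavior, with detection quality (AUC, TPR/FPR) depending on the window granularity chosen. The following Python block is an added illustration of that idea written for this record; it is not the paper's or the SELFNET project's code. The feature (outbound packets per window), the per-device z-score detector, the constructed traffic profile (a low-rate pattern with a periodic application burst, plus a flood the device joins during seconds 40 to 79) and the device name ue-1 are all assumptions. It computes a rank-based AUC and TPR/FPR at several granularities, showing why a window that is too fine lets legitimate bursts outrank low-intensity flooding seconds while a coarser window separates them cleanly.

```python
"""Source-side flooding detection over per-device flow records, evaluated at
several window granularities. Hypothetical example for this page, not the
paper's method: feature, detector and traffic shape are all assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed traffic profile for one protected device (assumption): a
# repeating low-rate pattern plus an application sync burst every 30 s.
PATTERN = [1, 2, 3, 2, 1, 4, 2, 3]
BURST_PERIOD, BURST_SIZE = 30, 30
ATTACK_START, ATTACK_END, ATTACK_RATE = 40, 80, 25  # extra pkts/s while flooding


def normal_packets(t):
    """Outbound packets the device sends in second t under normal use."""
    pkts = PATTERN[t % len(PATTERN)]
    if t % BURST_PERIOD == 0:
        pkts += BURST_SIZE
    return pkts


def training_flows(seconds=240):
    """Per-second flow records (device, t, packets_out) with no attack present."""
    return [("ue-1", t, normal_packets(t)) for t in range(seconds)]


def test_flows(seconds=120):
    """Flow records plus per-second labels; the device joins a flood in [40, 80)."""
    flows, labels = [], {}
    for t in range(seconds):
        attacking = ATTACK_START <= t < ATTACK_END
        flows.append(("ue-1", t, normal_packets(t) + (ATTACK_RATE if attacking else 0)))
        labels[t] = attacking
    return flows, labels


def bucket(flows, granularity):
    """Aggregate outbound packets into windows of `granularity` seconds per device."""
    counts = defaultdict(int)
    for device, t, pkts in flows:
        counts[(device, t // granularity)] += pkts
    return counts


def zscores(train_counts, test_counts):
    """Score each test window by its deviation from the device's training baseline."""
    per_device = defaultdict(list)
    for (device, _), c in train_counts.items():
        per_device[device].append(c)
    stats = {d: (mean(v), pstdev(v) or 1.0) for d, v in per_device.items()}
    return {key: (c - stats[key[0]][0]) / stats[key[0]][1] for key, c in test_counts.items()}


def window_labels(labels, granularity):
    """A window is positive if any second in it belongs to the flood."""
    out = defaultdict(bool)
    for t, attacking in labels.items():
        out[t // granularity] |= attacking
    return out


def auc(scores, labels):
    """Rank-based AUC: fraction of (positive, negative) window pairs ordered correctly."""
    pos = [s for (_, w), s in scores.items() if labels[w]]
    neg = [s for (_, w), s in scores.items() if not labels[w]]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def tpr_fpr(scores, labels, threshold):
    """Detection rates when windows with z-score above `threshold` are flagged."""
    tp = fp = positives = negatives = 0
    for (_, w), s in scores.items():
        if labels[w]:
            positives += 1
            tp += int(s > threshold)
        else:
            negatives += 1
            fp += int(s > threshold)
    return tp / positives, fp / negatives


def evaluate(granularity, threshold=3.0):
    """Return (AUC, (TPR, FPR)) for one window granularity in seconds."""
    train = bucket(training_flows(), granularity)
    flows, labels = test_flows()
    scores = zscores(train, bucket(flows, granularity))
    wl = window_labels(labels, granularity)
    return auc(scores, wl), tpr_fpr(scores, wl, threshold)


if __name__ == "__main__":
    for g in (1, 5, 10, 20):
        a, (tpr, fpr) = evaluate(g)
        print(f"granularity={g:2d}s AUC={a:.4f} TPR={tpr:.2f} FPR={fpr:.2f}")
```

At a 1 s granularity the three legitimate 30-packet bursts in the test period outrank every flooding second except the one that coincides with a burst, so AUC stays below 1.0 and they show up as false positives at a 3-sigma threshold; at 10 s the flood's contribution to each window dwarfs any single burst and the two classes separate completely. The baseline and threshold are per device, which is what makes the check usable on heterogeneous endpoints.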