6th International ICST Conference on Collaborative Computing: Networking, Applications, Worksharing

Research Article

A collaborative approach to facilitate intrusion detection and response against DDoS attacks.

  • @INPROCEEDINGS{10.4108/icst.collaboratecom.2010.46,
        author={Saman Taghavi Zargar and James B.D. Joshi},
        title={A collaborative approach to facilitate intrusion detection and response against DDoS attacks.},
        proceedings={6th International ICST Conference on Collaborative Computing: Networking, Applications, Worksharing},
        publisher={IEEE},
        proceedings_a={COLLABORATECOM},
        year={2011},
        month={5},
        keywords={Network security, Intrusion detection systems, DDoS, distributed attacks, distributed IDS, collaborative IDS},
        doi={10.4108/icst.collaboratecom.2010.46}
    }
    
  • Saman Taghavi Zargar
    James B.D. Joshi
    Year: 2011
    A collaborative approach to facilitate intrusion detection and response against DDoS attacks.
    COLLABORATECOM
    ICST
    DOI: 10.4108/icst.collaboratecom.2010.46
Saman Taghavi Zargar1,*, James B.D. Joshi2,*
  • 1: Networking and Telecommunications Department, School of Information Sciences, University of Pittsburgh, Pittsburgh, PA 15260, USA
  • 2: School of Information Sciences, University of Pittsburgh, Pittsburgh, PA 15260, USA
*Contact email: stzargar@sis.pitt.edu, jjoshi@sis.pitt.edu

Abstract

Intrusion detection and response systems (IPSs) for protecting against distributed denial-of-service (DDoS) attacks will benefit significantly if all the routers within each autonomous system (AS) are capable of detection and response in addition to sampling. However, DDoS detection and response will incur high storage and processing overhead if each router performs redundant detection and response tasks. Many overlay communication protocols have been introduced in the literature to achieve coordination among the routers, but they generally have high communication overheads. Furthermore, DDoS detection and response requires that all the flows intended for the same destination be analyzed together in order to efficiently capture the correlation between them. To do that, current approaches centrally collect all the sampled data and analyze them, which also increases the communication overhead. In this paper, we present a collaborative approach that distributes the sampling, detection, and response responsibilities among all the routers within the AS in such a way that each router can detect and respond to DDoS attacks. Our proposed approach achieves coordination among all the routers in the network to eliminate redundant sampling, detection, and response tasks without relying on any specific communication protocol. We propose an optimal assignment of disjoint flows to each of the routers within the AS in such a way that all the flows destined for the same host are sampled, analyzed, and properly responded to at the same router. Each router can thus capture the correlation between flows destined for a specific destination.
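The abstract rests on two properties: destinations are partitioned into disjoint sets so that every flow is sampled and analyzed by exactly one router (no redundancy), and all flows toward a given destination land on the same router so that per-destination correlation is preserved. The following Python sketch is an added illustration of those two properties and is not code from the paper; the paper's optimal assignment method is not given on this page, so a simple greedy load-balanced assignment stands in for it, and the router names, flow records, and detection thresholds are constructed for the example. The contrast function splits the same flows by source instead, to show why the per-destination grouping matters.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source host
    dst: str      # destination host
    packets: int  # packets observed in the sampling window


# Constructed sample flows for one sampling window (not data from the paper).
# 10.0.0.5 draws modest traffic from six distinct sources (attack-like pattern);
# 10.0.0.7 draws heavier traffic from only two sources (legitimate load).
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", "10.0.0.5", 20) for i in range(1, 7)]
    + [Flow("203.0.113.1", "10.0.0.7", 150), Flow("203.0.113.2", "10.0.0.7", 50)]
    + [Flow("203.0.113.3", "10.0.0.9", 10)]
    + [Flow("203.0.113.4", "10.0.0.11", 30), Flow("203.0.113.5", "10.0.0.11", 30)]
)
ROUTERS = ["R1", "R2", "R3"]  # hypothetical routers of one AS


def assign_destinations(weights, routers):
    """Map every destination to exactly one router (disjoint sets).

    Greedy balancing by expected volume: heaviest destination first, to the
    least loaded router. This is a stand-in for the paper's optimal assignment,
    which is not reproduced here; the property that matters is that all flows
    to one destination land on a single router.
    """
    loads = {r: 0 for r in routers}
    assignment = {}
    for dst in sorted(weights, key=lambda d: (-weights[d], d)):
        target = min(routers, key=lambda r: (loads[r], r))
        assignment[dst] = target
        loads[target] += weights[dst]
    return assignment


def partition(flows, key):
    """Hand each flow to the single router selected by key(flow)."""
    per_router = defaultdict(list)
    for f in flows:
        per_router[key(f)].append(f)
    return per_router


def detect_ddos(flows, min_sources=5, min_packets=50):
    """Per-destination correlation a router can compute over its own share.

    A destination is flagged when it draws traffic from many distinct sources
    and the combined volume is non-trivial. Thresholds are illustrative only.
    """
    sources, packets = defaultdict(set), defaultdict(int)
    for f in flows:
        sources[f.dst].add(f.src)
        packets[f.dst] += f.packets
    return {d for d in sources
            if len(sources[d]) >= min_sources and packets[d] >= min_packets}


def covers_exactly_once(per_router, flows):
    """No-redundancy check: every flow is analyzed by exactly one router."""
    seen = [f for fs in per_router.values() for f in fs]
    return Counter(seen) == Counter(flows)


def run_destination_partition(flows=SAMPLE_FLOWS, routers=ROUTERS):
    """Assign destinations to routers, split flows accordingly, detect locally."""
    weights = defaultdict(int)
    for f in flows:
        weights[f.dst] += f.packets
    assignment = assign_destinations(weights, routers)
    per_router = partition(flows, key=lambda f: assignment[f.dst])
    alerts = {r: detect_ddos(per_router[r]) for r in routers}
    return assignment, per_router, alerts


def run_source_partition(flows=SAMPLE_FLOWS, routers=ROUTERS):
    """Contrast case: split flows by source instead of destination. Each router
    then sees only a slice of the sources aimed at the victim and the
    per-destination correlation is lost."""
    def by_source(f):
        return routers[int(f.src.rsplit(".", 1)[1]) % len(routers)]
    per_router = partition(flows, key=by_source)
    return {r: detect_ddos(per_router[r]) for r in routers}


if __name__ == "__main__":
    assignment, per_router, alerts = run_destination_partition()
    print("destination -> router:", assignment)
    print("alerts per router (destination split):", alerts)
    print("each flow seen once:", covers_exactly_once(per_router, SAMPLE_FLOWS))
    print("alerts per router (source split):", run_source_partition())
```

With the destination-based split the router that owns 10.0.0.5 sees all six sources and flags it, while no router raises an alert under the source-based split because the same attack is spread across routers in slices of two sources each. Whatever assignment strategy is used in practice, the check performed by `covers_exactly_once` is the one to keep: it confirms that no router duplicates another's sampling work and that no flow falls through.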