
A Robust and Efficient Detection Model of DDoS Attack for Cloud Services


Jian Zhang, Ya-Wei Zhang, Jian-Biao He(B) , and Ou Jin
School of Information Science and Engineering, Central South University,
Changsha 410083, China
jbhe@csu.edu.cn

Abstract. Recently, DDoS attacks have become a major security threat to cloud services, and how to detect and defend against them is currently a hot topic in both industry and academia. In this paper, we propose a novel model to detect DDoS attacks and identify attack packets for abnormal traffic filtering. The novelties of the model are that: (1) combining the characteristics of three types of IP spoofing-based attacks with the temporal correlation of the transport layer connection state, a set of accurate check rules for abnormal packets is designed; (2) by improving the Bloom filter algorithm, an efficient mapping mechanism for TCP2HC/UDP2HC and a reliable two-way checking mechanism for abnormal data packets are implemented; (3) DDoS attack detection and filtering are realized by using the non-parametric CUSUM algorithm to model the growth scale of abnormal packets. Experiments show that, regardless of the type of IP spoofing technique and the scale of the attack traffic, the detection model can accurately detect DDoS attacks as early as possible.

Keywords: DDoS · IP spoofing · HOP COUNT check · CUSUM

1 Introduction

With the development and application of cloud computing, the main target of DDoS attacks has turned to cloud nodes [1,2]. Such attacks aim at the limited computing resources of a node (CPU, memory, network bandwidth, protocol stack, etc.) and rely on exhausting the resources of the victim cloud node to achieve their effect. Since cloud computing has abundant service resources, a DDoS attack needs to be launched at large scale to be effective.
In research on DDoS attack detection for cloud services, three major goals must be satisfied. The first is the timeliness of detection: aggressive behavior should be detected as early as possible, because it is meaningless to detect it after a large-scale attack has broken out and already damaged the availability of the target. The second is the sensitivity to attack traffic: the detection features should distinguish normal traffic from abnormal traffic effectively, which improves the accuracy of attack detection and filtering. The third is adaptability to the attack scale: whether it is a high-rate attack or a low-rate one, the detection method should detect the aggressive behavior accurately. At present, most DDoS attack detection methods in academia [3-8] are proposed with the goal of sensitivity to abnormal traffic. These methods emphasize the ability of the detection features to distinguish between normal and abnormal traffic, present many complicated machine learning algorithms for detection, and obtain good detection precision. However, with low-rate application-layer DDoS attacks becoming rampant, a few DDoS detection methods [16,17] have begun to focus on adaptability to the attack scale, but because of the high complexity of their detection algorithms, these methods cannot satisfy the goal of timely detection. The contradiction between the complexity of detection methods and the timeliness of detection means that current detection methods cannot meet all three goals; how to achieve a good tradeoff is the urgent problem to be solved.

© Springer International Publishing Switzerland 2015
G. Wang et al. (Eds.): ICA3PP 2015, Part III, LNCS 9530, pp. 611–624, 2015.
DOI: 10.1007/978-3-319-27137-8_44
There are many destructive DDoS attacks [9-11], such as SYN flooding, ACK flooding and RST/FIN flooding in the transport layer, and DNS flooding, HTTP flooding and Mail flooding in the application layer. These attacks threaten the dependability of cloud computing to varying degrees. Their common features lie in two aspects: first, they are based on a transport layer protocol such as TCP or UDP; second, all of them use IP spoofing, and the transport layer connection state of the attack traffic is abnormal. Therefore, we can judge in a timely and effective manner whether a cloud node is under DDoS attack through a cumulative calculation based on both the check results of the abnormal transport layer connection state and the authenticity of the source of the transport layer data segments. Compared to the IP flow, the HOPCOUNT value calculated from the TTL values of TCP segments has better stability, which helps to reduce the cases in which legal packets are judged to be IP spoofing packets because of an update delay of HOPCOUNT, and can better solve the problem of false positives. This paper presents a DDoS attack detection model for traffic filtering. The core idea is that, through analysis of the characteristics of the HOPCOUNT value calculated from packets with different types of IP spoofing, the preliminary checks of abnormal packets in inbound and outbound traffic are accomplished using the temporal correlation features of the transport layer connection state; on this basis, a non-parametric CUSUM algorithm is used to achieve accurate DDoS attack detection and filtering. The experimental results show that the detection model can accurately divide packets into normal and abnormal ones, and that aggressive behavior can be found at the beginning of the attack, which provides the best opportunity for cleaning the attack traffic. In addition, our detection model is sensitive not only to high-rate DDoS attacks but also to low-rate ones such as the HTTP asymmetric attack; the ROC curves indicate that our detection model has better performance.
The rest of the paper is organized as follows. In Sect. 2, we briefly overview the related work. Section 3 presents the framework of the DDoS attack detection model designed in this paper. In Sect. 4, we propose a set of check rules and the relevant check algorithm for abnormal packets. Section 5 presents the DDoS attack detection algorithm based on non-parametric CUSUM. In Sect. 6, we introduce the experimental scheme, the data used, and the evaluation and analysis results obtained by deploying the model in an actual network architecture. The summary of the paper and future research work are given in the last section.

2 Related Work

In this section, we review related work on the three goals mentioned above.
For the first goal, the timeliness of detection, Peng et al. [12] proposed monitoring the number of new IP addresses to achieve DDoS attack detection, which decreased false alarms due to flash crowds to some extent. This method uses a simple database to store the set of legitimate IP addresses, judges whether an IP address is new by a simple search algorithm, and can detect aggressive behavior early. However, the judgment of a new IP address is based only on the source IP address of the packets, and the source of the packets is not authenticated, so the method is susceptible to IP spoofing attacks. Tao and Yu [13] proposed a feature-independent DDoS flooding detection method which can detect attack behavior early. Simulation results prove the validity of the method, but it is limited to the detection of high-strength floods. FireCol [14] is a distributed cooperative detection system deployed in multiple ISP overlay networks. Early attack behavior can be detected accurately and reliably by monitoring the network traffic between the target host and the attack source. However, the system can only be used for the detection of high-strength flooding-type DDoS attacks.
For the second goal, the sensitivity to abnormal traffic, Vikas et al. [15] proposed using the hop count of packets to judge the authenticity of their source. They analyzed and demonstrated the feasibility, stability and diversity of distribution of source IP address authenticity using HOPCOUNT, and on this basis realized the filtering of DDoS attack packets with a mapping table between IP and hop count. For aggressive behavior using IP spoofing, the detection accuracy can reach 90 %, with good effect and easy deployment. However, the method itself is vulnerable to distributed attacks. In addition, if the IP2HC table is not updated in time, legitimate packets will be mistaken for attack traffic and cause false alarms. Based on chaos modeling, Chonka et al. [16] exploited self-similarity theory to distinguish DDoS attack traffic from normal traffic. The method can accurately filter abnormal traffic, but its computational complexity makes it hard to detect attack behavior in time. By mining the correlation features of attributes in both the IP header and the TCP header, Dou et al. [17] proposed a DDoS attack detection method for the cloud computing environment based on Credible Filtering (CBF). This method has high detection accuracy for the DDoS aggressive behavior it was trained on, but for unknown aggressive behavior both false negatives and false positives are higher, because the weights of the relevant characteristics cannot be measured.
For the third goal, adaptability to the attack scale, Wang et al. [18] divide attack detection into three stages, NTS (network traffic state) forecasting, fine-grained singularity detection, and a malicious address extraction engine, and proposed a multistage detection method. The method can accurately detect multiple types of DDoS attacks, including subtle DDoS attacks, but its complexity causes poor real-time performance, and it cannot detect aggressive behavior at the early outbreak of an attack. Through an empirical evaluation of the ability to detect high-rate and low-rate DDoS attacks respectively, Monowar et al. [19] put forward an effective detection model. They use several information metrics to detect different kinds of attacks, such as the Hartley entropy, Shannon entropy, Renyi entropy, generalized entropy, Kullback-Leibler divergence distance and generalized information distance. Although the model can be applied to detect any traffic scale, its capability for detecting early attacks is relatively weak.

3 Overall Architecture of the Model

Figure 1 shows the overall architecture of the model. The abnormal check component monitors the IP flow and the TCP/UDP segments. It monitors inbound and outbound packets and checks the authenticity of the source of each data segment and the abnormality of the packets. The IP flow monitoring caches the source IP address of each data segment and the corresponding TTL value, and preliminarily checks the authenticity of the IP flow's source by HOPCOUNT. The packets which are judged to have a forged IP source and are related to an abnormal connection state of the transport layer are called abnormal packets. They include TCP-based abnormal packets, such as SYN, SYN/ACK and ACK, and UDP-based abnormal packets, such as DNS, NTP and common packets. Their quantity indicates the growth of abnormal traffic. All check results are submitted to the decision component, which judges whether the network service is under DDoS attack. Finally, the decision is sent to the response components (router or firewall). This paper focuses on the traffic abnormal check component and the decision component, which are related to DDoS attack detection.

Fig. 1. The architecture of the defensive model

4 Abnormal Check Component of Network Traffic

The traffic abnormal check component contains two main functions. After the authentication of the network traffic source, the first check judges the authenticity of the source of data segments in the transport layer by searching the data segment address. The second check is based on the abnormal connection state of the transport layer. Both provide important information for the decision component. This component is part of the packet parsing process, so it must be efficient: an efficient mapping data structure and a corresponding search algorithm are required.

4.1 Data Structure of Check Algorithm

Definition 1. Key of Transport Layer Connection State. Suppose the transport layer connection address is represented as TCA = <SIP, SPort, DIP, DPort>, and its reverse as $\overline{TCA}$ = <DIP, DPort, SIP, SPort>. If the connection state of the transport layer is represented as KEY = <TCA, FLAG>, we can classify a KEY into a requestKEY and a replyKEY according to the finite state machine of the transport layer. For example, if requestKEY = <TCA, SYN>, then its replyKEY = <$\overline{TCA}$, SYN/ACK>; while if requestKEY = <$\overline{TCA}$, SYN/ACK>, then its replyKEY = <TCA, ACK>.
The TCP2HC database keeps the records of legitimate TCP connections within a certain survival period. Each record contains the Key of the TCP connection state, the source IP address, the HOPCOUNT, and a timestamp. Every record in the database has a unified survival period T1, which is related to the maximum length of the TCP retransmission timeout. When the difference between the current time and the timestamp exceeds the survival period, the corresponding record is deleted automatically from the database. If the UDP protocol is used, the UDP2HC database is adopted to save the legitimate UDP connection records, and the lifetime of a UDP2HC record is set to T2, which is different from T1.
In order to realize efficient lookup and storage of the transport layer connection state, we propose an improved data structure for the Bloom filter algorithm [20]. As shown in Fig. 2, a 2-bit array is adopted. The first bit is the same as in the Bloom filter, and the second bit stores the first pointer to a linear linked list composed of the different nodes corresponding to the same KEY. Once the second bit is assigned, it cannot be re-assigned, which prevents a hash function conflict from damaging the first pointer of the linked list. The nodes of the linked list include the source IP, the corresponding HOPCOUNT value and the timestamp. If a KEY search conflict occurs, the information in the nodes helps to avoid misjudgment. The improved Bloom filter provides an efficient data structure for both TCP2HC and UDP2HC. Efficient key searching and robust HOPCOUNT abnormal checking are supported, which helps to improve the overall performance of the check component.

Fig. 2. The improved data structure of the Bloom filter algorithm

4.2 Check Algorithm

The core of our check algorithm includes the new TCA check and the abnormal data packet check. Because most DDoS attacks use IP spoofing, it is necessary to authenticate the source of a connection before checking the connection. To check for abnormal data packets, we must first check whether there is a connection state abnormality in the transport layer.
In this research, three assumptions are followed:
Assumption 1. The routers of the ISP communication network are not controlled by attackers;
Assumption 2. All the DDoS attacks use IP spoofing techniques;
Assumption 3. The attacker and the faked IP are not in the same LAN.
Assumptions 1 and 2 are general assumptions and widely accepted. For Assumption 3, the attacker can be easily exposed if the attacker and the faked IP are in the same LAN.
According to Assumption 1, it is feasible to authenticate the source of a connection by hop count. The hop count of a packet is determined by the structure of the communication network and is relatively stable [21], especially for packets in the transport layer. Whether the attacker can pass the checking system depends on whether it can set a proper initial TTL value for each spoofed packet. In order to set a proper initial TTL value, the attacker would need h_s, the number of hops between the host owning the spoofed IP and the target machine. However, it is difficult to obtain h_s when the attacker randomly selects a spoofed source IP for each packet: the attacker would need a mapping table from all the IP addresses in the random IP space to their corresponding h_s, which means breaking into at least one host in each subnet of every random address space to obtain h_s by traceroute.

Fig. 3. Illegal connection forms based on IP spoofing

According to Assumption 2, we focus on the abnormal packet checking of DDoS attacks with IP spoofing. In the transport layer, IP spoofing can be characterized into three types according to the type of attack. Figure 3 shows the three main types. Figure 3a shows IP spoofing in the half-open connection form. A fakes the address of C and requests a connection to B. B sends a response to C to accept this connection and then waits for the response from C until timeout. We use timeout to represent the highest tolerance time for the first timeout, regardless of the different settings of different systems. Figure 3b shows that A guesses the RTT and ISN successfully, sends the response to B, and establishes a cheating but legal-looking connection. This shows that it is inaccurate to judge the authenticity of the source IP only by whether the connection is established. In this case, we can judge the authenticity of an unknown source IP address by the difference between the TTL value of the SYN packet and that of the subsequent packets. The SYN/ACK packets are from A and the subsequent packets are from C. According to Assumption 3, A and C are in different LANs, so there is an obvious difference between their TTL values. Figure 3c shows IP spoofing in the indirect form. A masquerades as the IP address of C and requests connections from a group of IP nodes. By a rebound protocol, this group of IP nodes sends responses to C simultaneously. Because the IP addresses of the received packets are real, we should check whether the corresponding request packets were sent out before receiving them.

Table 1. Abnormal connection state check rules

Coding of the rule: Contents of the rule

TCP InboundCRule1: If the SYN flag is not set and the TCA exists in the TCP2HC table, then calculate the packet's HOPCOUNT and check whether it matches the stored HOPCOUNT; if not, the source of the packet is forged and the packet is abnormal;

TCP InboundCRule2: If the SYN flag is not set and the TCA is not found in the TCP2HC table, then the packet is abnormal;

TCP InboundCRule3: If the ACK flag is set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if it does not match the stored HOPCOUNT, the packet is abnormal; otherwise, add a new entry for the replyKEY <TCA, ACK> with the HOPCOUNT;

TCP InboundCRule4: If no TCP flag is set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if it does not match the stored HOPCOUNT, the packet is abnormal;

TCP InboundMRule1: If the SYN flag is set and the TCA is not found in the TCP2HC table, then calculate the HOPCOUNT and add a new entry for the requestKEY <TCA, SYN> with the HOPCOUNT;

TCP InboundMRule2: If the SYN flag is set and the TCA exists in the TCP2HC table, then calculate the HOPCOUNT; if the packet's SIP is not found in the table, a Bloom filter conflict is indicated, so add a new node containing the SIP, HOPCOUNT and timestamp to the linked list; otherwise, if the calculated HOPCOUNT does not match the stored HOPCOUNT, update the HOPCOUNT and timestamp fields of the node;

TCP OutboundCRule1: If both the SYN flag and the ACK flag are set, then search for the entry of the requestKEY <TCA, SYN> in the TCP2HC table; if it does not exist, the packet is abnormal;

TCP OutboundCRule2: If both the SYN flag and the ACK flag are set, and the TCA exists in the TCP2HC table, start the retransmission timeout timer. When the timer expires, query the entry with the replyKEY <TCA, ACK> in the TCP2HC table; if it does not exist, the packet is abnormal;

UDP InboundCRule1: If the TCA of a UDP request packet does not exist in the UDP2HC table during the lifetime, then the packet is abnormal;

UDP OutboundMRule1: If the TCA is not found in the UDP2HC table, then add a new entry for the KEY <TCA, SYN> in the UDP2HC table.

In order to guarantee that a real TCP packet with the ACK flag can still be queried in the TCP2HC database after the retransmission timeout expires, T1 > RTO + RTT + a should be satisfied, where RTO is the maximum time of the retransmission timeout timer, T1 is the maximum lifetime of each record in the TCP2HC database, RTT is the round-trip time between the TCP endpoints, and a is a reliability margin coefficient for safety. According to RTO = RTT + 4*MDEV, we have T1 > 2*RTT + 4*MDEV, where MDEV is the mean deviation of the RTT, which measures RTT jitter. For the UDP2HC database, we set T2 > RTT + a, where T2 is the maximum lifetime of each record in the UDP2HC database.
According to the analysis of the new TCA check and the abnormal data packet check, we propose two categories of check rules, Inbound and Outbound. The main rules are shown in Table 1.
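As an added example (not the paper's own code), the following Python sketch builds a TCP2HC table on the improved Bloom filter idea of Sect. 4.1 and applies a subset of the Table 1 inbound rules (InboundCRule1/2/3 and InboundMRule1/2) to constructed packets. It assumes k = 3 hash positions over a 4096-bit array, T1 = 120 s, and the common initial-TTL set {32, 64, 128, 255} for HOPCOUNT inference; all packet values are constructed.

```python
"""TCP2HC on an improved Bloom filter, with Table 1 inbound rules (added example)."""
import hashlib
import time
from dataclasses import dataclass, field

BITS = 4096                      # size of the Bloom bit array (assumption)
T1 = 120.0                       # record lifetime in s; must exceed RTO + RTT + a
INITIAL_TTLS = (32, 64, 128, 255)  # assumed initial TTLs used for HOPCOUNT inference


@dataclass
class Node:
    """Linked-list node reached through the 'second bit': SIP, HOPCOUNT, timestamp."""
    sip: str
    hopcount: int
    ts: float


@dataclass
class TCP2HC:
    bits: list = field(default_factory=lambda: [False] * BITS)  # classic Bloom bits
    chains: dict = field(default_factory=dict)  # KEY -> first pointer of its node list

    @staticmethod
    def _hashes(key):
        """Three bit positions for one KEY, derived from sha256 (k = 3 is assumed)."""
        d = hashlib.sha256(repr(key).encode()).digest()
        return [int.from_bytes(d[i:i + 4], "big") % BITS for i in (0, 4, 8)]

    def member(self, key):
        return all(self.bits[h] for h in self._hashes(key))

    def add(self, key, sip, hopcount, now):
        for h in self._hashes(key):
            self.bits[h] = True
        chain = self.chains.setdefault(key, [])  # first pointer is assigned only once
        for node in chain:                        # InboundMRule2: refresh existing SIP
            if node.sip == sip:
                node.hopcount, node.ts = hopcount, now
                return
        chain.append(Node(sip, hopcount, now))    # new SIP on a colliding KEY: new node

    def lookup(self, key, sip, now):
        """Stored HOPCOUNT for (KEY, SIP) if the record is still alive, else None.
        A Bloom false positive has no chain, so the node data prevents misjudgment."""
        if not self.member(key):
            return None
        live = [n for n in self.chains.get(key, []) if now - n.ts <= T1]
        self.chains[key] = live                   # expire records older than T1
        for node in live:
            if node.sip == sip:
                return node.hopcount
        return None


def hop_count(ttl):
    """HOPCOUNT = (smallest assumed initial TTL >= observed TTL) - observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return 0


def check_inbound(table, pkt, now):
    """Apply InboundCRule1/2/3 and InboundMRule1/2 of Table 1 to one packet.
    pkt = dict(sip, sport, dip, dport, flags, ttl); returns 'ok' or 'abnormal'."""
    tca = (pkt["sip"], pkt["sport"], pkt["dip"], pkt["dport"])
    hc = hop_count(pkt["ttl"])
    if "SYN" in pkt["flags"]:
        table.add((tca, "SYN"), pkt["sip"], hc, now)  # MRule1/2: create or refresh
        return "ok"
    stored = table.lookup((tca, "SYN"), pkt["sip"], now)
    if stored is None:
        return "abnormal"          # CRule2: no connection state known for this TCA
    if stored != hc:
        return "abnormal"          # CRule1/3: HOPCOUNT mismatch -> forged source
    if "ACK" in pkt["flags"]:
        table.add((tca, "ACK"), pkt["sip"], hc, now)  # CRule3: record the replyKEY
    return "ok"


def demo():
    """Constructed packets: legitimate SYN and ACK, a spoofed ACK, an orphan ACK."""
    t = TCP2HC()
    now = time.time()
    syn = dict(sip="203.0.113.7", sport=40001, dip="198.51.100.10", dport=80,
               flags={"SYN"}, ttl=52)               # TTL 52 -> HOPCOUNT 12
    ack = dict(syn, flags={"ACK"})                  # same path, same HOPCOUNT
    spoofed = dict(ack, ttl=117)                    # same 4-tuple, HOPCOUNT 11
    orphan = dict(ack, sport=40002)                 # no SYN ever seen for this TCA
    return [check_inbound(t, p, now) for p in (syn, ack, spoofed, orphan)]
```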

5 Decision Component

The check algorithm in Sect. 4 only authenticates each single packet. Although the check result of a single packet cannot directly judge whether the network is being attacked, it affords the necessary information for a further decision. A sudden increase of abnormal packets indicates that there is a DDoS attack or scanning of the network [22]. Therefore, the DDoS attack decision algorithm can be based on the cumulative check results over a certain period of time.
5.1 The Selection of Detection Feature

In the normal state, the accumulated number of abnormal packets is small and stable. When a DDoS attack occurs, these abnormal events increase fast. Because there are only a small number of errors and misses in the check component, we choose the accumulated number of abnormal packets as the detection feature in the decision component. We set counters for the number of packets and of abnormal packets in the decision component: n denotes the count of the collected packets at the end of the period Δt, and Δn denotes the count of the abnormal packets at the end of the period Δt. We use the following metric to describe the growth of abnormal packets in different time periods of length Δt:

$$C_n = \frac{\Delta n}{n} \qquad (1)$$

5.2 Non-parametric CUSUM Based Decision Algorithm

Network traffic on the Internet is considered a complex stochastic model, and any abnormal traffic leads to changes of the model. In order to achieve real-time detection at the early stage of an attack, the sequence C(n, t) is converted into the form of a continuous function:

$$C_n = \beta + \xi_n\, I(n < m) + (h + \eta_n)\, I(n \ge m) \qquad (2)$$

where $E(C_n) = \beta$, $\xi = \{\xi_n\}_{n=1}^{\infty}$ and $\eta = \{\eta_n\}_{n=1}^{\infty}$ are two stochastic sequences satisfying $E(\xi_n) = E(\eta_n) = 0$, and $h \ne 0$. $I(H)$ is an indicator function whose value equals 1 if $H$ is true and 0 otherwise. For the sequence C(n, t), if the mean value has a step change from $\beta$ to $\beta + h$ at the point $m$, there is a sudden change in the sequence value. We adopt the non-parametric CUSUM algorithm to continuously detect the sequence change and the change point $m$. It can monitor the sequence in real time with a low false-alarm rate and thus detect DDoS attacks immediately.
When the network traffic is in the normal state, the mean value of C(n, t) is close to 0, i.e., $E(C_n) \ll 1$. We denote $F_n = C_n - \bar{\beta}$, with $\beta' = \beta - \bar{\beta}$ and $h \gg \bar{\beta}$, where $\bar{\beta}$ is the offset determined for each specific network environment. The mean value of the sequence $F_n$ in the normal state is offset to a negative value and turns positive when an attack occurs. Consequently, the offset sequence is applicable to the non-parametric CUSUM algorithm:

$$F_n = \beta' + \xi_n\, I(n < m) + (h + \eta_n)\, I(n \ge m) \qquad (3)$$

where $\beta' < 0$ and $|\beta'| < h < 1$. According to the non-parametric CUSUM algorithm, the stochastic sequence $F_n$ has the negative mean value $\beta'$. When the attack occurs, $F_n$ jumps to positive ($h + \beta' > 0$, where $h$ is the minimum growth of the sequence $F_n$ when an attack occurs). We accumulate the positive values and ignore the negative ones. If the accumulation exceeds the threshold at a certain moment, the system determines that a DDoS attack has occurred. In the normal state, the value of the sequence $F_n$ is either negative or a non-continuous small positive, so the accumulation will not exceed the threshold. The algorithm is thus converted into the problem of calculating formula (4). It is worth noting that $h$ is the smallest increment when an attack occurs; it is not the threshold for attack detection in the algorithm.

$$y_n = T_n - \min_{1 \le k \le n} T_k, \quad \text{where } T_k = \sum_{i=1}^{k} F_i,\; T_0 = 0 \qquad (4)$$

$y_n$ is the statistical feature of our detection method. In order to reduce the complexity of the implementation, a nested non-parametric CUSUM algorithm is used, as follows:

$$y_n = (y_{n-1} + F_n)^+ \qquad (5)$$

where $x^+ = x$ when $x > 0$ and $x^+ = 0$ when $x \le 0$.
A greater value of $y_n$ (exceeding the corresponding threshold) means that an attack exists in the network. $y_n$ represents the sum of the positive sequence. When $y_{t_N} > N$, the statistic has mutated at time $t_N$, and the network is suffering from a distributed denial of service attack. The decision function based on the number of abnormal packets is described as:

$$W_N(y_n) = \begin{cases} 1, & y_n > N \\ 0, & y_n \le N \end{cases} \qquad (6)$$

where $N$ is the threshold of attack detection: $W_N(y_n) = 1$ if and only if $y_n > N$, which means the occurrence of attack behavior, and $W_N(y_n) = 0$ if and only if $y_n \le N$, which means the network traffic is normal.
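As an added example (not the paper's code), the decision component of Sect. 5 in Python on a constructed series of per-period counts: the growth metric of Eq. (1), the offset sequence F_n, y_n computed both by Eq. (4) and by the nested form of Eq. (5), and the decision of Eq. (6). The offset β̄, the threshold N and the packet counts are assumptions; the abnormal counts per period would come from the check component of Sect. 4.

```python
"""Non-parametric CUSUM decision over per-period abnormal packet counts (added example)."""

OFFSET = 0.02      # beta-bar: slightly above the normal mean of C_n so that E[F_n] < 0
THRESHOLD = 0.15   # N: the detection threshold (not h, the minimum jump of F_n)


def growth_metric(n, dn):
    """Eq. (1): C_n = delta_n / n, the share of abnormal packets in one period."""
    return 0.0 if n == 0 else dn / n


def cusum_nested(periods, offset=OFFSET, threshold=THRESHOLD):
    """Eq. (5): y_n = (y_{n-1} + F_n)^+ with the decision of Eq. (6) applied online.
    periods: list of (n, delta_n) per period. Returns (index of first alarm or None,
    the y_n trace up to that point)."""
    y, trace = 0.0, []
    for i, (n, dn) in enumerate(periods):
        f = growth_metric(n, dn) - offset   # F_n: negative in the normal state
        y = max(0.0, y + f)                 # accumulate positives, discard negatives
        trace.append(y)
        if y > threshold:                   # W_N(y_n) = 1: attack declared
            return i, trace
    return None, trace


def cusum_eq4(periods, offset=OFFSET):
    """Eq. (4): y_n = T_n - min_k T_k with T_k = sum_{i<=k} F_i and T_0 = 0.
    T_0 = 0 is included in the minimum so the values coincide with Eq. (5)."""
    t, t_min, trace = 0.0, 0.0, []
    for n, dn in periods:
        t += growth_metric(n, dn) - offset
        t_min = min(t_min, t)
        trace.append(t - t_min)
    return trace


def decide(periods):
    """W_N over the whole series: 1 once y_n exceeds N in some period, else 0."""
    alarm, _ = cusum_nested(periods)
    return 0 if alarm is None else 1


# Constructed counts per 10 s period: six normal periods (about 1 % abnormal),
# then a ramp in which abnormal packets grow faster than the total packet count.
NORMAL = [(1000, 10), (1200, 9), (900, 11), (1100, 12), (1000, 8), (1300, 13)]
ATTACK = NORMAL + [(1500, 60), (2200, 250), (4000, 900)]

if __name__ == "__main__":
    idx, ys = cusum_nested(ATTACK)
    print("alarm at period", idx, "y_n trace", [round(v, 4) for v in ys])
```

In the constructed series the alarm fires in the ninth period (index 8), where y_n reaches about 0.32 while the six normal periods keep y_n at 0.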


6 Performance Evaluation

In order to evaluate the detection performance of the model, we conducted attack experiments in the MAN network of the Changsha National Software Industry Base. Using a botnet, we launched SYN flooding attacks with IP spoofing of type (a), HTTP flooding attacks with IP spoofing of type (b) and DNS flooding attacks with IP spoofing of type (c). Table 2 gives the statistical data of the different types of attacks. K denotes the number of abnormal packets of the SYN flooding attack, and corresponding counts of abnormal packets are defined for the HTTP flooding attack and the DNS flooding attack. Δt is set to 10 s. Figure 4 shows the detection results for the three types of attack. The results show that the SYN flooding attack (Fig. 3a) can be detected in 23.7 s with an accuracy of 100 % when K is equal to 53; false negatives exist only if K < 53. The HTTP flooding attack (Fig. 3b) can be detected in 83.6 s with an accuracy of 100 % when its abnormal packet count is equal to 19; detection misses occur only below 19. The DNS flooding attack (Fig. 3c) can be detected in 68.4 s with an accuracy of 100 % when its abnormal packet count is equal to 32; detection misses occur only below 32.
Table 2. DDoS traces statistics.

TestBed type    Experiment times    Average size of each trace (MB)    Average packet size (bytes)
SYN flooding    120                 65                                 54
DNS flooding                                                           1050
HTTP flooding   6                   60                                 420

Table 3 lists the average accuracy and delay of detection for different values of K and of the corresponding abnormal packet counts of the other two attacks. The results show that the proposed model has high accuracy and can satisfy the demand of detecting attacks in their early stage.
To test the adaptability of the detection model to different attack scales, we give the ROC curves of SYN flooding attack detection, HTTP flooding attack detection and DNS flooding attack detection respectively. As shown in Fig. 5, the abnormal detection rate of the highly distributed SYN flooding attack reaches almost 100 % while the false alarm rate is less than 2 %; for the high-intensity DNS flooding attack, the abnormal detection rate is more than 90 % when the false alarm rate is 2.5 %; for the less distributed HTTP flooding attacks, the abnormal detection rate is more than 90 % when the false alarm rate is 9 %. It can be seen that the model has superior performance against highly distributed DDoS. Although the performance of detecting low-distribution and low-rate DDoS attacks decreases slightly, the overall performance is relatively stable and effective. So we can say that the detection model has good adaptability to different scales of DDoS attack.


Fig. 4. Three critical values of the different attacks in the detection


Table 3. The results of performance test (test time in seconds)

(a) DDoS attack
K      Accuracy (%)    Test time
30     98.9            45.3
53     100             23.7
68     100             11.2
89     100             6.7
120    100             5.1

(b) HTTP flooding attack
Abnormal packets    Accuracy (%)    Test time
14                  92.1            115.8
19                  100             83.6
35                  100             17.3
50                  100             8.7
85                  100             8.3

(c) DNS flooding attack
Abnormal packets    Accuracy (%)    Test time
25                  94.6            86.4
32                  100             68.4
45                  100             14.5
60                  100             7.1
75                  100             6.3

Fig. 5. The ROC curves of the three different types of attack

7 Conclusions and Future Work

This paper proposed a robust and efficient detection model of DDoS attacks for cloud services. First, we gave a set of rules on IP address authenticity, transport layer connection address authenticity and transport layer abnormal connection state to check for abnormal packets in the transport layer communication process. In detail, we use hop-count based filtering for IP address authentication. For transport layer connection address authentication, we use hop-count based filtering and connection address aggregation. The improved Bloom filter algorithm is used to achieve efficient address query and data storage. The transport layer abnormality check uses the TCP state diagram and the characteristics of UDP reflection protocols, based on the former authentication. Second, we analyze the increase in the number of abnormal packets with the non-parametric CUSUM algorithm to detect DDoS attacks. The experiments demonstrate that the detection model shows strong advantages in the immediacy of detection, the sensitivity to attack traffic and the adaptability to attack scale.
Acknowledgment. This work is partially supported by the Planned Science and
Technology Project of Hunan Province, China (NO.2015JC3044), and the National
Natural Science Foundation of China (NO.61272147).

References
1. Sumter, R.L.Q.: Cloud Computing: Security Risk Classification. ACMSE, Oxford (2010)
2. Jansen, W., et al.: Cloud hooks: security and privacy issues in cloud computing. In: 44th Hawaii International Conference on System Sciences (HICSS), pp. 1–10. IEEE (2011)
3. Bhuyan, M.H., Kashyap, H.J., Bhattacharyya, D.K., Kalita, J.K.: Detecting distributed denial of service attacks: methods, tools and future directions. Comput. J. bxt031 (2013)
4. Patel, K.: Security survey for cloud computing: threats and existing IDS/IPS techniques. In: 24th International Conference on Control, Communication and Computer Technology, pp. 88–92. IEEE (2013)
5. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
6. Gupta, S., Kumar, P., Abraham, A.: A profile based network intrusion detection and prevention system for securing cloud environment. Int. J. Distrib. Sens. Netw. (2013)
7. Yi, F., Yu, S., Zhou, W., Hai, J., Bonti, A.: Source-based filtering scheme against DDoS attacks. Int. J. Database Theory Appl. 1(1), 9–20 (2008)
8. Gavaskar, S., Surendiran, R., Ramaraj, D.E.: Three counter defense mechanism for TCP SYN flooding attacks. Int. J. Comput. Appl. 6(6), 0975–8887 (2010)
9. Gulshan, S., Kavita, S., Swarnlata, R.: A technical overview DoS and DDoS attack. Proc. Int. Conf. Comput. 2010, 274–282 (2010)
10. Bogdanoski, M., Suminoski, T., Risteski, A.: Analysis of the SYN flood DoS attack. Int. J. Comput. Netw. Inf. Secur. (IJCNIS) 5(8), 1–11 (2013)
11. Bhandari, N.H.: Survey on DDoS attacks and its detection and defence approaches. Int. J. Sci. Mod. Eng. (IJISME) 1(3), 2319–6386 (2013)
12. Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. In: IEEE International Conference on Communications, pp. 482–486 (2003)
13. Tao, Y., Yu, S.: DDoS attack detection at local area networks using information theoretical metrics. In: 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 233–240 (2013)
14. Francois, J., Aib, I., Boutaba, R.: FireCol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. (TON) 20(6), 1828–1841 (2012)
15. Chouhan, V., Peddoju, S.K.: Packet monitoring approach to prevent DDoS attack in cloud computing. Int. J. Comput. Sci. Electr. Eng. (IJCSEE) 1(2), 2315–4209 (2013)
16. Chonka, A., Singh, J., Zhou, W.: Chaos theory based detection against network mimicking DDoS attacks. IEEE Commun. Lett. 13(9), 717–719 (2009)
17. Dou, W., Chen, Q., Chen, J.: A confidence-based filtering method for DDoS attack defense in cloud environment. Future Gener. Comput. Syst. 29(7), 1838–1850 (2013)
18. Wang, F., Wang, H., Wang, X., Su, J.: A new multistage approach to detect subtle DDoS attacks. Math. Comput. Model. 55(1), 198–213 (2012)
19. Bhuyan, M.H., Bhattacharyya, D., Kalita, J.: An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit. Lett. 51, 1–7 (2015)
20. Broder, A., Mitzenmacher, M.: Network applications of Bloom filters: a survey. Internet Math. 1(4), 485–509 (2004)
21. Paxson, V.: End-to-end routing behavior in the internet. IEEE/ACM Trans. Netw. 5(5), 601–615 (1997)
22. Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of the 11th International Conference on World Wide Web, pp. 293–304. ACM (2002)
