Memoirs of the Graduate Schools of Engineering and System Informatics Kobe University, No. 7, pp. 8-13, 2015

Distributed Denial of Service (DDoS) Backscatter Detection System Using Resource Allocating Network with Data Selection

Siti-Hajar-Aminah ALI¹, Nobuaki FURUTANI¹, Seiichi OZAWA¹, Junji NAKAZATO², Tao BAN², Jumpei SHIMAMURA³

¹Graduate School of Engineering, Kobe University, 1-1 Rokko-dai, Nada-ku, Kobe, Japan
²National Institute of Information and Communications Technology (NICT), Japan
³Clwit Inc., Japan

(Received April 13, 2015; Accepted May 29, 2015; Online published June 8, 2015)

Keywords: Distributed Denial of Service, Backscatter, Resource Allocating Network, Darknet, Locality Sensitive Hashing

In this paper, we propose a fast detection system for Distributed Denial of Service (DDoS) backscatter that uses packets from various protocols and port numbers. It is not restricted to the two types of packets that can be labeled with simple rules, called labeled packets: Transmission Control Protocol (TCP) port 80 (80/TCP) and User Datagram Protocol (UDP) port 53 (53/UDP). Usually, it is not easy to detect DDoS backscatter from unlabeled packets, for which an expert needs to analyze the packet traffic manually. To deal with unlabeled packets, the detection system first learns general rules of DDoS backscatter using information from 80/TCP and 53/UDP. After the learning process, the generalized detection system is used to detect DDoS backscatter from unlabeled packets. The detection system consists of two main modules: a pre-processing module and a classifier module. In the pre-processing module, the incoming packets are transformed into feature vectors. For the classifier module, since it is important to detect DDoS backscatter from all protocols as early as possible, we use a Resource Allocating Network (RAN) with data selection. With this classifier, the learning time is shortened because the classifier learns only essential data. Here, essential data means the data located in "well learned" regions, in which the classifier gives trustable predictions. To quickly search for the regions closest to given data, the well-known Locality Sensitive Hashing (LSH) method is used. The performance of the proposed detection system is evaluated using 9,968 training data from labeled packets and 5,933 test data from unlabeled packets. The data were collected from January 1st, 2013 until January 20th, 2014 at the National Institute of Information and Communications Technology (NICT), Japan. The results indicate that the detection system can detect DDoS backscatter with a high detection rate within a short time.
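The region lookup mentioned in the abstract can be illustrated as follows. This is an added example, not code from the paper: it assumes sign-random-projection LSH (one common LSH family), and the feature vectors, the `well_learned` flag and all class and function names are constructed for the illustration.

```python
import math
import random
from collections import defaultdict

class RegionIndex:
    """Sign-random-projection LSH over region centers (illustrative only)."""

    def __init__(self, dim, n_bits=8, seed=0):
        rng = random.Random(seed)
        # One random hyperplane per hash bit.
        self.planes = [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(n_bits)]
        self.buckets = defaultdict(list)  # hash key -> [(center, well_learned)]
        self.regions = []                 # every region, for the fallback scan

    def key(self, x):
        # Bit i records which side of hyperplane i the vector lies on.
        return tuple(int(sum(w * v for w, v in zip(p, x)) >= 0) for p in self.planes)

    def add(self, center, well_learned):
        region = (tuple(center), well_learned)
        self.buckets[self.key(center)].append(region)
        self.regions.append(region)

    def closest(self, x):
        """Return (center, well_learned, distance) of the region nearest to x."""
        # Search only the matching bucket; scan everything if that bucket is empty.
        candidates = self.buckets.get(self.key(x)) or self.regions
        if not candidates:
            return None
        center, flag = min(candidates, key=lambda r: math.dist(r[0], x))
        return center, flag, math.dist(center, x)

# Constructed 4-dimensional feature vectors (assumed, not taken from the paper).
BACKSCATTER = [8.0, 0.5, 2.0, 1.0]
OTHER = [-8.0, -0.5, -2.0, -1.0]

def build_demo():
    index = RegionIndex(dim=4)
    index.add(BACKSCATTER, well_learned=True)
    index.add(OTHER, well_learned=False)
    return index

if __name__ == "__main__":
    idx = build_demo()
    # A vector pointing the same way as BACKSCATTER lands in its bucket.
    print(idx.closest([16.0, 1.0, 4.0, 2.0]))
```

Only the bucket that shares the query's hash key is searched, so lookup cost does not grow with the total number of stored regions unless the bucket is empty and the fallback scan runs.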
