Flooding attacks detection in traffic of backbone networks

Internet services are vulnerable to flooding attacks that lead to denial of service. This paper proposes a new framework to detect anomalies and to provide early alerts for flooding attacks in backbone networks. Thus allow to quickly react in order to prevent the flooding attacks from strangling the victim server and its access network. The proposed detection scheme is based on the application of Least Mean Square (LMS) filter and Pearson Chi-square divergence on randomly aggregated flows in Sketch data structure. Instead of analyzing one time series for overall traffic, random aggregation of flows is used to investigate a fixed number of time series for grained analysis. Least mean square filter is used to predict the next value of the time series based on previous values, and Pearson Chi- square divergence is used to measure the deviations between the current and estimated probability distributions. We evaluate our approach using publicly available real IP traces (MAWI) collected from the WIDE backbone network, on trans-Pacific transit link between Japan and USA. Our experimental results show that the proposed approach outperforms existing techniques in terms of detection accuracy and false alarm rate. It is able to detect low intensity attacks covered by the large number of traffic in high speed network.