Distributed Denial of Service Attack
Detection by Using Wallaroo-based Time
Series Analysis
Detection by Using Wallaroo-based Time
Series Analysis
Name : Farzana binti Zakaria
Matric Number : BTBL15040784
Supervisor’s Name : Dr. Mohd Fadzil bin Abdul Kadir
ABSTRACT
- DDoS attacks can be described as temporarily deny several services of the end users.
- It consumes network resources and overloads the system with undesired request.
- This project present the method of detecting DDoS attacks by using the Wallaroo-based.
wallaroo
- About the distributed data processing framework for building high-performance streaming data applications.
- A Wallaroo application consists of one or more pipelines that :
- performs a series of computations based on that data,
- optionally produces outputs which are sent to an external system.
PROBLEM STATEMENT
|
OBJECTIVES
|
Framework
The basic logic for detecting DDoS :
- Each web request produces a log entry containing a timestamp, a client IP address, the server IP address, and the resource requested.
- While the server is healthy, we compute a weighted mean and weighted standard deviation over the last 60 seconds of data (for each of requests/second and unique-clients/second).
We update these values whenever a full second rolls over and the window moves forward by one second. - For the current fragment of a second, we compute the predictedmetrics, using the current number of requests and unique clients measured so far, divided by the fraction of the second.
- We subtract the mean values from the predicted ones, and compare the difference to their respective standard deviations. If either of the differences is greater than 2 multiples of the standard deviation (e.g. > 2 sigma), we call this prediction anomalous.
- Since early data can be misleading, we also apply a minimum threshold to prevent flapping: in order to change from “healthy” to “under attack”, there must be at least 20 requests the current prediction’s sample.
And likewise, in order to change from “under attack” to “healthy”, there must be at least 10 requests in the current prediction’s sample.
RESULT :
CONCLUSION
- Whenever a server’s status changes from either “healthy” to “under attack” and vice versa. Consumer will be notify via a message over Transfer Control Protocol(TCP) , noting the server’s address, the new status and the time at which it changed.