Efficient distinct heavy hitters for DNS DDoS attack detection

Yehuda Afek, Anat Bremler-Barr, Edith Cohen, Shir Landau Feibish, Michal Shagam

Research output: Contribution to journal › Article › peer-review


Motivated by a recent new type of randomized Distributed Denial of Service (DDoS) attacks on the Domain Name Service (DNS), we develop novel and efficient distinct heavy hitters algorithms and build an attack identification system that uses our algorithms. Heavy hitter detection in streams is a fundamental problem with many applications, including detecting certain DDoS attacks and anomalies. A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of ⟨key, subkey⟩ pairs, e.g., ⟨domain, subdomain⟩, a distinct heavy hitter (dHH) is a key that is paired with a large number of different subkeys. Our dHH algorithms are considerably more practical than previous algorithms. Specifically, the new fixed-size algorithms are simple to code and have asymptotically optimal space-accuracy tradeoffs. In addition, we introduce a new measure, a combined heavy hitter (cHH), which is a key with a large combination of distinct and classic weights. Efficient algorithms are also presented for cHH. Finally, we perform extensive experimental evaluation on real DNS attack traces, demonstrating the effectiveness of both our algorithms and our DNS malicious queries identification system.
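The distinction the abstract draws between a classic HH and a dHH is easiest to see on a concrete stream. The following is an added worked example, not code from the paper or its authors: it runs over a constructed stream of ⟨domain, subdomain⟩ pairs in which one domain receives many queries for a couple of subdomains (a classic HH only) and another receives a single query each for many never-repeating subdomains (a dHH, the pattern a random-subdomain flood produces). The per-key distinct counter is a standard k-minimum-values (KMV) sketch, chosen here because it is fixed-size; it is not the paper's dHH algorithm. The cHH score below combines the two weights as a convex combination, which is an assumption, since the abstract does not state how the weights are combined. All names and counts in the stream are made up.

```python
"""Classic HH vs. distinct HH over a stream of (domain, subdomain) pairs.

Added illustrative code, not the paper's algorithms. The fixed-size distinct
counter is a standard KMV sketch; the cHH combination rule is assumed.
"""
import hashlib
from bisect import bisect_left, insort
from collections import defaultdict

# Constructed sample stream (made-up domains and counts). Each element is a
# (key, subkey) pair, i.e. (queried domain, subdomain label).
SAMPLE_STREAM = (
    [("popular.example", "www")] * 40            # many queries, 2 subdomains
    + [("popular.example", "mail")] * 20
    + [("victim.example", f"x{i:04d}") for i in range(50)]  # 50 distinct subdomains
    + [("quiet.example", "www")] * 3
)


def classic_heavy_hitters(stream, threshold):
    """Classic HH: keys that appear in at least `threshold` elements (exact count)."""
    counts = defaultdict(int)
    for key, _subkey in stream:
        counts[key] += 1
    return {k: c for k, c in counts.items() if c >= threshold}


def _unit_hash(value):
    """Map a string to a pseudo-uniform float in [0, 1) from a SHA-256 prefix."""
    digest = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


class KMVSketch:
    """k-minimum-values distinct counter.

    Keeps only the k smallest distinct hash values seen, so memory per key is
    bounded by k no matter how many distinct subkeys arrive.
    """

    def __init__(self, k=64):
        self.k = k
        self.mins = []  # sorted, at most k distinct hash values

    def add(self, subkey):
        h = _unit_hash(subkey)
        idx = bisect_left(self.mins, h)
        if idx < len(self.mins) and self.mins[idx] == h:
            return  # duplicate subkey: distinct count unchanged
        if len(self.mins) < self.k:
            insort(self.mins, h)
        elif h < self.mins[-1]:
            self.mins.pop()
            insort(self.mins, h)

    def estimate(self):
        # Fewer than k distinct values seen: the count is exact.
        # Otherwise apply the standard KMV estimator (k - 1) / (k-th smallest hash).
        if len(self.mins) < self.k:
            return float(len(self.mins))
        return (self.k - 1) / self.mins[-1]


def distinct_heavy_hitters(stream, threshold, k=64):
    """dHH: keys paired with at least `threshold` distinct subkeys (KMV estimate)."""
    sketches = defaultdict(lambda: KMVSketch(k))
    for key, subkey in stream:
        sketches[key].add(subkey)
    return {key: s.estimate() for key, s in sketches.items() if s.estimate() >= threshold}


def combined_heavy_hitters(stream, threshold, alpha=0.5, k=64):
    """cHH with an ASSUMED combination rule: alpha*distinct + (1-alpha)*classic.

    The abstract only says a cHH combines distinct and classic weights; the
    exact rule is not given there, so this convex combination is a placeholder.
    """
    counts = defaultdict(int)
    sketches = defaultdict(lambda: KMVSketch(k))
    for key, subkey in stream:
        counts[key] += 1
        sketches[key].add(subkey)
    scores = {key: alpha * sketches[key].estimate() + (1 - alpha) * counts[key]
              for key in counts}
    return {key: s for key, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    print("classic HH  :", classic_heavy_hitters(SAMPLE_STREAM, threshold=50))
    print("distinct HH :", distinct_heavy_hitters(SAMPLE_STREAM, threshold=20))
    print("combined HH :", combined_heavy_hitters(SAMPLE_STREAM, threshold=30))
```

On the constructed stream, `popular.example` is a classic HH (60 queries) but not a dHH (2 subdomains), while `victim.example` is both (50 queries spread over 50 distinct subdomains). A detector keyed on classic counts alone would rank the two the same way; only the distinct count separates the flood from ordinary popularity. With k=64 the sketch holds fewer than k values for every key here, so its estimates are exact; on a real trace the per-key memory stays at k hashes while the estimate becomes approximate.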
Original language: English
Number of pages: 9
Journal: arXiv preprint arXiv:1612.02636
Publication status: Published online (preprint) - 2016

