Efficient distinct heavy hitters for DNS DDoS attack detection

Yehuda Afek, Anat Bremler-Barr, Edith Cohen, Shir Landau Feibish, Michal Shagam

Research output: Contribution to journal › Article › Peer-reviewed


Motivated by a recent new type of randomized Distributed Denial of Service (DDoS) attack on the Domain Name Service (DNS), we develop novel and efficient distinct heavy hitter algorithms and build an attack identification system that uses them. Heavy hitter detection in streams is a fundamental problem with many applications, including detecting certain DDoS attacks and anomalies. A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) that appears in many elements (e.g., requests). When stream elements consist of ⟨key, subkey⟩ pairs, e.g., ⟨domain, subdomain⟩, a distinct heavy hitter (dHH) is a key that is paired with a large number of different subkeys. Our dHH algorithms are considerably more practical than previous algorithms. Specifically, the new fixed-size algorithms are simple to code and have asymptotically optimal space-accuracy tradeoffs. In addition, we introduce a new measure, the combined heavy hitter (cHH), which is a key with a large combination of distinct and classic weights. Efficient algorithms are also presented for cHH. Finally, we perform an extensive experimental evaluation on real DNS attack traces, demonstrating the effectiveness of both our algorithms and our DNS malicious query identification system.
Original language: English
Number of pages: 9
Journal: arXiv preprint arXiv:1612.02636
Publication status: E-pub ahead of print - 2016
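As an added worked example (illustration written for this page, not the paper's own code; the paper's fixed-size algorithms are not reproduced here), the sketch below shows the distinction the abstract draws between a classic heavy hitter and a distinct heavy hitter over ⟨domain, subdomain⟩ pairs, using a bottom-k sample of the distinct pairs with a per-domain count of sampled pairs. The sampling scheme, the parameter k, the domain names and request mix in the constructed stream, and the linear form of the combined score are all assumptions of this example; the abstract does not fix how distinct and classic weights are combined.

```python
"""Fixed-size distinct-heavy-hitter (dHH) sketch over <domain, subdomain> pairs.

Added illustration, not the paper's algorithm.  It keeps a bottom-k sample of
the distinct <key, subkey> pairs seen so far (the k pairs with the smallest
hash values) plus, per key, the number of sampled pairs.  The number of
distinct subkeys of a key is estimated as count / tau, where tau is the
largest hash in the sample, so memory is O(k) regardless of stream length.
"""
import hashlib
import heapq
from collections import Counter


def _unit_hash(key: str, subkey: str) -> float:
    """Map a <key, subkey> pair to a pseudo-uniform value in (0, 1]."""
    digest = hashlib.blake2b(f"{key}\x00{subkey}".encode(), digest_size=8).digest()
    return (int.from_bytes(digest, "big") + 1) / 2 ** 64


class DistinctHeavyHitters:
    def __init__(self, k: int = 512):
        self.k = k
        self.sample = {}          # (key, subkey) -> hash, the k smallest hashes seen
        self.heap = []            # max-heap (negated hashes) over self.sample
        self.dcount = Counter()   # key -> number of sampled pairs with that key
        self.total = Counter()    # key -> classic request count (kept exact here)

    def tau(self) -> float:
        """Sampling threshold: 1.0 while the sample is not full, else max hash."""
        if len(self.sample) < self.k:
            return 1.0
        return -self.heap[0][0]

    def add(self, key: str, subkey: str) -> None:
        self.total[key] += 1
        pair = (key, subkey)
        if pair in self.sample:   # repeat of a sampled pair: no new distinct subkey
            return
        h = _unit_hash(key, subkey)
        if len(self.sample) >= self.k:
            if h >= self.tau():   # threshold only shrinks, so evicted pairs never return
                return
            _, old = heapq.heappop(self.heap)   # evict the largest-hash pair
            del self.sample[old]
            self.dcount[old[0]] -= 1
        self.sample[pair] = h
        heapq.heappush(self.heap, (-h, pair))
        self.dcount[key] += 1

    def estimate(self, key: str) -> float:
        """Estimated number of distinct subkeys of `key` (exact while not full)."""
        return self.dcount[key] / self.tau()

    def top(self, n: int = 3):
        """Keys ranked by estimated distinct subkeys: the dHH candidates."""
        keys = [k for k, c in self.dcount.items() if c > 0]
        return sorted(((k, self.estimate(k)) for k in keys), key=lambda kv: -kv[1])[:n]

    def combined_score(self, key: str, alpha: float = 0.5) -> float:
        """Assumed cHH score: a linear mix of distinct and classic weights."""
        return alpha * self.estimate(key) + (1 - alpha) * self.total[key]


def build_demo(k: int = 512) -> DistinctHeavyHitters:
    """Constructed stream: a busy legitimate zone, one hot record, and a
    random-subdomain flood against a single victim zone (all names made up)."""
    sk = DistinctHeavyHitters(k)
    for i in range(50):                      # 50 subdomains, 40 queries each
        for _ in range(40):
            sk.add("example.com", f"host{i}")
    for _ in range(3000):                    # classic HH, but only 1 distinct subkey
        sk.add("cdn.example.net", "static")
    for i in range(2000):                    # 2000 pseudo-random labels, once each
        sk.add("victim.example", f"{i:08x}")
    return sk


if __name__ == "__main__":
    sk = build_demo()
    print("sample size:", len(sk.sample), "tau:", round(sk.tau(), 4))
    for key, est in sk.top():
        print(f"{key:18s} distinct~{est:8.1f}  requests={sk.total[key]:5d}"
              f"  combined={sk.combined_score(key):8.1f}")
```

The hot record `cdn.example.net` dominates by request count but contributes at most one sampled pair, while the flooded zone holds roughly k·2000/2051 of the sample and is reported as the dHH; the estimate is unbiased up to the usual bottom-k caveat that the pair sitting exactly at tau is counted.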
