A Lightweight Detection Using Bloom Filter against Flooding DDoS Attack

Sanghun CHOI  Yichen AN  Iwao SASASE  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E103-D   No.12   pp.2600-2610
Publication Date: 2020/12/01
Publicized: 2020/09/14
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2020EDP7115
Type of Manuscript: PAPER
Category: Information Network
Keyword: 
DDoS attack,  flooding attack,  bloom filter,  

Full Text: PDF(1.6MB)>>
Buy this Article




Summary: 
The flooding DDoS attack is a serious problem these days. In order to detect the flooding DDoS attack, the survival approaches and the mitigation approaches have been investigated. Since the survival approach occurs the burden on the victims, the mitigation approach is mainly studied. As for the mitigation approaches, to detect the flooding DDoS attack, the conventional schemes using the bloom filter, machine learning, and pattern analyzation have been investigated. However, those schemes are not effective to ensure the high accuracy (ACC), the high true positive rate (TPR), and the low false positive rate (FPR). In addition, the data size and calculation time are high. Moreover, the performance is not effective from the fluctuant attack packet per second (pps). In order to effectively detect the flooding DDoS attack, we propose the lightweight detection using bloom filter against flooding DDoS attack. To detect the flooding DDoS attack and ensure the high accuracy, the high true positive rate, and the low false positive rate, the dec-all (decrement-all) operation and the checkpoint are flexibly changed from the fluctuant pps in the bloom filter. Since we only consider the IP address, all kinds of flooding attacks can be detected without the blacklist and whitelist. Moreover, there is no complexity to recognize the attack. By the computer simulation with the datasets, we show our scheme achieves an accuracy of 97.5%. True positive rate and false positive rate show 97.8% and 6.3%, respectively. The data size for processing is much small as 280bytes. Furthermore, our scheme can detect the flooding DDoS attack at once in 11.1sec calculation time.