Using the TEDA algorithm for anomaly detection in ISP networks with emphasis on DoS / DDoS attacks
DDoS, TEDA, Network Security
A Distributed Denial of Service (DDoS) attack is an organized, distributed packet-sending technique designed to overload network devices and the communication channels between them. Its primary purpose is to prevent legitimate users from accessing networks, servers, services, or other networking features. Although the importance of mechanisms to protect against or mitigate the effects of this type of attack is clear, detecting such attacks correctly remains a challenge because of the dynamics and volume of current communications and network connections. The literature offers many solutions to the problem, but most of them rely on Artificial Intelligence algorithms that learn by training or reinforcement and require features to be extracted from previously collected traffic. Thus, these techniques need to “look back” to understand network traffic, which makes many of them unsuitable for more dynamic and high-traffic environments such as internet service providers. In this dissertation, we propose an approach for detecting DDoS attacks using the Typicality and Eccentricity Data Analytics (TEDA) algorithm. TEDA is a recursive and non-parametric method, first proposed for the general problem of anomaly detection on data streams. Because TEDA is based on the concept of data eccentricity and needs no prior knowledge of the network traffic pattern, we expect it to analyze the traffic currently on the network and reduce detection delay. Thus, TEDA allows one to “look into the present”, i.e. at the data currently being carried, ensuring a more timely detection. This approach is to be evaluated and tested against other related approaches in terms of sensitivity, specificity, false positive rate (FPR) and detection accuracy.
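The abstract describes TEDA only in words: a recursive, non-parametric method that scores each new sample by its eccentricity relative to the data seen so far, with no training phase. The following is an added example (not code from the dissertation) of what that looks like on a univariate traffic feature. It assumes Angelov's published TEDA formulation, namely the recursive mean and variance update, the eccentricity ξ_k = 1/k + (x − μ_k)²/(k·σ_k²), its normalized form ζ = ξ/2, and the Chebyshev-style threshold (m² + 1)/(2k). The feature (packets per second on one interface) and all sample values are constructed for illustration; the dissertation does not state which traffic features it uses.

```python
"""Recursive TEDA anomaly detector over a packets-per-second stream.

Added example, not the dissertation's code. Formulas follow Angelov's TEDA
(recursive mean/variance, eccentricity, Chebyshev-style threshold); the
traffic samples are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TedaDetector:
    """Online detector for a univariate stream; no training, no stored history."""
    m: float = 3.0      # sensitivity: flag samples farther than m sigma from the running mean
    k: int = 0          # samples ingested so far
    mean: float = 0.0   # recursive mean mu_k
    var: float = 0.0    # recursive (population) variance sigma_k^2

    def update(self, x: float) -> Tuple[float, bool]:
        """Ingest one sample and return (normalized eccentricity zeta, is_anomaly)."""
        self.k += 1
        k = self.k
        if k == 1:
            # A single point has nothing to be eccentric against: xi_1 = 1 by convention.
            self.mean, self.var = x, 0.0
            return 1.0, False

        # mu_k = ((k-1)/k) * mu_{k-1} + x_k / k
        self.mean = ((k - 1) / k) * self.mean + x / k
        # sigma_k^2 = ((k-1)/k) * sigma_{k-1}^2 + (x_k - mu_k)^2 / (k-1)
        d2 = (x - self.mean) ** 2
        self.var = ((k - 1) / k) * self.var + d2 / (k - 1)

        # Eccentricity xi_k(x) = 1/k + (x - mu_k)^2 / (k * sigma_k^2); zeta = xi / 2.
        # Guard the degenerate all-identical stream (sigma^2 = 0, so d2 = 0 too).
        xi = 1.0 / k if self.var == 0.0 else 1.0 / k + d2 / (k * self.var)
        zeta = xi / 2.0
        # Anomaly iff zeta > (m^2 + 1) / (2k), equivalent to |x - mu_k| > m * sigma_k.
        threshold = (self.m ** 2 + 1) / (2 * k)
        return zeta, zeta > threshold


def detect(stream: List[float], m: float = 3.0) -> List[int]:
    """Run TEDA over a stream and return the indices flagged as anomalous."""
    det = TedaDetector(m=m)
    return [i for i, x in enumerate(stream) if det.update(x)[1]]


# Constructed one-second packets-per-second counts for a single interface:
# twenty seconds of normal load followed by three seconds of flood-level traffic.
BASELINE = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101,
            99, 102, 100, 98, 101, 100, 103, 99, 97, 100]
FLOOD = [5000, 5200, 4900]
STREAM = BASELINE + FLOOD

if __name__ == "__main__":
    det = TedaDetector()
    for t, pps in enumerate(STREAM):
        zeta, anomalous = det.update(pps)
        mark = "ANOMALY" if anomalous else ""
        print(f"t={t:2d}s pps={pps:5d} mean={det.mean:8.1f} zeta={zeta:.4f} {mark}")
```

Running this flags t=20 and t=21 but not t=22: because the statistics are cumulative, the first two flood samples raise the running mean and variance enough that the third is no longer more than three standard deviations away. That is the flip side of "looking into the present" with no prior model: the onset of a flood is caught immediately, while a sustained flood becomes the new normal unless the detector is reset or paired with a forgetting mechanism.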