Anomaly-based Identification of Large-Scale Attacks

Large-scale attacks like Distributed Denial-of-Service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based business. Thus, many attack detection systems using various anomaly detection methods were developed in the past. These detection systems result in a set of anomalies detected by analysis of the traffic behavior. A realtime identification of the attack type that is represented by those anomalies simplifies important tasks like taking countermeasures and visualizing the network state. In addition, an identification facilitates a collaboration of distributed heterogeneous detection systems. In this paper, we first lay the foundations for a generalized identification system by establishing a model of those entities that form anomaly-based attack detection: large-scale attacks, anomalies, and anomaly detection methods. Based on this flexible model, an adaptable and resource-aware system for the identification of large-scale attacks is developed that additionally offers an autonomous processing control.