DSpace Repository

Faster detection and prediction of DDoS attacks using MapReduce and time series analysis

dc.contributor.author Bhatia, Ashutosh
dc.date.accessioned 2024-10-16T09:21:14Z
dc.date.available 2024-10-16T09:21:14Z
dc.date.issued 2018
dc.identifier.uri https://ieeexplore.ieee.org/abstract/document/8343180
dc.identifier.uri http://dspace.bits-pilani.ac.in:8080/jspui/handle/123456789/16113
dc.description.abstract Security in the Internet is gradually becoming a paramount aspect as large numbers of servers are being deployed over the Internet to provide various automated services. A very prominent attack on the web is Distributed Denial of Service (DDoS) attack which is also being considered as one of the major threats to the recent development in the field of computing such as Cloud Computing and Internet of Things. Despite various attempts to handle a DDoS attack, the problem of the fast detection and prevention of this attack still persists due to the huge amount of processing required on very large sized log files generated for every request and packet sent by a source. The datasets generated during a DDoS attack are voluminous and analyzing them for a possible attack can take hours which could lead to a denial of service to legitimate users and impair system resources adversely. In this paper, we use the Hadoop architecture to facilitate the faster processing of these log files by dividing a log file into multiple smaller chunks and processing each chunk separately over a cluster node in parallel. In addition to the faster detection of a DDoS attack from the log file, we also propose a method for the prediction of abnormal behavior of those sources that are generating packets erratically. The proposed method of prediction is based on time series analysis and further speeds up the process of detecting and blocking of the potential attackers. The proposed approach helps in faster identification of DDoS attacks and blocking of suspicious IPs thereby significantly decreasing the traffic from malicious users. The simulation results obtained reflect the fact that we can detect a DDoS attack in durations as short as five minutes and also block the IPs that could be potentially malicious thereby decreasing the traffic on the server significantly. en_US
dc.language.iso en en_US
dc.publisher IEEE en_US
dc.subject Computer Science en_US
dc.subject Distributed Denial of Service attack en_US
dc.subject DDoS detection en_US
dc.subject Hadoop cluster en_US
dc.subject Time series analysis en_US
dc.title Faster detection and prediction of DDoS attacks using MapReduce and time series analysis en_US
dc.type Article en_US


Files in this item

There are no files associated with this item.
