• Journal of Internet Computing and Services
    ISSN 2287 - 1136 (Online) / ISSN 1598 - 0170 (Print)
    https://jics.or.kr/

Research on DNS DRDoS Detection Methods Using CNN


Hoon Shin, Jaeyeong Jeong, Kyu-min Cho, Jae-il Lee, Dong-kyoo Shin, Journal of Internet Computing and Services, Vol. 25, No. 6, pp. 131-145, Dec. 2024
DOI: 10.7472/jksii.2024.25.6.131
Keywords: AI Security, Artificial intelligence, Machine Learning, Deep Learning, CNN, DDoS, DrDoS, image processing, Image Classification

Abstract

Domain Name System (DNS) amplification Distributed Reflection Denial of Service (DRDoS) is a type of Distributed Denial of Service (DDoS) attack in which multiple hosts spoof the source IP to that of the target system and send requests to DNS servers. As a result, the response packets flood the target system. The attacker conceals the origin of the attack, making it difficult to identify the attacker or detect abnormal packets. Additionally, legitimate DNS servers are often used as attack agents. Since User Datagram Protocol (UDP) is used in these attacks, it is challenging to detect anomalies based on session protocols, as is done in Transmission Control Protocol (TCP)-based DDoS attacks. In this paper, we propose a method for detecting DNS amplification DRDoS attacks by converting attack packets into images and training a Convolutional Neural Network (CNN) to recognize these attacks. Although this method may have a lower detection rate compared to approaches that extract and learn specific DDoS characteristics from packets, it offers the advantage of faster detection due to the omission of the data preprocessing step. Given the nature of DDoS attacks, where real-time response is often more critical than achieving near-perfect detection accuracy, this faster detection capability can be particularly valuable in practical scenarios.
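
The packet-to-image step described in the abstract, as an added illustration that is not the authors' code. The abstract does not give the paper's encoding, so the 32x32 grayscale layout, the zero padding and truncation, the helper names, and the constructed DNS messages are all assumptions.

```python
import struct

SIDE = 32  # assumed image side length; the abstract does not give the paper's value

def build_dns_message(qname, qtype, answers=()):
    """Build a minimal DNS message; a non-empty `answers` makes it a response."""
    flags = 0x8180 if answers else 0x0100  # QR+RD+RA for a response, RD for a query
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    body = name + struct.pack("!HH", qtype, 1)  # question: QNAME, QTYPE, QCLASS=IN
    for rdata in answers:
        # 0xC00C is a compression pointer to the question name at offset 12
        body += struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rdata)) + rdata
    return header + body

def packet_to_image(payload, side=SIDE):
    """Map raw bytes to a side x side grayscale grid (row-major, values in [0, 1]).

    Short payloads are zero-padded and long ones truncated, so every packet
    gives the same input shape without any per-field feature extraction.
    """
    n = side * side
    buf = payload[:n].ljust(n, b"\x00")
    return [[buf[r * side + c] / 255.0 for c in range(side)] for r in range(side)]

# Constructed samples (not captured traffic): a TXT query and a large TXT response.
TXT = 16
QUERY = build_dns_message("example.com", TXT)
RESPONSE = build_dns_message("example.com", TXT, answers=[bytes([200]) + b"A" * 200] * 8)

if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("response", RESPONSE)):
        img = packet_to_image(pkt)
        used = min(len(pkt), SIDE * SIDE)
        print(f"{label}: {len(pkt)} bytes -> {len(img)}x{len(img[0])} image, "
              f"{used} bytes kept, {len(pkt) - used} truncated")
```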



Cite this article
[APA Style]
Shin, H., Jeong, J., Cho, K., Lee, J., & Shin, D. (2024). Research on DNS DRDoS Detection Methods Using CNN. Journal of Internet Computing and Services, 25(6), 131-145. DOI: 10.7472/jksii.2024.25.6.131.

[IEEE Style]
H. Shin, J. Jeong, K. Cho, J. Lee, D. Shin, "Research on DNS DRDoS Detection Methods Using CNN," Journal of Internet Computing and Services, vol. 25, no. 6, pp. 131-145, 2024. DOI: 10.7472/jksii.2024.25.6.131.

[ACM Style]
Hoon Shin, Jaeyeong Jeong, Kyu-min Cho, Jae-il Lee, and Dong-kyoo Shin. 2024. Research on DNS DRDoS Detection Methods Using CNN. Journal of Internet Computing and Services, 25, 6, (2024), 131-145. DOI: 10.7472/jksii.2024.25.6.131.