Accepted author manuscript, 1.56 MB, PDF document
Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License
Final published version
Research output: Contribution to Journal/Magazine › Journal article › peer-review
TY - JOUR
T1 - BCDM
T2 - An Early-Stage DDoS Incident Monitoring Mechanism Based on Binary-CNN in IPv6 Network
AU - Wang, Yufu
AU - Wang, Xingwei
AU - Ni, Qiang
AU - Yu, Wenjuan
AU - Huang, Min
PY - 2024/10/31
Y1 - 2024/10/31
N2 - The rapid adoption of IPv6 has increased network access scale while also escalating the threat of Distributed Denial of Service (DDoS) attacks. By the time a DDoS attack is recognized, the overwhelming volume of attack traffic has already made mitigation extremely difficult. Therefore, continuous network monitoring is essential for early warning and defense preparation against DDoS attacks, requiring both sensitive perception of network changes when a DDoS attack occurs and reduced monitoring overhead to adapt to network resource constraints. In this paper, we propose a novel DDoS incident monitoring mechanism that uses macro-level network traffic behavior as a monitoring anchor to detect subtle malicious behavior indicative of the presence of DDoS traffic in the network. This behavior feature can be abstracted from our designed traffic matrix sample by aggregating continuous IPv6 traffic. Compared to IPv4, the fixed-length header of IPv6 allows more efficient packet parsing in preprocessing. As the decision core of monitoring, we construct a lightweight Binary Convolution DDoS Monitoring (BCDM) model, compressed by binarized convolutional filters and hierarchical pooling strategies, which can detect the malicious behavior abstracted from the input traffic matrix if DDoS traffic is involved, thereby signaling an ongoing DDoS attack. Experiments on an IPv6 replay of CIC-DDoS2019 show that BCDM, being lightweight in terms of parameter quantity and computational complexity, achieves monitoring accuracies of 90.9%, 96.4%, and 100% when DDoS incident intensities are as low as 6%, 10%, and 15%, respectively, significantly outperforming comparison methods.
AB - The rapid adoption of IPv6 has increased network access scale while also escalating the threat of Distributed Denial of Service (DDoS) attacks. By the time a DDoS attack is recognized, the overwhelming volume of attack traffic has already made mitigation extremely difficult. Therefore, continuous network monitoring is essential for early warning and defense preparation against DDoS attacks, requiring both sensitive perception of network changes when a DDoS attack occurs and reduced monitoring overhead to adapt to network resource constraints. In this paper, we propose a novel DDoS incident monitoring mechanism that uses macro-level network traffic behavior as a monitoring anchor to detect subtle malicious behavior indicative of the presence of DDoS traffic in the network. This behavior feature can be abstracted from our designed traffic matrix sample by aggregating continuous IPv6 traffic. Compared to IPv4, the fixed-length header of IPv6 allows more efficient packet parsing in preprocessing. As the decision core of monitoring, we construct a lightweight Binary Convolution DDoS Monitoring (BCDM) model, compressed by binarized convolutional filters and hierarchical pooling strategies, which can detect the malicious behavior abstracted from the input traffic matrix if DDoS traffic is involved, thereby signaling an ongoing DDoS attack. Experiments on an IPv6 replay of CIC-DDoS2019 show that BCDM, being lightweight in terms of parameter quantity and computational complexity, achieves monitoring accuracies of 90.9%, 96.4%, and 100% when DDoS incident intensities are as low as 6%, 10%, and 15%, respectively, significantly outperforming comparison methods.
U2 - 10.1109/tnsm.2024.3431701
DO - 10.1109/tnsm.2024.3431701
M3 - Journal article
VL - 21
SP - 5873
EP - 5887
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
SN - 1932-4537
IS - 5
ER -