Collaborative anomaly-based detection of large-scale internet attacks

The Internet infrastructure and Internet-based business today still suffer from various attacks like Distributed Denial-of-Service (DDoS) attacks or worm propagations. A necessary first step in order to cope with such large-scale attacks is to provide an Internet-wide detection of such ongoing attacks, i.e., a detection that is not limited to single detection systems only. Therefore, collaborative detection systems were developed in the past. They, however, often rely on close trust relationships, which only rarely are available in the Internet. This means that the scope of detection is limited to only a small part of the Internet, mostly to a single administrative domain. This paper, therefore, introduces our newly developed collaborative attack detection that facilitates collaboration beyond domain boundaries without requiring close trust relationships. In-network detection systems are explicitly considered, too. Such systems are located on routers in the core of the Internet and are characterized by limited resources available for detection. Finally, a detailed simulative evaluation of our proposed solution is presented.