
HTTPS DDoS Detection: State of the Research


Source: https://jyx.jyu.fi/bitstream/handle/123456789/52275/1/URN%3ANBN%3Afi%3Ajyu-201612125051.pdf

The related literature is summarized below (ID, authors and year, title, database, and the last column's flag as given in the source):

ID | Authors (year) | Title | Database | Flag
S1 | Eliseev and Gurina (2016) | Algorithms for network server anomaly behavior detection without traffic content inspection | ACM | 1
S2 | Zolotukhin et al. (2016b) | Weighted Fuzzy Clustering for Online Detection of Application DDoS Attacks in Encrypted Network Traffic | Scopus | 1
S3 | Zolotukhin et al. (2016a) | Increasing Web Service Availability by Detecting Application-Layer DDoS Attacks in Encrypted Traffic | IEEE, Scopus | 1
S4 | Zolotukhin et al. (2015) | Data Mining Approach for Detection of DDoS Attacks Utilizing SSL/TLS Protocol | Scopus | 1
S5 | Petiz et al. (2014) | Detecting DDoS Attacks at the Source Using Multiscaling Analysis | IEEE | 1
S6 | Wang et al. (2015) | DDoS attack protection in the era of cloud computing and Software-Defined Networking | ScienceDirect | 1
S7 | Hoeve (2013) | Detecting Intrusions in Encrypted Control Traffic | ACM | 1
S8 | Amoli and Hämäläinen (2013) | A Real Time Unsupervised NIDS for Detecting Unknown and Encrypted Network Attacks in High Speed Network | IEEE | 1
S9i | Das, Sharma, and Bhattacharyya (2011) | Detection of HTTP Flooding Attacks in Multiple Scenarios | ACM | 0
S10i | Shiaeles et al. (2012) | Real time DDoS detection using fuzzy estimators | ScienceDirect | 0
S11 | Chen, Chen, and Delis (2007) | An Inline Detection and Prevention Framework for Distributed Denial of Service Attacks | Scopus | 1
S12i | Lee et al. (2008) | DDoS attack detection method using cluster analysis | ScienceDirect | 0
S13i | Caulkins, Lee, and Wang (2005) | A Dynamic Data Mining Technique for Intrusion Detection Systems | ACM | 0
S14 | Abimbola, Shi, and Merabti (2003) | NetHost-Sensor: A Novel Concept in Intrusion Detection Systems | IEEE | 0

Detection methods for encrypted traffic:

Table 11. Detection methods in encrypted networks from included studies

Study | Detection method | Strategy | Features
[S1] | Correlation functions & MLP | Statistical analysis & classification | Server response rate metrics
[S2] | Fuzzy c-means | Fuzzy clustering | Statistics and data from packet headers
[S3] | Single-linkage, K-means, fuzzy c-means, SOM, DBSCAN & SAE | Classification (NN) & clustering | Statistics and data from packet headers
[S4] | DBSCAN, K-means, k-NN, SOM, SVDD | Clustering | Packet header statistics
[S5] | Multiscaling analysis | Statistical analysis | Number of packets & average energy per timescale
[S6] | Probabilistic inference graphical model | Bayesian networks | Chow-Liu algorithm for feature decision
[S7] | Edit-distance-based searching | Statistical analysis & clustering | Time, size and direction of the packet
[S8] | DBSCAN | Statistical analysis & clustering | Packet header and flow data in different resolutions
[S11] | Signatures & stateful protocol analysis | Signature & stateful protocol analysis | TCP, UDP and ICMP packet headers and statistics as well as payload
[S14] | Snort signatures | Signature & system call sequence analysis | Packet payload

Detection methods from non-encrypted traffic research:

Table 12. Applicable methods from non-encrypted research in included studies

Study | Detection method | Strategy | Features
[S9i] | Statistical analysis, pattern disagreement and projected clustering | Statistical analysis and clustering | TCP header data & packet rate per interval
[S10i] | Fuzzy estimator | Statistical analysis | Mean time between network packets
[S12i] | Hierarchical clustering | Clustering | TCP header information & number of packets
[S13i] | Classification tree | Classification | TCP header data

Detailed analysis:

[S1] Eliseev and Gurina (2016) use correlation functions of the data block size and the number of packets per time unit observed at the web server. They train on long time intervals, i.e. three weeks of real data. They propose two algorithms. The first computes the Pearson correlation coefficient between the cross-correlation functions of a similar time interval in the current and training sets. The second algorithm uses a multilayer perceptron (MLP) trained with the Levenberg-Marquardt algorithm to reconstruct the current cross-correlation functions; a threshold on the reconstruction error determines whether a function is anomalous. They state that these algorithms can easily be implemented as a lightweight DDoS HIDS in IoT devices. The method uses both statistical analysis and classification.
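The first S1 algorithm, as an added worked example (this is not code from the thesis or from Eliseev and Gurina): a normalised cross-correlation function between packets per interval and mean data block size is computed over a training window and over the current window, and the Pearson coefficient between the two functions is the anomaly score. Everything concrete is an assumption of this example: the per-hour observations are constructed with a seeded generator, the lag range 0..12 hours, the 0.8 operating threshold, and the attack model (a burst of tiny requests that raises packet counts while collapsing the mean block size).

```python
import math
import random
from typing import List, Sequence, Tuple

Window = Tuple[List[float], List[float]]   # (packets per interval, mean block size per interval)

ATTACK_PACKET_BYTES = 60.0   # assumed size of a flood request; not a value from the page
THRESHOLD = 0.8              # assumed operating point; S1 derives its threshold from training data


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient of two equal-length sequences (0.0 if either is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def cross_correlation(x: Sequence[float], y: Sequence[float], max_lag: int) -> List[float]:
    """Normalised cross-correlation r_xy(lag) for lag = 0..max_lag: how the packet count at
    interval i relates to the block size at interval i+lag."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0.0 or sy == 0.0:
        return [0.0] * (max_lag + 1)
    return [sum((x[i] - mx) * (y[i + lag] - my) for i in range(n - lag)) / (sx * sy)
            for lag in range(max_lag + 1)]


def synth_window(seed: int, attack: bool = False, hours: int = 48) -> Window:
    """Constructed per-hour observations (assumption of this example, not real data).
    Normal traffic follows a diurnal curve in which busier hours also move larger blocks.
    With attack=True a 12-hour flood of tiny requests is mixed in during hours 30..41, so
    the packet count jumps while the mean block size of the mix collapses."""
    rng = random.Random(seed)
    packets, blocks = [], []
    for h in range(hours):
        phase = 2 * math.pi * h / 24
        p = 100 + 40 * math.sin(phase) + rng.uniform(-5, 5)        # packets this hour
        b = 1500 + 400 * math.sin(phase) + rng.uniform(-50, 50)    # mean block size (bytes)
        a = 5000.0 if (attack and 30 <= h < 42) else 0.0           # flood packets this hour
        if a:
            b = (p * b + a * ATTACK_PACKET_BYTES) / (p + a)        # mean block size of the mix
            p = p + a
        packets.append(p)
        blocks.append(b)
    return packets, blocks


def anomaly_score(train: Window, current: Window, max_lag: int = 12) -> float:
    """Pearson coefficient between the training and current cross-correlation functions.
    Close to 1 means the current interval behaves like the training interval; low is anomalous."""
    ccf_train = cross_correlation(train[0], train[1], max_lag)
    ccf_cur = cross_correlation(current[0], current[1], max_lag)
    return pearson(ccf_train, ccf_cur)


def is_anomalous(train: Window, current: Window, threshold: float = THRESHOLD) -> bool:
    return anomaly_score(train, current) < threshold


if __name__ == "__main__":
    train = synth_window(seed=1)
    print("normal window score:", round(anomaly_score(train, synth_window(seed=2)), 3))
    print("attack window score:", round(anomaly_score(train, synth_window(seed=3, attack=True)), 3))
```

Because only counts and sizes per interval are used, the detector never needs to see plaintext, which is what makes the approach applicable to HTTPS traffic. Note that the current window must cover a "similar" time interval to the training window (same time of day and week), otherwise the diurnal shape alone will move the score.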

[S2] Zolotukhin et al. (2016b) propose a method for detecting DDoS attacks in encrypted network traffic in both the offline and the online case using the fuzzy c-means clustering algorithm. They train the system with flow information such as conversation length, packet velocity, packet size averages, and flags. They build feature vectors from this information, normalizing the values with min-max normalization. They have two different versions of the algorithm: an online and an offline version. The tests of the method are conducted using the Realistic Global Cyber Environment (RGCE), where the attacks can be simulated as realistically as possible. Slowloris, SSLsqueeze, and some advanced DDoS attacks were tested, and they found that the trivial cases such as Slowloris and SSLsqueeze were detected nearly 100% of the time, whereas the advanced DDoS attacks reached only 70% accuracy when keeping false positives to a minimum. The categorical classification of this method is clustering. [S3] Zolotukhin et al. (2016a) study application-layer DDoS attacks in encrypted network traffic employing hierarchical, centroid- and density-based clustering algorithms and ....
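The offline-training / online-scoring pipeline described for S2, as an added example that is not code from the thesis or from Zolotukhin et al.: per-flow feature vectors are min-max normalised with ranges fitted on training flows only, fuzzy c-means learns cluster centroids, and a new flow is scored by its distance to the nearest centroid. Assumptions of this example: the four features (conversation length in seconds, packets per second, mean packet size in bytes, and the "flags" feature modelled as the fraction of packets carrying PSH), the constructed training flows, the maximin centroid initialisation, and the decision rule (distance beyond 1.5 times the largest training distance to a centroid), which the page does not specify for S2.

```python
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]   # [duration_s, packets_per_s, mean_packet_bytes, psh_fraction]


# --- min-max normalisation, fitted on training flows only ---------------------------
def fit_min_max(rows: Sequence[Vector]) -> Tuple[Vector, Vector]:
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]


def normalise(row: Vector, lo: Vector, hi: Vector) -> Vector:
    # a feature that was constant in training maps to 0 instead of dividing by zero
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# --- fuzzy c-means -----------------------------------------------------------------
def memberships(x: Vector, centroids: Sequence[Vector], m: float) -> Vector:
    """Standard FCM membership update: u_j = 1 / sum_k (d_j / d_k)^(2/(m-1))."""
    d = [euclid(x, v) for v in centroids]
    if 0.0 in d:                                   # x sits exactly on a centroid
        return [1.0 if di == 0.0 else 0.0 for di in d]
    expo = 2.0 / (m - 1.0)
    return [1.0 / sum((d[j] / d[k]) ** expo for k in range(len(d))) for j in range(len(d))]


def fuzzy_c_means(data: Sequence[Vector], c: int, m: float = 2.0,
                  max_iter: int = 200, tol: float = 1e-7) -> Tuple[List[Vector], List[Vector]]:
    """Returns (centroids, membership matrix). Deterministic maximin initialisation
    (first point, then the point farthest from the chosen centroids) is an assumption."""
    centroids = [list(data[0])]
    while len(centroids) < c:
        centroids.append(list(max(data, key=lambda p: min(euclid(p, v) for v in centroids))))
    dims = len(data[0])
    U: List[Vector] = []
    for _ in range(max_iter):
        U = [memberships(x, centroids, m) for x in data]
        new = []
        for j in range(c):
            w = [u[j] ** m for u in U]
            total = sum(w)
            new.append([sum(wi * x[k] for wi, x in zip(w, data)) / total for k in range(dims)])
        moved = max(euclid(a, b) for a, b in zip(centroids, new))
        centroids = new
        if moved < tol:
            break
    return centroids, U


# --- detector: offline training, online scoring ------------------------------------
class FlowClusterDetector:
    def __init__(self, training_flows: Sequence[Vector], c: int = 2, m: float = 2.0, slack: float = 1.5):
        self.lo, self.hi = fit_min_max(training_flows)
        data = [normalise(f, self.lo, self.hi) for f in training_flows]
        self.centroids, _ = fuzzy_c_means(data, c, m)
        # radius (assumed rule): slack times the largest training distance to the nearest centroid
        self.radius = slack * max(min(euclid(x, v) for v in self.centroids) for x in data)

    def score(self, flow: Vector) -> float:
        x = normalise(flow, self.lo, self.hi)
        return min(euclid(x, v) for v in self.centroids)

    def is_attack(self, flow: Vector) -> bool:
        return self.score(flow) > self.radius


def synth_training_flows(seed: int = 7, n_per_class: int = 20) -> List[Vector]:
    """Constructed benign flows (an assumption of this example): short interactive page
    loads and longer bulk downloads."""
    rng = random.Random(seed)
    flows: List[Vector] = []
    for _ in range(n_per_class):
        flows.append([rng.uniform(0.2, 2.0), rng.uniform(10, 40), rng.uniform(400, 900), rng.uniform(0.4, 0.6)])
    for _ in range(n_per_class):
        flows.append([rng.uniform(20, 60), rng.uniform(50, 100), rng.uniform(1300, 1500), rng.uniform(0.85, 0.95)])
    return flows


if __name__ == "__main__":
    det = FlowClusterDetector(synth_training_flows())
    page_load = [0.8, 25.0, 650.0, 0.5]          # constructed benign flow
    slow_drip = [240.0, 0.1, 40.0, 0.02]         # constructed long, slow, header-only flow
    print("radius:", round(det.radius, 3))
    print("page load :", round(det.score(page_load), 3), det.is_attack(page_load))
    print("slow drip :", round(det.score(slow_drip), 3), det.is_attack(slow_drip))
```

Two points matter in practice: the min-max ranges must be fitted on training data and then frozen, so that an online flow far outside the training range (here a 240-second conversation) normalises to a value well beyond 1 and stands out; and the soft memberships from fuzzy c-means only feed the centroid update, while the online decision still needs an explicit distance rule, which is the part that trades false positives against recall on the "advanced" attacks the paper reports at 70%.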

TODO
