An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition

Bibliographic Details
Published in: Computers & Security, 2004-10, Vol. 23 (7), p. 549-558
Main Author: Li, Ming
Format: Article
Language: eng
Description
Summary: In the area of intrusion detection, reliable detection remains a challenging issue, as stated by Kemmerer and Vigna (Suppl IEEE Comput (IEEE Secur Priv) 35(4) (2002) 28): "The challenge is to develop a system that detects close to 100% of attacks with minimal false positives. We are still far from achieving this goal." Hence, reliable detection of distributed denial-of-service (DDOS) attacks is worth studying. By reliable detection, we mean that signs of attacks can be identified with a predetermined detection probability and false alarm probability. This paper focuses on reliable detection of DDOS flood attacks by identifying patterns of traffic with long-range dependence (LRD). In this respect, there are three fundamental issues in theory and practice:

• What statistical feature of traffic should be used for pattern recognition?
• How should the distributions of identification probability, false alarm probability and miss probability be represented?
• How can decision-making with high identification probability, low false alarm probability and low miss probability be assured?

This paper gives a statistical detection scheme based on identifying abnormal variations of LRD traffic time series. The representations of the three probability distributions mentioned above are given and a decision-making region is explained. With this region, one can know what the identification (or false alarm, or miss) probability is for capturing signs of DDOS flood attacks. The significance of a decision-making region is that it provides a guideline for setting an appropriate threshold value so as to assure high identification probability, low false alarm probability and low miss probability. A case study is demonstrated.
ISSN: 0167-4048, 1872-6208