Title :
Change-point monitoring for the detection of DoS attacks
Author :
Wang, Haining ; Zhang, Danlu ; Shin, Kang G.
Author_Institution :
Dept. of Comput. Sci., Coll. of William & Mary, Williamsburg, VA
Abstract :
This paper presents a simple and robust mechanism, called change-point monitoring (CPM), to detect denial of service (DoS) attacks. The core of CPM is based on the inherent network protocol behavior and is an instance of the sequential change point detection. To make the detection mechanism insensitive to sites and traffic patterns, a nonparametric cumulative sum (CUSUM) method is applied, thus making the detection mechanism robust, more generally applicable, and its deployment much easier. CPM does not require per-flow state information and only introduces a few variables to record the protocol behaviors. The statelessness and low computation overhead of CPM make itself immune to any flooding attacks. As a case study, the efficacy of CPM is evaluated by detecting a SYN flooding attack - the most common DoS attack. The evaluation results show that CPM has short detection latency and high detection accuracy
Keywords :
Internet; monitoring; protocols; security of data; telecommunication security; telecommunication traffic; CUSUM algorithm; DoS attack detection; SYN flooding attack; change-point monitoring; denial of service attacks; flooding attack immunity; high detection accuracy; intrusion detection; low computation overhead; network protocol behavior; nonparametric cumulative sum method; robust detection mechanism; sequential change point detection; short detection latency; traffic pattern; Computer crime; Floods; IP networks; Intrusion detection; Monitoring; Protocols; Robustness; Telecommunication traffic; Traffic control; Web and internet services; DoS attacks; Index Terms- CUSUM algorithm; intrusion detection; protocol behavior.;
Journal_Title :
Dependable and Secure Computing, IEEE Transactions on
DOI :
10.1109/TDSC.2004.34
