• DocumentCode
    1834797
  • Title

    Detection of SYN flooding attacks using generalized autoregressive conditional heteroskedasticity (GARCH) modeling technique

  • Author

    Ranjan, Nikhil ; Murthy, Hema A. ; Gonsalves, Timothy A.

  • Author_Institution
    Dept. of Comput. Sci. & Eng., Indian Inst. of Technol. Madras, Chennai, India
  • fYear
    2010
  • fDate
    29-31 Jan. 2010
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    This paper explores a fast and effective method to detect TCP SYN flooding attacks. The generalized autoregressive conditional heteroskedastic (GARCH) model, which is the most commonly used statistical modeling technique for financial time series, is proposed as a new technique for denial-of-service attack detection. The exponential backoff and retransmission property of TCP during timeouts is exploited in the detection mechanism. We are able to detect low- as well as high-intensity SYN flooding attacks by modeling the difference between SYN and SYN+ACK packets using GARCH. Our studies show that this nonlinear volatility model performs better than earlier models like Linear Prediction.
  • Keywords
    autoregressive processes; regression analysis; security of data; transport protocols; SYN flooding attack detection; SYN+ACK packets; TCP SYN flooding attack detection; denial of service attack detection; exponential backoff; generalized autoregressive conditional heteroskedasticity modeling; nonlinear volatility model; retransmission property; statistical modeling technique; Computer crime; Computer science; Context modeling; Floods; Network servers; Paper technology; Predictive models; TCPIP; Telecommunication traffic; Traffic control; GARCH; Heteroskedasticity; TCP SYN flooding;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (NCC), 2010 National Conference on
  • Conference_Location
    Chennai
  • Print_ISBN
    978-1-4244-6383-1
  • Type

    conf

  • DOI
    10.1109/NCC.2010.5430151
  • Filename
    5430151