  • DocumentCode
    2079054
  • Title
    HIDDEN: Hausdorff Distance Based Intrusion Detection Approach DEdicated to Networks
  • Author
    Labit, Yann ; Mazel, Johan
  • Author_Institution
    LAAS-CNRS, Univ. de Toulouse, Toulouse
  • fYear
    2008
  • fDate
    June 29 2008-July 5 2008
  • Firstpage
    11
  • Lastpage
    16
  • Abstract
    DoS attacks represent a big threat for the Internet. While most attack detection techniques are based on passive monitoring of traffic, we propose a detection method, HIDDEN, based on active measurements, the objective being to make possible the real-time detection and classification of DoS attacks, without intrusive probing. The originality of our contribution relies on the use of the entropy function computed from probabilities of time series of measured ICMP request/echo delays. However, the evaluation of the method exhibits a dramatic number of false positives. It has then been enriched by the use of the Hausdorff distance on probabilities of time series, which significantly decreases the number of false positives. In addition, a method for discriminating ICMP attacks from others (TCP/UDP attacks) using icmp_seq has been added. Experiments for evaluating the effectiveness of the approach have been run on the French operational RENATER network, on which artificial attacks have been generated using TFN2K [14]. Results exhibit that TCP, UDP and ICMP DoS attacks have been accurately detected in less than 1 second.
  • Keywords
    Internet; security of data; time series; DoS attacks; Hausdorff distance based intrusion detection; Internet; RENATER network; artificial attacks; attack detection techniques; time series; Computer crime; Delay effects; Entropy; Floods; IP networks; Internet; Intrusion detection; Loss measurement; Monitoring; Time measurement; AQM; NS simulations; cross traffic; fluid flow model of TCP; time delay system;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Internet Monitoring and Protection, 2008. ICIMP '08. The Third International Conference on
  • Conference_Location
    Bucharest
  • Print_ISBN
    978-0-7695-3189-2
  • Electronic_ISBN
    978-0-7695-3189-2
  • Type
    conf
  • DOI
    10.1109/ICIMP.2008.17
  • Filename
    4561320