DocumentCode
2290967
Title
Application of anomaly detection algorithms for detecting SYN flooding attacks
Author
Siris, Vasilios A. ; Papagalou, Fotini
Author_Institution
Inst. of Comput. Sci., Found. for Res. & Technol. - Hellas, Heraklion, Greece
Volume
4
fYear
2004
fDate
29 Nov.-3 Dec. 2004
Firstpage
2050
Abstract
We investigate statistical anomaly detection algorithms for detecting SYN flooding, which is the most common type of denial of service (DoS) attack. The two algorithms considered are an adaptive threshold algorithm and a particular application of the cumulative sum (CUSUM) algorithm for change point detection. The performance is investigated in terms of the detection probability, the false alarm ratio, and the detection delay. Particular emphasis is on investigating the tradeoffs among these metrics and how they are affected by the parameters of the algorithm and the characteristics of the attacks. Such an investigation can provide guidelines to effectively tune the parameters of the detection algorithm to achieve specific performance requirements in terms of the above metrics.
Keywords
Internet; computer crime; computer network management; probability; CUSUM algorithm; DoS attack; SYN flooding attacks; adaptive threshold algorithm; change point detection; cumulative sum algorithm; denial of service; detection delay; detection probability; false alarm ratio; statistical anomaly detection; Application software; Change detection algorithms; Computer crime; Computer science; Delay; Detection algorithms; Floods; Guidelines; TCPIP; Web and internet services;
fLanguage
English
Publisher
ieee
Conference_Titel
Global Telecommunications Conference, 2004. GLOBECOM '04. IEEE
Print_ISBN
0-7803-8794-5
Type
conf
DOI
10.1109/GLOCOM.2004.1378372
Filename
1378372