• DocumentCode
    2430196
  • Title

    D-SAT: detecting SYN flooding attack by two-stage statistical approach

  • Author

    Shin, Seung-Won ; Kim, Ki-Young ; Jang, Jong-Soo

  • Author_Institution
    Electron. & Telecommun. Res. Inst., Taejeon, South Korea
  • fYear
    2005
  • fDate
    31 Jan.-4 Feb. 2005
  • Firstpage
    430
  • Lastpage
    436
  • Abstract
    We propose the D-SAT (detecting SYN flooding attack by two-stage statistical approach) system, a simple and robust approach to detecting SYN flooding attacks by observing network traffic. Instead of managing all ongoing traffic on the network, D-SAT at first monitors only the SYN count and the ratio between SYN and other TCP packets. It then detects SYN flooding and finds victims more accurately in its second stage. To make the detection mechanism robust and easy, D-SAT uses the CUSUM (cumulative sum) approach in SPC (statistical process control) (H. Wang et al., 2002) (D.C. Montgomery, 2001) (D.M. Hawkins et al., 1998). This makes the detection mechanism much more generally applicable and easier to implement. D-SAT also employs AFM (aggregation flow management) for finding victims quickly and accurately. The trace-driven simulation results demonstrate that the D-SAT system is efficient and simple to implement, and prove that it detects SYN flooding accurately and finds attacks in a very short detection time.
  • Keywords
    Internet; authorisation; statistical process control; telecommunication congestion control; telecommunication security; telecommunication traffic; transport protocols; D-SAT system; SYN flooding attack detection; TCP packets; aggregation flow management; cumulative sum; network traffic; statistical approach; statistical process control; Electronic mail; Floods; Network servers; Process control; Protection; Robust control; Robustness; Telecommunication traffic; Web and internet services; Web server;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Applications and the Internet, 2005. Proceedings. The 2005 Symposium on
  • Print_ISBN
    0-7695-2262-9
  • Type

    conf

  • DOI
    10.1109/SAINT.2005.18
  • Filename
    1386144