• DocumentCode
    2777438
  • Title
    Time series models and its relevance to modeling TCP SYN based DoS attacks
  • Author
    James, Cyriac ; Murthy, Hema A.
  • Author_Institution
    Dept. of Comput. Sci. & Eng., Indian Inst. of Technol. Madras, Chennai, India
  • fYear
    2011
  • fDate
    27-29 June 2011
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Denial of Service (DoS) attacks are extensively modeled using linear time series models. But the effectiveness of these models is seldom established in the literature. In particular, properties like stationarity, stability and adequacy of the proposed model are not verified. This paper is an attempt to establish the relevance of linear time series models for detecting TCP SYN-based DoS attacks, by analysing the network traffic at an edge router for three months. In the first part of the paper, higher order statistics of the difference between incoming SYN packets and outgoing SYN/ACK packets (called the half-open count), accumulated over a sampling interval, are studied in detail. It is found that the half-open time series is unstable and non-stationary. In the second part of the paper, two different transformations on the half-open time series are studied, namely differencing and averaging. It is observed that averaging pushes the process further towards instability, while differencing brings the process back to stability. Further, differencing is found to be appropriate for the detection of SYN attacks using a linear time series model, specifically the Auto-Regressive (AR) model. Since the AR model is built on the difference series, it can also be called an Auto-Regressive Integrated (ARI) model. The proposed model is tested for its adequacy by analysing the autocorrelation of the residual prediction error and through an N-fold cross validation. Low-rate SYN attacks of the order of 10 to 20 SYN/second are simulated and studied.
  • Keywords
    autoregressive processes; telecommunication congestion control; time series; transport protocols; DoS attacks; SYN/ACK packets; TCP SYN; auto-regressive integrated model; auto-regressive model; autocorrelation; denial of service attacks; linear time series model; network traffic; Analytical models; Computational modeling; Computer crime; Correlation; Predictive models; Stability analysis; Time series analysis; Auto-Regressive (AR) Model; Linear Time Series Models; Stability; Stationarity; Statistical Characterisation; TCP SYN Denial of Service (DoS) Attack; Traffic Modeling
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Next Generation Internet (NGI), 2011 7th EURO-NGI Conference on
  • Conference_Location
    Kaiserslautern
  • Print_ISBN
    978-1-4577-0915-9
  • Electronic_ISBN
    978-1-4577-0916-6
  • Type
    conf
  • DOI
    10.1109/NGI.2011.5985951
  • Filename
    5985951