论文信息 - A novel approach to detection of \denial{of{service" attacks via adaptive sequential and batch{sequential change{point detection methods

A novel approach to detection of \denial{of{service" attacks via adaptive sequential and batch{sequential change{point detection methods

In computer networks, large scale attacks in theirflnalstagescanreadilybeidentifledbyobservingvery abruptchangesinthenetworktra-c,butintheearlystage of an attack, these changes are hard to detect and di-cult todistinguishfromusualtra-c∞uctuations. Inthispaper, wedevelope-cientadaptivesequentialandbatch-sequential methods for an early detection of attacks from the class of \denial{of{service attacks". These methods employ statis- tical analysis of data from multiple layers of the network protocol for detection of very subtle tra-c changes, which are typical for these kinds of attacks. Both the sequential and batch-sequential algorithms utilize thresholding of test statistics to achieve a flxed rate of false alarms. The algo- rithmsaredevelopedonthebasisofthechange-pointdetec- tiontheory: todetectachangeinstatisticalmodelsassoon as possible, controlling the rate of false alarms. There are threeattractivefeaturesoftheapproach. First,bothmeth- odsareself-learning,whichenablesthemtoadapttovarious network loads and usage patterns. Second, they allow for detecting attacks with small average delay for a given false alarm rate. Third, they are computationally simple, and hence,canbeimplementedonline. Theoreticalframeworks for both kinds of detection procedures, as well as results of simulations, are presented.

Alexander G. Tartakovsky | Boris Rozovskii | A. Tartakovsky | B. Rozovskii

[1] Stephen L. Scott,et al. Detecting Network Intrusion Using a Markov Modulated Nonhomogeneous Poisson Process , 2000 .

[2] M. Pollak. Optimal Detection of a Change in Distribution , 1985 .

[3] A. Shiryaev. On Optimum Methods in Quickest Detection Problems , 1963 .

[4] S. Kent,et al. On the trail of intrusions into information systems , 2000 .

[5] E. S. Page. CONTINUOUS INSPECTION SCHEMES , 1954 .

[6] D. Siegmund. Sequential Analysis: Tests and Confidence Intervals , 1985 .

[7] Albert N. Shiryaev,et al. Optimal Stopping Rules , 1980, International Encyclopedia of Statistical Science.

[8] G. Lorden. PROCEDURES FOR REACTING TO A CHANGE IN DISTRIBUTION , 1971 .

[9] A. Tartakovsky. ASYMPTOTIC PROPERTIES OF CUSUM AND SHIRYAEV'S PROCEDURES FOR DETECTING A CHANGE IN A NONHOMOGENEOUS GAUSSIAN PROCESS , 1995 .

[10] Michèle Basseville,et al. Detection of Abrupt Changes: Theory and Applications. , 1995 .

[11] Alʹbert Nikolaevich Shiri︠a︡ev,et al. Optimal stopping rules , 1977 .

[12] Michèle Basseville,et al. Detection of abrupt changes: theory and application , 1993 .

[13] T. Lai. Sequential changepoint detection in quality control and dynamical systems , 1995 .

[14] Moshe Pollak,et al. Average run length to false alarm for surveillance schemes designed with partially specified pre-change distribution , 1997 .

[15] H. Cramér. Mathematical methods of statistics , 1947 .