Methodologies for detecting DoS/DDoS attacks against network servers

As denial of service (DoS) attacks are becoming more common on the Internet, there is a greater need for solutions to overcome these attacks. Defending against DoS/DDoS attacks can generally be divided into three phases: prevention, detection and response. Detection is one of the key steps in defending against DoS/DDoS attacks. However, with the high variation in DoS/DDoS attack types, the detection of such attacks becomes problematic. A good detection technique should have a short detection time and a low false positive rate. This paper presents an introduction to intrusion detection systems (IDS) and a survey of different DoS/DDoS detection techniques. The key observation of this survey paper is that a CUSUM-based detection technique has many advantages over other statistical instruments in that it is nonparametric; consequently, it does not require training and is more robust to variations in the attack profile.

Keywords: DoS; DDoS; detection; network security.
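To make the CUSUM observation concrete, the following is an added example (not code from the paper) of the nonparametric CUSUM form y_n = max(0, y_{n-1} + x_n - a) run over constructed per-second SYN counts; the baseline rate, the drift a, the threshold h and both traffic series are assumptions, chosen to show a sustained flood accumulating to an alarm while a one-second burst is absorbed.

```python
"""Nonparametric CUSUM change-point detection over per-second SYN counts."""
from typing import List, Optional, Tuple

# Constructed sample traffic (assumption, not measured data): per-second SYN
# counts, 20 s of normal traffic near 100/s, then 10 s of flood near 400/s.
FLOOD_TRACE = [98, 103, 95, 110, 99, 104, 97, 101, 106, 92,
               100, 108, 94, 103, 99, 97, 105, 102, 96, 101,
               380, 410, 395, 420, 405, 390, 415, 400, 398, 412]
ATTACK_START = 20

# Constructed normal traffic with a single transient burst at second 10.
BURST_TRACE = [98, 103, 95, 110, 99, 104, 97, 101, 106, 92,
               250, 108, 94, 103, 99, 97, 105, 102, 96, 101]


def cusum_detect(counts: List[int], baseline: float = 100.0,
                 drift: float = 50.0, threshold: float = 300.0
                 ) -> Tuple[Optional[int], List[float]]:
    """Run the nonparametric CUSUM y_n = max(0, y_{n-1} + x_n - a).

    x_n is the excess of the observed count over a rough baseline rate.
    `drift` (a) is set above the normal excess so the statistic stays near
    zero under ordinary load; `threshold` (h) bounds false alarms. No
    distribution of the counts is assumed and no training set is needed,
    only the baseline and two tuning constants (all assumptions here).
    Returns (index of the first alarm or None, per-second statistic trace).
    """
    y = 0.0
    trace: List[float] = []
    for n, count in enumerate(counts):
        excess = count - baseline
        y = max(0.0, y + excess - drift)   # negative drift resets to zero
        trace.append(y)
        if y > threshold:
            return n, trace
    return None, trace


def detection_delay(counts: List[int], attack_start: int, **kw) -> Optional[int]:
    """Seconds between attack onset and the first alarm (None if never raised)."""
    alarm, _ = cusum_detect(counts, **kw)
    return None if alarm is None else alarm - attack_start


if __name__ == "__main__":
    print("flood: alarm at second", cusum_detect(FLOOD_TRACE)[0],
          "delay", detection_delay(FLOOD_TRACE, ATTACK_START))
    print("burst only: alarm at second", cusum_detect(BURST_TRACE)[0])
```

With these constants the flood is flagged one second after onset, while the burst raises the statistic to 100 and decays back to zero without an alarm; in practice the baseline would be tracked adaptively rather than fixed.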
