Detection of Variations of Local Irregularity of Traffic under DDOS Flood Attack

The aim of distributed denial-of-service (DDOS) flood attacks is to overwhelm the attacked site, or to make its service performance deteriorate considerably, by sending flood packets to the target from machines distributed all over the world. This is a kind of local behavior of traffic at the protected site, because the attacked site can be recovered to its normal service state sooner or later even though it is in reality overwhelmed during the attack. From a mathematical point of view, it can be taken as a kind of short-range phenomenon in computer networks. In this paper, we use the Hurst parameter (H) to measure the local irregularity or self-similarity of traffic under DDOS flood attack, provided that fractional Gaussian noise (fGn) is used as the traffic model. As flood attack packets of DDOS make the H value of arrival traffic vary significantly away from that of traffic normally arriving at the protected site, we discuss a method to statistically detect signs of DDOS flood attacks with predetermined detection probability and false alarm probability.
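The sketch below is an added example, not the paper's code: it estimates H per traffic window and raises an alarm when H leaves a band around the baseline sized for a chosen false alarm probability. Assumptions not taken from the abstract: the aggregated-variance estimator, normally distributed per-window H estimates, a two-sided band, and constructed series (white noise and an AR(1) process) standing in for packet counts.

```python
import math
import random
from statistics import NormalDist, mean, stdev, variance

def hurst_aggvar(x, scales=(1, 2, 4, 8, 16, 32)):
    """Aggregated-variance estimate: Var(mean of m-sample blocks) ~ m^(2H-2)."""
    pts = []
    for m in scales:
        blocks = [sum(x[i:i + m]) / m for i in range(0, len(x) - m + 1, m)]
        pts.append((math.log(m), math.log(variance(blocks))))
    mx, my = mean(p[0] for p in pts), mean(p[1] for p in pts)
    slope = sum((a - mx) * (b - my) for a, b in pts) / sum((a - mx) ** 2 for a, _ in pts)
    return 1 + slope / 2

def threshold(baseline_h, p_false_alarm):
    """Half-width v with P(|H - mu| > v) = p_false_alarm, assuming normal H."""
    mu, sd = mean(baseline_h), stdev(baseline_h)
    return mu, sd, NormalDist().inv_cdf(1 - p_false_alarm / 2) * sd

def detection_probability(mu, sd, v, attack_mu):
    """P(alarm) if windowed H is normal around attack_mu with the same sd."""
    d = NormalDist(attack_mu, sd)
    return d.cdf(mu - v) + 1 - d.cdf(mu + v)

def demo(seed=7, n=4096, windows=20, p_false_alarm=0.01):
    rng = random.Random(seed)
    # Constructed stand-in for normal windows: uncorrelated counts (H near 0.5).
    base = [hurst_aggvar([rng.gauss(100, 10) for _ in range(n)])
            for _ in range(windows)]
    mu, sd, v = threshold(base, p_false_alarm)
    # Constructed stand-in for a changed window: strongly correlated AR(1) series.
    x, suspect = 0.0, []
    for _ in range(n):
        x = 0.9 * x + rng.gauss(0, 10)
        suspect.append(100 + x)
    h = hurst_aggvar(suspect)
    return mu, sd, v, h, abs(h - mu) > v

if __name__ == "__main__":
    mu, sd, v, h, alarm = demo()
    print(f"baseline H={mu:.3f} sd={sd:.3f} band=+/-{v:.3f} "
          f"suspect H={h:.3f} alarm={alarm}")
```

Real traffic would need a baseline built from attack-free captures at the protected site; the band then trades false alarms against the smallest H shift that is detected with a given probability.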
