Intrusion Detection with CUSUM for TCP-Based DDoS

DDoS (Distributed Denial of Service) is the most troublesome attack today, especially for those whose operational environment relies on network services and/or the Internet. Attackers typically compromise innocent routers and hosts so that they unwittingly take part in such a large-scale attack as zombies or reflectors. In this paper, we propose an Intrusion Detection System (IDS), named the CUSUM Intrusion Detection System (CIDS), which uses CUSUM as its detection algorithm and logically divides the Internet into many autonomous network management units (NMUs); each NMU deploys a CIDS to discover attacks and to identify which role a client plays in such an attack.
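As an added illustration of the CUSUM technique named in the abstract (this is not the paper's CIDS code, whose exact statistic and thresholds are not given on this page), the following Python runs a non-parametric CUSUM detector of the Brodsky and Darkhovsky form over constructed per-second TCP SYN counts. The feature (raw SYN count per interval), the EWMA baseline, the margin `a`, the threshold `h`, and the sample series are all assumptions made for the example.

```python
"""Non-parametric CUSUM over per-interval TCP SYN counts (added example).

Illustration of the CUSUM technique named in the abstract, not the paper's
CIDS code.  Assumed statistic: z_n = x_n - mu_n - a, where x_n is the SYN
count in interval n, mu_n an EWMA estimate of the normal level and a a
margin chosen so that z_n is negative under normal load.  The cumulative sum
y_n = max(0, y_{n-1} + z_n) hovers at zero under normal traffic and climbs
once a flood starts; an alarm is raised when y_n exceeds the threshold h.
"""
from typing import List, Optional, Tuple


class CusumDetector:
    """Sequential CUSUM detector for an upward shift in a count series."""

    def __init__(self, a: float, h: float, alpha: float = 0.1) -> None:
        self.a = a          # margin: normal (x - mu) must stay well below a
        self.h = h          # alarm threshold on the cumulative sum
        self.alpha = alpha  # EWMA weight for the baseline estimate mu
        self.mu: Optional[float] = None
        self.y = 0.0

    def update(self, x: float) -> bool:
        """Feed one interval's count; return True if the threshold is crossed."""
        if self.mu is None:          # first observation seeds the baseline
            self.mu = float(x)
        z = x - self.mu - self.a
        self.y = max(0.0, self.y + z)
        alarm = self.y > self.h
        # Freeze the baseline while alarming so the flood is not learned as "normal".
        if not alarm:
            self.mu = (1.0 - self.alpha) * self.mu + self.alpha * x
        return alarm


def first_alarm(counts: List[int], a: float, h: float, alpha: float = 0.1) -> Optional[int]:
    """Return the index of the first interval that triggers the alarm, or None."""
    det = CusumDetector(a=a, h=h, alpha=alpha)
    for i, x in enumerate(counts):
        if det.update(x):
            return i
    return None


def cusum_trace(counts: List[int], a: float, h: float, alpha: float = 0.1) -> List[Tuple[int, float]]:
    """Return (count, y_n) pairs so the accumulation can be inspected."""
    det = CusumDetector(a=a, h=h, alpha=alpha)
    trace = []
    for x in counts:
        det.update(x)
        trace.append((x, round(det.y, 2)))
    return trace


# Constructed sample: 20 intervals of normal load (about 100 SYN/s) followed
# by a ramped SYN flood.  The numbers are made up for this illustration.
NORMAL = [100, 105, 98, 102, 110, 95, 101, 99, 104, 97] * 2
FLOOD = [250, 300, 400, 500, 500, 500, 500, 500, 500, 500]
SAMPLE_COUNTS = NORMAL + FLOOD

# Tuning assumed for this sample: a = 30 keeps z negative for normal jitter
# (max normal count 110 against a baseline near 100); h = 300 tolerates one
# noisy interval but not a sustained rise.
A, H = 30.0, 300.0

if __name__ == "__main__":
    print("alarm at interval", first_alarm(SAMPLE_COUNTS, A, H))
    for i, (x, y) in enumerate(cusum_trace(SAMPLE_COUNTS, A, H)):
        print(f"{i:2d} syn={x:3d} cusum={y:7.2f}")
```

Two points worth noticing when running it. First, the alarm fires at interval 22, two intervals after the flood begins, because the first ramp steps (250 and 300 SYN/s) are absorbed by the threshold and partly fed into the EWMA baseline; a slow enough ramp could keep inflating the baseline without ever crossing `h`, which is why `alpha` and `a` have to be tuned against the traffic's normal variance rather than picked arbitrarily. Second, the detector only answers "is this NMU seeing a flood"; deciding whether a client is a victim, a zombie or a reflector, as the abstract describes, needs additional per-role features (for example the direction and SYN/SYN-ACK balance of the flows) that this block does not model.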
