Router Anomaly Traffic Detection Based on Modified-CUSUM Algorithms

The paper targets changes in the ingress and egress traffic of core router ports, using a modified CUSUM (cumulative sum) algorithm to track their statistical characteristics in real time and detect abnormal network flows. Because a router has many ports, the paper proposes a matrix-based, multi-statistic modified CUSUM algorithm (M-CUSUM). M-CUSUM provides an adjustable parameter setup to increase detection accuracy. The algorithm monitors changes in the balance between a port's ingress and egress traffic in real time by computing the ratio of the absolute value of their difference to the absolute value of their sum. Simulation experiments indicate that the algorithm detects DoS/DDoS attacks faster and more accurately than comparable approaches while consuming fewer system resources. The algorithm has been deployed successfully in software routers.
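The following is an added illustration, not code from the paper, of the per-port statistic the abstract describes (the absolute ingress/egress difference divided by their sum) fed into a one-sided CUSUM detector, laid out as a ports-by-time matrix of samples. The paper's own multi-statistic matrix formulation and its parameter values are not given here, so the baseline warm-up window, drift, and threshold are assumed tunables, and the traffic samples are constructed.

```python
from typing import List, Optional, Tuple

def balance_ratio(ingress: float, egress: float) -> float:
    """|in - out| / |in + out|: 0 when a port's traffic is balanced,
    approaching 1 when one direction dominates (e.g. an inbound flood)."""
    total = abs(ingress + egress)
    if total == 0:
        return 0.0  # idle port: treat as balanced rather than divide by zero
    return abs(ingress - egress) / total

class PortCusum:
    """One-sided CUSUM over the balance ratio of a single port.
    drift (k) and threshold (h) are assumed tunable parameters."""
    def __init__(self, baseline: float, drift: float = 0.05, threshold: float = 0.5):
        self.baseline = baseline      # expected ratio under normal traffic
        self.drift = drift            # slack absorbed before the sum grows
        self.threshold = threshold    # alarm level for the cumulative sum
        self.s = 0.0                  # cumulative sum, reset at zero

    def update(self, ingress: float, egress: float) -> bool:
        r = balance_ratio(ingress, egress)
        self.s = max(0.0, self.s + (r - self.baseline - self.drift))
        return self.s > self.threshold

def detect_ports(matrix: List[List[Tuple[float, float]]], warmup: int = 4,
                 drift: float = 0.05, threshold: float = 0.5) -> List[Optional[int]]:
    """matrix[port][t] = (ingress, egress) counts for one interval.
    The first `warmup` samples of each port estimate its baseline ratio;
    returns, per port, the first index at which the CUSUM alarms, or None."""
    results: List[Optional[int]] = []
    for samples in matrix:
        baseline = sum(balance_ratio(i, e) for i, e in samples[:warmup]) / warmup
        det = PortCusum(baseline, drift, threshold)
        first_alarm = None
        for t, (i, e) in enumerate(samples[warmup:], start=warmup):
            if det.update(i, e) and first_alarm is None:
                first_alarm = t
        results.append(first_alarm)
    return results

# Constructed sample: port 0 stays balanced; port 1 sees an inbound flood from t=5.
SAMPLE_PORT_TRAFFIC = [
    [(100, 100), (110, 90), (95, 105), (100, 100), (105, 95),
     (100, 100), (98, 102), (100, 100), (104, 96), (100, 100)],
    [(100, 100), (102, 98), (100, 100), (98, 102), (100, 100),
     (900, 100), (1500, 100), (2000, 100), (2500, 100), (3000, 100)],
]

if __name__ == "__main__":
    print(detect_ports(SAMPLE_PORT_TRAFFIC))  # [None, 5]
```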
