Detecting DoS attacks using packet size distribution

Enabling early detection of Denial of service (DoS) attacks in network traffic is an important and challenging task because DoS attacks have become one of the most serious threats to the Internet. In this paper, we develop an IP packet size entropy (IPSE)-based DoS detection scheme in which the entropy is markedly changed when traffic is affected by an attack. Through our analysis, we find that the IPSE-based scheme is capable of detecting not only long-term attacks but also short-term attacks that are beyond the volume-based schemespsila ability to detect.

[1]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[2]  John S. Heidemann,et al.  A framework for classifying denial of service attacks , 2003, SIGCOMM '03.

[3]  Antonio Pescapè,et al.  NIS04-1: Wavelet-based Detection of DoS Attacks , 2006, IEEE Globecom 2006.

[4]  R. Sekar,et al.  Specification-based anomaly detection: a new approach for detecting network intrusions , 2002, CCS '02.

[5]  Paul Barford,et al.  A signal analysis of network traffic anomalies , 2002, IMW '02.

[6]  Richard Lippmann,et al.  The 1999 DARPA off-line intrusion detection evaluation , 2000, Comput. Networks.

[7]  Qi Shi,et al.  DiDDeM: a system for early detection of TCP SYN flood attacks , 2004, IEEE Global Telecommunications Conference, 2004. GLOBECOM '04..

[8]  Kang G. Shin,et al.  Detecting SYN flooding attacks , 2002, Proceedings.Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies.

[9]  Alberto Dainotti,et al.  Wavelet-based Detection of DoS Attacks. , 2006 .