A microscopic competition model and its dynamics analysis on network attacks

Modeling network traffic has been a critical task in the development of the Internet. Attacks and defenses are prevalent in the current Internet. Traditional network models, such as Poisson-related models, do not consider the competition between the attacking and defending parties. In this paper, we present a microscopic competition model to analyze the dynamics among the nodes, benign or malicious, that are connected to a router and compete for the bandwidth. The dynamics analysis demonstrates that the model describes the competition behavior among normal users and attackers well. Based on this model, an anomaly attack detection method is presented. The method is based on adaptive resonance theory, which is used to learn the model from normal traffic data. The evaluation shows that it can effectively detect network attacks. Copyright © 2009 John Wiley & Sons, Ltd.
