A microscopic competition model and its dynamics analysis on network attacks

Modeling network traffic has been a critical task in the development of the Internet. Attacks and defenses are prevalent in the current Internet. Traditional network models, such as Poisson-related models, do not consider the competition between the attacking and defending parties. In this paper, we present a microscopic competition model to analyze the dynamics among the nodes, benign or malicious, that are connected to a router and compete for the bandwidth. The dynamics analysis demonstrates that the model describes the competition behavior among normal users and attackers well. Based on this model, an anomaly-based attack detection method is presented. The method is based on adaptive resonance theory, which is used to learn the model from normal traffic data. The evaluation shows that it can effectively detect network attacks. Copyright © 2009 John Wiley & Sons, Ltd.
