Detection of Syn Flooding Attacks Using Generalized Autoregressive Conditional Heteroskedasticity (GARCH) Modeling Technique
Nikhil Ranjan, Hema A. Murthy, Timothy A. Gonsalves
Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai
{ranjan, hema,

Abstract

This paper explores a fast and effective method to detect TCP SYN flooding attacks. The Generalized Autoregressive Conditional Heteroskedastic (GARCH) model, which is the most commonly used statistical modeling technique for financial time series, is proposed as a new technique for denial of service attack detection. The exponential backoff and retransmission property of TCP during timeouts is exploited in the detection mechanism. We are able to detect low as well as high intensity SYN flooding attacks by modeling the difference between SYN and SYN+ACK packets using GARCH. Our studies show that this non-linear volatility model performs better than earlier models like Linear Prediction.

Index Terms: TCP SYN flooding, GARCH, Heteroskedasticity.

I. INTRODUCTION

The Internet was designed to move packets from source to destination as fast as possible, irrespective of whether the receiver actually wants those packets. This is at the heart of denial-of-service (DoS) attacks. Any act to deny legitimate use of a service can be classified as a Denial of Service (DoS) attack [1]. These active attacks continue to be prevalent in the Internet today, in spite of significant advances that have been made in network management and security. The CSI/FBI Computer Crime and Security Survey report of 2004 revealed that denial of service was one of the major sources of financial loss due to cybercrime during that year [2]. Most of the attacks use TCP, among which TCP SYN flooding is quite popular [3].

TCP SYN flooding is a denial of service attack. In order to exchange data using TCP, hosts must establish a connection. TCP establishes a new connection using the 3-way handshake shown in Figure 1.

A TCP connection is initiated by a client issuing a request to a server with the SYN flag on in the TCP header. Normally the server will issue a SYN/ACK back to the client. The client will then send an ACK to the server and data transfer can commence. The attacker sends a few hundred SYN requests to the target TCP port with the source IP address spoofed to be that of another host (currently unreachable from the target). The target responds with SYN/ACKs to what it believes is the source of the incoming SYNs. If the final ACK does not reach the server, the connection will remain half-open until the associated timer expires (which is usually 75 seconds). Since the memory allocated for maintaining half-open connections is finite, there is a limit to the maximum number of half-open connections. When this maximum count is exceeded the server starts dropping SYN requests, whether legitimate or not. The target port is flooded. This is how the TCP SYN flood attack works.

Fig. 1. TCP three way handshake

Fig. 2. TCP SYN flood attack (the attacker with a spoofed IP sends SYNs; the server's SYN+ACK replies are lost; the server goes from LISTEN to SYN-RECEIVED and accumulates half-open connections until it aborts them)

A consequence of the SYN flooding attack is that a service can be brought down by flooding the server with a few tens of SYN requests per second. It is therefore important to detect these attacks as early as possible so as to bring the halted services back to normal. As most e-commerce depends heavily on TCP based applications, the severity of the problem increases. Earlier work by Divakaran et al. [4] used Linear Prediction to model network traffic, but LP used in this context cannot model long tailed distributions well. We therefore propose the
use of GARCH, which is a more appropriate model as it can model the long tailed distribution of network traffic better [5]. Because of the exponential backoff and retransmission properties of TCP, we find a unique pattern at the time of attack based on the difference between the number of SYN and SYN+ACK packets with respect to a network. We use our model to detect such patterns and hence the attacks. The proposed system is stateless and fast and detects low intensity attacks well. Any change in network traffic pattern can be detected well by GARCH analysis, and in most cases better than by LP.

The rest of the paper is organized as follows. Section II discusses related work. Parameters used for modeling and the issues of detection are discussed in Section III. Section IV details detection using GARCH analysis and the proposed algorithm. Performance evaluation and comparison between the GARCH and LP detection mechanisms are discussed in Section V. Finally, concluding remarks are drawn in Section VI.

II. RELATED WORK

There are mechanisms available to defend a server or network from SYN flooding attacks. SYN cookies [6] and SYN cache [7] defense mechanisms are limited to the victim server side. SYN cookies cannot encode all the TCP options from the initial SYN into the cookie, and thus break the TCP semantics. synkill [8] and SYNDefender [9] are installed at firewalls, but they too tend to slow down connections even in the absence of attacks. All these mechanisms are stateful, which tends to degrade TCP performance. A stateless approach is always a better alternative.

Earlier works also used stateless detection techniques. A CUSUM type algorithm [10] monitored the number of SYN packets over a given interval to check if it had crossed a particular threshold. But the method is not scalable to large network scenarios where the number of connection requests may increase abruptly. A different parameter, namely the difference between SYN and FIN packets, was used in [11] to detect attacks, but that system can easily be defeated by sending an equal number of FIN packets. A better parameter, which can be very effective in detecting the attacks, is the difference between SYN and SYN+ACK. This is called the number of half open counts [4]. Work done by Divakaran et al. [4] used Linear Prediction to model network data (the number of half open counts, to be more precise) to detect SYN flood attacks. It is well known that network traffic is bursty in nature, and Linear Prediction used in this context cannot model long tailed distributions well. We therefore propose the use of GARCH, which is a more appropriate model as it can model long tailed distributions well, since it models the volatility of the network traffic [5].

III. MODELING PARAMETER

One of the better parameters for detection of SYN flood attacks is the difference between SYN and SYN+ACK packets. Unlike other parameters, it shows a unique pattern during attacks whether the network is small or very large. Under a normal scenario, the difference between the number of SYNs and SYN+ACKs is very small compared to the total number of SYNs (TCP connection requests). The difference increases at the time of a SYN attack. Fig. 3 shows the difference between SYNs and SYN+ACKs per time slot for normal as well as attack scenarios. Each time slot corresponds to 0.5 second.

Fig. 3. No. of half open counts per time slot (x-axis: time slot; y-axis: no. of half open counts)

Network traffic traces were collected from the TeNeT network [12] for performing experiments. Only those packets with the SYN flag on (either SYN or SYN+ACK) were captured. The abnormal traffic was generated with different flooding rates starting with 15 SYNs per second. The duration of a time slot is chosen as 0.5 sec. For each time slot the number of half open counts is computed. Since the data is simulated, it can be labeled, that is, the exact time at which the attacks happen is known a priori.
Hence the values in the data sets constitute the number of half open counts for consecutive 0.5 sec durations. We call these values the signal values $s_i$ for the $i$th interval. The signal values can be normal or anomalous depending on whether they were computed during a normal traffic scenario or during an attack.

IV. GARCH MODEL

A. Motivation

The predictive property of network traffic plays an important role in many domains. Some examples include adaptive applications like network management systems and congestion control. The goodness of a traffic prediction model depends mostly on how well it can capture important traffic characteristics like short and long range dependence. Owing to the similarity between financial time series and network data, time series models used in the financial domain find applicability in network traffic modeling. It has already been shown that network traffic data exhibits a high degree of long-range dependence (LRD) [13]. Previous works mostly focused on the usage of linear time series models, e.g. Auto Regressive (AR) and Auto Regressive Integrated Moving Average (ARIMA) [14] [15], but they fail to capture long range dependence.

There are various reasons to use GARCH as our modeling technique. While the ACF (autocorrelation function) of the observed data set exhibits little correlation, the ACF of the squared data set still indicates significant correlation and persistence in the second-order moments.

Fig. 4. ACF of data set (sample autocorrelation against lag, for the data set and for the squared data set)

Engle's ARCH test [16] on the data sets also shows significant evidence in support of GARCH effects (i.e. heteroskedasticity). Computing the Hurst exponent [17] on the data sets gave values greater than 0.5, strongly suggesting the presence of long range dependence. There are component GARCH models that do capture long range dependence [18], but we will not go into the details here. The whole idea is to see how GARCH is able to react to changes in the variance of the traffic characteristics. Such a model thus holds promise for modeling the dynamics of network traffic better.

B. Introduction to GARCH Model

GARCH stands for generalized autoregressive conditional heteroskedasticity. Heteroskedasticity can be interpreted as time-varying variance (volatility). Conditional implies a dependence on the observations of the immediate past, and autoregressive describes a feedback mechanism that incorporates past observations into the present. GARCH is a time-series technique that can be used to model the serial dependence of volatility [19]. It is a mechanism that includes past variances in the explanation of future variances.

C. Basic Modeling Technique

Most models for financial returns are of the form

$$X_t = \sigma_t Z_t \quad (1)$$

where $Z_t$ is a sequence of i.i.d. symmetric random variables, and $\sigma_t$ is a non-negative stochastic process such that $Z_t$ and $\sigma_t$ are independent for fixed $t$ [16]. There is strong empirical support for stochastic volatility in financial time series, and the presence of stochastic volatility implies that returns are not necessarily independent over time. The standard assumption for the noise $Z_t$ is that $Z_t$ is i.i.d. $N(0,1)$ with $Z_t$ independent of the standard deviation process $\sigma_t$. In most linear time series models, one often assumes that the volatility is constant over time. Volatility is a central part of most asset pricing models. However, it is well known that financial time series exhibit time-varying volatility. In 1982, Engle [20] proposed a model for $\sigma_t$:

$$\sigma_t^2 = \alpha_0 + \sum_{i=1}^{P} \alpha_i X_{t-i}^2 \quad (2)$$

This model is called the AutoRegressive Conditional Heteroskedasticity (ARCH) process, where the autoregressive property in principle means that old events leave waves behind a certain time after the actual time of the action [16]. The process depends on its past. The term conditional heteroskedasticity means that the variance (conditional on the available information) varies and depends on old values of the process. One can liken this to the process having a short-term memory, with the behavior of the process influenced by this memory. However, since it can be expected that $\sigma_t^2$ is a time-changing weighted average of past squared observations, it is quite natural to define $\sigma_t^2$ not only as a weighted average of past $X_t^2$ values, but also of past $\sigma_t^2$ values. Empirical evidence shows that a high ARCH order has to be selected in order to capture the dynamics of the conditional variance. This leads to the Generalized ARCH model (GARCH) introduced in 1986 by Bollerslev [19]. The volatility process is

$$\sigma_t^2 = \alpha_0 + \sum_{i=1}^{P} \alpha_i X_{t-i}^2 + \sum_{j=1}^{Q} \beta_j \sigma_{t-j}^2 \quad (3)$$

where the $\alpha_i$'s and the $\beta_j$'s are non-negative parameters [20]. Hence we can say that the GARCH(P,Q) model takes into account the volatility clustering and long tailed behavior of the financial time series and performs accurate forecasts of the conditional variance of the series. In this specific case of GARCH modeling the conditional variance is a linear function of past squared innovations and earlier calculated conditional variances, as shown in equation (3).
D. Choosing the order of the model

We model the network traffic data using GARCH(1,1). We used the relative values of the Akaike information criterion (AIC) and Bayesian information criterion (BIC) statistics [16] as guides in the model selection process and found that GARCH(1,1) fits better than any other order. Instead of computing the GARCH coefficients just once for the entire dataset, they are computed for each of the (possibly) overlapping frames in the dataset. Initially, a dataset is divided into frames of N samples or signal values. Adjacent frames are separated by M samples, and the frames will overlap depending on the value of M. Here adjacent frames overlap by N-1 samples. The frame size chosen here is N=15. As GARCH is a volatility model, it is always better to compute the coefficients with more than 1 data points to get accurate results and overcome convergence issues. The algorithm to compute the GARCH coefficients is explained in [21]. After the coefficients are computed, we can predict the future volatility of the series [21]. Now, the error between the actual realized volatility ($\sigma_t$) and the predicted volatility ($PV_t$) is given by

$$e_t = (\sigma_t - PV_t)/\sigma_t \quad (4)$$

where the realized volatility is given by

$$\sigma_t^2 = (x_t - \bar{X})^2 \quad (5)$$

where $x_t$ is the series value at time $t$ and $\bar{X}$ is the historical mean taken over a long period. The comparison of error values pertaining to different orders of GARCH(P,Q) on the data set is tabulated below. The values clearly suggest that GARCH(1,1) works better.

TABLE I. COMPARING PREDICTION ERROR
Framesize | P=1,Q=1 | P=2,Q=1 | P=1,Q=2 | P=2,Q=

The following plot is one such snapshot showing how the prediction error changes as we proceed from normal to anomalous frames in the case of GARCH(1,1).

Fig. 5. Prediction error for signal values (x-axis: frame number; y-axis: error value)

E. Comparing error values with Linear Prediction

When we compared the prediction error values of GARCH(1,1) with Linear Prediction of order 3 for the same data sets, keeping the same frame size, it was observed that the error values using GARCH(1,1) are lower than those of LP. The following table shows the mean error values using the GARCH(1,1) and LP models, computed over 1 simulated attacks of each rate. Looking at the table, we can clearly conclude that GARCH(1,1) fits the data well and shows lower prediction errors than LP.

TABLE II. MEAN PREDICTION ERROR
# of syn/sec | GARCH(1,1) mean(error) | LP mean(error)

F. Detection Algorithm

The detection algorithm does time series analysis of the traffic to detect any SYN flooding attack. The data set contains signal values $s_i$ which correspond to the half open count for the $i$th time slot. The data set is divided into overlapping frames.
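As an added worked example (not the authors' code), the pipeline this paper describes in pure Python: the half-open-count signal of Section III, a GARCH(1,1) fit per frame with the prediction error of equations (4) and (5), and the three-frame threshold rule of the detection steps that follow. The GARCH fit is a grid-search Gaussian maximum-likelihood estimate with variance targeting, a stand-in for the toolbox estimator the paper cites; the traffic, the 60 SYN/s flood rate and the threshold margin are constructed.

```python
"""GARCH(1,1)-based SYN flood detection on the half-open-count signal.

Constructed example, not the paper's code. The GARCH(1,1) fit is a
Gaussian maximum-likelihood grid search with variance targeting (stand-in
for the toolbox estimator the paper cites); frame size, error definition
and the three-frame rule follow Sections III, IV-D and IV-F.
"""
import math
import random

SLOT_SECONDS = 0.5   # polling interval used in the paper
FRAME_SIZE = 15      # N: signal values per frame (N=15 as printed in the paper)


def half_open_counts(packets, n_slots):
    """Signal s_i = (#SYN - #SYN+ACK) observed in slot i (Section III).

    packets: (timestamp_seconds, is_syn_ack) for packets with the SYN flag
    set; a plain SYN has is_syn_ack False, the server's SYN+ACK reply True.
    """
    counts = [0] * n_slots
    for ts, is_syn_ack in packets:
        slot = int(ts // SLOT_SECONDS)
        if slot < n_slots:
            counts[slot] += -1 if is_syn_ack else 1
    return counts


def fit_garch11(frame):
    """Fit sigma2_t = a0 + a1*x_{t-1}^2 + b1*sigma2_{t-1} to one frame.

    Returns (a0, a1, b1, next_sigma2); next_sigma2 is the one-step variance
    forecast PV^2 for the slot after the frame. Innovations x are the frame
    values minus the frame mean; a0 is tied to the sample variance
    (variance targeting) so the likelihood search is two-dimensional.
    """
    mean = sum(frame) / len(frame)
    x = [v - mean for v in frame]
    var = max(sum(v * v for v in x) / len(x), 1e-6)
    grid = [i / 20 for i in range(19)]              # 0.00, 0.05, ..., 0.90
    best = None
    for a1 in grid:
        for b1 in grid:
            if a1 + b1 >= 0.98:                       # keep the process stationary
                continue
            a0 = var * (1 - a1 - b1)
            s2, loglik = var, 0.0
            for v in x:                               # Gaussian log-likelihood, up to a constant
                loglik -= math.log(s2) + v * v / s2
                s2 = a0 + a1 * v * v + b1 * s2        # after the loop: forecast for the next slot
            if best is None or loglik > best[0]:
                best = (loglik, a0, a1, b1, s2)
    return best[1:]


def frame_errors(signal, hist_mean):
    """Prediction error e_t = (sigma_t - PV_t) / sigma_t, eq. (4), per frame.

    Frame k is signal[k:k+N] and predicts slot k+N. Realized volatility is
    sigma_t = |x_t - X|, eq. (5), with X the long-period historical mean.
    """
    errors = []
    for k in range(len(signal) - FRAME_SIZE):
        pv = math.sqrt(fit_garch11(signal[k:k + FRAME_SIZE])[3])
        realized = max(abs(signal[k + FRAME_SIZE] - hist_mean), 1e-9)
        errors.append((realized - pv) / realized)
    return errors


def threshold_from_normal(normal, margin=0.1):
    """alpha: largest three-frame average error on attack-free traffic, plus a margin."""
    e = frame_errors(normal, sum(normal) / len(normal))
    return max(sum(e[i:i + 3]) / 3 for i in range(len(e) - 2)) + margin


def detect(signal, hist_mean, alpha):
    """Return the slot at which the alarm is raised, or None (Section IV-F).

    Frames advance one signal value at a time; the alarm fires when the
    average error of three consecutive frames exceeds alpha.
    """
    e = frame_errors(signal, hist_mean)
    for i in range(2, len(e)):
        if (e[i - 2] + e[i - 1] + e[i]) / 3 > alpha:
            return i + FRAME_SIZE                     # slot whose error completed the window
    return None


def constructed_scenario(n_normal=120, n_attack=30, flood_rate=60, seed=7):
    """Constructed signal: 0..3 stray half-open connections per slot, then a
    flood of flood_rate SYN/s leaving flood_rate*0.5 extra half-open per slot."""
    rng = random.Random(seed)
    normal = [rng.randint(0, 3) for _ in range(n_normal)]
    attack = [rng.randint(0, 3) + int(flood_rate * SLOT_SECONDS) for _ in range(n_attack)]
    return normal, attack


def run_detection(normal, attack):
    """Set alpha on the normal frames, then run on normal followed by attack.
    Returns (alarm_slot, alpha); alarm_slot is None if nothing fired."""
    hist_mean = sum(normal) / len(normal)
    alpha = threshold_from_normal(normal)
    return detect(normal + attack, hist_mean, alpha), alpha


if __name__ == "__main__":
    normal, attack = constructed_scenario()
    slot, alpha = run_detection(normal, attack)
    print("alpha=%.3f, flood starts at slot %d, alarm at slot %s" % (alpha, len(normal), slot))
```

Because the frame-level fit is demeaned by the frame while eq. (5) uses the long-period mean, a sustained rise in half-open counts keeps the realized deviation far above the forecast volatility, which is what drives the alarm.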
The steps are:

1. Define a threshold α on the error value using normal frames.
2. For each frame, compute the GARCH(1,1) coefficients and predict the next period's variance.
3. Calculate the average error of three consecutive frames and check whether it crosses the threshold α.
4. Advance the frame by one signal value and repeat the above steps.
5. If the average error value increases beyond the threshold, raise an alarm signifying the attack.
6. Recompute the coefficients and error values using normal frames and start afresh.

The last step makes sure that anomalous frames are not chosen for error computation. Also, we compute the average error value of three consecutive frames to be reasonably sure that the attack has actually occurred.

V. EVALUATION

We collected traces of normal traffic from the TeNeT network to evaluate our proposed detection mechanism. The abnormal traffic was generated with different attack rates starting from 15 SYN/sec. The data sets contain the signal values of the number of half open counts for consecutive polling intervals of 0.5 seconds. The data sets are divided into overlapping frames of size 15. The GARCH(1,1) and Linear Prediction techniques are applied in turn on the data sets to see which is performing better and when.

A. Results

Using normal frames we had already set the threshold limits on error values for both models. We use different thresholds for GARCH(1,1) and LP since their error values show a remarkable difference for normal traffic. Say we use α for GARCH(1,1) and β for LP. Using these thresholds we detect the attacks with the algorithm discussed, using the GARCH(1,1) and LP modeling techniques. About 1 attacks pertaining to each rate were simulated. Tables III and IV show the detection delays using the GARCH(1,1) and LP techniques respectively.

B. Analysis

Observing Tables III and IV reveals a few important facts. GARCH(1,1) performs better than Linear Prediction
when the rate of flood is relatively small. As the rate of flooding increases, the performance of both models is almost the same. In a real world scenario it is important to detect low intensity flooding attacks as quickly as possible, because high intensity attacks are not very tough to detect. GARCH(1,1) proves better in detecting attacks under 3 SYN/sec more quickly than LP. This is mainly due to the fact that GARCH(1,1) is able to fit the data better than LP. This is quite obvious from the fact that the error values are lower in the case of the former, as already depicted in Table II. Hence we can say that GARCH(1,1) is able to react to changes in the variance of network traffic better.

TABLE III. DETECTION DELAY IN SECONDS USING GARCH(1,1)
# of syn/sec | Best | Average | Worst | False Positive %

TABLE IV. DETECTION DELAY IN SECONDS USING LP
# of syn/sec | Best | Average | Worst | False Positive %

C. Comparison with Snort

Snort is an open source network intrusion prevention and detection system [22]. To detect SYN flooding attacks we have to manually add static rules that set threshold values on the number of half open counts. Whenever the count exceeds the threshold it will throw up an alert. The proposed detection system takes into account the statistics of the current traffic and dynamically sets thresholds, so the rate of false alarms is relatively low. It was relatively difficult to set dynamic rules in earlier Snort versions. Snort 2.6 and later versions have the ability to add preprocessors and rules as dynamically loadable modules, but this concept is in the development phase. Many organisations have continued to rely upon traditional Snort rules. The ultimate aim is to integrate the proposed detection system with Snort so that we can take advantage of both detection systems.

VI. CONCLUSION

Time series modeling has an important role to play in the performance evaluation of computer networks.
As an example, we motivate the use of GARCH for the detection of TCP SYN flooding attacks. This work has highlighted some important results. First, GARCH(1,1) prediction can be used to analyze network traffic. Even though ARCH/GARCH modeling techniques are mostly used in financial time series, they can be used to analyze network time series data to good effect. GARCH models fit network traffic data better than LP, which supports the conclusion that network data is somewhat heteroskedastic in nature. Hence, with the GARCH(1,1) technique we can detect low intensity SYN flooding attacks more promptly than with LP. Even though this paper has focused on the TCP SYN flooding attack, a similar method can be used to detect other DoS attacks such as RESET attacks, ACK flooding, ICMP flooding etc. Choosing appropriate parameters, this approach should be able to detect other TCP based DoS attacks better than many other linear time series models.

REFERENCES

[1] Computer Emergency Response Team, CERT Coordination Center, Denial of Service Attacks. [Online]. Available: http: // tips/denial of service.html
[2] CSI/FBI Computer Crime and Security Survey. [Online]. Available: area/pdfs/fbi/fbi24.pdf
[3] D. Moore, G. M. Voelker, and S. Savage, Inferring internet denial-of-service activity.
[4] D. M. Divakaran, H. A. Murthy, and T. A. Gonsalves, Detection of SYN flooding attacks using linear prediction analysis, 14th IEEE International Conference on Networks, pp. 1-6, September 2006.
[5] B. Zhou, D. He, and Z. Sun, Traffic predictability based on ARIMA/GARCH model, 2006. [Online]. Available: all.jsp?arnumber=
[6] SYN Cookies. [Online]. Available:
[7] J. Lemon, Resisting SYN flood DoS attacks with a SYN cache, in BSDCon 2002, Feb 2002.
[8] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, Analysis of a denial of service attack on TCP, in Proceedings of the 1997 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, May 1997.
[9] TCP SYN Flooding Attack and the Firewall-1 SYNDefender. [Online]. Available:
[10] S. V. A and P. F, Application of anomaly detection algorithms for detecting SYN flooding attacks, in IEEE GLOBECOM 2004, no. 4.
[11] H. Wang, D. Zhang, and K. G. Shin, Detecting SYN flooding attacks, in INFOCOM 2002, Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE.
[12] The Telecommunications and Computer Networking group, Indian Institute of Technology. [Online]. Available:
[13] W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, On the self-similar nature of Ethernet traffic (extended version), IEEE/ACM Transactions on Networking, no. 1.
[14] A. Sang and S. Li, A predictability analysis of network traffic, no. 39, 2002.
[15] A. Adas, Traffic models in broadband networks, IEEE Communications Magazine, no. 7.
[16] GARCH Toolbox. [Online]. Available: DOCSERVER/raw/garch.pdf
[17] B. Qian and K. Rasheed, Hurst exponent and financial market predictability, in IASTED Conference on Financial Engineering and Applications (FEA 2004), 2004.
[18] J. M. Maheu, Can GARCH models capture the long-range dependence in financial market volatility? University of Toronto, Dept. of Economics, Tech. Rep.
[19] T. Bollerslev, Generalized autoregressive conditional heteroskedasticity, Journal of Econometrics, vol. 31.
[20] R. Engle, GARCH 101: The use of ARCH/GARCH models in applied econometrics, The Journal of Economic Perspectives, no. 4.
[21] G. Kirchgässner and J. Wolters, Introduction to Modern Time Series Analysis, Springer, 2007.
[22] Snort. [Online]. Available:
IEICE TRANS. COMMUN., VOL.Exx??, NO.xx XXXX 2x 1 PAPER Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi OHSITA a), Shingo ATA b), Members, and Masayuki
More informationA Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence
2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da
More informationSYN Flood Attack Protection Technology White Paper
Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided
More informationAuthors: Mark Handley, Vern Paxson, Christian Kreibich
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range
More informationDetecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically
IEICE TRANS. COMMUN., VOL.Exx??, NO.xx XXXX 2x 1 PAPER Detecting Distributed Denial-of-Service Attacks by analyzing TCP SYN packets statistically Yuichi OHSITA a), Student Member, Shingo ATA b), and Masayuki
More informationChapter 7. Denial of Service Attacks
Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),
More informationMINI-PAPER A Gentle Introduction to the Analysis of Sequential Data
MINI-PAPER by Rong Pan, Ph.D., Assistant Professor of Industrial Engineering, Arizona State University We, applied statisticians and manufacturing engineers, often need to deal with sequential data, which
More informationA proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing
A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing Yuki Katsurai *, Yoshitaka Nakamura **, and Osamu Takahashi ** * Graduate School
More informationAn Implementation of LoSS Detection with Second Order Statistical Model
Postgraduate Annual Research Seminar 007 (3-4 July 007) An Implementation of LoSS Detection with Second Order Statistical Model Mohd Fo ad Rohani *, Mohd Aizaini Maarof *, Ali Selamat * and Houssain ettani
More informationDetecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan.
Detecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan. aamir.islam@pcit.ucp.edu.pk Abstract Denial of Service (DoS) attack
More informationSecurity Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX
Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 12.2SX Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com
More informationDoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors
DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team
More informationBuffer Management for Self-Similar Network Traffic
Buffer Management for Self-Similar Network Traffic Faranz Amin Electrical Engineering and computer science Department Yazd University Yazd, Iran farnaz.amin@stu.yazd.ac.ir Kiarash Mizanian Electrical Engineering
More informationLecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms
CS 4740/6740 Network Security Feb. 09, 2011 Lecturer: Ravi Sundaram I. Worms and Viruses Lecture 6: Worms, Viruses and DoS attacks 1. Worms They are self-spreading They enter mostly thru some security
More informationThe aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are
The aim of this unit is to review the main concepts related to TCP and UDP transport protocols, as well as application protocols. These concepts are important requirements for developing programs that
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for
More informationImproving TCP Performance over Wireless Networks using Loss Predictors
Improving TCP Performance over Wireless Networks using Loss Predictors Fabio Martignon Dipartimento Elettronica e Informazione Politecnico di Milano P.zza L. Da Vinci 32, 20133 Milano Email: martignon@elet.polimi.it
More informationNETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES
NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES RENATO PREIGSCHADT DE AZEVEDO, DOUGLAS CAMARGO FOSTER, RAUL CERETTA NUNES, ALICE KOZAKEVICIUS Universidade
More informationYour projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100
You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your
More informationNetwork Traffic Anomaly Detection based on Ratio and Volume Analysis
190 Network Traffic Anomaly Detection based on Ratio and Volume Analysis Hyun Joo Kim, Jung C. Na, Jong S. Jang Active Security Technology Research Team Network Security Department Information Security
More informationCYBER ATTACKS EXPLAINED: PACKET SPOOFING
CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service
More informationIntroduction and Statement of the Problem
Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network
More informationIntrusion Detection with CUSUM for TCP-Based DDoS
Intrusion Detection with CUSUM for TCP-Based DDoS Fang-Yie Leu and Wei-Jie Yang Department of Computer Science and Information Engineering, Tunghai University, Taiwan leufy@thu.edu.tw Abstract. DDoS(Distributed
More informationA senior design project on network security
Michigan Technological University Digital Commons @ Michigan Tech School of Business and Economics Publications School of Business and Economics Fall 2007 A senior design project on network security Yu
More informationMean Waiting Delay for Web Object Transfer in Wireless SCTP Environment
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 009 proceedings Mean aiting Delay for eb Object Transfer in
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking
More informationRouting Protocols in MANETs
Chapter 4 Routing Protocols in MANETs 4.1 Introduction The main aim of any Ad Hoc network routing protocol is to meet the challenges of the dynamically changing topology and establish a correct and an
More informationDenial of Service (DoS) attacks and countermeasures
Dipartimento di Informatica Università di Roma La Sapienza Denial of Service (DoS) attacks and countermeasures Definitions of DoS and DDoS attacks Denial of Service (DoS) attacks and countermeasures A
More informationTable of Contents 1 TCP Proxy Configuration 1-1
Table of Contents 1 TCP Proxy Configuration 1-1 Overview 1-1 Introduction to SYN Flood Attack 1-1 Introduction to TCP Proxy 1-1 How TCP Proxy Works 1-2 Configuring TCP Proxy 1-3 Configuration Task List
More informationETSF05/ETSF10 Internet Protocols Transport Layer Protocols
ETSF05/ETSF10 Internet Protocols Transport Layer Protocols 2016 Jens Andersson Transport Layer Communication between applications Process-to-process delivery Client/server concept Local host Normally initialiser
More informationTCP and Congestion Control (Day 1) Yoshifumi Nishida Sony Computer Science Labs, Inc. Today's Lecture
TCP and Congestion Control (Day 1) Yoshifumi Nishida nishida@csl.sony.co.jp Sony Computer Science Labs, Inc 1 Today's Lecture Part1: TCP concept Part2: TCP detailed mechanisms Part3: Tools for TCP 2 1
More informationDetecting Anomalies in Network Traffic Using Maximum Entropy Estimation
Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Yu Gu, Andrew McCallum, Don Towsley Department of Computer Science, University of Massachusetts, Amherst, MA 01003 Abstract We develop
More informationAnomaly Detection in Cyber Physical Systems
Anomaly Detection in Cyber Physical Systems Maggie Cheng Illinois Institute of Technology December 11, 2018 IEEE Big Data Conference Seattle, WA Outline Introduction Outlier Detection Sequential Change
More information6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1
6. Transport Layer 6.1 Internet Transport Layer Architecture 6.2 UDP (User Datagram Protocol) 6.3 TCP (Transmission Control Protocol) 6. Transport Layer 6-1 6.1 Internet Transport Layer Architecture The
More informationRED behavior with different packet sizes
RED behavior with different packet sizes Stefaan De Cnodder, Omar Elloumi *, Kenny Pauwels Traffic and Routing Technologies project Alcatel Corporate Research Center, Francis Wellesplein, 1-18 Antwerp,
More informationDDoS Attack Detection Using Moment in Statistics with Discriminant Analysis
DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis Pradit Pitaksathienkul 1 and Pongpisit Wuttidittachotti 2 King Mongkut s University of Technology North Bangkok, Thailand 1 praditp9@gmail.com
More informationWorldwide Detection of Denial of Service (DoS) Attacks
Worldwide Detection of Denial of Service (DoS) Attacks David Moore, Geoff Voelker and Stefan Savage August 15, 2001 dmoore @ caida.org www.caida.org Outline The Backscatter Analysis Technique Observations
More informationStrengthening and Securing the TCP/IP Stack against SYN Attacks
Strengthening and Securing the TCP/IP Stack against SYN Attacks A.Baes Mohamed Arab Academy for Science and Technology baithmm@hotmail.com Abstract. This paper analyzes a (DoS) Denial of Service attack
More informationSYS 6021 Linear Statistical Models
SYS 6021 Linear Statistical Models Project 2 Spam Filters Jinghe Zhang Summary The spambase data and time indexed counts of spams and hams are studied to develop accurate spam filters. Static models are
More informationBayesian Learning Networks Approach to Cybercrime Detection
Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211
More informationVisualization of Internet Traffic Features
Visualization of Internet Traffic Features Jiraporn Pongsiri, Mital Parikh, Miroslova Raspopovic and Kavitha Chandra Center for Advanced Computation and Telecommunications University of Massachusetts Lowell,
More informationImproved Detection of Low-Profile Probes and Denial-of-Service Attacks*
Improved Detection of Low-Profile Probes and Denial-of-Service Attacks* William W. Streilein Rob K. Cunningham, Seth E. Webster Workshop on Statistical and Machine Learning Techniques in Computer Intrusion
More informationTransmission Control Protocol. ITS 413 Internet Technologies and Applications
Transmission Control Protocol ITS 413 Internet Technologies and Applications Contents Overview of TCP (Review) TCP and Congestion Control The Causes of Congestion Approaches to Congestion Control TCP Congestion
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationUser Datagram Protocol (UDP):
SFWR 4C03: Computer Networks and Computer Security Feb 2-5 2004 Lecturer: Kartik Krishnan Lectures 13-15 User Datagram Protocol (UDP): UDP is a connectionless transport layer protocol: each output operation
More informationPerformance of UMTS Radio Link Control
Performance of UMTS Radio Link Control Qinqing Zhang, Hsuan-Jung Su Bell Laboratories, Lucent Technologies Holmdel, NJ 77 Abstract- The Radio Link Control (RLC) protocol in Universal Mobile Telecommunication
More informationConnection Settings. What Are Connection Settings? management connections that go to the ASA.
This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections that go to the ASA. What Are?, page 1 Configure, page 2 Monitoring Connections,
More informationDOMINO: A System to Detect Greedy Behavior in IEEE Hotspots
DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots By Maxim Raya, Jean-Pierre Hubaux, Imad Aad Laboratory for computer Communications and Applications(LCA) School of Computer and Communication
More informationAdaptive Mechanism for Aggregation with fragments retransmission in high-speed wireless networks
Int. J. Open Problems Compt. Math., Vol. 4, No. 3, September 2011 ISSN 1998-6262; Copyright ICSRS Publication, 2011 www.i-csrs.org Adaptive Mechanism for Aggregation with fragments retransmission in high-speed
More informationTCP Performance. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim
TCP Performance EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks
More information20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer.
20: Networking (2) Mark Handley TCP Socket Buffers Application Application Kernel write Kernel read Socket buffer Socket buffer DMA DMA NIC TCP Acks NIC TCP Data 1 TCP Socket Buffers Send-side Socket Buffer
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationDiscriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric
Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering,
More informationCISCO CONTEXT-BASED ACCESS CONTROL
51-10-41 DATA COMMUNICATIONS MANAGEMENT CISCO CONTEXT-BASED ACCESS CONTROL Gilbert Held INSIDE Operation; Intersection; The Inspect Statement; Applying the Inspection Rules; Using CBAC OVERVIEW Until 1999,
More informationELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
More informationCisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection
Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Document ID: 98705 Contents Introduction Prerequisites Requirements Components Used Conventions
More informationTree-Based Minimization of TCAM Entries for Packet Classification
Tree-Based Minimization of TCAM Entries for Packet Classification YanSunandMinSikKim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington 99164-2752, U.S.A.
More informationDixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites
Characterization and Implications of Flash Crowds and DoS attacks on websites Dixit Verma Department of Electrical & Computer Engineering Missouri University of Science and Technology dv6cb@mst.edu 9 Feb
More informationTransport Protocols and TCP
Transport Protocols and TCP Functions Connection establishment and termination Breaking message into packets Error recovery ARQ Flow control Multiplexing, de-multiplexing Transport service is end to end
More informationModelling data networks research summary and modelling tools
Modelling data networks research summary and modelling tools a 1, 3 1, 2 2, 2 b 0, 3 2, 3 u 1, 3 α 1, 6 c 0, 3 v 2, 2 β 1, 1 Richard G. Clegg (richard@richardclegg.org) December 2011 Available online at
More information