IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks


IEICE TRANS. INF. & SYST., VOL.E91-D, NO.5 MAY 2008
PAPER Special Section on Information and Communication System Security

IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks

Ping DU†a) and Shunji ABE†, Members

SUMMARY Denial of service (DoS) attacks have become one of the most serious threats to the Internet. Detecting attacks in network traffic is an important and challenging task. However, most existing volume-based schemes cannot detect short-term attacks that have only a minor effect on traffic volume. On the other hand, feature-based schemes are not suitable for real-time detection because of their complicated calculations. In this paper, we develop an IP packet size entropy (IPSE)-based DoS/DDoS detection scheme in which the entropy changes markedly when traffic is affected by an attack. Through our analysis, we find that the IPSE-based scheme is capable of detecting not only long-term attacks but also short-term attacks that are beyond the ability of volume-based schemes to detect. Moreover, we test our proposal using two typical Internet traffic data sets from DARPA and SINET, and the test results show that the IPSE-based detection scheme can detect DoS/DDoS attacks not only in a local area network (DARPA) but also in an academic backbone network (SINET).

key words: denial of service attack, network security, attack detection

1. Introduction

With the explosive growth of the global Internet, people enjoying network services with worldwide connectivity are at risk of attacks from malicious users. In recent years, denial of service (DoS) [1] attacks have caused significant financial loss and have become one of the most serious security threats to the Internet. In a DoS attack, a malicious user often cripples a victim by simply flooding the target with many legitimate-looking requests.
A sophisticated version of DoS is known as a distributed denial of service (DDoS) attack, in which the attack is launched by multiple coordinated computers under an attacker's control. Launching a DoS/DDoS attack is very easy using attack tools such as Tribe Flood Network (TFN), TFN2K, and Trinity, which are available on the Internet [2]. But detection is still an open issue because of the complex nature of network traffic. The current approaches to DoS/DDoS detection can be divided into two types: volume-based and feature-based. In a volume-based detection scheme, attacks are detected by identifying abrupt changes in traffic volume. In [3], J. Haggerty et al. proposed a real-time anomaly detection scheme to identify TCP SYN flooding attacks by analyzing the daily maximum arrival rate. In [6], anomalies were detected with a wavelet-based signal analysis system. Although these volume-based detection schemes have been successful in isolating large traffic changes [3], [4], [6], [8]-[10], a large class of short-term DoS attacks do not cause detectable disruptions in traffic volume because they have only minor effects on it. A feature-based detection scheme detects attacks by inspecting changes in the distributional aspects of packet header fields. H. Wang et al. [7] proposed a statistics-based mechanism to detect TCP SYN flooding attacks by checking the ratio of SYN/FIN packets. In [5], a DDoS attack was detected when it caused the destination addresses to be concentrated on the victim address while the source addresses were spoofed. Although feature-based detection schemes can detect even small-volume attack traffic [5], [7], [11], inspecting the header fields of every packet to collect and analyze the features is too costly a method for detecting attacks in real time.

Manuscript received August 1, Manuscript revised December 12,
The authors are with the National Institute of Informatics, Tokyo, Japan.
a) duping@nii.ac.jp
DOI: /ietisy/e91-d
In this paper, considering that different application traffic has different packet size distributions and that this distribution changes during DoS/DDoS attacks, we propose an IP packet size entropy (IPSE)-based scheme in which attacks are detected by observing the time series of packet size entropy. A spike in the time series indicates that a possible DoS/DDoS attack is under way. We provide two methods to distinguish DoS traffic and DDoS traffic from legitimate traffic at the detected possible attack points. Unlike existing volume-based and feature-based methods, our research studies DoS/DDoS traffic characteristics from the perspective of the IP packet size distribution, which has not yet been used in attack detection. The main contribution of this paper is that our proposal not only detects long-term attack traffic, but also detects short-term attack traffic which does not cause detectable changes in traffic volume. The second contribution is that our proposal can provide a means of detecting DDoS attacks before they cripple the target. Compared with feature-based methods, our proposal does not need to inspect the header fields of each packet. This makes it simpler and more practical for real-time implementation. Finally, our proposal can work in both local area network (LAN) (such as DARPA [12]) and backbone network (such as SINET [15]) environments. The rest of the paper is organized as follows. Section 2 elaborates on the utility of the IPSE-based scheme for detecting DoS/DDoS attacks and introduces two methods for distinguishing attack traffic from legitimate traffic. Section 3 discusses the performance of our proposal compared with a traditional volume-based scheme in experiments using real traffic-trace data sets. We use DARPA data as LAN traffic and SINET data as backbone network traffic to investigate the proposed IPSE-based attack detection scheme. Section 4 concludes our proposal and outlines our future work.

Copyright (c) 2008 The Institute of Electronics, Information and Communication Engineers

2. Packet Size Entropy-Based Detection Scheme

This section describes the IP packet size entropy (IPSE)-based detection scheme. We first show how IP packet size entropy can be used to detect a potential DoS/DDoS attack. After discussing the discrepancy between legitimate traffic and DoS/DDoS attack traffic, we give a finer detection scheme.

2.1 Using Entropy to Detect Traffic Anomalies

As shown in Fig. 1, many applications have typical packet sizes with respect to requests and responses or data and acknowledgments. For long-term TCP sessions such as FTP applications, traffic mostly consists of simple acknowledgment packets of 40 bytes and full data packets of 1500 bytes. For short-term TCP sessions such as MSN and TELNET, each data packet only contains simple text messages of small size. In an HTTP application, each object on a web page corresponds to a short-term TCP session. Hence, HTTP packets have a wide range of sizes because of the different object sizes. On the other hand, attacks usually produce packets independent of the response from the victim. Moreover, flooding-based attack traffic often consists of packets with identical sizes. For example, SYN flooding attack traffic consists of SYN packets of 40 bytes and ICMP flooding attack traffic consists of ICMP packets of 1500 bytes. Hence, we believe that the packet size distribution changes under attack and that analysis of the packet size distribution can identify attacks to some degree, especially when a special IP packet size distribution appears.
How to effectively describe the packet size distribution in a manner that provides the necessary information for attack detection is the key question. After conducting observations, we find that entropy, which describes the degree of dispersal or concentration of a distribution, is an effective metric for extracting the properties of the packet size distribution in a manner that is appropriate for attack detection. By observing the time series of the entropy of packet size, we can expose changes in the packet size distribution and detect attack points. Suppose an observation window contains S packets at time t; the entropy of the packet size at time t is defined as
where n_l is the number of packets with size l in the observation window. The time series of entropy consists of the entropies calculated within a sliding observation window of specified size S. The length of this sliding observation window should depend on the duration of the attack traffic that we wish to capture. If we denote the duration of the attack traffic by S_0 packets, we need, in the ideal situation, to have q = S_0/S ≈ 1. If the quotient q is too small, the anomaly may be blurred and lost. If the quotient is too large, we may be overwhelmed by “attacks” that are of very little interest to the network operator. Our current experiment focuses on anomalies with durations of at least 200 packets. The entropy takes on a small value when the size distribution of the observed packets is concentrated (i.e., all packets are of the same size) and a large value when the size distribution is dispersed. We observed the time series of packet size entropy for the traffic from the DARPA/MIT Lincoln Laboratory off-line intrusion detection evaluation data set [12], which has been widely used for testing intrusion detection systems [13], [14]. As indicated in Fig. 2, a short-term ICMP flooding attack and a long-term SYN flooding attack happened at 09:18:15 and 11:20:15 on 03/11/1999, respectively. The ICMP flooding attack lasted for 0.3 s and the SYN flooding attack lasted for 120 s. The top plot of Fig. 2 shows that not only the long-term SYN flooding attack causes a spike in the time series of packet size entropy; the short-term ICMP flooding attack does as well. On the other hand, as shown in the bottom plot of Fig. 2, the ICMP flooding attack does not cause a detectable change in traffic volume. These analysis results show that the entropy of the IP packet size is a more suitable metric than volume because it successfully captures both long-term and short-term attacks.

Fig. 1 Illustration of packet size distribution for different applications.
Fig. 2 Example of DoS attacks viewed in terms of entropy (top plot) and volume (bottom plot).

The threshold of entropy H_th for reporting an alarm can be obtained by self-learning on legitimate traffic data for a certain period. After checking clean legitimate DARPA data sets for two weeks, we found that the entropies are mostly distributed in [0.6, 3.5] and events with entropies of less than 0.5 only happened two or three times per day. This is a very low false alarm rate. (As described in [12], a system with 10 false alarms per day is preferred.) Here, two consecutive alarms are counted as one alarm when their interval is less than one second, since the network operator has already been alerted by the first alarm and too many alarms are not meaningful. Hence, we set 0.5 as the default threshold of entropy H_th for studying the DARPA traffic data. When the entropy is less than H_th, it indicates that a possible denial of service is under way. Of course, an IPSE-based scheme cannot detect all attacks completely, and actually no scheme can. In a volume-based scheme, a false-negative case will occur for a short-term DoS attack that does not cause a detectable disruption in traffic volume. For a feature-based scheme, a false-negative case will occur for a new kind of attack that has not been described in the database of attack features. Compared with traditional volume-based schemes, an IPSE-based scheme can detect short-term DoS attacks. Moreover, because the IPSE-based scheme is not based on a database of existing attack features, it can detect new kinds of attacks. In an IPSE-based scheme, a false-negative case will occur when a wily attacker knows our detection scheme and modifies his strategy by generating attack packets of different sizes. However, there is still a possibility of finding new differences between the packet size distributions of human-participating legitimate traffic and machine-automated attack traffic. For example, when the attacker generates packets with randomized sizes, the packet size entropy of the attack traffic is expected to be much larger than that of legitimate traffic. Our future work is to detect these more stealthy attacks. A false-negative case may also occur when the attack packet rate is too low; we discuss the detection performance under different attack packet rates in Sect. 3.

2.2 Discrepancy between DoS Attack and Legitimate Traffic

Another potential problem for the IPSE-based detection scheme is a false alarm when many legitimate packets arrive simultaneously. Here, we try to solve the problem by analyzing the different packet arrival processes of legitimate applications and attacks. We make the same assumption as in [1], [16]: an attacker will do his best to cripple the victim by sending data at the maximum rate possible and will consistently make requests at higher rates than legitimate clients. Because any computer and network interface has a maximum possible transmission rate due to hardware or operating system limits, the attacker's sending rate will usually be constant. As shown in Fig. 2, besides the ICMP flooding attack at 09:18:15, which causes a small spike in the time series of packet size entropy, there is another spike at 09:28:06 which is caused by an FTP DATA session. We compare the packet arrival processes in Fig. 3 by counting the number of arriving packets at 10 ms intervals. The packets of the ICMP flooding attack traffic arrive at a constant rate, whereas the packet arrival process of the FTP DATA session is burstier.

Fig. 3 Packet arrival processes for FTP DATA session (top plot) and ICMP flooding attack traffic (bottom plot).
Fig. 4 Packet arrival process for SYN flooding attack traffic.
Figure 4 shows the packet arrival process of the SYN flooding attack traffic in one observation window whose packet size entropy is less than 0.5. In the figure, the number of arriving packets is counted at 100 ms intervals. The results show that the packet arrival rate is also approximately constant. While Figs. 3 and 4 provide some intuition for judging whether the packets arrive at a constant rate, it is difficult to automate and quantify this idea in an implementation. Whether the packet arrival rate is constant or not can also be judged by calculating the variance of the number of arriving packets per time unit. Suppose X_n is the number of packets in the n-th time interval and Σ_n X_n = S. We assume {X_n} to be a wide-sense stationary discrete stochastic process with mean μ = E[X_n]. The variance is defined as

Table 1 Statistical comparison of different types of traffic.

Var[X_n] = E[(X_n − μ)^2]. Without loss of generality, we can use a new parameter, the deviation D, defined as D = Var[X_n/μ] = E[(X_n/μ − 1)^2], to represent the variance of the packet arrival process. The calculation results for the packet arrival processes in Figs. 3 and 4 are shown in Table 1. According to the calculation results, we can see that D is a very suitable metric for judging whether the packets arrive at a constant rate or not. A smaller D indicates that the packet arrival process has a higher probability of a constant rate. On the other hand, considering the jitter during transmission, too low a threshold for D will result in a high false-negative rate. The choice of the threshold level for the deviation parameter D should be based on a collection of observations of DoS traffic and legitimate traffic trace data. After many observations, we found that 0.01 was a suitable value for the threshold of D to distinguish whether the packets arrive at a constant rate or not. Therefore, we can distinguish DoS attack traffic from legitimate traffic by calculating D. The D of legitimate traffic satisfies D_legitimate > 0.01, whereas the D of DoS attack traffic satisfies D_DoS < 0.01. When D < 0.01, the traffic can be judged to be DoS attack traffic.

2.3 Application versus DDoS Attacks

Unlike a DoS attack, which is launched by a single computer, a DDoS attack is launched by a large number of coordinated computers which generate a huge amount of traffic towards the victim. Here, we show an example of a DDoS attack in the DARPA data set (Fig. 5). The DDoS attack happened at 11:28:19 on 03/08/2000 and lasted for 5 s. As shown in the bottom plot of Fig. 5, detecting a DDoS attack at the victim's network is relatively easy since the attack traffic near the victim is unusually overwhelming. A DDoS attack can be detected by identifying unusually high traffic volumes. However, if an upstream link has been jammed by attack packets, there is not much that can be done on the victim side. The IPSE-based detection scheme not only detects the DDoS attack on the victim side, as shown in the top plot of Fig. 5; we will also try to detect a DDoS attack upstream of the victim, such as at the backbone level, as shown in detail in Sect. 3.

Fig. 5 Example of DDoS attacks viewed in terms of entropy (top plot) and volume (bottom plot).

2.4 Discrepancy between DDoS Attack and Legitimate Traffic

As has been introduced, a DDoS attack is launched by multiple coordinated computers under an attacker's control. We assume the number of computers is M and each computer sends out λ packets per second. For each computer, let N_i(t) represent the number of packets arriving from computer i on the timescale [0, t] (t < 1/λ). We get p = P(N_i(t) = 1) = λt (2) and q = P(N_i(t) = 0) = 1 − p = 1 − λt. Let P_k be the probability that k packets arrive on the timescale [0, t] (t < 1/λ) from M computers. P_k can be described as a binomial random variable. When M is large enough, the binomial distribution can be approximated by a Poisson distribution. So in a DDoS attack scenario, although each attacker sends out packets at a constant rate, in aggregate the DDoS attack traffic will blur together and follow a Poisson distribution. It is difficult to quantify the difference between DDoS attack traffic and legitimate traffic from the traffic view. On the other hand, for DDoS attack traffic in an observed window, the source IP addresses will be dispersed and the destination addresses will be concentrated on the victim. Similarly to the IPSE-based scheme, we can use the difference between the entropy of the source IP address It(SrcIP) and the entropy of the destination IP address It(DstIP) to distinguish DDoS attack traffic from legitimate traffic. Here, It(SrcIP) and It(DstIP) are defined as

where P_s is the probability of packets with source IP address s and Q_d is the probability of packets with destination IP address d. We expect an observed window with a large It(SrcIP) − It(DstIP) to be reported as containing DDoS attack traffic. According to our calculation, It(SrcIP) − It(DstIP) during the DDoS attack in Fig. 5 equals
On the other hand, the difference is less than 2 for legitimate traffic in other periods.

2.5 IPSE-Based Detection Scheme

Figure 6 summarizes the operations of the IPSE-based detection scheme. The first step is to detect a possible DoS/DDoS attack by using the packet size entropy. An observation window containing DoS/DDoS attack traffic will have a small H, less than the threshold H_th obtained by self-learning. The second step is to judge whether the traffic in the observation window arrives at a constant rate by calculating the deviation D. This step can detect DoS traffic. In the third step, we judge whether the observation window contains DDoS traffic by computing the difference between the entropies of the source IP address and the destination IP address. Although we have to inspect the packet header fields, this only happens in the third step, where a possible DDoS attack has already been detected in the first two steps. Compared with general feature-based schemes, which need to inspect the packet header fields all the time, our proposal has a much smaller calculation burden. The fourth step is to identify the spoofed source of a DDoS attack packet. For a packet arriving with source IP address s and destination IP address d, we can identify whether it is a DDoS attack packet by its corresponding pair <P_s, Q_d>, where P_s is the probability of packets with source IP address s and Q_d is the probability of packets with destination IP address d.
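The first three steps of the scheme in Fig. 6, as an added worked example rather than the authors' code: packet size entropy H against H_th (Sect. 2.1), the arrival deviation D against 0.01 (Sect. 2.2), and It(SrcIP) − It(DstIP) against 2 (Sect. 2.4), run over constructed observation windows. The packet samples, the IP addresses, the 10 ms counting interval, and the 1 ms and 50 ms timings are assumptions of this example, not trace data from the paper.

```python
# Added illustration of steps 1-3 of the IPSE-based scheme (Fig. 6); this is
# not the authors' code.  Thresholds follow the paper: H_th = 0.5 (DARPA-like
# LAN traffic), D < 0.01 for a constant-rate sender, It(SrcIP) - It(DstIP) > 2
# for DDoS.  All packet samples below are constructed, not trace data.
from collections import Counter
from math import log2
from random import Random
from typing import Iterable, List, NamedTuple, Optional

class Packet(NamedTuple):
    t_us: int   # arrival time in microseconds (assumed clock)
    size: int   # IP packet size in bytes
    src: str    # source IP address
    dst: str    # destination IP address

class Verdict(NamedTuple):
    label: str             # "legitimate", "dos" or "ddos"
    h: float               # packet size entropy of the window (step 1)
    d: Optional[float]     # arrival deviation D (None if step 2 not reached)
    diff: Optional[float]  # It(SrcIP) - It(DstIP) (None if step 3 not reached)

def entropy(counts: Iterable[int]) -> float:
    """Shannon entropy in bits of the distribution given by raw counts."""
    counts = list(counts)
    total = sum(counts)
    return -sum(c / total * log2(c / total) for c in counts if c)

def packet_size_entropy(window: List[Packet]) -> float:
    """H over the packet sizes of one observation window (Sect. 2.1)."""
    return entropy(Counter(p.size for p in window).values())

def arrival_deviation(window: List[Packet], interval_us: int) -> float:
    """D = E[(X_n/mu - 1)^2], X_n = packets in the n-th interval (Sect. 2.2).
    A constant arrival rate gives D near 0; bursty arrivals give a large D."""
    t0 = window[0].t_us
    n_bins = (window[-1].t_us - t0) // interval_us + 1
    counts = [0] * n_bins
    for p in window:
        counts[(p.t_us - t0) // interval_us] += 1
    mu = sum(counts) / n_bins
    return sum((x / mu - 1) ** 2 for x in counts) / n_bins

def ip_entropy_difference(window: List[Packet]) -> float:
    """It(SrcIP) - It(DstIP): large when many sources hit one victim (Sect. 2.4)."""
    src = entropy(Counter(p.src for p in window).values())
    dst = entropy(Counter(p.dst for p in window).values())
    return src - dst

def classify_window(window: List[Packet], h_th: float = 0.5, d_th: float = 0.01,
                    diff_th: float = 2.0, interval_us: int = 10_000) -> Verdict:
    """Steps 1-3 of Fig. 6; header fields are only inspected in step 3."""
    h = packet_size_entropy(window)
    if h >= h_th:                  # step 1: size distribution looks normal
        return Verdict("legitimate", h, None, None)
    d = arrival_deviation(window, interval_us)
    if d < d_th:                   # step 2: one constant-rate sender -> DoS
        return Verdict("dos", h, d, None)
    diff = ip_entropy_difference(window)
    if diff > diff_th:             # step 3: dispersed sources, one victim -> DDoS
        return Verdict("ddos", h, d, diff)
    # low H but bursty and not many-to-one: a step-1 false alarm (e.g. FTP DATA)
    return Verdict("legitimate", h, d, diff)

def scan(packets: List[Packet], s: int = 200, **thresholds) -> List[Verdict]:
    """Verdict time series over consecutive observation windows of S packets."""
    return [classify_window(packets[i:i + s], **thresholds)
            for i in range(0, len(packets) - s + 1, s)]

# ---- constructed sample windows (assumed addresses and timings) -----------
VICTIM = "198.51.100.5"

def icmp_flood(n: int = 200) -> List[Packet]:
    """1500-byte packets every 1 ms from one host: H = 0 and D = 0."""
    return [Packet(i * 1_000, 1500, "192.0.2.10", VICTIM) for i in range(n)]

def ftp_data_burst(n: int = 200) -> List[Packet]:
    """Same 1500-byte size, but 20-packet bursts every 50 ms: H = 0, D large."""
    return [Packet((i // 20) * 50_000 + (i % 20) * 50, 1500, "192.0.2.20", VICTIM)
            for i in range(n)]

def ddos_flood(n: int = 300, sources: int = 60, seed: int = 7) -> List[Packet]:
    """40-byte packets from 60 spoofed sources; the aggregate arrival process is
    Poisson (exponential inter-arrivals, mean 1 ms), so D stays well above 0.01."""
    rng, t, pkts = Random(seed), 0, []
    for i in range(n):
        t += int(rng.expovariate(1 / 1_000)) + 1
        pkts.append(Packet(t, 40, f"203.0.113.{i % sources}", VICTIM))
    return pkts

def web_browsing(n: int = 200) -> List[Packet]:
    """HTTP objects of eight sizes in equal shares: H = 3 bits, no alarm."""
    sizes = [40, 52, 120, 300, 576, 800, 1000, 1500]
    return [Packet(i * 2_500, sizes[i % 8], f"192.0.2.{i % 4}", f"198.51.100.{i % 3}")
            for i in range(n)]
```

`classify_window(ftp_data_burst())` shows the Sect. 2.2 point: the FTP burst has H = 0 like the ICMP flood, but its D of 3.6 keeps it from being reported as DoS.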
For a typical DDoS attack packet, since its source address is randomly dispersed and its destination address is concentrated on a victim, its P_s will be small and its Q_d will be large. Moreover, according to the performance of detection probability versus attack traffic rate studied in Sect. 3, a DDoS attack will be effectively detected only when the DDoS attack packets make up more than about 40% of the total traffic. Let k be the number of spoofed source IP addresses. In our observation, k was at least 50. For each packet, when P_s < 0.02 and Q_d > 0.4, it is identified as an attack packet and its source address s is identified as a spoofed source. Tracing a spoofed source is a very difficult task which requires the routing information of the network and should be performed hop-by-hop as in [18].

3. Experimental Evaluation

In this section, we investigate the performance of the IPSE-based algorithm presented in the previous section. Our validation approach is centered on answering two questions. (1) Does the IPSE-based method work in different environments such as a LAN or a backbone network? (2) How do the attack traffic rate and duration affect the method's performance? To answer the first question, we use not only real LAN traffic (DARPA) data but also real backbone network traffic (SINET) data to evaluate our scheme. To answer the second question, we inject attack traffic of different rates and durations into the real traffic data sets as shown in Fig. 7. We quantify performance as follows: (1) detection probability: DP = number of successful detections; and (2) detection time: the detection delay after the detection starts.
Since the performance of a feature-based detection scheme is highly dependent on the database of attack features and is usually independent of attack traffic rate and duration, here we only compare the performance of our proposed IPSE-based scheme with a traditional volume-based scheme that detects attacks by checking for disruptions in the time series of traffic volume.

3.1 LAN Experiments with DARPA Data Set

Our LAN experiments use real network traffic taken from the MIT Lincoln Laboratory. The data set taken on 03/08/2000 contains 11 hours of collected packets (08:00-19:00) and has a mean rate of about 13 packets/s.

Fig. 6 Flowchart of IPSE-based scheme.
Fig. 7 The environment of DoS/DDoS attack detection experiments.

Table 2 Detection of short-term high-rate attacks for IPSE-based scheme.

Detection of Short-Term High-Rate Attacks

Our first step is to detect short-term attacks with a high rate, as in the ICMP flooding attack in Fig. 2. In each experiment, we generate multiple attacks and inject them into the DARPA traffic for detection. The inter-arrival time between consecutive attacks is exponentially distributed with a mean value of 10 minutes. The attacks in the same experiment are modelled with the same duration and constant rate. In different experiments, one attack consists of 200, 400, or 600 packets, and the attack traffic rate varies from 100 packets/s to 600 packets/s. Without loss of generality, all packets are 1500 bytes, the same size as ICMP flooding attack traffic. Table 2 shows that the IPSE-based detection scheme has excellent performance against high-rate attacks, since it yields very high detection probabilities. As a comparison, the volume-based scheme cannot detect any attack, since these short-term attacks do not cause detectable disruptions in traffic volume.

Fig. 8 Detection probability for IPSE-based and volume-based schemes under different attack durations.

Detection of Long-Term Low-Rate Attacks

An important issue in detecting attack traffic is when it is aggregated with a large amount of additional traffic. Intuition would say that attacks with higher rates can be detected with higher certainty. Our experiments consider the effect of the packet rate of attacks on detection performance. In different experiments, the attack rate varies from 10 packets/s to 70 packets/s. The packet size is set to 40 bytes, the same size as SYN flooding attack traffic. Figure 8 compares the detection probability of the IPSE-based and volume-based schemes in LAN experiments with the DARPA data set.
In the figure, the curve labelled “τ s” denotes the detection probability when the attack traffic duration is set to τ seconds. These results indicate that the detection probability increases as attack rate and attack duration increase. It can be seen that the detection probability of the IPSE-based scheme is much higher than that of the volume-based scheme even when its attack duration is shorter than the latter's. This shows that the IPSE-based scheme has better detection probability performance than the volume-based scheme. Figure 9 shows the tradeoff between detection time and detection probability for different attack packet rates. Note that a curve labelled “λ pps” corresponds to attack traffic with a rate of λ packets/s. The analysis shows that it takes a long time to ensure a high detection probability for both schemes. Moreover, to achieve the same detection probability, the volume-based scheme needs more detection time than the IPSE-based scheme does.

Fig. 9 Tradeoff between detection time and detection probability for different attack packet rates (LAN experiments).

3.2 Backbone Network Experiments with SINET Data Set

Our backbone network experiments use real traffic data from the Japan Internet Exchange (JPIX) to SINET [15], extracted over 1.2 h (14:33-15:45, March 1, 2004) with a mean rate of about 80 kpackets/s. Before applying the IPSE-based detection scheme to the SINET traffic, we observed the time series of packet size entropy for the first 30 minutes (Fig. 10). Accordingly, we set the threshold H_th to 2.0, which is small enough to distinguish attack traffic from legitimate traffic. In a backbone network environment, small-volume DoS traffic is usually submerged in the legitimate traffic and only high-volume DDoS attack traffic can be detected. Hence we mainly investigate the performance of the detection scheme for DDoS attacks. In the following backbone network experiments, the inter-arrival time between consecutive attacks is exponentially distributed with a mean value of 1 minute and the packets in one attack are generated according to a Poisson distribution. In different experiments, the mean traffic rate varies from 60 kpackets/s to 200 kpackets/s. Without loss of generality, the packet size is set to 40 bytes. Figure 11 shows that the IPSE-based scheme is also suitable for detecting DDoS attacks in a backbone network environment. The detection probability increases as the attack traffic rate and duration increase. Moreover, the simulation results also show that the IPSE-based scheme has better detection probability than the volume-based scheme, and it is effective even for a DDoS attack with a duration of only milliseconds. Figure 12 shows the tradeoff between detection time and detection probability for different attack packet rates. For the IPSE-based scheme, although it takes a little more detection time to ensure a higher detection probability, the detection time is only several milliseconds, which is well before network congestion occurs. On the other hand, the volume-based scheme needs more than one second to ensure a high detection probability, which is about one thousand times that of the IPSE-based scheme.

Fig. 10 Time series of IP packet size entropy for SINET traffic.
Fig. 11 Detection probability for IPSE-based and volume-based schemes under different attack durations (backbone network experiments).
Fig. 12 Detection time versus detection probability for different attack packet rates (backbone network experiments).

4. Conclusion and Future Work

In this paper, we described an IP packet size entropy (IPSE)-based DoS/DDoS detection scheme, which is capable of detecting not only long-term attacks but also short-term attacks that do not cause abrupt changes in traffic volume, by observing the time series of the entropy of packet size. Although our proposal cannot detect all attacks completely (actually no scheme can), it is a novel approach with a simple implementation for DoS/DDoS detection. If a wily attacker knows our detection scheme and modifies his strategy, there is still a possibility of finding new differences between the packet size distributions of human-participating legitimate traffic and machine-automated attack traffic. Our future work is to detect more stealthy attacks.

References

[1] A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” Proc. ACM SIGCOMM
[2] D. Dittrich, “Distributed denial of service (DDoS) attacks/tools page,”
[3] J. Haggerty, T. Berry, Q. Shi, and M. Merabti, “DiDDeM: A system for early detection of TCP SYN flood attacks,” Proc. IEEE GLOBECOM 2004, vol.4, no.4, pp , Dec
[4] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing network-wide traffic anomalies,” Proc. ACM SIGCOMM
[5] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distributions,” Proc. ACM SIGCOMM
[6] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis of network traffic anomalies,” Proc. ACM SIGCOMM Internet Measurement Workshop
[7] H. Wang, D. Zhang, and K. Shin, “Detecting SYN flooding attacks,” Proc. IEEE INFOCOM 2002, no.1, pp , June
[8] A. Dainotti, A. Pescape, and G. Ventre, “Wavelet-based detection of DoS attacks,” Proc. IEEE GLOBECOM 2006, vol.25, no.1, pp , Nov
[9] J. Brutlag, “Aberrant behavior detection in time series for network monitoring,” USENIX Fourteenth System Administration Conference LISA XIV, pp , Dec
[10] C.M. Cheng, H.T. Kung, and K.S. Tan, “Use of spectral analysis in defense against DoS attacks,” Proc. IEEE GLOBECOM 2002, vol.3, no.3, pp , Dec
[11] V.A. Siris and F. Papagalou, “Application of anomaly detection algorithms for detecting SYN flooding attacks,” Proc. IEEE GLOBECOM 2004, vol.4, pp , Nov
[12] R. Lippmann, et al., “The 1999 DARPA off-line intrusion detection evaluation,” Comput. Netw., vol.34, no.4, pp , Data is available at
[13] G. Vigna and R. Kemmerer, “NetSTAT: A network-based intrusion detection system,” J. Computer Security, vol.7, no.1, pp ,
[14] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, S. Zhou, A. Tiwari, and H. Yang, “Specification based anomaly detection: A new approach for detecting network intrusions,” Proc. ACM CCS,
[15]
[16] M. Walfish, et al., “DDoS defense by offense,” Proc. ACM SIGCOMM
[17] L. Li and G. Lee, “DDoS attack detection and wavelets,” Proc. IEEE ICCCN 2003, pp , Oct
[18] H. Burch and B. Cheswick, “Tracing anonymous packets to their approximate source,” Proc. Usenix LISA, Dec

Ping Du received B.E. and M.E. degrees from the University of Science and Technology of China in 2000 and 2003, respectively. He received a Ph.D. from the Graduate University for Advanced Studies in Japan. Now, he works as a researcher at the National Institute of Informatics of Japan. His research interests include optical networks, network security, etc.

Shunji Abe received B.E. and M.E. degrees from Toyohashi University of Technology, Japan, in 1980 and 1982, respectively. He received a Ph.D. from the University of Tokyo. In 1982 he joined Fujitsu Laboratories Ltd., where he engaged in research on broadband circuit switching systems, ATM switching systems, ATM traffic control, and network performance evaluation. He worked at the National Center for Science Information Systems, Japan (NACSIS) from 1995. Since 2000 he has worked at the National Institute of Informatics of Japan as an associate professor. He is currently interested in Internet traffic analysis, network performance evaluation, optical switching system architecture, and mobile IP system architecture.


More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison

More information

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs by Charikleia Zouridaki Charikleia Zouridaki 1, Marek Hejmo 1, Brian L. Mark 1, Roshan K. Thomas 2, and Kris Gaj 1 1 ECE

More information

PAPER Node-Disjoint Paths Algorithm in a Transposition Graph

PAPER Node-Disjoint Paths Algorithm in a Transposition Graph 2600 IEICE TRANS. INF. & SYST., VOL.E89 D, NO.10 OCTOBER 2006 PAPER Node-Disjoint Paths Algorithm in a Transposition Graph Yasuto SUZUKI, Nonmember, Keiichi KANEKO a), and Mario NAKAMORI, Members SUMMARY

More information

Challenging the Supremacy of Traffic Matrices in Anomaly Detection

Challenging the Supremacy of Traffic Matrices in Anomaly Detection Challenging the Supremacy of Matrices in Detection ABSTRACT Augustin Soule Thomson Haakon Ringberg Princeton University Multiple network-wide anomaly detection techniques proposed in the literature define

More information

An Abnormal Data Detection Method Based on the Temporal-spatial Correlation in Wireless Sensor Networks

An Abnormal Data Detection Method Based on the Temporal-spatial Correlation in Wireless Sensor Networks An Based on the Temporal-spatial Correlation in Wireless Sensor Networks 1 Department of Computer Science & Technology, Harbin Institute of Technology at Weihai,Weihai, 264209, China E-mail: Liuyang322@hit.edu.cn

More information

A Scalable Approach for Packet Classification Using Rule-Base Partition

A Scalable Approach for Packet Classification Using Rule-Base Partition CNIR Journal, Volume (5), Issue (1), Dec., 2005 A Scalable Approach for Packet Classification Using Rule-Base Partition Mr. S J Wagh 1 and Dr. T. R. Sontakke 2 [1] Assistant Professor in Information Technology,

More information

Analyzing the Receiver Window Modification Scheme of TCP Queues

Analyzing the Receiver Window Modification Scheme of TCP Queues Analyzing the Receiver Window Modification Scheme of TCP Queues Visvasuresh Victor Govindaswamy University of Texas at Arlington Texas, USA victor@uta.edu Gergely Záruba University of Texas at Arlington

More information

A New Perspective in Defending against DDoS

A New Perspective in Defending against DDoS A New Perspective in Defending against DDoS Shigang Chen Randy Chow Department of Computer & Information Science & Engineering University of Florida, Gainesville, FL 326, USA {sgchen, chow}@cise.ufl.edu

More information