johnh: research teaching PAPERS software other contact about

Detection of Low-Rate Attacks in Computer Networks

Gautam Thatte, Urbashi Mitra, and John Heidemann
USC/Information Sciences Institute

Abstract

 This paper develops two parametric methods to detect low-rate denial-of-service attacks and other similar near-periodic traffic, without the need for flow separation. The first method, the periodic attack detector, is based on a previous approach that exploits the near-periodic nature of attack traffic in aggregate traffic by modeling the peak frequency in the traffic spectrum. The new method adopts simple statistical models for attack and background traffic in the time-domain. Both approaches use sequential probability ratio tests (SPRTs), allowing control over false alarm rate while examining the trade-off between detection time and attack strength. We evaluate these methods with real and synthetic traces, observing that the new Poissonbased scheme uniformly detects attacks more rapidly, often in less than 200ms, and with lower complexity than the periodic attack detector. Current entropy-based detection methods provide an equivalent time to detection but require flow-separation since they utilize source/destination IP addresses. We evaluate sensitivity to attack strength (compared to the rate of background traffic) with synthetic traces, finding that the new approach can detect attacks that represent only 10% of the total traffic bitrate in fractions of a second.

Availability

This paper is available in several formats: abstract web page with pointers and cites, PDF, paper copies can be obtained by mail to the authors. Copyright terms for this paper appear below.

Reference

Thatte08a
Gautam Thatte, Urbashi Mitra, and John Heidemann. Detection of Low-Rate Attacks in Computer Networks. In Proceedings of the 11th IEEE Global Internet Symposium, p. xxx. Phoenix, Arizona, USA, IEEE. April, 2008. <http://www.isi.edu/~johnh/PAPERS/Thatte08a.html>. 
@inproceedings{Thatte08a,
	author = "Gautam Thatte and Urbashi Mitra and John Heidemann",
	title = "Detection of Low-Rate Attacks in Computer Networks",
	booktitle = "Proceedings of the 11th {IEEE} Global Internet Symposium",
	year = "2008",
	publisher = "{IEEE}",
	address = "Phoenix, Arizona, USA",
	month = "April",
	pages = "xxx",
	keywords = "dos attack detection, traffic modeling",
	url = "http://www.isi.edu/~johnh/PAPERS/Thatte08a.html",
	pdfurl = "http://www.isi.edu/~johnh/PAPERS/Thatte08a.pdf",
	copyrightholder = "{IEEE}",
}

Copyright

This paper is copyright © 2008 by IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

© 2008 $Date$