John Heidemann / Papers / Detection of Low-Rate Attacks in Computer Networks

Detection of Low-Rate Attacks in Computer Networks
Gautam Thatte, Urbashi Mitra and John Heidemann

Citation

Gautam Thatte, Urbashi Mitra and John Heidemann. Detection of Low-Rate Attacks in Computer Networks. Proceedings of the 11th IEEE Global Internet Symposium (Phoenix, Arizona, USA, Apr. 2008), 1–6. [DOI] [PDF] [alt PDF]

Abstract

This paper develops two parametric methods to detect low-rate denial-of-service attacks and other similar near-periodic traffic, without the need for flow separation. The first method, the periodic attack detector, is based on a previous approach that exploits the near-periodic nature of attack traffic in aggregate traffic by modeling the peak frequency in the traffic spectrum. The new method adopts simple statistical models for attack and background traffic in the time-domain. Both approaches use sequential probability ratio tests (SPRTs), allowing control over false alarm rate while examining the trade-off between detection time and attack strength. We evaluate these methods with real and synthetic traces, observing that the new Poissonbased scheme uniformly detects attacks more rapidly, often in less than 200ms, and with lower complexity than the periodic attack detector. Current entropy-based detection methods provide an equivalent time to detection but require flow-separation since they utilize source/destination IP addresses. We evaluate sensitivity to attack strength (compared to the rate of background traffic) with synthetic traces, finding that the new approach can detect attacks that represent only 10% of the total traffic bitrate in fractions of a second.

Bibtex Citation

@inproceedings{Thatte08a,
  author = {Thatte, Gautam and Mitra, Urbashi and Heidemann, John},
  title = {Detection of Low-Rate Attacks in Computer Networks},
  booktitle = {Proceedings of the 11th IEEE Global Internet Symposium},
  year = {2008},
  sortdate = {2008-04-01},
  project = {ant, madcat},
  jsubject = {spectral_network},
  publisher = {IEEE},
  address = {Phoenix, Arizona, USA},
  month = apr,
  pages = {1--6},
  isbn = {978-1-4244-2219-7},
  doi = {10.1109/INFOCOM.2008.4544638},
  jlocation = {johnh: pafile},
  keywords = {dos attack detection, traffic modeling},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Thatte08a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Thatte08a.pdf},
  copyrightholder = {IEEE},
  copyrightterms = {
  	Personal use of this material is permitted.  However,
  	permission to reprint/republish this material for advertising
  	or promotional purposes or for creating new collective works
          for resale or redistribution to servers or lists,
  	or to reuse any copyrighted component of this work in other works
  	must be obtained from the IEEE.
  },
  usessoftware = {stream_merger}
}

Copyright

Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Copyright © by John Heidemann