Cai, Xue

Ph.D. Student

Department of Computer Science
University of Southern California

E-mail: xuecai at usc.edu


Spectral Analysis

Basic Approach of Spectral Analysis

 

What is spectral analysis?

Basically, spectral analysis is a method of analyzing network traffic in the frequency domain.

 

How does it work?

Step 1. Get the Internet traffic trace

Step 2. Sample the trace to get the packet arrival time series (number of packets vs. time in seconds)

Step 3. Generate the Power Spectral Density (PSD) or FFT of the time series (power vs. frequency)

Step 4. Analyze the PSD or FFT

- In this step, you could do whatever you want. How to utilize the PSD or FFT of the packet arrival time series may be the most creative part. What we are doing now is using the PSD to detect Denial of Service (DOS) attacks, as described below.

 

Using Spectral Analysis to Detect Denial of Service (DOS) Attack

 

What is in the frequency domain?

The periodicity of network traffic.

 

Where does this periodicity come from?

Data transfer over TCP connections, transfer between real-time multimedia servers and clients, or "saturated links".

 

How to detect DOS attack using spectral analysis?

We assume that links are saturated by DOS attack traffic and that saturated links have periodic behavior; thus the periodicity can be used to detect attacks.

We take a list of common link capacities and attack packet sizes, and we calculate the expected attack frequencies with the equation

expected attack frequency = link capacity / attack packet size

Then we look for the expected attack frequencies in the frequency domain to detect a DOS attack. In the PSD graph above, there is a peak frequency near 1000Hz. That is an expected attack frequency, which shows that a 125Mbps link is saturated by 1518-byte packets.
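
Steps 2 to 4 and the expected-frequency check, run on a constructed trace. This is an added example, not code from the original page. The sampling rate, window length, threshold factor, tolerance, candidate list and the conversion of packet size from bytes to bits are assumptions.

```python
import cmath, random, statistics

FS = 4096   # sampling rate in Hz (assumed); must exceed 2x the highest expected frequency
N = 4096    # samples per window (power of two), here a 1-second window

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * cmath.pi * k / n) * odd[k] for k in range(n // 2)]
    return [even[k] + tw[k] for k in range(n // 2)] + \
           [even[k] - tw[k] for k in range(n // 2)]

def arrival_series(timestamps):
    """Step 2: count packets per 1/FS-second bin."""
    series = [0] * N
    for t in timestamps:
        i = int(t * FS)
        if 0 <= i < N:
            series[i] += 1
    return series

def psd(series):
    """Step 3: periodogram of the mean-removed series, bins 0..N/2 (one bin = FS/N Hz)."""
    mean = sum(series) / len(series)
    spec = fft([v - mean for v in series])
    return [abs(c) ** 2 / len(series) for c in spec[: len(series) // 2 + 1]]

def expected_frequency(capacity_bps, packet_bytes):
    """Link capacity / packet size, with the size converted to bits (assumption)."""
    return capacity_bps / (packet_bytes * 8)

def detect(timestamps, candidates, factor=50, tol_bins=2):
    """Step 4: flag candidates whose expected frequency rises far above the PSD floor."""
    p = psd(arrival_series(timestamps))
    floor = statistics.median(p[1:])          # robust estimate of the background level
    hits = []
    for cap, size in candidates:
        k = round(expected_frequency(cap, size) * N / FS)
        if tol_bins < k < len(p) - tol_bins and \
           max(p[k - tol_bins:k + tol_bins + 1]) > factor * floor:
            hits.append((cap, size))
    return hits

# Constructed sample input: random background packets plus one packet every 1 ms.
rng = random.Random(1)
background = [rng.random() for _ in range(2000)]
flood = [k / 1000 for k in range(1000)]
CANDIDATES = [(10e6, 1250), (10e6, 1518)]     # constructed: (capacity in bit/s, size in bytes)
```

The median is used as the floor because a few strong peaks barely move it, so the threshold tracks background traffic rather than the periodic component being detected.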