John Heidemann

Detection of Low-Rate Attacks in Computer Networks

TitleDetection of Low-Rate Attacks in Computer Networks
Publication TypeConference Paper
Year of Publication2008
AuthorsG. Thatte, U. Mitra, and J. Heidemann
Date Publishedapr
Conference LocationPhoenix, Arizona, USA

This paper develops two parametric methods to detect low-rate denial-of-service attacks and other similar near-periodic traffic, without the need for flow separation. The first method, the periodic attack detector, is based on a previous approach that exploits the near-periodic nature of attack traffic in aggregate traffic by modeling the peak frequency in the traffic spectrum. The new method adopts simple statistical models for attack and background traffic in the time-domain. Both approaches use sequential probability ratio tests (SPRTs), allowing control over false alarm rate while examining the trade-off between detection time and attack strength. We evaluate these methods with real and synthetic traces, observing that the new Poissonbased scheme uniformly detects attacks more rapidly, often in less than 200ms, and with lower complexity than the periodic attack detector. Current entropy-based detection methods provide an equivalent time to detection but require flow-separation since they utilize source/destination IP addresses. We evaluate sensitivity to attack strength (compared to the rate of background traffic) with synthetic traces, finding that the new approach can detect attacks that represent only 10% of the total traffic bitrate in fractions of a second.