Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals, Volume 2009, Article ID 256821, 13 pages

Detecting pulsing denial-of-service attacks with nondeterministic attack intervals

EURASIP Journal on Advances in …, 2009

This paper addresses the important problem of detecting pulsing denial of service (PDoS) attacks which send a sequence of attack pulses to reduce TCP throughput. Unlike previous works which focused on a restricted form of attacks, we consider a very broad class of attacks. In particular, our attack model admits any attack interval between two adjacent pulses, whether deterministic or not. It also includes the traditional flooding-based attacks as a limiting case (i.e., zero attack interval). Our main contribution is Vanguard, a new anomaly-based detection scheme for this class of PDoS attacks. The Vanguard detection is based on three traffic anomalies induced by the attacks, and it detects them using a CUSUM algorithm. We have prototyped Vanguard and evaluated it on a testbed. The experiment results show that Vanguard is more effective than the previous methods that are based on other traffic anomalies (after a transformation using wavelet transform, Fourier transform, and autocorrelation) and detection algorithms (e.g., dynamic time warping).

On a New Class of Pulsing Denial-of-Service Attacks and the Defense

2005

In this paper we analyze a new class of pulsing denial-of-service (PDoS) attacks that could seriously degrade the throughput of TCP flows. During a PDoS attack, periodic pulses of attack packets are sent to a victim. The magnitude of each pulse should be significant enough to cause packet losses. We describe two specific attack models according to the timing of the attack pulses with respect to the TCP's congestion window movement: timeout-based and AIMD (additive-increase multiplicative-decrease)-based. We show through an analysis that even a small number of attack pulses can cause significant throughput degradation. The second part of this paper is a novel two-stage scheme to detect PDoS attacks on a victim network. The first stage is based on a wavelet transform used to extract the desired frequency components of the data traffic and ACK traffic. The second stage is to detect change points in the extracted components. Through both simulation and testbed experiments, we verify the feasibility and effectiveness of the detection scheme.

Vanguard: A New Detection Scheme for a Class of TCP-targeted Denial-of-Service Attacks

2006

A few low-rate, TCP-targeted Denial-of-Service (DoS) attacks have been recently proposed, including the Shrew attack, Reduction of Quality (RoQ) attack, and Pulsing DoS (PDoS) attack. All of them use periodic attack pulses to throttle TCP flows. These attacks could potentially become major threats to the Internet's stability and therefore they have motivated the development of a number of detection mechanisms for such attacks. However, those detection mechanisms are designed for specific attacks. Moreover, they assume that the period of the attack pulses is a nonzero constant. Unfortunately, these assumptions can be easily thwarted by more sophisticated attack strategies. In this paper, we propose a new detection system called Vanguard to identify a wide range of the aforementioned low-rate DoS attacks, including the traditional flooding-based attacks as a special case. Vanguard can also detect attacks with randomized attack periods. We have validated Vanguard's efficacy based on extensive test-bed experiments. We have also compared Vanguard with other recently proposed detection systems.

Detecting Denial-of-Service attacks using the wavelet transform

Computer Communications, 2007

Anomaly-based intrusion detection is a crucial research issue as it permits identifying attacks that do not necessarily have known signatures. However, approaches using anomalies often consume more resources than those based on misuse detection and have a higher false alarm rate. This paper presents an efficient anomaly analysis method that is proved to be more efficient and less complex than the existing techniques. The approach relies on monitoring the security state by using a set of accurate metrics. The Wavelet Transform (WT) is used to decompose these metrics in the time-scale space. Attacks are viewed as Lipschitz singularities that arise at some specific points in time. Hence, the anomaly detection process is performed through processing the signals representing the metrics. The proposed approach is also shown to be extensible to the case where the monitoring points, used to gather the measurable features, are distributed according to the network topology.

Anomaly based DDoS Attack Detection

International Journal of Computer Applications, 2015

Distributed denial-of-service (DDoS) attacks pose a serious threat to network security. Several methods have been introduced to reduce the damage. However, most of the methods have been found unable to detect the attack in real time with high detection accuracy. This paper presents a simple yet effective method to detect DDoS attacks for all possible attack scenarios given by Mirkovic [1], viz. constant rate, pulsing rate, increasing rate and subgroup. The proposed method is validated using the well-known CAIDA dataset.

Wavelet-based detection of DoS attacks

Proceedings of IEEE Global …, 2006

Automated detection of anomalies in network traffic is an important and challenging task. In this work we propose an automated system to detect volume-based anomalies in network traffic caused by Denial of Service (DoS) attacks. The system has a two-stage architecture that combines more traditional approaches (Adaptive Threshold and Cumulative Sum) with a novel one based on the Continuous Wavelet Transform. Thanks to the proposed architecture, we obtain good results in terms of tradeoff between correct detections and false alarms, estimation of anomaly duration, and ability to distinguish between subsequent anomalies. We test our system using a set of publicly available traffic traces to which we superimpose anomalies related to real DoS attacks tools. Extensive test results show how the proposed system accurately detects a wide range of anomalies and how the performance indicators are affected by anomalies characteristics (i.e. amplitude and duration).

IAETSD-A Survey on Detecting Denial-of-Service Attacks

Modern world systems such as Web servers, database servers, cloud computing environments, etc., are now under threat from network attackers. One of the most serious threats is Denial-of-Service (DoS) attacks, which cause serious impact on these computing systems. In this paper, we present a detection mechanism for DoS attacks that uses Multivariate Correlation Analysis (MCA) for network traffic characterization by studying the geometrical correlations between network traffic features. Our MCA-based DoS attack detection mechanism employs the principle of anomaly-based detection in attack recognition, making it easier to detect known and unknown attacks by learning patterns of legitimate network traffic. Further, a triangle-area-based approach is employed to speed up the process of MCA. The proposed system is effectively checked using the KDD Cup 99 dataset.

Early DoS Attack Detection using Smoothened Time-Series and Wavelet Analysis

Third International Symposium on Information Assurance and Security, 2007

Denial of Service (DoS) attacks are ubiquitous to computer networks. Flood-based attacks are a common class of DoS attacks. DoS detection mechanisms that aim at detecting floods mainly look for sudden changes in the traffic and mark them anomalous. In this paper, we propose a method that considers the traffic in a network as a time series, smoothens it using an exponential moving average, and analyzes the smoothened wave using energy distribution based on wavelet analysis. The parameters we used to represent the traffic are the number of bytes received per unit time and the proportion between incoming and outgoing bytes. By analyzing the energy distribution in the wavelet form of a smoothened time series, growth in the traffic, which is the result of a DoS attack, can be detected very early. As the parameters we considered represent different properties of the network, the accuracy of the detection will be very high, with fewer false positives.

Low rate TCP denial-of-service attack detection at edge routers

IEEE Communications Letters, 2005

Low-rate TCP Denial-of-Service attacks are a new type of DoS attack that is carefully orchestrated to exploit the fixed minimum TCP RTO property, and thereby deny services to legitimate users. This type of attack is different from traditional flood-based attacks, and hence conventional solutions to detect these attacks are not applicable. We propose a novel approach to detect these attack flows at edge routers. A flow exhibiting a periodic pattern is marked malicious if its burst length is greater than or equal to the RTTs of other connections with the same server, and its time period is equal to the fixed minimum RTO. A carefully designed lightweight data structure is proposed to store the necessary flow history at edge routers. Simulation results show that such flows can be detected by our proposed approach, which does not require any modification to TCP congestion control algorithms such as randomizing the fixed minimum RTO.