
Change-Point Monitoring for the Detection of DoS Attacks

Published: 01 October 2004

Abstract

This paper presents a simple and robust mechanism, called Change-Point Monitoring (CPM), to detect denial of service (DoS) attacks. The core of CPM is based on inherent network protocol behaviors and is an instance of Sequential Change Point Detection. To make the detection mechanism insensitive to sites and traffic patterns, a nonparametric Cumulative Sum (CUSUM) method is applied, which makes the detection mechanism robust, more generally applicable, and much easier to deploy. CPM does not require per-flow state information and introduces only a few variables to record the protocol behaviors. The statelessness and low computation overhead of CPM make CPM itself immune to flooding attacks. As a case study, the efficacy of CPM is evaluated by detecting SYN flooding, the most common DoS attack. The evaluation results show that CPM has short detection latency and high detection accuracy.
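As an added example (not the paper's own code), the Python below shows what a stateless, nonparametric CUSUM monitor of the kind the abstract describes looks like in practice. The abstract does not say which protocol behavior is monitored, so the example assumes one: the balance between TCP connection requests (SYN) and teardowns (FIN or RST) seen on a link, which spoofed SYN floods disturb because no teardown ever follows a spoofed SYN. The parameter names a, h and alpha, the interval length and every packet and counter value are constructed for the example.

```python
"""Nonparametric CUSUM change-point detector over per-interval TCP counters.

Added example (not the paper's code).  Assumption not stated in the abstract:
the monitored "protocol behaviour" is the balance between connection requests
(SYN) and connection teardowns (FIN or RST) on a link.  Legitimate connections
that open with a SYN later close with a FIN/RST, so the two counts track each
other; spoofed SYNs in a flood are never followed by a teardown, so the gap
between them jumps.  Parameter names (a, h, alpha), the interval length and
all sample counts below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class CusumDetector:
    a: float = 0.125      # upper bound on the normalised SYN-FIN mean when idle
    h: float = 1.0        # alarm threshold: higher -> fewer false alarms, later alarm
    alpha: float = 0.875  # EWMA weight for the baseline FIN rate
    f_bar: float = 100.0  # baseline FINs per interval (assumed warm-up value)
    y: float = 0.0        # the CUSUM accumulator; the only other state kept

    def update(self, syn: int, fin: int) -> float:
        """Feed one interval's two counters; return the new accumulator."""
        # Normalise by the baseline FIN rate so the statistic is independent
        # of the site's absolute traffic volume (the nonparametric part).
        x = (syn - fin) / self.f_bar
        # Refresh the baseline only after using it; a flood raises SYNs but
        # not FINs, so it cannot inflate its own denominator.
        self.f_bar = self.alpha * self.f_bar + (1.0 - self.alpha) * fin
        # CUSUM recursion y_n = max(0, y_{n-1} + x_n - a).  Subtracting a makes
        # the drift negative under normal traffic, parking y at 0; a sustained
        # positive shift (even a small one) accumulates until y crosses h.
        self.y = max(0.0, self.y + x - self.a)
        return self.y

    def alarm(self) -> bool:
        return self.y > self.h


def tally(packets: Sequence[Tuple[float, str]], interval: float) -> List[Tuple[int, int]]:
    """Reduce a stream of (timestamp, TCP flag letters) to per-interval
    (syn, fin_or_rst) counts.  Only two integers per interval are kept: no
    per-flow table, so memory does not grow with the number of spoofed sources."""
    counts: Dict[int, Tuple[int, int]] = {}
    for ts, flags in packets:
        slot = int(ts // interval)
        syn, fin = counts.get(slot, (0, 0))
        if "S" in flags and "A" not in flags:   # pure SYN = connection request
            syn += 1
        if "F" in flags or "R" in flags:        # FIN or RST = teardown
            fin += 1
        counts[slot] = (syn, fin)
    return [counts.get(s, (0, 0)) for s in range(max(counts) + 1)] if counts else []


def run(intervals: Sequence[Tuple[int, int]],
        det: Optional[CusumDetector] = None) -> Tuple[Optional[int], List[float]]:
    """Drive the detector; return (index of first alarming interval, y trace)."""
    det = det or CusumDetector()
    trace, first_alarm = [], None
    for i, (syn, fin) in enumerate(intervals):
        trace.append(det.update(syn, fin))
        if first_alarm is None and det.alarm():
            first_alarm = i
    return first_alarm, trace


# Constructed (syn, fin) counts per interval.
NORMAL = [(100, 98), (103, 101), (98, 99), (105, 100), (101, 102),
          (99, 97), (104, 103), (100, 100), (102, 99), (97, 98)]
FLOOD = [(1200, 101), (1500, 99), (1400, 100)]   # abrupt spoofed-SYN flood
SLOW_RAMP = [(125, 100)] * 12                     # modest but persistent excess

if __name__ == "__main__":
    print("normal only:", run(NORMAL)[0])          # None: no false alarm
    print("flood at 10:", run(NORMAL + FLOOD)[0])  # 10: caught in the first flood interval
    print("slow ramp  :", run(SLOW_RAMP)[0])       # 8: small shift accumulates to an alarm
```

Two things to check before deploying anything like this. First, a and h set the trade-off the abstract alludes to: a must exceed the normal mean of the normalised statistic or the accumulator drifts upward on clean traffic, and h trades false alarms against detection latency. Second, the SYN/FIN pairing assumption breaks when the monitor sees only one direction of a connection (asymmetric routing) or when the window is short relative to connection lifetimes; in those cases the baseline must be learned on the link actually monitored. The detector flags the onset of a flood; because it keeps no per-flow state it cannot by itself say which sources are responsible.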



Published In

IEEE Transactions on Dependable and Secure Computing, Volume 1, Issue 4, October 2004, 64 pages

Publisher

IEEE Computer Society Press, Washington, DC, United States

Author Tags

  1. DoS attacks
  2. CUSUM algorithm
  3. intrusion detection
  4. protocol behavior

Qualifiers

  • Research-article

Cited By

  • (2024) Patronum: In-network Volumetric DDoS Detection and Mitigation with Programmable Switches. Computer Security – ESORICS 2024, pp. 187-207. doi:10.1007/978-3-031-70903-6_10. Online publication date: 16-Sep-2024.
  • (2023) Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test. The Journal of Supercomputing, vol. 79, no. 9, pp. 10353-10385. doi:10.1007/s11227-023-05057-x. Online publication date: 7-Feb-2023.
  • (2023) DoS attack detection in identification of FIR systems with binary-valued observations. Asian Journal of Control, vol. 25, no. 4, pp. 2469-2481. doi:10.1002/asjc.3005. Online publication date: 2-Jul-2023.
  • (2022) Pervasive Pose Estimation for Fall Detection. ACM Transactions on Computing for Healthcare, vol. 3, no. 3, pp. 1-23. doi:10.1145/3478027. Online publication date: 7-Apr-2022.
  • (2022) DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation. Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 217, no. C. doi:10.1016/j.comnet.2022.109361. Online publication date: 9-Nov-2022.
  • (2020) CoNFV. ACM Transactions on Reconfigurable Technology and Systems, vol. 14, no. 1, pp. 1-29. doi:10.1145/3409113. Online publication date: 18-Aug-2020.
  • (2019) Adaptive Learning for Concept Drift in Application Performance Modeling. Proceedings of the 48th International Conference on Parallel Processing, pp. 1-11. doi:10.1145/3337821.3337922. Online publication date: 5-Aug-2019.
  • (2019) Anomaly Detection Approach Using Adaptive Cumulative Sum Algorithm for Controller Area Network. Proceedings of the ACM Workshop on Automotive Cybersecurity, pp. 25-30. doi:10.1145/3309171.3309178. Online publication date: 13-Mar-2019.
  • (2019) A Binning Approach to Quickest Change Detection With Unknown Postchange Distribution. IEEE Transactions on Signal Processing, vol. 67, no. 3, pp. 609-621. doi:10.1109/TSP.2018.2881666. Online publication date: 1-Feb-2019.
  • (2018) Accelerating Online Change-Point Detection Algorithm Using 10 GbE FPGA NIC. Euro-Par 2018: Parallel Processing Workshops, pp. 506-517. doi:10.1007/978-3-030-10549-5_40. Online publication date: 27-Aug-2018.