Identifier uch.csd.msc//2004papagalou
Title Evaluation of Algorithms for Detecting Denial of Service Attacks from Network Traffic (Αξιολόγηση Αλγορίθμων Εντοπισμού Επιθέσεων Άρνησης Υπηρεσίας από την Κίνηση του Δικτύου)
Alternative Title Evaluation of algorithms for Denial of Service (DoS) Attack Detection based on network traffic
Creator Papagalou, Fotini
Abstract Over the past few years many sites on the Internet have been subjected to Denial of Service (DoS) attacks, among which TCP SYN flooding is the most prevalent. The aim of denial of service attacks is to consume all the available resources, with the main purpose of preventing legitimate users from receiving service. TCP SYN flooding exploits the three-way handshake mechanism of the TCP protocol and its limitation in maintaining half-open connections. Any system connected to the Internet and providing TCP-based network services, such as a Web server or mail server, is potentially subject to this kind of attack. In this study, we present and evaluate two anomaly detection algorithms for detecting early TCP SYN attacks: an adaptive threshold algorithm and a particular application of the cumulative sum (CUSUM) algorithm for change point detection. We focus on investigating, through extended experiments with real traffic traces, the tradeoffs between the detection probability, the false alarm rate and the detection delay, and how these tradeoffs are affected by the parameters of the detection algorithm and the characteristics of the attacks. Such an investigation can assist in tuning the parameters of the detection algorithm to satisfy specific performance requirements. Our experimental results indicate that although simple and straightforward algorithms, such as the adaptive threshold algorithm, have good performance for high intensity attacks, their performance deteriorates for low intensity attacks. On the other hand, algorithms based on a strong theoretical foundation, like the CUSUM algorithm, can exhibit robust performance over various attack types, without necessarily being complex or costly to implement.
Issue date 2004-04-01
Date available 2004-05-14
Collection   School/Department--School of Sciences and Engineering--Department of Computer Science--Post-graduate theses
  Type of Work--Post-graduate theses