Detection of variations of local irregularity of traffic under DDOS flood attack. (English) Zbl 1189.68114

Summary: The aim of Distributed Denial-Of-Service (DDOS) flood attacks is to overwhelm the attacked site or to make its service performance deterioration considerably by sending flood packets to the target from the machines distributed all over the world. This is a kind of local behavior of traffic at the protected site because the attacked site can be recovered to its normal service state sooner or later even though it is in reality overwhelmed during attack. From a view of mathematics, it can be taken as a kind of short-range phenomenon in computer networks. In this paper, we use the Hurst parameter (H) to measure the local irregularity or self-similarity of traffic under DDOS flood attack provided that fractional Gaussian noise (fGn) is used as the traffic model. As flood attack packets of DDOS make the H value of arrival traffic vary significantly away from that of traffic normally arriving at the protected site, we discuss a method to statistically detect signs of DDOS flood attacks with predetermined detection probability and false alarm probability.


68T10 Pattern recognition, speech recognition
93E10 Estimation and detection in stochastic control theory
37N99 Applications of dynamical systems


Full Text: DOI EuDML


[1] G. Coulouris, J. Dollimore, and T. Kindberg, Distributed Systems: Concepts and Design, Addison-Wesley, Reading, Mass, USA, 3rd edition, 2001. · Zbl 0848.68021
[2] E. G. Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, Intrusion.Net Book, Sparta, NJ, USA, 1999.
[3] L. Garber, “Denial-of-service attacks rip the Internet,” Computer, vol. 33, no. 4, pp. 12-17, 2000. · Zbl 05088169 · doi:10.1109/MC.2000.839316
[4] G. Toma, “Practical test functions generated by computer algorithms,” in Proceedings of the International Conference on Computational Science and Its Applications (ICCSA ’05), vol. 3482 of Lecture Notes in Computer Science, pp. 576-584, Singapore, May 2005. · Zbl 05377784 · doi:10.1007/11424857_62
[5] W. Willinger and V. Paxson, “Where mathematics meets the Internet,” Notices of the American Mathematical Society, vol. 45, no. 8, pp. 961-970, 1998. · Zbl 0973.00523
[6] M. Li, W. Zhao, W. Jia, D. Long, and C.-H. Chi, “Modeling autocorrelation functions of self-similar teletraffic in communication networks based on optimal approximation in Hilbert space,” Applied Mathematical Modelling, vol. 27, no. 3, pp. 155-168, 2003. · Zbl 1023.90007 · doi:10.1016/S0307-904X(02)00087-2
[7] B. Tsybakov and N. D. Georganas, “Self-similar processes in communications networks,” IEEE Transactions on Information Theory, vol. 44, no. 5, pp. 1713-1725, 1998. · Zbl 0988.90003 · doi:10.1109/18.705538
[8] A. Adas, “Traffic models in broadband networks,” IEEE Communications Magazine, vol. 35, no. 7, pp. 82-89, 1997. · doi:10.1109/35.601746
[9] B. B. Mandelbrot, Gaussian Self-Affinity and Fractals, Springer, New York, NY, USA, 2002. · Zbl 1007.01020
[10] M. Li and S. C. Lim, “A rigorous derivation of power spectrum of fractional Gaussian noise,” Fluctuation and Noise Letters, vol. 6, no. 4, pp. C33-C36, 2006. · doi:10.1142/S0219477506003604
[11] J. Beran, Statistics for Long-Memory Processes, vol. 61 of Monographs on Statistics and Applied Probability, Chapman and Hall, New York, NY, USA, 1994. · Zbl 0869.60045
[12] M. Li, “Change trend of averaged Hurst parameter of traffic under DDOS flood attacks,” Computers & Security, vol. 25, no. 3, pp. 213-220, 2006. · doi:10.1016/j.cose.2005.11.007
[13] M. Li and S. C. Lim, “Modeling network traffic using generalized Cauchy process,” Physica A, vol. 387, no. 11, pp. 2584-2594, 2008. · doi:10.1016/j.physa.2008.01.026
[14] J. S. Bendat and A. G. Piersol, Random Data. Analysis and Measurement Procedures, John Wiley & Sons, New York, NY, USA, 3rd edition, 2000. · Zbl 0953.62128
[15] M. Basseville, “Distance measures for signal processing and pattern recognition,” Signal Processing, vol. 18, no. 4, pp. 349-369, 1989. · doi:10.1016/0165-1684(89)90079-0
[16] K. S. Fu, Ed., Digital Pattern Recognition, Springer, Berlin, Germany, 2nd edition, 1980. · Zbl 0541.68064
[17] A. R. Webb, Statistical Pattern Recognition, Edward Arnold, London, UK, 1999. · Zbl 0968.68540
[18] M. Li and W. Zhao, “A statistical model for detecting abnormality in static-priority scheduling networks with differentiated services,” in Proceedings of the International Conference on Computational Intelligence and Security (CIS ’05), vol. 3802 of Lecture Notes in Computer Science, pp. 267-272, Springer, Xi’an, China, December 2005. · doi:10.1007/11596981_39
[19] V. Paxson, “Bro: a system for detecting network intruders in real time,” in Proceedings of the 7th USENIX Security Symposium, San Antonio, Tex, USA, January 1998.
[20] W. Yu, D. Xuan, and W. Zhao, “Middleware-based approach for preventing distributed deny of service attacks,” in Proceedings of IEEE Military Communications Conference (MILCOM ’02), vol. 2, pp. 1124-1129, Anaheim, Calif, USA, October 2002.
[21] P. Innella and O. McMillan, “An introduction to intrusion detection systems, tetrad digital integrity, LLC,” December 2001, http://www.securityfocus.com/infocus/1520/.
[22] http://en.wikipedia.org/wiki/Denial-of-service_attack/.
[23] http://www.sans.org/dosstep/index.php/.
[24] R. Bettati, W. Zhao, and D. Teodor, “Real-time intrusion detection and suppression in ATM net-works,” in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, Calif, USA, April 1999.
[25] M. Li, “An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition,” Computers & Security, vol. 23, no. 7, pp. 549-558, 2004. · doi:10.1016/j.cose.2004.04.005
[26] http://www.acm.org/sigcomm/ITA/.
[27] V. Paxson and S. Floyd, “Wide area traffic: the failure of Poisson modeling,” IEEE/ACM Transactions on Networking, vol. 3, no. 3, pp. 226-244, 1995. · doi:10.1109/90.392383
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.