Change-Point Monitoring for the Detection of DoS Attacks
October-December 2004 (vol. 1 no. 4)
pp. 193-208
This paper presents a simple and robust mechanism, called Change-Point Monitoring (CPM), to detect denial of service (DoS) attacks. The core of CPM is based on inherent network protocol behaviors and is an instance of Sequential Change Point Detection. To make the detection mechanism insensitive to sites and traffic patterns, a nonparametric Cumulative Sum (CUSUM) method is applied, which makes the detection mechanism robust, more generally applicable, and much easier to deploy. CPM does not require per-flow state information and introduces only a few variables to record the protocol behaviors. The statelessness and low computation overhead of CPM make it immune to any flooding attacks. As a case study, the efficacy of CPM is evaluated by detecting a SYN flooding attack, the most common DoS attack. The evaluation results show that CPM has short detection latency and high detection accuracy.
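The nonparametric CUSUM detector the abstract describes, written out as an added illustration that is not the paper's own code: it keeps only per-interval SYN and FIN counts (no per-flow state), normalises their difference by a moving average of recent FIN counts so the statistic does not depend on the site's traffic volume, and accumulates y_n = max(0, y_{n-1} + X_n - a), raising an alarm when y_n exceeds the threshold N. The interval length, the choice of SYN/FIN as the protocol-behavior pair, the EWMA normalisation, the drift a, the threshold N and the sample traffic counts are all constructed assumptions for this example, not figures taken from the paper.

```python
"""Nonparametric CUSUM change-point detection over per-interval SYN/FIN counts.

Constructed example. Parameter values and the traffic trace are assumptions
chosen to make the mechanism visible, not values reported by the paper.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CusumDetector:
    """Tracks y_n = max(0, y_{n-1} + X_n - a) and alarms when y_n > N.

    X_n is the SYN-FIN difference of interval n divided by an EWMA of the
    FIN counts of earlier intervals. `drift` (a) is chosen so that X_n - a has
    negative mean under normal traffic, which keeps y_n pinned near zero;
    a sustained SYN surge without matching FINs makes X_n - a positive and
    y_n grows until it crosses `threshold` (N). Total state: three floats.
    """
    drift: float = 0.5          # assumed drift a
    threshold: float = 3.0      # assumed alarm threshold N
    ewma_alpha: float = 0.2     # assumed EWMA weight for the FIN baseline
    y: float = 0.0
    fin_baseline: float = 0.0
    primed: bool = False

    def update(self, syn_count: int, fin_count: int) -> Tuple[float, bool]:
        """Consume one interval's counts; return (y_n, alarm_raised)."""
        if not self.primed:
            # First interval seeds the baseline; avoid division by zero.
            self.fin_baseline = float(max(fin_count, 1))
            self.primed = True
        # Normalise by the baseline from *previous* intervals, so a flood in
        # the current interval cannot mask itself.
        x_n = (syn_count - fin_count) / max(self.fin_baseline, 1.0)
        self.y = max(0.0, self.y + x_n - self.drift)
        # Update the FIN baseline after use. FINs do not rise during a SYN
        # flood (half-open connections never complete), so it stays stable.
        self.fin_baseline = (self.ewma_alpha * fin_count
                             + (1.0 - self.ewma_alpha) * self.fin_baseline)
        return self.y, self.y > self.threshold


def simulate(intervals: List[Tuple[int, int]],
             detector: Optional[CusumDetector] = None) -> List[Tuple[float, bool]]:
    """Run the detector over a sequence of (syn_count, fin_count) intervals."""
    det = detector if detector is not None else CusumDetector()
    return [det.update(syn, fin) for syn, fin in intervals]


def first_alarm_index(intervals: List[Tuple[int, int]],
                      detector: Optional[CusumDetector] = None) -> Optional[int]:
    """Index of the first interval that raises an alarm, or None."""
    for i, (_, alarm) in enumerate(simulate(intervals, detector)):
        if alarm:
            return i
    return None


# Constructed trace: eight normal intervals where SYNs and FINs roughly
# balance, followed by three intervals of a SYN surge with no extra FINs.
SAMPLE_INTERVALS = [
    (52, 50), (48, 49), (55, 53), (50, 51),
    (53, 50), (49, 50), (51, 50), (54, 52),
    (150, 50), (220, 48), (260, 50),
]

if __name__ == "__main__":
    for i, (y, alarm) in enumerate(simulate(SAMPLE_INTERVALS)):
        print(f"interval {i:2d}  y_n={y:6.3f}  {'ALARM' if alarm else ''}")
    print("first alarm at interval", first_alarm_index(SAMPLE_INTERVALS))
```

With these assumed parameters y_n stays at zero across all normal intervals, climbs to about 1.48 in the first surge interval and crosses the threshold in the second, so the detection latency here is two intervals; raising `threshold` trades latency for a lower false-alarm rate, which is the tuning knob the abstract's "short detection latency and high detection accuracy" claim refers to.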

Index Terms:
CUSUM algorithm, DoS attacks, intrusion detection, protocol behavior.
Citation:
Haining Wang, Danlu Zhang, Kang G. Shin, "Change-Point Monitoring for the Detection of DoS Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 4, pp. 193-208, Oct.-Dec. 2004, doi:10.1109/TDSC.2004.34