Testing of DDoS Protection Solutions


Lukas Malina, Petr Dzurenda, Jan Hajny
Faculty of Electrical Engineering and Communication, Brno University of Technology, Brno, Czech Republic

Abstract

Distributed Denial of Service (DDoS) attacks hit networks and web services every day. Many current research projects and activities try to design various DDoS protection solutions. Nevertheless, DDoS attacks keep becoming more advanced, ingenious and powerful, so many of these comprehensive DDoS protection solutions are not efficient enough and do not fully mitigate advanced DDoS attacks. Accordingly, it is important to test DDoS protection solutions and reveal their limitations and bottlenecks before deploying them in networks. This work deals with DoS and DDoS detection techniques and presents testing procedures for DDoS protection solutions. We describe the state of the art in detection techniques for current DDoS attacks. The techniques are based on signature and anomaly detection. Other alternative approaches are also evaluated and their advantages and drawbacks are discussed. Besides these detection techniques, we survey and evaluate DDoS protection solutions and special DDoS protection appliances. Further, we introduce two testing procedures for observing the behaviour of network security and DDoS protection appliances during DDoS attacks. The first testing procedure is based on a software DDoS generator that runs on a common server or personal computer. The paper also presents various software DDoS generators and their specifications. The second testing procedure uses the professional stress tester Spirent Avalanche, which can generate various types of DDoS attacks. This stress tester is able to mix legitimate traffic with DDoS attacks and emulates various communication protocols and services. We evaluate these testing procedures and present our experimental results for both approaches. We focus on the performance and modularity of these testing procedures and the range of possible DoS/DDoS attacks that can be generated.

Keywords: DoS Attacks, DDoS Attacks, DDoS protection, DDoS detection, network, security, tests.

1 Introduction

Internet services, websites and web applications are used by many clients every day. These services must work correctly and must be available to their users. Nevertheless, the Internet connection also enables attackers to hit these services and cause economic damage through their malfunction or interruption. Distributed denial of service attacks have become very frequent. Generally, a Denial of Service (DoS) attack is carried out by one host. Distributed DoS attacks are sent by multiple hosts or bots that are controlled by an attacker. These attacks usually flood services at target devices connected to the Internet. The basic principle of DDoS attacks is depicted in Figure 1, which shows the combination of flood DDoS and amplification flood DDoS attacks. More information about types of DDoS attacks can be found in the paper [1].

Figure 1: The principle of DDoS attacks (Flood and Amplification attacks).

DoS/DDoS attacks are threats especially for high-profile web services and sites of financial institutions, government and large corporations. Many of these institutions use data centers that are very often targets of sophisticated and powerful attacks. There are many solutions, techniques and appliances that try to mitigate DoS/DDoS attacks. Testing these solutions and devices provides important information about the defense of the sites and services. The test outputs can help to better configure the deployed devices and fix the bottlenecks in the security solutions. There are many test appliances that can provide this testing. Nevertheless, these appliances are usually expensive. Therefore, owners of websites and services are not able to test their security solutions and perform stress tests to detect the bottlenecks and limits of their sites.

In this paper, we present some state of the art DDoS detection techniques (Section 2) and protection solutions and appliances (Section 3). Then, we describe popular DDoS testing tools and appliances (Section 4). The main contribution of this work can be found in Sections 5-7, where we introduce DDoS testing procedures based on a software DDoS generator (Section 5) and a hardware appliance (Section 6). Section 7 discusses the pros and cons of these two procedures and compares them.

2 DDoS/DoS Detection Techniques

In this section, we describe basic DDoS/DoS detection techniques that try to detect DoS/DDoS attacks in data traffic or in a network. The detection can help to mitigate the damage caused by the attack. The detection must be fast and precise, and should produce a minimum number of false positive alerts. The detection devices/tools are often called Intrusion Detection Systems (IDS). A study and basic classification of IDS devices is presented in the work [2]. Generally, the DDoS/DoS detection techniques can be divided into two approaches: signature detection and anomaly detection. We also add hybrid and alternative detection techniques.

2.1 Signature detection techniques

The signature detection methods are based on knowledge of DDoS attack patterns. These signatures/patterns are usually observed by security experts. Then, the patterns are implemented in network security devices and IDS. These devices must monitor packets and recognize the patterns of incoming DDoS attacks. This type of detection is fast but is effective only against already known DDoS attacks. There are many DoS/DDoS attacks (e.g. TCP mixed flag attacks, X-mas tree attacks) that can be easily detected by this technique. On the other hand, the signature detection techniques are not able to recognize unknown DoS/DDoS attacks. More details about signature detection techniques can be found in papers [3] and [4].

2.2 Anomaly detection techniques

This type of detection method detects and classifies attacks by the anomalies they cause in network traffic. There are attacks, such as flooding attacks, that use a large amount of TCP-SYN, UDP or ICMP packets. This increase can be observed as an anomaly in the normal network traffic. The classic anomaly detection techniques can be based on the observation of dynamic statistical properties of network traffic, e.g., time to live, IP header information and other data. Some of these techniques are described in papers [5], [6], [7]. The paper [8] presents the possibility of using Artificial Intelligence (A.I.) tools, e.g., neural networks and genetic algorithms, to detect unusual network traffic and classify DDoS attacks. A.I. methods are able to learn what normal network traffic looks like, and can then detect and classify anomalies in the traffic. The main disadvantage of the anomaly detection methods is a larger number of false positive alarms. The anomaly detection methods are usually slower than signature detection methods because they observe larger samples of data from the network traffic. Nevertheless, these methods might detect unknown and new types of DDoS/DoS attacks.

2.3 Hybrid and alternative detection techniques

These detection techniques are usually based on hybrid or alternative approaches. The hybrid solutions that employ anomaly and signature methods usually have higher computational and memory complexity. Nevertheless, these hybrid techniques can combine the advantages of signature and anomaly detection methods. On the other hand, some trade-off between anomaly and signature detection techniques must be set.
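An added example (not code from the paper) of the hybrid idea in Sections 2.1 to 2.3: a signature stage that matches the TCP flag patterns named in Section 2.1 and an anomaly stage that tracks the SYN rate per time window as in Section 2.2. The record layout, the EWMA baseline, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def match_signature(flags):
    """Signature stage: name of a known-bad TCP flag pattern, or None."""
    flags &= 0x3F  # keep the six classic flag bits only
    if flags == 0:
        return "null-flags"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas-tree"
    if flags & SYN and flags & FIN:
        return "mixed-flags:SYN+FIN"
    if flags & SYN and flags & RST:
        return "mixed-flags:SYN+RST"
    return None


class SynRateBaseline:
    """Anomaly stage: EWMA mean/variance of SYN packets per window (assumed model)."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5, min_std=2.0):
        self.alpha, self.k, self.warmup, self.min_std = alpha, k, warmup, min_std
        self.mean = 0.0
        self.var = 0.0
        self.seen = 0

    def threshold(self):
        # The floor on the deviation avoids alerting on tiny jitter when the
        # learned traffic was almost perfectly constant.
        return self.mean + self.k * max(math.sqrt(self.var), self.min_std)

    def observe(self, count):
        """Return True if `count` is anomalous; learn only from normal windows."""
        if self.seen >= self.warmup and count > self.threshold():
            return True  # attack windows are not folded into the baseline
        if self.seen == 0:
            self.mean = float(count)
        else:
            delta = count - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.seen += 1
        return False


def analyze(packets, window=1.0, baseline=None):
    """Run both stages over (timestamp, src_ip, tcp_flags) records.

    Returns alerts as (window_index, stage, name, detail), ordered by window.
    """
    baseline = baseline or SynRateBaseline()
    syn_counts = Counter()
    slots = set()
    alerts = []
    for ts, src, flags in packets:
        slot = int(ts // window)
        slots.add(slot)
        name = match_signature(flags)
        if name:
            alerts.append((slot, "signature", name, src))
        elif flags & SYN and not flags & ACK:
            syn_counts[slot] += 1  # connection attempt
    if slots:
        # Walk every window, including empty ones, so quiet periods are learned.
        for slot in range(min(slots), max(slots) + 1):
            if baseline.observe(syn_counts[slot]):
                alerts.append((slot, "anomaly", "syn-rate", syn_counts[slot]))
    return sorted(alerts, key=lambda a: a[0])


def build_sample():
    """Constructed traffic: ten one-second windows with a SYN burst in window 8."""
    syn_per_second = [10, 12, 9, 11, 10, 13, 10, 11, 400, 10]
    packets = []
    for second, n in enumerate(syn_per_second):
        for i in range(n):
            src = "192.0.2.%d" % (i % 50 + 1)  # documentation address range
            ts = second + i / (n + 1)
            packets.append((ts, src, SYN))
            packets.append((ts, src, ACK))  # ordinary segment, ignored by both stages
    packets.append((3.5, "198.51.100.7", FIN | PSH | URG))  # Xmas tree pattern
    packets.append((6.5, "198.51.100.9", SYN | FIN))        # mixed flags pattern
    return packets


if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```

The signature stage flags the two malformed packets immediately, while the anomaly stage stays silent during the warm-up windows and only reports the burst once a baseline exists, which mirrors the speed versus coverage trade-off described above.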
As a hybrid approach, Blazek et al. [9] propose a method based on statistical analysis of data from different network layers. Their method provides a self-learning process, a small attack detection delay and scalable computational complexity. The paper [10] presents an alternative detection technique that is based on time series analysis. This method provides proactive DDoS detection through the correlation between the victim's traffic and the attacker's traffic. Key variables (patterns) are extracted from both traffic streams. The extracted variables can be calculated by statistical tools, e.g., Granger Causality Test, Auto Regressive Model and so on. Observed deviations from the normal profile then raise attack alarms.

3 DDoS/DoS Protection Solutions and Appliances

This section presents DDoS protection solutions and some DDoS protection appliances together with their evaluation. Firstly, we describe protection strategies based on common security devices. Secondly, we present some special anti-DDoS appliances and finally, we describe cloud based DDoS/DoS protection solutions.

3.1 Common network security devices based protection

Network security devices such as firewalls, Intrusion Detection Systems (IDSs), load balancing mechanisms and routers can be employed in comprehensive DDoS protection solutions. Nevertheless, these devices have not been designed to protect against DDoS attacks. Their imperfections are described in the paper [11]. For example, routers with configured Access Control Lists (ACLs) can defend against simple and known DDoS attacks based on nonessential and unwanted protocols, but they are not able to block many attacks that spoof IP addresses. Further, firewalls are designed to control access into and from private networks. Nevertheless, the CPU and memory of firewalls can be easily saturated by strong flood DDoS attacks. Firewalls usually do not employ antispoofing and anomaly detection mechanisms. IDSs usually provide signature-based application layer detection, but they are not designed for DDoS mitigation. Besides these network security devices, redundant links and load balancing mechanisms are employed to keep legitimate connections alive when client networks are under DDoS/DoS attacks. The cooperation of these security devices and mechanisms has to be set up and maintained. This task is not easy if the network employs devices from various vendors.
Further, some large and sophisticated DDoS attacks can overcome these security devices based protections.

3.2 Special appliances based protection

The special DDoS/DoS protection appliances offer single-box solutions that can be plugged into networks or data centers to protect the services against various types of DDoS/DoS attacks. These special anti-DDoS appliances usually have very high computing power and memory capacity. They have good technical support and can mitigate some unknown and large DDoS/DoS attacks. Some common DDoS/DoS protection appliances are briefly described in the following text:

- Radware DefensePro: this series of appliances provides DDoS/DoS mitigation by network-wide protection methods (behavioral analysis, SYN protection, TCP/UDP scanning), server protection methods (connection limit, server-cracking protection, HTTP mitigation), signature-based protection methods and access control lists. The models of Defense Pro x4420, which are designed mainly for service providers and clouds, are able to work with network throughputs up to 300 Gbps (model ). The series x420 and x412 provide network throughputs up to 40 Gbps (12 Gbps respectively) and are designed for large data centers, e-commerce and enterprises. The lower-performance series x016 and x06 are mainly for medium sized data centers, e-commerce and Internet gateways with network throughputs between 200 Mbps and 3 Gbps.
- Check Point DDoS Protector appliances: these appliances block known and unknown DDoS/DoS attacks. Several models of this DDoS protection family are offered for large data centers (X420), data centers (X412) and enterprises (X06). The most powerful appliance, X420, is able to inspect and protect up to 40 Gbps of network traffic. Dedicated hardware acceleration is employed to defend against DDoS/DoS flood attacks with a rate of up to 25 million packets per second (X420). The technical specification of these appliances claims that detection and protection against attacks takes less than 18 seconds. The Check Point DDoS Protector appliances family protects against TCP, UDP, ICMP, IGMP and Fragment DDoS attacks by using behavioral (anomaly) detection and against known DDoS attacks by using filters (signature/pattern detection). Further, the appliances are able to protect against application based DDoS/DoS attacks that run on the HTTP and DNS protocols.
- FortiDDoS: these DDoS attack mitigation appliances provide Layer 3, 4 and 7 DDoS flood mitigation, packet inspection and anomaly detection techniques. This solution does not use any signature files. The packet inspection is based on techniques such as predictive behavioral analysis, heuristic analysis, granular deep packet inspection, continuous adaptive rate limiting and stateful monitoring for specific attack vectors. FortiDDoS appliances are offered in several models. The most powerful model (2000B) is able to inspect bidirectional traffic up to 24 Gbps. The DDoS attack mitigation response time is less than 2 seconds according to the technical specification of the appliances.
- RioRey RG-Series: these appliances provide DDoS protection against 25 classes of DDoS attacks such as TCP, HTTP, UDP or ICMP based attacks. The most powerful model (RG40) is able to work with 200 Gbps bandwidth throughput in an off-ramp hairpinned mode, and for in-line applications the throughput is 100 Gb/s. The solution inspects up to 32 million packets per second. Detection and mitigation of DDoS attacks is automatic and does not use traffic patterns. DDoS detection time is seconds and mitigation takes seconds. The solution uses source and destination IP white and black lists.
- Juniper DDoS Secure: these appliances provide fine-grained DDoS mitigation. DDoS Secure protects against flood and application-layer DDoS attacks by using methods such as heuristic analysis and inspection, and dynamic and self-learning thresholds. The model 1200-SR/LR is able to work with 10 Gbps bandwidth throughput, and a cluster solution can work with up to 160 Gb/s throughput.

Generally, special appliances developed by IT network security companies are usually focused on large data centers and e-commerce clients. The main advantage of these appliances is their single-box usage and the high performance that is demanded in these large scale networks. The drawbacks of these special appliances are their high cost (tens of thousands of euros) and the restricted expansion of the protection solution if clients extend their data centers or networks.

3.3 Cloud based protection

Nowadays, there are many cloud based DDoS protection providers who offer DDoS/DoS protection as a service. This service is especially used by small-medium businesses and enterprise-level companies who cannot afford the special anti-DDoS appliances.
When a DDoS/DoS attack is detected at the client side, the whole inbound traffic is redirected to a cloud DDoS protection technology, more precisely to the nearest cloud center of the provider, which employs DDoS filtering techniques to remove the DDoS traffic and route the legitimate traffic back to the client. The cloud DDoS protection services and providers such as Incapsula, Defense.net, Prolexic DDoS Mitigation Services, Verisign DDoS Protection Services, CloudFlare Enterprise, Nexusguard and others usually rent their services on a yearly basis for thousands to tens of thousands of euros. Nevertheless, using the cloud based DDoS protection services can be less expensive for certain types of clients (small/medium high-profile e-commerce companies) than employing the special anti-DDoS appliances. On the other hand, the detection and mitigation of DDoS/DoS attacks take longer due to the routing.

4 DDoS/DoS Testing Tools and Appliances

In this section, we describe existing DDoS/DoS testing appliances and tools. Testing the protection of appliances and network devices against DoS and DDoS attacks can be realized by generating these attacks with SW tools and HW devices. Besides these software tools and hardware appliances, there are many DDoS online tests that are provided as a service by many web sites, e.g. ipstresstest.com, iddos.net, redwolfsecurity.com, IONBooter.com. Nevertheless, we focus solely on special HW appliances and SW tools that can be used in our laboratory DoS/DDoS test procedures. The devices and tools that are appropriate for laboratory testing are described in the following subsections.

4.1 Software DDoS/DoS generators/testers

Software DDoS generators and program tools are usually easy to acquire. These tools are often open source and can be downloaded for free. The tools can be run on common computers and servers which are connected to the target under test. Some popular software DDoS/DoS generators and tools are briefly described in the following text:

- Low Orbit Ion Cannon (LOIC): this open source tool, which is written in C#, provides stress testing and can generate various flooding HTTP, TCP and UDP attacks. LOIC is easy to use due to its graphic interface and enables DDoS attacks when it is used by multiple users.
- XOIC: this tool is similar to LOIC. The tool provides DoS attacks based on the TCP, UDP, ICMP and HTTP protocols that are efficient against small websites.
- DDOSSIM: this program, which is written in C++, simulates several zombie hosts having random IP addresses.
  The tool generates DDoS attacks such as TCP-connection-based attacks, application layer-based DDoS attacks, HTTP DDoS attacks, SMTP DDoS attacks and TCP flood attacks on random ports. DDOSSIM runs on Linux systems.

- PyLoris: this tool, which is written in Python, can be used for testing servers. The tool provides a simple graphic interface and generates various DoS attacks based on protocols such as HTTP, FTP, SMTP, IMAP and Telnet to hit a specific service.
- OWASP DOS HTTP POST: this tool performs DoS attacks based on the HTTP protocol. The tool has been developed by the OWASP (Open Web Application Security Project) group to provide an L7 DoS testing tool for websites.
- SlowLoris: this DoS tool generates only one type of slow denial of service attack. The tool exhausts an HTTP server by holding connections open through sending partial HTTP requests. This tool, which is programmed in Perl, does not provide TCP/UDP DoS attacks and other flood attacks.
- R-U-D-Y: this DoS tool creates HTTP POST-based DoS attacks. The tool generates low and slow attacks which open only a few connections but keep them open for a long time period.
- Tor's Hammer: this program, which is written in Python, uses HTTP POST-based DoS attacks. The attacks can be sent anonymously via the TOR network.
- Others: there are many tools that can be used for testing or for hacking, such as GoldenEye HTTP Denial Of Service Tool, DAVOSET, HULK (HTTP Unbearable Load King).

Many of the described software DDoS/DoS tools focus solely on testing web servers, such as the OWASP DOS HTTP POST tool, SlowLoris, R-U-D-Y, Tor's Hammer and HULK. Some tools such as LOIC, XOIC, DDOSSIM and PyLoris can be used to test other services such as SMTP and FTP, and can be used to flood servers and test their limits.

4.2 Hardware DDoS/DoS generators/testers

There are appliances that can serve as hardware DDoS generators. These appliances mainly serve as powerful stress testers and traffic and protocol emulators, and make it possible to test network devices or whole network segments and solutions. These appliances are usually based on multi-core processors, large memory and network interfaces with high throughput. These hardware based DDoS testers are very powerful and can generate large traffic and DDoS attacks. The main disadvantage of these appliances is their cost.

Common hardware DDoS generators and appliances are briefly described in the following text:

- Spirent Avalanche 3100 B: this appliance can generate 16 types of DoS/DDoS attacks (L2/L4) and L7 application attacks, and mix these attacks into the normal traffic. Avalanche 3100B, which is depicted in Figure 2, provides 10 Gbps fiber interfaces and generates up to HTTPS requests per second or 30 million concurrent connections. The appliance emulates various protocols at layers 4-7 and can simulate the real behavior of website clients. Avalanche 3100B is able to generate large traffic with DoS/DDoS attacks to test servers, sites or whole network parts. Moreover, the emulation of the client and server sides can be performed at the same time. Therefore, the appliance is able to test network defense devices, firewalls, routers and so on. There is also an attack designer component which is part of this tester and allows users to add their own attacks.
- Ixia Xcellon-Ultra XT: this appliance emulates various protocols at layers 4-7 (clients and servers). The performance of the appliance depends on the type of the hardware chassis. For example, the strongest type XT80-V2 provides 8 x 10 GE ports and is able to generate 3 million HTTP connections per second and SSL connections per second. The appliance can also emulate well-known DDoS attacks.

Figure 2: Spirent Avalanche 3100 B stress tester.

5 Software Based DDoS/DoS Testing Procedure

In this section, we present our proposal of a software based DDoS/DoS testing procedure. We describe the chosen testing topology with the chosen devices and the details of the procedure. Then, we present the performance results of this procedure.

5.1 Testing topology and procedure description

The testing topology consists of two switches (Cisco Catalyst 2960 and Linksys EG008W), a server/PC which generates DoS traffic (a SW DoS generator), a control terminal, service/site clients (an optional node which emulates clients, or routed real client traffic) and a tested device. This testing topology, which is based on the software DoS generator, is depicted in Figure 3.

Figure 3: Testing topology with software-based DoS generator.

The most important part is the SW DoS generator node. We use a server with Linux OS (Debian 7.4). This device must have two network interfaces with high throughput (at least 1 Gbps). The first interface is used for configuration and remote control. The second interface is used for sending the DoS traffic to a tested device. The generator can employ any of the existing software DDoS testers that are described in Section 4.1, but we use a simple script to generate DDoS/DoS attacks. The implemented DoS tester program which generates DoS attacks is written in Python. The program provides 5 types of DoS attacks, namely TCP-SYN DoS attack, TCP-RST DoS attack, TCP Xmas DoS attack, UDP flood attack and ARP DoS attack.

The hardware of the SW DoS generator node should be powerful (strong CPU and memory) to generate a large number of packets. The tested device can be a web server, a firewall, a router and so on. If we want to test web servers or other services, we should emulate website/service client traffic with a client emulator application and mix it with DoS traffic by using a high-performance switch (Switch 2) to get realistic results. If we test the performance and DoS mitigation functions of a firewall or a router, we can generate DoS attacks directly (Switch 2 is not needed). The control terminal is used for remote control and configuration of the nodes and devices in the testing topology via Switch 1.

5.2 Testing the performance results

We test our procedure with two hardware nodes of different power (HW1: CPU Intel Xeon GHz RAM 2GB / 333MHz, HW2: CPU Intel Xeon GHz RAM 8GB / 1 333MHz). Figure 4 shows how important the hardware specification of the SW DoS generator is. The more powerful device HW2 is able to generate more DDoS packets than device HW1 (HW2 around packets per second and HW1 around packets per second). The most packets can be generated by using the ARP flood attack. Nevertheless, in practice the number of packets can be limited by the network interface used (1 Gbps in this measurement).

Figure 4: Comparison of software-based DoS generator performance which runs on different hardware platforms.

6 Appliance Based DDoS/DoS Testing Procedure

In this section, we present an appliance based testing procedure. We describe the testing topology and details of this procedure. Then, we show some example results.

6.1 Testing topology and procedure description

The testing topology consists of one switch (Cisco Catalyst 2960), a test appliance which generates normal traffic and DDoS/DoS traffic, a control terminal and a tested device. This testing topology, which is based on the DDoS/DoS test appliance, is depicted in Figure 5.

Figure 5: Testing topology with DDoS/DoS test appliance.

The most important part of this procedure is the test appliance. We use the Spirent Avalanche 3100B stress tester. This tester, which is briefly described in Section 4.2, is used for generating DDoS/DoS traffic and normal traffic from emulated clients or servers. The tester provides 16 types of DDoS/DoS attacks. Furthermore, there is an attack designer component which can be used to implement new attacks for testing purposes. The advantage is that the emulations of the client and server/service sides are in one single device. The tester is able to generate several attacks at one time and mix them with emulated traffic to get more realistic results. Thus, we can test a wide range of network security devices and network services. The control terminal is used for remote control and configuration of the test appliance and the tested device in the topology via Switch 1. The connection between the test appliance and tested devices should have high throughput (e.g. 10 Gbps fiber interfaces). An example of results with the tested device Firewall ASA 5510 during SYN flood attacks is depicted in Figure 6.

Figure 6: Throughput of Cisco Firewall ASA 5510 with DDoS SYN flood attacks.

6.2 Testing the performance results

Spirent Avalanche 3100 B has several interfaces with 10 Gbps and 1 Gbps throughput. Using a 1 Gbps interface, the appliance is able to generate a huge number of DDoS packets (up to several million) per second until the link is saturated. Using one 10 Gbps interface, this appliance is able to generate around 7.5 million DDoS packets (SYN flood) per second. Avalanche 3100 B is able to mix the normal and DDoS traffic. Further, we can configure many options of DDoS attacks (rate, delay, iterance, duration and so on) and test several DDoS attacks in one test scenario.

7 Evaluation of Testing Procedures

In the following text, we evaluate both presented procedures and describe their advantages and drawbacks.

The main advantages of the software based DDoS testing procedure usually are low costs and easy deployment in various networks. Nevertheless, the disadvantages of this procedure usually are a smaller number of DDoS/DoS attacks, limited setup of the attacks, the need to emulate clients/servers on another device, and DDoS traffic performance that depends on the server's HW specifications.

The main advantages of the appliance based DDoS testing procedure usually are a sufficient number of DDoS/DoS attacks, advanced setup of the attacks, clients/servers emulation in the same device, mixing of the normal and DDoS traffic, strong performance of the attacks due to the strong HW specifications of the appliances, and technical support. On the other hand, the main disadvantage of the appliance based DDoS testing procedure usually is the higher cost of the main test appliance.

The software based DDoS testing procedure is suitable for testing small and medium sized networks and the devices employed in these networks. The appliance based procedure is more suitable for testing medium and large sized networks and for professional testing of the various network security devices that must be comprehensively tested.

8 Conclusions

In this paper, we described and evaluated the basic DDoS/DoS detection techniques (anomaly, signature and hybrid) and three DDoS/DoS protection approaches (security network devices based, Anti-DoS appliance based and cloud based). The cloud based DDoS mitigation solutions are more appropriate for small and medium sized networks due to modest costs, a high percentage of DDoS mitigation and solid detection and mitigation response times (minutes). The anti-DDoS/DoS appliance based protection solutions are usually more costly than cloud based protection solutions, but they should be employed in high-profile large e-commerce sites and data centers due to faster DDoS/DoS detection and mitigation and the higher frequency of attacks. The paper also describes some common hardware and software based DDoS/DoS generators and testers and their specifications, and presents two DDoS/DoS testing procedures. The software based testing procedure is able to test some basic DoS/DDoS attacks and flood lower-performance network devices to find their limits. For example, the DDoS SYN attack is generated up to packets per second. The appliance based testing procedure is able to test this DDoS SYN attack at up to 7.5 million packets per second if Avalanche 3100B with a 10 Gbps interface is employed.
For the professional testing of larger networks and some special security devices, the appliance based procedure is more appropriate than the software based procedure due to its performance and configuration options.

Acknowledgements

Research described in this paper was financed by the National Sustainability Program under grant LO1401, by the Czech Science Foundation under grant no P and the Technology Agency of the Czech Republic project TA. For the research, the infrastructure of the SIX Center was used.

References

[1] Dzurenda, P., Martinasek, Z., Malina, L.: Network Protection Against DDoS Attacks. International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems 4, no. 1, pp. 8-14,
[2] Alenezi, M., and Reed, M.: Methodologies for detecting DoS/DDoS attacks against network servers, in ICSNC 2012, The Seventh International Conference on Systems and Networks Communications, pp ,
[3] Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), vol. 39, p. 42 pages,
[4] Kompella, R. R., Singh, S., Varghese, G.: On scalable attack detection in the network, in Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement. ACM Press, New York, pp ,
[5] You, Y., Zulkernine, M., Haque, A.: Detecting flooding-based DDoS attacks, pp ,
[6] Talpade, R., Kim, G., Khurana, S.: NOMAD: Traffic-based network monitoring framework for anomaly detection, in Fourth IEEE Symposium on Computers and Communications, pp ,
[7] Kim, Y., Jo, J. Y., Suh, K. K.: Baseline profile stability for network anomaly detection, International Journal of Network Security, vol. 6, No. 1, pp ,
[8] Jalili, R., Imani-Mehr, F., Amini, M., Shahriari, H. R.: Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks, in Information Security Practice and Experience. Springer, pp ,
[9] Blazek, R. B., Kim, H., Rozovskii, B., Tartakovsky, A.: A novel approach to detection of denial-of-service attacks via adaptive sequential and batch-sequential change-point detection methods, pp ,
[10] Cabrera, J. B. D. et al.: Proactive detection of distributed denial of service attacks using mib traffic variables-a feasibility study, pp ,
[11] Defeating DDOS Attacks, Cisco Systems, Inc., white paper, pages 11, 2004.


TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

How To Block A Ddos Attack On A Network With A Firewall

How To Block A Ddos Attack On A Network With A Firewall A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

Cheap and efficient anti-ddos solution

Cheap and efficient anti-ddos solution Cheap and efficient anti-ddos solution Who am I? Alexei Cioban Experience in IT 13 years CEO & Founder IT-LAB 7 years IT trainings 5 years 2 About company Year of foundation - 2007 12 employees www.it-lab.md

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

4 Delivers over 20,000 SSL connections per second (cps), which

4 Delivers over 20,000 SSL connections per second (cps), which April 21 Commissioned by Radware, Ltd Radware AppDirector x8 and x16 Application Switches Performance Evaluation versus F5 Networks BIG-IP 16 and 36 Premise & Introduction Test Highlights 1 Next-generation

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE Game changing Technology für Ihre Kunden Thomas Bürgis System Engineering Manager CEE Threats have evolved traditional firewalls & IPS have not Protection centered around ports & protocols Expensive to

More information

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology JUNOS DDoS SECURE Advanced DDoS Mitigation Technology Biography Nguyen Tien Duc ntduc@juniper.net, +84 903344505 Consulting Engineer- Viet Nam CISSP # 346725 CISA # 623462 2 Copyright 2013 Juniper Networks,

More information

Introduction to DDoS Attacks. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter

Introduction to DDoS Attacks. Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter Introduction to DDoS Attacks Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter DDoS in the News Q1 2014 DDoS Attack Trends DDoS Attack Trends Q4 2013 Mobile devices

More information

Application Security Backgrounder

Application Security Backgrounder Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Methodologies for detecting DoS/DDoS attacks against network servers

Methodologies for detecting DoS/DDoS attacks against network servers Methodologies for detecting DoS/DDoS attacks against network servers Mohammed Alenezi School of Computer Science & Electronic Engineering University of Essex name Colchester, UK mnmale@essex.ac.uk Martin

More information

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks Stop DDoS before they stop you! James Braunegg (Micron 21) What Is Distributed Denial of Service A Denial of Service attack (DoS)

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

More information

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction WhitePaper DDoS Attack Mitigation Technologies Demystified The evolution of protections: From inclusion on border devices to dedicated hardware+behavior-based detection. Introduction Distributed Denial

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

A Primer for Distributed Denial of Service (DDoS) Attacks

A Primer for Distributed Denial of Service (DDoS) Attacks A Primer for Distributed Denial of Service (DDoS) Attacks Hemant Jain, VP of Engineering Sichao Wang, Director of Product Management April 2012, Fortinet, Inc A Primer for Distributed Denial of Service

More information

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

More information

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers Whitepaper SHARE THIS WHITEPAPER Table of Contents The Rising Threat of Cyber-Attack Downtime...3 Four Key Considerations

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

[Restricted] ONLY for designated groups and individuals. 2014 Check Point Software Technologies Ltd.

[Restricted] ONLY for designated groups and individuals. 2014 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals Contents 1 2 3 4 Industry Trends DDoS Attack Types Solutions to DDoS Attacks Summary 2 Cybercrime Landscape DNS Hijacking Malware 3% 3% Targeted

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

Extreme Load Test of Hardware-accelerated Adapter against DDoS Attacks

Extreme Load Test of Hardware-accelerated Adapter against DDoS Attacks Technická 12, 616 00 Brno SIX research centre is organisation unit of Brno University of Technology, based in the Czech Republic, Brno 601 90, Antoninska 548/1, VAT:CZ00216305. Extreme Load Test of Hardware-accelerated

More information

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246 Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard January 2009 Cristian Velciov ceo@andrisoft.com (+40) 721 250246 Andrisoft Solution WANGuard Platform is an enterprise-grade Linux-based software

More information

Stop DDoS Attacks in Minutes

Stop DDoS Attacks in Minutes PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)

More information

DDoS Protection on the Security Gateway

DDoS Protection on the Security Gateway DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers The Cisco Intrusion Prevention System Advanced Integration Module

More information

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

More information

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION Stephen Gates Chief Security Evangelist Corero Network Security Session ID: SEC-W04 Session Classification: Intermediate Recent Headlines Are Denial of

More information

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

More information

AntiDDoS1000 DDoS Protection Systems

AntiDDoS1000 DDoS Protection Systems AntiDDoS1000 DDoS Protection Systems Background and Challenges With the IT and network evolution, the Distributed Denial of Service (DDoS) attack has already broken away from original hacker behaviors.

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

More information

Stateful Firewalls. Hank and Foo

Stateful Firewalls. Hank and Foo Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

More information

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015 Arrow ECS University 2015 Radware Hybrid Cloud WAF Service 9 Ottobre 2015 Get to Know Radware 2 Our Track Record Company Growth Over 10,000 Customers USD Millions 200.00 150.00 32% 144.1 16% 167.0 15%

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Chapter 8 Network Security

Chapter 8 Network Security [Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

SecurityDAM On-demand, Cloud-based DDoS Mitigation

SecurityDAM On-demand, Cloud-based DDoS Mitigation SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS

More information

IxLoad-Attack: Network Security Testing

IxLoad-Attack: Network Security Testing IxLoad-Attack: Network Security Testing IxLoad-Attack tests network security appliances determining that they effectively and accurately block attacks while delivering high end-user quality of experience

More information

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:

More information

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL AWF Series Web application firewalls provide industry-leading Web application attack protection, ensuring continuity

More information

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,

More information

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

Detection of Distributed Denial of Service Attack with Hadoop on Live Network Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

Are you safe from DDoS attacks?

Are you safe from DDoS attacks? www.harppddos.com HARPP DDoS Mitigator Appliances and DDoS CERT The HARPP DDoS Mitigator s unique DDI (Deep DDoS Inspection) and AVS (Attack Visualization System) provide unparalleled protection of your

More information

Mitigating DDoS Attacks at Layer 7

Mitigating DDoS Attacks at Layer 7 Mitigating DDoS Attacks at Layer 7 Detect, Localize and Mitigate using DNS GSLB Allan Jude ScaleEngine Inc. Introductions Allan Jude 12 Years as FreeBSD Server Admin Architect of the ScaleEngine CDN (HTTP

More information

SHARE THIS WHITEPAPER

SHARE THIS WHITEPAPER Denial-of-Service (DoS) Secured Virtual Tenant Networks (VTN) Value-added DoS protection as a service for Software Defined Network (SDN) a solution paper by Radware & NEC Corporation of America Whitepaper

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Two State Intrusion Detection System Against DDos Attack in Wireless Network

Two State Intrusion Detection System Against DDos Attack in Wireless Network Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.

More information

ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239

ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239 Check Point Firewall Software and Management Software I. Description of the Item Up gradation, installation and commissioning of Checkpoint security gateway

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Check Point DDoS Protector

Check Point DDoS Protector Check Point DDoS Protector June 2012 2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. 2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. Cybercrime

More information

BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS

BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS Ram (Ramki) Krishnan, Brocade Communications Dilip Krishnaswamy, IBM Research Dave Mcdysan, Verizon AGENDA Introduction

More information

DPtech ADX Application Delivery Platform Series

DPtech ADX Application Delivery Platform Series Data Sheet DPtech ADX Series DPtech ADX Application Delivery Platform Series Overview IT requirements for service capability can be summarized as "acceleration", "security" and "reliability". The contradiction

More information

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product

More information

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3. Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators Liang Xia Frank.xialiang@huawei.com Tianfu Fu Futianfu@huawei.com Cheng He Danping He hecheng@huawei.com

More information

DENIAL-OF-SERVICE ATTACKS

DENIAL-OF-SERVICE ATTACKS DENIAL-OF-SERVICE ATTACKS 40 years old & more present then ever Robert Dürr, Brühl, 16./17.09.2015 Axians Networks & Solutions GmbH email: robert.duerr@axians.de 1 WHO IS AXIANS?! Axians is the new brand

More information

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME Don t let a DDoS attack bring your online business to a halt we can protect any server in any location DON T GET STUCK ON THE ROAD OF

More information

What's New in Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 and Cisco 7600 Series Software Release 2.1.0

What's New in Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 and Cisco 7600 Series Software Release 2.1.0 What's New in Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 and Cisco 7600 Series Software Release 2.1.0 PB458841 Product Overview The Cisco ACE Application Control Engine Module

More information

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper SHARE THIS WHITEPAPER On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper Table of Contents Overview... 3 Current Attacks Landscape: DDoS is Becoming Mainstream... 3 Attackers Launch

More information

DDoS Mitigation Techniques

DDoS Mitigation Techniques DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet

More information

Chapter 15. Firewalls, IDS and IPS
