Performance Evaluation of Multi-Stage Change-Point Detection Scheme against DDoS Attacks by Random Scan Worms

Transcription

1 Performance Evaluaton of Mult-Stage Change-Pont Detecton Scheme aganst DDoS Attacks by Random Scan Worms Tutomu Murase *, Yuknobu Fukushma **, Masayosh Kobayash *, Sakko Nshmoto **, Ryohe Fumak * and Tokum Yokohra ** * NEC Corporaton, 753 Shmonumabe, Nakahara-ku, Kawasak, Kanagawa, , Japan ** Okayama Unversty, 3-- Tsushma-naka, Okayama, Okayama, 7-853, Japan E-mal: fukusma@cne.okayama-u.ac.p, Tel: , FAX: Abstract- As a promsng approach for large-scale smultaneous events (e.g., DDoS attacks by unknown worms), we have proposed a mult-stage change-pont detecton scheme. In the scheme, the global detector gathers nformaton from dstrbuted change-pont detectors and detects smultaneous occurrence of change-ponts as target events. Because the scheme neglects sporadc false-postve change-ponts, whch are caused by non-target events such as hardware troubles and normal traffc changes, the scheme can acheve low false-postve rate. In the prevous paper, we nvestgated the performance of the scheme aganst DDoS attacks by a real worm, MSBLAST. In ths paper, we nvestgate the performance of the scheme aganst general DDoS attacks wth varous scales and smultanetes. In addton, we nvestgate the effect of the length of detectonperod for the global detector on detecton performance, where the detecton-perod means the perod durng whch the global detector regurarly checks whether or not target events occur. The smulaton results show that () our multstage change-pont detecton scheme acheves lower falsepostve rate than a stand-alone change-pont detector scheme under the constrant that detecton rate must be., (2) even f the length of detecton-perod for the global detector s not approprately set, our scheme can acheve better performance than a stand-alone change-pont detector scheme thanks to flterng effect of the global detector. I. INTRODUCTION Wth the development of the Internet nto a wdely used nformaton exchange nfrastructure, there has been a marked ncrease n malcous actvty. In partcular, largescale smultaneous events, such as dstrbuted denal of servce (DDoS) attacks and worm epdemcs, cause catastrophc damage. A detecton scheme that s capable of detectng these events s requred. Intruson detecton systems (IDSs) are manly used for the detecton of large scale smultaneous events. There are two types of detecton schemes used on IDSs: sgnaturebased schemes [, 2] and change-pont detecton schemes [3-7]. Sgnature-based schemes detect those events wth a sgnature that unquely dentfes a specfc malcous actvty. Ref. [2] proposes a detecton scheme that collects nformaton and performs sgnature-based detecton n a dstrbuted manner. Although sgnature-based schemes can detect known vruses and worms, they cannot detect unknown or novel varants. On the other hand, changepont detecton schemes can detect unknown vruses and worms as a change-pont n a montored metrc, such as traffc rate or the number of accesses to a certan port. However, they may detect change-ponts caused by nontarget events, such as hardware problems and natural traffc changes. Such msdetecton occurs because changepont detecton schemes smply detect change-ponts n a montored metrc and do not take nto account causes of change-ponts. Here, we consder change-ponts caused by non-target events to be false-postve change-ponts. One way to reduce the number of false-postve changeponts s to take nto account the correlaton among multple change-ponts. True-postve change-ponts, whch are caused by target events (.e., DDoS attacks), tend to occur smultaneously and ntensvely n very large numbers, whle false-postve change-ponts tend to occur ndependently. We can exclude false-postve changeponts by excludng those that occur ndependently, based on nformaton gathered from dstrbuted sensor nodes. We call the dstrbuted change-pont detecton scheme as the mult-stage change-pont detecton scheme and call the central devce whch gathers nformaton from dstrbuted change-pont detectors as the global detector. In the prevous study [8], we showed the effectveness of the mult-stage change-pont detecton scheme aganst DDoS attacks by a real worm, MSBLAST. In ths paper, we nvestgate the performance of our scheme aganst DDoS attacks by general random scan worms. The detecton performance of our scheme depends on the followng parameters: the scale of DDoS attacks (.e., the number of subnets that have attack hosts), the smultanety of DDoS attacks (.e., the number of attack hosts that perform an attack behavor at the same tme), and the length of detecton-perod for the global detector where the detecton-perod means the perod durng whch the global detector regurarly checks whether or not target events occur. Thus, we try to answer the followng questons: How much do the scale and the smultanety of DDoS attacks affect the performance of the multstage change-pont detecton scheme? How much does the length of detecton-perod for the global detector affect performance of the mult-stage detecton scheme? We descrbe our mult-stage change-pont detecton scheme n secton II. In secton III, we present our smulaton model and evaluaton results. Secton IV concludes the paper.

2 Local Local Result Global Alert Alert Alert Alert Local Local Network Network Network Network Fg.. Mult-stage change-pont detecton mechansm. II. DETECTION SCHEME FOR LARGE-SCALE SIMULTANEOUS EVENTS A. Mult-Stage Change-Pont Detecton Mechansm We use a mult-stage change-pont detecton mechansm consstng of one global detector (GD) and many local detectors (LDs) to detect large-scale smultaneous events (Fg. ). A local detector s deployed on each montored network and performs change-pont detecton. Whenever a local detector detects a changepont, t nforms the global detector by sendng an alert. The global detector then udges whether large-scale smultaneous events are occurrng based on the aggregated alerts. B. Change-Pont Detecton at Local s For our scheme, we can use any change-pont detecton scheme; we use ChangeFnder [5] here as a change-pont detecton scheme because t detects unknown events as change-ponts mmedately wth on-lne processng. The detecton process of ChangeFnder s as follows. Gven tme seres data of a target metrc, ChangeFnder frst learns the probablty densty functon of the data usng stochastc models. Next, t calculates an outler score for each nput data pont so that data ponts wth lower probablty obtan hgher scores. It then calculates movng averages of outler scores and generates new tme seres data. Then, t agan learns the probablty densty functon for the new tme seres data and outputs an outler score for each data pont of the new tme seres data. We call each data-pont of the new tme seres a change-pont canddate. Fnally, for each change-pont canddate, f ts score s greater than or equal to a predetermned threshold value, then ChangeFnder consders the change-pont canddate to be a change-pont and reports t to the global detector as an alert. On the other hand, when ChangeFnder s not used n a mult-stage change-pont detecton mechansm but used n a standalone way, t consders change-pont canddates wth a large score as an occurrence of target events. Examples of worm detecton usng ChangeFnder are descrbed n [6, 7]. In [6], ChangeFnder mmedately detects the nfecton behavor of MSBLAST by montorng the number of accesses per mnute to port 35. In [7], ChangeFnder mmedately detects LOVGATE, whch was an unknown worm at that tme, by montorng the number of mals sent per mnute. Change-Pont Canddate Score Fg. 2. Detecton of a smurf Mnute attack wth ChangeFnder. Fg. 2 shows another example of the detecton of a Smurf attack by ChangeFnder, whch s a type of DDoS attacks. In the example, we used traffc data ncluded n the 999 DARPA ntruson detecton evaluaton test set []. We used the ICMP traffc volume per mnute over a two-day nterval of the data set; the tme seres data of the frst day only ncludes normal traffc, whle that of the second day ncludes Smurf attack events. The changepont canddate score of the y-axs s normalzed between and 3. In Fg. 2, we can see two change-pont canddates wth hgh scores after the learnng perod. The change-pont canddate at mnute 277 catches the Smurf attack. On the other hand, another change-pont canddate at mnute 933 catches a change n the volume of normal traffc. As shown n Fg. 2, we can easly dstngush the two change-pont canddates descrbed above from the other change-pont canddates usng an approprate predetermned threshold value, and we can easly determne that the two change-pont canddates are change-ponts. However, the exstence of change-ponts such as that at mnute 933 hghlghts the dffculty n classfyng the causes of change-ponts when we use tme seres data that can change due to multple causes. C. Detecton of Large-Scale Smultaneous Events at the Global The global detector checks whether the proporton of local detectors that have sent alerts durng the latest detecton-perod Δ s greater than or equal to a predetermned threshold value. The proporton s expressed as follows: L = A[ t, ]/ L () where t s the tme for the global detector to determne f large-scale smultaneous events are occurrng, A[t,] s set to f local detector sends an alert to the global detector between t-δ and t, and A[t,] s set to otherwse, and L s the total number of local detectors. If the proporton s greater than or equal to the threshold value, the global detector udges that large-scale smultaneous events are occurrng, and otherwse t udges that they are not occurrng. Fg. 3 shows an example of the detecton of large-scale smultaneous events. The threshold value of the global detector s set to.5, and the number of local detectors s four. Although one local detector sends an alert to the global detector durng detecton-perods, 4, and 5, the global detector neglects each alert. That s, the global detector udges that large-scale smultaneous events are

3 not occurrng, because the proporton of local detectors sendng alerts durng each perod s below.5. Ths stuaton s referred to as Undetect. On the other hand, the global detector udges that large-scale smultaneous events are occurrng durng detecton-perods 2 and 3 because the proporton s greater than or equal to.5. Ths stuaton s referred to as Detect. GD Perod Undetect Perod 2 Detect Perod 3 Detect Perod 4 Undetect Alert Perod 5 Undetect III. PERFORMANCE EVALUATION We compare Detecton Rate () and False-Postve Rate () of our mult-stage change-pont detecton scheme wth those of a detecton scheme n whch each LD ndependently determnes occurrence of events n the correspondng subnet. We call the latter scheme the standalone LD scheme. As large-scale smultaneous events, we use DDoS attacks by hosts nfected wth random scan worms. A. Behavor of a Host Infected wth a Random Scan Worm We suppose that a host nfected wth a random scan worm performs TCP SYN flood attack, whch s one of the most common DoS attack, to a certan target host. We consder that an nfected host or an nfecton target host can become abnormal because of an nfecton falure (e.g., RPC falure n the nfecton behavor of MSBLAST [8]). We assume that such host s not able to nfect other hosts and also does not perform DoS attacks. B. Smulaton of DDoS Attacks by Hosts Infected wth Random Scan Worms We smulate DDoS attacks by hosts nfected wth random scan worms as follows. Step-: Smulatng the spread of random scan worms n the Internet usng the modfed Analytcal Actve Worm Propagaton (modfed AAWP) model [8] Step-2: Determnng attack start tme (.e., nfecton tme) of each nfected host that s montored by LDs Step-3: Generatng tme seres data of the number of outgong SYN packets montored by each LD Step-4: Obtanng s and s for our mult-stage change-pont detecton scheme and the standalone LD scheme In Step-, we smulate the spread of random scan worms n the Internet. The modfed AAWP (Analytcal Actve Worm Propagaton) model [8], that s a modfcaton of the AAWP model [], provdes a change n the number of hosts nfected by the worm that employs random scannng. The model uses a dscrete tme and contnuous state determnstc approxmaton model. The model gves the number of nfected hosts at each tme tck, regardng one tme tck as the tme for an nfected worm to compete nfecton. Gven parameters for the nfecton behavor of a host nfected by random scan worms n Table I, our modfed AAWP model expresses the number (n + ) of total nfected hosts at the +st tme tck as follows: n + = ( d p) n α f + γg ( ) (2) where f s the number of nfected hosts that fnd any Fg. 3. Detecton of large-scale smultaneous events by aggregatng nformaton. nfectble host at the th tme tck, g s the number of nfectble hosts that are found by any nfected host at the th tme tck and n = h, whch s the number of nfected hosts at the begnnng of the spread of a worm. In approxmatng the number of nfected/nfectble hosts that become abnormal, we assume that an nfected host fnds at most one nfectble host and an nfectble host s found by at most one nfected host. Thus, f = g. The second term (αf ) n (2) corresponds to the number of nfected hosts that become abnormal because of nfecton falures at the +st tme tck. The thrd term (γg ) n (2) means the number of nfectble hosts that are newly nfected at the +st tme tck. g s expressed as follows: sn g [( ) ][ ( ) = p V n α f β g ] (3) 32 2 = = where. For =, because any hosts are not patched and do not become abnormal, g s expressed as follows. sn g = ( V n )[ ( ) ] (4) 32 2 As shown n (3), g s calculated as the product of the number of nfectble hosts and the probablty that an nfectble host s found by any nfected hosts. The number of nfectble hosts at the th tme tck s calculated as the total number of non-patched hosts mnus the sum of the number (n ) of nfected hosts and the number ( α f + β = LD LD2 LD3 LD4 g = ) of abnormal hosts. Fg. 4 shows an example of the change n the number of hosts nfected by random scan worms, whch are obtaned wth our modfed AAWP model. Because a random scan worm spreads n the Internet n a logstc way, the number of nfected hosts (.e., attack hosts) follows a logstc curve. That s, the ncrease s exponental n the ntal phase and slows down n the later phase because the number of nfecton targets decreases. Usng ths graph, we can derve the nfecton tme (.e., attack start tme) of each nfectble host montored by LDs n Step-2. Frst, we obtan nfecton tme of the th nfected host, t ( V ), whch s an nverse functon of the number of nfected hosts n Fg. 4. We next obtan the nfecton tme of each nfectble host montored by LDs. We set the tme that s unformly selected among t s tme tme tme tme Chage-pont canddate score

4 Notaton V h b c s d p α β γ TABLE I PARAMETERS FOR MODIFIED AAWP MODEL Explanaton Total number of nfectble hosts n the Internet Number of nfected hosts at the begnnng of the spread of a worm Tme to nfect a found vctm host Number of nfecton packets per second Number of hosts scanned by an nfected host per unt tme (= bc) Rate at whch an nfected host s detected on a host and elmnated wthout patchng Rate at whch an nfected or nfectble host becomes unnfectble due to patchng Rate at whch an already nfected host becomes abnormal durng an nfecton behavor Rate at whch a found vctm host becomes abnormal durng an nfecton behavor Infecton success rate to the nfecton tme of such host because any nfected host unformly selects the vctm host. After determnng the attack start tme of each nfectble host montored by LDs, we make tme seres data of the number of outgong SYN packets per mnute montored by each LD n Step-3. As normal traffc, that s, as the number of outgong SYN packets per mnute whch are generated by all the non-nfected hosts n the correspondng subnet, we use the numbers of outgong SYN packets n a vrtual subnet of 5 weekdays n a week ncluded n the 999 DARPA ntruson detecton evaluaton set []. The number of SYN packets per mnute n the dataset ranges between and about 3. As attack traffc, we use the number of outgong SYN packets generated by the attack behavor of an nfected host. The number (a) s dfferent worm by worm. In ths paper, we determned the values by an experment usng a real worm, MSLBAST. In Step-4, we obtan s and s for our mult-stage change-pont detecton scheme and the stand-alone LD scheme based on ther detecton results aganst the number of outgong SYN packets descrbed above. For more nformaton about defntons of and, the reader can refer to [8]. C. Evaluaton Result In our scheme, the number of LDs should be as large as possble. However, due to the lmt of deployment cost, we set the number of LDs to. We assume that each LD montors a subnet wth 256 hosts (Class C network). We set the total number of nfectble hosts (V) to 8,663,863, assumng that 2% [2] of all the hosts n the Internet (433,93,99 [3]) are nfectble. The detecton performance of our scheme depends on the followng parameters: the scale of a DDoS attack (.e., the number of subnets that have attack hosts), the smultanety of a DDoS attack (.e., the number of attack hosts that perform an attack behavor at the same tme), and the length of detecton-perod (Δ) for a global detector. The scale of DDoS attacks depends on the number (e) of subnets that have nfectble hosts. The smultanety of DDoS attacks depends on the worm spread speed (c n Table I). Number of nfected hosts t Tme [s] Fg. 4. Change n the number of hosts nfected by random scan worms Frst, we nvestgate the effect of the scale (e) and the smultanety (c) of DDoS attacks on and. We evaluate our scheme n the followng cases; ) small scale and low smultanety, 2) large scale and low smultanety, and 3) small scale and hgh smultanety. We set e to 5 for large scale DDoS attacks, whle we set e to for small scale DDoS attacks. We set c to (.e., the same spread speed as MSBLAST) for DDoS attacks wth hgh smultanety, whle we set c to 2.75 (.e., one-fourth spread speed of MSBLAST) for DDoS attacks wth low smultanety. We determne parameter values for modfed AAWP model based on MSBLAST s nfecton behavor [8]: b = 5 [s], d =, p =, α =.8, β =.8, γ =.68. We set a to about 7, whch s the same as the number generated by a host nfected by MSBLAST. We set smulaton tme to 32 mn, whch s as long as the one-day data n the 999 DARPA ntruson detecton evaluaton set. We dvde the tme nto two perods: the normal perod 2 mn n duraton and the attack perod, where a random scan worm spreads and the nfected hosts perform an attack behavor, 2 mn n duraton. The duraton of the attack perod s suffcent for all of the montored subnets to be nfected by random scan worms. We set the ntal number of nfected hosts (h) to. In ths evaluaton, we set the length of the detectonperod (Δ) for GD to 5 mn, to catch realstc DDoS attacks, because the duratons of DDoS attacks montored on the Internet from 2 to 23 mostly ranged around 5 mn [9]. We set the detecton cycle of the global detector to mn. The detecton cycles of local detectors (δ) are assumed to be dentcal and are set to mn, because local detectors should perform change-pont detecton several tmes durng a detecton-perod for GD, and because we succeeded n detectng a Smurf attack wth the detecton cycle n Secton II.B. Threshold values of local detectors are assumed to be dentcal. We frst evaluate our mult-stage change-pont detecton scheme when the scale of DDoS attacks s small (e = ) and the smultanety of DDoS attacks s low (c = 2.75). Fgs. 5 and 6 show ROC curves (Recever Operatng Characterstc curves), whch s used as the performance metrc of IDS n Ref. []. The x-axs of ROC curve s the average value of the false-postve rate and the y-axs of that s the average value of the detecton rate. The closer the graph gets to the upper left corner (,), the better a detecton scheme dscrmnates between normal behavor and large-scale smultaneous events. In the fgures, label stand-alone LD shows detecton usng the stand-alone LD scheme and label GD+LD shows detecton usng our mult-stage change-pont detecton scheme. Label th refers to the threshold value of the global detector. In each curve, each plotted pont represents the average value of the detecton rate and the false-postve rate when the local detector s threshold value s set to each value between 2 and 3. As the local

5 detector s threshold value ncreases, the plotted pont moves from the upper rght regon to the lower left regon. Fg. 6 s an enlargement of the upper left corner of Fg % confdence ntervals for s and s of both schemes are very small n all cases. For example, Table II depcts 95% confdence ntervals of s and s for pont A (stand-alone LD scheme) and pont B (our scheme) n Fg. 6. Thus, we only show the average values of s and s, hereafter. In Fg. 6, our scheme wth the global detector s threshold values between.4 and.8 shows better detecton performance compared to the stand-alone LD scheme. We next evaluate the reducton n wth our scheme. Table III shows values when of. s acheved wth each scheme. In the stand-alone LD scheme, the local detectors threshold values are set to 4. In our scheme, the thresholds of local detectors and the global detector are set to 4 and.4, respectvely. Our scheme yelds a lower (.47) compared wth the standalone LD scheme because of the flterng effect aganst false-postve change-ponts at the global detector. Fg. 7 shows ROC curves when the scale of DDoS attacks s large (e = 5) and the smultanety of DDoS attacks s low (c = 2.75). Wth the ncrease n the scale of the attacks, our scheme plots closer to the upper left corner n Fg. 7 than n Fg. 6. Table IV shows values when of. s acheved wth each scheme. In the stand-alone LD scheme, the local detectors threshold values are set to 4. In our scheme, the thresholds of the local detectors and the global detector are set to 8 and.4, respectvely. Our scheme does not yeld any falsepostves. Further, we evaluate our scheme when the scale of DDoS attacks s small (e = ) and the smultanety of DDoS attacks s hgh (c = ). Fg. 8 depcts the change n the numbers of hosts nfected by random scan worms wth hgh/low smultanety. Most of nfectble hosts are ntensvely nfected wthn mnutes (between mnute 2 and mnute 3) n DDoS attacks wth hgh smultanety (c = ) whle most of them are nfected wthn 4 mnutes (between mnute 7 and mnute ) n the attack wth low smultanety (c = 2.5). Fg. 9 shows ROC curves when the scale of DDoS attacks s small (e = ) and the smultanety of DDoS attacks s hgh (c = ). Wth the ncrease n the smultanety of the attacks, our scheme plots closer to the upper left corner n Fg. 9 than n Fg. 6. Table V shows values when of. s acheved wth each scheme. In stand-alone LD scheme, the local detectors threshold values are set to 2. In our scheme, the thresholds of the local detectors and the global detector are set to and.8, respectvely. Our scheme does not yeld any false-postves. Lastly, we nvestgate the effect of the length of the detecton-perod (Δ). Fgs. and show ROC curves when Δ s set to and, respectvely. The scale of DDoS attacks s large (e = 5) and the smultanety of DDoS attacks s hgh (c = ). When the threshold value of GD s.2, our scheme shows worse detecton performance as the length of detecton-perod becomes larger. Ths s because our scheme wth large detecton-perod tends to regard a set of sporadc false-postve change-ponts as DDoS attacks that occur smultaneously. However, when the threshold value of GD s large enough, our scheme can acheve better performance than the stand-alone scheme because flterng effect of GD works well Fg. 5. ROC curve (e =, c = 2.75). A.5. Fg. 6. Enlargement of Fg. 6. TABLE II 95% confdence nterval of s and s for ponts A and B n Fg ± 2. A 6.848± ± 2. B 4.559±.4 TABLE III when of. s acheved (e =, c = 2.75) Stand-alone LD scheme.7 Our scheme.47 IV. CONCLUSIONS In ths paper, we evaluated a mult-stage change-pont detecton scheme aganst DDoS attacks by random scan worms. We showed that the scheme acheves better performance than a stand-alone change-pont detecton scheme aganst DDoS attacks wth varous scales an smultanetes. We also showed that, even f the length of detecton-perod for GD s not approprately set, our scheme can acheves better performance by the flterng effect of GD. In our future work, we plan to propose a scheme that determnes the optmal threshold values for LD and GD. ACKNOWLEDGMENT GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.) The authors gratefully acknowledge the contrbuton of Dr. Hdeyuk Shmonsh of System Platforms Research Laboratores n NEC Corporaton, Dr. Ken Yamansh and Mr. Takayuk Nakata of Common Platform Software Research Labs n NEC Corporaton. The authors wsh to thank Dr. Shnsuke Mwa of Natonal Insttuton of Informaton and Communcatons Technology n Japan for provdng a vrus sample. B GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.)

6 .95.9 GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.) GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.).5. Fg.. ROC curve (Δ = ). Fg. 7. ROC curve (e = 5, c = 2.75). TABLE IV WHEN OF. IS ACHIEVED (e = 5, c = 2.75) Number of nfected hosts Stand-alone LD scheme.7 Our scheme Tme [mnute] Fg. 8. Change n the number of hosts nfected by random scan worms (c = : hgh smultanety, c = 2.75: low smultanety) Fg. 9. ROC curve (e =, c = ). TABLE V WHEN OF. IS ACHIEVED (e =, c = ) Stand-alone LD scheme.42 Our scheme REFERENCES GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.).5. c= c=2.75 [] M. Roesch, Snort-Lghtweght Intruson Detecton for Networks, n Proc. of Usenx LISA 99 Conf., November 999. [2] V. Yegneswaran, P. Barford and S. Jha, Global Intruson Detecton n the DOMINO Overlay System, n Proc. of Network and Dstrbuted Securty Symposum (NDSS), February GD+LD (th=.2) GD+LD (th=.4) GD+LD (th=.6) GD+LD (th=.8) GD+LD (th=.).5. Fg.. ROC curve (Δ = ). [3] V. Guralnk and J. Srvastava, Event detecton from tme seres data, n Proc. of the ffth ACM SIGKDD Int l Conf. on Knowledge Dscovery and Data Mnng (KDD99), pp , August 22. [4] K. Yamansh and J. Takeuch, A Unfyng Framework for Detectng Outlers and Change-Ponts from Non-statonary Data, n Proc. of the Eghth ACM SIGKDD Int l Conf. on Knowledge Dscovery and Data Mnng (KDD22), pp , 22. [5] J. Takeuch and K. Yamansh, A Unfyng Framework for Detectng Outlers and Change Ponts from Tme Seres, IEEE Tran. on Knowledge and Data Engneerng, Vol. 8, No.4, pp , Aprl 26. [6] K. Yamansh, J. Takeuch and Y. Maruyama, Three Methods for Statstcal Anomaly Detecton, IPSJ Magazne, Vol. 46, No., January 25. [7] K. Yamansh, Applcatons of Data Mnng to Informaton Securty, Journal of Japanese Socety for Artfcal Intellgence, Vol. 2, No. 5, pp , September 26. [8] T. Murase, et al., Performance Evaluaton of a Mult-Stage Network Event Detecton Scheme aganst DDoS Attacks, to be presented at the 7 th Asa-Pacfc Symposum on Informaton and Telecommuncaton Technologes (APSITT), Aprl 28. [9] D. Moore, C. Shannon, D. Brown, G. M. Voelker and S. Savage, Inferrng Internet Denal-of-Servce Actvty, ACM Transactons on Computer Systems, Vol. 24, No. 2, pp. 5-39, May 26. [] MIT Lncoln Laboratory DARPA Intruson Detecton Evaluaton, [] Z. Chan, L. Gao and K. Kwat, Modelng the Spread of Actve Worms, n Proc. of the 22 nd Annual Jont Conference of the IEEE Computer and Communcatons Socetes (INFOCOM), Vol. 3, 89-9, Aprl 23. [2] M. Takahash, J. Murakam, T. Sudou, N. Hrahara and R. Sasak, Behavoural Analyss of Botnet based on Feld Research, Trans. of Informaton Processng Socety of Japan, Vol. 47, No. 8, pp , August 26. [3] Inc. Internet Systems Consortum.