An Adaptive Method for Source-end Detection of Pulsing DoS Attacks




pp. 279-288
http://dx.doi.org/10.14257/ijsia.2013.7.5.26
Manuscript received ; revised ; accepted.
ISSN: 1738-9976 IJSIA, Copyright © 2013 SERSC

Ming Yu
School of Information and Communication Engineering, Dalian University of Technology, Dalian, China
yu_ming1111@dlut.edu.cn

Abstract

The intermittent attacking behavior of pulsing denial of service (PDoS) attacks poses a real challenge to the existing DoS detection methods. In this paper, an adaptive method is presented to meet this challenge. Three features distinguish this method from others. (i) No assumption is made on the distribution of the traffic samples. (ii) Automatic adjustment of the detection threshold according to the traffic conditions. (iii) Timely detection of the end of a PDoS attack. Simulation results validate the efficacy of the proposed method in source-end detection of PDoS attacks. They show (i) the minimum malicious traffic that can be detected by the proposed method is about 20% of the background traffic, under the requirements for detection delays of the start and the end of a PDoS attack are within 3 observation periods; (ii) the proposed method is more sensitive to pulsing SYN flooding traffic than it is to pulsing UDP flooding traffic.

Keywords: Pulsing denial of service, adaptive detection, anomaly detection, network security

1. Introduction

At SIGCOMM 2003, Kuzmanovic and Knightly proposed a new generation of DoS attacks, which could decrease the throughput of normal TCP traffic by periodically sending high-volume traffic in a short period. They named it shrew attack [1]. By further and deep study on shrew attacks, X. Luo et al., proposed a generic definition of PDoS (Pulsing Denial of Service) [2]. That is, a DoS attack can be called a PDoS attack only if its attack traffic is sent in an intermittent way. By this definition, a shrew attack is considered as a kind of PDoS attacks. Different from traditional DoS attacks, PDoS traffic is sent periodically and lasts for a short time within each attacking period. Therefore, it is more difficult to detect PDoS attacks.

According to the different deployment locations, autonomous DoS defense systems can be classified into source-end defense, victim-end defense and intermediate-network defense [3]. Among them, source-end refers to those networks that unwittingly host attacking machines; victim-end refers to the target network or the network that hosts the target machines; intermediate-network means the infrastructure between the attacking machines and the target.

In recent years, source-end defense against DoS attacks has been a hotspot in network security. Several methods have been proposed for anomaly detection of the source-end traffic. Among them, the one used in the D-WARD system [4, 5] is widely accepted. It adopts a set of legitimate traffic models to identify legitimate traffic and detect or constrain malicious traffic. Unfortunately, these models need to be updated periodically and therefore cannot adapt to the frequent changes in network traffic. This paper expatiates on our latest study on source-end defense against PDoS attacks.

Symmetry is an obvious phenomenon in two-way communications that follow a request/response paradigm, such as HTTP traffic, DNS traffic, NTP traffic and some types of ICMP traffic. In these communications, one party sends a request to its peer party, and waits for a reply before sending any more packets. For such communications, it is anomalous to observe an aggressive sending rate coupled with a low response rate. Usually, such an anomalous event may indicate that some local hosts are involved in an attack. A source-end defense system may be deployed to detect those anomalies that disrupt the symmetry in these two-way communications [6, 7], but it is now challenged by the subtlety and complexity of the PDoS traffic, and the bottleneck is how to select thresholds to adapt to the variability of traffic samples.

In this paper, a nonparametric adaptive method is presented to meet this challenge. Three distinct features make this method different from others in detection of DoS traffic. (i) No assumption is made on the distribution of the traffic samples. (ii) Automatic adjustment of the detection threshold according to the traffic conditions. (iii) Timely detection of the end of an anomalous event.

Rest of this paper is organized as follows. Section 2 gives a brief overview of related works on PDoS detection methods. Section 3 presents the design of an adaptive method for source-end detection of PDoS attacks. Section 4 presents the simulation results on five real traffic traces. Section 5 concludes this paper.

2. Related Works

In a few papers [8-11], several methods are proposed for anomaly detection when distributions of the traffic samples involve unknown parameters. Although these methods are successful in some conditions, two shortcomings of them are exposed when used in anomaly detection of network traffic. The first one is all the methods are designed with fixed configurations, which cannot adapt to the frequent changes of network traffic. The second one is they all require a parametric model for the observations so that corresponding probability distribution functions can be applied to the design and analysis of these methods; in practice, however, it is usually very difficult to have a prior knowledge about the distribution of network traffic. Therefore, it is of crucial importance to design an intelligent detection method which can automatically adjust its parameters to achieve the best performance possible and work without a prior knowledge about the distribution of the observations, that is, it is nonparametric.

Luo and Chang proposed a two-stage detection system to detect PDoS attacks on the receiver side [2]. Their method is based on the presence of two types of traffic anomalies induced by PDoS attacks: periodic fluctuations in the inbound TCP data traffic and a decline in the trend of the outbound TCP acknowledgement (ACK) traffic. In the first stage, the detection system monitors the inbound data and outbound ACK traffic using discrete wavelet transform. In the second stage, a nonparametric CUSUM algorithm is employed to detect the anomalies. Experiment results show the system is effective in detecting PDoS attacks with constant attack periods. However, it is ineffective in detecting flooding-based DoS attacks because such attacks will not cause periodic fluctuations in TCP traffic.

Hussain et al., proposed to differentiate between single-source and multi-source DoS attacks [12] by analyzing spectrum of the network traffic. Chen et al., found the power spectrum density of a traffic stream containing shrew attacks has much higher energy in low-frequency band as compared with legitimate traffic. Based on this observation, they proposed a spectral template matching method to detect shrew attacks [13, 14]. However, all these spectrum-based methods are ineffective in detecting PDoS attacks with different attacking frequencies and intervals.

Sun et al., proposed to detect shrew attacks using a dynamic time warping method which is divided into two stages [15]. In the first stage, autocorrelation is used to extract the periodic patterns in the inbound network traffic and eliminate the problem of time shifting. In the second stage, a slightly modified dynamic time warping algorithm is used to detect the signature of a shrew attack based on its autocorrelation coefficient. However, performance of this method is unsatisfactory when used in detecting PDoS attacks which are not separated by a constant interval. Moreover, such methods are ineffective in detecting flooding-based DoS attacks because the assumed square-wave patterns in such methods do not exhibit in the traffic under attack.

The D-WARD system is designed and implemented for source-end defense of DoS attacks. It adopts a useful metric that computes ratio of the inbound TCP traffic to the outbound TCP ACK traffic in detecting DDoS attacks [4]. Such a metric is also adopted in the Vanguard DoS detection system [16, 17]. In both systems, however, a fixed ratio of the inbound TCP traffic to the outbound TCP ACK traffic is used to distinguish an attack flow from legitimate ones, which cannot adapt to the frequent changes in network traffic. Therefore, it is of crucial importance to design an intelligent detection method which can automatically adjust its detection parameters to adapt to the changing network conditions.

In [7], I have proposed a nonparametric adaptive CUSUM method for network anomaly detection. This paper expatiates on my latest study of source-end defense against PDoS attacks. Its main contribution is to propose an adaptive detection method for source-end detection of PDoS attacks.

3. Design of an Adaptive Method for Source-end Detection of PDoS Attacks

3.1. Problem Formulation

Let us begin by giving the problem formulation of PDoS detection before we go deep into the design of the proposed adaptive detection method. Suppose $X = \{x_n, n = 1, 2, \ldots\}$ is a sequence of independent random variables observed sequentially, and $x_n = [(O_n - I_n)/O_n]^+$. Respectively, $O_n$ and $I_n$ denote the number of outgoing requests and incoming replies collected within the $n$th observation period, which is represented by the symbol $T$. $x^+$ is equal to $x$ if $x > 0$ and 0 otherwise. For legitimate traffic, $O_n$ is approximately equal to $I_n$, thus we have $x_n$ 1. Normally, the mean of $X$ (denoted by $\mu_X$) is stable and close to 1. This conclusion has been referred by Mirkovic [4]. It is also supported by our analysis on some real traffic datasets collected at Dalian University of Technology. Figure 1 gives the result of our analysis on one of those datasets. As we can see, an anomalous event occurs and $\mu_X$ is increased at a certain moment (random and unknown). When the anomaly ends, the mean of $X$ is decreased to normal. Figure 2 illustrates this process. However, no prior knowledge is known about the probability distribution function of $X$. The aim of a PDoS detection method is to accurately detect the start and the end of the PDoS attack as soon as possible.

3.2. Design of the Method

Firstly, the sliding window mechanism is adopted to alleviate the non-stationary influence of $X$ on the method. Size of the window is denoted by $N$, and elements in the window are denoted by $w_n^j$, where $0 \le j \le N-1$ and $n = 0, 1, 2, \ldots$. Usually, $w_n^j$ is initialized by $w_0^j = a$, where $a$ lies between 0 and 1. In practice, $a$ can be empirically set and it does not have much influence on the performance of the method.

Figure 1. Analysis of x based on One of the Real Traffic Dataset

Figure 2. Illustration of PDoS Detection

Secondly, the test statistic $t_n$ is constructed as

$$t_n = \sum_{j=0}^{N-1} \left(x_n - w_{n-1}^j\right)^2, \quad n = 1, 2, \ldots \qquad (1)$$

Thirdly, the detection threshold for raising an alarm on the start of a PDoS attack is set as

$$G^{start} = N\left((1 - \bar{w}_{n-1})\,\delta\right)^2 \qquad (2)$$

where $\bar{w}_{n-1} = \left(\sum_{j=0}^{N-1} w_{n-1}^j\right)/N$ and $\delta$ is the normalized intensity of the aggressive sending rate. $\delta$ is defined as $\delta = O_A/(O_A + \bar{O}_{n-1})$, where $O_A$ denotes the number of aggressive outgoing requests in an observation period and $\bar{O}_{n-1}$ denotes the averaged number of normal outgoing requests in the $(n-1)$th observation period. To reduce false alarms, threshold violations are counted. If the counter (denoted by Num) reaches a specified number $\tau_s$, an alarm is raised and the counter is reset to zero. Detection results are denoted by $d_n$, by which $d_n = 1$ is for raising alarms and $d_n = 0$ for no alarms. Update of elements in the sliding window depends on the detection results, as can be seen from the codes in Table 1, which gives the key codes for judging the start of a PDoS attack.

Lastly, another two thresholds, $G^{end}$ and G_saved, are used in canceling an alarm. G_saved is set when an alarm is raised, as can be seen in Table 1. $G^{end}$ is set as $G^{end} = 0.5\,N\left((1 - \bar{w}_{n-1})\,\delta\right)^2$. The same counter used for reducing false alarms is also used here to avoid missing alarms. An alarm cannot be canceled until the counter reaches another specified number $\tau_e$. In this proposed method, $\tau_s$ and $\tau_e$ are respectively considered as the requirements for detection delays of the start and the end of a PDoS attack. Codes for judging the end of an anomalous event are given in Table 2.
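An added sketch in Python of the Section 3.2 detector (not the paper's code), run over a constructed request/reply trace with the parameter values used in Section 4. Assumptions, because the key codes of Tables 1 and 2 are not present on this page: the test statistic is taken as the sum of squared distances between $x_n$ and the window elements, the window learns only from periods without a threshold violation, the counter counts consecutive violations, and an alarm is cancelled against half of the start threshold saved when it was raised.

```python
from collections import deque


def asymmetry(out_req, in_rep):
    """x_n = [(O_n - I_n) / O_n]^+ for one observation period."""
    if out_req <= 0:
        return 0.0
    return max(0.0, (out_req - in_rep) / out_req)


class PulsingDetector:
    def __init__(self, N=4, a=0.1, delta=0.2, tau_s=3, tau_e=3):
        self.N, self.delta = N, delta
        self.tau_s, self.tau_e = tau_s, tau_e
        self.window = deque([a] * N, maxlen=N)  # w^j, all initialised to a
        self.alarm = False
        self.num = 0         # shared counter (Num in the text)
        self.g_saved = None  # start threshold saved when the alarm is raised

    def g_start(self):
        w_bar = sum(self.window) / self.N
        return self.N * ((1.0 - w_bar) * self.delta) ** 2

    def update(self, out_req, in_rep):
        """Feed one period's counts, return d_n (1 = alarm, 0 = no alarm)."""
        x = asymmetry(out_req, in_rep)
        t = sum((x - w) ** 2 for w in self.window)  # assumed form of t_n
        if not self.alarm:
            g = self.g_start()
            if t > g:
                self.num += 1
                if self.num >= self.tau_s:
                    self.alarm, self.num, self.g_saved = True, 0, g
            else:
                self.num = 0
                self.window.append(x)  # assumption: adapt on quiet periods only
        elif t < 0.5 * self.g_saved:   # window is frozen, so this equals G_end
            self.num += 1
            if self.num >= self.tau_e:
                self.alarm, self.num = False, 0
                self.window.append(x)
        else:
            self.num = 0
        return 1 if self.alarm else 0


def constructed_trace(attack_requests, periods=110):
    """Constructed sample, one (O_n, I_n) pair per 20 s period: about 1000
    requests and 900 replies, with two 30-period bursts of unanswered
    requests starting at n = 20 and n = 65."""
    trace = []
    for n in range(periods):
        replies = 900 + (0, 10, -10, 5)[n % 4]
        burst = 20 <= n < 50 or 65 <= n < 95
        trace.append((1000 + (attack_requests if burst else 0), replies))
    return trace


def alarm_intervals(trace, **params):
    """Return (first, last) period indexes of every alarm in the trace."""
    det = PulsingDetector(**params)
    d = [det.update(o, i) for o, i in trace]
    intervals, start = [], None
    for n, flag in enumerate(d + [0]):
        if flag and start is None:
            start = n
        elif not flag and start is not None:
            intervals.append((start, n - 1))
            start = None
    return intervals


if __name__ == "__main__":
    print(alarm_intervals(constructed_trace(400)))  # intensity 400/1400
    print(alarm_intervals(constructed_trace(100)))  # intensity 100/1100
```

With 400 extra requests per period both bursts are flagged in their third period and cleared in the third quiet period; with 100 extra requests the window absorbs the shift and no alarm is raised.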

4. Simulations and Analysis

Five real traffic traces are used to validate the proposed method. Three of them were collected by an Endace DAG card at Dalian University of Technology (DLUT) with an OC-48c PoS link connected to CERNET. The other two were collected by the NLANR group at the University of Auckland (Auck) with an OC3 Internet access link. A summary of these traces is given in Table 3.

Table 1. Key Codes for Judging the Start of a PDoS Attack

Table 2. Key Codes for Judging the End of a PDoS Attack

Table 3. Summary of the Real Traffic Traces used in the Experiments

| Trace | Start time | Run length | IP headers |
|---|---|---|---|
| DLUT-1 | 09:10:01, Aug 11, 2012 | 02:46:01 | 115 million |
| DLUT-2 | 09:10:02, Sep 12, 2012 | 01:30:05 | 176 million |
| DLUT-3 | 14:18:59, Oct 21, 2012 | 02:00:00 | 130 million |
| Auck-1 | 18:59:16, Jun 8, 2001 | 05:00:43 | 14 million |
| Auck-2 | 12:00:00, Jun 9, 2001 | 06:00:00 | 22 million |

Firstly, simulations on source-end detection of SYN flooding attacks were carried out to illustrate the efficacy of the proposed method. In these simulations, the aggressive flooding rates were assumed constant after the attacks were launched. During an attack, the pulsing attack traffic lasted 10 minutes, and then it stopped for 5 minutes. Some results of the simulations on the trace of DLUT-1, Auck-1 and Auck-2 are presented in Figure 3-Figure 5. For the DLUT-1 trace, four pulsing attacks were launched respectively at the 105th, 210th, 315th and 420th observation periods, and each attack persisted for 30 minutes. For the Auck-1 trace, five pulsing attacks were launched respectively at the 75th, 255th, 435th, 615th and 795th observation periods, and each attack persisted for 45 minutes. For the Auck-2 trace, six pulsing attacks were launched respectively at the 75th, 255th, 435th, 615th, 795th and 975th observation periods, and each attack persisted for 45 minutes. The observation period T was set to 20 seconds. Other parameters involved in the proposed method were set as follows: N=4, α=0.1, δ=0.2 and τ_s=τ_e=3.

Figure 3. Simulation Results on DLUT-1 Trace

Figure 4. Simulation Results on Auck-1 Trace

Figure 5. Simulation Results on Auck-2 Trace

Secondly, detailed information about the simulations is presented to show the efficiency of the proposed method. For each trace, two types of PDoS traffic were included. Respectively, they are SYN flooding traffic and UDP flooding traffic. All the attacks are launched every 15 minutes, and the bursting time of each attacking machines is 10 minutes. Other parameters involved in the proposed method were set as follows: N=4, α=0.1, δ=0.2, and τ_s=τ_e=3. In this paper, we emphasize on studying the detection of low intensity attacks with the detection delays kept as short as possible. Table 4 and Table 5 give the averaged detection results on pulsing SYN flooding traffic and pulsing UDP flooding traffic by the proposed method after 30 experiments on each trace.

Table 4. Averaged Detection Results on Pulsing SYN Flooding Traffic

| | DLUT-1 | DLUT-2 | DLUT-3 | Auck-1 | Auck-2 |
|---|---|---|---|---|---|
| δ | 0.217 | 0.199 | 0.190 | 0.191 | 0.209 |
| τ_s (T) | 3.1 | 3 | 3.1 | 3.1 | 3.2 |
| τ_e (T) | 3.1 | 3 | 3.1 | 3.1 | 3.2 |

Table 5. Averaged Detection Results on Pulsing UDP Flooding Traffic

| | DLUT-1 | DLUT-2 | DLUT-3 | Auck-1 | Auck-2 |
|---|---|---|---|---|---|
| δ | 0.223 | 0.215 | 0.23 | 0.216 | 0.207 |
| τ_s (T) | 3.3 | 3.2 | 3 | 3.2 | 3.1 |
| τ_e (T) | 3.3 | 3.1 | 3 | 3.1 | 3.1 |

Two conclusions can be drawn from both tables.

(1) Under the requirement that the detection delays be within one minute, the lowest intensity of the attacks that can be detected by the proposed method is 0.199. This result excels those obtained in [18, 19] where the lowest intensity of the attacks that can be detected by the nonparametric CUSUM method is 0.25.

(2) The proposed method is more sensitive to the pulsing SYN flooding traffic than the pulsing UDP flooding traffic. This is because the proportion between outgoing SYN packets and incoming ACK packets is more regular and closer to 1.

In fact, the low intensity of the PDoS attacks that can be detected by the proposed method depends on the users' requirements on δ, which reflects the anomalies of the PDoS attacks. As an example, Table 6 gives another group of the detection results on pulsing SYN flooding traffic when δ=0.15 and other parameters were kept unchanged. As we can see, the lowest intensity of the attacks that can be detected is further decreased. However, we think δ=0.15 is insufficient to discriminate between the attacks and the normal fluctuation of legitimate traffic so far as SYN flooding attacks are concerned. The experimental results show the choice of δ completely depends on the related applications and it rests with the users.

Table 6. Averaged Detection Results on Pulsing SYN Flooding Traffic when δ=0.15

| | DLUT-1 | DLUT-2 | DLUT-3 | Auck-1 | Auck-2 |
|---|---|---|---|---|---|
| δ | 0.154 | 0.164 | 0.133 | 0.138 | 0.145 |
| τ_s (T) | 3.5 | 3.2 | 3.6 | 3.8 | 3.2 |
| τ_e (T) | 3.2 | 3.1 | 3.1 | 3.1 | 3.5 |

5. Conclusion

In this paper, an adaptive method is presented for source-end detection of PDoS attacks. This method requires little knowledge of the network traffic except a loose symmetry between the outgoing packets and the incoming packets. Three distinct features of this method are emphasized. Firstly, no assumption is made on the distribution of the traffic samples. Secondly, it succeeds in implementing a self-adjusting detection threshold, which makes it adapt to various traffic conditions. Thirdly, it reacts quickly to the end of the PDoS attacks. Experiments on real traffic traces show the efficacy of this method in detecting low intensity PDoS attacks. In the future, we plan to employ this method in detecting other DDoS attacks such as DRDoS, SYN/ACK attacks and RESET attacks.

Acknowledgements

This work was supported by (1) National Natural Science Foundation of China (Grant No.61172059); (2) the Scientific Research Foundation for Ph.Ds of Liaoning Province, China (Grant No.20111022).

References

[1] A. Kuzmanovic and E. W. Knightly, Low-rate TCP-targeted Denial of Service Attacks: the Shrew vs. the Mice and Elephants, Proceedings of ACM SIGCOMM 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany, (2003) August 25-29.
[2] X. Luo and R. Chang, On a New Class of Pulsing Denial-of-Service Attacks and the Defense, Proceedings of Network and Distributed System Security Symposium, San Diego, USA, (2005) February 3-4.
[3] Y. Ming, A Nonparametric Adaptive CUSUM Method and Its Application in Source-End Defense against SYN Flooding Attacks, Wuhan University Journal of Natural Science, vol. 16, no. 5, (2011), pp. 414-418.

[4] J. Mirkovic and P. Reiher, D-WARD: A Source-End Defense Against Flooding Denial-of-Service Attacks, IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 3, (2005), pp. 216-232.
[5] O. Pal, P. Jain, S. Goyal, Zia Saquib and B. L. Menezes, Intrusion Detection Using Graph Support: A Hybrid Approach of Supervised and Unsupervised Techniques, International Journal of Advancements in Computing Technology, vol. 2, no. 3, (2010), pp. 114-118.
[6] X. Liu, X. Yang and Y. Xia, NetFence: preventing internet denial of service from inside out, SIGCOMM Computer Communication Review, vol. 40, no. 4, (2010), pp. 255-266.
[7] M. Yu, A nonparametric adaptive CUSUM method and its application in network anomaly detection, International Journal of Advancements in Computing Technology, vol. 4, no. 1, (2012), pp. 280-288.
[8] S. Ehlert, D. Geneiatakis and T. Magedanz, Survey of network security systems to counter SIP-based denial-of-service attacks, Computers & Security, vol. 29, no. 2, (2010), pp. 225-243.
[9] H. K. Yi, P. K. Park, S. Min and J. C. Ryou, DDoS Detection Algorithm Using the Bidirectional Session, Communications in Computer and Information Science: Computer Networks, vol. 160, (2010), pp. 191-203.
[10] Z. Li, Y. Gao and Y. Chen, HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency, Computer Networks, vol. 54, no. 8, (2010), pp. 1282-1299.
[11] O. I. Sheluhin, A. A. Atayero and A. B. Garmashev, Detection of Teletraffic Anomalies Using Multifractal Analysis, International Journal of Advancements in Computing Technology, vol. 3, no. 4, (2011), pp. 174-182.
[12] A. Hussain, J. Heidemann and C. Papadopoulos, A Framework for Classifying Denial of Service Attacks, Proceedings of ACM SIGCOMM 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany, (2003) August 25-29.
[13] Y. Chen and K. Hwang, Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis, Journal of Parallel and Distributed Computing, vol. 66, no. 9, (2006), pp. 1137-1151.
[14] Y. Chen and K. Hwang, Spectral Analysis of TCP Flows for Defense against Reduction-of-Quality Attacks, Proceedings of IEEE International Conference on Communications, Glasgow, Scotland, (2007) June 24-28.
[15] H. Sun, J. C. S. Lui and D. K. Y. Yau, Defending against Low-rate TCP Attacks: Dynamic Detection and Protection, Proceedings of the 12th IEEE International Conference on Network Protocols, Berlin, Germany, (2004) October 5-8.
[16] X. Luo, E. W. W. Chan and R. K. C. Chang, Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals, EURASIP Journal on Advances in Signal Processing, vol. 2009, (2009), pp. 1-13.
[17] C. W. Zhang, Z. P. Cai, W. F. Chen, X. Luo and J. Yin, Flow Level Detection and Filtering of Low-rate DDoS, Computer Networks, vol. 56, no. 15, (2012), pp. 3417-3431.
[18] V. A. Siris and F. Papagalou, Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks, Proceedings of GLOBECOM, Dallas, USA, (2004) November 29-December 3.
[19] P. Tao, C. Leckie and K. Ramamohanarao, Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring, Proceedings of NETWORKING, Athens, Greece, (2004) May 9-14.

Authors

Ming Yu received the BS degree in electronics engineering in 1998 from Shandong University, China. He received the MS degree and Ph.D degree in information and telecommunication system in 2004 and 2008 from Xidian University, China. He is currently an associate professor in Dalian University of Technology, China. He is also a member of IEEE Computer Society. So far, he has 15 papers published in international journals. His research interests include network security, cloud computing and DoS defense.