DDoS Attacks Detection Model and its Application




MUHAI LI 1,2, MING LI 1, XIUYING JIANG 2
1 School of Information Science & Technology, East China Normal University, No. 500, Dong-Chuan Road, Shanghai 200241, P.R. China, muhaili@126.com, mli@ee.ecnu.edu.cn
2 Department of Computer Science, Zaozhuang University, Bei-An Road, Shandong 277160, P.R. China

Abstract: With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have increased significantly on the Internet, resulting in degraded confidence and trust in the use of the Internet. However, present DDoS attack detection techniques face a problem: they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic features to solve this problem. In order to apply the model conveniently, we design its implementation algorithm. Evaluating the algorithm on actual data shows that it can identify DDoS attacks.

Key-words: Algorithm, Attack, Application, DDoS, Detection, Model

1 Introduction

A DDoS attack is a Denial-of-Service (DoS) attack; it has become one of the major threats and among the hardest security problems in today's Internet, whose impact has been well demonstrated in many computer network literatures. A DoS attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service [1]. Examples include attempts to "flood" a network, in order to prevent legitimate network traffic; attempts to disrupt connections between two machines, thereby preventing access to a service; attempts to keep a particular individual from accessing a service; and attempts to stop service to a specific system or person. The goal of a DoS attack is to prevent a computer or network from providing normal services. The most common DoS attacks target the computer's network bandwidth or connectivity.

Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot be responded to. Connectivity attacks flood a computer with so many connection requests that they consume all available operating system resources, so that the computer can no longer process requests of legitimate users. Distributed Denial of Service (DDoS) is a relatively simple, yet very powerful technique to attack Internet resources. A DDoS attack adds the many-to-one dimension to the DoS attack problem, and makes the prevention and mitigation of these attacks more difficult and the impact proportionally severe. Unlike DoS attacks that rely on a specific network protocol or a system weakness, DDoS attackers do not need to master advanced computer technologies; they can attack a site server simply by exploiting the huge resource asymmetry between the Internet and the victim, namely many to one. Before attacking, the attackers have taken control of a sufficient number of zombies. Then they command these zombies to generate such huge amounts of useless packets that they overwhelm the victim. Both DoS and DDoS attacks have the same goal, that is to say, all of them want to tie up certain network resources completely so that the victim server denies service to legitimate users. Compared with a DoS attack, a DDoS attack is very difficult to defend against, because a DDoS attack can make use of an open Internet feature, namely that a large number of users are permitted to visit the same site server at the same time. This feature of the Internet enables the DDoS attack to block access to the thoroughfare reaching the victim, effectively taking the victim off the Internet so that any victim-level defense becomes irrelevant. In addition, the DDoS attack's strategies of hierarchical attack and the technologies of IP spoofing make attackers difficult to trace. Although great efforts have been invested in attack detection and prevention, there is still a lack of effective and efficient solutions to intercept ongoing attacks in a timely fashion, i.e. quickly enough to prevent traffic build-up from a DDoS attack. By now, DDoS attacks have risen to be the Number 1 threat on the Internet [2]. DDoS attacks are comprised of packet streams from disparate attack sources. An attacker can coordinate the power of a vast number of Internet zombies to consume some critical resource of the target and make the site server deny service to legitimate clients. Attack traffic is usually so similar to normal traffic that it is difficult to distinguish attack packets from normal packets. At the same time, the packet streams of a DDoS attack have no apparent characteristics that could be directly and wholesale used for detection and filtering.

ISSN: 1109-2750 1159 Issue 8, Volume 7, August 2008
To avoid being traced, attackers can afford to change attack packet fields (especially the IP address). With the rapid development of computer technologies, there are more and more extremely sophisticated, user-friendly and powerful DDoS toolkits; they give DDoS attacking programs very simple logic structures and small memory footprints, and make them relatively easy to implement and hide. Attackers constantly change their tools to bypass inspection by the security systems developed by system managers and researchers, who are constantly alert to modify their approaches to handle new attacks. The DDoS field is evolving quickly, and it is becoming increasingly hard to detect the attacks. DDoS attacks are getting more sophisticated, spreading faster, and causing more damage [3]. However, no fundamental defense solutions for DDoS attacks have been developed since these attacks first appeared in June 1998 [4]. Therefore, it is necessary to study a new detection model and keep DDoS attacks away. Since the goal of a DDoS attack is to make the site deny service to legitimate users, it is necessary to send such a large number of garbage packets to the victim that the victim's system has no ability to handle them. Therefore, recognizing an abnormal increase of traffic is the shortcut to detecting a DDoS attack. In this paper, we use exactly this idea to build a model to solve the detection problem of DDoS attacks.

Following this introduction, the paper is organized as follows. Section 2 introduces previous work on DDoS attacks. Section 3 gives the method for building the detection model. In this section, we discuss the features of network traffic, which are the basis for building the detection model, and give an implementation algorithm of the detection model. Section 4 applies the detection algorithm to verify the validity of the model. Section 5 draws the conclusion of this paper.

2 Previous work

There are a number of DDoS and DoS attack studies [5–7]. Most of them address vulnerabilities or possible countermeasures, but few focus on attack detection. More recent reports are [8–14]. In [8], Anderson et al. rely on the use of a send-permission token to restrict DoS attacks. Kreibich et al. use a decoy computer, pattern-matching techniques, and protocol conformance checks to create intrusion detection signatures [9]. In [10], Allen et al. use estimates of the Hurst parameter to identify attacks that cause a decrease in the traffic's self-similarity. This method requires statistics of network traffic self-similarity before the attack. Yu et al. give a statistical method, namely, Logistic Regression with separate protocols [11]. The method is a theoretical method for finding features in intrusion detection. Using the Support Vector Machine method, the separate protocol model provides better results with high classification accuracy and low false alarm rate. In [12], a general classification of DDoS attacks and methods to deal with them is given. The methods can detect each kind of DDoS attack and choose an appropriate defense mechanism automatically. With the great development of wavelet technology, many papers use the technology to build DDoS detection models [18–20]. In [18], Carl et al. modify the CUSUM approach to detect attacks by wavelet analysis. In the papers [19, 20], they find DDoS attack points by wavelet decomposition of signals with singularities. In the paper [23], Feinstein et al. provide two statistical methods of analyzing network traffic to find DDoS attacks. One monitors the entropy of the source addresses found in packet headers, while the other monitors the average traffic rates of the most active addresses. Some papers, e.g., [21, 22, 24], use probabilistic techniques, such as covariance etc., to detect attacks. All DDoS detection methods define an attack as an abnormal and noticeable deviation of some statistic of the monitored network traffic workload. Clearly, the choice of statistic-based detection techniques is critically important. In [15], Glenn Carl et al. give a conclusion about methods of detecting attacks.

At present, there are three kinds of detection technologies, namely activity profiling, change point detection, and wavelet-based signal analysis, but all these techniques face the considerable challenge of discriminating network-based flooding attacks from sudden increases in legitimate activity or flash events. In order to meet the challenge, we have done much research work, e.g., [16, 17]. In paper [16], we give a detection model with low false alarm and low miss probability. In paper [16], we apply the Hurst parameter estimate to determine whether the system is under attack. Although each detection technique shows promise in limited testing, none completely solves the detection problem [15]. The major shortcoming of classic techniques is that they do not distinguish anomalies from attacks. For example, they cannot differentiate anomalies from sudden changes at 08:00 a.m., which is the beginning of office hours [19]. In this paper, we try to solve the problem above by using known normal traffic before detecting attacks.

3 Detection model

Let y(t) denote a site's total traffic, which is the number of bytes arriving at a site (or server) at time t. Hereby, y(t) can be divided into normal traffic n(t) and attack traffic a(t), where the attack traffic is generated by attackers. Then y(t) can be abstractly expressed by

$$y(t) = n(t) + a(t) \quad (1)$$

Obviously, when a site is not attacked, a(t) = 0, that is to say, y(t) = n(t). When the site is under attack, a(t) will rapidly increase to a high level. Therefore, if we could get the value of a(t) during detection, it would be very easy to discover attacks. Unfortunately, we have no way to get a(t) directly while detecting attacks. However, y(t) can be captured conveniently with sniffer software. According to Eq. (1), if we can get the value of n(t), then the aforementioned problem can be solved simply. But n(t) is also unknown in the period of detection. Hence, how to get n(t) becomes an essential problem.

3.1 Feature analysis of traffic

In order to solve the problem above, it is necessary to know the features of network traffic. For achieving the aim of DDoS attacks, the attackers must send a large volume of garbage packets to the victim. Therefore, the attack traffic is usually far more than normal traffic. This is a basic feature of traffic. Many works study traffic features, e.g., [23, 25–28]. In [23], Feinstein et al. discuss two kinds of detection methods. They define the entropy H, and give the following computing formula:

$$H = -\sum_{i=1}^{n} p_i \log p_i,$$

where $p_i$ is the probability of the i-th of n independent symbols; the symbols can be IP addresses. Hence, the entropy can be computed on a sample of consecutive packets. Through experiments, they have observed that while a network is not under attack, the entropy value of user IP addresses falls in a narrow range. According to the definition of entropy, the value of entropy is actually the purity of IP addresses. This means that the number of new IP addresses is proportional to the number of old IP addresses. Actually, the old IP addresses represent common users of the site, and new addresses can be regarded as new users or random users. At the same time, experiments also show that the number of common users is far more than the number of new users of the site in the normal state [28]. While studying the features of network traffic, we have done many statistical experiments about IP addresses, and also discovered the phenomenon above. We call the phenomenon one of the traffic features: In the normal state, the common users of a site are stable, and the ratio of their number to the number of all the site's users is approximately a constant. That is to say, if we let $n_C(t)$ and $n_A(t)$ denote the number of common users and of all users at time t respectively, then $n_C(t)/n_A(t)$ is almost a constant. In [26], Barford et al. give a few traffic curves over weeks. These curves clearly show the similarity of traffic, especially the traffic curves of the same day in different weeks. This is another feature of traffic: In the normal state, traffic has daily and weekly cycles [26, 27]. That is to say, the traffic is similar at the same time of different dates in a certain period. If we let C denote the time cycle value of a day or a week, then y(t) is almost equal to y(t + C). Fig. 1 and Fig. 2 clearly show this feature. For example, the traffic at 8 a.m. on Dec. 18 is similar to that at the same time on Dec. 19.

Fig. 1: The curve of traffic on Dec. 18, 2007. Note: The abrupt changes around 3 p.m. include attack traffic in Fig. 1.

The reason why traffic has these features is mainly that a site provides stable services in a certain period. On the one hand, the stable services certainly constrain the requirements of its users. On the other hand, every user has stable requirements for the server, and steady work habits. These two elements determine that a server has stable common users.
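The source-address entropy quoted above from Feinstein et al. is easy to make concrete. The following is an added example written for this page; it is not code from the paper or from the cited work. It computes H = −Σ p_i log2 p_i over consecutive, non-overlapping windows of packets, learns the "narrow range" from known-normal windows, and flags any later window that leaves that range. The packet lists, the 20-packet window and the 0.5-bit slack around the band are constructed for illustration, not values taken from either paper.

```python
"""Added example, not from the paper or from Feinstein et al.: source-address
entropy over consecutive packet windows with a normal-traffic band check.
Packet lists, window size and slack are constructed for illustration."""
import math
from collections import Counter


def source_entropy(sources):
    """Entropy in bits of the source-address distribution of one sample of
    packets: p_i is the share of packets carrying address i."""
    n = len(sources)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(sources).values())


def entropy_series(sources, window):
    """Entropy of each consecutive, non-overlapping block of `window`
    packets (one value per 'sample of consecutive packets')."""
    return [source_entropy(sources[i:i + window])
            for i in range(0, len(sources) - window + 1, window)]


def baseline_band(normal_entropies, slack=0.5):
    """The narrow range seen while the site is not under attack: min and max
    over known-normal windows, widened by `slack` bits (illustrative value)."""
    return min(normal_entropies) - slack, max(normal_entropies) + slack


def windows_outside_band(entropies, band):
    """Indices of windows whose entropy leaves the normal band."""
    lo, hi = band
    return [k for k, h in enumerate(entropies) if not lo <= h <= hi]


# Constructed packet logs: source addresses in arrival order, 20 per window.
# Normal traffic: the same five common users with slightly varying shares.
# Flood window: every packet arrives from a different (spoofed-looking) address.
NORMAL_PACKETS = (
    ["10.0.0.1"] * 8 + ["10.0.0.2"] * 5 + ["10.0.0.3"] * 3 + ["10.0.0.4"] * 2 + ["10.0.0.5"] * 2
    + ["10.0.0.1"] * 9 + ["10.0.0.2"] * 4 + ["10.0.0.3"] * 3 + ["10.0.0.4"] * 2 + ["10.0.0.5"] * 2
    + ["10.0.0.1"] * 7 + ["10.0.0.2"] * 6 + ["10.0.0.3"] * 3 + ["10.0.0.4"] * 2 + ["10.0.0.5"] * 2
)
FLOOD_PACKETS = ["198.51.100.%d" % k for k in range(1, 21)]
WINDOW = 20


def detect(normal=NORMAL_PACKETS, observed=FLOOD_PACKETS, window=WINDOW):
    """Learn the band from `normal`, then report which windows of `observed`
    fall outside it. Returns (band, list of flagged window indices)."""
    band = baseline_band(entropy_series(normal, window))
    return band, windows_outside_band(entropy_series(observed, window), band)


if __name__ == "__main__":
    band, flagged = detect()
    print("normal band (bits): %.3f .. %.3f" % band)
    print("flagged windows in observed traffic:", flagged)
```

With these inputs the three normal windows all land near 2.1 bits, so the band is roughly 1.56 to 2.63 bits, while the flood window reaches log2(20) ≈ 4.32 bits and is flagged. The band is the defender's tuning knob: a narrower slack catches smaller shifts in the address mix but also reacts to ordinary fluctuation, which is the same flash-crowd problem the paper sets out to address for traffic volume.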

Fig. 2: The curve of traffic on Dec. 19, 2007. Note: The abrupt changes around 9 a.m. include attack traffic in Fig. 2.

Undoubtedly, in the normal state, there are a few random users who visit the site, but they only browse the web occasionally. Hence, the traffic which the random users generate is far lower than that of the common users. Therefore, the common users determine that the traffic of a site has the similarity feature. According to the similarity feature of network traffic, we can use statistic traffic, which was collected from the site while not under attack before detection, instead of normal traffic during detection. Let N(t) denote the statistic traffic. So Eq. (1) can be rewritten as

$$a(t) = y(t) - N(t) \quad (2)$$

Since y(t) and N(t) are known, we can build a detection model based on formula (2). To this purpose, we introduce a lemma as follows:

Lemma 1. Let $x_i$ ($i = 1, 2, \dots, n$) be n independent random variables and $y = x_1 + x_2 + \dots + x_n$. For large n (e.g., $n \ge 30$), the distribution of y approaches a normal distribution.

This lemma is just the central limit theorem in probability theory [29].

Theorem 1. In the normal state, if the number of a site's users is invariant, then the distribution of y(t) approaches the normal distribution.

Proof. According to the condition of the theorem, we can assume that the site server has m users. Hereby, y(t) can be expressed by

$$y(t) = y_1(t) + y_2(t) + \dots + y_m(t),$$

where $y_i(t)$, $i = 1, 2, \dots, m$, is the traffic generated by the i-th user. In the normal state, the site's users are independent of each other, so their traffic $y_1(t), y_2(t), \dots, y_m(t)$ are naturally independent. In addition, the number of a site's users is generally far greater than 30. Therefore, the traffic y(t) satisfies the condition of Lemma 1, and the conclusion of the theorem is true.

It is natural to think that we can build a detection model based on Theorem 1. Unfortunately, the condition of Theorem 1 is not always satisfied, and sometimes the number of site users changes promptly. For instance, the number of site users increases abruptly at 08:00 a.m., because that time is the beginning of office hours: many users log in to the site, which leads traffic to increase rapidly; Fig. 1 and Fig. 2 show this clearly. Obviously, the model is related to the starting time of detection. So if we use the model to detect attacks, the result may not be good. According to the similarity feature of traffic, in the normal state, y(t) − N(t), namely a(t), can eliminate the majority of abrupt changes. However, we cannot use a(t) to build the detection model yet, because the value of a(t) is mainly determined by the random traffic. According to the second feature of traffic, the random traffic is proportional to normal traffic; at the same time, the number of common users is related to the detection time. Therefore, it is not good to build the detection model using only the value of a(t). The second traffic feature can be used to solve the problem above: we discover that $a(t)/N(t)$ is a random variable which is independent of the beginning time of detection in the normal state, so we use it to build the detection model. In the rest of this paper, let A(t) denote $a(t)/N(t)$.

Theorem 2. In the normal state, the distribution of A(t) approaches the normal distribution with mean 0, and it is independent of the number of site users.

Proof. We assume the number of common users is m at time t. Let $n_m(t)$ and $N_m(t)$ be the traffic of the m common users in y(t) and N(t) respectively. Let r and s be the number of the other users of y(t) and N(t) at time t respectively, where the other users are just random users. Let $n_r(t)$ and $N_s(t)$ be the random users' traffic. Hence, we have

$$N(t) = N_m(t) + N_s(t), \qquad y(t) = n_m(t) + n_r(t).$$

Then

$$A(t) = \frac{a(t)}{N(t)} = \frac{n_m(t) - N_m(t)}{N(t)} + \frac{n_r(t) - N_s(t)}{N(t)}.$$

In the normal state, y(t) is just n(t). According to the similarity feature of traffic, $n(t) \approx N(t)$, and $n_m(t)$ is far greater than $n_r(t)$, namely, $N(t) \approx n_m(t) \gg n_r(t)$, where $\gg$ denotes "far more than". Similarly, $N(t) \approx N_m(t) \gg N_s(t)$. This means that $[n_r(t) - N_s(t)]/N(t)$ is almost zero. Hence, the distribution of A(t) is determined by that of $[n_m(t) - N_m(t)]/N(t)$. Since $n_m(t)$ and $N_m(t)$ come from the same group of common users, the distribution of $[n_m(t) - N_m(t)]/N(t)$ has mean zero. Because of the traffic feature, $n_m(t)/N(t)$ and $N_m(t)/N(t)$ are almost constants which are independent of m (i.e. the number of common users). According to Theorem 1, the distribution of $[n_m(t) - N_m(t)]/N(t)$ approaches the normal distribution with mean 0.

3.2 Building detection model

When the site is under attack, $n_r(t)$ includes attack traffic, which leads to $n_r(t) \gg N(t)$. Hence, the mean of A(t) is far greater than zero. Using Theorem 2, we get a detection method: if A(t) follows a normal distribution with mean zero, we can determine that the server is secure; otherwise, there are attacks. We build a model for detecting attacks with the parameter estimation method of probability theory. Let T and η be the number of samples and the mean of the random variable A(t) respectively, and let u(T) be the sample mean of A(t) with T samples. Since the variance of A(t) is unknown, in order to estimate the mean, we form the sample variance $S^2(T)$:

$$S^2(T) = \frac{1}{T-1}\sum_{t=0}^{T-1}\left[A(t) - u(T)\right]^2.$$

In fact, $S^2(T)$ is an unbiased estimate of the variance of A(t) [29]. Thus, under the assumption that A(t) is normal, the ratio

$$\frac{u(T) - \eta}{S(T)/\sqrt{T}}$$

has a Student-t distribution with T − 1 degrees of freedom [29]. Using this distribution, we can estimate the mean η. If the confidence coefficient P is known, then η lies in the approximate confidence interval

$$u(T) - t_{1-\delta/2}(T-1)\,\frac{S(T)}{\sqrt{T}} < \eta < u(T) + t_{1-\delta/2}(T-1)\,\frac{S(T)}{\sqrt{T}},$$

where δ = 1 − P and $t_{1-\delta/2}(T-1)$ is the $1-\delta/2$ percentile of the t distribution with T − 1 degrees of freedom. Applying actual data to this model, we discover that if the site is not under attack, the confidence interval of η is included in (−0.5, 0.5). Otherwise, the relation above is not true. Thus, we obtain a model for detecting DDoS attacks. Using the model above, we give a run-time detection algorithm as follows:

1) Assign P and T initial values respectively; the starting time of detection is t = 0.
2) Open a database which has stored the statistic traffic of the site. Fetch data from the database and load them into the array N(t); these data correspond to the time from 0 to T − 1.
3) Initialize u(0) from N(0) and S(0) from y(0), where y(0) is the traffic datum at starting time 0.
4) Judge whether the relation t ≥ T is satisfied. If the answer is true, go to 8).
5) Capture the traffic of the site at time t, and load it into y(t).
6) Compute u(t) and S(t).
7) Let t = t + 1, and go to 4).
8) Compute the confidence interval of η, that is

$$\left(u(T) - t_{(1+P)/2}(T-1)\,\frac{S(T)}{\sqrt{T}},\; u(T) + t_{(1+P)/2}(T-1)\,\frac{S(T)}{\sqrt{T}}\right),$$

where u(T) and S(T) can be computed with the recursive algorithm below.
9) Judge whether the confidence interval of η is included in (−0.5, 0.5). If the result is yes, then the site is safe; otherwise, give an attack alarm.
10) End.

For improving the efficiency of detection, u(t) and S(t) can be computed with a recursive algorithm. The recursive algorithm of u(t) is as follows:

$$u(t) = \frac{1}{t}\sum_{s=0}^{t-1} A(s) = \frac{1}{t}\sum_{s=0}^{t-1}\frac{a(s)}{N(s)} = \frac{t-1}{t}\,u(t-1) + \frac{1}{t}\left[\frac{y(t-1)}{N(t-1)} - 1\right].$$

The recursive algorithm of $S^2(t)$ is

$$S^2(t) = \frac{1}{t-1}\sum_{s=0}^{t-1}\left[A(s) - u(t)\right]^2 = \frac{1}{t-1}\left[\sum_{s=0}^{t-1}A^2(s) - 2u(t)\sum_{s=0}^{t-1}A(s) + \sum_{s=0}^{t-1}u^2(t)\right] = \frac{1}{t-1}\left[\sum_{s=0}^{t-1}A^2(s) - t\,u^2(t)\right] = \frac{t-2}{t-1}\,S^2(t-1) + \frac{1}{t}\left[A(t-1) - u(t-1)\right]^2,$$

where

$$A(t-1) = \frac{y(t-1)}{N(t-1)} - 1.$$

Obviously, the algorithm's time complexity is O(T). Hence, the recursive algorithms make the detection model more efficient in execution, and help the model finish run-time detection of DDoS attacks.

4 Model Application

For verifying the algorithm above, we sampled a large amount of data from a central server in Zaozhuang University with Sniffer software. The sample time interval is 10 s. Fig. 3 shows the curve of the data. Fig. 3 is composed of three sections; the first section is the statistic traffic, which was sampled before detection without attacks. The other two sections represent the data sampled on Dec. 18 and Dec. 19, 2007 respectively.

Fig. 3: Statistic and detection traffic

From Fig. 3, it is obvious that the traffic has a similar characteristic. We can also discover some abnormal traffic in the figure. In fact, some of it was generated with attack software. We applied attack software to attack the server three times. Two of the attacks occurred on Dec. 18: the first attack was at 2:33 p.m., and lasted 10 minutes; the second attack was at 3:36 p.m., and lasted 8 minutes. There was one attack on the site on Dec. 19, and that attack lasted 11 minutes. From Fig. 3, we can see the abrupt changes of traffic at the corresponding times.
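The run-time algorithm of Section 3.2 (steps 1 to 10 with the O(T) recursions for u(t) and S²(t)) and the parameters the paper reports for its experiment (10 s samples, a 10-minute detection window, P = 0.95, the alarm band (−0.5, 0.5)) are put together in the following added example. It is written for this page and is not the authors' implementation. It assumes that traffic is a byte count per 10 s sample and that the statistic traffic N(t) is already aligned to the detection start time; since the paper does not say how the Student-t percentile was obtained, it is computed here with the Cornish-Fisher series in the normal quantile (Abramowitz & Stegun 26.7.5), which is accurate to about 1e-3 for T − 1 ≥ 30. The two traffic windows are constructed, not measured: one follows the statistic profile with a small fluctuation standing in for the random users, the other is the same profile roughly quadrupled.

```python
"""Added example, not the paper's implementation: the run-time detection
algorithm of Section 3.2 with recursive u(t) and S^2(t), run on constructed
10 s byte-count samples. Assumes N(t) is aligned to the detection start."""
import math
from statistics import NormalDist


def student_t_quantile(p, dof):
    """p-quantile of Student's t with `dof` degrees of freedom.

    Cornish-Fisher expansion in the normal quantile z (Abramowitz & Stegun
    26.7.5); the paper does not say how it obtained its percentiles, so this
    is an assumption of the example. Error is about 1e-3 for dof >= 30.
    """
    z = NormalDist().inv_cdf(p)
    g1 = (z**3 + z) / 4
    g2 = (5 * z**5 + 16 * z**3 + 3 * z) / 96
    g3 = (3 * z**7 + 19 * z**5 + 17 * z**3 - 15 * z) / 384
    return z + g1 / dof + g2 / dof**2 + g3 / dof**3


class RunTimeDetector:
    """Steps 1-10 of the algorithm: consume y(t) one sample at a time and
    keep only u(t), S^2(t) and the sample count (O(1) state, O(T) work)."""

    def __init__(self, statistic_traffic, confidence=0.95, bound=0.5):
        self.N = list(statistic_traffic)   # N(t) for t = 0..T-1 (step 2)
        self.T = len(self.N)               # window length T (step 1)
        self.P = confidence                # confidence coefficient P
        self.bound = bound                 # the paper's band (-0.5, 0.5)
        self.t = 0                         # samples consumed so far
        self.u = 0.0                       # u(t): sample mean of A
        self.s2 = 0.0                      # S^2(t): sample variance of A

    def feed(self, y):
        """Steps 5-7: take one captured sample y(t) and update u and S^2."""
        if self.t >= self.T:
            raise ValueError("detection window already full")
        A = y / self.N[self.t] - 1.0       # A(t) = a(t)/N(t) = y(t)/N(t) - 1
        t = self.t + 1                     # sample count after this sample
        if t == 1:
            self.u, self.s2 = A, 0.0
        else:
            # S^2(t) = (t-2)/(t-1) S^2(t-1) + [A(t-1) - u(t-1)]^2 / t
            # (uses the old mean, so it must be updated before u)
            self.s2 = (t - 2) / (t - 1) * self.s2 + (A - self.u) ** 2 / t
            # u(t) = (t-1)/t u(t-1) + A(t-1) / t
            self.u = (t - 1) / t * self.u + A / t
        self.t = t

    def confidence_interval(self):
        """Step 8: interval for the mean eta of A(t) at coefficient P."""
        if self.t < 2:
            raise ValueError("need at least two samples")
        q = student_t_quantile((1 + self.P) / 2, self.t - 1)
        half = q * math.sqrt(self.s2 / self.t)
        return (self.u - half, self.u + half)

    def under_attack(self):
        """Step 9: alarm unless the interval lies inside (-bound, bound)."""
        lo, hi = self.confidence_interval()
        return not (-self.bound < lo and hi < self.bound)


def run_detection(statistic_traffic, captured_traffic, confidence=0.95):
    """Feed a whole detection window; return (lo, hi, alarm)."""
    det = RunTimeDetector(statistic_traffic, confidence)
    for y in captured_traffic:
        det.feed(y)
    lo, hi = det.confidence_interval()
    return lo, hi, det.under_attack()


def constructed_window(scale, samples=60):
    """Constructed data, not measurements: a 10-minute window of byte counts
    per 10 s (60 samples). N(t) is a smooth profile; y(t) is N(t) times
    `scale` with a small deterministic fluctuation for the random users."""
    N = [2.0e6 + 5.0e5 * math.sin(2 * math.pi * i / samples) for i in range(samples)]
    y = [N[i] * (scale + 0.05 * math.sin(1.3 * i)) for i in range(samples)]
    return N, y


if __name__ == "__main__":
    N, normal = constructed_window(scale=1.0)   # tracks the statistic traffic
    _, flood = constructed_window(scale=4.0)    # traffic roughly quadrupled
    print("normal:", run_detection(N, normal))  # interval inside (-0.5, 0.5)
    print("flood: ", run_detection(N, flood))   # interval around 3 -> alarm
```

For the normal window A(t) stays within a few percent of zero and the interval lands well inside the band; for the quadrupled window the interval sits around 3, which is exactly the "mean of A(t) far greater than zero" case of Section 3.2. Two practical points follow from the recursion: the variance update must read the previous mean before the mean is updated, and because the state is three numbers the detector can run continuously on a capture feed without storing the window.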

Fig. 4: The curve of A(t) on Dec. 18, 2007

Fig. 4 is the curve of A(t) on Dec. 18, 2007. From the figure, it is easy to see that the curve is independent of the traffic scale. Two abrupt changes indicate that the site was under attack at those times.

For improving the efficiency of detection, we set an alarm value. Once the traffic of the server reaches it, the detection program starts automatically. In this paper, the alarm value is 2.5 × 10^6; the length of the detection time is 10 minutes; the confidence coefficient P is 0.95; the sample time interval is 10 s. On Dec. 18, 2007, the detection program was executed four times; two of them gave an attack alarm. On the other day, the server was checked five times automatically, and we got two attack alarms. Table 1 and Table 2 show the results of detection.

Table 1: The detection results on Dec. 18, 2007

No.  Starting time  Confidence interval   State
1    8:30           (0.0151, 0.1001)      no
2    10:01          (−0.1409, 0.0883)     no
3    14:33          (2.3799, 3.045)       yes
4    15:36          (3.6149, 5.0761)      yes

Note: In Table 1, "yes" means that the site is under attack, and "no" means it is not. Table 1 shows that two confidence intervals are not included in (−0.5, 0.5); this means that the site was under attack at 2:33 p.m. and 3:36 p.m. on Dec. 18, 2007 respectively.

Fig. 5: The curve of A(t) on Dec. 19, 2007

Fig. 5 represents the curve of A(t) on Dec. 19, 2007. We can clearly see an abrupt change in the figure; the change is caused by attack traffic, and shows that the site was under attack at that time. In addition, we can also see that the curve is independent of the network traffic scale.

Table 2: The detection results on Dec. 19, 2007

No.  Starting time  Confidence interval   State
1    8:05           (−0.2973, 0.3697)     no
2    8:22           (0.0449, 0.1684)      no
3    8:55           (3.534, 3.743)        yes
4    9:05           (0.2954, 0.759)       yes
5    10:29          (−0.1439, 0.060)      no

Note: The meaning of "yes" and "no" in Table 2 is the same as in Table 1. Table 2 seems to show that the site server was under attack two times on Dec. 19, 2007. However, we actually attacked the site once on that day. This is because the attack lasted longer than the detection time. Thus, the fourth detection used 1 minute of attack data. Therefore, we received two alarms. The example shows that our detection algorithm can identify whether the server is under attack.

5 Conclusion

In this paper, by studying the basic features of traffic, we give a model for detecting DDoS attacks. The model cannot be influenced by abrupt changes of normal traffic, and is independent of the starting time of detection. Hence the model does better in detecting DDoS attacks. During detection, the model does not use the signatures of DDoS attacks, so it can detect unknown DDoS attacks. That is to say, the detection model is more robust. In order to realize run-time detection, we give an implementation algorithm of the model with simple structure, low complexity, and low memory occupation. Testing the algorithm with actual data, the results show that the algorithm can rapidly identify whether the server is under attack. However, the detection model depends on the statistic traffic collected before detection; the quality of the statistic traffic directly affects the result of detection. Thus, it is very important to know the normal state of the site, and to capture network traffic in time. During the detection of DDoS attacks, we use the confidence interval (−0.5, 0.5). In fact, this interval is not invariant; it may vary from site to site, and is related to the required precision of detection. If we require the model to recognize DDoS attacks that have only slight attack traffic, the interval should be set smaller. Usually, the interval (−0.5, 0.5) is a good choice for detection. In future, we will study the traffic control functions of firewalls and routers, and try to build a management system which can automatically detect, control, and manage the server.

Acknowledgement

This work was supported in part by the National Natural Science Foundation of China under the project grant number 6057315, and by the Research and Development Project of Shandong Provincial Education Department under the project number J07WJ9.

References

[1] Denial of Service Attacks, http://www.cert.org/tech_tips/denial_of_service.html, 2008.
[2] Background on DDoS, http://www.ddos.com/index.php?content=products/background.html, 2008.
[3] Editorial, Distributed denial-of-service and intrusion detection, Journal of Network and Computer Applications, Vol. 30, 2007, pp. 819–822.
[4] K. Lee, K. Kim, et al., DDoS attack detection method using cluster analysis, Expert Systems with Applications, 2007, doi:10.1016/j.eswa.2007.01.040.
[5] V. Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks, Vol. 31, 1999, pp. 2435–2463.
[6] L. Ricciulli, P. Lincoln, P. Kakkar, TCP SYN flooding defense, Communication Networks and Distributed Systems Modeling and Simulation (CNDS '99), 1999, pp. 17–20.
[7] E. Strother, Denial of service protection: the Nozzle, In: Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC 2000), 2000, pp. 32–41.
[8] T. Anderson, T. Roscoe, D. Wetherall, Preventing Internet denial-of-service with capabilities, Computer Communications Review, Vol. 34, No. 1, 2004, pp. 39.
[9] C. Kreibich, J. Crowcroft, Honeycomb: creating intrusion detection signatures using honeypots, Computer Communication Review (ACM SIGCOMM), Vol. 34, No. 1, 2004, pp. 51–56.
[10] W. Allen, G. Marin, The LoSS technique for detecting new denial of service attacks, SoutheastCon 2004 Proceedings, IEEE, 2004, pp. 302–309.
[11] K. M. Yu, M. F. Wu, Protocol-Based with Feature Selection in Intrusion Detection, WSEAS Transactions on Computers, Vol. 3, No. 3, 2008, pp. 135–146.
[12] A. Asosheh, N. Ramezani, A comprehensive taxonomy of DDoS attacks and defense mechanism applying in a smart classification, WSEAS Transactions on Communications, Vol. 7, No. 4, 2008, pp. 281–290.
[13] H. Sun, B. Fang, H. Zhang, A new intrusion detection approach based on network tomography, WSEAS Transactions on Information Science & Applications, Vol. 3, No. 2, 2006, pp. 1117.
[14] D. H. Kang, B. K. Kim, J. T. Oh, Protocol anomaly and pattern matching based intrusion detection system, WSEAS Transactions on Communications, Vol. 4, No. 10, 2005, pp. 994–1101.
[15] G. Carl, et al., Denial-of-Service Attack Detection Techniques, IEEE Internet Computing, Vol. 10, No. 1, 2006, pp. 82–89.
[16] M. Li, An approach to reliably identifying signs of DDoS flood attacks based on LRD traffic pattern recognition, Computers & Security, Vol. 23, 2004, pp. 549–558.
[17] M. Li, Change trend of averaged Hurst parameter of traffic under DDoS flood attacks, Computers & Security, Vol. 25, No. 3, 2006, pp. 213–220.
[18] G. Carl, R. R. Brooks, S. Rai, Wavelet based denial-of-service detection, Computers & Security, Vol. 25, 2006, pp. 600–615.
[19] M. Hamdi, N. Boudriga, Detecting denial-of-service attacks using the wavelet transform, Computer Communications, Vol. 30, 2007, pp. 3203–3213.
[20] A. Antoniadis, I. Gijbels, Detecting abrupt changes by wavelet methods, Technical Report, Laboratoire LMC-IMAG, Université Joseph Fourier, France, 1997.
[21] N. Ye, X. Li, et al., Probabilistic techniques for intrusion detection based on computer audit data, IEEE Transactions on Systems, Man and Cybernetics Part A: Systems and Humans, Vol. 31, No. 4, 2001, pp. 266–274.
[22] S. Y. Jin, et al., Network intrusion detection in covariance feature space, Pattern Recognition, Vol. 40, 2007, pp. 2185–2197.
[23] L. Feinstein, et al., Statistical approaches to DDoS attack detection and response, In: DARPA Information Survivability Conference and Exposition Proceedings, Vol. 1, 2003, pp. 303–314.
[24] C. Krugel, T. Toth, E. Kirda, Service specific anomaly detection for network intrusion detection, ACM, 2002.
[25] P. Abry, R. Baraniuk, et al., Multiscale nature of network traffic, IEEE Signal Processing, Vol. 19, No. 3, 2002, pp. 28–46.
[26] P. Barford, J. Kline, D. Plonka, A. Ron, A signal analysis of network traffic anomalies, In: Proceedings of ACM SIGCOMM Internet Measurement Workshop, Marseilles, France, 2002.
[27] V. Paxson, Measurements and analysis of end-to-end Internet dynamics, Ph.D. thesis, University of California, Berkeley, 1997.
[28] T. Peng, C. Leckie and R. Kotagiri, Detecting reflector attacks by sharing beliefs, In: Proceedings of IEEE Global Conference, Globecom, 2003.
[29] A. Papoulis, S. U. Pillai, Probability, Random Variables, Stochastic Processes, McGraw-Hill Inc., 2002.