NetSTAT: a network-based intrusion detection system
Journal of Computer Security
The 1999 DARPA off-line intrusion detection evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A non-instrusive, wavelet-based approach to detecting network performance problems
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Diagnosing network-wide traffic anomalies
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A wavelet-based framework for proactive detection of network misconfigurations
Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality
Aberrant Behavior Detection in Time Series for Network Monitoring
LISA '00 Proceedings of the 14th USENIX conference on System administration
Monitoring the Macroscopic Effect of DDoS Flooding Attacks
IEEE Transactions on Dependable and Secure Computing
Inferring Internet denial-of-service activity
ACM Transactions on Computer Systems (TOCS)
Detecting anomalies in network traffic using maximum entropy estimation
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies
IEEE Transactions on Dependable and Secure Computing
Anomaly detection in IP networks
IEEE Transactions on Signal Processing
Hi-index | 0.00 |
In this paper we propose an automated system able to detect volume-based anomalies in network traffic caused by Denial of Service (DoS) attacks. We designed a system with a two-stage architecture that combines more traditional change point detection approaches (Adaptive Threshold and Cumulative Sum) with a novel one based on the Continuous Wavelet Transform. The presented anomaly detection system is able to achieve good results in terms of the trade-off between correct detections and false alarms, estimation of anomaly duration, and ability to distinguish between subsequent anomalies. We test our system using a set of publicly available attack-free traffic traces to which we superimpose anomaly profiles obtained both as time series of known common behaviors and by generating traffic with real tools for DoS attacks. Extensive test results show how the proposed system accurately detects a wide range of DoS anomalies and how the performance indicators are affected by anomalies characteristics (i.e. amplitude and duration). Moreover, we separately consider and evaluate some special test-cases.