A cascade architecture for DoS attacks detection based on the wavelet transform

Authors:
Alberto Dainotti;Antonio Pescapé/;Giorgio Ventre
Affiliations:
Correspd. University of Napoli “/Federico II”/, Via Claudio 21, 80125 Napoli, Italy. Tel.: +39 081 7683821/ Fax: +39 081 7683816/ E-mail: alberto@unina.it;-;University of Napoli “/Federico II”/, Napoli, Italy. E-mails: {alberto,pescape,giorgio}@unina.it
Venue:
Journal of Computer Security
Year:
2009

Citing 14
Cited 0

NetSTAT: a network-based intrusion detection system

Journal of Computer Security
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A non-instrusive, wavelet-based approach to detecting network performance problems

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Specification-based anomaly detection: a new approach for detecting network intrusions

Proceedings of the 9th ACM conference on Computer and communications security
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Attacking DDoS at the Source

ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A wavelet-based framework for proactive detection of network misconfigurations

Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality
Aberrant Behavior Detection in Time Series for Network Monitoring

LISA '00 Proceedings of the 14th USENIX conference on System administration
Monitoring the Macroscopic Effect of DDoS Flooding Attacks

IEEE Transactions on Dependable and Secure Computing
Inferring Internet denial-of-service activity

ACM Transactions on Computer Systems (TOCS)
Detecting anomalies in network traffic using maximum entropy estimation

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies

IEEE Transactions on Dependable and Secure Computing
Anomaly detection in IP networks

IEEE Transactions on Signal Processing

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we propose an automated system able to detect volume-based anomalies in network traffic caused by Denial of Service (DoS) attacks. We designed a system with a two-stage architecture that combines more traditional change point detection approaches (Adaptive Threshold and Cumulative Sum) with a novel one based on the Continuous Wavelet Transform. The presented anomaly detection system is able to achieve good results in terms of the trade-off between correct detections and false alarms, estimation of anomaly duration, and ability to distinguish between subsequent anomalies. We test our system using a set of publicly available attack-free traffic traces to which we superimpose anomaly profiles obtained both as time series of known common behaviors and by generating traffic with real tools for DoS attacks. Extensive test results show how the proposed system accurately detects a wide range of DoS anomalies and how the performance indicators are affected by anomalies characteristics (i.e. amplitude and duration). Moreover, we separately consider and evaluate some special test-cases.