With the growing dependence of business on the Internet and the fast spread of powerful, destructive DoS/DDoS attack tools, detecting and thwarting these attacks is essential for ISPs, enterprises, hosting centers, etc. In this paper, we present the implementation of a new framework for efficient detection and identification of flooding attacks over high-speed links. To accomplish that, we apply multi-channel non-parametric CUSUM (MNP-CUSUM) over the shared counters in the proposed reversible sketch, in order to pinpoint flows with abrupt change via a new approach for sketch inversion. Shared counters are used to minimize the memory requirements and to identify the victim of flooding attacks. We apply our system to various real traces: some are provided by France Telecom (FT) within the framework of the ANR-RNRT OSCAR project, and others were collected in the FT backbone network during online experiments for testing and adjusting the detection algorithms proposed in this project. Our analysis results from real Internet traffic, and from an online implementation over an Endace DAG 3.6ET sniffing card, show that our proposed architecture is able to quickly detect various kinds of flooding attacks and to disclose culprit flows with a high level of accuracy.
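The following sketch of the idea in the abstract, one non-parametric CUSUM statistic per shared sketch counter, is an added example and not the paper's implementation. The hash function, sketch dimensions, CUSUM parameters, EWMA baseline and the candidate-key check used in place of the paper's sketch inversion are all assumptions, and the traffic is constructed.

```python
import hashlib

D, W = 4, 64                   # sketch rows and buckets per row (assumed sizes)
A, H, ALPHA = 1.0, 5.0, 0.1    # CUSUM slack, alarm threshold, EWMA weight (assumed)

def bucket(row, key):
    """Row-specific hash of a flow key (here: destination IP) into [0, W)."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % W

class SketchCusum:
    """One non-parametric CUSUM statistic per shared sketch counter."""
    def __init__(self):
        self.mean = [[None] * W for _ in range(D)]   # baseline per counter
        self.g = [[0.0] * W for _ in range(D)]       # CUSUM statistic per counter

    def end_interval(self, counts):
        """counts: {key: packets this interval}. Returns keys whose D counters all alarm."""
        sketch = [[0] * W for _ in range(D)]
        for key, n in counts.items():
            for r in range(D):
                sketch[r][bucket(r, key)] += n
        for r in range(D):
            for b in range(W):
                x, mu = sketch[r][b], self.mean[r][b]
                if mu is None:                        # first interval seeds the baseline
                    self.mean[r][b] = float(x)
                    continue
                dev = (x - mu) / max(mu, 1.0)         # relative deviation from baseline
                self.g[r][b] = max(0.0, self.g[r][b] + dev - A)
                if self.g[r][b] == 0.0:               # freeze baseline while a change builds
                    self.mean[r][b] = (1 - ALPHA) * mu + ALPHA * x
        # Stand-in for sketch inversion: test candidate keys seen in this interval.
        return {k for k in counts
                if all(self.g[r][bucket(r, k)] > H for r in range(D))}

def run_demo():
    """Constructed traffic: 20 hosts at 8..12 SYNs/interval, flood on one from t=10."""
    det, flagged = SketchCusum(), {}
    for t in range(15):
        counts = {f"10.0.0.{i}": 8 + (7 * i + 3 * t) % 5 for i in range(20)}
        if t >= 10:
            counts["10.0.0.7"] += 300                 # constructed flood toward the victim
        flagged[t] = det.end_interval(counts)
    return flagged
```

Memory stays fixed at D x W counters regardless of how many flows are active, and a key is reported only when every counter it maps to has alarmed, which limits false attributions caused by hash collisions in a single row.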