On Modeling Counteraction against TCP SYN Flooding
Information Networking. Towards Ubiquitous Networking and Services
Processing intrusion detection alert aggregates with time series modeling
Information Fusion
Characterising Anomalous Events Using Change - Point Correlation on Unsolicited Network Traffic
NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Quickest change detection of a Markov process across a sensor array
IEEE Transactions on Information Theory
Computer Networks: The International Journal of Computer and Telecommunications Networking
Parametric methods for anomaly detection in aggregate traffic
IEEE/ACM Transactions on Networking (TON)
Dynamic sample size detection in continuous authentication using sequential sampling
Proceedings of the 27th Annual Computer Security Applications Conference
A stochastic search on the line-based solution to discretized estimation
IEA/AIE'12 Proceedings of the 25th international conference on Industrial Engineering and Other Applications of Applied Intelligent Systems: advanced research in applied artificial intelligence
Countermeasures on application level low-rate denial-of-service attack
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
| Hi-index | 35.74 |
Large-scale computer network attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic. In the early stage of an attack, however, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. Rapid response, a minimal false-alarm rate, and the capability to detect a wide spectrum of attacks are the crucial features of intrusion detection systems. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, port-scanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing us to detect changes in statistical models as soon as possible. There are three attractive features of the proposed approach. First, the developed algorithms are self-learning, which enables them to adapt to various network loads and usage patterns. Secondly, they allow for the detection of attacks with a small average delay for a given false-alarm rate. Thirdly, they are computationally simple and thus can be implemented online. Theoretical frameworks for detection procedures are presented. We also give the results of the experimental study with the use of a network simulator testbed as well as real-life testing for TCP SYN flooding attacks