[1] Shan Rongsheng, Li Jianhua, Wang Mingzheng,. Anomaly detection for network traffic flow [J]. Journal of Southeast University (English Edition), 2004, 20 (1): 16-20. [doi:10.3969/j.issn.1003-7985.2004.01.004]
Copy
Anomaly detection for network traffic flow(
)
)Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]
- Volumn:
- 20
- Issue:
- 2004 1
- Page:
- 16-20
- Research Field:
- Computer Science and Engineering
- Publishing date:
- 2004-03-30
Info
- Title:
- Anomaly detection for network traffic flow
- Author(s):
- Shan Rongsheng; Li Jianhua; Wang Mingzheng
- Department of Electronic Engineering, Shanghai Jiaotong University, Shanghai 200030, China
- Keywords:
- anomaly detection; intrusion detection; denial of service; port scan
- PACS:
- TP393
- DOI:
- 10.3969/j.issn.1003-7985.2004.01.004
- Abstract:
- This paper presents a novel mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. In this paper, SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average(EWMA)method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.
References:
[1] Moore D, Voelker G, Savage S. Inferring Internet denial of service activity [A]. In: Proceedings of the 10th USENIX Security Symposium [C]. Washington DC, 2001. 9-22.
[2] Lemon J. Resisting SYN flooding DoS attacks with a SYN cache [A].In: Proceedings of USENIX BSDCon’2002 [C]. San Francisco, 2002.89-97.
[3] Bernstein D J. SYN cookies [EB/OL]. http: //cr.yp.to/syncookies.html. 2000/2003-07-08.
[4] Check Point Software Technologies Ltd. SynDefender[EB/OL]. http: //www.checkpoint.com/products/protect/firewall-1.html. 2002/2003-07-08.
[5] Netscreen Technologies Ltd. Firewall appliance[EB/OL]. http: //www.netscreen.com/. 2002/2003-07-08.
[6] Schuba C L, Krsul I V, Kuhn M G, et al. Analysis of a denial of service attack on TCP[A]. In: Proceedings of IEEE Symposium on Security and Privacy [C]. Los Alamitos: IEEE Computer Society Press, 1997. 208-223.
[7] Roesch M. Snort-lightweight intrusion detection for networks[A]. In: Proceedings of the 13th Conference on Systems Administration(LISA’ 99)[C]. Seattle, Washington, 1999. 229-238.
[8] Staniford S, Hoagland J, McAlerney J. Practical automated detection of stealthy portscans [A]. In: ACM Computer and Communications Security IDS Workshop[C]. Athers, Greece, 2000. 1-7.
[9] Feldmann A. Characteristics of TCP connection arrivals[A]. In: Park K, Willinger W, eds. Self-Similar Network Trac and Performance Evluation [C]. John Wiley and Sons, 2000. 367-399.
[10] Caceres R, Danzig P B, Jamin S, et al. Characteristics of wide area TCP/IP conversations[A]. In: Proceedings of ACM SIGCOMM’91 [C]. Zurich, Switzerland, 1991. 101-112.
[11] Paxson V, Floyd S. Wide area traffic: the failure of poisson modeling [J]. IEEE/ACM Transactions on Networking, 1995, 3(3)226-244.
[12] Cleveland W S, Lin D, Sun D. IP packet generation: statistical models for start times on connection-rate superposition[A]. In: Proceedings of ACM SIGMETRICS [C]. California, 2000. 166-177.
[13] Bowerman B L, O’Connell R T. Forecasting and time series: an applied approach. 3rd ed.[M]. Thomson, 2003.
[14] Lincoln Laboratory, Massachusetts Institute of Technology. DARPA intrusion detection evaluation [EB/OL]. http: //www.ll.mit.edu/IST/ideval/index.html. 2001/2003-07-08.
[15] Stevens R W. TCP/IP Illustrated Volume: The protocols [M]. New York: Addison-Wesley, 1994.178-179.
Memo
- Memo:
- Biographies: Shan Rongsheng(1971—), male, graduate; Li Jianhua(corresponding author), male, professor, lijh888@sjtu.edu.cn.