22 citations found.
H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, New York, NY, Jun. 2002.


This paper is cited in the following contexts:
Detecting Reflector Attacks by Sharing Beliefs - Peng, Leckie, Ramamohanarao

....victim, it hardly helps to stop the network bandwidth abuse. Therefore, the final solution for defending against the reflector attack is to let the reflectors detect the attack and trace back to the attacker. However he does not provide a scheme for the reflectors to detect the attack. Wang et al. [8] proposed a CUSUM detection scheme to detect SYN flooding attacks by observing the ratio of the number of SYN packets and number of FIN packets. Gil proposes a scheme called MULTOPS [9] to detect denial of service attacks by monitoring the packet rate in both the up and down links. However, none ....

....attack detection. The attack detection threshold is used for the , the accumulated positive values of which is illustrated in Figure 2 and defined below. In order to reduce the overhead for online implementation, we use the recursive version of the non parametric CUSUM algorithm [12] [11] [8] which is shown as follows: # # ) #0 . 1) is equal to if 12 3 and otherwise. A large is a strong indication of an attack. As we see in the bottom graph of Figure 2, the cumulative positive values of . We consider the change to have occurred at time ....

[Article contains additional citation context not shown here]

H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proceedings of IEEE Infocom'2002.


Detecting Distributed Denial of Service Attacks by.. - Peng, Leckie..

....improve the efficiency of a multi agent system for distributed attack detection. We show that this approach is much more effective than earlier schemes, especially when there are multiple attack sources and the attack traffic is highly distributed. We adapt the detection scheme proposed by Wang et al. [16], which is based on an advanced non parametric change detection scheme, CUSUM, and demonstrate that this approach detects a wide range of attacks quickly and with high accuracy. The rest of the paper is organized as follows. Section 2 gives an overview of our solution to this problem. Section 3 ....

....m in a sequential manner so that the detection delay and false positive rate are both minimized. In our experiment, we applied the non parametric CUSUM (Cumulative Sum) method [2] in our detection algorithm. This general approach is based on the model presented in Wang et al. [16] for attack detection using CUSUM. The main idea behind the non parametric CUSUM algorithm is that we accumulate values of X n that are significantly higher than the mean level under normal operation. One of the advantages of this algorithm is that it monitors the input random variables in a ....

[Article contains additional citation context not shown here]

Haining Wang, Danlu Zhang, and Kang G. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE Infocom'2002, June 2002.


Detecting Distributed Denial of Service Attacks Using.. - Peng, Leckie.. (2002)

....attacks. We demonstrate that this is a more sensitive variable for detecting bandwidth attacks than monitoring the total volume of incoming traffic. In addition, we present a method for detecting changes in our monitoring variable, based on the non parametric Cumulative Sum (CUSUM) algorithm [4][30]. The CUSUM algorithm reduces the false positive rate, and has been shown to be optimal in terms of detection accuracy and computing overhead for parametric model and have good performance for non parametric model. [4] Our main contribution in this paper is a novel approach to detecting bandwidth ....

....bandwidth attacks by monitoring the arrival rate of new source IP addresses. We show that this approach is much more effective than earlier schemes, especially when there are multiple attack sources and the attack traffic is highly distributed. We adapt the detection scheme proposed by Wang et al. [30], which is based on an advanced non parametric change detection scheme, CUSUM, and demonstrate that this approach detects a wide range of simulated attacks quickly and with high accuracy. The rest of the paper is organized as follows. Section II gives an introduction to distributed denial of ....

[Article contains additional citation context not shown here]

Haining Wang, Danlu Zhang, and Kang G. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE Infocom'2002.


A Framework for Classifying Denial of Service Attacks - Hussain, Heidemann.. (2003)   (25 citations)

....WORK Denial of service attacks attempt to exhaust the resources at the victim. These resources are either network bandwidth, computing power, or operating system data structures. Research on denial of service attacks is focused on either attack detection mechanisms to identify an ongoing attack [10, 14, 30, 38, 43] or response mechanisms that attempt to alleviate the damage caused by the attack. Response mechanism usually take two approaches; localizing the source of the attack using traceback techniques [8, 16, 34, 35] or reducing the intensity of the attack [22, 18, 44] by blocking attack packets. ....

....an attack. Multops exploits the correlation of incoming and outgoing packet rates at different level of subnet prefix aggregation to identify attacks [14]. Wang provides a rigorous statistical model to detect abrupt changes in the number of TCP SYN packets as compared to the TCP SYN ACK packets [43]. Bro, an intrusion detection system uses change in (statistical) normal behavior of applications and protocols to detect attacks [30] while Cheng use spectral analysis to detect high volume DoS attack due to change in periodicities in the aggregate traffic [10]. All the above techniques are based ....

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, pages 000--001, New York, NY, June 2002. IEEE.


Enabling Secure IP Telephony in Enterprise Networks - Reynolds (2001)

....source tracing, only related works in detection and response of DoS attacks will be described here. Accurate, efficient, and fast detection of DoS attack instances is the first and critical step in successfully defending the target systems against various forms of DoS attacks. Wang et al. [67] introduced a simplistic, yet powerful, algorithm that exploits the normal behavior of TCP traffic to detect the presence of a SYN flood attack. Their algorithm was used as a basis for the algorithms presented in this work. Also, in [35] the method of EWMA (Exponentially Weighted Moving Average) ....

....additional benefit of using the handshakes to detect attacks is the temporal proximity of the messages. This allows for shorter sampling periods and hence lower detection time. 5.4.1 Detection Algorithm The algorithm used in detecting the presence of an attack is based on the work presented in [67]. The correlation between the number of connection establishment attempts and the completed handshakes is similar to the relationship between connection setup and tear down. The difference can be modeled as a stationary, random process. The sensor is an implementation of Sequential Change ....

H. Wang, D. Zhang, and K. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM 2002.


Secure IP Telephony using Multi-layered Protection - Reynolds, Ghosal

....proximity of the messages. All setup messages are transmitted within a relatively short time period. This allows for shorter sampling periods and hence lower detection time. 5.1. Detection Algorithm The algorithm used in detecting the presence of an attack is based on the work presented in [30]. The correlation between the number of connection establishment attempts and the completed handshakes is similar to the relationship between connection setup and tear down. The difference can be modeled as a stationary, random process. The sensor is an implementation of Sequential Change Point ....

....[11] Garg and Reddy present a prototype system capable of enforcing QoS restrictions on various resources including network bandwidth, protocol state memory buffers and CPU cycles. The other category of research has been on quickly and effectively detecting the presence of an attack. Wang et al. [30] introduced a simplistic, yet powerful, algorithm that exploits the normal behavior of TCP traffic to detect the presence of a SYN flood attack. Their algorithm was used as a basis for the algorithms presented in this paper. 9. Conclusion This study provided a detailed examination of DoS attacks ....

H. Wang, D. Zhang, and K. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM 2002.


Effect of Malicious Traffic on the Network - Lan, Hussain, Dutta (2003)   (1 citation)

....hosts can be disastrous when they trigger a DDoS attack. I. INTRODUCTION During the last few years, the Internet has witnessed a surge in malicious traffic, such as that generated by denial of service (DDoS) attacks and due to the propagation of worm traffic [1]. Most previous work [1], [2], [3], [4], [5], [6], [7] has focused on studying the reasons behind the malicious traffic but not their effects on the normal background traffic. We define normal traffic as the network traffic generated due to well known services and applications, for example, web, ftp, nntp, and smtp. In this paper, we ....

....how this paper complements previous studies. A. DDoS DDoS attacks attempt to exhaust the resources of the victim. The resources may be network bandwidth, computing power or operating system data structures. Previous research on DDoS attacks focused on either detecting the attack [9], [2], [3], [4], or responding to the attack [10], [11], [12], [13], [14], [15], [16], [17], [18] by blocking the attack packets. Attack detection techniques can be either based on an anomaly detection approach or a static signature scan technique. A large number of anomaly detection tools have been designed ....

[Article contains additional citation context not shown here]

D. Z. Haining Wang and K. Shin, "Detecting syn flooding attacks," in Proceedings of the IEEE Infocom. New York, NY: IEEE, June 2002, pp. 000--001. [Online]. Available: citeseer.nj.nec.com/508971.html


Hop-Count Filtering: An Effective Defense Against Spoofed.. - Jin, Wang, Shin (2003)   (7 citations)  Self-citation (Wang Shin)

No context found.

H. Wang, D. Zhang, and K. G. Shin. Detecting syn flooding attacks. In Proceedings of IEEE INFOCOM '2002.


Hop-Count Filtering: An Effective Defense Against Spoofed.. - Jin, Wang, Shin (2003)   (7 citations)  Self-citation (Wang Shin)

....normal condition, HCF resides in alert state, watching for abnormal TTL behaviors without discarding packets. Upon detection of an attack, HCF switches to action state, in which the HCF discards those IP packets with mismatching hop-counts. Besides the IP2HC inspection, several efficient mechanisms [14, 17, 28, 40] are available to detect DDoS attacks. Through analysis using network measurement data, we show that the HCF can recognize close to 90% of spoofed IP packets. Then, since our hop count based clustering significantly reduces the percentage of false positives, we can discard spoofed IP packets ....

H. Wang, D. Zhang, and K. G. Shin. Detecting syn flooding attacks. In Proceedings of IEEE INFOCOM '2002.


Defending against Distributed Denial-of-Service Attacks.. - Yau, Lui, Liang, Yam (2005)   (8 citations)

No context found.

H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, New York, NY, Jun. 2002.


Detecting Anomalies in Network Traffic Using Maximum Entropy.. - Yu Gu Andrew (2005)

No context found.

WANG, H., ZHANG, D., AND SHIN, K. G. Detecting syn flooding attacks. In Proceedings of IEEE INFOCOM (2002).


Streams, Security and Scalability - Theodore Johnson Muthukrishnan (2005)

No context found.

H. Wang, D. Zhang, and K. G. Shin. Detecting SYN flooding attacks. In INFOCOM, 2002. http://www.ieee-infocom.org/2002/papers/800.pdf.


On Scalable Attack Detection in the Network - Ramana Rao Kompella (2004)   (2 citations)

No context found.

Wang, H., Zhang, D., and Shin, K. Detecting syn flooding attacks. In IEEE INFOCOM (2002).


Fusion and Filtering in Distributed Intrusion Detection.. - Barford, Jha, Yegneswara (2004)   (1 citation)

No context found.

H. Wang, D. Zhang, and K. Shin. Detecting SYN Flooding Attacks. In Proceedings of IEEE INFOCOM, April, 2002.


Safe Execution of Untrusted Applications on.. - Bos, Samwel..

No context found.

H. Wang, D. Zhang, and K. G. Shin. Detecting SYN flooding attacks. In Proceedings of INFOCOM 2002.


Understanding and Mitigating the Effects of Denial-of-Service.. - Sasson

No context found.

H. Wang, D. Zhang, and K. Shin. Detecting syn flooding attacks. In Proceedings of IEEE INFOCOM, pages 1530 --1539, June 2002.


A Framework for Classifying Denial of Service Attacks - Alefiya Hussain John (2003)   (25 citations)

No context found.

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.


A Tool for RApid Model Parameterization and its Applications - Lan, Heidemann (2003)

No context found.

H. Wang, D. Zhang, and K. Shin, "Detecting syn flooding attacks," in Proceedings of the IEEE Infocom. New York, NY: IEEE, June 2002, pp. 000--001.


A Framework for Classifying Denial of Service Attacks - Hussain, Heidemann.. (2003)   (25 citations)

No context found.

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.


Identification of Repeated DoS Attacks Using Network .. - Hussain, Heidemann, ..

No context found.

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding Attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.


Identification of Repeated Attacks Using Network.. - Hussain, Heidemann.. (2003)

No context found.

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.


A Framework for Classifying Denial of Service Attacks - Hussain, Heidemann.. (2003)   (25 citations)

No context found.

Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.


CiteSeer.IST - Copyright Penn State and NEC