Covariance-matrix modeling and detecting various flooding attacks

IEEE Transactions on Systems, Man, and Cybernetics Part A:Systems and Humans

Volumn 37, Issue 2, 2007, Pages 157-169

  Yeung, Daniel S ^a   Jin, Shuyuan ^a   Wang, Xizhao ^a,b  

^a HONG KONG POLYTECHNIC UNIVERSITY   (Hong Kong)

^b HEBEI UNIVERSITY   (China)

Author keywords

Covariance matrix; Flooding attacks; Second order feature; Statistical anomaly detection; Threshold matrix

Indexed keywords

COVARIANCE MATRIX; DISTRIBUTED COMPUTER SYSTEMS; HEURISTIC METHODS; MATHEMATICAL MODELS; STATISTICAL METHODS;

FLOODING ATTACKS; SECOND-ORDER FEATURE; STATISTICAL ANOMALY DETECTION; THRESHOLD MATRIX;

INFORMATION SYSTEMS;

EID: 33947660479     PISSN: 10834427     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSMCA.2006.889480     Document Type: Article

References (36)

1. R. K. C. Chang, "Defending against flooding based distributed denial-of-service attacks: A tutorial," IEEE Commun. Mag., vol. 40, no. 10, pp. 42-51, Oct. 2002.
2. D. E. Denning, "An intrusion-detection model," IEEE Trans. Softw. Eng., vol. SE-13, no. 2, pp. 222-232, Feb. 1987.
3. D. Anderson, T. Frivold, and A. Valdes, "Next-generation intrusion detection expert system (NIDES): A summary," SRI Int., Menlo Park, CA, Tech. Rep. SRI-CSL-97-07, 1995.
4. H. S. Javitz and A. Valdes, "The NIDES statistical component description of justification," SRI Int., Menlo Park, CA, Tech. Rep. A010, 1994.
5. P. Neumann and P. Porras, "Experience with EMERALD to date," in Proc. 1st USENIX Workshop Intrusion Detect. and Netw. Monit., 1999, pp. 73-80.
6. N. Ye, S. M. Emran, Q. Chen, and S. Vilbert, "Multivariate statistical analysis of audit trails for host-based intrusion detection," IEEE Trans. Comput., vol. 51, no. 7, pp. 810-820, Jul. 2002.
7. L. Feinstein and D. Schnackenberg, "Statistical approaches to DDoS attack detection and response," in Proc. DISCEX, Apr. 2003, vol. 1, pp. 303-314.
8. C. Manikopoulos and S. Papavassiliou, "Network intrusion and fault detection: A statistical anomaly approach," IEEE Commun. Mag., vol. 40, no. 10, pp. 76-82, Oct. 2002.
9. S. Jin and D. Yeung, "A covariance analysis model for DDoS attack detection," in Proc. IEEE ICC, Jun. 2004, vol. 4, pp. 20-24.
10. R. B. Blazek, H. Kim, B. Rozovskii, and A. Tartakovsky, "A novel approach to detection of denial-of-service attacks via adaptive sequential and batch-sequential change-point detection methods," in Proc. Workshop Stat. and Mach. Learn. Tech. Comput. Intrusion Detect., Jun. 2001, pp. 220-226.
11. M. Thottan and C. Ji, "Anomaly detection in IP networks," IEEE Trans. Signal Process., vol. 51, no. 8, pp. 2191-2204, Aug. 2003.
12. H. Wang, D. Zhang, and K. G. Shin, "Change-point monitoring for the detection of DoS attacks," IEEE Trans. Dependable Secur. Comput., vol. 1, no. 4, pp. 193-208, Oct.-Dec. 2004.
13. W. Lee and S. Stolfo, "A framework for constructing features and models for intrusion detection systems," ACM Trans. Inf. Syst. Secur., vol. 3, no. 4, pp. 227-261, Nov. 2000.
14. J. Xu, "Sustaining availability of Web services under severe denial of service attacks," Georgia Inst. Technol., Atlanta, GA, Tech. Rep. GITCC-01-10, May 2001.
15. W. Lee, "A data mining framework for constructing features and models for intrusion detection systems," Ph.D. dissertation, Columbia Univ., New York, 1999.
16. M. V. Mahoney and P. K. Chan, "An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection," in Proc. RAID, Oct. 2003, pp. 220-237.
17. P. Uppuluri and R. Sekar, "Experiences with specification-based intrusion detection," in Proc. RAID, Oct. 2001, pp. 172-189.
18. C. Tseng, P. Balasubramanyam, and C. Ko, "A specification-based intrusion detection system for AODV," in Proc. 1st ACM Workshop Secur. Ad Hoc and Sensor Netw. Fairfax, Oct. 2003, pp. 125-134.
19. P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Proc. 2nd ACM SIGCOMM Workshop Internet Meas., Nov. 2002, pp. 71-82.
20. D. Moore, G. Voelker, and S. Savage, "Inferring internet denial of service activity," in Proc. USENIX Secur. Symp., Aug. 2001, pp. 9-22.
21. J. A. Gubner, "Theorems and fallacies in the theory of long-range-dependent processes," IEEE Trans. Inf. Theory, vol. 51, no. 3, pp. 1234-1239, Mar. 2005.
22. T. Karagiannis, M. Molle, and M. Faloutsos, "Long-range dependence ten years of Internet traffic modelling," IEEE Internet Comput., vol. 8, no. 5, pp. 57-64, Sep./Oct. 2004.
23. J. Ryan, M. J. Lin, and R. Miikkulainen, "Intrusion detection with neural networks," in Advances in Neural Information Processing. Cambridge, MA: MIT Press, 1998.
24. Y. Xiong, S. Liu, and P. Sun, "On the defense of the distributed denial of service attacks: An on-off feedback control approach," IEEE Trans. Syst., Man, Cybern. A, Syst., Humans, vol. 31, no. 4, pp. 282-293, Jul. 2001.
25. J. Kong, M. Mirza, J. Shu, C. Yoedhana, M. Gerla, and S. Lu, "Random flow network modeling and simulations for DdoS attack mitigation," in Proc. IEEE ICC, May 2003, vol. 1, pp. 487-491.
26. T. V. Lakshman and D. Stiliadis, "High speed policy-based packet forwarding using efficient multi-dimensional range matching," in Proc. ACM SIGCOMM, Sep. 1998, pp. 203-214.
27. J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites," in Proc. 11th Int. World Wide Web Conf., Honolulu, HI, May 2002, pp. 252-262.
28. Y. Ohsita, S. Ata, and M. Murata, "Detecting distributed denial-of-service attacks by analyzing TCP SYN packets statistically," in Proc. IEEE GLOBECOM, Nov./Dec. 2004, vol. 4, pp. 2043-2049.
29. D. Y. Yeung and Y. X. Ding, "Host-based intrusion detection using dynamic and static behavioral models," Pattern Recognit., vol. 36, no. 1, pp. 229-243, Jan. 2003.
30. W. Lee, S. Stolfo, P. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, and J. Zhang, "Real time data mining-based intrusion detection," in Proc. DISCEX II, Jun. 2001, pp. 85-100.
31. J. Toelle and O. Niggenmann, "Supporting intrusion detection by graph clustering and graph drawing," in Proc. 3rd Int. Workshop RAID, Oct. 2000.
32. H. Debar, M. Becker, and D. Siboni, "A neural network component for an intrusion detection system," in Proc. IEEE Comput. Soc. Symp. Res. Comput. Secur. and Privacy, 1992, pp. 240-250.
33. DARPA Intrusion Detection Evaluation Documentation. (1999). [Online]. Available: http://www.ll.mit.edu/IST/ideval/docs/docs_index.html
34. L. A. Gordon, M. P. Loeb, W. Lucyshyn, and R. Richardson, 2004 CSI/FBI Computer Crime and Security Survey, 2004, San Francisco, CA: Comput. Secur. Inst. (CSI). [Online]. Available: http://i.cmpnet.com/gocsi/ db_area/pdfs/fbi/FBI2004.pdf
35. G. H. Hardy, J. E. Littlewood, and G. Pólya, Chebychef's Inequality, 2nd ed. Cambridge, U.K.: Cambridge Univ. Press, 1988, ch. 2.17 and 5.8, pp. 43-45. 123.
36. X. Qin, W. Lee, L. Lewis, and J. B. D. Cabrera, "Using MIB II variables for network anomaly detection - A feasibility study," in Proc. ACM Workshop Data Mining Secur. Appl., Philadelphia, PA, Nov. 2001, pp. 609-622.