Detection of Low-Rate Attacks in Computer Networks. Thatte, G., Mitra, U., & Heidemann, J. In Proceedings of the 11th IEEE Global Internet Symposium, pages 1–6, Phoenix, Arizona, USA, April, 2008. IEEE.

This paper develops two parametric methods to detect low-rate denial-of-service attacks and other similar near-periodic traffic, without the need for flow separation. The first method, the periodic attack detector, is based on a previous approach that exploits the near-periodic nature of attack traffic in aggregate traffic by modeling the peak frequency in the traffic spectrum. The new method adopts simple statistical models for attack and background traffic in the time-domain. Both approaches use sequential probability ratio tests (SPRTs), allowing control over false alarm rate while examining the trade-off between detection time and attack strength. We evaluate these methods with real and synthetic traces, observing that the new Poisson-based scheme uniformly detects attacks more rapidly, often in less than 200ms, and with lower complexity than the periodic attack detector. Current entropy-based detection methods provide an equivalent time to detection but require flow-separation since they utilize source/destination IP addresses. We evaluate sensitivity to attack strength (compared to the rate of background traffic) with synthetic traces, finding that the new approach can detect attacks that represent only 10% of the total traffic bitrate in fractions of a second.
@InProceedings{Thatte08a,
author = "Gautam Thatte and Urbashi Mitra and John Heidemann",
title = "Detection of Low-Rate Attacks in Computer Networks",
booktitle = "Proceedings of the " # "11th" # " IEEE Global Internet Symposium",
year = 2008,
sortdate = "2008-04-01",
project = "ant, madcat",
jsubject = "spectral_network",
publisher = "IEEE",
address = "Phoenix, Arizona, USA",
month = apr,
pages = "1--6",
isbn = "978-1-4244-2219-7",
doi = "10.1109/INFOCOM.2008.4544638",
jlocation = "johnh: pafile",
keywords = "dos attack detection, traffic modeling",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Thatte08a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Thatte08a.pdf",
copyrightholder = "IEEE",
copyrightterms = " Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE. ",
usessoftware = "stream_merger",
abstract = "
This paper develops two parametric methods to detect
low-rate denial-of-service attacks and other similar
near-periodic traffic, without the need for flow separation.
The first method, the periodic attack detector, is based
on a previous approach that exploits the near-periodic
nature of attack traffic in aggregate traffic by modeling the
peak frequency in the traffic spectrum. The new method
adopts simple statistical models for attack and background
traffic in the time-domain. Both approaches use sequential
probability ratio tests (SPRTs), allowing control over false
alarm rate while examining the trade-off between detection
time and attack strength. We evaluate these methods with
real and synthetic traces, observing that the new Poisson-based
scheme uniformly detects attacks more rapidly, often
in less than 200ms, and with lower complexity than the
periodic attack detector. Current entropy-based detection
methods provide an equivalent time to detection but
require flow-separation since they utilize source/destination
IP addresses. We evaluate sensitivity to attack strength
(compared to the rate of background traffic) with synthetic
traces, finding that the new approach can detect attacks
that represent only 10\% of the total traffic bitrate in
fractions of a second.
",
}