JOURNAL OF NETWORKS, VOL. 4, NO. 9, NOVEMBER 2009
A Novel Distributed Detection Scheme against DDoS Attack

Zaihong Zhou
School of Computer and Communications, Hunan University, Changsha, China
Email: [email protected]

Dongqing Xie and Wei Xiong
School of Computer Science and Educational Software, Guangzhou University, Guangzhou, China
Email: [email protected], [email protected]

Abstract—A novel detection scheme against DDoS attack is proposed from a distributed perspective. The distributed end-hosts in the Internet are organized into a P2P network by the Chord protocol for detection, and a detection algorithm based on CUSUM and space similarity is deployed at each node of the P2P detection network. The P2P-based detection network lets the scheme scale to a large number of detection nodes. CUSUM-based detection at the end-host catches slight changes in the host's outgoing traffic, which implements early detection of DDoS attack and relieves the detection burden at the victim end. Because detection runs at the source hosts, it is not defeated by forged or randomly changing source IP addresses, and it can locate the real attack hosts. Node trust is introduced for broadcasting abnormal information, which prevents network congestion caused by malicious broadcasts from malicious nodes. Abnormality detection among nodes based on space similarity improves detection accuracy. Experimental results indicate that the proposed scheme performs better than CUSUM and time-similarity detection deployed individually: it reaches a detection rate of up to 96.1% and a false positive rate as low as 6.9%. The P2P-based scheme can also be applied to the communication problem in other distributed application systems.

Index Terms—DDoS Attack, Distributed Detection, CUSUM Algorithm, Similarity, P2P
Corresponding Author: Zaihong Zhou; [email protected]; School of Computer and Communications, Hunan University, Changsha, China, 410082; 0086-13055198652

© 2009 ACADEMY PUBLISHER doi:10.4304/jnw.4.9.921-928

I. INTRODUCTION

DDoS attack is one of the most damaging attacks on the Internet today and causes inestimable losses to Internet business. However, there has been no substantive breakthrough in research on DDoS detection so far. Existing DDoS detection schemes are mainly deployed at the victim end. Although the victim end can attain higher detection accuracy, such schemes cannot defend against DDoS attacks that forge source IP addresses or change them at random. They also cannot locate the real attack hosts, and they degrade router performance. In the few existing distributed detection methods the detection burden at the victim end has been alleviated, but the distributed nodes do not scale well.

Aiming at these disadvantages, a novel mechanism is proposed. The distributed end-hosts in the Internet are organized into a P2P network according to the Chord protocol, exploiting the high performance, robustness and high scalability of P2P networks. In this way the detection network can easily scale up to hundreds of thousands of end-hosts. A detection algorithm based on CUSUM and space similarity is deployed at each node in the detection network. CUSUM-based detection can find slight changes in outgoing traffic at an early stage, which gives early detection of DDoS attack; the space similarity algorithm calculates the similarity of the packets generated by the distributed attack sources, which enhances detection accuracy. Each node in the P2P network plays two roles: a detection node, responsible for detecting abnormality at the local host, and a response node, in charge of responding to requests from detection nodes. At the detection node, the CUSUM algorithm detects the change in the amount of packets sent to a destination. On finding abnormal circumstances, the detection node broadcasts a detection request. The response node uses the CUSUM algorithm to detect the change in the amount of packets sent to the given destination; on finding abnormal circumstances, it uses the space similarity algorithm to calculate the similarity of the abnormality between itself and the requesting node. If the similarity value exceeds a threshold, an alert packet is sent to the victim end; the victim counts the number of similar nodes, which is the number of attack sources, over the packets sent by all detection nodes, and makes a comprehensive judgment. To prevent network congestion caused by malicious broadcasts from malicious nodes while a detection node is broadcasting its detection request, the broadcast algorithm for structured P2P networks proposed by S. El-Ansary et al. [1] is improved: node trust is introduced, and broadcast requests from nodes with poor trust are not forwarded. An early detection mechanism against DDoS attack at the end-hosts located at the source end is proposed for the first time. It can locate the real attackers, so it responds to the DDoS attack in time with little impact on legitimate users. The proposed scheme is deployed as far as possible at the zombies or suspected zombies. Zombies normally have good performance and run few applications, so they can bear a lightweight detection module.

The rest of this paper is organized as follows. Section II describes related work on detection. Section III presents the proposed scheme, including the construction of the P2P detection network, the detection algorithm at the end-host, the trust-based broadcast algorithm, and the abnormality similarity detection algorithm based on space similarity between nodes. Section IV shows the experimental results. Finally, we conclude the paper.

II. RELATED WORK

There are many schemes and theories for detecting DDoS attacks. J. B. D. Cabrera et al. [2] proposed using management information base (MIB) traffic variables from routers to detect DDoS attacks proactively. The relevant MIB variables at the attacker are extracted automatically using statistical tests, and the DDoS attack is detected by analyzing several key variables before the victim goes down, which implements early detection. The scheme appears to capture the statistical abnormality in the ICMP, UDP and TCP packets of the specific DDoS attacks studied, but it still needs to be validated further in real networks. To enhance accuracy, Laura Feinstein et al. [3] proposed statistical approaches to DDoS attack detection and response: the statistical distributions of source IP address and packet length are measured with entropy and the chi-square test, and the DDoS attack is identified from these two values.
However, if the attackers know the frequency-sorted distribution of the source IP addresses, they can simulate that distribution so that the statistics computed by the above methods approach their normal values, and the DDoS attack cannot be detected. To strengthen DDoS detection, Christos Papadopoulos et al. [4] proposed the COSSACK method to detect and respond to DDoS attacks. Traffic at the ingress and egress points of the edge network is monitored by COSSACK components at the edge, which use a multicast communication mechanism, network topology information and a new blind detection technique to defeat DDoS attacks. Shu Yuan Jin et al. [5] proposed a covariance analysis model for DDoS attack detection. The correlation analysis model builds on the effectiveness of multivariate correlation analysis for DDoS detection: all the flags in the control field of the TCP header are selected as features, and a change in the correlation among the different features is used to determine abnormality. The scheme differentiates normal traffic from attack traffic sensitively and detects DDoS attack traffic of different intensities accurately, but it only applies to SYN flooding attacks. Subsequently, to address the limitations of the correlation analysis model, Shu Yuan Jin et al. proposed a feature space model for DDoS detection [6]. The new feature space is constructed from physical network features, and a covariance matrix represents the relationship between each pair of physical features. With the help of a classification algorithm, mixed or unknown attacks can be identified, so the generality of the scheme is improved. In 2005, Wei Lu et al. [7] used the Gaussian mixture model from pattern recognition to model network traffic for DDoS attack detection. In the same year, Christos Siaterlis et al. [8] proposed using multiple metrics, covering both incoming and outgoing traffic, to detect DDoS attacks; however, it detects only specific DDoS attack traffic. Most of these existing DDoS detection schemes are deployed at the victim end. Although the victim end can attain higher detection accuracy, by then the large-scale attack has already formed and the loss is unavoidable, so such schemes cannot provide effective early alerts. A distributed problem should be solved by distributed methods, but research results on distributed detection are still few. In 2003, J. Mirkovic et al. proposed a distributed defense scheme against DDoS attack [9], which builds a distributed framework on an overlay network and adds detection nodes at the victim end, response nodes in the intermediate network and traffic classification nodes at the source end. These nodes collaborate to defend against DDoS attacks. Although this scheme achieves collaboration among heterogeneous nodes, detection is still deployed at the victim end, so it cannot detect and control the DDoS attack effectively at an early stage. H. Y. Lam [10] and B. Xiao [11] et al. extended the scope from the victim end to the source end.
At the source end, detection is based on the change in the rate of incoming TCP packets per second, the rate of outgoing TCP packets per second, and the ratio of ACK to SYN packets (ACK/SYN). But the source end referred to by H. Y. Lam is the router in the ISP domain where the source resides, and the source end referred to by B. Xiao is the router at the innocent hosts, which are not the real attack hosts. Moreover, both schemes can only detect TCP-based DDoS attacks. Considering that the Autonomous System (AS) is the unit of management in the Internet, G. Koutepas et al. proposed a distributed management architecture for collaborative detection and response among ASes [12]. The scheme is deployed at the ASes that participate in detection, and a group of trusted partners from different management domains cooperate. It relies on widespread participation and on rapid correlation of alarms and detection data, and has no concrete detection method, so it is only a management system for detection information. Y. Chen et al. have also researched DDoS detection with the AS as the unit. A scheme for collaborative change detection of DDoS attacks on community and ISP networks was proposed first [13], but it can only detect DDoS attacks collaboratively within one AS. To overcome this limited detection scope, the authors proposed collaborative detection of DDoS attacks over multiple network domains [14]. A change aggregation tree (CAT) server is deployed in each ISP. The server aggregates the attack information reported by the routers in the local ISP and constructs a CAT subtree; the subtrees from all ISPs are then sent to the CAT server in the victim's ISP, which merges them and makes the final judgment according to a threshold on the tree size. Although this scheme embodies the idea of distributed detection, construction of the global CAT tree and the final decision are centralized at the victim end, so the overhead there is high and the server risks being swamped by the attack traffic. Collaboration among ISPs extends the protected scope, but scalability is still limited. Because attack sources are widely distributed and may lie outside the ISPs' deployment area, a distributed detection system with a lower burden at the victim end, a wider collaboration scope and better scalability is required to counter DDoS attacks.

This paper proposes a novel distributed detection mechanism. The detection network is a P2P network constructed according to the Chord protocol, so it has high performance, robustness and high scalability. With these characteristics the number of detection nodes can be scaled up and the range of coordination is wider; detection of abnormality at the local host and of abnormality between nodes is done at the end-hosts, and only the alert packets sent by the abnormal nodes need to be counted at the victim end, which greatly reduces the detection burden there.
... association detects a DDoS attack, it will broadcast the detection request to the other members quickly, so that the DDoS attack is detected as early as possible. Based on the security association's requirements of high scalability and high-performance communication, and on the features of a structured P2P network built on the Chord protocol, namely that it is completely distributed, load-balanced, highly available and scalable, and has a flexible naming rule, the Chord protocol is adopted to construct the structured P2P detection network. The Chord protocol used in our scheme adopts an m-bit SHA-1 hash function, which hashes the IP address of each detection node to generate its node ID. All nodes are arranged in ascending order of ID, clockwise, on a logical ID ring, the Chord ring. Each node maintains a finger table with at most m entries, the ith entry (1 ≤ i ≤ m) ...

... When $Y_{n,m} > \alpha_m$, the detection request and abnormal message are broadcast to the other nodes in the detection network. The abnormal message is a triple: {target host, number of packets, size of packet}. The detection algorithm at the source end is shown in Figure 2.

CUSUM(X_{n,m}, e_m, α_m, MSG)
  Y_{0,m} := 0
  Y_{n,m} := max{0, Y_{n-1,m} + X_{n,m} - e_m}
  IF Y_{n,m} > α_m
    Broadcast(MSG)
  ENDIF

Figure 2. Abnormality Detection Algorithm at the local host
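As an added worked example (not code from the paper), the following Python runs the CUSUM recurrence of Figure 2 over per-period byte counts sent to one destination and, on an alarm, assembles the abnormal message {target host, number of packets, size of packet} from the periods that follow. The parameters are the ones the paper reports for its experiments (e = 45.2 KB, α = 60 KB, 500 ms periods, 10 recorded periods after the alarm); taking KB as 1000 bytes, the traffic samples and the destination address are assumptions of the example.

```python
"""CUSUM change detection at the local host (added example, not the paper's code).

X[n] is the amount of traffic (bytes) sent to one destination in monitoring
period n. Y[n] = max(0, Y[n-1] + X[n] - e) accumulates the excess over the
expected per-period amount e; an alarm fires when Y[n] > alpha. e and alpha
follow the paper's experiments; KB = 1000 bytes is an assumption.
"""

E_BYTES = 45_200        # e = 45.2 KB, expected amount per 500 ms period
ALPHA_BYTES = 60_000    # alpha = 60 KB, CUSUM alarm threshold
N_RECORD = 10           # periods recorded after the alarm for MSG(n)


def cusum_alarm(samples, e=E_BYTES, alpha=ALPHA_BYTES):
    """Run the recurrence of Figure 2 over per-period byte counts.
    Returns (n, Y) with n the 1-based period at which Y[n] > alpha first
    holds, or (None, Y) if no alarm fires. Y[0] = 0."""
    y = [0.0]
    for n, x in enumerate(samples, start=1):
        y.append(max(0.0, y[-1] + x - e))
        if y[-1] > alpha:
            return n, y
    return None, y


def detect_and_record(target, periods, e=E_BYTES, alpha=ALPHA_BYTES,
                      n_record=N_RECORD):
    """periods: list of (packet_count, byte_count) per period for `target`.
    CUSUM runs on the byte counts; after an alarm the next n_record periods
    are recorded and returned as the abnormal message, else None."""
    alarm_at, _ = cusum_alarm([b for _, b in periods], e, alpha)
    if alarm_at is None:
        return None
    window = periods[alarm_at:alarm_at + n_record]   # periods after the alarm
    return {
        "target": target,
        "alarm_period": alarm_at,
        "packets": [p for p, _ in window],                     # number of packets
        "sizes": [b / p if p else 0.0 for p, b in window],     # mean packet size
        "bytes": [b for _, b in window],
    }


# Constructed samples: (packets, bytes) per 500 ms period to one destination.
BACKGROUND = [(420, 44_000), (450, 47_000), (410, 43_500),
              (440, 46_000), (430, 45_000), (425, 44_500)]
FLOOD = [(1500, 75_000)] * 13                  # sustained 50-byte packet flood
SAMPLE_PERIODS = BACKGROUND + FLOOD
SINGLE_BURST = BACKGROUND + [(900, 100_000)] + BACKGROUND   # one legitimate burst

VICTIM = "192.168.88.10"   # hypothetical target host address


def demo():
    """Alarm on the sustained flood; no alarm on the single burst."""
    flood_msg = detect_and_record(VICTIM, SAMPLE_PERIODS)
    burst_alarm, _ = cusum_alarm([b for _, b in SINGLE_BURST])
    return flood_msg, burst_alarm
```

Two flood periods of 75 KB do not trip the alarm on their own; the third does, because the excess over e accumulates across periods, while a single 100 KB burst followed by normal traffic never crosses α. That is the property CUSUM adds over a per-period threshold: it reacts to a sustained shift in the mean rather than to one outlier. The flip side is that Y only decays by (e − X) per period, so after a large legitimate burst the statistic stays elevated for a long time and the next modest excess fires; capping or resetting Y after a run of normal periods is a common practical addition.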
C. Broadcast of Detection Request and Abnormal Message

When any node in the P2P-based detection network, i.e. any end-host, detects abnormal circumstances with the CUSUM-based algorithm, it continues to monitor them for n periods, recording the number of packets and the packet size sent to the destination in each of the n periods, and then broadcasts the detection request and abnormal message to the P2P detection network. On receiving the detection request, the other detection nodes run the CUSUM algorithm against the specified destination. If they find abnormality, they calculate the similarity between their own number of packets and packet size to that destination and those carried in the request over the n monitoring periods. If the similarity value exceeds a threshold, an alert packet is sent to the victim end.

The detection network is a structured P2P network based on Chord. To broadcast the detection request and abnormal message with the lowest message complexity and the fastest broadcast speed, and to prevent malicious broadcasts from malicious nodes, the broadcast algorithm proposed by S. El-Ansary et al. [1] is improved in our scheme: node trust is introduced, and broadcast requests from nodes with poor trust are not forwarded. The improved broadcast algorithm consists of two parts: the initialization at the broadcast sponsor, shown in Figure 3, and the processing algorithm at a receiving node, shown in Figure 4. A is the ID of the sponsor node, S is the ID of the forwarding node and R is the ID of the receiving node; at initialization the forwarding node is the sponsor itself. MSG(n) is the abnormal message over n periods, and Limit is the constraint parameter that bounds the ID range a receiver may forward into.

InitBroadcast(A)
  S := A
  FOR i := 1 TO m-1
    IF Finger[i] != Finger[i+1]
      R := Finger[i]
      Limit := Finger[i+1]
      Send(A, S, R, MSG(n), Limit)
    ENDIF
  ENDFOR
  Send(A, S, Finger[m], MSG(n), S)

Figure 3. Initializing Algorithm at the Sponsor
Receive(A, S, R, MSG(n), Limit)
  Calculate trust(A) at R according to history and recommendation
  IF trust(A) > θ
    S := R
    FOR i := 1 TO m-1
      IF Finger[i] != Finger[i+1]
        IF Finger[i] ∈ (S, Limit)
          R := Finger[i]
          IF Finger[i+1] ∈ (S, Limit)
            NewLimit := Finger[i+1]
          ELSE
            NewLimit := Limit
          ENDIF
          Send(A, S, R, MSG(n), NewLimit)
        ELSE
          EXIT FOR
        ENDIF
      ENDIF
    ENDFOR
    IF Finger[m] ∈ (S, Limit)
      Send(A, S, Finger[m], MSG(n), Limit)
    ENDIF
  ENDIF

Figure 4. Processing Algorithm at the Receiver
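The two figures above, as an added worked example in Python (not the paper's code): a small Chord ring with constructed node IDs, finger tables computed as finger[i] = successor(id + 2^(i-1)), and the sponsor and receiver steps with the Limit parameter that confines each forwarder to the clockwise ID range (S, Limit). The trust gate uses the combined trust G_{a→b} = w_a L_{a→b} + (1 − w_a) T_b defined in (1)-(3) below; the weight w_a = 0.6, the threshold θ = 0.5, the 5-bit ID space and the counter values fed to the trust function are assumptions of the example. A receiver forwards to its last finger with the incoming Limit, as in El-Ansary's algorithm, so that every node receives the request exactly once.

```python
"""Trust-gated Chord broadcast of a detection request (added example).

Nodes sit on a 2**M-position ring. finger[i] = successor(id + 2**(i-1)).
A broadcast message carries Limit: the receiver may only forward into the
clockwise open interval (self, Limit), which is what makes each node
receive the request exactly once. A receiver that does not trust the
sponsor above theta keeps the message but does not forward it.
"""
from collections import deque

M = 5                  # ID bits (assumption; the paper hashes IPs with SHA-1)
RING = 2 ** M


def successor(key, ids):
    """First node ID clockwise from key; ids must be sorted ascending."""
    key %= RING
    for nid in ids:
        if nid >= key:
            return nid
    return ids[0]      # wrap around the ring


def in_open(x, a, b):
    """True iff x lies strictly inside the clockwise open interval (a, b)."""
    if a == b:
        return x != a
    if a < b:
        return a < x < b
    return x > a or x < b          # interval wraps past 2**M


def finger_table(nid, ids):
    """finger[1..M]; index 0 is unused so that indices match Figures 3 and 4."""
    return [None] + [successor(nid + 2 ** (i - 1), ids) for i in range(1, M + 1)]


def combined_trust(s_ab, i_ab, n_bv, d_b, w=0.6):
    """Eq. (3): G = w*L + (1-w)*T with L = S_ab/I_ab (1) and T = N_bv/D_b (2).
    A node with no history gets a neutral 0.5 for that term (assumption)."""
    local = s_ab / i_ab if i_ab else 0.5
    glob = n_bv / d_b if d_b else 0.5
    return w * local + (1 - w) * glob


def broadcast(ids, sponsor, trust, theta=0.5):
    """One broadcast from `sponsor`. trust(r, a) is receiver R's trust in
    sponsor A. Returns (received-count per node, total messages sent)."""
    ids = sorted(ids)
    fingers = {nid: finger_table(nid, ids) for nid in ids}
    received = {nid: 0 for nid in ids}
    queue = deque()
    sent = 0

    # Figure 3: InitBroadcast(A). Tuples are (S, R, Limit); A and MSG are fixed.
    a = s = sponsor
    f = fingers[a]
    for i in range(1, M):
        if f[i] != f[i + 1]:
            queue.append((s, f[i], f[i + 1]))    # Limit = next distinct finger
    if f[M] != a:                                # guard for a nearly empty ring
        queue.append((s, f[M], s))               # last finger: Limit = sponsor

    # Figure 4: Receive(A, S, R, MSG(n), Limit), delivered in FIFO order
    while queue:
        s, r, limit = queue.popleft()
        sent += 1
        received[r] += 1
        if trust(r, a) <= theta:
            continue                             # poor-trust sponsor: do not forward
        s = r
        f = fingers[r]
        for i in range(1, M):
            if f[i] != f[i + 1]:
                if in_open(f[i], s, limit):
                    new_limit = f[i + 1] if in_open(f[i + 1], s, limit) else limit
                    queue.append((s, f[i], new_limit))
                else:
                    break                        # fingers are clockwise: rest are outside
        if in_open(f[M], s, limit):
            queue.append((s, f[M], limit))
    return received, sent


# Constructed ring: 9 nodes on the 32-position ring
NODE_IDS = [1, 4, 7, 12, 15, 20, 23, 27, 30]


def full_trust(r, a):
    return 1.0


def gated_trust(r, a):
    """Node 20 has seen sponsor 1 similar once in ten responses and the victim
    confirmed none of its requests: G = 0.6*0.1 + 0.4*0 = 0.06 (constructed)."""
    return combined_trust(1, 10, 0, 5) if r == 20 else 1.0


def demo():
    return broadcast(NODE_IDS, 1, full_trust), broadcast(NODE_IDS, 1, gated_trust)
```

With every node trusting the sponsor, the run delivers the request to the other N − 1 nodes with exactly N − 1 messages. When node 20's trust in the sponsor falls below θ, node 20 still receives the request but does not forward it, so the nodes in its sub-range (23, 27 and 30) never see it. That is the intended congestion control, and also its cost: one low-trust receiver silences a whole arc of the ring, so θ and w_a decide how much of the network a disputed sponsor can still reach.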
When any node A in the detection network detects abnormal circumstances, it broadcasts the abnormal message, consisting of the broadcast message MSG(n) and the constraint parameter Limit, to its neighboring nodes. The parameter Limit bounds the broadcast space: the receiver only forwards to fingers that fall inside the interval (S, Limit). If the number of entries in the finger table is m, ...

Figure 5. Broadcast Distribution

The trust of node A in node B based on A's own history, $L_{a \to b}$, is calculated according to (1):

$$L_{a \to b} = \frac{S_{ab}}{I_{ab}} \qquad (1)$$

Here, $I_{ab}$ is the total number of times node A responded to node B during the period $[t_{start}, t_{end}]$, and $S_{ab}$ is the number of times node A found itself similar to node B during the same period. The similarity values between node B and the other nodes of the detection network are all sent to the victim. To reduce the time spent waiting for recommendation data from other nodes while the trust is being calculated, we replace the recommendation data with $T_b$, the global trust of the victim in node B, calculated according to (2):

$$T_b = \frac{N_{bv}}{D_b} \qquad (2)$$

$D_b$ is the total number of detection requests sponsored by node B per unit time, and $N_{bv}$ is the number of those requests that the victim end determined to be DDoS attacks. The comprehensive trust of node A in node B, denoted $G_{a \to b}$, is then calculated according to (3):

$$G_{a \to b} = w_a L_{a \to b} + (1 - w_a)\, T_b \qquad (3)$$

In (3), $w_a$ is the weight node A gives to its own historical experience. To prevent a node from adjusting its own trust, the global trust $T_b$ of node B, calculated by the victim end, is stored at the successor of node B.

D. Abnormal Similarity Detection based on Space Similarity between Nodes

The attack programs planted in the zombies in advance simultaneously send a large number of packets to the victim end to cause a DDoS attack. These packets are controlled by the same DDoS attack manipulator, so the packets from different hosts are similar. Here we use the correlation coefficient from probability and statistics to describe the degree of similarity. Having detected suspicious circumstances at the source end, the detection request is sent; after a response node also detects suspicious circumstances, it calculates the similarity of the attack traffic between itself and the request node. The correlation coefficient of the N-dimensional random variables X and Y is as follows.
$$R_{X,Y} = \frac{COV(X, Y)}{\sqrt{D(X)\, D(Y)}} \qquad (4)$$
$COV(X, Y)$ is the covariance of the random variables X and Y, $COV(X, Y) = E\{[X - E(X)][Y - E(Y)]\}$, and $D(X)$, $D(Y)$ are their variances, $D(X) = E[X - E(X)]^2$, $D(Y) = E[Y - E(Y)]^2$. In our scheme, the amount of packets sent to the destination in each of the n periods is the main concern; the amount is derived from the number of packets and the packet size. The similarity of the traffic between node M and node N is calculated as follows.

$$S_{M,N} = \frac{\sum_{i=1}^{n} (X_{M,i} - \bar{X}_M)(X_{N,i} - \bar{X}_N)}{\sqrt{\sum_{i=1}^{n} (X_{M,i} - \bar{X}_M)^2 \;\sum_{i=1}^{n} (X_{N,i} - \bar{X}_N)^2}} \qquad (5)$$
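An added worked example in Python (not the paper's code) of the space-similarity check: it computes $S_{M,N}$ of (5) over the per-period amounts $X_{M,i}$ and $X_{N,i}$ of the requesting and the responding node, applies the threshold β = 0.8 that the paper uses in its experiments, and shows the victim-end count against γ. The per-period amounts (in KB), the node IDs and γ = 2 are constructed; the handling of a constant series, for which (4) divides by zero, is an added guard.

```python
"""Space-similarity check between request and response node (added example).

S_MN is the sample correlation coefficient of eq. (5) over the per-period
amounts X_M,i and X_N,i (here in KB). A response node alerts the victim when
S_MN > beta; the victim counts the alerting nodes and declares an attack when
the count exceeds gamma. All series, node IDs and gamma are constructed.
"""
import math

BETA = 0.8    # similarity threshold used in the paper's experiments


def correlation(xs, ys):
    """Eq. (5), i.e. (4) on sample series of equal length.
    Added guard: a constant series has zero variance, for which (4) is
    undefined; it is reported as 0.0 (not similar) instead of raising."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("series must be non-empty and of equal length")
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / math.sqrt(var_x * var_y)


def is_similar(request_amounts, local_amounts, beta=BETA):
    """Response-node decision: alert the victim iff S_MN > beta."""
    return correlation(request_amounts, local_amounts) > beta


def victim_decision(alerts, gamma):
    """Victim-end count. alerts: iterable of (sponsor_id, responder_id) read
    from alert packets. Distinct responders are counted (an added choice, so
    one node cannot reach gamma by re-sending its alert).
    Returns (attack_detected, number_of_similar_nodes)."""
    responders = {responder for _, responder in alerts}
    return len(responders) > gamma, len(responders)


# Constructed per-period amounts over n = 10 periods (KB)
REQUEST = [70, 72, 75, 80, 78, 85, 88, 90, 92, 95]   # sponsor's abnormal message
ZOMBIE = [35, 36, 38, 40, 39, 43, 44, 45, 46, 48]    # same ramp at half the volume
BENIGN = [50, 30, 60, 20, 55, 25, 65, 35, 45, 40]    # unrelated alternating load
QUIET = [60] * 10                                    # constant: zero variance


def demo(gamma=2):
    """Three response nodes against the request, then the victim-end count."""
    verdicts = {
        "zombie": is_similar(REQUEST, ZOMBIE),
        "benign": is_similar(REQUEST, BENIGN),
        "quiet": is_similar(REQUEST, QUIET),
    }
    # Alert packets carry (sponsor, responder); node 4 alerts twice.
    alerts = [(1, 4), (1, 12), (1, 4), (1, 27)]
    return verdicts, victim_decision(alerts, gamma)
```

A zombie sending the same ramp at half the volume correlates at about 0.999 with the request, because (5) is scale-free; a host with an unrelated alternating pattern correlates at about −0.07. The guard returns 0 for a zero-variance series, so a quiet node is simply "not similar". Counting distinct responders rather than raw alert packets is an added choice the paper does not state, but without it a single node could push the count past γ by repeating its alert.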
$X_{M,i}$ and $X_{N,i}$ represent the amount of packets sent to the destination by node M and node N in period i, and $\bar{X}_M$, $\bar{X}_N$ represent the average amount over the n periods. If $S_{M,N} > \beta$ (β is the similarity threshold), the response node sends an alert packet to the victim end; the alert packet contains the IDs of the broadcast sponsor node and of the forwarding node. The victim counts the alert packets received, that is, the nodes whose traffic is similar, and thereby obtains the number of source nodes that have launched the attack. If that number exceeds a threshold γ, we consider that a DDoS attack has taken place.

IV. EXPERIMENTS

To evaluate the effectiveness of our scheme, we set up a test platform. It consists of two subnets, 192.168.1.* and 192.168.88.*. Subnet 1.* holds the attack sources and 88.* plays the external network. The router is a personal computer running Red Hat Fedora Core 1 Linux with two 100 Mbit NICs. One host in subnet 88.* is the victim, and many hosts in subnet 1.* are each installed with the typical DDoS tool TFN. The background traffic of the attack hosts is the attack-free part of the 1998 Lincoln Laboratory dataset. Except for the router, all computers run the test software we designed. We measure the detection rate and the false positives in three configurations: only the CUSUM module installed at the detection node; only the similarity-based detection module installed; and both modules deployed. Similarity-based detection at the source end detects the similarity of the amount of packets sent to the destination over n periods; we call this method time similarity. Similarity-based detection among nodes detects the similarity of the amount of packets at different nodes; we call it space similarity.

The monitoring window is set to 500 ms in our test. Having detected abnormality, we continue to monitor for 10 periods. The correlation coefficient threshold β is set to 0.8. The attack target is fixed in the test platform, so the CUSUM algorithm is simplified to detect the change in the amount of packets sent to a fixed destination. From offline statistics of the background traffic we set e = 45.2 KB and α = 60 KB. Each scheme is tested 5 times; in each experiment the attack is launched 50 times and each attack lasts 1 minute. The results are shown in Tables 2, 3 and 4.

Table 2. Detection Rate and False Positives with CUSUM only

No  Detection Rate  False Positives
1   84.6%           24.1%
2   91.2%           23.6%
3   98.1%           18.9%
4   99.0%           26.3%
5   96.3%           22.7%

Table 3. Detection Rate and False Positives with Time Similarity only

No  Detection Rate  False Positives
1   86.3%           20.2%
2   85.2%           21.2%
3   86.9%           21.5%
4   89.2%           17.4%
5   84.5%           19.3%

Table 4. Detection Rate and False Positives with CUSUM and Space Similarity

No  Detection Rate  False Positives
1   91.5%           8.8%
2   88.7%           10.7%
3   92.4%           6.9%
4   96.1%           9.3%
5   92.8%           12.1%

From the test results, the detection rate of our scheme is slightly lower than that of the CUSUM-only scheme but higher than that of the time-similarity-only scheme, and, most importantly, its false positive rate is much lower than that of both.
Because of the small number of nodes, the test does not reflect the communication performance advantage of the Chord-based detection network. In future work we will expand the scale of the experiments to test communication performance.

V. CONCLUSION

DDoS attack is one of the most serious threats on the Internet today. The best countermeasure is early, coordinated detection, but current DDoS detection is mainly deployed at the victim end. Although the victim end can attain higher detection accuracy, by then the large-scale attack has already formed and the loss is unavoidable, so it cannot provide early alerts. In the few existing distributed detection schemes, the detection nodes are difficult to scale. Aiming at the disadvantages of victim-end detection and the difficulty of scaling detection nodes, a novel distributed detection scheme is proposed. The distributed end-hosts in the Internet are organized into a P2P network according to the Chord protocol. The CUSUM algorithm detects the change in the amount of packets sent to a destination; on finding abnormality, the detection node broadcasts the detection request to the other nodes of the detection network, subject to node trust. A response node first runs the CUSUM algorithm and, on finding abnormality, uses the space similarity algorithm to calculate the similarity of the abnormality between itself and the request node. If the similarity value exceeds a threshold, an alert packet is sent to the victim end; the victim counts the similar nodes, which is the number of attack sources, and if the count exceeds the given threshold a DDoS attack has happened. The characteristics of the P2P network give the proposed scheme high scalability and high performance. Because detection is implemented at the end-hosts, forged or randomly changing source IP addresses do not defeat it, it can locate the real attack hosts, and the detection burden at the victim end is reduced. The CUSUM algorithm at the end-hosts detects slight changes in the hosts' outgoing traffic early, so early detection of DDoS attack is achieved. Node trust is introduced, and detection requests from nodes with poor trust are not forwarded, which prevents congestion caused by malicious broadcasts from malicious nodes; the space similarity algorithm, which calculates the similarity of the attack packets from the distributed attack sources, improves detection accuracy. However, the scalability and communication performance of the P2P detection network in a large-scale environment need further testing, and portability to IPv6 remains to be studied.
ACKNOWLEDGMENT

We wish to thank Jian Zhou for insightful technical discussion. This work was supported by the National Natural Science Foundation of China under grant No. 60673156 and by the National High Technology Research and Development Program of China (863 Program).

REFERENCES

[1] S. El-Ansary, L. O. Alima, P. Brand, et al., "Efficient Broadcast in Structured Peer-to-Peer Networks," in Proceedings of the International Workshop on Peer-to-Peer Systems, Springer-Verlag, London, 2003, pp. 304-314.
[2] J. B. D. Cabrera, L. Lewis, X. Z. Qin, et al., "Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study," in Proceedings of the IEEE/IFIP International Integrated Network Management Symposium, Seattle, Washington, May 2001, pp. 609-622.
[3] L. Feinstein, D. Schnackenberg, R. Balupari, et al., "Statistical approaches to DDoS attack detection and response," in Proceedings of the DARPA Information Survivability Conference and Exposition, Washington, DC, April 2003, pp. 303-314.
[4] C. Papadopoulos, R. Lindell, J. Mehringer, et al., "COSSACK: Coordinated Suppression of Simultaneous Attacks," in Proceedings of the DARPA Information Survivability Conference and Exposition, Washington, DC, April 2003, pp. 94-96.
[5] S. Y. Jin and D. S. Yeung, "A Covariance Analysis Model for DDoS Attack Detection," IEEE International Conference on Communications (ICC 2004), June 2004, pp. 1882-1886.
[6] S. Y. Jin and D. S. Yeung, "DDoS Detection Based On Feature Space Modeling," IEEE International Conference on Machine Learning and Cybernetics, August 2004, pp. 4210-4215.
[7] W. Lu and I. Traore, "An unsupervised approach for detecting DDoS attacks based on traffic based metrics," IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, Victoria, BC, August 2005, pp. 462-465.
[8] C. Siaterlis and V. Maglaris, "Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics," in Proceedings of the 10th IEEE Symposium on Computers and Communications (ISCC 2005), 27-30 June 2005, pp. 469-475.
[9] J. Mirkovic, M. Robinson, P. Reiher, et al., "Alliance Formation for DDoS Defense," in Proceedings of the New Security Paradigms Workshop, ACM SIGSAC, San Francisco, CA, USA, 2003, pp. 11-18.
[10] H. Y. Lam, C. P. Li, S. T. Chanson, et al., "A Coordinated Detection and Response Scheme for Distributed Denial-of-Service Attacks," in Proceedings of the IEEE International Conference on Communications, Istanbul, Turkey, 2006, pp. 2165-2170.
[11] B. Xiao, W. Chen, Y. X. He, "A novel approach to detecting DDoS attacks at an early stage," The Journal of Supercomputing, Springer Netherlands, 2006, 36(3): 235-248.
[12] G. Koutepas, F. Stamatelopoulos, B. Maglaris, "Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks," Journal of Network and Systems Management, 2004, 12(1): 73-94.
[13] Y. Chen, K. Hwang, "Collaborative Change Detection of DDoS Attacks on Community and ISP Networks," in Proceedings of the International Symposium on Collaborative Technologies and Systems, Las Vegas, NV, USA, 2006, pp. 401-410.
[14] Y. Chen, K. Hwang, W. S. Ku, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE Transactions on Parallel and Distributed Systems, 2007, 18(12): 1649-1662.
[15] A. A. Cardenas, J. S. Baras, V. Ramezani, "Distributed Change Detection for Worms, DDoS and Other Network Attacks," in Proceedings of the American Control Conference, Boston, Massachusetts, USA, 2004, pp. 1008-1013.
[16] R. B. Blazek, H. Kim, B. Rozovskii, et al., "A Novel Approach to Detection of Denial-of-Service Attacks via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods," Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Pittsburgh, Pennsylvania, USA, 2006, pp. 3372-3382.
[17] H. N. Wang, D. L. Zhang, K. G. Shin, "Detecting SYN Flooding Attacks," in Proceedings of the 21st Annual Joint Conference of the IEEE Computer and Communications Societies, New York, USA, 2002, pp. 1530-1539.
[18] H. N. Wang, D. L. Zhang, K. G. Shin, "Change-Point Monitoring for the Detection of DoS Attacks," IEEE Transactions on Dependable and Secure Computing, 2004, 1(4): 193-208.
[19] T. Peng, C. Leckie, K. Ramamohanarao, "Detecting Distributed Denial of Service Attacks by Sharing Distributed Beliefs," in Proceedings of the Eighth Australasian Conference on Information Security and Privacy, Wollongong, Australia, 2003, pp. 214-225.
[20] Z. X. Sun, Y. W. Tang, Y. Cheng, "Router Anomaly Traffic Detection Based on Modified-CUSUM Algorithm," Journal of Software, 2005, 16(12): 2117-2123.
[21] J. Kang, Z. Zhang, J. B. Ju, "An Improvement on Precision in D-WARD Detection System with CUSUM Algorithm," Chinese Journal of Scientific Instrument, 2006, 27(5): 456-460.
Zaihong Zhou was born in Hunan province, China, on June 26, 1971. She graduated in Information Management in 1993 and received her M.Sc. degree in information security from the Software School of Hunan University in 2004. She is now working toward her Ph.D. degree at Hunan University. Her research interests include network security and distributed computing.
Dongqing Xie was born in Hunan province, China, on August 5, 1965. He received the M.S. and Ph.D. degrees from Xidian University and Hunan University in 1988 and 1999, respectively, and has been a professor since 2001. His research interests include algorithm analysis and design, and information security.

Wei Xiong was born in Jiangxi province, China, on July 7, 1977. He received the M.S. and Ph.D. degrees from the School of Computer and Communications, Hunan University, in 2004 and 2008, respectively. His research interests include P2P and distributed computing.