August 6, 2003 16:33 WSPC/173-IJITDM

00072

International Journal of Information Technology & Decision Making, Vol. 2, No. 3 (2003) 397–405. © World Scientific Publishing Company

DECISION ANALYSIS OF STATISTICALLY DETECTING DISTRIBUTED DENIAL-OF-SERVICE FLOODING ATTACKS

MING LI, CHI-HUNG CHI, WEIJIA JIA, WEI ZHAO, WANLEI ZHOU, JIANNONG CAO, DONGYANG LONG and QIANG MENG

Ming Li: School of Computing, National University of Singapore, Singapore 117540, and School of Information Technology, Southern Yangtze University, Wuxi 214036, PR China
Chi-Hung Chi: School of Computing, National University of Singapore, Singapore 117540
Weijia Jia: Department of Computer Engineering and Information Technology, City University of Hong Kong, Hong Kong, SAR China
Wei Zhao: Department of Computer Science, Texas A&M University, College Station, USA
Wanlei Zhou: School of Information Technology, Deakin University, Australia
Jiannong Cao: Department of Computer, Hong Kong Polytechnic University, Hong Kong, SAR China
Dongyang Long: Department of Computer Science, Zhongshan University, Guangzhou 510275, PR China
Qiang Meng: Department of Civil Engineering, National University of Singapore, Singapore 117576


There are two statistical decision making questions regarding statistically detecting signs of denial-of-service flooding attacks. One is how to represent the distributions of detection probability, false alarm probability and miss probability. The other is how to quantitatively express a decision region within which one may make a decision that has high detection probability, low false alarm probability and low miss probability. This paper gives the answers to the above questions. In addition, a case study is demonstrated.

Keywords: Statistical decision making; statistical detection; network security; distributed denial-of-service attacks; pattern matching.

1. Introduction

IP networks are subject to cyber attacks. An intrusion detection system (IDS) collects information from a variety of systems and network sources to identify signs of attacks.1,18 In distributed denial-of-service (DDOS) flooding attacks, intruders attack a site with flooding packets at a tremendous traffic rate. The attack traffic lasts a long period of time, such that the attacked site is overwhelmed and denies the services it normally offers.2 Since Yahoo servers were successfully attacked in 2001, the issue of how to detect DDOS flooding attacks has received much attention. Various methods and systems have been proposed in this respect, see Refs. 3–8. However, statistical decision making for a statistical detection system based on monitoring arrival traffic has rarely been treated, to the best of our knowledge. This paper addresses the statistics for decision making. Several tools for running DDOS flooding attacks have been developed and are commonly used in launching DDOS attacks.9–14 Theoretically, no matter what attack tool is used, the basic feature of DDOS flooding attacks is that attackers have to send attack packets to the attacked sites. For that reason, signs of DDOS flooding attacks can be detected by statistically identifying the pattern of arrival traffic at a site that is to be protected. In this paper, the autocorrelation function (autocorrelation for short) is taken as the feature for statistical detection, because experimental analysis of real traffic has shown that traffic in IP networks is generally a second-order random process.15 In the following, traffic is called normal if the protected site is not under attack, and abnormal otherwise. We assume that the pattern of abnormal traffic usually appears significantly different from that of normal traffic; otherwise, a DDOS flooding attack would have no effect.
A fundamental issue in the field of statistical detection is to quantitatively describe the probabilities associated with a statistical decision. Basically, a detection decision is related to three probabilities of interest: detection probability Pd, false alarm probability Pf, and miss probability Pm. A good decision should have high Pd, low Pf and low Pm. This paper briefly describes the detection scheme in Sec. 2. Section 3 presents formulas for the three probabilities and explains how to achieve high Pd with low Pf and low Pm in a detection decision. Section 4 demonstrates a case study and Sec. 5 concludes the paper.

Fig. 1. Diagram of an IDS. (Blocks: input y(t) → Correlation Estimator → r_y(t) → Distance Detector, with template r_x(t) → distance ξ → Threshold Detector with threshold V → Decision → Report.)

2. Brief Description of Detection Scheme

Let x(t) be a normal traffic series. Normally, a protected site serves x(t) peacefully, though x(t) may sometimes be unpleasantly delayed because of a normal traffic jam. Assume that the site begins to be flooded by DDOS attacks at t0. Generally, the site may not be overwhelmed immediately at the moment t0. Assume that the attack traffic is such that the site is overwhelmed and denies services at t1. The time interval (t0, t1) is called the transition process of intrusion. Let y(t) be the abnormal traffic during the transition process of intrusion. Then, y(t) can be abstractly expressed by

$y(t) = x(t) + n(t)$, (2.1)

where n(t) is the component of attack traffic. Let $r_x$, $r_y$ and $r_n$ be the autocorrelations of x, y and n, respectively. Suppose that x and n are uncorrelated. Then,

$r_y = r_x + r_n$. (2.2)

The derivation of Eq. (2.2) can be seen in Ref. 16. According to the terminology in pattern matching,17 we call $r_x$ the template of x. Thus, the distance $\xi = \|r_n\| = \|r_x - r_y\|$ can be used for pattern matching. Figure 1 shows a detection system diagram.

3. Probability Distributions for Decision Making

To facilitate the discussion on decision making, three terms are explained as follows. Correctly recognizing an abnormal sign is termed detection; failing to recognize it, miss; and mistakenly recognizing a normal sign as abnormal, false alarm. Let V > 0 be the threshold. Then, we give the following detection hypotheses:

$\|r_x - r_y\| = \|r_n\| = \xi > V$, Detection, (3.1)


$\|r_x - r_{xl}\| = \zeta > V$, False alarm, (3.2)

$\|r_n\| = \xi < V$, Miss. (3.3)

In Eq. (3.2), $r_{xl}$ stands for an autocorrelation which is not used as the template but is obtained when there is no intrusion. Here, the distance is selected as

$\xi = E\left[\sum_k \left(\frac{r_y}{r_x} - \log\frac{r_y}{r_x} - 1\right)\right]$, (3.4)

where E is the mean operator. Clearly, ξ and ζ are random variables.

3.1. Probability distributions

3.1.1. Detection probability

For making a decision, we arrange enough samples of y(t) such that ξ obeys a Gaussian distribution. Let $\mu_\xi$ and $\sigma_\xi^2$ be the mean and the variance of ξ, respectively. Then,

$\xi \sim N(\mu_\xi, \sigma_\xi^2) = \frac{1}{\sqrt{2\pi}\,\sigma_\xi}\, e^{-\frac{(\xi - \mu_\xi)^2}{2\sigma_\xi^2}}$. (3.5)

Let

$\Phi(t) = \int_{-\infty}^{t} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt$. (3.6)

Then, the detection probability is given by

$P_d = P\{V < \xi < \infty\} = \int_{\frac{V - \mu_\xi}{\sigma_\xi}}^{\infty} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = 1 - \Phi[(V - \mu_\xi)/\sigma_\xi]$. (3.7)

3.1.2. False alarm probability

Let $\mu_\zeta$ and $\sigma_\zeta^2$ be the mean and the variance of ζ. Then, the false alarm probability is given by

$P_f = P\{V < \zeta < \infty\} = \int_{\frac{V - \mu_\zeta}{\sigma_\zeta}}^{\infty} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = 1 - \Phi[(V - \mu_\zeta)/\sigma_\zeta]$. (3.8)

3.1.3. Miss probability

According to probability theory, $P_d + P_m = 1$. Hence, the miss probability is given by

$P_m = P\{-\infty < \xi < V\} = \int_{-\infty}^{\frac{V - \mu_\xi}{\sigma_\xi}} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = \Phi[(V - \mu_\xi)/\sigma_\xi]$. (3.9)

Fig. 2. Performance evaluation. (a) Detection probability Pd(V) for (µξ, σ) = (40, 10), (80, 20), (120, 30); (b) miss probability Pm(V) for the same (µξ, σ); (c) false alarm probability Pf(V) for (µζ, σ) = (0, 10), (0, 20), (0, 30); horizontal axis V from 0 to 400 in each panel.

Generally, $\mu_\zeta = 0$. Besides, data processing can be arranged such that $\sigma_\zeta = \sigma_\xi = \sigma$. In this case, the three types of probabilities are written as

$P_d = \int_{\frac{V - \mu_\xi}{\sigma}}^{\infty} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = 1 - \Phi[(V - \mu_\xi)/\sigma]$, (3.10)

$P_f = \int_{\frac{V}{\sigma}}^{\infty} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = 1 - \Phi(V/\sigma)$, (3.11)

$P_m = \int_{-\infty}^{\frac{V - \mu_\xi}{\sigma}} \frac{1}{\sqrt{2\pi}}\, e^{-\frac{t^2}{2}}\, dt = \Phi[(V - \mu_\xi)/\sigma]$. (3.12)

Figure 2 shows the curves of the three types of distributions, respectively.

3.2. Decision region

The intersection of the distribution functions with respect to $P_d$, $P_f$ and $P_m$ provides the decision region. Given a false alarm probability f, we want to find the threshold $V_f$ such that $P_f(V_f) \le f$. From Eq. (3.11), it is seen that $P_f(V_f) \le f$ if

$V_f \ge -\sigma\,\Phi^{-1}(f)$. (3.13)

If f = 0 and the computation precision is 4, Eq. (3.13) becomes

$V_f \ge 4\sigma$. (3.14)

On the other hand, given a detection probability d, we want to find the threshold $V_d$ such that $P_d(V_d) \ge d$. According to Eq. (3.10), it is seen that $P_d(V_d) \ge d$ if

$V_d \le \mu_\xi - \sigma\,\Phi^{-1}(d)$, if $\mu_\xi - \sigma\,\Phi^{-1}(d) > 0$. (3.15)


In the case of d = 1 and the computation precision being 4,

$V_d \le \mu_\xi - 4\sigma$, if $\mu_\xi - 4\sigma > 0$. (3.16)

According to Eqs. (3.13) and (3.15), therefore, we obtain

$P_d \ge d$ and $P_f \le f$ if $V \in [-\sigma\,\Phi^{-1}(f),\ \mu_\xi - \sigma\,\Phi^{-1}(d)]$, $\mu_\xi - \sigma\,\Phi^{-1}(d) > 0$. (3.17)

The general decision region corresponding to Eq. (3.17) is given by

$V \in [-\sigma\,\Phi^{-1}(f),\ \mu_\xi - \sigma\,\Phi^{-1}(d)]$, $\mu_\xi - \sigma\,\Phi^{-1}(d) > 0$. (3.18)

For d = 1 and f = 0, Eq. (3.17) becomes

$P_d = 1$ and $P_f = 0$ if $V \in [4\sigma,\ \mu_\xi - 4\sigma]$, $\mu_\xi - 4\sigma > 0$, (3.19)

and Eq. (3.18) becomes

$V \in [4\sigma,\ \mu_\xi - 4\sigma]$, $\mu_\xi - 4\sigma > 0$. (3.20)
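The probabilities of Eqs. (3.10)–(3.12) and the decision region of Eq. (3.18) can be evaluated directly; the following Python is an added example, not code from the paper, that does so. Φ is built on math.erf, Φ^{-1} by bisection, and the paper's "computation precision 4" convention is applied by mapping f = 0 to Φ^{-1}(f) = −4 and d = 1 to Φ^{-1}(d) = 4 (my reading of that convention); the function and parameter names are mine.

```python
import math

def phi(t):
    """Standard normal distribution function Phi(t), Eq. (3.6)."""
    return 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))

def phi_inv(p, precision=4):
    """Inverse of phi(). A probability that rounds to 0 or 1 at the given
    decimal precision maps to -precision / +precision, which is how the paper
    turns f = 0 into Phi^-1(f) = -4 and d = 1 into Phi^-1(d) = 4 (assumption)."""
    tol = 0.5 * 10.0 ** (-precision)
    if p <= tol:
        return -float(precision)
    if p >= 1.0 - tol:
        return float(precision)
    lo, hi = -float(precision), float(precision)
    for _ in range(100):          # bisection; phi() is monotone increasing
        mid = 0.5 * (lo + hi)
        if phi(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def probabilities(V, mu_xi, sigma):
    """(P_d, P_f, P_m) for threshold V, Eqs. (3.10)-(3.12): mu_zeta = 0 and a
    common sigma for the distances xi (abnormal) and zeta (normal)."""
    z = (V - mu_xi) / sigma
    p_d = 1.0 - phi(z)            # Eq. (3.10)
    p_f = 1.0 - phi(V / sigma)    # Eq. (3.11)
    p_m = phi(z)                  # Eq. (3.12), so P_d + P_m = 1
    return p_d, p_f, p_m

def decision_region(mu_xi, sigma, d, f, precision=4):
    """Threshold interval [V_lo, V_hi] of Eq. (3.18): every V in it gives
    P_d >= d and P_f <= f. Returns None when no such threshold exists."""
    v_lo = -sigma * phi_inv(f, precision)          # Eq. (3.13)
    v_hi = mu_xi - sigma * phi_inv(d, precision)   # Eq. (3.15)
    if v_hi <= 0.0 or v_lo > v_hi:
        return None
    return v_lo, v_hi

if __name__ == "__main__":
    # The paper's case-study figures: mu_xi = 242.342, sigma = 7.261, d = 1, f = 0.
    print(decision_region(242.342, 7.261, 1.0, 0.0))
```

With the case-study values the interval is [4σ, µξ − 4σ] = [29.044, 213.298], matching the paper's V_min and V_max up to rounding.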

The dark part in Fig. 3 indicates the threshold area versus $\mu_\xi$ for $P_d = 1$, $P_f = 0$ and σ = 1. In the case of $\mu_\xi = 80$ and σ = 10, the three types of distributions are indicated in Fig. 4(a), and the decision region for $P_d = 1$ and $P_f = P_m = 0$ is shown by the dark part of Fig. 4(b).

4. Case Study

Suppose the following normalized function describes the pattern of normal traffic as shown in Fig. 5(a):

$r_x = (k + 1)^{-0.78} = (k + 1)^{2H_0 - 2}$, k = 0, 1, ..., (4.1)

where $H_0 = 0.854$. Assume that the following is the autocorrelation of abnormal traffic:

$r_y = (k + 1)^{2H - 2}$, H ∈ (0.50, 0.75]. (4.2)

Figure 5(b) shows the curve of $r_y$ for H = 0.60. In the case study, 9999 values of H in [0.51, 0.75] are randomly selected to simulate the abnormal traffic. According to Eq. (3.4), the distance ξ is obtained as indicated in Fig. 5(c). By numerical computation, we obtain $\mu_\xi = 242.342$ and σ = 7.261. The probability distributions for detection, false alarm and miss are obtained as shown in Fig. 5(d). Under the conditions of $P_d = 1$ and $P_f = P_m = 0$, we obtain $V_{min} = 29.045$ and $V_{max} = 213.297$, which can be observed from Fig. 5(d).
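To make the Sec. 4 procedure concrete, here is an added Python example (not the paper's code) that builds the autocorrelations of Eqs. (4.1) and (4.2), computes the distance of Eq. (3.4), draws H uniformly from [0.51, 0.75], and derives µξ, σ and the 4σ thresholds of Eq. (3.20) from the resulting ξ(H) values. The number of lags (512, read from the axis of Fig. 5), the uniform draw, and the use of the exponent 2H0 − 2 for the template are assumptions; the paper does not state how its own µξ and σ were computed, so those numbers are not reproduced here.

```python
import math
import random

def autocorr(H, lags):
    """Normalized autocorrelation (k + 1)^(2H - 2) for k = 0..lags-1, the form
    shared by the template of Eq. (4.1) and the abnormal traffic of Eq. (4.2)."""
    return [(k + 1.0) ** (2.0 * H - 2.0) for k in range(lags)]

def distance(r_x, r_y):
    """Eq. (3.4) for one autocorrelation sample: sum_k (u - log u - 1) with
    u = r_y[k] / r_x[k]. For a deterministic r_y the mean operator E is the
    identity. Each term is >= 0 and is 0 only where r_y[k] == r_x[k], so the
    distance vanishes exactly when the sample matches the template."""
    total = 0.0
    for a, b in zip(r_x, r_y):
        u = b / a
        total += u - math.log(u) - 1.0
    return total

def case_study(n_samples=9999, lags=512, H0=0.854, h_range=(0.51, 0.75), seed=1):
    """Run the Sec. 4 experiment: template from H0, abnormal traffic with H
    drawn uniformly from h_range, then mu_xi, sigma and the decision
    thresholds V_min = 4 sigma, V_max = mu_xi - 4 sigma of Eq. (3.20).
    lags, the uniform draw and the seed are assumptions of this example."""
    rng = random.Random(seed)
    r_x = autocorr(H0, lags)
    xis = [distance(r_x, autocorr(rng.uniform(*h_range), lags))
           for _ in range(n_samples)]
    mu = sum(xis) / len(xis)
    sigma = math.sqrt(sum((x - mu) ** 2 for x in xis) / len(xis))
    v_min, v_max = 4.0 * sigma, mu - 4.0 * sigma
    return mu, sigma, v_min, v_max

if __name__ == "__main__":
    mu, sigma, v_min, v_max = case_study()
    print(f"mu_xi={mu:.3f} sigma={sigma:.3f} V_min={v_min:.3f} V_max={v_max:.3f}")
    if v_max <= v_min:
        print("no threshold satisfies P_d = 1 and P_f = 0 for these samples")
```

The last check matters in practice: when the spread of ξ(H) is large relative to its mean, Eq. (3.20) yields an empty region and no single threshold gives both P_d = 1 and P_f = 0.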

Fig. 3. Threshold area.

Fig. 4. Distributions and decision region. (a) Distributions Pd(V), Pf(V), Pm(V) for Pd(V) with (80, 10), Pf(V) with (0, 10), Pm(V) with (80, 10), V from 0 to 300; (b) decision region.

Fig. 5. Case study. (a) Template r(k) for H0 = 0.854 and (b) r_y for H = 0.60, each plotted against lag k from 0 to 512; (c) detection distance ξ(H) for H from 0.51 to 0.75; (d) distributions Pd(V), Pf(V) and Pm(V) (decision making region), V from 0 to 800.

5. Conclusions

This paper has discussed statistical decision making in a statistical detection system of DDOS flooding attacks. The expressions with respect to detection probability, false alarm probability and miss probability for decision making have been derived. For a given detection probability and a given false alarm probability, the decision region has been obtained.

Acknowledgments

The authors are grateful to anonymous referees for their valuable comments on our work. The work is supported in part by Hong Kong, SAR China RGC Grant (nos. CityU 1039/02E and CityU 1055/01E) and City University of Hong Kong Strategic Grant no. 7001355.

References

1. R. Bace, An Introduction to Intrusion Detection and Assessment, ICSA, Inc., January 4, 2000, http://www.icsalabs.com/html/communities/ids/whitepaper/Intrusion1.pdf.
2. L. Garber, Denial-of-service attacks rip the Internet, J. Computer 33, 4 (April 2000) 12–17.
3. S. Staniford, V. Paxson and N. Weaver, How to own the Internet in your spare time, Proc. USENIX Security Symposium, 2002.
4. An Introduction to Intrusion Detection Systems and the Dragon IDS Suite, 2001, http://www.intrusion-detection-system-group.co.uk/index.htm.
5. P. Innella and O. McMillan, An introduction to intrusion detection systems, Tetrad Digital Integrity, LLC, December 2001, http://www.securityfocus.com/infocus/1520.
6. Advanced Networking Management Lab (ANML), Distributed Denial of Service Attacks (DDoS) Resources, http://www.anml.iu.edu/ddos/links.html.
7. http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/ids4f ds.htm
8. http://www.sans.org/dosstep/index.php
9. D. Dittrich, The DoS project's 'Trinoo' distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/trinoo.analysis.
10. D. Dittrich, The 'Tribe flood network' distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/tfn.analysis.txt.
11. D. Dittrich, The 'Stacheldraht' distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt.
12. CERT Coordination Center, CERT Advisory CA-1999-17 Denial-Of-Service Tools, http://www.cert.org/advisories/CA-1999-17.html.
13. D. Dittrich, The 'Mstream' distributed denial of service attack tool, http://staff.washington.edu/dittrich/misc/mstream.analysis.txt.
14. S. Dietrich, N. Long and D. Dittrich, An analysis of the 'shaft' distributed denial of service tool, http://www.adelphi.edu/~spock/shaft analysis.txt.
15. V. Paxson and S. Floyd, Wide area traffic: The failure of Poisson modeling, IEEE/ACM Trans. on Networking 3, 3 (1995) 226–244.
16. M. Li, B. H. Xu and Y. S. Wu, An H2-optimal control of random loading for a laboratory fatigue test, J. Testing and Evaluation 26, 6 (1998) 619–625.
17. K. S. Fu (ed.), Digital Pattern Recognition (Springer-Verlag, 1976).
18. E. G. Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response (Intrusion.Net Books, 1999).