Vasilios A. Siris and Fenia Papagalou
Institute of Computer Science (ICS), FORTH and
In Proc. of IEEE Globecom 2004 (Security and Network Management Symposium),
Abstract
We investigate statistical anomaly detection algorithms for detecting SYN flooding, which is the most common type of Denial of Service (DoS) attack. The two algorithms considered are an adaptive threshold algorithm and a particular application of the cumulative sum (CUSUM) algorithm for change point detection. The performance is investigated in terms of the detection probability, the false alarm ratio, and the detection delay. Particular emphasis is on investigating the tradeoffs among these metrics and how they are affected by the parameters of the algorithm and the characteristics of the attacks. Such an investigation can provide guidelines to effectively tune the parameters of the detection algorithm to achieve specific performance requirements in terms of the above metrics.
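
An added illustration (not code from the paper): textbook forms of an adaptive threshold detector and a one-sided CUSUM, run over constructed per-interval SYN counts to compare detection delay for a low-rate and a high-rate flood. The parameter values (alpha, beta, k, drift, h), the traces and all function names are assumptions chosen for this example, not the paper's formulation or settings.

```python
from itertools import cycle, islice

def adaptive_threshold(counts, alpha=0.5, beta=0.98, k=3):
    """First interval where counts exceed (1+alpha)*EWMA mean k times in a row."""
    mean, run = counts[0], 0
    for n, x in enumerate(counts[1:], start=1):
        run = run + 1 if x > (1 + alpha) * mean else 0
        if run >= k:
            return n
        mean = beta * mean + (1 - beta) * x  # update the baseline after the test
    return None

def cusum(counts, drift=0.1, beta=0.98, h=100.0):
    """First interval where the one-sided CUSUM statistic exceeds h."""
    mean, g = counts[0], 0.0
    for n, x in enumerate(counts[1:], start=1):
        # Accumulate only the excess above (1+drift)*mean; never go below zero.
        g = max(0.0, g + x - (1 + drift) * mean)
        if g > h:
            return n
        mean = beta * mean + (1 - beta) * x
    return None

def trace(extra, onset=40, length=60):
    """Constructed SYN counts per interval: ~100 baseline, +extra from onset."""
    base = islice(cycle([100, 104, 98, 102, 96]), length)
    return [b + (extra if n >= onset else 0) for n, b in enumerate(base)]

def delays(extra, onset=40):
    """Detection delay in intervals (None = no alarm) for both detectors."""
    t = trace(extra, onset)
    hits = (("adaptive", adaptive_threshold(t)), ("cusum", cusum(t)))
    return {name: (None if hit is None else hit - onset) for name, hit in hits}

if __name__ == "__main__":
    for label, extra in (("no attack", 0), ("low-rate", 30), ("high-rate", 200)):
        print(label, delays(extra))
```

On these constructed traces neither detector raises a false alarm, the low-rate flood stays under the adaptive threshold while CUSUM accumulates the small excess and alarms after a few intervals, and both catch the high-rate flood almost immediately.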
Keywords: denial of service, change point detection, intrusion detection