
Performance evaluation of a multi-stage network event detection scheme against DDoS attacks

6 Author(s)
Tutomu Murase ; NEC Corporation, 1753 Shimonumabe, Nakahara-ku, Kawasaki, Kanagawa, 211-8666, Japan ; Yukinobu Fukushima ; Masayoshi Kobayashi ; Hiroki Fujiwara

Change-point detection schemes, which are one type of anomaly detection scheme, are a promising approach for detecting network anomalies such as attacks and epidemics caused by unknown viruses and worms. These events are detected as change-points. However, such schemes generally also detect false-positive change-points caused by other events, such as hardware problems. A scheme is therefore required that detects only the true-positive change-points caused by attacks and epidemics of unknown viruses and worms. True-positive change-points tend to occur simultaneously and intensively in very large numbers, while false-positive change-points tend to occur independently. We can therefore exclude false-positive change-points by excluding those that occur independently, based on information gathered from the entire network. In this paper, we combine change-point detection schemes with a distributed IDS, and evaluate the performance of the combined scheme by a simulation using parameter values obtained from an experiment with real worms. The simulation results show that the combined scheme detects all the DDoS attacks without any false positives, whereas a stand-alone IDS scheme has to tolerate a false-positive rate of at least 0.02 to detect all the attacks.
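
A sketch of the two-stage idea described in the abstract, added here as an illustration and not taken from the paper: each sensor runs a local change-point detector, and a correlator keeps only the change-points that several sensors report close together in time. The CUSUM detector, the thresholds, the correlation window, the sensor names and the traffic counts are all assumptions constructed for this example.

```python
# Illustrative only: detector choice and all parameters are assumptions,
# not values from the paper.

def cusum_change_points(series, baseline, slack, threshold):
    """Stage 1 (per sensor): one-sided CUSUM over per-tick event counts.
    Returns the tick indices at which the statistic exceeds `threshold`."""
    s, points = 0.0, []
    for t, x in enumerate(series):
        s = max(0.0, s + (x - baseline - slack))
        if s > threshold:
            points.append(t)
            s = 0.0  # restart accumulation after reporting a change-point
    return points

def correlate(alerts, window, min_sensors):
    """Stage 2 (network-wide): keep a change-point only if at least
    `min_sensors` distinct sensors report one within `window` ticks.
    Isolated change-points (e.g. a single faulty device) are dropped."""
    events = sorted((t, sensor) for sensor, ts in alerts.items() for t in ts)
    kept = set()
    for i, (t0, _) in enumerate(events):
        group = [(t, s) for t, s in events[i:] if t - t0 <= window]
        if len({s for _, s in group}) >= min_sensors:
            kept.update(group)
    return sorted(kept)

# Constructed per-tick packet counts for four hypothetical sensors.
# A and D each see one isolated spike (hardware-style glitch);
# all four see the same surge starting around tick 12-13.
SENSORS = {
    "A": [10] * 5 + [70] + [10] * 6 + [40] * 3,
    "B": [10] * 12 + [40] * 3,
    "C": [10] * 13 + [40] * 2,
    "D": [10] * 2 + [70] + [10] * 9 + [40] * 3,
}

def run_demo():
    alerts = {name: cusum_change_points(s, baseline=10, slack=5, threshold=40)
              for name, s in SENSORS.items()}
    return alerts, correlate(alerts, window=2, min_sensors=3)

if __name__ == "__main__":
    local, combined = run_demo()
    print("stand-alone change-points:", local)
    print("after correlation:        ", combined)
```

Run stand-alone, sensors A and D each raise an extra change-point for their isolated spike; the correlation stage discards both and keeps only the surge seen by all four sensors.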

Published in:

Information and Telecommunication Technologies, 2008. APSITT. 7th Asia-Pacific Symposium on

Date of Conference:

22-24 April 2008