Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study

7 Author(s)
Cabrera, J.B.D. (Scientific Syst. Co., Woburn, MA, USA); Lewis, L.; Xinzhou Qin; Wenke Lee

We propose a methodology for utilizing network management systems for the early detection of distributed denial of service (DDoS) attacks. Although a large number of events precede an attack (e.g. suspicious logons, start of processes, addition of new files, sudden shifts in traffic, etc.), in this work we rely solely on information from MIB (management information base) traffic variables collected from the systems participating in the attack. Three types of DDoS attacks were effected on a research test bed, and MIB variables were recorded. Using these datasets, we show that there are indeed MIB-based precursors of DDoS attacks that make it possible to detect them before the target is shut down. Most importantly, we describe how the relevant MIB variables at the attacker can be extracted automatically using statistical tests for causality. It is shown that statistical tests applied to the time series of MIB traffic at the target and the attacker are effective in extracting the correct variables for monitoring on the attacker machine. Following the extraction of these key variables at the attacker, it is shown that an anomaly detection scheme, based on a simple model of the normal rate of change of the key MIBs, can be used to determine statistical signatures of attacking behavior. These observations suggest the possibility of an entirely automated procedure, centered on network management systems, for detecting precursors of distributed denial of service attacks and responding to them.
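The final step of the abstract, an anomaly detector built on a simple model of the normal rate of change of a key MIB counter, illustrated as an added example (not code from the paper or its authors). It assumes the causality-test step has already selected one counter to watch (taken here to be ipOutRequests polled every 10 s on the attacker, an assumption; the page does not name the extracted variables) and uses a constructed, synthetic counter series.

```python
# Added example, not from the paper: flag polls whose counter increment
# departs from a mean/stddev model fitted on an attack-free baseline.
import statistics

COUNTER32_WRAP = 2 ** 32  # SNMP Counter32 rolls over at 2^32

# Constructed sample: a cumulative MIB counter (assumed ipOutRequests, one
# reading per 10 s poll). The first 25 readings are normal operation; the
# later readings ramp up sharply, as a flooding host would show.
SAMPLE_COUNTER = [1000, 1052, 1101, 1158, 1207, 1261, 1312, 1368, 1419, 1473,
                  1524, 1580, 1631, 1689, 1745, 1798, 1855, 1907, 1960, 2012,
                  2068, 2121, 2177, 2231, 2284,            # end of baseline
                  2340, 2397, 2980, 3710, 4512, 5390, 6301]


def rates(counter):
    """Per-poll increments of a monotonic counter, tolerant of Counter32 wrap."""
    return [(b - a) % COUNTER32_WRAP for a, b in zip(counter, counter[1:])]


def fit_normal_model(counter, baseline_polls):
    """Mean and population stddev of the rate over the attack-free baseline."""
    r = rates(counter[:baseline_polls])
    return statistics.mean(r), statistics.pstdev(r)


def detect(counter, baseline_polls, k=4.0):
    """Indices of polls whose rate exceeds mean + k*sigma of the baseline.

    Returns poll indices into `counter` (the reading that closed the interval),
    so an operator can map each alert back to a timestamp.
    """
    mu, sigma = fit_normal_model(counter, baseline_polls)
    threshold = mu + k * sigma
    return [i + 1 for i, r in enumerate(rates(counter)) if r > threshold]


if __name__ == "__main__":
    mu, sigma = fit_normal_model(SAMPLE_COUNTER, 25)
    print(f"baseline rate: mean={mu}, sigma={sigma}")
    print("anomalous polls:", detect(SAMPLE_COUNTER, 25))
```

The threshold multiplier k trades false alarms against detection delay; on the sample the first three post-baseline polls remain below it and the ramp is flagged from the fourth onward.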

Published in:

2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings

Date of Conference: