D-SAT: Detecting SYN Flooding Attack by Two-Stage Statistical Approach

Shin, Seungwon; Kim, Ki‐Young; Jang, Jongsoo

doi:10.1109/saint.2005.18

Cited by 9 publications

(3 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Network anomaly detection [5][6][7][8] has become critical to service providers in their commitment to maintain a given service level agreement.…”

Section: Related Workmentioning

confidence: 99%

“…the analysis method based on packet type. In paper [7] the authors have proposed a method through monitoring the number of the SYN packets and the change of the ratio of SYN packets to other type TCP packets to determine whether anomalies have taken place. The authors of paper [8] have used the restrictions of the number of various TCP control messages to detect anomalies.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Anomaly detection of network traffic based on the largest Lyapunov exponent

Xiong

Yue

et al. 2010

2010 2nd International Conference on Advanced Computer Control

View full text Add to dashboard Cite

A Real-time and reliable detection of anomalies is an important and challenging task. Unlike most detection methods based on the statistical analysis of the packet headers (Such as IP addresses and ports), we propose a new nonlinear approach only using network traffic volumes to detect anomalies reliably. Our method is based on the largest Lyapunov exponent and the change-point detection theory to judge whether anomalies have happened. In details, the largest Lyapunov exponents of normal and anomaly data fluctuate slightly respectively while those of the overlapped data composed of them fluctuate greatly because the dynamic structure of data has changed. Experimental results on network traffic volumes transformed from 1999 DARPA intrusion evaluation data set show that this method can more effectively detect network anomalies contrast to a linear method . 1

show abstract

“…Network anomaly detection [5][6][7][8] has become critical to service providers in their commitment to maintain a given service level agreement.…”

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Anomaly detection of network traffic based on the largest Lyapunov exponent

Xiong

Yue

et al. 2010

2010 2nd International Conference on Advanced Computer Control

View full text Add to dashboard Cite

show abstract

“…The Counting Bloom Filter is used to classify all the incoming SYN-ACK packets to the sub network into two streams, and the CUSUM algorithm is applied to make the detection decision by the two normalized differences, one of which is the difference between the number of SYN packets and the number of the first SYN-ACK packets and the other one is the difference between the number of the firs SYN-ACK packets and the number of the retransmission SYN-ACK. There are also some other related work such as SYN cookies , SYN cache, D-SAT [8] and DiDDeM [9] ,and more related work is in Refs. [10,11].…”

Section: Introductionmentioning

confidence: 99%

ARM-CPD: Detecting SYN flooding attack by traffic prediction

Sun

Wang

Yan

et al. 2009

2009 2nd IEEE International Conference on Broadband Network &Amp; Multimedia Technology

View full text Add to dashboard Cite

This paper proposed an ARM-CPD scheme that is a simple but fast and effective approach to detect SYN flooding attacks. Instead of managing all real time ongoing traffic on the network, ARM-CPD only monitors the SYN packet and use it to predict the SYN packet in the near future to detect the SYN flooding attacks. To get the prediction SYN traffic, the Autoregressive Integrated Moving Average Model (ARIMA) is proposed; and to make the detection method insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) algorithm is applied. The trace-driven simulations demonstrate that ARM-CPD can shorten the detection time of SYN flooding attack effectively.

show abstract