
    Victim-based defense against IP packet flooding denial of service attacks

    Date
    2009-09
    Author
    Mbabazi, Ruth
    Abstract
    Denial of Service (DoS) attack detection is one of the most pressing issues in data network security. To detect the attacks, signature-based algorithms, anomaly detection algorithms, or a combination of both are used. A number of detection techniques have been proposed to detect attacks at the source, core, and victim. In this work, we design a detection technique that combines several existing detection techniques to detect attacks at the victim machine. First we study the performance of a number of anomaly detection algorithms, from which we select the three algorithms that are most suitable for detecting attacks at the victim's machine. The selected algorithms are the cumulative sum algorithm (CUSUM), the source IP address monitoring algorithm (SIM) and the adaptive threshold algorithm. We used the ns-2 simulator to simulate background traffic and superimposed on it traffic of the various attack types. We detected the attacks using the three algorithms. We analyzed the algorithms using three performance indicators: probability of detection, detection delay and false detection rate. We found that, on the whole, the SIM and CUSUM algorithms performed equally well for all attacks, while the adaptive threshold algorithm was only suitable for high-intensity attacks. The SIM algorithm had the shortest average detection delay, followed by the CUSUM algorithm and lastly the adaptive threshold algorithm. Based on that performance, we designed a combined-algorithm detection technique for detecting flooding attacks at the victim machine. The technique is a combination of parallel and sequential steps. The CUSUM and SIM algorithms are designed to work in parallel, while the adaptive threshold algorithm is run in case the results from the two are conflicting. The performance of the proposed technique was then evaluated.
    URI
    http://hdl.handle.net/10570/550
    Collections
    • School of Computing and Informatics Technology (CIT) Collection

    DSpace 5.8 copyright © Makerere University 
    Contact Us | Send Feedback
    Theme by 
    Atmire NV
     

     
