Hybrid Scaling Based Dynamic Time Warping for Detection of Low-rate TCP Attacks

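  • Won-Ho So (Computer Network Laboratory, Department of Computer Education, Sunchon National University)
  • Kyung-Min Yoo (Next-Generation Communication Network Laboratory, Division of Electronics and Information Engineering, Chonbuk National University)
  • Young-Chon Kim (Next-Generation Communication Network Laboratory, Division of Electronics and Information Engineering, Chonbuk National University)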
  • Published : 2008.07.30

Abstract

In this paper, a Hybrid Scaling based DTW (HS-DTW) mechanism is proposed for detection of periodic shrew TCP attacks. A low-rate TCP attack, which is a type of shrew DoS (Denial of Service) attack, was reported recently, but it is difficult to detect the attack using previous flooding DoS detection mechanisms. A pattern matching method with DTW (Dynamic Time Warping), as a type of defense mechanism, was shown to be a reasonable method of detecting and defending against a periodic low-rate TCP attack in an input traffic link. This method, however, has the problem that a legitimate link may be misidentified as an attack link if the threshold of the DTW value is not reasonable. In order to effectively discriminate between attack traffic and legitimate traffic, the difference between their DTW values should be as large as possible. To increase the difference, we analyze a critical problem with a previous algorithm and introduce a scaling method that increases the difference between DTW values. Four kinds of scaling methods are considered and the standard deviation of the sampling data is adopted. We can select an appropriate scaling scheme according to the standard deviation of an input signal. This is why the HS-DTW increases the difference between DTW values of legitimate and attack traffic. The result is that the determination of the threshold value for discrimination is easier and the probability of mistaking legitimate traffic for an attack is dramatically reduced.
