An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition

Cited by: 56
Author
Li, M [1 ]
Affiliation
[1] E China Normal Univ, Sch Informat Sci & Technol, Dept Elect Sci & Technol, Shanghai 200026, Peoples R China
Keywords
anomaly intrusion detection; distributed denial-of-service attacks; long-range dependent time series; statistical pattern recognition; statistical detection;
DOI
10.1016/j.cose.2004.04.005
CLC classification
TP [Automation technology, computer technology];
Subject classification
0812;
Abstract
In the area of intrusion detection, reliable detection remains a challenging issue, as stated in Kemmerer and Vigna (Suppl IEEE Comput (IEEE Secur Priv) 35(4) (2002) 28): "The challenge is to develop a system that detects close to 100% of attacks with minimal false positives. We are still far from achieving this goal." Hence, reliable detection of distributed denial-of-service (DDOS) attacks is worth studying. By reliable detection, we mean that signs of attacks can be identified with a predetermined detection probability and false alarm probability. This paper focuses on reliable detection of DDOS flood attacks by identifying patterns of traffic with long-range dependence (LRD). In this respect, there are three fundamental issues in theory and practice: Which statistical feature of traffic is to be used for pattern recognition? How are the distributions of identification probability, false alarm probability and miss probability to be represented? How can decision-making with high identification probability, low false alarm probability and low miss probability be assured? This paper gives a statistical detection scheme based on identifying abnormal variations of LRD traffic time series. The representations of the three probability distributions mentioned above are given and a decision-making region is explained. With this region, one can know what the identification (or false alarm, or miss) probability is for capturing signs of DDOS flood attacks. The significance of the decision-making region is that it provides a guideline for setting an appropriate threshold value so as to assure high identification probability, low false alarm probability and low miss probability. A case study is demonstrated. (C) 2004 Elsevier Ltd. All rights reserved.
Pages: 549-558
Page count: 10
References
33 entries in total
[1] [Anonymous], 1958, INTRO FOURIER ANAL G
[2] BASSEVILLE, M. DISTANCE MEASURES FOR SIGNAL-PROCESSING AND PATTERN-RECOGNITION [J]. SIGNAL PROCESSING, 1989, 18 (04): 349-369
[3] Bendat J. S., 1991, RANDOM DATA ANAL MEA
[4] Beran J., 1994, STAT LONG MEMORY PRO
[5] BETTATI R, 1999, P 1 USENIX WORKSH IN
[6] DITTRICH D, DOS PROJECTS TRINOO
[7] Dittrich D., MSTREAM DISTRIBUTED
[8] DITTRICH D, TRIBE FLOOD NETWORK
[9] DITTRICH D, STACHELDRAHT DISTRIB
[10] DTTRCH S, ANAL SHAFT DISTRIBUT