Nonparametric Detection Methods against DDoS Attack

Nonparametric DDoS Attack Detection

  • Lee, J. L. (Department of Statistics, Sungkyunkwan University)
  • Hong, C. S. (Department of Statistics, Sungkyunkwan University)
  • Received : 2012.11.06
  • Accepted : 2013.03.21
  • Published : 2013.04.30

Abstract

Traffic data collected for detecting distributed denial of service (DDoS) attacks on a network (BPS, PPS, etc.) is large-volume data that arrives in time order. An algorithm that detects the change point in such data must be accurate and must also perform well in detection time and detection capability. In this work, the sliding window and discretization method is used to detect the change point in the data, and we propose five nonparametric test statistics based on empirical distribution functions and ranks. For various distribution functions and their parameters, the detection time and capability of the five test methods, including the detection delay time and the detection ratio, are explored and discussed via Monte Carlo simulation and illustrative examples.

Traffic data (BPS, PPS, etc.) collected for detecting distributed denial of service (DDoS) attacks on a network is large-volume data generated in time order. A change-point detection algorithm for attack detection in large-volume data must guarantee not only accuracy but also efficiency of computation in time and space. In this study, we extend the sequential Sliding Window and Discretization (SWD) method for change-point detection in large-volume data studied by Ross et al. (2011). We then propose a new nonparametric model that uses five kinds of test methods based on the empirical distribution function and ranks, so that DDoS attacks can be detected without assumptions on the distribution of the data. Through simulation with various probability density functions and corresponding changes in population mean and variance, the nonparametric test methods proposed in this study are applied to the SWD method, and the efficiency of the model is explored and discussed. In addition, through an empirical analysis, performance is measured and compared on the basis of the attack detection rate and the accuracy of attack detection.
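The following is an added illustration, not code from the paper, of the monitoring scheme the abstract describes: a reference window of attack-free traffic counts is compared against a sliding test window with distribution-free two-sample statistics, one built from empirical distribution functions (the Kolmogorov-Smirnov distance) and one built from ranks (the standardised Wilcoxon rank-sum statistic). The paper's discretization step, its five specific statistics and its thresholds are not reproduced; the thresholds, window sizes and the constructed PPS series below are assumptions made for this example only. Detection delay is measured as the number of observations between the change point and the first alarm.

```python
"""Sliding-window nonparametric change-point detection on a traffic counter.

Added example (not the paper's own code). A reference window of pre-attack
packets-per-second (PPS) observations is compared against a sliding test
window using two distribution-free statistics. Thresholds, window sizes and
the constructed traffic series are assumptions made for this illustration.
"""
import math
import random
from bisect import bisect_right
from typing import Callable, Dict, List, Optional


def ecdf(sorted_sample: List[float], x: float) -> float:
    """Empirical distribution function of a sorted sample evaluated at x."""
    return bisect_right(sorted_sample, x) / len(sorted_sample)


def ks_statistic(ref: List[float], win: List[float]) -> float:
    """Two-sample Kolmogorov-Smirnov distance D = sup_x |F_ref(x) - F_win(x)|.
    The supremum is attained at one of the pooled sample points."""
    ref_s, win_s = sorted(ref), sorted(win)
    return max(abs(ecdf(ref_s, x) - ecdf(win_s, x)) for x in ref_s + win_s)


def rank_sum_z(ref: List[float], win: List[float]) -> float:
    """Standardised Wilcoxon rank-sum statistic of the test window (ties get
    average ranks). A large positive value means the window sits above the
    reference, i.e. an upward location shift such as a flood."""
    pooled = sorted((v, i) for i, v in enumerate(ref + win))
    ranks = [0.0] * len(pooled)
    i = 0
    while i < len(pooled):
        j = i
        while j + 1 < len(pooled) and pooled[j + 1][0] == pooled[i][0]:
            j += 1
        avg_rank = (i + j + 2) / 2.0  # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[pooled[k][1]] = avg_rank
        i = j + 1
    n, m = len(ref), len(win)
    w = sum(ranks[n:])  # rank sum of the window observations
    mean = m * (n + m + 1) / 2.0
    sd = math.sqrt(n * m * (n + m + 1) / 12.0)
    return (w - mean) / sd


def ks_threshold(n: int, m: int, alpha: float) -> float:
    """Asymptotic two-sample KS critical value at per-window level alpha."""
    return math.sqrt(-0.5 * math.log(alpha / 2.0)) * math.sqrt((n + m) / (n * m))


def sliding_window_detect(series: List[float], ref_len: int, win_len: int,
                          stat: Callable[[List[float], List[float]], float],
                          threshold: float) -> Optional[int]:
    """Return the index of the first observation at which the statistic of the
    trailing window exceeds the threshold, or None if no alarm is raised.
    The first ref_len observations are assumed attack-free and form the
    reference window."""
    ref = series[:ref_len]
    for t in range(ref_len + win_len - 1, len(series)):
        win = series[t - win_len + 1 : t + 1]
        if stat(ref, win) > threshold:
            return t
    return None


def make_traffic(change_at: int = 300, total: int = 400, seed: int = 7) -> List[float]:
    """Constructed PPS series: a steady baseline followed by a flood that
    shifts both the mean and the variance (assumed values, not real data)."""
    rng = random.Random(seed)
    baseline = [rng.gauss(1000.0, 50.0) for _ in range(change_at)]
    flood = [rng.gauss(3000.0, 300.0) for _ in range(total - change_at)]
    return baseline + flood


def demo(change_at: int = 300) -> Dict[str, Optional[int]]:
    """Run both detectors on the constructed series and report alarm index
    and detection delay. Per-window alpha is kept very small because many
    overlapping windows are tested over the lifetime of the monitor."""
    series = make_traffic(change_at=change_at)
    ref_len, win_len = 100, 30
    ks_t = sliding_window_detect(series, ref_len, win_len, ks_statistic,
                                 ks_threshold(ref_len, win_len, 1e-5))
    rk_t = sliding_window_detect(series, ref_len, win_len, rank_sum_z, 4.0)
    return {
        "ks_detect": ks_t,
        "ks_delay": None if ks_t is None else ks_t - change_at + 1,
        "rank_detect": rk_t,
        "rank_delay": None if rk_t is None else rk_t - change_at + 1,
    }


if __name__ == "__main__":
    print(demo())
```

Both detectors raise an alarm well before the test window is filled with flood traffic, because a test window needs only a fraction of post-change observations for the empirical distributions or ranks to separate from the reference; the detection delay is therefore a fraction of the window length, which is the quantity the abstract's "detection delay time" measures.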

References

  1. Anderson, T. W. (1962). On the distribution of the two-sample Cramér-von Mises criterion, Annals of Mathematical Statistics, 33, 1148-1159. https://doi.org/10.1214/aoms/1177704477
  2. Basseville, M. and Nikiforov, I. V. (1993). Detection of Abrupt Changes: Theory and Application, Prentice Hall, Englewood Cliffs, NJ.
  3. Brodsky, B. E. and Darkhovsky, B. S. (1993). Nonparametric Methods in Change-point Problems, Kluwer Academic Publishers.
  4. Carl, G., Kesidis, G., Brooks, R. R. and Suresh, R. (2006). Denial-of-service attack-detection techniques, IEEE Internet Computing, 10, 82-89.
  5. Gibbons, J. D. and Chakraborti, S. (2003). Nonparametric Statistical Inference, 4th Edition, The University of Alabama.
  6. Gordon, L. and Pollak, M. (1994). An efficient sequential nonparametric scheme for detecting a change in distribution, Annals of Statistics, 22, 763-804. https://doi.org/10.1214/aos/1176325495
  7. Greenwell, R. N. and Finch, S. J. (2004). Randomized rejection procedure for the two-sample Kolmogorov-Smirnov statistic, Computational Statistics and Data Analysis, 46, 257-267. https://doi.org/10.1016/S0167-9473(03)00148-8
  8. Karen, S. and Peter, M. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS), Recommendations of the National Institute of Standards and Technology.
  9. Kim, P. K. (1969). On the exact and approximate sampling distribution of the two-sample Kolmogorov-Smirnov criterion, Journal of the American Statistical Association, 64, 1625-1637.
  10. Lepage, Y. (1971). A combination of Wilcoxon's and Ansari-Bradley's statistics, Biometrika, 58, 213-217. https://doi.org/10.1093/biomet/58.1.213
  11. Li, L. and Lee, G. H. (2003). DDoS attack detection and wavelets, Computer Communications and Networks, Proceedings, 12, 421-427.
  12. McDonald, D. (1990). A Cusum procedure based on sequential ranks, Naval Research Logistics, 37, 627-646. https://doi.org/10.1002/1520-6750(199010)37:5<627::AID-NAV3220370504>3.0.CO;2-F
  13. Ming, Y. (2011). A nonparametric adaptive CUSUM method and its application in source-end defense against SYN flooding attacks, Wuhan University Journal of Natural Sciences, 16, 414-418. https://doi.org/10.1007/s11859-011-0772-5
  14. Ross, G. J. and Adams, N. M. (2012). Two nonparametric control charts for detecting arbitrary distribution changes, Journal of Quality Technology, 44, 102-116. https://doi.org/10.1080/00224065.2012.11917887
  15. Ross, G. J., Dimitris, K. and Adams, N. M. (2011). Nonparametric monitoring of data streams for changes in location and scale, Technometrics, 53, 379-389. https://doi.org/10.1198/TECH.2011.10069
  16. Siris, V. A. and Papagalou, F. (2006). Application of anomaly detection algorithms for detecting SYN flooding attacks, Computer Communications, 29, 1433-1442. https://doi.org/10.1016/j.comcom.2005.09.008
  17. Symantec, Inc. (2011). Norton Cyber Crime Report 2011.
  18. Takada, H. H. and Hofmann, U. (2004). Application and analyses of cumulative sum to detect highly distributed denial of service attacks using different attack traffic patterns, IST INTERMON Newsletter, 7, 1-14.
  19. Tartakovsky, A. G., Rozovskii, B. L. and Blazek, R. B. (2006). A novel approach to detection of denial-of-service attacks via adaptive sequential and batch sequential change-point detection methods, IEEE Transactions on Signal Processing, 54, 3372-3382. https://doi.org/10.1109/TSP.2006.879308
  20. Wang, H., Zhang, D. and Shin, K. G. (2004). Change-point monitoring for detection of DoS attacks, IEEE Transactions on Dependable and Secure Computing, 1, 193-208. https://doi.org/10.1109/TDSC.2004.34

Cited by

  1. The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform vol.2016, 2016, https://doi.org/10.1155/2016/2946735