This preview shows pages 1–2. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 24, NO. 10, OCTOBER 2006 1877 Adaptive Defense Against Various Network Attacks Cliff C. Zou , Member, IEEE , Nick Duffield , Fellow, IEEE , Don Towsley , Fellow, IEEE , and Weibo Gong , Fellow, IEEE Abstract— In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “ adaptive defense ” functionality based on cost minimization—adaptively adjusting its configura- tions according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misiden- tify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situa- tions or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system de- signs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it ap- plicable for a wide range of security defenses. Index Terms— Adaptive defense, computer security, distributed denial-of-service (DDoS), Internet worm, SYN flood. I. INTRODUCTION C URRENT Internet and computers are constantly under various attacks: hackers’ intrusion, port scan, distributed denial-of-service (DDoS), virus and worm infection, e-mail spam, etc. Many defense methods and systems have been proposed. These systems typically need to detect the ongoing attack traffic first, and then block (filter) the attack traffic before it reaches the victims. The attack detection is of crucial importance in such defense systems. When using an imperfect detection system, it can generate “false positives” and “false negatives.” A “false positive” means a detection system incor- rectly identifies a normal packet/connection/host as an attack, whereas a “false negative” means a detection system incorrectly identifies an attack packet/connection/host as a normal one. A good detection system generates fewer false positives and false negatives. However, these two types of detection errors always conflict with each other when the detection algorithm Manuscript received September 15, 2005; revised March 27, 2006. This work was supported in part by the Army Research Office (ARO) Contract DAAD19-01-1-0610, and in part by the National Science Foundation (NSF) under Grant EEC-0313747, Grant EIA-0080119, Grant ANI-0085848, and Grant CNS-0325868....
View Full Document
This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.
- Spring '08