EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
Rapid Detection of Attacks by Quickest Changepoint Detection Methods 57

[Fig. 2.7. Long run of the SR procedure (logarithm of the SR statistic versus time) for the SYN flood attack. Plot: time (seconds), 540 to 548, against the log Shiryaev-Roberts statistic, log(R), from -1 to 8; the log SR threshold and the false alarms are marked.]

be filtered by a specially designed algorithm, as has been suggested by Pollak and Tartakovsky (2009) and will be further discussed in Section 2.4. Figure 2.8(a) shows the behavior of $\log R^{\mathrm{sc}}_n$ shortly prior to the attack and right after the attack starts until detection. Figure 2.8(b) shows the CUSUM score-based statistic $W^{\mathrm{sc}}_n$. Both procedures successfully detect the attack with very small delays and raise about seven false alarms per 1000 samples. The detection delay is approximately 0.14 seconds (seven samples) for the repeated SR procedure, and about 0.21 seconds (ten samples) for the CUSUM procedure. As expected, the SR procedure is slightly better.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.

58 A. G. Tartakovsky

[Fig. 2.8. Detection of the SYN flood attack by the multi-cyclic SR and CUSUM procedures. (a) The multi-cyclic SR procedure: time (seconds), 547.4 to 548.6, against the log Shiryaev-Roberts statistic, log(R), from -1 to 8, with the change point, the SR detection and the log SR threshold marked. (b) The multi-cyclic CUSUM procedure: the same time axis against the CUSUM statistic, W, with the change point, the CUSUM detection and the CUSUM threshold marked.]

UDP DoS Flooding Attack (CAIDA). Finally, we validate the feasibility of the binary CUSUM detection algorithm (2.21) on backbone data with the one-hour packet traces captured on SONET OC-48 links by CAIDA monitors. This data set, shown in Figure 2.9, contains the UDP flooding attack. Figure 2.9 shows the time series of the total number of UDP packets in a sample period of 0.015 msec. The attack is not visible to the naked eye, but an offline examination revealed that it consists of a Trojan horse called trojan.dasda sent from one source on port 10100 to one destination on port 44097. Trojan.dasda is a Trojan horse that can download and execute remote files and open a back-door on an infected computer. Careful estimation shows that there is a change from the pre-change mean µ = 87 packets per sample period to the post-change mean µ = 94 packets per sample period. Thus, the parameter differentiating the normal traffic from an abnormal one is changed from 87 to 94 packets per sample period.
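As an added illustration (an editor's example, not code from the chapter), the repeated SR and CUSUM recursions applied to the mean shift described above, from 87 to 94 packets per sample period. It assumes Poisson-distributed counts for the likelihood ratio, a constructed count series in place of the CAIDA trace, and a log-threshold of 4; it uses the plain likelihood-ratio recursions, not the chapter's score-based statistics or the binary CUSUM algorithm (2.21).

```python
import math

def poisson_llr(x, mu0, mu1):
    """Log-likelihood ratio of one count x for Poisson(mu1) against Poisson(mu0).
    The x! terms cancel, leaving x*log(mu1/mu0) - (mu1 - mu0)."""
    return x * math.log(mu1 / mu0) - (mu1 - mu0)

def run_detector(counts, mu0, mu1, log_threshold, kind="sr"):
    """Repeated (multi-cyclic) detector over a sequence of per-period packet counts.
    kind="sr":    R_n = (1 + R_{n-1}) * exp(llr_n), alarm when log R_n >= log_threshold
    kind="cusum": W_n = max(0, W_{n-1} + llr_n),   alarm when W_n   >= log_threshold
    After each alarm the statistic is reset to 0 and monitoring continues.
    Returns the 0-based indices of the samples at which alarms were raised."""
    alarms, stat = [], 0.0          # R_0 = 0 for SR, W_0 = 0 for CUSUM
    for n, x in enumerate(counts):
        llr = poisson_llr(x, mu0, mu1)
        if kind == "sr":
            stat = (1.0 + stat) * math.exp(llr)   # always > 0 after an update
            score = math.log(stat)
        elif kind == "cusum":
            stat = max(0.0, stat + llr)
            score = stat
        else:
            raise ValueError("kind must be 'sr' or 'cusum'")
        if score >= log_threshold:
            alarms.append(n)
            stat = 0.0                            # restart: the multi-cyclic version
    return alarms

def make_counts(change_point=500, n_post=100):
    """Constructed packet counts per sample period (not the CAIDA trace): a
    repeating pattern with mean 87 before the change and mean 94 after it."""
    pre = [85, 89, 87, 86, 88, 87, 90, 84, 87, 87]
    post = [92, 96, 94, 93, 95, 94, 97, 91, 94, 94]
    return [pre[i % 10] for i in range(change_point)] + [post[i % 10] for i in range(n_post)]

def detection_delay(alarms, change_point):
    """Samples from the change point to the first alarm at or after it (None if no alarm)."""
    later = [a for a in alarms if a >= change_point]
    return later[0] - change_point + 1 if later else None

if __name__ == "__main__":
    counts = make_counts()
    for kind in ("sr", "cusum"):
        alarms = run_detector(counts, 87.0, 94.0, 4.0, kind)
        print(kind, "false alarms:", sum(a < 500 for a in alarms),
              "detection delay (samples):", detection_delay(alarms, 500))
```

On this constructed series both detectors raise no alarm before the change; the SR statistic crosses the threshold earlier than CUSUM because log R_n is never below W_n, and both keep re-alarming while the elevated rate persists.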