2.4.2. Experimental study

We now present sample testing results that illustrate the efficiency of the HASIDS for LANDER data sets.

ICMP Attack (LANDER). The first data set is a tcpdump trace file containing a fragment of real-world malicious network activity, identified as an ICMP attack. The trace was captured on one of the Los Nettos private networks (a regional ISP in Los Angeles). Figure 2.14 demonstrates the attack detection. It shows raw data (top), the behavior of the multi-cyclic CUSUM statistic (middle), and the power spectral density (PSD) of the data (bottom). The hybrid IDS filtered all false alarms (shown by green circles) and detected the attack very rapidly after its occurrence. Note that the spectral analyzer is triggered only when a threshold exceedance occurs. None of the false alarms passed the hybrid system since the peak in the spectrum appeared only after the attack began. This allowed us to set a very low threshold in the anomaly IDS, resulting in a very small delay to detection of the attack.

UDP Flooding Attack (LANDER). The next experiment demonstrates the supremacy of the hybrid anomaly–signature approach to intrusion detection over the anomaly-based approach by applying HASIDS and AbIDS to detect and isolate a real-world “double-strike” UDP DDoS attack. The attack is composed of two consecutive “pulses” in the traffic intensity, shown in Figure 2.15(a). Each pulse is a sequence of seemingly insignificant packets (roughly 15 bytes in size) sent to the victim’s UDP port 22 at a rate of about 180 Kbps. This is approximately thrice the intensity of the background traffic (about 53 Kbps). Although each individual packet may appear to be harmless due to its small size, each pulse’s combined power is sufficient to knock the machine down almost instantaneously. One would think that because the attack is so strong, any IDS will be able to detect it quickly. However, the challenge is that each pulse is rather short, the gap between the two pulses is very short, and the source of the attack packets for each pulse is different. Therefore, if the detection speed is comparable to the short duration of the pulses, the attack will get through undetected. Furthermore, if the renewal time (i.e., the interval between the most recent detection and the time the IDS is ready for a new detection) is longer than the distance between the pulses, then even though the first pulse may be detected, the second one is likely to be missed. Hence, this scenario is challenging and illustrates the efficiency of the proposed HASIDS

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law. EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671

66 A. G. Tartakovsky

Fig. 2.14. Detection of the ICMP DDoS attack with HASIDS.
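The two-stage logic described in both experiments above, as an added example that is not the book's code nor the HASIDS implementation: a multi-cyclic CUSUM anomaly stage (restarted from zero after every alarm, unavailable for a renewal period) whose threshold crossings trigger a spectral check that only confirms an alarm when the traffic right after the crossing shows a dominant spectral line, the way a fixed-cadence flooding tool does. It runs over a constructed trace (not LANDER data) holding a benign, non-periodic flash crowd, then two short attack pulses at about 180 Kbps over a 53 Kbps background with a short gap. Every constant (bin layout, the 4-bin packet cadence, drift 25, thresholds 150 and 50, the 16-bin confirmation window, the 0.5 peak-fraction rule, renewal times 30 and 80) is an assumption chosen for illustration, not a value from the chapter.

```python
"""Toy hybrid anomaly-signature detector: multi-cyclic CUSUM + spectral confirmation.
Added illustration; constants and the trace are constructed, not from the chapter."""
import cmath
import math
import random

BACKGROUND_KBPS = 53.0   # mean background rate, as quoted in the text
ATTACK_KBPS = 180.0      # mean rate during each UDP pulse, as quoted in the text
PULSES = ((100, 130), (140, 170))   # assumed pulse bins: two 30-bin pulses, 10-bin gap


def build_trace(seed: int = 7, n_bins: int = 220):
    """Constructed per-bin traffic rate (Kbps): background plus bounded noise,
    a flash crowd at bins [10, 18) with no regular structure, and two attack
    pulses whose packets arrive with a regular 4-bin cadence (assumed)."""
    rng = random.Random(seed)
    trace = []
    for n in range(n_bins):
        noise = rng.uniform(-3.0, 3.0)
        if 10 <= n < 18:
            trace.append(BACKGROUND_KBPS + 60.0 + noise)
        elif any(start <= n < end for start, end in PULSES):
            start = next(s for s, e in PULSES if s <= n < e)
            cadence = 40.0 * math.cos(2 * math.pi * (n - start) / 4)
            trace.append(ATTACK_KBPS + cadence + noise)
        else:
            trace.append(BACKGROUND_KBPS + noise)
    return trace


def periodic_peak_fraction(window):
    """Share of the window's AC power held by its strongest bin at k >= 2.
    A regular packet cadence yields a line spectrum (fraction near 1); a step
    or flash crowd spreads power over the lowest bins (fraction well below 0.5)."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]              # drop DC so the level shift is ignored
    power = {}
    for k in range(1, n // 2 + 1):
        coeff = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        power[k] = abs(coeff) ** 2
    total = sum(power.values())
    candidates = [p for k, p in power.items() if k >= 2]
    if total == 0 or not candidates:
        return 0.0
    return max(candidates) / total


def hybrid_detect(trace, mu0, drift, threshold, renewal, confirm_len=16, min_peak=0.5):
    """Anomaly stage: one-sided CUSUM W_n = max(0, W_{n-1} + x_n - mu0 - drift).
    On W_n >= threshold the signature stage inspects the next `confirm_len` bins
    and confirms only if they carry a dominant spectral line.  The statistic is
    then reset and the detector sleeps for `renewal` bins (multi-cyclic scheme).
    Returns (raw_alarms, confirmed_alarms) as lists of bin indices."""
    raw, confirmed = [], []
    stat, next_ready = 0.0, 0
    for n, x in enumerate(trace):
        if n < next_ready:                      # still inside the renewal period
            continue
        stat = max(0.0, stat + x - mu0 - drift)
        if stat >= threshold:
            raw.append(n)
            window = trace[n + 1:n + 1 + confirm_len]
            if len(window) == confirm_len and periodic_peak_fraction(window) >= min_peak:
                confirmed.append(n)
            stat, next_ready = 0.0, n + renewal + 1
    return raw, confirmed


def pulses_detected(confirmed, pulses=PULSES):
    """True for each attack pulse that received at least one confirmed alarm."""
    return [any(s <= n < e for n in confirmed) for s, e in pulses]


if __name__ == "__main__":
    trace = build_trace()
    for threshold, renewal in ((150.0, 30), (50.0, 30), (150.0, 80)):
        raw, conf = hybrid_detect(trace, BACKGROUND_KBPS, 25.0, threshold, renewal)
        print(f"h={threshold:5.1f} renewal={renewal:2d}: anomaly alarms {raw}, "
              f"confirmed {conf}, pulses caught {pulses_detected(conf)}")
```

With threshold 150 the flash crowd trips the CUSUM but the confirmation window after it has no spectral line, so it is filtered, while both pulses are confirmed one bin after they start; dropping the threshold to 50 brings the detection delay to zero bins and the flash crowd is still filtered, which is the "very low threshold in the anomaly IDS" effect described for the ICMP trace. With a renewal of 80 bins, longer than the spacing of the pulses, the second pulse arrives while the detector is asleep and is missed, the failure mode the UDP experiment is built to expose. The confirmation window itself adds `confirm_len` bins of latency before an alarm can be acted on, so in practice it must be kept shorter than the pulses one expects to see.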