containing all the IP addresses that have the same first 16 bits (/16), so we have N = 256 channels. In each channel, we monitor the number of SYN packets sent per second for the entire eight-hour duration. In the single-channel case, the time series is formed by monitoring the total number of SYNs per second for all the IP addresses that have the same 8-bit prefix; the pre-change mean value is µ = 3 SYNs/sec and the post-change (attack) mean is µ = 19 SYNs/sec with (approximately) the same variance. Thus, a linear score has been used (C_2 = 0 in (2.15)). In the multichannel case, the attack occurs in the channel i = 113 with mean values µ_113 = 0.0063 SYNs/sec before the change and µ_113 = 15.3 SYNs/sec after it. It is therefore obvious that localizing the attack with the multichannel MAX algorithm (2.18), based on thresholding the statistic W_max(n) = max_{1 ≤ i ≤ 256} W_n^(i), enhances the detection capability. Figures 2.5(a) and 2.5(b) illustrate the relation between the ADD and −log(FAR) = log ARL2FA for the SC-CUSUM and MAX MC-CUSUM detection algorithms, respectively. The optimal value of the design parameter C_3 = c is c_opt = 0.1 for the single-channel case and c_opt = 1.8 for the multichannel case. At the extreme right of the plot, we achieve an ARL2FA of 8103 sec, i.e., 2.25 hours (−log(FAR) = 9). For this FAR, the ADD for the MAX MC-CUSUM is 3.5 sec, while the ADD for the SC-CUSUM is 45 sec, about 13 times higher. Since the ADD increases dramatically as the FAR decreases, for lower FAR the SC-CUSUM algorithm may be unable to detect short attacks. We therefore conclude that in certain scenarios the use of multichannel intrusion detection systems may be very important.

Copyright © 2014. Imperial College Press. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 2/16/2016 3:37 AM via CGC-GROUP OF COLLEGES (GHARUAN) AN: 779681 ; Heard, Nicholas, Adams, Niall M..; Data Analysis for Network Cyber-security Account: ns224671
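The MAX multichannel CUSUM described above, as an added example that is not the chapter's code: one CUSUM statistic per /16 channel, W_max(n) = max_i W_n^(i), and an alarm when W_max crosses a threshold h. The linear score S_n = X_n − µ_i − c is a simplified form assumed here (the chapter's (2.15) is not reproduced on this page); the Poisson traffic model, the threshold h = 20 and the 0-based channel indices are constructed for illustration, while c = 1.8 and the attacked channel's rates (0.0063 and 15.3 SYNs/sec) are the values quoted above.

```python
import math
import random


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the per-second rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def max_mc_cusum(samples, mus, c, h):
    """Run one CUSUM per channel with the (assumed) linear score x - mu - c and
    raise an alarm when W_max(n) = max_i W_n^(i) reaches h.
    samples: iterable of per-second count vectors, one entry per channel.
    Returns (alarm_time, channel) or (None, None) if no alarm is raised."""
    W = [0.0] * len(mus)
    for n, x in enumerate(samples, start=1):
        for i, mu in enumerate(mus):
            W[i] = max(0.0, W[i] + (x[i] - mu - c))  # CUSUM recursion
        i_max = max(range(len(W)), key=W.__getitem__)  # channel with largest W
        if W[i_max] >= h:
            return n, i_max  # detection time and localized channel
    return None, None


def synthetic_trace(seed=7, n_channels=256, duration=600, attack_channel=113,
                    attack_start=300, pre_mu=0.012, pre_mu_attack=0.0063,
                    post_mu_attack=15.3):
    """Constructed traffic: Poisson SYN counts per second in each /16 channel;
    the attacked channel's rate jumps from pre_mu_attack to post_mu_attack
    at attack_start. Returns the trace and the pre-change means."""
    rng = random.Random(seed)
    mus = [pre_mu] * n_channels
    mus[attack_channel] = pre_mu_attack
    trace = []
    for n in range(1, duration + 1):
        rates = list(mus)
        if n >= attack_start:
            rates[attack_channel] = post_mu_attack
        trace.append([poisson(rng, lam) for lam in rates])
    return trace, mus


def run_demo():
    """Detect the constructed attack with c = 1.8 and an assumed threshold h = 20."""
    trace, mus = synthetic_trace()
    return max_mc_cusum(trace, mus, c=1.8, h=20)


if __name__ == "__main__":
    print(run_demo())
```

With these rates a single background packet (x = 1) cannot push a channel's statistic above zero, so pre-change W_n^(i) stays near 0 in every channel, while the attacked channel gains roughly 13.5 per second once the flood starts.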
Rapid Detection of Attacks by Quickest Changepoint Detection Methods 55

[Fig. 2.5. ADD (sec) versus −log(FAR) for the SC-CUSUM and MAX MC-CUSUM algorithms. (a) The SC-CUSUM algorithm, curves for c = 0, 0.05, 0.1, 0.15; (b) The MAX MC-CUSUM algorithm, curves for c = 1.4, 1.6, 1.8, 2.0.]

TCP SYN DDoS Attack (LANDER Project).

Next, we present the results of testing the single-channel (score-based) CUSUM and SR detection algorithms with respect to the STADD introduced in (2.9) when the attack occurs long after surveillance starts and is preceded by multiple false alarms. This testing was performed for a real data set containing a DDoS SYN flood attack. The data is courtesy of the Los Angeles Network Data Exchange and Repository (LANDER) project (see ). Specifically, the trace is flow data captured by Merit Network Inc. (see ) and the attack is on a University of Michigan IRC server. It starts at approximately 550 seconds into the trace and lasts for ten minutes. Figure 2.6 shows the