Abstract:
Denial of Service (DoS) attacks are one of the greatest network security problems
faced these days. In a DDoS attack the attacker uses a multitude of compromised systems
(zombies or bots) to exhaust or deplete the resources (CPU cycles, memory, disk space,
and network bandwidth) of the victim server, rendering it useless. The nature of the threats
posed by DoS attacks on large networks demands effective detection, which could lead to
their rapid obviation. Most detection approaches define an attack as an abnormal and
noticeable deviation of some statistic of the monitored network traffic workload. Given
enough time, most of the techniques detect a DoS attack accurately, but DoS detection in
real time is a critical issue that needs to be tackled before the web services provided by
the server become inaccessible.
Activity profiling is an approach that monitors network packet header
information. The chi-square statistic is applied to parameter values extracted from the
packet header to determine the deviation of observed frequencies from expected frequencies.
The chi-square statistic uses nominal (categorical) or ordinal level data; thus, instead of
using mean and variance, this test uses frequencies. Along with chi-square analysis, algorithms
for memory and CPU consumption continuously calculate and compare runtime memory
and CPU values with specified thresholds. When the values exceed the specified thresholds,
an alarm is generated notifying that the server is under DoS threat. The main objective is
to detect the DoS anomaly at runtime, with a reduced false alarm rate.
Therefore, the Anomaly based DoS Detection System monitors the chi-square statistic
as well as keeps track of the resource consumption of the server. This approach would
circumvent large processing overheads and relieve network administrators of the
time-consuming task of scanning network traffic.
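
The detection logic described above, sketched as an added example (not code from the original work): a Pearson chi-square test of one traffic window's header-field frequencies against a baseline profile, combined with CPU and memory threshold checks. The choice of the IP protocol field, the baseline shares, the significance level and the resource thresholds are all assumptions made for illustration, and the sample windows are constructed.

```python
from collections import Counter

# Assumed baseline profile: share of each IP protocol in attack-free traffic.
BASELINE = {"TCP": 0.70, "UDP": 0.24, "ICMP": 0.05, "OTHER": 0.01}
CHI2_CRITICAL = 16.266             # chi-square critical value, df = 3, alpha = 0.001
CPU_LIMIT, MEM_LIMIT = 90.0, 85.0  # assumed thresholds, percent utilisation


def chi_square(protocols):
    """Pearson chi-square of one window's protocol counts against BASELINE."""
    # Categories absent from the profile are folded into the OTHER bin.
    observed = Counter(p if p in BASELINE else "OTHER" for p in protocols)
    n = sum(observed.values())
    if n == 0:
        return 0.0  # empty window: no frequencies to compare
    # Sum of (observed - expected)^2 / expected over every baseline category.
    return sum((observed[c] - n * share) ** 2 / (n * share)
               for c, share in BASELINE.items())


def alarms(protocols, cpu_pct, mem_pct):
    """Return the list of checks that fired for this monitoring interval."""
    reasons = []
    if chi_square(protocols) > CHI2_CRITICAL:
        reasons.append("chi-square")
    if cpu_pct > CPU_LIMIT:
        reasons.append("cpu")
    if mem_pct > MEM_LIMIT:
        reasons.append("memory")
    return reasons


# Constructed sample windows of 1000 packet headers each.
NORMAL = ["TCP"] * 690 + ["UDP"] * 250 + ["ICMP"] * 50 + ["SCTP"] * 10
FLOOD = ["TCP"] * 300 + ["UDP"] * 100 + ["ICMP"] * 600

if __name__ == "__main__":
    for name, window, cpu, mem in [("normal", NORMAL, 35.0, 40.0),
                                   ("flood", FLOOD, 97.0, 60.0)]:
        print(f"{name}: chi2={chi_square(window):.2f} alarms={alarms(window, cpu, mem)}")
```

The chi-square approximation is only reliable when every expected count is at least about 5, so the window size has to be large enough for the rarest baseline category.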