NUST Institutional Repository

Anomaly based denial of service detection system


dc.contributor.author Saeed, Aamna
dc.contributor.author Nisa, Rozina
dc.contributor.author Perveen, Nighat
dc.contributor.author Shaheen, Rubina
dc.contributor.author Supervised by Mofassir-ul-Haque.
dc.date.accessioned 2020-11-06T03:50:25Z
dc.date.available 2020-11-06T03:50:25Z
dc.date.issued 2008-03
dc.identifier.other BESE-10
dc.identifier.other PCS-161
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/10437
dc.description.abstract The Denial of Service (DoS) attack is one of the greatest network security problems faced these days. In a DDoS attack, the attacker uses a multitude of compromised systems (zombies or bots) to exhaust or deplete the resources (CPU cycles, memory, disk space, and network bandwidth) of the victim server, rendering it useless. The nature of the threats posed by DoS attacks on large networks demands effective detection which could lead to their rapid obviation. Most detection approaches define an attack as an abnormal and noticeable deviation of some statistic of the monitored network traffic workload. Given enough time, most of the techniques detect DoS attacks accurately, but DoS detection in real time is a critical issue which needs to be tackled before the web services provided by the server become inaccessible. Activity profiling is the approach which monitors network packet header information. The chi-square statistic is applied to parameter values extracted from the packet header to determine the deviation of observed frequencies from expected frequencies. The chi-square statistic uses nominal (categorical) or ordinal level data; thus, instead of using mean and variance, this test uses frequencies. Along with chi-square analysis, algorithms for memory and CPU consumption continuously calculate and compare runtime memory and CPU values with specified thresholds. When the values exceed the specified thresholds, an alarm is generated notifying that the server is under DoS threat. The main objective is to detect the DoS anomaly at runtime, with a reduced false alarm rate. Therefore, the Anomaly based DoS Detection System monitors the chi-square statistic as well as keeping track of the resource consumption of the server. This approach would circumvent large processing overheads and relieve network administrators from the time-consuming task of scanning network traffic. en_US
dc.language.iso en en_US
dc.publisher MCS en_US
dc.title Anomaly based denial of service detection system en_US
dc.type Technical Report en_US

