While denial-of-service (DoS) attacks are devastating at their target, they often consist of an aggregation of many low-rate attacks, each small enough to evade typical detection. Attacks are best stopped at the source. We present a set of detection methods, the more recent of which appear to be particularly effective for low-rate attacks. Our methods operate on aggregate traffic (without flow separation). Initially we devised techniques based on the spectral characteristics of the packet arrival streams. The more recent approaches adopt simple statistical models for attack and background traffic features in the time domain. We combine two features of the traffic, the packet rate and the packet size distribution, into a bivariate model that detects attacks rapidly and significantly reduces false alarms. The model employs sequential probability ratio tests, allowing control over the false alarm rate while examining the trade-off between detection time and attack strength. Experiments on synthetic and real network traces indicate that the time to detection is often less than one second. Synthetic traces are employed to characterize the sensitivity of the model to attack strength, and we find that attacks that represent less than 10% of the total packet rate can be detected in fractions of a second.
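The following is an added illustration of the bivariate sequential probability ratio test described above; it is not the authors' code, and its models and numbers are assumptions: per-interval packet counts are modelled as Poisson, the share of small packets as binomial, the two features are treated as independent, the parameters of the background (H0) and attack (H1) models are constructed rather than fitted, and the traces are hand-built.

```python
import math
from typing import Optional, Sequence, Tuple

# Constructed model parameters (assumptions, not fitted values).
# H0 (background): ~100 packets per 10 ms interval, 30% of them small.
# H1 (attack): ~10% extra packets, mostly small, so the small share rises.
BACKGROUND = {"lam": 100.0, "p_small": 0.30}
ATTACK = {"lam": 110.0, "p_small": 0.36}


def interval_llr(count: int, small: int, h0=BACKGROUND, h1=ATTACK) -> float:
    """Log-likelihood ratio log P(obs|H1) / P(obs|H0) for one interval.
    count: packets seen in the interval; small: how many were small packets.
    The rate term is the Poisson LLR, the size term the binomial LLR; they are
    summed because the two features are assumed independent."""
    rate = count * math.log(h1["lam"] / h0["lam"]) - (h1["lam"] - h0["lam"])
    size = (small * math.log(h1["p_small"] / h0["p_small"])
            + (count - small) * math.log((1 - h1["p_small"]) / (1 - h0["p_small"])))
    return rate + size


def sprt_detect(intervals: Sequence[Tuple[int, int]],
                alpha: float = 0.01, beta: float = 0.01) -> Optional[int]:
    """Wald's SPRT over successive (count, small) observations.
    alpha bounds the false alarm rate, beta the miss rate. Returns the index
    of the interval at which the attack hypothesis is accepted, or None.
    Accepting the background hypothesis simply restarts the test, so the
    detector keeps running on aggregate traffic."""
    upper = math.log((1 - beta) / alpha)   # accept H1 (attack) at or above
    lower = math.log(beta / (1 - alpha))   # accept H0 (background) at or below
    s = 0.0
    for i, (count, small) in enumerate(intervals):
        s += interval_llr(count, small)
        if s >= upper:
            return i
        if s <= lower:
            s = 0.0
    return None


# Constructed traces of 10 ms intervals: 40 intervals of background, then a
# low-rate attack adding roughly 10 small packets per interval (about 10%).
BACKGROUND_TRACE = [(100, 30), (97, 29), (103, 31), (99, 28), (101, 32)] * 8
ATTACK_TRACE = BACKGROUND_TRACE + [(110, 40), (108, 39), (112, 42), (109, 40), (111, 41)] * 4

if __name__ == "__main__":
    print("background:", sprt_detect(BACKGROUND_TRACE))   # None, no false alarm
    idx = sprt_detect(ATTACK_TRACE)
    if idx is not None:
        print("attack accepted at interval", idx, "=", (idx - 40 + 1) * 10, "ms after onset")
```

With these constructed parameters the attack is accepted four intervals (40 ms) after onset, which is the kind of sub-second detection time the abstract reports for attacks under 10% of the total packet rate.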
The work presented here was done in collaboration with Xinming He (Cisco), John Heidemann (ISI), Gautam Thatte (USC), Antonio Ortega (USC), and Christos Papadopoulos (CSU).