Detection of Denial-of-QoS Attacks Based On χ Statistic And EWMA Control Charts

In this paper, we describe a method of detecting denial of Quality of Service attacks on DiffServ networks. Our approach focusses on real time and quick detection, scalability to large networks, and a negligible false alarm generation rate. Sensors sample QoS parameters like bit rate, packet dropping rate, and jitter of specific Virtual Leased Line (VLL) flows at predefined strategic points in their paths. We detect anomalies in sampled network flow statistics using the EWMA Control Chart test for the highly stationary measures and for the rest adapt SRI’s χ statistic based NIDES approach. Our implementation shows that the method has a 100% detection rate for attacks above its threshold level those attacks that produce statistically significant QoS degradation. The detection time is low and less than about 15 minutes. The maximum inherent false alarm generation rate for both the tests and any of the monitored measures combined is of the order of 1 false alarm in 1000 valid status alerts of either normal or under attack. We believe that given the results of the tests on our implementation of the attacks and the detection system, the method is a strong candidate for QoS intrusion detection for a low-cost commercial deployment. ∗Vinay A. Mahadik is pursuing Master of Science in Computer Networking at the NC State University, Raleigh. Email : [email protected] †Xiaoyong Wu is with the Advanced Networking Research Group, MCNC, Research Triangle Park. Email : [email protected] ‡Douglas S. Reeves is with the Department of Computer Science, NC State University, Raleigh. Email : [email protected]