A novel approach to detection of “denial–of–service” attacks via adaptive sequential and batch–sequential change–point detection methods

In computer networks, large scale attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic, but in the early stage of an attack, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks from the class of “denial–of–service attacks”. These methods employ statistical analysis of data from multiple layers of the network protocol for detection of very subtle traffic changes, which are typical for these kinds of attacks. Both the sequential and batch-sequential algorithms utilize thresholding of test statistics to achieve a fixed rate of false alarms. The algorithms are developed on the basis of the change-point detection theory: to detect a change in statistical models as soon as possible, controlling the rate of false alarms. There are three attractive features of the approach. First, both methods are self-learning, which enables them to adapt to various network loads and usage patterns. Second, they allow for detecting attacks with small average delay for a given false alarm rate. Third, they are computationally simple, and hence, can be implemented on line. Theoretical frameworks for both kinds of detection procedures, as well as results of simulations, are presented. Keywords— Attack Detection, Change Point Detection, Denial of Service, Network Security, Network Traffic, Service Survivability.