Abnormal Event Detection for Network Flooding Attacks

Due to the high demand for network service availability and reliability, the IDS (Intrusion Detecting System) has become an essential element for IP networks. Currently, most IDSs use a pattern-matching mechanism to detect network flooding attacks. However, while running, such a mechanism needs to take into considerable the computing time/resource of an IDS or an IDS-embedded router. This can easily cause the IDS or router to become overloaded or to crash. In this paper, an abnormal event detection mechanism based on the abrupt variation analysis of network traffic is proposed. This detection mechanism works cooperatively with the pattern-matching mechanic to perform effective attack detection in a situation where overloading of an IDS or an IDS-embedded device should be avoided. In addition, a monitoring system using abnormal event detection is designed and implemented to demonstrate its detection performance. By using the developed system, network managers can not only determine the occurrence and the behavior of an attack, but also take some timely actions to present or stop the attack on crucial network resources.