DDOS attack detection by control charts

Abstract

Distributed Denial of Service (DDoS) attacks are considered as the major threats in today’s cyberworld. The fact that the source of these threats is often uncertain increases the concerns of many network operators. These types of attacks exhaust the resources to make them unavailable for the legitimate users and they take control over remote hosts. Infrastructure dependent business processes are adversely affected so that companies suffer financial losses. They are violating the security components of information security; confidentiality, integrity and availability. However, many tech niques to overcome DDoS attacks have been developing by researchers who have the awareness of these threats. In this thesis, in order to detect DDoS attacks, we first compared cumulative sum mation patterns of datasets which have normal and weibull distributions. We applied Tabular CUSUM and V-mask CUSUM methods to two datasets which we maintained at Bog˘azi¸ci University by using hping DDoS tool. It was found that these techniques can be applied to detect the anomalies of DDoS attack traffic by analyzing numerical changes of SYN packets during the process. The comparison of the accuracy rates of Tabular CUSUM and V-mask CUSUM techniques was made by Receiver Operating Characteristic (ROC) curves. We made a performance analysis of EWMA and CUSUM control charts evaluating Average Run Length (ARL) approximation. Finally, the Au toregressive Integrated Moving Average (ARIMA) forecasting model was applied in order to obtain the forecasting residuals which are also utilized in the performance evaluation of these two control charts.