TY - GEN
T1 - Performance evaluation of a multi-stage network event detection scheme against DDoS attacks
AU - Murase, Tutomu
AU - Fukushima, Yukinobu
AU - Kobayashi, Masayoshi
AU - Fujiwara, Hiroki
AU - Fujimaki, Ryohei
AU - Yokohira, Tokumi
N1 - Copyright:
Copyright 2008 Elsevier B.V., All rights reserved.
PY - 2008
Y1 - 2008
N2 - Change-point detection schemes, which represent one type of anomaly detection scheme, are a promising approach for detecting network anomalies, such as attacks and epidemics by unknown viruses and worms. These events are detected as change-points. However, such schemes generally also detect false-positive change-points caused by other events, such as hardware problems. Therefore there is a requirement for a scheme that detects only the true-positive change-points caused by attacks and epidemics by unknown viruses and worms. True-positive change-points tend to occur simultaneously and intensively in very large numbers, while false-positive change-points tend to occur independently. We can exclude false-positive change-points by excluding those that occur independently, based on information gathered from the entire network. In this paper, we combine change-point detection schemes with a distributed IDS, and evaluate the performance of the combined scheme by a simulation using the parameter values obtained from an experiment using real worms. The simulation results show that the combined scheme detects all the DDoS attacks without any false positives, while a false-positive rate of at least 0.02 has to be tolerated to detect all the attacks in a stand-alone IDS scheme.
AB - Change-point detection schemes, which represent one type of anomaly detection scheme, are a promising approach for detecting network anomalies, such as attacks and epidemics by unknown viruses and worms. These events are detected as change-points. However, such schemes generally also detect false-positive change-points caused by other events, such as hardware problems. Therefore there is a requirement for a scheme that detects only the true-positive change-points caused by attacks and epidemics by unknown viruses and worms. True-positive change-points tend to occur simultaneously and intensively in very large numbers, while false-positive change-points tend to occur independently. We can exclude false-positive change-points by excluding those that occur independently, based on information gathered from the entire network. In this paper, we combine change-point detection schemes with a distributed IDS, and evaluate the performance of the combined scheme by a simulation using the parameter values obtained from an experiment using real worms. The simulation results show that the combined scheme detects all the DDoS attacks without any false positives, while a false-positive rate of at least 0.02 has to be tolerated to detect all the attacks in a stand-alone IDS scheme.
UR - http://www.scopus.com/inward/record.url?scp=56649117221&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=56649117221&partnerID=8YFLogxK
U2 - 10.1109/APSITT.2008.4653540
DO - 10.1109/APSITT.2008.4653540
M3 - Conference contribution
AN - SCOPUS:56649117221
SN - 9784885522260
T3 - 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT
SP - 58
EP - 63
BT - 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT
T2 - 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT
Y2 - 22 April 2008 through 24 April 2008
ER -