
Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management

  • Cabrera, João B. D. (1)
  • Lewis, Lundy (2)
  • Qin, Xinzhou (3)
  • Lee, Wenke (3)
  • Mehra, Raman K. (1)
  • (1) Scientific Systems Company, 500 West Cummings Park, Suite 3000, Woburn, Massachusetts 01801
  • (2) Aprisma Management Technologies, 121 Technology Drive, Durham, New Hampshire 03824
  • (3) College of Computing, Georgia Institute of Technology, 801 Atlantic Drive, Atlanta, Georgia 30332
Published Article
Journal of Network and Systems Management
Kluwer Academic Publishers-Plenum Publishers
Publication Date
Jun 01, 2002
DOI: 10.1023/A:1015910917349
Springer Nature


Little or no integration exists today between Intrusion Detection Systems (IDSs) and SNMP-based Network Management Systems (NMSs), in spite of the extensive monitoring and alarming capabilities offered by commercial NMSs. This difficulty is mainly associated with the distinct data sources used by the two systems: packet traffic and audit records for IDSs and SNMP MIB variables for NMSs. In this paper we propose and evaluate a methodology for utilizing NMSs for the early detection of Distributed Denial of Service attacks (DDoS). A principled approach is described for discovering precursors to DDoS attacks in databases formed by MIB variables recorded from multiple domains in networked information systems. The approach is rooted in time series quantization, and in the application of the Granger Causality Test of classical statistics for selecting variables that are likely to contain precursors. A methodology is proposed for discovering precursor rules from databases containing time series related to different regimes of a system. These precursor rules relate precursor events extracted from input time series with phenomenon events extracted from output time series. Using MIB datasets collected from real experiments involving Distributed Denial of Service Attacks, it is shown that precursor rules relating activities at attacking machines with traffic floods at target machines can be extracted by the methodology. The technology has extensive applications for security management: it enables security analysts to better understand the evolution of complex computer attacks, it can be used to trigger alarms indicating that an attack is imminent, or it can be used to reduce the false alarm rates of conventional IDSs.
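The variable-selection step the abstract describes rests on the Granger Causality Test: a candidate input series is a useful precursor if its past values improve the prediction of the output series beyond what the output's own past already gives. The following added example (not code from the paper or its authors) implements a lag-1 Granger F-test in pure Python and runs it on two constructed MIB-style series, per-interval deltas of an outbound packet counter at a suspected attacking host (x) and of an inbound counter at the target (y); the series, the lag, the coefficients and the function names are all assumptions.

```python
# Added example (not from the paper): lag-1 Granger causality test in pure Python on
# two constructed MIB-style series: per-interval deltas of an outbound packet counter
# at a suspected attacking host (x) and of an inbound counter at the target (y).
import random


def solve(a, b):
    """Solve the small linear system a.w = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [m[r][k] - f * m[c][k] for k in range(n + 1)]
    return [m[i][n] / m[i][i] for i in range(n)]


def rss(rows, y):
    """Residual sum of squares of an OLS fit of y on the regressor rows (normal equations)."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * t for r, t in zip(rows, y)) for i in range(k)]
    w = solve(xtx, xty)
    return sum((t - sum(wi * ri for wi, ri in zip(w, r))) ** 2 for r, t in zip(rows, y))


def granger_f(x, y):
    """F statistic for 'x Granger-causes y' at lag 1: compare y[t] ~ 1 + y[t-1]
    (restricted) against y[t] ~ 1 + y[t-1] + x[t-1] (unrestricted)."""
    target = y[1:]
    restricted = [[1.0, y[t - 1]] for t in range(1, len(y))]
    unrestricted = [[1.0, y[t - 1], x[t - 1]] for t in range(1, len(y))]
    rss_r, rss_u = rss(restricted, target), rss(unrestricted, target)
    dof = len(target) - 3  # observations minus parameters of the unrestricted model
    return (rss_r - rss_u) / (rss_u / dof)  # one extra regressor -> numerator df = 1


def constructed_series(n=200, seed=7):
    """Constructed data: the target's inbound traffic follows attacker activity one step later."""
    rng = random.Random(seed)
    x, y = [0.0], [0.0]
    for _ in range(n - 1):
        x.append(0.5 * x[-1] + rng.gauss(0, 1))                   # attacker-side MIB deltas
        y.append(0.5 * y[-1] + 0.8 * x[-2] + rng.gauss(0, 0.1))  # target-side flood lags x
    return x, y
```

Running `granger_f(x, y)` on the constructed series gives a very large F statistic (x helps predict y), while `granger_f(y, x)` stays near 1, which is the asymmetry a precursor-selection step looks for; in practice the statistic is compared against the F(1, dof) critical value, and the paper applies the test to quantized series rather than raw deltas.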
