
Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management

Authors
  • Cabrera, João B. D. (1)
  • Lewis, Lundy (2)
  • Qin, Xinzhou (3)
  • Lee, Wenke (3)
  • Mehra, Raman K. (1)
  • (1) Scientific Systems Company, 500 West Cummings Park, Suite 3000, Woburn, Massachusetts 01801
  • (2) Aprisma Management Technologies, 121 Technology Drive, Durham, New Hampshire 03824
  • (3) College of Computing, Georgia Institute of Technology, 801 Atlantic Drive, Atlanta, Georgia 30332
Type
Published Article
Journal
Journal of Network and Systems Management
Publisher
Kluwer Academic Publishers-Plenum Publishers
Publication Date
Jun 01, 2002
Volume
10
Issue
2
Pages
225–254
Identifiers
DOI: 10.1023/A:1015910917349
Source
Springer Nature
License
Yellow

Abstract

Little or no integration exists today between Intrusion Detection Systems (IDSs) and SNMP-based Network Management Systems (NMSs), in spite of the extensive monitoring and alarming capabilities offered by commercial NMSs. This difficulty is mainly associated with the distinct data sources used by the two systems: packet traffic and audit records for IDSs and SNMP MIB variables for NMSs. In this paper we propose and evaluate a methodology for utilizing NMSs for the early detection of Distributed Denial of Service attacks (DDoS). A principled approach is described for discovering precursors to DDoS attacks in databases formed by MIB variables recorded from multiple domains in networked information systems. The approach is rooted in time series quantization, and in the application of the Granger Causality Test of classical statistics for selecting variables that are likely to contain precursors. A methodology is proposed for discovering precursor rules from databases containing time series related to different regimes of a system. These precursor rules relate precursor events extracted from input time series with phenomenon events extracted from output time series. Using MIB datasets collected from real experiments involving Distributed Denial of Service Attacks, it is shown that precursor rules relating activities at attacking machines with traffic floods at target machines can be extracted by the methodology. The technology has extensive applications for security management: it enables security analysts to better understand the evolution of complex computer attacks, it can be used to trigger alarms indicating that an attack is imminent, or it can be used to reduce the false alarm rates of conventional IDSs.
