Performance evaluation of a multi-stage network event detection scheme against DDoS attacks

Tutomu Murase, Yukinobu Fukushima, Masayoshi Kobayashi, Hiroki Fujiwara, Ryohei Fujimaki, Tokumi Yokohira

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

5 Citations (Scopus)

Abstract

Change-point detection schemes, one type of anomaly detection scheme, are a promising approach to detecting network anomalies such as attacks and epidemics of unknown viruses and worms; these events show up as change-points. However, such schemes generally also report false-positive change-points caused by other events, such as hardware problems. A scheme is therefore needed that reports only the true-positive change-points caused by attacks and by epidemics of unknown viruses and worms. True-positive change-points tend to occur simultaneously and intensively in very large numbers, whereas false-positive change-points tend to occur independently. False-positive change-points can thus be excluded by discarding those that occur independently, using information gathered from the entire network. In this paper, we combine change-point detection schemes with a distributed IDS and evaluate the performance of the combined scheme by simulation, using parameter values obtained from an experiment with real worms. The simulation results show that the combined scheme detects all the DDoS attacks without any false positives, whereas a stand-alone IDS scheme must tolerate a false-positive rate of at least 0.02 to detect all the attacks.
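The two-stage idea in the abstract, as an added example and not the paper's own code: stage 1 runs a change-point detector on each sensor's per-interval traffic counts, and stage 2 correlates the resulting change-points network-wide, keeping only those that enough distinct sensors reported in the same time window and suppressing the isolated ones. The choice of a one-sided CUSUM detector, its thresholds, the quorum rule, the sensor names and the traffic counts are all constructed here for illustration; the paper's actual detection scheme and the parameter values from its worm experiment are not on this page.

```python
"""Two-stage change-point filtering (constructed illustration, not the paper's code).

Stage 1: each sensor runs a one-sided CUSUM detector over its own traffic
counts and emits change-points (interval indices where the statistic
exceeds a threshold).
Stage 2: a central correlator keeps only change-points that at least
`quorum` distinct sensors reported within the same window, on the premise
that attack/worm change-points are simultaneous while hardware glitches
are isolated.  All thresholds and data below are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def cusum_change_points(counts, baseline_len=8, k=0.5, h=4.0):
    """Stage 1: one-sided CUSUM over a per-interval count series.

    The first `baseline_len` samples estimate the normal mean and standard
    deviation.  Standardised deviations above the mean, less the slack `k`,
    accumulate in `s`; a change-point is emitted whenever `s` exceeds `h`,
    and `s` is reset so each anomalous interval is reported once.
    Returns the list of interval indices flagged as change-points.
    """
    base = counts[:baseline_len]
    mu = mean(base)
    sigma = pstdev(base) or 1.0  # guard against a perfectly flat baseline
    s = 0.0
    change_points = []
    for t, x in enumerate(counts):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            change_points.append(t)
            s = 0.0
    return change_points


def correlate(change_points_by_sensor, quorum=3, window=1):
    """Stage 2: network-wide correlation of per-sensor change-points.

    Change-points are bucketed into windows of `window` intervals.  A window
    is confirmed when at least `quorum` distinct sensors reported a
    change-point in it; otherwise its change-points are suppressed as
    independent (likely false-positive) events.  Both dictionaries map the
    window's first interval index to the sorted list of reporting sensors.
    """
    reporters = defaultdict(set)
    for sensor, points in change_points_by_sensor.items():
        for t in points:
            reporters[(t // window) * window].add(sensor)
    confirmed = {w: sorted(s) for w, s in reporters.items() if len(s) >= quorum}
    suppressed = {w: sorted(s) for w, s in reporters.items() if len(s) < quorum}
    return confirmed, suppressed


def run_demo():
    """Constructed traffic counts for five sensors over 20 intervals.

    Intervals 0-7 are the quiet baseline.  Sensors edge-1, edge-2 and edge-4
    see a surge at intervals 12-14 and edge-3 joins at 13-14 (a coordinated
    event); edge-5 sees a lone spike at interval 9 (an isolated glitch).
    """
    quiet = [10, 11, 10, 9, 10, 11, 10, 9]  # repeated as the normal pattern
    normal = quiet + quiet + [10, 11, 10, 9]  # 20 intervals, no anomaly

    def with_spikes(spikes):
        series = list(normal)
        for t, value in spikes.items():
            series[t] = value
        return series

    traffic = {
        "edge-1": with_spikes({12: 60, 13: 65, 14: 70}),
        "edge-2": with_spikes({12: 58, 13: 66, 14: 72}),
        "edge-3": with_spikes({13: 61, 14: 68}),
        "edge-4": with_spikes({12: 63, 13: 64, 14: 69}),
        "edge-5": with_spikes({9: 55}),  # isolated hardware-style glitch
    }
    stage1 = {name: cusum_change_points(c) for name, c in traffic.items()}
    confirmed, suppressed = correlate(stage1, quorum=3, window=1)
    return stage1, confirmed, suppressed


if __name__ == "__main__":
    stage1, confirmed, suppressed = run_demo()
    for sensor, points in stage1.items():
        print(f"stage 1  {sensor}: change-points at {points}")
    print("stage 2  confirmed :", confirmed)
    print("stage 2  suppressed:", suppressed)
```

The quorum and window are the knobs a practitioner tunes: a larger quorum lowers the chance that unrelated local glitches line up by accident, while a wider window tolerates the few intervals by which sensors may see the same surge at different times (edge-3 above starts one interval late but still lands in confirmed windows).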

Original language: English
Title of host publication: 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT
Pages: 58-63
Number of pages: 6
DOIs: 10.1109/APSITT.2008.4653540
Publication status: Published - 2008
Event: 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT - Bandos Island, Maldives
Duration: Apr 22 2008 - Apr 24 2008

Other

Other: 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT
Country: Maldives
City: Bandos Island
Period: 4/22/08 - 4/24/08

Fingerprint

Viruses
Hardware
Experiments

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

Murase, T., Fukushima, Y., Kobayashi, M., Fujiwara, H., Fujimaki, R., & Yokohira, T. (2008). Performance evaluation of a multi-stage network event detection scheme against DDoS attacks. In 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT (pp. 58-63). [4653540] https://doi.org/10.1109/APSITT.2008.4653540

@inproceedings{eab3ed00d551423fa858f15f4fc51815,
title = "Performance evaluation of a multi-stage network event detection scheme against DDoS attacks",
author = "Tutomu Murase and Yukinobu Fukushima and Masayoshi Kobayashi and Hiroki Fujiwara and Ryohei Fujimaki and Tokumi Yokohira",
year = "2008",
doi = "10.1109/APSITT.2008.4653540",
language = "English",
isbn = "9784885522260",
pages = "58--63",
booktitle = "2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT",

}

TY - GEN

T1 - Performance evaluation of a multi-stage network event detection scheme against DDoS attacks

AU - Murase, Tutomu

AU - Fukushima, Yukinobu

AU - Kobayashi, Masayoshi

AU - Fujiwara, Hiroki

AU - Fujimaki, Ryohei

AU - Yokohira, Tokumi

PY - 2008

Y1 - 2008

UR - http://www.scopus.com/inward/record.url?scp=56649117221&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=56649117221&partnerID=8YFLogxK

U2 - 10.1109/APSITT.2008.4653540

DO - 10.1109/APSITT.2008.4653540

M3 - Conference contribution

AN - SCOPUS:56649117221

SN - 9784885522260

SP - 58

EP - 63

BT - 2008 7th Asia-Pacific Symposium on Information and Telecommunication Technologies, APSITT

ER -