TY - GEN
T1 - Detection of stealthy TCP-based DoS attacks
AU - Aqil, Azeem
AU - Atya, Ahmed O.F.
AU - Jaeger, Trent
AU - Krishnamurthy, Srikanth V.
AU - Levitt, Karl
AU - McDaniel, Patrick D.
AU - Rowe, Jeff
AU - Swami, Ananthram
PY - 2015/12/14
Y1 - 2015/12/14
N2 - Denial of service (DoS) attacks are among the most crippling of network attacks because they are easy to orchestrate and usually cause an immediate shutdown of whatever resource is targeted. Today's intrusion detection systems check if specific single scalar features exceed a threshold to determine if a specific TCP-based DoS attack is underway. To defeat such systems we demonstrate that an attacker can simply launch a combination of attack threads, each of which on its own does not break a system down but together can be very potent. We demonstrate that such attacks cannot be detected by simple threshold-based statistical anomaly detection techniques that are used in today's intrusion detection systems. We argue that an effective way to detect such attacks is by jointly considering multiple features that are affected by such attacks. Based on this, we identify a possible set of such features and design a new detection approach that jointly examines these features with regard to whether each exceeds a high threshold or is below a low threshold. We demonstrate that this approach is extremely effective in detecting stealthy DoS attacks; the true positive rate is close to 100 % and the false positive rate is decreased by about 66 % as compared to traditional detectors.
AB - Denial of service (DoS) attacks are among the most crippling of network attacks because they are easy to orchestrate and usually cause an immediate shutdown of whatever resource is targeted. Today's intrusion detection systems check if specific single scalar features exceed a threshold to determine if a specific TCP-based DoS attack is underway. To defeat such systems we demonstrate that an attacker can simply launch a combination of attack threads, each of which on its own does not break a system down but together can be very potent. We demonstrate that such attacks cannot be detected by simple threshold-based statistical anomaly detection techniques that are used in today's intrusion detection systems. We argue that an effective way to detect such attacks is by jointly considering multiple features that are affected by such attacks. Based on this, we identify a possible set of such features and design a new detection approach that jointly examines these features with regard to whether each exceeds a high threshold or is below a low threshold. We demonstrate that this approach is extremely effective in detecting stealthy DoS attacks; the true positive rate is close to 100 % and the false positive rate is decreased by about 66 % as compared to traditional detectors.
UR - http://www.scopus.com/inward/record.url?scp=84959261712&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84959261712&partnerID=8YFLogxK
U2 - 10.1109/MILCOM.2015.7357467
DO - 10.1109/MILCOM.2015.7357467
M3 - Conference contribution
AN - SCOPUS:84959261712
T3 - Proceedings - IEEE Military Communications Conference MILCOM
SP - 348
EP - 353
BT - 2015 IEEE Military Communications Conference, MILCOM 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 34th Annual IEEE Military Communications Conference, MILCOM 2015
Y2 - 26 October 2015 through 28 October 2015
ER -