Change-Point Monitoring for Detection of DoS Attacks∗
Haining Wang, Danlu Zhang, Kang G. Shin
Abstract
This paper presents a simple and robust mechanism, called Change-Point Monitoring (CPM),
to detect denial of service (DoS) attacks. The core of CPM is based on inherent network protocol
behaviors, and is an instance of sequential change-point detection. To make the detection
mechanism insensitive to sites and traffic patterns, a non-parametric Cumulative Sum (CUSUM)
method is applied, thus making the detection mechanism robust, more generally applicable, and
much easier to deploy. CPM does not require per-flow state information and only introduces a
few variables to record the protocol behaviors. The statelessness and low computation overhead of
CPM make it immune to any flooding attacks. As a case study, the efficacy of CPM is evaluated
by detecting a SYN flooding attack — the most common DoS attack. The evaluation results show
that CPM has short detection latency and high detection accuracy.
Keywords — CUSUM algorithm, DoS attacks, intrusion detection, protocol behavior
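The abstract describes the detection idea only at a high level: a few counters of protocol behavior are normalized, and a non-parametric CUSUM accumulates their deviation until it crosses a threshold. The following Python example is added here to make that mechanism concrete; it is not code from the paper. The normalization (SYN minus FIN counts divided by the normal FIN rate), the drift constant a, the threshold, and the per-interval sample counts are all assumptions constructed for the illustration.

```python
import statistics

# Constructed per-interval (SYN, FIN) packet counts seen at a monitoring point.
# Intervals 0-11 are normal (SYNs roughly match FINs); from interval 12 on a
# SYN flood is simulated: SYN counts jump while FIN counts stay flat.
SAMPLE_COUNTS = [
    (98, 95), (102, 100), (97, 99), (105, 101), (99, 98), (101, 103),
    (100, 97), (96, 98), (103, 101), (99, 100), (104, 102), (98, 99),
    (400, 100), (650, 98), (900, 101), (950, 99), (980, 100), (1000, 102),
]


def normalized_differences(counts, warmup):
    """X_n = (SYN_n - FIN_n) / mean FIN over the warm-up window.

    Dividing by the normal FIN rate keeps the statistic independent of the
    site's traffic volume (assumed normalization, not taken from the page).
    """
    fin_mean = statistics.mean(fin for _, fin in counts[:warmup])
    return [(syn - fin) / fin_mean for syn, fin in counts]


def cusum_detect(xs, a, threshold):
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + (x_n - a)).

    `a` is an upper bound on the mean of x under normal conditions, so the
    increment is negative on average before a change and positive after it.
    Only one state variable (y) is carried between intervals, which is what
    keeps the monitor stateless with respect to individual flows.
    Returns (index of first alarm or None, list of y_n values).
    """
    y, trace, alarm = 0.0, [], None
    for n, x in enumerate(xs):
        y = max(0.0, y + (x - a))
        trace.append(y)
        if alarm is None and y > threshold:
            alarm = n
    return alarm, trace


def detect_syn_flood(counts, warmup=12, a=0.2, threshold=3.0):
    """Run the CPM-style check over a count series; returns the interval
    index at which the alarm is raised, or None if it never fires."""
    xs = normalized_differences(counts, warmup)
    alarm, _ = cusum_detect(xs, a, threshold)
    return alarm


if __name__ == "__main__":
    print("alarm raised at interval:", detect_syn_flood(SAMPLE_COUNTS))
```

With these constructed counts the statistic stays at zero through the normal intervals and the alarm fires one interval after the flood begins, since the first flood interval alone leaves y just under the threshold.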
1 Introduction
The growing number of denial of service (DoS) attacks imposes a significant threat on the availability
of network services, and the vulnerability of the Internet to DoS attacks has been witnessed by the
frequent attacks on Internet servers and their resultant disruption of services [15, 21, 37]. Because the
tools are readily available and the technique is simple, packet flooding is the most common and effective DoS
attack. While flooding tools have become more sophisticated, they have also become easier to
use. An adversary without much knowledge of programming can download a flooding tool and then
launch a DoS attack. The flooding traffic of a DoS attack may originate from either a single source or
multiple sources. We call the latter case a distributed denial of service (DDoS) attack. Briefly, a DDoS
attack works as follows. An attacker sends control packets to the previously-compromised flooding
sources, instructi