Spotlight Editor: Siobhán Clarke • siobhan.clarke@cs.tcd.ie

Denial-of-Service Attack-Detection Techniques

Glenn Carl and George Kesidis • Pennsylvania State University
Richard R. Brooks • Clemson University
Suresh Rai • Louisiana State University

Denial-of-service (DoS) detection techniques — such as activity profiling, change-point detection, and wavelet-based signal analysis — face the considerable challenge of discriminating network-based flooding attacks from sudden increases in legitimate activity or flash events. This survey of techniques and testing results provides insight into our ability to successfully identify DoS flooding attacks. Although each detector shows promise in limited testing, none completely solves the detection problem. Combining various approaches with experienced network operators will most likely produce the best results.

The Internet was designed for the minimal processing and best-effort forwarding of any packet, malicious or not. For cyberattackers — motivated by revenge, prestige, politics, or money — this architecture provides an unregulated network path to victims. Denial-of-service (DoS) attacks exploit this to target mission-critical services. A quantitative estimate of worldwide DoS attack frequency found 12,000 attacks over a three-week period in 2001 [1]. The 2004 CSI/FBI Computer Crime and Security Survey [2] listed DoS attacks among the most financially expensive security incidents. The magnitude of the incidence rate and potential recovery expense has garnered the interest of security managers and researchers alike.

DoS attacks, which come in many forms, are explicit attempts to block legitimate users' system access by reducing system availability. We could, for example, consider the intentional removal of a system's electrical power as a physical DoS attack. An attacker could also render a computing resource unavailable by modifying the system configuration (such as its static routing tables or password files). Such physical or host-based intrusions are generally addressed through hardened security policies and authentication mechanisms. Although software patching defends against some attacks, it fails to safeguard against DoS flooding attacks, which exploit the unregulated forwarding of Internet packets. A secondary defense that includes both attack detection and countermeasures is required.

Here, we survey various approaches for detecting DoS flooding attacks — a network-based attack in which agents intentionally saturate system resources with increased network traffic. In a distributed DoS (DDoS) attack, the assault is coordinated across many hijacked systems (zombies) by a single attacker (master). Techniques that detect DoS also apply to DDoS. (We don't discuss defense or countermeasures; these are surveyed elsewhere [3], and typically include using packet filters to stem the attack's packet flow.) The malicious workload in network-based DoS attacks comprises network datagrams or packets that consume network buffers, CPU processing cycles, and link bandwidth. When any of these resources form a bottleneck, system performance degrades or stops, impeding legitimate system use. Overloading a Web server with spurious requests, for example, slows its response to legitimate users. This specific DoS attack type doesn't breach the end (victim) system, either physically or administratively, and requires no other pre-existing conditions except an Internet connection.

82 JANUARY • FEBRUARY 2006 Published by the IEEE Computer Society 1089-7801/06/$20.00 © 2006 IEEE IEEE INTERNET COMPUTING
Network-Based DoS Attacks

Although many high-profile DoS attacks have occurred, few have been empirically captured and analyzed. Given the potential for bad publicity, victims hesitate to share information regarding security incidents. As a result, it's difficult for researchers to directly observe attacks and find their ubiquitous characteristics. In cases in which attack forensics are available, researchers can introduce classification systems, but attackers typically modify their techniques soon after discovery. As a result, the DoS attack-definition space is ever changing.

General Attack Types

To keep our discussion manageable, we've generalized it based on the exploited weakness, dividing the network-based DoS attack space into vulnerability attacks and flooding attacks. A more detailed classification of DoS attacks is available elsewhere [4].

In a vulnerability attack, malformed packets interact with some network protocol or application weakness present at the victim. This type of vulnerability typically originates in inadequate software assurance testing or negligent patching. The malformed attack packets interact with installed software, causing excessive memory consumption, extra CPU processing, system reboot, or general system slowing. Popular examples are the land attack, Neptune or Transmission Control Protocol synchronization (TCP SYN) flag, the ping o' death, and the targa3 attacks.

Flooding attacks — our focus here — send the victim a large, occasionally continuous, amount of network traffic workload. As a result, legitimate workloads can become congested and lost at bottleneck locations near or removed from the victim. Such an attack requires no software vulnerability or other specific conditions. To saturate network links, queues, and processors with workload anywhere in the network, the attack can use a range of protocols, including Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and TCP, through tools such as stream2, synhose, synk7, synsend, and hping2. Under continued attack-related congestion, flow-controlled applications will continue to increase their back-off time between retransmissions. From the users' perspective, their workload isn't being processed; a DoS situation has occurred.

Attack Detection

Vulnerability-attack workloads use common attributes to exploit software weaknesses. A TCP SYN attack, for example, requires repetitive use of specific TCP flag fields. Once the exploit is identified, adequate vendor support ensures the vulnerability is short-lived and unlikely to return. Vendors can address TCP SYN attacks using syn cache, syn cookies, and synkill mechanisms, for example.

Although vendors can address vulnerability attacks by correcting protocol or application weaknesses, these types of attacks can remain problematic. If their volume is sufficient to cause resource depletion and subsequent performance degradation, they can be reclassified as flooding attacks. For this reason, flooding attacks are especially difficult because even the best-maintained system can become congested, thus denying service to legitimate users.

Survey of Detection Approaches

A detector's main goal is to detect and distinguish malicious packet traffic from legitimate packet traffic. If, for example, many clients all want Web service and a DoS attack maliciously floods many Web session requests as well, how can the Web server discriminate between the requests? Clearly, legitimate user activity can be easily confused with a flooding attack, and vice versa.

When large amounts of expected or unexpected traffic from legitimate clients suddenly arrive at a system, it's called a flash event. One way to predict such events and thus distinguish them from DoS attacks is for service providers to be aware, a priori, that adding new content might trigger large request volume [5]. Unpredictable and legitimate Web activity is also possible, however (as with the Slashdot effect, in which a newly posted link on a popular news or information site results in numerous Web requests). Because there is no innate Internet mechanism for performing malicious traffic discrimination, our best alternative is to install attack detectors to monitor real-time traffic, rather than rely on static traffic load predictions.

DoS attack-detection approaches can be installed locally, thus protecting a possible victim, or remotely, to detect propagating attacks. Although detecting propagating attacks is desirable, IT departments generally focus on protecting their own networks and therefore choose local detection approaches. In this case, they place detectors at the potential victim resource or at a router or firewall within the victim's subnetwork. Under this assumption, we have limited our scope to that of the victim, which excludes several other potential detection methods, such as the source-based DWARD [6], traceback, path identification, and others.

All detection methods define an attack as an abnormal and noticeable deviation of some statistic of the monitored network traffic workload. Clearly, the choice of statistic is critically important. Each of the following groupings of attack detection techniques includes an evaluation of a different statistic of network traffic.

Activity Profiling

Monitoring a network packet's header information offers an activity profile. Loosely defined, this activity profile is the average packet rate for a network flow, which consists of consecutive packets with similar packet fields (such as address, port, and protocol). The elapsed time between consecutive matching packets determines the flow's average packet rate or activity level. We can measure total network activity as the sum over the average packet rates of all inbound and outbound flows.

To analyze individual flows for all possible UDP services, we would have to monitor on the order of 2^64 flows, and including other protocols, such as TCP, ICMP, and Simple Network Management Protocol (SNMP), greatly compounds the number of possible flows. To avoid high-dimensionality issues, we can cluster individual flows with similar characteristics. Each cluster's activity level is the summation of constituent flows. For this abstraction, an attack is indicated by

• increasing activity levels among clusters, which can indicate a few attacking agents increasing their attack-generation rate; or
• an increase in the overall number of distinct clusters, which can represent many distributed attacking agents (as in a DDoS).

In the backscatter analysis project [1], researchers monitored a wide IP address space for incoming unsolicited "backscatter" packets. Such packets are a non-collocated victim's response to several spoofed vulnerability and flooding attacks. The backscatter packets' source address is that of the victim, but the packet's destination address is randomly spoofed. An attack that uses uniformly distributed address-spoofing leads to a finite probability that any monitored address space will receive backscatter packets. At the monitoring point, captured backscatter packets are clustered based on the unique victim source address. To detect attacks, the researchers analyze a cluster's destination address distribution uniformity using an Anderson-Darling test statistic, in addition to thresholding the cluster's activity level (the attack rate) and lifetime.

Laura Feinstein and her colleagues focus their detection efforts on activity level and source address distribution [7]. They cluster flows according to the addresses of the destination machines located behind the monitoring point. The first cluster contains the single most frequently seen source address, the second cluster contains the next four most frequent, the third cluster the next 16, the fourth the next 256, and the fifth the next 4,096; the sixth cluster encompasses all remaining traffic. The researchers compare each cluster's activity level to the expected amount using a chi-square statistic, thus providing a "goodness of fit" result. A deviation from the expected traffic profile suggests anomalous activity, and is detectable by thresholding the chi-square statistic's magnitude.

Many other address-distribution statistics are possible, including entropy, which is considered a measure of randomness. Attacks that use uniform address distributions will maximize the entropy statistic, whereas one large voluminous flow will minimize the entropy. Thresholding an entropy deviation from the expected traffic's source address profile can suggest anomalous activity [7].

Sequential Change-Point Detection

Change-point detection algorithms isolate a traffic statistic's change caused by attacks. These approaches initially filter the target traffic data by address, port, or protocol and store the resultant flow as a time series. The time series can be considered a time-domain representation of a cluster's activity. If a DoS flooding attack begins at time λ, the time series will show a statistical change either around or at a time greater than λ.

One class of change-point detection algorithms operates on continuously sampled data and requires only low amounts of memory and computational resources. An example here is cumulative sum (Cusum) algorithms. To identify and localize a DoS attack, the Cusum identifies deviations in the actual versus expected local average in the traffic time series [8–10]. If the difference exceeds some upper bound, the Cusum's recursive statistic increases for each time-series sample. During time intervals containing only normal traffic, the difference is below this bound, and the Cusum statistic decreases until reaching zero. Using an appropriate threshold against the Cusum statistic, the algorithm identifies an increasing trend in the time-series data, which might indicate a DoS attack's onset. Through the settings of the threshold and upper bound, the Cusum algorithm can trade off detection delay and false-alarm rates. Other researchers have extended this detection method to identify the typical scanning activities of network worms [11].

Wavelet Analysis

Wavelet analysis describes an input signal in terms of spectral components. Although Fourier analysis is more common, it provides a global frequency description and no time localization. Wavelets provide for concurrent time and frequency description, and can thus determine the time at which certain frequency components are present. For detection applications, wavelets separate out time-localized anomalous signals from background noise; the input signal contains both. Ideally, the signal and noise components will dominate in separate spectral windows. Analyzing each spectral window's energy determines the presence of anomalies.

Paul Barford and his colleagues [12] define anomalies as network failures or misconfigurations, attacks (DoS or other), flash events, and other "measurement" events. They decomposed traffic data into distinct time series of average IP/HTTP packet sizes per second, flows per second, and bytes per second. They then applied wavelet analysis to each time series, resulting in time-localized high- and mid-band spectral energies. They considered low-frequency content to be daily or weekly activity, and thus not an onset of an abrupt attack. To identify anomalies, they weighted a combination of high- and middle-spectral energies, and then thresholded its variability.

Wavelet energies in the high-band spectral window can also identify change points within an input signal. To enhance a Cusum change-point detection approach's performance, Richard Brooks and his colleagues used discrete wavelet analysis to postprocess the Cusum statistic's response [10]. The signed magnitude of the high-band wavelet energy is proportional to the abruptness of an increasing Cusum statistic. Thresholding the high-band spectral energies quantifies the Cusum's abruptness, which is a potential indicator of an abrupt flooding attack.

Detection Method Results

Surveying each detection method's validation reveals disparate uses of test data, different attack types, and a wide range of reported results. In most cases, researchers provided quantitative true detection results, but didn't provide false positives, missed detections, and detection delay results. Table 1 summarizes the testing conditions and noteworthy detection test results.

Backscatter Analysis

Researchers [1] analyzed the backscatter within three weeks' worth of empirical data from an ingress link supporting 2^24 IP addresses. Conservative results indicated that more than 12,000 DoS attacks were attempted, involving 5,000 distinct victims' IP addresses. The researchers suggested that 50 percent of those attacks were either TCP SYN floods or closed port probes, and 15 percent were ICMP responses from TCP floods. Overall, 90 percent of the attacks used TCP ranging across various services, including Internet Relay Chat (IRC), HTTP, Telnet, and Authd. Almost half the attacks (46 percent) had an estimated rate of 500+ packets per second.

Chi-Square/Entropy Detector

Researchers tested the chi-square and entropy detector [7] against a small set of six publicly available data sets with anonymized IP addresses. The networking environments included a peering Internet service provider (NZIX), a 450-person research organization (Bell Labs), a small university (Ohio University), and a small company. The total amount of data appeared to be between 100 and 150 hours, with data rates ranging from 1 to 16 Mbits per second. Because the data traces included no known DoS attacks, the researchers added overlaid attack traffic provided by the Stacheldraht DDoS attack tool. Stacheldraht — which means "barbed wire" in German — performs ICMP, SYN, and UDP floods that can run for a specified duration.

The study's first test experiment overlaid the public data set with 25 percent attack packets. A second experiment removed 25 percent of the traffic and replaced it with attack packets. In both cases, the attack packets' source addresses were drawn from a uniform distribution. The entropy and chi-square detector provided positive attack indication for both test cases.

Table 1. Testing Summary

| Detection method | Reference | Test data | Attack description | False-positive rate | Detection delay | Detection results | Memory (1 = lowest) | Complexity (1 = lowest) |
|---|---|---|---|---|---|---|---|---|
| Activity profiling | [1] | Three weeks' worth of private network data | "Backscatter" response packets from TCP SYN, TCP flood, and closed port probes | — | — | 12,000 DoS attacks on 5,000 distinct victims | 6 | 6 |
| Activity profiling | [7] | Six publicly available data sets | Stacheldraht ICMP, TCP SYN, and UDP flood attack overlay of 25 percent intensity; victims' addresses randomly chosen from a uniform distribution | — | — | 2 out of 2 attacks detected | 3 | 3 |
| Change-point detection | [8] | ns-2 simulation of 100 nodes | TCP, UDP, and ICMP floods by abrupt and linear increase | 1–6 alarms per 100 time-series samples | 1–36 seconds | UDP abrupt/linear flood; ICMP abrupt/linear flood | 1 | 1 |
| Change-point detection | [9] | Three private network data sets | TCP SYN constant rate flood attack | — | 20 seconds to 8 minutes | 100% detection with rate of >35 SYNs per second; 70% detection at 33 SYNs per second | 1 | 1 |
| Wavelet analysis | [12] | Three weeks' worth of university data | 119 DoS abrupt flood attacks of 4x, 7x, and 10x intensities overlaid on empirical data | 21% false detection rate over 238 time series | Average: 25 seconds | 47% detection rate over 119 time series | 4 | 4 |
| Wavelet analysis | [10] | Three weeks' worth of university data with 109 anomalies | 39 recorded anomalies, including some DoS floods | — | 5 minutes to 1.5 hours | 38 out of 39 anomalies | 5 | 5 |

Cusum and Wavelet Approaches

To test the Cusum sequential change-point detection against UDP, TCP, and ICMP traffic floods, researchers used the ns-2 simulator to construct a network of 100 nodes [8]. Of those nodes, four were core transit nodes and the remaining 96 nodes were distributed into 12 edge domains. Background traffic was a mixture of ICMP, UDP, and TCP protocols, with TCP accounting for more than 75 percent of the traffic.

The researchers performed three attack simulations: TCP SYN, UDP, and ICMP floods. Each attack reached 20 percent of the total aggregate traffic through either linear or abrupt increases. Cusum detected most of the attacks. In addition, the researchers confirmed the theoretical and experimental relationships between detection delay and false-alarm rate. False-alarm rates ranged from less than 1 to 6 alarms per 100 packets monitored. Researchers observed detection delays ranging from 1 to 36 seconds, depending on desired false-alarm rate.
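The activity-profiling statistics described under Activity Profiling (Feinstein's rank buckets scored with a chi-square goodness-of-fit test, and source-address entropy) and the one-sided Cusum recursion from the change-point section, combined into one runnable Python illustration. This is an added example, not code from the survey or from any of the cited projects. The traffic is constructed inline in make_windows(): the 300-client Zipf-like background, the 200-packet flood with uniformly random spoofed sources, the choice of windows 0-9 for the address ranking and 10-19 for the expected proportions, and every threshold value are assumptions made for the demonstration.

```python
"""Activity profiling (chi-square and entropy over source-address clusters)
plus a one-sided Cusum change-point test. Added example with constructed
traffic; bucket sizes follow the 1/4/16/256/4096/rest scheme in the text."""
import math
import random
from collections import Counter

BUCKET_SIZES = [1, 4, 16, 256, 4096]   # rank buckets; a sixth bucket takes the rest
NUM_BUCKETS = len(BUCKET_SIZES) + 1


def make_windows(n_windows=40, attack_start=25, seed=1):
    """Constructed traffic (assumption, not captured data): one list of source
    addresses per sampling window. Background: 180-220 packets from 300 clients
    with Zipf-like popularity. From attack_start on, 200 extra packets carry
    uniformly random spoofed sources; attack_start=None gives background only."""
    rng = random.Random(seed)
    clients = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(300)]
    weights = [1.0 / (i + 1) for i in range(300)]
    windows = []
    for w in range(n_windows):
        pkts = rng.choices(clients, weights=weights, k=rng.randint(180, 220))
        if attack_start is not None and w >= attack_start:
            pkts += [".".join(str(rng.randrange(256)) for _ in range(4))
                     for _ in range(200)]
        windows.append(pkts)
    return windows


def bucket_counts(addresses, ranking):
    """Count a window's packets per rank bucket: the most frequent profiled
    source, the next 4, the next 16, ...; sources absent from the profile
    (rank None) fall into the last bucket."""
    counts = [0] * NUM_BUCKETS
    for a in addresses:
        rank, idx, upper = ranking.get(a), NUM_BUCKETS - 1, 0
        if rank is not None:
            for i, size in enumerate(BUCKET_SIZES):
                upper += size
                if rank < upper:
                    idx = i
                    break
        counts[idx] += 1
    return counts


def entropy(addresses):
    """Shannon entropy (bits) of a window's source-address distribution: 0 for
    a single dominant flow, maximal when every packet has a different source."""
    n = len(addresses)
    return -sum((c / n) * math.log2(c / n) for c in Counter(addresses).values())


def chi_square(observed, expected):
    """Pearson goodness-of-fit of bucket counts against expected proportions."""
    n = sum(observed)
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed, expected))


def build_profile(rank_windows, expect_windows):
    """Learn 'normal': the address ranking from one quiet period, then expected
    bucket proportions, mean activity and mean entropy from a later quiet
    period, so the share of never-seen sources is estimated rather than zero."""
    total = Counter()
    for w in rank_windows:
        total.update(w)
    ranking = {a: r for r, (a, _) in enumerate(total.most_common())}
    sums = [0] * NUM_BUCKETS
    for w in expect_windows:
        for i, c in enumerate(bucket_counts(w, ranking)):
            sums[i] += c
    n = sum(sums)
    expected = [(c + 1) / (n + NUM_BUCKETS) for c in sums]      # add-one smoothing
    mean_rate = sum(len(w) for w in expect_windows) / len(expect_windows)
    mean_entropy = sum(entropy(w) for w in expect_windows) / len(expect_windows)
    return ranking, expected, mean_rate, mean_entropy


def cusum(series, mean, upper_bound, threshold):
    """One-sided Cusum: S_t = max(0, S_{t-1} + x_t - mean - upper_bound). The
    statistic grows only while samples exceed the expected level by more than
    upper_bound and decays to zero otherwise; returns the first index at which
    it crosses threshold, or None."""
    s = 0.0
    for t, x in enumerate(series):
        s = max(0.0, s + x - mean - upper_bound)
        if s > threshold:
            return t
    return None


def detect(windows, chi2_threshold=500.0, entropy_margin=1.0,
           upper_bound=40.0, cusum_threshold=100.0):
    """Profile on windows 0-9 (ranking) and 10-19 (expectations), score the
    rest. Returns the first window flagged by each statistic, or None:
    (chi-square alarm, entropy alarm, Cusum alarm on per-window packet counts).
    All thresholds are illustrative assumptions."""
    ranking, expected, mean_rate, mean_entropy = build_profile(windows[:10], windows[10:20])
    chi2_alarm = entropy_alarm = None
    for t in range(20, len(windows)):
        w = windows[t]
        if chi2_alarm is None and chi_square(bucket_counts(w, ranking), expected) > chi2_threshold:
            chi2_alarm = t
        if entropy_alarm is None and entropy(w) > mean_entropy + entropy_margin:
            entropy_alarm = t
    activity = [len(w) for w in windows]
    return chi2_alarm, entropy_alarm, cusum(activity, mean_rate, upper_bound, cusum_threshold)


if __name__ == "__main__":
    print("flood:     ", detect(make_windows(attack_start=25)))
    print("background:", detect(make_windows(attack_start=None)))
```

Run stand-alone, the block reports (25, 25, 25) for the flood trace and (None, None, None) for background-only traffic: the chi-square test flags the first window in which never-before-seen sources appear, the entropy rises by well over a bit because half the packets now carry distinct sources, and the Cusum alarms on the same window because the activity jump exceeds the mean by more than upper_bound. Splitting the profile between two quiet periods matters: taking the ranking and the expected proportions from the same windows would give the unseen-source bucket an expectation of zero, and ordinary client churn would then make the chi-square statistic fire on its own.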
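A worked version of the Cusum-plus-wavelet postprocessing sketched under Wavelet Analysis: the Cusum response is passed through a Haar discrete wavelet transform, and the signed energy of the high-band coefficient covering the alarm sample measures how abruptly the statistic rose. This is an added Python example, not the code of Brooks et al. or of the survey; the two input series (a step flood and a linear ramp that ends at the same rate), the Haar filter, and the mean, upper bound, alarm threshold and abruptness threshold are all illustrative assumptions.

```python
"""Added example: Haar-wavelet postprocessing of a Cusum statistic, after the
approach the text attributes to Brooks et al., run on constructed inputs."""
import math

# Constructed per-second packet counts (assumptions, not measured data):
# 20 samples of background at 100 pkt/s, then 20 samples of flood.
ABRUPT_FLOOD = [100] * 20 + [500] * 20                          # step to 500 pkt/s
SLOW_RAMP = [100] * 20 + [100 + 20 * i for i in range(1, 21)]    # climbs to 500 pkt/s
QUIET = [100] * 40                                              # no attack at all


def cusum_series(series, mean, upper_bound):
    """Cusum response S_t = max(0, S_{t-1} + x_t - mean - upper_bound)."""
    out, s = [], 0.0
    for x in series:
        s = max(0.0, s + x - mean - upper_bound)
        out.append(s)
    return out


def cusum_alarm(stat, threshold):
    """Index of the first Cusum sample above threshold, or None."""
    for t, s in enumerate(stat):
        if s > threshold:
            return t
    return None


def haar_step(x):
    """One Haar analysis step. Returns (approximation, detail) coefficients;
    the detail is (x[2k+1] - x[2k]) / sqrt(2), so a rise gives a positive value."""
    if len(x) % 2:
        x = x + [x[-1]]                 # repeat the last sample to reach even length
    a = [(x[i] + x[i + 1]) / math.sqrt(2) for i in range(0, len(x), 2)]
    d = [(x[i + 1] - x[i]) / math.sqrt(2) for i in range(0, len(x), 2)]
    return a, d


def signed_high_band_energy(series, level=1):
    """Squared detail coefficients at the given level (1 = finest band), signed
    by the direction of change: positive energy means the input was rising."""
    a, d = list(series), []
    for _ in range(level):
        a, d = haar_step(a)
    return [math.copysign(c * c, c) for c in d]


def abruptness_at_alarm(series, mean, upper_bound, threshold, level=1):
    """Run the Cusum, locate its alarm and return (alarm index, signed high-band
    energy of the wavelet coefficient covering that sample). A step flood makes
    the statistic jump, giving a large energy; a slow ramp reaches the same
    alarm threshold with a small one, although the plain Cusum alarms on both."""
    stat = cusum_series(series, mean, upper_bound)
    t = cusum_alarm(stat, threshold)
    if t is None:
        return None, 0.0
    energy = signed_high_band_energy(stat, level)
    return t, energy[t >> level]        # coefficient k covers samples k*2^level onward


def classify(series, mean=100.0, upper_bound=10.0, threshold=300.0,
             abrupt_threshold=20000.0):
    """'none' without a Cusum alarm, 'abrupt' when the high-band energy at the
    alarm exceeds abrupt_threshold (an assumed tuning value), else 'gradual'."""
    t, energy = abruptness_at_alarm(series, mean, upper_bound, threshold)
    if t is None:
        return "none"
    return "abrupt" if energy > abrupt_threshold else "gradual"


if __name__ == "__main__":
    for name, s in (("abrupt flood", ABRUPT_FLOOD), ("slow ramp", SLOW_RAMP), ("quiet", QUIET)):
        print(name, abruptness_at_alarm(s, 100, 10, 300), classify(s))
```

With mean 100, upper bound 10 and alarm threshold 300, the step flood trips the Cusum at sample 20 with a high-band energy of 76,050, while the ramp trips it at sample 25 with an energy of 6,050: the Cusum alone reports both, and the wavelet energy at the alarm is what separates an abrupt onset from a gradual rise, which is the quantity the text proposes thresholding. Evaluating the energy at the alarm sample rather than over the whole statistic is deliberate; a linear ramp's Cusum grows quadratically and eventually reaches the same slope as the step, so a global maximum would not distinguish the two.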

Another study used a Cusum algorithm against TCP SYN attacks [9]. The three test data set sources included a large company's wide-area Internet access point (10 Mbits per second) and two universities' Internet access points (10 and 622 Mbits per second). From the test data, the researchers extracted TCP traffic containing SYN, ACK (acknowledge), and RST (reset) flags into a time series, and then overlaid it with TCP SYN floods of constant intensity. They used rates of 33 to 100 TCP SYNs per second. For attacks above 33 and 35 SYNs per second, Cusum's detection probability was 70 and 100 percent, respectively. Detection delays ranged from 20 seconds to 8 minutes.

Using wavelet analysis, researchers evaluated six months' worth of router SNMP and IP flow records, sampled at 5-minute intervals [12]. The monitoring point was a university-based wide-area access point. Network engineering analysis of the log data identified more than 100 anomalous events, including network malfunctions, attacks, and flash events. The researchers used a subset of 39 high-confidence anomalies for detection evaluation, although it's unclear how many of the anomalies were specifically DoS attacks. The wavelet analysis missed only one of the anomalies. Detection time had an ambiguity of 1.5 hours.

In another study [10], researchers used both Cusum and a wavelet detector to analyze three weeks' worth of empirical data collected from a university gateway. The researchers separately superimposed 119 DoS flooding attacks on this data at intensities of four, seven, and 10 times that of the background rate. Using a Cusum detection algorithm against the 4x DoS attack, they measured 15 percent true detection and 18 percent false positives for a detection rate of 0.83. Adding wavelet processing raised these metrics to 40 percent true detections and 30 percent false positives for a detection rate of 1.3. Wavelet processing provided a 56 percent increase in detection efficiency over the Cusum alone. Using parameter tuning can slightly improve the wavelet's true detection rates to above 47 percent, with a decline in the false-positive rate to 21 percent.

Outstanding Concerns

DoS detectors aim to differentiate legitimate from malicious traffic under a wide range of operating conditions. Although the surveyed detectors do indeed detect some examples of DoS attacks, core problems are apparent.

Varying Test Conditions

Most detectors we surveyed were woefully undertested against varying network and attack conditions. Comprehensive testing is obviously a highly complex, time-consuming process, calling for more efficient and comprehensive approaches. Existing studies employed little variation in network environment, attack-rate dynamics, or address spoofing to emulate a realistic deployment setting. Researchers must include flash events and other legitimate activities that closely mimic attack activity in all test traffic. Of the surveyed detectors, only one explicitly acknowledged the presence of flash events.

This undertesting problem is partly due to the unavailability of comprehensive test data, testing environments, and standards. We hope that such issues will be addressed by upcoming cybersecurity initiatives, including the Cyber Defense Technology Experimental Research Project (Deter; www.isi.edu/deter/docs/testbed.overview.htm) and the Protected Repository for the Defense of Infrastructure against Cyber Threats (Predict; www.hsarpacyber.com/ongoing.html#datasets).

Measuring Network Activity

Attack-detection statistics are only relative to "normal" network activity. Attack models with sharp volume increases or uniform address distributions reflect a small, aging subset of the attack problem space. These are properties of earlier generational DoS attack tools, and as is well known, attackers change their tools soon after discovery.

In all detector schemes, researchers have yet to develop nominal-traffic measures that encompass the range of possible network conditions. To quantify normal activity, we must know the expected activity level of services running on the network's various machines. We can estimate network service activity using information provided by network administrators, port probing, or direct traffic monitoring. Yet, normal activity is a varying process: network services have different lifetimes, activity levels, and availability, in keeping with users' variable time-of-day interactions. At this point, it's unclear whether suitable training algorithms or rule-of-thumb guidelines exist that can adequately model nominal traffic's irregular behavior.

Traffic-flow clustering offers insight into network activity, and trained network analysts can easily visualize it with some of today's tools. Quantitative measures, such as wavelet energies, lack this desirable property. Nonetheless, a strong dependency naturally exists between clustering and detection. Defining a cluster is inherently complex for a given network and can be difficult to validate. We've yet to see real-time, truly scalable algorithms that can create, destroy, and modify the clusters with no a priori application or protocol knowledge.

Subverting Detection

Most researchers concede that attackers can defeat their detection methods by developing attacks through trial and error. When studying activity profiling or evaluating entropy of an address distribution, researchers assume that the regular traffic is distributed among a few clusters or flows. It seems reasonable that attackers can sniff local traffic, understand the address distribution, and then spoof the addresses based on this calculation. For change-point detectors that monitor changes in packet volume over time, an initially low, slowly ramping attack rate dynamic might be obscured by the background traffic's high variability.

Setting Parameters

Each detector has multiple operating parameters, including clustering configuration, sampling window size, thresholds, and wavelet filtering level. In most cases, researchers offer no guidance on parameter variations or their effect on performance. Indeed, researchers often optimize parameters to their own experimental test cases. When it comes to deployment, users have few clues as to how they might adjust the detection performance for their own environments; ad hoc training in parameter settings is typically required.

Implementation Issues

None of the studies we reviewed addressed real-world implementation concerns. In Table 1, we offer our relative rankings of the detection methods' computational complexity and memory use. Because the Cusum algorithms [8,9] are based on single-stage, recursive, exponentially weighted estimators, they're the least complex and have the lowest memory use. The chi-square/entropy detector [7] is next because it uses only six bins to analyze its address distributions. More detailed clustering, however, will increase its complexity and memory requirements. The combined Cusum and wavelet-based method [10] incurs an extra O(2^n) complexity over the Cusum methods, where 5 < n < 11 is the spectral-resolution level. Compared to this method, Barford's wavelet method [12] is at least two times as complex because it uses two redundant wavelet filter stages. David Moore and his colleagues [1] analyze the largest address distribution — a /8 network (2^24 individual addresses) — and their method consequently requires the most computation and memory use.

For network administrators, security is a fundamental concern, and they must have efficient, reliable tools to help them quickly recognize and investigate anomalous activities. Although intrusion detection is immature and doesn't always detect malicious activity, it can provide administrators with a useful diagnostic resource.

At this point, we've yet to find a single technique to adequately detect DoS flooding attacks; combining approaches might offer the best performance [13,14]. Because false positives are likely in any case, however, experienced network administrators are crucial in the attack-identification effort.

Acknowledgments

Our work was supported by a US National Science Foundation grant (CCR0310916) and the Pennsylvania State University Applied Research Laboratory's Educational and Foundational program.

References

1. D. Moore, G.M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," Proc. Usenix Security Symp., Usenix Assoc., 2001; http://citeseer.ist.psu.edu/moore01inferring.html.
2. L. Gordon et al., CSI/FBI Computer Crime and Security Survey, Computer Security Inst., 2004; http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf.
3. J. Mirkovic et al., Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall, 2005.
4. J. Mirkovic, J. Martin, and P. Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms," ACM Sigcomm Computer Comm. Rev., vol. 34, no. 2, 2004, pp. 39–53.
5. J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites," Proc. Int'l World Wide Web Conference, ACM Press, 2002, pp. 252–262.
6. J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the Source," Proc. 10th Int'l Conf. Network Protocols (ICNP 2002), IEEE CS Press, 2002, pp. 312–321.
7. L. Feinstein et al., "Statistical Approaches to DDoS Attack Detection and Response," Proc. DARPA Information Survivability Conf. and Exposition, vol. 1, 2003, IEEE CS Press, pp. 303–314.
8. R.B. Blazek et al., "A Novel Approach to Detection of 'Denial-of-Service' Attacks via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods," Proc. IEEE Workshop Information Assurance and Security, IEEE CS Press, 2001, pp. 220–226.
9. H. Wang, D. Zhang, and K. Shin, "Detecting SYN Flooding Attacks," Proc. 21st Joint Conf. IEEE Computer and Comm. Societies (IEEE INFOCOM), IEEE Press, 2002, pp. 1530–1539.
10. R.R. Brooks, Disruptive Security Technologies with Mobile Code and Peer-to-Peer Networks, CRC Press, 2005.
11. J. Jung et al., "Fast Portscan Detection Using Sequential Hypothesis Testing," Proc. IEEE Symp. Security and Privacy, IEEE CS Press, 2004, pp. 211–225.
12. P. Barford et al., "A Signal Analysis of Network Traffic Anomalies," Proc. ACM SIGCOMM Internet Measurement Workshop, ACM Press, 2002, pp. 71–82.
13. J. Allen et al., State of the Practice of Intrusion Detection Technologies, tech. report CMU/SEI-99-TR-028, Software Eng. Inst., Carnegie Mellon Univ., 2000.
14. R. Lippmann et al., "The 1999 DARPA Off-Line Intrusion Detection Evaluation," Computer Networks, vol. 34, no. 4, 2000, pp. 579–595.

Glenn Carl is a PhD student in electrical engineering at Pennsylvania State University. His research interests include intrusion and anomaly detection, network security testing, and large-scale network simulation. Contact him at [email protected].

George Kesidis is an associate professor in Pennsylvania State University's computer science and engineering and electrical engineering departments. His current interests are in routing for wireless mobile ad hoc networks, network pricing and economics, and cybersecurity testing. Kesidis has a PhD in electrical engineering and computer science from the University of California, Berkeley. Contact him at [email protected].

Richard R. Brooks is an associate professor in the Holcombe Department of Electrical and Computer Engineering at Clemson University. His research interests are in strategic distributed systems, network security, and adaptive infrastructure. Brooks has a BA in mathematical sciences from the Johns Hopkins University and a PhD in computer science from Louisiana State University. Contact him at [email protected].

Suresh Rai is a professor in the Electrical and Computer Engineering Department at Louisiana State University. His research interests include network traffic, wavelet-based compression, and security. Rai has a PhD from Kurukshetra University, India. Contact him at [email protected].
