| This dissertation begins with the description and analysis of a certain class of denial of service attack along with an overview of techniques and tools used to discover and analyze them. Two new solutions to the problem of detecting this type of attack are introduced, developed, and evaluated. We demonstrate that one of these techniques can detect an average of 84% of the attacks and the other detects an average of 96%, all with no occurrence of a false alarm. (In this arena the latter may be more important than the former.) Having experienced first-hand the difficulty of creating a controlled environment for testing new attack detection techniques, we then discuss the problems in this area. The first detection technique is based on an in-depth analysis of an invariant traffic characteristic that appears to be affected by certain types of network attack. This technique requires the self-similar theory which would be affected by the attack in traffic. The main benefits of detecting attacks by monitoring traffic invariants are that (1) no prior knowledge of the attack's behavior is needed and (2) no template of "normal"traffic activity is needed. The second technique is based on detecting abnormalities in a measurable traffic characteristic, which means the attack in traffic will affect the Network Traffic's local distribution and will change the fractal dimension, and although a traffic template is required, it does not require prior knowledge of the behavior of attacks, an advantage over some types of anomaly-based detectors.
|
PDF Full Text Request