1000-9825/2005/16(12)2117 Journal of Software Vol.16, No.12

Router Anomaly Traffic Detection Based on Modified-CUSUM Algorithms

SUN Zhi-xin+, TANG Yi-wei, CHENG Yuan
(College of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China)
+ Corresponding author: Phn: +86-25-859895, E-mail: sunzx@njupt.edu.cn, http://www.njupt.edu.cn
Received 2004-08-24; Accepted 25--7

Sun ZX, Tang YW, Cheng Y. Router anomaly traffic detection based on modified-CUSUM algorithms. Journal of Software, 2005,16(12):2117-2123. DOI: 10.1360/jos162117

Abstract: The paper aims at the change of core routers' ports ingress and egress traffic, employing a modified CUSUM (cumulative sum) algorithm to trace their statistics characteristic in real time and detect network flow abnormity. According to the characteristics of multi-ports in a router, the paper puts forward a matrix-based multi-statistics modified CUSUM algorithm (M-CUSUM). M-CUSUM presents an adjustable parameter setup system to increase detecting accuracy. The M-CUSUM algorithm can monitor changes of the equal value in real time through calculating the ratio between the subtracting and plus absolute value among ingress and egress ports' traffic. Simulation experiments indicate that the algorithm has the higher detecting speed and accuracy to DOS/DDOS attacks and spends less system resources. The algorithm has been used successfully in software routers.
Key words: CUSUM (cumulative sum) algorithm; DOS (denial of service); DDOS (distributed denial of service); router; intrusion detection

CLC number: TP393; Document code: A

Supported by the National Natural Science Foundation of China under Grant No.7275; the National High-Tech Research and Development Plan of China under Grant No.25AA7755 (863 Program); the Scientific Research Foundation for the Returned Overseas Chinese Scholars, Ministry of Education of China and Nanjing Government; the Scientific Research Foundation of Huawei and E Corporation of China
Internet TCP/IP (DOS (DDOS 2000 2 Yahoo, eBay, Amazon, CNN DOS DDOS DOS/DDOS CUSUM (cumulative sum) DOS/DDOS 2 CUSUM M-CUSUM 3 M-CUSUM [2] SYN FLOOD CUSUM TCP SYN FIN CUSUM SYN FLOOD SYN FIN [3] 9 TCP SYN FIN CUSUM [1] SYN FLOOD DOS/DDOS DOS/DDOS [4] [3] MIT (adaptive threshold algorithm) CUSUM CUSUM [5] TCP URG ACK PSH RST SYN FIN 6 SYN FLOOD UDP ICMP [5] [6] IP IP M-CUSUM 2 CUSUM (M-CUSUM 2 CUSUM CUSUM [8,10] CUSUM
x x N ( x x x N(δ t 2 x t x x2 x3 x t ( < L t+ t+ 2 t+ 3 = t = ( φ( N( φ( x φ( x φ( x = = + = + = = = exp δ x φ( x φ( x δ 2 δ φ( x = x = A = l L = δ x + + 2 x x2 x t x t+ xt+ 2 xt+ 3 δ Λ = ax Λ = ax δ x (2 < 2 δ > δ = ax x (3 < 2 h = 2 h x / 2 > h x + x > h x + x + x 2 3δ / 2 > h x + x + + x δ / 2 > h δ k x = x ; x = Sk = x S = 2 { S } ax{ } ax{ } ax{ S = x x S + S = x S S = x } = x (4 k δ / 2 = ax{ + x k} = 2 (5 CUSUM h > > h( h = 2 22 CUSUM (M-CUSUM CUSUM (X CUSUM X CUSUM {x } δ = ( β δ + β δ (6 x = x = x d (7 S = S = (8 Y S S k k = (9 δ {x =23 } β EWMA (exponentially weighted moving average) β=3d E( 2 t t ( h Y h=23 t (
CUSUM (M-CUSUM Y Y = X + = ax Y t >h { S Sk } = ax{ S + Sk } k k { Sk S } = ax{ Y } k + Y = ( Y + = + x x > X = x Y Y ( 3 CUSUM ( 3 C ( ( Cout C ( ( out C E < < ( ( t (2 Cout + C C ( Cout ( Cout ( << C ( C ( << Cout ( > E >> t Cout C (3 ( + ( C C t out t 32 C ( Cout ( t = ax E = 23 when attack is not happened (14) Cout ( + C ( [8] CUSUM CUSUM ( C ( Cout ( x = =23 (5 C ( + C ( out x ( t t < = x d δ d DOS/DDOS 2 X T a ρ T = f{ Y h} a > a (6 ρ = T T (7
f T a d ( h d Y h Y h x d = µ δ µ (525 (8 h = λ δ λ (2 (9 = µ λ δ δ (6 (7 (7 k ρ = f k ( x d > h (2 µ λ 5 25% µ λ ( x 25% 3 ( x 5% (2 CUSUM µ λ h d 33 CUSUM
[Fig.1 System structure; blocks: System control, Router, Packets, Socket data collection, In/Out data, Statistic per time, M-CUSUM algorithm, Alarm, Log]
µ λ h d
(5 x x M-CUSUM ( (6 x δ ; (2 (7 ; (3 ( Y ; (4 Y >h (6 δ µ (525 λ (3575 ; (8 (9 h d h d 34 µ = 5 λ = 5 β= s( /s δ =8955 = 336 d h = 78 5 5 SYN FLOOD 2 4
[Fig.2 x state change] 2 x
[Fig.3 state change] 3
[Fig.4 Y state change] 4 Y x 5 5 Y h DOS/DDOS M-CUSUM
% 225 M-CUSUM 9% 9% 5 [3] M-CUSUM M-CUSUM 4 CUSUM

References:
[1] Wang HN, Zhang DL, Kang GS. Detecting SYN flooding attacks. IEEE Computer and Communication Society, 2002,3(6):1530-1539.
[2] Zhu WT, Li JS, Hong PL. A router agent based distributed flooding detection system. Chinese Journal of Computers, 2003,26:585-590 (in Chinese with English abstract).
[3] Siris VA, Papagalou F. Application of anomaly detection algorithms for detecting SYN flooding attacks. In: Proc. of the Conf. on Global Telecommunications (GLOBECOM 2004). IEEE, 2004. 2050-2054.
[4] Xiang Y, Lin Y, Lei WL, Huang SJ. Detecting DDOS attack based on network self-similarity. IEEE Int'l Conf. on Communications, 2004,151(3):292-295.
[5] Jin SY, Yeung DS. A covariance analysis model for DDoS attack detection. In: Proc. of the Int'l Conf. on Communications. IEEE, 2004. 1882-1886.
[6] Feinstein L, Schnackenberg D, Balupari R, Kindred D. Statistical approaches to DDoS attack detection and response. In: Proc. of the DARPA Information Survivability Conf. and Exposition. 2003. 303-314.
[7] Oskiper T, Poor HV. Matrix CUSUM: A recursive multi-hypothesis change detection algorithm. In: Proc. of the IEEE Int'l Symp. on Information Theory.
[8] Pu XL. On the improving of cumulative sum chart. ACTA Mathematicae Applicatae SINICA, 2003,26(2):226-24 (in Chinese with English abstract).
[9] Morgenstern VM, Upadhyaya BR, Benedetti M. Signal anomaly detection using modified CUSUM method. In: Proc. of the 27th IEEE Conf. on Decision and Control. 1988. 2340-2341.
[10] Moustakides GV. Performance of CUSUM tests for detecting changes in continuous time processes. In: Proc. of the IEEE Int'l Symp. on Information Theory. 2002. 186-187.