An Exprimental Analysis of Proactive Detection of Distributed Denial of Service Attacks

Detection methods in Distributed Denial of Service attacks try to detect attacks before the target machine is shutdown. There are two major methods for attack detection in target, Anomaly and Pattern-Based. Pattern-based methods are sensitive to attack signatures and as such cannot detect attacks when the attack patterns change slightly. Anomaly methods, on the other hand, work on the basis of network traffic volume and measure abnormal traffic volume. So they can detect attacks more easily. One of the best solutions for anomaly detection of attacks is proactive detection in Network Management System (NMS), represented by Wenke Lee et al. in NCSU university. This method tries to detect precursors of attacks before the traffic reaches the target. It uses Management Information Base (MIB) variables in NMS to detect precursors of attacks. MIB variables that change in the attacker through the attack can be precursors of the attack. These MIB variables are related to some target MIB variables that change when the bogus traffic reaches the target. They can be extracted using statistical tests for causality. This paper presents an experimental analysis of this method. In contrast to previous work, the results of our experiments have shown lower computational overhead in finding the key MIB variables at the attacker. When the key MIB variables were found at the attacker, comparison between their normal and attack runs determined the attack signatures. When these signatures were observed in the Network Management System (NMS), it meant that an attack has occurred. Futhermore, we have implemented an SNMP-based system to detect some attacks in our network test bed. Five attacks were tested and analyzed in our experiment and MIB variables were recorded for each type of attack: Trin00, Targa3, TFN, Mstream and PingFlood.