Introduction
Denial-of-Service (DoS) attacks pose a serious threat to the availability and quality of Internet services (Moore, Voelker, & Savage, 2001). They exhaust limited resources such as network bandwidth, DRAM space, CPU cycles, or specific protocol data structures, causing service degradation or outages in computing infrastructures for their clients. System downtime resulting from DoS attacks can lead to losses of millions of dollars.
Generally, DoS attacks are either flooding-based or software-exploit-based. In a flooding-based DoS attack, a malicious user sends a tremendously large number of packets aiming to overwhelm a victim host. For example, in a SYN-flooding attack, a large number of TCP SYN packets are sent towards a victim machine, saturating its resources. We can observe a surge of TCP connections in a short time, each modeled by a tuple of application features <source IP, destination IP, source port, destination port>. In exploit-based DoS attacks, specially crafted packets are sent to the victim system targeting specific software vulnerabilities in the operating system, service, or application. Successful exploitation either overwhelms or crashes the target system. An existing solution to exploit-based attacks is to patch and update software frequently.
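The surge of connection 4-tuples described above is the signal a flooding detector watches for. The following is an added example (not code from the article) of a sliding-window detector that counts distinct <source IP, destination IP, source port, destination port> tuples aimed at each destination within a trailing window and alerts when that count first crosses a threshold. The log line format, the window and threshold values, and the two traffic samples (a quiet background plus a burst of SYNs from many sources) are all constructed for the example.

```python
"""Sliding-window detector for SYN-flood-style connection surges.

Each connection attempt is modelled, as in the text, by the application-layer
4-tuple <source IP, destination IP, source port, destination port>.  The
detector counts how many distinct 4-tuples target one (destination IP, port)
inside a time window and raises an alert when that count crosses a threshold.
"""
from collections import defaultdict, deque


# Constructed sample records (not from the article): one line per observed
# TCP SYN, formatted "ts_ms src_ip dst_ip src_port dst_port".
def background_traffic():
    # Five ordinary clients, one new connection per second for a minute.
    return [f"{t * 1000} 10.0.0.{t % 5 + 1} 192.0.2.10 {40000 + t} 80"
            for t in range(60)]


def syn_burst():
    # 300 SYNs in 1.5 s from many (spoofed) sources, starting at t = 30 s.
    return [f"{30000 + 5 * i} 203.0.113.{i % 250} 192.0.2.10 {1024 + i} 80"
            for i in range(300)]


def parse(line):
    """Parse one constructed log line into (ts_ms, 4-tuple)."""
    ts, src_ip, dst_ip, src_port, dst_port = line.split()
    return int(ts), (src_ip, dst_ip, int(src_port), int(dst_port))


def detect_syn_surge(lines, window_ms=1000, threshold=50):
    """Return [(ts_ms, dst_ip, dst_port, distinct_tuples)] alerts.

    An alert is emitted once when the number of distinct 4-tuples seen
    against a destination within the trailing window first exceeds
    `threshold`; the detector re-arms after the count drops back to or
    below the threshold, so a sustained flood yields one alert, not one
    per packet.  Window and threshold values are assumptions.
    """
    recent = defaultdict(deque)   # (dst_ip, dst_port) -> deque of (ts, tuple), oldest first
    above = defaultdict(bool)     # whether the destination is currently over threshold
    alerts = []
    for ts, tup in sorted(parse(line) for line in lines):
        key = (tup[1], tup[3])
        q = recent[key]
        q.append((ts, tup))
        while ts - q[0][0] > window_ms:   # expire records older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > threshold and not above[key]:
            alerts.append((ts, key[0], key[1], distinct))
            above[key] = True
        elif distinct <= threshold:
            above[key] = False
    return alerts


if __name__ == "__main__":
    for ts, dst_ip, dst_port, n in detect_syn_surge(background_traffic() + syn_burst()):
        print(f"surge: {n} distinct connections to {dst_ip}:{dst_port} within 1 s at t={ts} ms")
```

Counting distinct tuples rather than raw packets keeps a single client's retransmissions from triggering the alert; the re-arm logic matters in practice because a flood that lasts minutes would otherwise flood the analyst with one alert per SYN.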
Currently, research on DoS intrusion detection relies mainly on Network-based Intrusion Detection Systems (NIDSs) (Chen et al., 2005; Handley et al., 2001; Hussain et al., 2003; Jin et al., 2003; Chari et al., 2003; Kuzmanovic et al., 2003; Wang et al., 2003). NIDSs monitor features extracted from network packet headers at the application layer, such as packet rate and traffic volume. Ramp-up behaviors and frequency-domain characteristics have also been studied to improve the accuracy and performance of IDSs (Chen et al., 2005; Hussain et al., 2003). On the other hand, Host-based Intrusion Detection Systems (HIDSs), which widely employ audit trails and system-call tracking, can effectively identify buffer overflow (BoF) attacks (Chari et al., 2003; Chaturvedi et al., 2006; Wagner et al., 2002). However, DoS attacks are not easily observed by such HIDSs and have not been widely researched in the HIDS literature. Some researchers have proposed bounding the number of invocations of certain system calls (Chari et al., 2003), such as fork(). However, with the advent of large-scale application software, such bounds may seriously impair the performance of normal applications. Moreover, DoS attacks may not involve a huge number of system calls at all. Therefore, a more generic solution is needed to detect DoS attacks.
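To make the two limitations of system-call bounds concrete, the following added example (not code from the article or from Chari et al.) applies a per-process fork() bound to a constructed audit trail. The audit line format, the bound value, and both traces are assumptions: one trace is a legitimate parallel build that forks once per source file and trips the bound, the other is a process that exhausts CPU in a tight loop after only a handful of system calls and is never seen by the check at all.

```python
"""Per-process system-call bound check over an audit trail, the HIDS approach
the text describes, run against two constructed traces that show its limits."""
from collections import Counter

# Assumed bound: a process may issue at most this many fork() calls.
BOUNDS = {"fork": 50}


def parse_audit(line):
    """Parse a constructed audit line "ts_ms pid comm syscall"."""
    ts, pid, comm, syscall = line.split()
    return int(ts), int(pid), comm, syscall


def check_syscall_bounds(lines, bounds=BOUNDS):
    """Return [(pid, comm, syscall, count)] for every process whose number of
    calls to a bounded system call exceeds its bound."""
    counts = Counter()
    names = {}
    for _ts, pid, comm, syscall in map(parse_audit, lines):
        if syscall in bounds:
            counts[(pid, syscall)] += 1
            names[pid] = comm
    return [(pid, names[pid], sc, n)
            for (pid, sc), n in sorted(counts.items()) if n > bounds[sc]]


def legitimate_build_trace():
    # A parallel build (pid 1000) forks one compiler per source file:
    # 120 forks, which is normal for a large code base.
    return [f"{i * 10} 1000 make fork" for i in range(120)]


def cpu_exhaustion_trace():
    # A process (pid 2000) that starts, then burns CPU in a tight loop for the
    # rest of the trace: three system calls at start-up and none afterwards.
    return [f"{i * 5} 2000 spinner {sc}"
            for i, sc in enumerate(["execve", "brk", "mmap"])]


if __name__ == "__main__":
    print("build job:", check_syscall_bounds(legitimate_build_trace()))   # flagged
    print("cpu hog:  ", check_syscall_bounds(cpu_exhaustion_trace()))     # nothing
```

The first trace produces a false positive on a benign workload, and the second produces no detection because resource exhaustion need not show up as system-call volume; both are the reasons the text gives for wanting a more generic host-side indicator.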