Shunsuke Oshima
Kumamoto University
Publication
Featured researches published by Shunsuke Oshima.
complex, intelligent and software intensive systems | 2010
Shunsuke Oshima; Takuo Nakashima; Toshinori Sueyoshi
Early detection methods are required to prevent DoS/DDoS attacks. Entropy-based detection methods have been classified into long-term entropy, based on the observation of more than 10,000 packets, and short-term entropy, based on fewer than 10,000 packets. Long-term entropy fluctuates less, which makes anomalous accesses easy to detect with a threshold, but it is weak at the early stage of an attack and has difficulty tracing short-term attacks. In this paper, we propose and evaluate a DoS/DDoS detection method based on short-term entropy, focusing on early detection. Firstly, a pre-experiment extracted the effective window width: 50 for DDoS and 500 for slow DoS attacks. Secondly, we showed that the type of attack can be classified using the distribution of the average and standard deviation of the entropy. In addition, we generated pseudo attacking packets under a normal condition to calculate the entropy and carry out a test of significance. When the number of attacking packets is equal to the number of arriving packets, a high detection rate with a false-negative rate of 5% was obtained, and the effectiveness of the proposed method was shown.
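The short-term entropy idea above, worked through as an added example that is not code from the paper: Shannon entropy of the source-IP field is computed over consecutive windows of 50 packets on constructed traffic (40 normal clients followed by a single-source flood), and a window is flagged when its entropy falls below a threshold derived from the trailing unflagged windows. The mean-minus-k-sigma threshold, the floor on the deviation term and the addresses are this example's assumptions.

```python
import math
from collections import Counter, deque
from statistics import mean, pstdev

def shannon_entropy(counts):
    """Shannon entropy (bits) of a symbol-count map, e.g. source IPs in one window."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def window_entropies(symbols, width):
    """Entropy of each consecutive, non-overlapping window of `width` packets."""
    return [shannon_entropy(Counter(symbols[i:i + width]))
            for i in range(0, len(symbols) - width + 1, width)]

def detect_entropy_drops(entropies, history=5, k=3.0, floor=0.1):
    """Flag windows whose entropy falls below mean - max(k*std, floor) of the trailing
    `history` unflagged windows. The threshold form and the floor (so a flat baseline
    does not alarm on rounding noise) are assumptions of this example, not the paper's."""
    baseline = deque(maxlen=history)
    flagged = []
    for idx, h in enumerate(entropies):
        if len(baseline) == history:
            threshold = mean(baseline) - max(k * pstdev(baseline), floor)
            if h < threshold:
                flagged.append(idx)
                continue  # keep the attack window out of the baseline
        baseline.append(h)
    return flagged

# Constructed traffic: 500 packets spread over 40 client addresses (round robin with a
# stride coprime to 40), then 200 packets all from one address, as a single-source
# flood looks in the source-IP field. Addresses are documentation ranges, not real hosts.
NORMAL_IPS = [f"203.0.113.{n}" for n in range(1, 41)]
NORMAL = [NORMAL_IPS[(i * 7) % 40] for i in range(500)]
FLOOD = ["198.51.100.7"] * 200
TRAFFIC = NORMAL + FLOOD

def run_demo(width=50):
    """Return (per-window entropies, indices of flagged windows) for the constructed stream."""
    ents = window_entropies(TRAFFIC, width)
    return ents, detect_entropy_drops(ents)

if __name__ == "__main__":
    ents, flags = run_demo()
    for i, h in enumerate(ents):
        print(f"window {i:2d}: H = {h:.3f}{'  <-- flagged' if i in flags else ''}")
```

With width 50 the normal windows sit near 5.24 bits and the four flood windows drop to 0, so the first alarm fires on the first window that contains only flood packets; the 500-packet width for slow DoS is the same code with a different `width`.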
broadband and wireless computing, communication and applications | 2010
Shunsuke Oshima; Takuo Nakashima; Toshinori Sueyoshi
DDoS attacks against servers cause dysfunction and finally bring the server to a stop. Previous research on detecting and defending against DDoS attacks has shown that the entropy of the source IP address or destination port number is an effective metric for detecting DoS/DDoS attacks. In an organization receiving a small volume of packets, the window width used to calculate the entropy value can be reduced in order to detect attacks earlier. On the other hand, a small window width makes it difficult to set the entropy threshold, because the usable threshold range becomes small. In this research, we propose a calculation method for a dynamic threshold that varies over the time sequence. This threshold is effective in the small-window case, allowing a quick response to attacks. Our proposed method enables early detection in organizations with a small volume of packets. In addition, the proposed calculation is effective when different IP header fields are used.
international conference on innovative computing, information and control | 2006
Takuo Nakashima; Shunsuke Oshima
DoS (Denial of Service) attacks are easily performed by exploiting weaknesses of the network protocol. It should be noted that a firewall host can hardly filter SYN flood attacks, and the spoofed source IP address keeps the attacker from being traced. Early detection of SYN flood attacks, as well as a mechanism for escaping from the TCP half-open state, is required. In this paper, we present a method for detecting SYN flood attacks at an early stage. We implemented a program to send SYN packets and collected the SYN+ACK response packets from the server. Our method first builds a standard model generated from observations of the server's activity. Secondly, we detect slight fluctuations in the packet response rate and the average response delay. Finally, an RST packet is sent to the server so that the TCP half-open state is released.
advanced information networking and applications | 2011
Shunsuke Oshima; Takuo Nakashima; Toshinori Sueyoshi
In research on anomaly detection systems that analyze packet headers on the Internet, previous work has proposed anomaly detection using chi-square values computed from the source IP address and/or the destination port number. In that work, the chi-square values were calculated from a single feature, which degrades the false-positive rate when the same symbol appears repeatedly in sequence. Therefore, we propose an anomaly detection technique using chi-square values based on multiple features. We also propose a dynamic BIN division technique to deal with traffic fluctuations such as the difference between day and night traffic. Applying our method, chi-square values based on time division were able to decrease the false-positive rate. Our method was also able to adapt to traffic variations by applying the dynamic BIN division technique.
advanced information networking and applications | 2012
Shunsuke Oshima; Takuo Nakashima; Toshinori Sueyoshi
Conventional methods using the chi-square value have been proposed to detect anomalous attacks. These systems, however, treat only one feature, such as the source IP address or the destination port number, as the random variable. A method based on multiple variables aimed at improving the accuracy of anomaly detection has not been proposed. In this paper, we propose a multiple-feature chi-square method named CSDM (Chi-square-based Space Division Method) to improve detection accuracy. The F-measure values of CSDM and the conventional method are compared to evaluate the two systems. We also focus on the learning mechanism and its effect on both systems. In experiments using the source IP address, the destination port number, and the deviation of the inter-arrival time of packets as the random variables, the proposed CSDM improves the F-measure compared to the conventional method, meaning that CSDM using multiple features can improve the F-measure for DoS/DDoS attacks and double attacks at a 30% attacking rate. In addition, a learning time of 2 days in the CSDM system is enough to learn the behavior of the normal condition, showing quick learning performance with high F-measures.
intelligent information hiding and multimedia signal processing | 2009
Shunsuke Oshima; Arata Hirakawa; Takuo Nakashima; Toshinori Sueyoshi
complex, intelligent and software intensive systems | 2008
Takuo Nakashima; Shunsuke Oshima; Yusuke Nishikido; Toshinori Sueyoshi
broadband and wireless computing, communication and applications | 2012
Mai Iwamoto; Shunsuke Oshima; Takuo Nakashima
To defend against DoS (Denial of Service) attacks, an access filtering mechanism is adopted in the firewall. The difficulty in defining the filtering rules lies in having to distinguish normal from anomalous packets among the incoming packets. The purpose of our research is to explore an early detection method for anomalous accesses based on statistical analysis. In this paper, we define the chi-square method and then analyze all of the incoming packets to our college. As a result, we extracted the following features. Firstly, chi-square analysis based on the destination port number is more sensitive to DDoS attacks and IP scans than analysis based on the destination IP address. Secondly, DoS attacks raise the chi-square value in the analysis based on the destination IP address. Finally, multiplexed DoS attacks tend to reduce the chi-square values in both analyses.
complex, intelligent and software intensive systems | 2009
Shunsuke Oshima; Takuo Nakashima; Yusuke Nishikido
To defend against DoS (denial of service) attacks, an access filtering mechanism is adopted on the end servers or in the IDS (intrusion detection system). The difficulty in defining the filtering rules comes from the hardness of separating normal from anomalous packets among the incoming packets. The purpose of our research is to explore an early detection method for anomalous accesses based on statistical analysis. In this paper, we first define the entropy-based analysis, then analyze the incoming packets to our college. As a result, we were able to extract the following features from the entropy analysis. Firstly, fluctuations for first-octet aggregation show a pattern similar to that of first-and-second-octet aggregation. Secondly, a sliding time of 10 minutes for the entropy window was sensitive enough to detect anomalous accesses. Finally, differential entropy detected a small number of anomalous accesses on 80/TCP that frequency analysis could hardly find.
international conference on innovative computing, information and control | 2007
Shunsuke Oshima; Takuo Nakashima
Submitting programs copied from another person causes problems in programming exercises in the university curriculum. Teachers cannot score accurately or evaluate the learning level reached by students. Code clone detection techniques automatically detect copied programs, and several have been proposed. Those studies, however, focused on source code from industry, and there are specific problems in detecting illicitly copied code in reports submitted by students. In this research, we developed a code clone detection algorithm focused on detecting illicitly copied code in reports submitted by students in a programming exercise. Our proposed algorithm is based on the comparison of tokens and can declare illicitly copied code invalid. It detects the features of illicit copies such as swapping functions and program lines, renaming variables, changing digits, comments and string constants, and reformatting the source code with formatting tools. We implemented the proposed algorithm and ran experiments to evaluate our system on the submissions of 119 students. Compared to human detection on the small source codes of students in a programming exercise, our system found 32 of the 36 illicitly copied codes among 14,042 pairwise comparisons, with a threshold chosen to realize recall = 0.8. The number of codes wrongly flagged as copies was 72, giving precision = 0.302.