This thesis presents three procedures to detect Distributed Denial of Service (DDoS) attacks. DDoS attacks are known as one of the most expensive and destructive Internet threats. Assuming network traffic is a marked Poisson process, two parametric detection models are developed. The arrival of packet flows is modeled as a Poisson process with cluster sizes that follow a mixture of discrete and heavy-tailed distributions. Both detection systems monitor the percentage of unknown source IP addresses. The first detection model is formulated as a fixed-sample-size binary hypothesis test. The decision making is based on the Neyman-Pearson criterion. The second parametric model is a sequential probability ratio test where the sample size is a random variable. Acceptance and rejection boundaries are deduced based on Wald's Fundamental Identity. Given that parametric distributions may fail to capture the complex and dynamic nature of the Internet, a third, non-parametric detection model is proposed. In addition to the percentage of unknown source IP addresses, a second test statistic is introduced. The latter represents the mean to standard deviation ratio of data packet sizes. The Neyman-Pearson threshold is estimated from the empirical distribution functions of both random variables.
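A minimal sketch of the sequential test described above, added here as an illustration and not taken from the thesis. It assumes a simplified per-packet Bernoulli model (each packet's source is unknown with probability `p0` under normal traffic and `p1` under attack) in place of the thesis's marked Poisson model, and uses Wald's standard approximate boundaries; the function names, parameter values and sample addresses are constructed.

```python
import math

def wald_boundaries(alpha, beta):
    """Wald's approximate log-likelihood-ratio boundaries (lower, upper)."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def sprt_unknown_sources(src_ips, known, p0, p1, alpha=0.01, beta=0.01):
    """Sequentially test H0: P(unknown source) = p0 against H1: = p1 > p0.

    Returns (decision, packets_used); decision is 'attack', 'normal', or
    'undecided' if the stream ends between the two boundaries.
    """
    if not 0 < p0 < p1 < 1:
        raise ValueError("need 0 < p0 < p1 < 1")
    lower, upper = wald_boundaries(alpha, beta)
    step_unknown = math.log(p1 / p0)            # evidence for H1 (positive)
    step_known = math.log((1 - p1) / (1 - p0))  # evidence for H0 (negative)
    llr, n = 0.0, 0
    for n, ip in enumerate(src_ips, start=1):
        llr += step_known if ip in known else step_unknown
        if llr >= upper:
            return "attack", n
        if llr <= lower:
            return "normal", n
    return "undecided", n

# Constructed sample data (documentation address ranges, not real traffic).
KNOWN = {f"192.0.2.{i}" for i in range(1, 51)}
QUIET = ["192.0.2.7", "192.0.2.9", "203.0.113.5"] + ["192.0.2.11"] * 6
FLOOD = ["198.51.100.1", "192.0.2.7", "198.51.100.2",
         "198.51.100.3", "198.51.100.4"]

if __name__ == "__main__":
    for name, stream in (("quiet", QUIET), ("flood", FLOOD)):
        print(name, sprt_unknown_sources(stream, KNOWN, p0=0.1, p1=0.6))
```

The number of packets consumed before a decision varies with the data, which is the random sample size the abstract refers to.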
Monitoring unknown source IP addresses and packet sizes to detect DDoS attacks