University of Illinois Urbana-Champaign

Monitoring unknown source IP addresses and packet sizes to detect DDoS attacks

Kone, Roseline

Permalink

https://hdl.handle.net/2142/49735

Description

Title
Monitoring unknown source IP addresses and packet sizes to detect DDoS attacks
Author(s)
Kone, Roseline
Issue Date
2014-05-30T17:07:05Z
Director of Research (if dissertation) or Advisor (if thesis)
Sowers, Richard B.
Doctoral Committee Chair(s)
Sowers, Richard B.
Committee Member(s)
  • Abbas, Ali E.
  • Kiyavash, Negar
  • Song, Renming
Department of Study
Industrial&Enterprise Sys Eng
Discipline
Industrial Engineering
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
Ph.D.
Degree Level
Dissertation
Keyword(s)
  • Poisson Cluster Process
  • Compound Pareto Distribution
  • Binary Hypothesis Testing
  • Sequential Detection
  • Distributed Denial of Service (DDoS) Attacks
Abstract
This thesis presents three procedures to detect Distributed Denial of Service (DDoS) attacks. DDoS attacks are known as one of the most expensive and destructive Internet threats. Assuming network tra c is a marked Poisson process, two parametric detection models are developed. The arrival of packet ows is modeled as Poisson process with cluster sizes that follows a mixture of discrete and heavy tailed distributions. Both detection systems monitor the percentage of unknown source IP addresses. The rst detection model is formulated as a xed sample size binary hypothesis testing. The decision making is based on the Neyman-Pearson criteria. The second parametric model is a sequential probability ratio test where the sample size is a random variable. Acceptance and rejection boundaries are deduced based on Wald's Fundamental Identity. Given that parametric distributions may fail to capture the complex and dynamic nature of the Internet, a third non-parametric detection model is proposed. In addition to the percentage of unknown source IP addresses, a second test statistic is introduced. The latter represents the mean to standard deviation ratio of data packet sizes. The Neyman-Pearson threshold is estimated from the empirical distribution functions of both random variables.
Graduation Semester
2014-05
Permalink
http://hdl.handle.net/2142/49735
Copyright and License Information
Copyright 2014 Roseline Estelle Sindolmane Kone

Owning Collections

Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois
Dissertations and Theses - Industrial and Enterprise Systems Engineering