This paper gives a novel traffic feature for identifying abnormal variation of traffic under DDOS flood attacks: the histogram of the maxima of the bounded traffic rate on an interval-by-interval basis. We apply it to the traffic data provided by MIT Lincoln Laboratory under the Defense Advanced Research Projects Agency (DARPA) in 1999. The experimental results strengthen the evidence that the traffic rate under DDOS attacks is statistically considerably higher than that of normal traffic. They show that the pattern of the histogram of the maxima of the bounded rate of attack-contained traffic differs greatly from that of attack-free traffic. In addition, the present traffic feature is mathematically simple and easy to use in practice.
1. Introduction
People nowadays depend heavily on the Internet, which serves as an infrastructure of modern society. However, distributed denial-of-service (DDOS) flood attackers remain a great threat to it. By consuming the resources of an attacked site, an attack may overwhelm the victim so that it denies the services it should offer or its service performance is significantly degraded. Therefore, intrusion detection systems (IDSs) for detecting DDOS flood attacks are greatly desired.
There are two categories of IDSs. One is misuse detection and the other is anomaly detection. Alerts given by misuse detection are primarily based on matching network traffic against a library of known signatures, see, for example, [1–5]. Thus, attacks with unknown signatures from new variants of an attack can escape detection by signature-based IDSs with probability one, see, for example, [6], making such a category of IDSs at the protected site irrelevant. Anomaly detection, in contrast, identifies abnormal variations of traffic as potential intrusions, so this category of IDSs receives particular attention for identifying new attacks, see, for example, [7–13]. For simplicity, in what follows, the term IDS is used in the sense of anomaly detection.
Note that detection accuracy is a key issue for an anomaly detector, see, for example, [14, 15]. To be effective, IDSs require appropriate features for accurately detecting an attack and distinguishing it from normal activity, as can be seen from [10, Section IV]. Hence, developing new traffic features for anomaly detection is essential.
The literature on traffic features for IDS use is rich. For example, 86 features for clustering normal activities are discussed in [9]. Note that a selected feature is methodology-dependent. In this regard, [16] uses packet header data. The paper [17] utilizes the autocorrelation function of long-range dependent (LRD) traffic time series in packet size and [18] employs the Hurst parameter. Scherrer et al. adopt scaling properties of LRD traffic [19].
The traffic models used in [17–23] are fractal models. In general, fractal models may be somewhat complicated to apply in engineering practice in comparison with the traffic feature proposed in this paper.
Recall that there are two categories in traffic modeling [24, Section XIV]. One is statistical modeling (e.g., LRD processes). The other is bounded modeling, which has particular applications to modeling traffic at connection level, see, for example, [25–30]. Bounded models, in conjunction with a class of service disciplines, are feasible and relatively efficient in applications such as connection admission control (CAC) in guaranteed quality-of-service (QoS). In addition, such models are mathematically simple and relatively easy to use in practice in comparison with fractal models. This paper aims at providing a new traffic feature for anomaly detection based on bounded modeling of traffic. The main contributions of this paper are as follows.
We present the histogram of the maxima of bounded traffic rate on an interval-by-interval basis as a traffic feature for exhibiting abnormal variation of traffic under DDOS flood attacks.
The experimental results show that the maxima of the rate bound of attack-contained traffic are statistically drastically greater than those of attack-free traffic.
The rest of the paper is organized as follows. Experimental data and related work are briefly described in Section 2. The histogram of the maxima of traffic rate bound is proposed in Section 3. Experimental results are demonstrated in Section 4, which is followed by discussions and conclusions.
2. Experimental Data and Related Work
2.1. Experimental Data
While DDOS attacks continue to be a problem, there is currently not much quantitative data available for researchers to study the behaviors of DDOS flood attacks. The data in the 1998-1999 DARPA (http://www.ll.mit.edu/IST/ideval) are valuable but rare for public use, though there are points worth further discussion [31]. Those data were obtained under the conditions of realistic background traffic and mean examples of realistic attacks [32, 33]. The data sets used in 1999 contain more than 200 instances and 58 attack types; see [34] for details. Two data sets are explained below.
2.1.1. Set One: Attack-Free Traffic (1999 Training Data—Week 1)
The first set of data contains 5 traces. We name them OM-W1-i-1999AF (i=1, 2, 3, 4, 5), meaning Outside-MIT-week1-i-1999-attack-free. Table 1 indicates the actual times at which the first packet and the last one were extracted for each trace.
Table 1: Data set for attack-free traffic.

| First Packet Time | Last Packet Time | Trace Name |
| --- | --- | --- |
| Mon Mar 1 08:00:02 | Tue Mar 2 06:00:02 | OM-W1-1-1999AF |
| Tue Mar 2 08:00:02 | Wed Mar 3 06:00:01 | OM-W1-2-1999AF |
| Wed Mar 3 08:00:03 | Thu Mar 4 06:00:01 | OM-W1-3-1999AF |
| Thu Mar 4 08:00:03 | Fri Mar 5 06:00:02 | OM-W1-4-1999AF |
| Fri Mar 5 08:00:02 | Sat Mar 6 06:00:02 | OM-W1-5-1999AF |
2.1.2. Set Two: Attack-Contained Traffic (1999 Training Data—Week 2)
Five traces are included in the second data set. They are named as OM-W2-i-1999AC (i=1, 2, 3, 4, 5), implying Outside-MIT-week2-i-1999-attack contained. The actual times at which the first packet and last one were extracted for each trace are listed in Table 2.
Table 2: Data set for attack-contained traffic.

| First Packet Time | Last Packet Time | Trace Name |
| --- | --- | --- |
| Mon Mar 8 08:00:01 | Tue Mar 9 06:00:49 | OM-W2-1-1999AC |
| Tue Mar 9 08:00:01 | Wed Mar 10 06:00:59 | OM-W2-2-1999AC |
| Wed Mar 10 08:00:03 | Thu Mar 11 06:00:01 | OM-W2-3-1999AC |
| Thu Mar 11 08:00:03 | Fri Mar 12 06:00:00 | OM-W2-4-1999AC |
| Fri Mar 12 08:00:02 | Sat Mar 13 06:00:00 | OM-W2-5-1999AC |
2.2. Traffic Rate under DDOS Flood Attacks
Roughly speaking, a high rate is the essential feature of attack-contained traffic. The paper [35] reported the real events in 2000 and noted that “the attacks inundated servers with 1 gigabit per second of incoming data, which is much more traffic than they were built to handle [35, page 12].” The analysis given by Moore et al. says that “to load the network, an attacker generally sends small packets as rapidly as possible since most network devices (both routers and NICs) are limited not by bandwidth but by packet processing rate [36, Section 2.1].” They infer that traffic rate is usually the best measure of network load during an attack. In short, computer scientists consider a high rate to be a basic feature of attack-contained traffic; see also, for example, [37–42]. The experimental results in this paper are only for the 1999 DARPA data in the case of high-rate attacks.
2.3. Traffic Bounds
In this subsection, we briefly describe the deterministic bounds for accumulated traffic and traffic rate with the help of demonstrations using traffic traces OM-W1-1-1999AF and OM-W1-1-1999AC.
Let x(t_i) be the series indicating the number of bytes in the ith packet (i = 0, 1, …) of arrival traffic at time t_i. Then, x(i) is a discrete series, indicating the number of bytes in the ith packet of arrival traffic. Figure 1 shows a plot of x(i) for the first 1024 points of OM-W1-1-1999AF.
Figure 1: Time series: OM-W1-1-1999AF for the first 1024 points.
According to [27, 43], an upper bound of arrival traffic x(i) is given below.
Definition 2.1.
Let x(i) be the arrival traffic function. Then,
$$F(I) = \max_{i \ge 0}\,[x(i+I) - x(i)], \quad \text{for } i > 0,\ I > 0, \tag{2.1}$$
is called traffic upper bound of x(i) over the duration of length I.
Note 1.
The physical meaning of F(I) is that the accumulated amount of arrival traffic x(i) over the duration of length I is upper bounded by F(I). The unit of F(I) is bytes. F(I) is an increasing function in terms of I. Figure 2 indicates F(I) of OM-W1-1-1999AF for 0≤I≤63.
Figure 2: Traffic upper bound of OM-W1-1-1999AF for 0 ≤ I ≤ 63.
Definition 2.2.
Let x(i) be the arrival traffic function. Then,
$$\mathrm{GAMA}(I) = \frac{F(I)}{I} = \frac{\max_{i \ge 0}\,[x(i+I) - x(i)]}{I}, \quad \text{for } i > 0,\ I > 0, \tag{2.2}$$
is called upper bound of traffic rate (traffic rate bound for short) of x(i).
Note 2.
Equation (2.2) specifies that GAMA(I) is the maximum arrival rate at a specific point in the network over any duration of length I. The unit of GAMA(I) is defined as Bytes per I. GAMA(I) is a decreasing function in terms of I. Figure 3 demonstrates GAMA(I) of OM-W1-1-1999AF for 0≤I≤63.
Figure 3: Traffic rate bound of OM-W1-1-1999AF for 0 ≤ I ≤ 63.
3. Histogram of Maxima of Traffic Rate Bound: A Feature for Identifying Abnormal Variation of Traffic under DDOS Attacks
In this section, we first introduce the time series of traffic rate bound. Then, we define the maxima of traffic rate bound. Finally, we obtain the histogram of the maxima of traffic rate bound. Demonstrations with the experimental data are used to facilitate the discussion.
3.1. Traffic Bound Series
Theoretically, I can be any positive real number. In practice, however, I is selected as a finite positive integer. Fix the value of I and observe traffic bounds in the interval ((n-1)I, nI), n = 1, 2, …, N. Then, we express traffic bounds as a function of the interval index n. Considering the index n, we express the traffic upper bound by F(I,n), which is a series.
Note that x(i) is a stochastic series and so is F(I,n). That is, F(I,m)≠F(I,n) for m≠n. We term F(I,n) traffic upper bound series. Similarly, we use GAMA(I,n) to represent traffic rate bound series. Figure 4 shows the traffic upper bound series. Figure 5 plots the rate bound series.
Figure 4: Traffic upper bound series for OM-W1-1-1999AF.
Figure 5: Traffic rate bound series for OM-W1-1-1999AF.
Since GAMA(I,n) is random, identification in a single interval is not enough. We use Figure 6 to explain this point of view. From Figure 6, we see that the rate bound of attack-contained traffic is greater than that of attack-free traffic in some intervals, for example, in the second and third intervals. However, it is less than the rate bound of attack-free traffic in some intervals, for example, in the first and fourth intervals. Therefore, we will study how the bound series of traffic rate statistically varies under DDOS flood attacks. For this reason, we study the maxima of traffic rate bound.
Figure 6: Traffic rate bound series. Solid lines for attack-free traffic OM-W1-1-1999AF. Dotted lines for attack-contained traffic OM-W1-1-1999AC.
3.2. Maxima of Traffic Rate Bound
Denote
$$\mathrm{MGAMA}(n) = \max\,[\mathrm{GAMA}(I,n)],$$
over the index I in each interval [(n-1)I,nI]. Then, MGAMA(n) represents a series to describe the maximum value of GAMA(I,n) in each interval [(n-1)I,nI]. In other words, MGAMA(n) stands for the maxima of GAMA(I,n). The unit of MGAMA(n) is the same as that of GAMA(I,n). Here and below, we use the notation MGAMA_F(n) for attack-free traffic and MGAMA_C(n) for attack-contained traffic. Figures 7(a) and 7(b) give the plots of MGAMA_F(n) and MGAMA_C(n) for OM-W1-1-1999AF and OM-W2-1-1999AC, respectively.
Figure 7: Maxima of traffic rate bound. (a) Maxima of GAMA(I,n) for OM-W1-1-1999AF. (b) Maxima of GAMA(I,n) for OM-W2-1-1999AC.
3.3. Histogram of Maxima
Denote Hist[MGAMA_F(n)] and Hist[MGAMA_C(n)] as the histograms of MGAMA_F(n) and MGAMA_C(n), respectively. Then, they represent empirical distributions of MGAMA_F(n) and MGAMA_C(n). Figures 8(a) and 8(b) indicate Hist[MGAMA_F(n)] and Hist[MGAMA_C(n)] for OM-W1-1-1999AF and OM-W1-1-1999AC, respectively. From Figure 8(c), we see that the pattern of Hist[MGAMA_F(n)] considerably differs from that of Hist[MGAMA_C(n)]. To investigate this phenomenon quantitatively, we need a measure to describe the similarity or dissimilarity between the pattern of Hist[MGAMA_F(n)] and that of Hist[MGAMA_C(n)], which will be explained in the next subsection.
Figure 8: Histograms. (a) Hist[MGAMA_F(n)] of OM-W1-1-1999AF. (b) Hist[MGAMA_C(n)] of OM-W1-1-1999AC. (c) Comparison: Corr_FC = 0.01751.
3.4. Correlation Coefficient Used as a Similarity Measure for Pattern Matching
There are many measures to characterize the similarity or the dissimilarity of two patterns in the field of pattern matching, see, for example, [44, 45]. Among them, the correlation coefficient between two patterns is commonly used in engineering, see, for example, [46]. We use it to measure the pattern similarity in this research. Denote
$$\mathrm{Corr}_{FC} = \left|\operatorname{corr}\{\mathrm{Hist}[\mathrm{MGAMA}_F(n)],\ \mathrm{Hist}[\mathrm{MGAMA}_C(n)]\}\right|,$$
where corr implies the correlation operation.
It is known that 0 ≤ Corr_FC ≤ 1. The larger the value of Corr_FC, the more similar the pattern of Hist[MGAMA_F(n)] is to that of Hist[MGAMA_C(n)]. Mathematically, the case of Corr_FC = 1 implies that the pattern of Hist[MGAMA_F(n)] is exactly the same as that of Hist[MGAMA_C(n)]. On the contrary, Corr_FC = 0 means that the pattern of Hist[MGAMA_F(n)] is totally different from that of Hist[MGAMA_C(n)]. From the point of view of engineering, however, the extreme case of either Corr_FC = 1 or Corr_FC = 0 does not make much sense due to errors and uncertainties in measurement and digital computation. In practical terms, one uses a threshold for Corr_FC to evaluate the similarity between the two. The concrete value of the threshold depends on the requirements set by researchers, but it is quite common to take 0.7 as the smallest value of the threshold for pattern matching purposes. Suppose that we consider 0.8 as the threshold value. Then, we say that the pattern of Hist[MGAMA_F(n)] is similar to that of Hist[MGAMA_C(n)] if Corr_FC ≥ 0.8 and dissimilar otherwise.
By computing, we obtain Corr_FC = 0.01751 for OM-W1-1-1999AF and OM-W2-1-1999AC, implying that the pattern of Hist[MGAMA_F(n)] considerably differs from that of Hist[MGAMA_C(n)], as indicated in Figure 8(c). We will further demonstrate this interesting phenomenon in the next section.
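The procedure of Sections 3.1 to 3.4 can be run end to end as follows; this is an added Python example, not code from the paper. It assumes Definition 2.1 is applied to the running byte total of x(i), that both histograms share fixed bin edges, and that corr is the Pearson coefficient; the function names, bin edges and the two packet-size traces are constructed for illustration.

```python
from bisect import bisect_right
from math import sqrt

def rate_bound(block, duration):
    """GAMA(I) inside one block: the largest byte total carried by any
    `duration` consecutive packets, divided by `duration`.
    Assumption: Definition 2.1 is applied to the running byte total of x(i)."""
    window = sum(block[:duration])
    best = window
    for i in range(duration, len(block)):
        window += block[i] - block[i - duration]  # slide the window by one packet
        best = max(best, window)
    return best / duration

def maxima_series(x, block_len=64, durations=None):
    """MGAMA(n): max over I of GAMA(I, n), one value per block of block_len
    packets. A trailing partial block is ignored."""
    durations = list(durations or range(1, block_len + 1))
    series = []
    for start in range(0, len(x) - block_len + 1, block_len):
        block = x[start:start + block_len]
        series.append(max(rate_bound(block, d) for d in durations))
    return series

def histogram(values, edges):
    """Counts per bin [edges[k], edges[k+1]); out-of-range values are clamped
    into the first or last bin so an unusually high maximum is never dropped."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        k = bisect_right(edges, v) - 1
        counts[max(0, min(k, len(counts) - 1))] += 1
    return counts

def corr_fc(hist_f, hist_c):
    """|Pearson correlation| of two histograms taken over the same bins.
    Returns 0.0 when either histogram is flat (correlation undefined)."""
    n = len(hist_f)
    mean_f, mean_c = sum(hist_f) / n, sum(hist_c) / n
    cov = sum((a - mean_f) * (b - mean_c) for a, b in zip(hist_f, hist_c))
    var_f = sum((a - mean_f) ** 2 for a in hist_f)
    var_c = sum((b - mean_c) ** 2 for b in hist_c)
    if var_f == 0 or var_c == 0:
        return 0.0
    return abs(cov / sqrt(var_f * var_c))

def compare(x_ref, x_obs, edges, block_len=64, threshold=0.8):
    """Return (Corr_FC, similar?) for a reference trace and an observed trace."""
    h_ref = histogram(maxima_series(x_ref, block_len), edges)
    h_obs = histogram(maxima_series(x_obs, block_len), edges)
    c = corr_fc(h_ref, h_obs)
    return c, c >= threshold

# --- constructed packet-size traces (bytes), not DARPA data ---
def make_trace(peaks, block_len=64, base=64):
    """One block per peak: `base`-byte packets with four packets of size `peak`."""
    trace = []
    for p in peaks:
        block = [base] * block_len
        block[10:14] = [p] * 4
        trace.extend(block)
    return trace

EDGES = [0, 250, 500, 750, 1000, 1250, 1500]  # assumed bin edges, in bytes
FREE = make_trace([576, 576, 1500, 576, 512, 576, 1024, 576] * 4)
ATTACK = make_trace([1500, 1500, 1500, 1024, 1500, 1500, 1500, 1500] * 4)

if __name__ == "__main__":
    print(histogram(maxima_series(FREE), EDGES))
    print(histogram(maxima_series(ATTACK), EDGES))
    print(compare(FREE, ATTACK, EDGES))  # low Corr_FC: patterns differ
    print(compare(FREE, FREE, EDGES))    # Corr_FC of 1: identical patterns
```

With the default durations starting at I = 1, F(I) ≤ I·F(1) makes MGAMA(n) equal to the largest packet in the block; pass a `durations` range that starts higher to score sustained bursts instead.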
4. Experimental Results
The value of Corr_FC for OM-W1-1-1999AF and OM-W2-1-1999AC has been mentioned above. In this section, we illustrate experimental results describing Corr_FC for OM-W1-2-1999AF and OM-W2-2-1999AC. The plots illustrating Corr_FC for OM-W1-3-1999AF and OM-W2-3-1999AC, OM-W1-4-1999AF and OM-W2-4-1999AC, and OM-W1-5-1999AF and OM-W2-5-1999AC are given in the appendices.
Figures 9(a) and 9(b) are the plots of the first 1024 points of OM-W1-2-1999AF and OM-W2-2-1999AC, respectively. Figures 10(a) and 10(b) indicate the series of traffic rate bound for OM-W1-2-1999AF and OM-W2-2-1999AC for n=0,1,…,16 with I=64, respectively. Figures 11(a) and 11(b) demonstrate the maxima of rate bound for both traffic traces for n=0,1,…,128. Figures 12(a) and 12(b) show the histograms of the maxima of traffic rate bound for both traces. Figure 12(c) gives the comparison between the two. By computation, we have Corr_FC = 0.163261, meaning that the pattern of Hist[MGAMA_F(n)] considerably differs from that of Hist[MGAMA_C(n)] for OM-W1-2-1999AF and OM-W2-2-1999AC.
Figure 9: Time series of traffic traces. (a) The first 1024 points of OM-W1-2-1999AF. (b) The first 1024 points of OM-W2-2-1999AC.
Figure 10: Series of traffic rate bound. (a) For OM-W1-2-1999AF. (b) For OM-W2-2-1999AC.
Figure 11: Series of the maxima of traffic rate bound. (a) For OM-W1-2-1999AF. (b) For OM-W2-2-1999AC.
Figure 12: Histograms of the maxima of traffic rate bound. (a) For OM-W1-2-1999AF. (b) For OM-W2-2-1999AC. (c) Comparison: Corr_FC = 0.163261.
Note that the values of Corr_FC for the other three pairs of test traces, see Figures 16(c), 20(c), and 24(c), also show that the pattern of Hist[MGAMA_F(n)] is noticeably different from that of Hist[MGAMA_C(n)]. We summarize the values of Corr_FC of all five pairs of traces in Table 3, which shows that Corr_FC < 0.2 for all pairs of test traces.
Table 3: Correlation coefficients between the pattern of Hist[MGAMA_F(n)] and that of Hist[MGAMA_C(n)] for 5 pairs of test traces.

| Attack-free traffic traces | Attack-contained traffic traces | Corr_FC |
| --- | --- | --- |
| OM-W1-1-1999AF | OM-W2-1-1999AC | 0.01751 |
| OM-W1-2-1999AF | OM-W2-2-1999AC | 0.163261 |
| OM-W1-3-1999AF | OM-W2-3-1999AC | 0.045515 |
| OM-W1-4-1999AF | OM-W2-4-1999AC | 0.141885 |
| OM-W1-5-1999AF | OM-W2-5-1999AC | 0.177468 |
5. Discussions and Conclusions
The maxima of the rate bound of attack-contained traffic are not always higher than those of attack-free traffic, see Figure 7. Statistically, however, they are significantly higher than those of attack-free traffic, as can be seen from the experimental results illustrated by Figures 8(c), 12(c), 16(c), 20(c), and 24(c). In addition, the results expressed in Table 3 indicate that the pattern of Hist[MGAMA_F(n)] is obviously different from that of Hist[MGAMA_C(n)]. Thus, the results in this paper suggest that the histogram of the maxima of traffic rate bound may yet be a traffic feature to distinctly identify abnormal variation of traffic under DDOS flood attacks.
In comparison with the fractal model of traffic as discussed in [18,19,43], the present feature has an apparent advantage. Recall that statistical models like LRD processes, see, for example, [18,19], are usually for traffic in the aggregate case, but there is a lack of evidence for using them to characterize statistical patterns of real traffic at connection level. As a matter of fact, finding statistical patterns of traffic at connection level may be a tough task. To overcome difficulties in describing traffic at connection level, bounded modeling is introduced [25–29]. Thus, if we let x_{j,k}(t) be all flows going through server k from input link j and let F_{j,k}(I) be the maximum traffic constraint function of x_{j,k}(t), the present analysis method of traffic is technically sound and usable for x_{j,k}(t), but fractal models may not be. Since the bounded models of traffic are mainly used at connection level in some applications, such as real-time admission control, it is clear that the present traffic feature for identifying abnormal variation of traffic under DDOS flood attacks can be extracted at an early stage of attacks.
Appendices
These appendices give experimental results for three pairs of traces. They are OM-W1-3-1999AF and OM-W2-3-1999AC, OM-W1-4-1999AF and OM-W2-4-1999AC, and OM-W1-5-1999AF and OM-W2-5-1999AC. The values of Corr_FC for each pair of traces are given in the captions of Figures 16(c), 20(c), and 24(c), respectively.
A. Experiments for OM-W1-3-1999AF and OM-W2-3-1999AC
See Figures 13, 14, 15, and 16.
Figure 13: Time series of traffic traces. (a) The first 1024 points of OM-W1-3-1999AF. (b) The first 1024 points of OM-W2-3-1999AC.
Figure 14: Series of traffic rate bound. (a) For OM-W1-3-1999AF. (b) For OM-W2-3-1999AC.
Figure 15: Series of the maxima of traffic rate bound. (a) Maxima of GAMA(I,n) for OM-W1-3-1999AF. (b) Maxima of GAMA(I,n) for OM-W2-3-1999AC.
Figure 16: Histograms of the maxima of traffic rate bound. (a) For OM-W1-3-1999AF. (b) For OM-W2-3-1999AC. (c) Comparison: Corr_FC = 0.045515.
B. Experiments for OM-W1-4-1999AF and OM-W2-4-1999AC
See Figures 17, 18, 19, and 20.
Figure 17: Time series of traffic traces. (a) The first 1024 points of OM-W1-4-1999AF. (b) The first 1024 points of OM-W2-4-1999AC.
Figure 18: Series of traffic rate bound. (a) For OM-W1-4-1999AF. (b) For OM-W2-4-1999AC.
Figure 19: Series of the maxima of traffic rate bound. (a) Maxima of GAMA(I,n) for OM-W1-4-1999AF. (b) Maxima of GAMA(I,n) for OM-W2-4-1999AC.
Figure 20: Histograms of the maxima of traffic rate bound. (a) For OM-W1-4-1999AF. (b) For OM-W2-4-1999AC. (c) Comparison: Corr_FC = 0.141885.
C. Experiments for OM-W1-5-1999AF and OM-W2-5-1999AC
See Figures 21, 22, 23, and 24.
Figure 21: Time series of traffic traces. (a) The first 1024 points of OM-W1-5-1999AF. (b) The first 1024 points of OM-W2-5-1999AC.
Figure 22: Series of traffic rate bound. (a) For OM-W1-5-1999AF. (b) For OM-W2-5-1999AC.
Figure 23: Series of the maxima of traffic rate. (a) Maxima of GAMA(I,n) for OM-W1-5-1999AF. (b) Maxima of GAMA(I,n) for OM-W2-5-1999AC.
Figure 24: Histograms of the maxima of traffic rate bound. (a) For OM-W1-5-1999AF. (b) For OM-W2-5-1999AC. (c) Comparison: Corr_FC = 0.177468.
Acknowledgments
This work was supported in part by the 973 plan under the project number 2011CB302801/2011CB302802, by the National Natural Science Foundation of China under the project grant numbers 60873264, 61070214, and 61173096, by Zhejiang Provincial Natural Science Foundation of China (R1110679), and by the University of Macau.
References
[1] R. Shirey, RFC 2828, 2000.
[2] N. Hussain, University of Southern California, 2005.
[3] S. Chebrolu, A. Abraham, and J. P. Thomas, "Feature deduction and ensemble design of intrusion detection systems," vol. 24, no. 4, pp. 295–307, 2005. doi:10.1016/j.cose.2004.09.008
[4] E. G. Amoroso, Intrusion.Net Books, 1999.
[5] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher, Prentice Hall, 2004.
[6] K. Liston, "Intrusion Detection FAQ: can you explain traffic analysis and anomaly detection?" 2004, http://www.sans.org/security-resources/idfaq/anomaly_detection.php
[7] E. Schultz, "Intrusion prevention," vol. 23, no. 4, pp. 265–266, 2004. doi:10.1016/j.cose.2004.04.004
[8] J. Leach, "TBSE—an engineering approach to the design of accurate and reliable security systems," vol. 23, no. 1, pp. 265–266, 2004. doi:10.1016/S0167-4048(04)00069-0
[9] S. H. Oh and W. S. Lee, "An anomaly intrusion detection method by clustering normal user behavior," vol. 22, no. 7, pp. 596–612, 2003. doi:10.1016/S0167-4048(03)00710-7
[10] F. Gong, "Deciphering detection techniques: part III denial of service detection," McAfee Network Security Technologies Group, 2003.
[11] S. Sorensen, "Competitive overview of statistical anomaly detection," Juniper Networks, 2004.
[12] S. B. Cho and H. J. Park, "Efficient anomaly detection by modeling privilege flows using hidden Markov model," vol. 22, no. 1, pp. 45–55, 2003. doi:10.1016/S0167-4048(03)00112-3
[13] S. Cho and S. Cha, "SAD: web session anomaly detection based on parameter estimation," vol. 23, no. 7, pp. 312–319, 2004. doi:10.1016/j.cose.2004.01.006
[14] R. A. Kemmerer and G. Vigna, "Intrusion detection: a brief history and overview," vol. 35, pp. 27–30, 2002.
[15] E. E. Schultz, "Representing information security fairly and accurately," vol. 25, no. 4, p. 237, 2006. doi:10.1016/j.cose.2006.04.004
[16] S. S. Kim, A. L. Narasimha Reddy, and M. Vannucci, "Detecting traffic anomalies through aggregate analysis of packet header data," vol. 3042, pp. 1047–1059, 2004.
[17] M. Li, "An approach to reliably identifying signs of DDOS flood attacks based on LRD traffic pattern recognition," vol. 23, no. 7, pp. 549–558, 2004. doi:10.1016/j.cose.2004.04.005
[18] M. Li, "Change trend of averaged Hurst parameter of traffic under DDOS flood attacks," vol. 25, no. 3, pp. 213–220, 2006. doi:10.1016/j.cose.2005.11.007
[19] A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat, and P. Abry, "Non-Gaussian and long memory statistical characterizations for Internet traffic with anomalies," vol. 4, no. 1, pp. 56–70, 2007. doi:10.1109/TDSC.2007.12
[20] B. Tsybakov and N. D. Georganas, "Self-similar processes in communications networks," vol. 44, no. 5, pp. 1713–1725, 1998. doi:10.1109/18.705538
[21] M. Li, "Modeling autocorrelation functions of long-range dependent teletraffic series based on optimal approximation in Hilbert space-A further study," vol. 31, no. 3, pp. 625–631, 2007. doi:10.1016/j.apm.2005.11.029
[22] M. Li and S. C. Lim, "Modeling network traffic using generalized Cauchy process," vol. 387, no. 11, pp. 2584–2594, 2008. doi:10.1016/j.physa.2008.01.026
[23] M. Li and W. Zhao, "Detection of variations of local irregularity of traffic under DDOS flood attack," vol. 2008, Article ID 475878, 2008. doi:10.1155/2008/475878
[24] H. Michiel and K. Laevens, "Teletraffic engineering in a broad-band era," vol. 85, no. 12, pp. 2007–2032, 1997.
[25] R. L. Cruz, "A calculus for network delay—I: network elements in isolation," vol. 37, no. 1, pp. 114–131, 1991. doi:10.1109/18.61109
[26] J.-Y. Le Boudec, J. Yves, and T. Patrick, vol. 2050 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 2001, xix+274 pp. doi:10.1007/3-540-45318-0
[27] S. Wang, D. Xuan, R. Bettati, and W. Zhao, "Providing absolute differentiated services for real-time applications in static-priority scheduling networks," vol. 12, no. 2, pp. 326–339, 2004. doi:10.1109/TNET.2004.826286
[28] M. Li and W. Zhao, "Representation of a stochastic traffic bound," vol. 21, no. 9, pp. 1368–1372, 2010. doi:10.1109/TPDS.2009.162
[29] M. Li and W. Zhao, "A model to partly but reliably distinguish DDOS flood traffic from aggregated one," vol. 2012, Article ID 860569, 12 pages, 2012.
[30] M. Li and W. Zhao, "Asymptotic identity in min-plus algebra: a report on CPNS," vol. 2012, Article ID 154038, 11 pages, 2012.
[31] J. McHugh, "Testing intrusion detection systems: a critique of the 1988 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory," vol. 3, no. 4, pp. 262–294, 2000.
[32] J. W. Haines, L. M. Rossey, R. Lippmann, and R. K. Cunningham, "Extending the DARPA off-line intrusion detection evaluations," in Proceedings of the DARPA Information Survivability Conference and Exposition II, vol. 1, pp. 77–88, IEEE, Anaheim, Calif, USA, 2001.
[33] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, "Statistical approaches to DDoS attack detection and response," in Proceedings of the DARPA Information Survivability Conference and Exposition, vol. 1, pp. 303–314, Washington, DC, USA, 2003.
[34] R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, "The 1999 DARPA off-line intrusion detection evaluation," vol. 34, no. 4, pp. 579–595, 2000. doi:10.1016/S1389-1286(00)00139-0
[35] L. Garber, "Denial-of-service attacks rip the internet," vol. 33, no. 4, pp. 12–17, 2000.
[36] D. Moore, G. M. Voelker, and S. Savage, "Inferring internet denial-of-service activity," in Proceedings of the 10th USENIX Security Symposium, 2001.
[37] R. Mahajan, S. M. Bellovin, and S. Floyd, "Controlling high bandwidth aggregates in the network," vol. 32, no. 3, pp. 62–73, 2002. doi:10.1145/571697.571724
[38] A. Lakhina, M. Crovella, and C. Diot, "Characterization of network-wide anomalies in traffic flows," in Proceedings of the ACM SIGCOMM Internet Measurement Conference (IMC '04), pp. 201–206, Sicily, Italy, October 2004.
[39] P. Barford and D. Plonka, "Characteristics of network traffic flow anomalies," in Proceedings of the 1st ACM SIGCOMM Internet Measurement Workshop (IMW '01), pp. 69–73, San Francisco, Calif, USA, November 2001.
[40] V. A. Siris and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," vol. 29, no. 9, pp. 1433–1442, 2006. doi:10.1016/j.comcom.2005.09.008
[41] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proceedings of the 21st Annual Joint Conference of the IEEE Computer and Communications Societies, pp. 1530–1539, New York, NY, USA, June 2002.
[42] M. Li, J. Li, and W. Zhao, "Simulation study of flood attacking of DDOS," in Proceedings of the IEEE 3rd International Conference on Internet Computing in Science and Engineering (ICICSE '08), pp. 289–293, Harbin, China, 2008.
[43] R. Bettati, W. Zhao, and D. Teodor, "Real-time intrusion detection and suppression in ATM networks," in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, pp. 111–118, 1999.
[44] K. S. Fu, 2nd edition, Springer, 1980.
[45] M. Basseville, "Distance measures for signal processing and pattern recognition," vol. 18, no. 4, pp. 349–369, 1989. doi:10.1016/0165-1684(89)90079-0
[46] M. Li, "An iteration method to adjusting random loading for a laboratory fatigue test," vol. 27, no. 7, pp. 783–789, 2005. doi:10.1016/j.ijfatigue.2005.01.011