Real Time Network Anomaly Detection 


Jintae Oh: Electronics and Telecommunication Research Institute, 161 Gajeong-Gu, Yuseong-gu, Daejeon, 305-350, Korea. (TEL) +82-42-860-4977 (FAX) +82-42-860-5611 (E-Mail) showme@etri.re.kr

Seungwon Shin: Electronics and Telecommunication Research Institute, 161 Gajeong-Gu, Yuseong-gu, Daejeon, 305-350, Korea. (TEL) +82-42-860-4959 (FAX) +82-42-860-5611 (E-Mail) swshin@etri.re.kr

Jongsoo Jang: Electronics and Telecommunication Research Institute, 161 Gajeong-Gu, Yuseong-gu, Daejeon, 305-350, Korea. (TEL) +82-42-860-1910 (FAX) +82-42-860-5611 (E-Mail) jsjang@etri.re.kr


Abstract


We propose a simple and robust statistical approach to detecting SYN flooding attacks by observing network traffic. To make the detection mechanism robust and easy to implement, we applied the CUSUM (cumulative sum) and EWMA (exponentially weighted moving average) algorithms from SPC (statistical process control) to our investigation and compared the two cases. Both approaches make the detection mechanism much more generally applicable and easier to implement. The trace-driven simulation results demonstrate that our approach is efficient and simple to implement, and prove that it detects SYN flooding accurately with a very short detection time.
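The abstract names two SPC change detectors, CUSUM and EWMA, but does not show how either is applied to a SYN count series. The following is an added illustration written for this page, not the authors' code: a one-sided (upward) CUSUM and an EWMA control chart run over a constructed series of per-second SYN counts with a flood ramping up at a known interval. The traffic values, the training window, and the parameters (k, h, lambda, L in units of the baseline standard deviation) are all assumptions chosen for the example, not values from the paper.

```python
"""Added example: CUSUM and EWMA change detectors over per-interval SYN counts.
Everything below (traffic series, training window, thresholds) is a constructed
assumption for illustration; none of it is taken from the paper."""
from math import sqrt
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Constructed sample: SYN segments observed per one-second interval.
# Intervals 0-29 are benign baseline traffic; a flood ramps up from interval 30.
BASELINE: List[int] = [102, 97, 110, 95, 104, 99, 108, 93, 101, 106,
                       98, 103, 96, 109, 100, 94, 105, 101, 97, 107,
                       99, 102, 95, 104, 100, 98, 106, 103, 97, 101]
FLOOD: List[int] = [118, 124, 140, 175, 230, 310, 400, 470, 510, 530]
SYN_COUNTS: List[int] = BASELINE + FLOOD
ATTACK_START: int = len(BASELINE)  # constructed ground truth: index 30


def baseline_stats(train: List[int]) -> Tuple[float, float]:
    """Mean and population std-dev of the benign training window.

    The std-dev is floored at 1.0 so that a perfectly flat training window
    does not collapse every threshold to zero and alarm on any fluctuation.
    """
    return mean(train), max(pstdev(train), 1.0)


def cusum_detect(counts: List[int], train_len: int,
                 k_sigma: float = 0.5, h_sigma: float = 5.0) -> Optional[int]:
    """One-sided CUSUM: S_t = max(0, S_{t-1} + (x_t - mu0) - k); alarm when S_t > h.

    k (the allowance) absorbs normal jitter around the baseline mean; h is the
    decision threshold. Both are expressed in baseline standard deviations.
    Returns the index of the first alarmed interval, or None if no alarm.
    """
    mu0, sigma = baseline_stats(counts[:train_len])
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for t, x in enumerate(counts):
        s = max(0.0, s + (x - mu0) - k)
        if s > h:
            return t
    return None


def ewma_detect(counts: List[int], train_len: int,
                lam: float = 0.3, L: float = 3.0) -> Optional[int]:
    """EWMA control chart: z_t = lam*x_t + (1-lam)*z_{t-1}, z_0 = mu0.

    Alarm when z_t exceeds the upper control limit
    mu0 + L * sigma * sqrt(lam / (2 - lam)), the steady-state EWMA variance
    bound from SPC. Returns the first alarmed index, or None.
    """
    mu0, sigma = baseline_stats(counts[:train_len])
    limit = mu0 + L * sigma * sqrt(lam / (2.0 - lam))
    z = mu0
    for t, x in enumerate(counts):
        z = lam * x + (1.0 - lam) * z
        if z > limit:
            return t
    return None


def detection_delay(alarm: Optional[int], attack_start: int) -> Optional[int]:
    """Intervals elapsed between attack onset and the first alarm (None = missed)."""
    return None if alarm is None else alarm - attack_start


if __name__ == "__main__":
    # Sanity check on benign traffic alone: neither detector should alarm.
    print("false alarm (CUSUM):", cusum_detect(BASELINE, len(BASELINE)))
    print("false alarm (EWMA): ", ewma_detect(BASELINE, len(BASELINE)))
    # Full trace: report detection delay of each method against the known onset.
    c = cusum_detect(SYN_COUNTS, ATTACK_START)
    e = ewma_detect(SYN_COUNTS, ATTACK_START)
    print("CUSUM alarm at", c, "delay", detection_delay(c, ATTACK_START))
    print("EWMA  alarm at", e, "delay", detection_delay(e, ATTACK_START))
```

Running the script first on the benign window alone checks the false-alarm behaviour, then on the full trace reports how many intervals each detector needed after the constructed onset; the allowance k and threshold h (CUSUM) and the smoothing factor lambda and width L (EWMA) are the knobs that trade detection delay against false alarms.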


Short Biography


Jintae Oh: Jintae Oh is a Team Leader and senior researcher of the Security Gateway System team at ETRI. His current research interests are in high-speed pattern matching, anomaly detection algorithms, and high-speed hardware architecture.

Before he joined ETRI as a researcher in 2003, he was a cofounder and CTO of a startup company in St. Louis, Missouri, USA. He developed the pattern matching algorithms used in the first hardware-based commercial Gigabit IDS product in 2002. He worked for a couple of startup companies in St. Louis from 1998. He developed algorithms for a 16 Gbps ATM switch chip, which was transferred to Hanwha Networks, and packet classification algorithms. He was a senior researcher at ETRI from 1992 to 1998. He received an MS degree from the Department of Electronics Engineering, Kyungpook National University, in 1992, and a BS degree from the Department of Electronics Engineering, Kyungpook National University, in 1990.


Seungwon Shin: Seungwon Shin is a Researcher of the Security Gateway System Team at ETRI. His research interests include most aspects of network security, with an emphasis on network anomaly detection and worm and DDoS (distributed denial of service) attack analysis.

He was a senior researcher at Tmax Soft for three years (from 2000 to 2002). He developed a TP-Monitor and a Web Server and took part in various projects aimed at designing system software. He joined ETRI as a researcher at the end of 2002. He received his BS degree in electrical engineering from KAIST (Korea Advanced Institute of Science and Technology) in 1998, and his MS degree in electrical engineering from KAIST in 2000.


Jongsoo Jang: Jongsoo Jang is a Principal Engineer and Director of the Network Security Research Group at ETRI. His current research interests are in policy-based security management, home network security, P2P security, anomaly detection, and high-speed hardware architecture.

He has been a Principal Engineer at ETRI since 1989. He received a Ph.D. degree from the Department of Computer Science, Chungbuk National University, in 2000; an MS degree from the Department of Electronics Engineering, Kyungpook National University, in 1986; and a BS degree from the Department of Electronics Engineering, Kyungpook National University, in 1984.