Title: Timing considerations in detecting resource starvation attacks using statistical profiles

Authors: Colin Pattinson, Kemal Hajdarevic

Addresses: Leeds Metropolitan University, Caedmon Hall, Headingley Campus, Leeds LS6 3QS, UK. ' Central Bank of Bosnia and Herzegovina, M. Tita 25, Sarajevo 71000, Bosnia and Herzegovina

Abstract: Resource starvation Denial of Service (DoS) attacks cause the attacked services to be denied to legitimate users. This paper introduces an approach to proactively detect such a DoS attack in its early development stages and therefore avoid damage. Our approach uses the set of data in the Management Information Base (MIB) retrieved by the Simple Network Management Protocol (SNMP). MIB traffic data (such as origin/destination; TCP connection state) and process table content (memory/CPU utilisation by specific processes) are used to construct performance profiles over long and short time scales. We define appropriate indicators and identifiable steps (check points) where resource starvation DoS attacks are recognised and stopped before they affect a system. By detecting in the early development stages, it is possible to avoid service interruption, system availability problems and other related effects, such as system and bandwidth performance degradation caused by legitimate operations.

Keywords: proactive intrusion attack resolution; short statistical profiles; long-term statistical profiles; simple network management protocol; SNMP; local agents; timing; resource starvation attacks; denial of service; DoS attacks; early detection; electronic security; digital forensics; distributed DoS.

DOI: 10.1504/IJESDF.2007.016868

International Journal of Electronic Security and Digital Forensics, 2007 Vol.1 No.2, pp.194 - 205

Published online: 26 Jan 2008 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article