Proceedings of the 2001 IEEE/IFIP International Symposium on Integrated Network Management

Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study



Abstract

We propose a methodology for utilizing network management systems for the early detection of distributed denial of service (DDoS) attacks. Although a large number of events precede an attack (e.g. suspicious log-ons, start of processes, addition of new files, sudden shifts in traffic, etc.), in this work we depend solely on information from MIB (management information base) traffic variables collected from the systems participating in the attack. Three types of DDoS attacks were effected on a research test bed, and MIB variables were recorded. Using these datasets, we show that there are indeed MIB-based precursors of DDoS attacks that make it possible to detect them before the target is shut down. Most importantly, we describe how the relevant MIB variables at the attacker can be extracted automatically using statistical tests for causality. It is shown that statistical tests applied to the time series of MIB traffic at the target and the attacker are effective in extracting the correct variables for monitoring on the attacker machine. Following the extraction of these key variables at the attacker, it is shown that an anomaly detection scheme, based on a simple model of the normal rate of change of the key MIBs, can be used to determine statistical signatures of attacking behavior. These observations suggest the possibility of an entirely automated procedure, centered on network management systems, for detecting precursors of distributed denial of service attacks and responding to them.
