Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks

Vasilios A. Siris and Fenia Papagalou
Institute of Computer Science (ICS), FORTH and University of Crete

In Proc. of IEEE Globecom 2004 (Security and Network Management Symposium), Dallas, USA, November 2004.
Preprint: PDF


We investigate statistical anomaly detection algorithms for detecting SYN flooding, which is the most common type of Denial of Service (DoS) attack. The two algorithms considered are an adaptive threshold algorithm and a particular application of the cumulative sum (CUSUM) algorithm for change point detection. The performance is investigated in terms of the detection probability, the false alarm ratio, and the detection delay. Particular emphasis is on investigating the tradeoffs among these metrics and how they are affected by the parameters of the algorithm and the characteristics of the attacks. Such an investigation can provide guidelines to effectively tune the parameters of the detection algorithm to achieve specific performance requirements in terms of the above metrics.

Keywords: denial of service, change point detection, intrusion detection
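As an added illustration, not code from the paper, the following runs the two detector families the abstract names, an adaptive threshold test and a one-sided CUSUM, over a constructed series of per-interval SYN counts and reports the detection delay. The exact statistics, parameter names (k, h, beta, consecutive) and thresholds are assumptions for this example.

```python
# Added example, not from the paper: adaptive threshold and CUSUM detectors over
# per-interval SYN counts, both using an EWMA baseline. The precise statistic and
# parameters used in the paper are assumed here, not reproduced.

def ewma(mean, x, beta=0.9):
    """Slowly adapting baseline of SYN counts per interval."""
    return beta * mean + (1 - beta) * x

def adaptive_threshold(counts, k=0.5, consecutive=2, beta=0.9):
    """Alarm when the count exceeds (1+k) times the baseline in `consecutive`
    successive intervals. Returns the interval indices that raised alarms."""
    alarms, run, mean = [], 0, float(counts[0])
    for i, x in enumerate(counts[1:], start=1):
        if x > (1 + k) * mean:
            run += 1
        else:
            run = 0
            mean = ewma(mean, x, beta)  # adapt only on non-suspect intervals
        if run >= consecutive:
            alarms.append(i)
    return alarms

def cusum(counts, k=0.5, h=2.5, beta=0.9):
    """One-sided CUSUM on the count's excess over (1+k)*baseline, normalised by
    the baseline so one (k, h) works across links of different load."""
    alarms, g, mean = [], 0.0, float(counts[0])
    for i, x in enumerate(counts[1:], start=1):
        g = max(0.0, g + (x - (1 + k) * mean) / mean)
        if g > h:
            alarms.append(i)
        if g == 0.0:  # no evidence accumulating: safe to adapt the baseline
            mean = ewma(mean, x, beta)
    return alarms

def detection_delay(alarms, attack_start):
    """Intervals of attack traffic seen before the first alarm (None if never)."""
    first = next((a for a in alarms if a >= attack_start), None)
    return None if first is None else first - attack_start + 1

# Constructed sample: 20 normal intervals (~100 SYNs each), then a flood at
# roughly three times the baseline starting at interval 20.
NORMAL = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
          105, 99, 101, 98, 103, 100, 97, 102, 99, 101]
FLOOD = [300, 310, 295, 305, 300, 298]
ATTACK_START = len(NORMAL)
COUNTS = NORMAL + FLOOD

if __name__ == "__main__":
    for name, fn in (("adaptive threshold", adaptive_threshold), ("CUSUM", cusum)):
        a = fn(COUNTS)
        print(f"{name}: first alarm at interval {a[0] if a else None}, "
              f"delay {detection_delay(a, ATTACK_START)} interval(s)")
```

Raising h or `consecutive` lowers the false alarm ratio on bursty normal traffic at the cost of a longer detection delay, which is the tradeoff the abstract describes.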

