Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features
Dimitris Gavrilis, Evangelos Dermatas
*Department of Electrical Engineering and Computer Technology, University of Patras, Kato Kastritsi, 26500 Patras, Greece
Received 17 July 2003; received in revised form 12 April 2004; accepted 6 August 2004. Available online 21 December 2004.
Responsible Editor: Z.-L. Zhang
Abstract
In this paper we present and evaluate a Radial-basis-function neural network detector for Distributed-Denial-of-Service (DDoS) attacks in public networks, based on statistical features estimated in short-time window analysis of the incoming data packets. A small number of statistical descriptors were used to describe the behaviour of DDoS attacks, and an accurate classification is achieved using Radial-basis-function neural networks (RBF-NN). The proposed method is evaluated in a simulated public network and showed a detection rate better than 98% of DDoS attacks using only three statistical features estimated from one window of data packets of 6 s length. The same type of experiments were carried out on a real network, giving significantly better results: a 100% DDoS detection rate is achieved together with a 0% false alarm rate using different statistical descriptors and training conditions for the RBF-NN.
© 2004 Elsevier B.V. All rights reserved.
Keywords: Intrusion detection; Denial-of-service attacks; RBF networks; Neural networks; Computer security
1. Introduction
In recent years there has been a sudden increase of network-based intrusion and Distributed Denial of Service (DDoS) attacks. Especially after the year 2000 the problem has grown enormously, increasing the cost of losses to billions of US dollars. Major commercial web sites have been disabled for several hours due to such attacks. DDoS attacks usually do not take advantage of some security flaw; instead they make legitimate use of a service until all the resources that this service uses are exhausted [14]. The attacker increases the number of network processes requiring significant computer resources: CPU load, memory, disk space, and network bandwidth. This characteristic of those attacks makes them difficult to detect, especially in large commercial networks such as yahoo.com or amazon.com, which serve hundreds or maybe thousands of users per minute. When the flow of packets on a network suddenly increases we cannot be certain whether it is because a DDoS attack is in progress or because too many users happen to use that service at that time [16]. Commercial DDoS detection systems [13,16–19] have high false-alarm rates, producing hundreds of false alarms per day, because it is often difficult to select manually the identification conditions for a great number of attacks and their variants [17–19,2].

1389-1286/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2004.08.014
* Corresponding author. Tel.: +30 261 099 6476.
E-mail addresses: [email protected] (D. Gavrilis), [email protected] (E. Dermatas).
1.1. Network-based intrusion and DDoS attacks
A great number of methods for recognizing intrusion and DDoS attacks have already been presented [4–25]. In [4], the Articon-Integralis group discusses the specification and test process of Intrusion Detection Systems and proposes a detailed topology, machines and attack scenarios that were used to make the assessment. Network Intrusion Detection System technology is described in [5], comparing the two most popular methods: pattern searching and protocol analysis. Protocol analysis can usually detect the true signature of the intrusion when it is hidden in the protocol; in this case most pattern-search methods fail to detect the intrusion. A common protocol analysis is based on a decision tree. The computational effort of the tree search increases significantly in case of intrusion or DDoS attacks, so the Network Intrusion Detection System would overload and eventually shut down.
An intrusion detection approach has been proposed by Me (in [6]) based on predefined attack scenarios and using a genetic algorithm. Taking into account that pattern-searching methods are NP-complete problems, a genetic algorithm is used to reduce the computations in 'the security audit trail analysis problem'. The experimental evaluation showed successful detection of the attacks after 20 generations, giving a detection rate of 99% after 100 generations. If the number of attacks coded in the Attacks–Events matrix grows, the final generation number has to increase to keep the detection quality at the same level.
In [1], Mell et al. describe an intrusion detection system (IDS) made resistant to flooding DoS attacks using a combination of techniques: the critical IDS components are made invisible to the attacker, and the critical IDS components are made adaptive to flooding DoS attacks. The authors do not prevent an attacker from launching attacks but instead make the significant targets invisible, which forces the attacker to fire blindly.
Recently neural network architectures for intrusion detection have been proposed [12,20,22,21]. A backpropagation neural network (multilayer perceptron) has been presented by Ryan et al. [3]. The neural network is trained to identify users based on what commands they use during a day. In a system of 10 users and a dataset collected for 12 days, the neural network was 96% accurate in detecting anomalous behaviour, with a false alarm rate of 7%. In [7] an adaptive intrusion detection system for TCP/IP networks is described based on neural networks. The training process is based on previously well-known intrusion profiles, and the adaptation capability is realized by re-training the neural network using new profiles. The system is based on the fact that an intrusion can be detected from an analysis of predetermined models for both normal and intrusion actions. The best performance of approximately 95% has been achieved using a two-hidden-layer perceptron neural network (20-5-1 neurons per layer) trained by the error backpropagation algorithm.
The well-known K-nearest Neighbor Classifier (KNNC) has been evaluated in [8] to categorize a process into the normal or the intrusive class using the system calls made over each program execution. The computational load of the KNNC is partially addressed by processing the restricted set of system calls (less than 100 in DARPA BSM data), while a typical pattern-searching intrusion detection system at shell level could have over 15,000 unique words. The KNNC calculates the similarity between the new process and each training process instance using the assumption that processes belonging to the same class will cluster together in the vector space. The KNNC is applied to the 1998 DARPA data. The audit data were collected on a traffic simulator of an Air Force Local Area Network. The system is extensively evaluated, giving an excellent detection rate. When the number of simultaneous processes increases, the detector is computationally expensive for real-time implementation on some computers. On the same dataset (1998 DARPA) a statistical traffic model for detecting novel attacks has been presented in [15]. The model's effectiveness in discriminating normal connections from DoS attacks is quantified by plotting Receiver Operating Characteristic curves. The Kolmogorov–Smirnov test is used as a classifier between the normal and the attack conditions by processing the statistical differences of the number of bytes from the responder, and the responder–originator byte ratio.
Recently, Streilein et al. [21] presented neural network classifiers based on the multilayer perceptron for accurate detection of several classes of attacks, including stealthy probes and novel DDoS attacks. The neural-based detection system achieves a recognition rate of 100% with a false alarm rate of 0.1% when tested against stealthy attacks in the DARPA 1999 IDS Evaluation data. From the original extended set of features, the authors eliminate the least effective ones, proposing a minimal set of only five features.
1.2. The DDoS attacks
As reported in [23], where a structural approach to DDoS attacks and the defense mechanisms can be found, DDoS attacks can be classified into five categories. The most important are TCP flooding, UDP flooding, ICMP flooding and Smurf attacks. The first three attempt to flood a network with TCP [10,11], UDP and ICMP traffic respectively, so as to exhaust the network's or the server's resources. The latter works in a different manner and does not pose a threat when certain modifications are made in the network's devices. DoS attacks performed using ICMP messages usually succeed because the victim host does not maintain enough information on the message communication [9]. However, with the appropriate modifications, they can be prevented. The most important work is concentrated on the first type of attack because TCP is the most widely used protocol and WWW is the most widely used service on the Internet. The same mechanism can be applied successfully to both the UDP and ICMP protocols. In a great number of Internet sites, DDoS attack tools are available.
After an analysis of the available tools that perform DDoS attacks, it is found that a DDoS attack has the following characteristics:
(a) The source IP of the packets is set randomly.
(b) The source and the destination port of the packets are set randomly.
(c) Some of the flags (URG, ACK), fragmentation, TCP options, TTL and the client's SEQ number are assigned by a pseudorandom generator.
In most tools, multiple instances of the application (usually residing on multiple machines) communicate with each other and coordinate during the attack. The packets can be sent to the target(s) in bursts or in a continuous flow.
2. System innovations
Every robust DDoS detection system must satisfy some important specifications: (a) very high detection rates with minimal false alarm rates, (b) real-time detection with low memory and CPU-time requirements, (c) invariance to evolutionary trends in DDoS attacks, network topology and the variations of the normal data-exchange rates, (d) minimum interference of the DDoS detector with the traffic. In the direction of building efficient DDoS detectors, we present a system providing a number of important innovations:
(a) A small and robust set of normalized statistical features is used for monitoring the statistical properties of the data exchange packets in the network. The computationally efficient feature set is used to distinguish in real time the normal network traffic from the suddenly increased packet flow of a DDoS attack within very short time intervals.
(b) The feature space presents reduced variance across different DDoS attacks, giving very high detection rates that are almost independent of the DDoS implementation details.
(c) Even in the case of very fast networks, accurate estimation of the statistical features can be obtained by processing a subset of the packets transferred on the network.
(d) Even in the case of a complex distribution of the feature vector, the effective Radial-Basis-Function neural network (RBF-NN) is used to distinguish DDoS attacks from the normal traffic. The well-developed theoretical analysis of the RBF-NN [24] introduces a number of significant advantages over multilayer perceptrons. The RBF-NN detector is a two-layer neural network. In the first (hidden) layer the neurons implement a radial function, while the output neurons implement a weighted sum of the hidden neuron outputs. The excellent approximation properties of the RBF-NN allow for complex non-linear mappings by modifying only the number of hidden neurons, which simplifies the computational complexity in both the activation and the training process. Moreover, much faster learning rates and smaller approximation errors, with an extremely low probability of converging to local minima, have been measured in a great number of applications.
3. System description
The system consists of three sequentially connected modules:
Data collector. A sniffer captures the following data fields for each packet: Source Port, SEQ number of the client, Window size, and the Syn, Ack, Fin, Psh, Urg, Rst flags. The timestamp for each packet is also recorded in order to group the packets into overlapping timeframes. The number of distinct Source Ports and Window size values is estimated for each timeframe. The SEQ number is a 32-bit random number produced by the client as an identification for a certain TCP connection. The estimation of the distinct SEQ numbers requires significant memory space and computing power. Experimental results showed that, although the SEQ number varies across clients, the upper 16 bits are adequate for estimating the SEQ numbers' feature. The upper 16 bits can store the necessary information in an array of 65,535 bytes.
The statistics gathered for each timeframe are the frequency of occurrence of each of the following six flags being set: Syn, Ack, Fin, Psh, Urg, Rst. In extended experiments it has been found that these flags contain significant information related to the presence of a DDoS attack. The Source IP Address is not used in the recognition process, even though it provides significant information, because storing the individual addresses requires a substantial amount of computing power. Additionally, it was decided not to use the packet length information because it would make the DDoS detector service specific (e.g. only for www). In the same experiments it is shown that other data transferred by the TCP/IP packets, such as the Time-to-Live field, do not contain information related to the presence of a DDoS attack.
Features estimator. The frequency of the flags and the number of distinct values for the Source Port, SEQ number, and Window size are estimated for each timeframe. The statistical features for the six flags in each timeframe are the probabilities of each flag being set. For the SEQ number, the Window Size and the Source Port, the number of distinct values is divided by the total number of packets in the timeframe.
DDoS detector. The nine-feature vector is used to activate a two-output RBF network at each timeframe. The most active output neuron signals the presence of a DDoS attack or characterizes the timeframe as normal traffic. In the experiments it is shown that a small number of hidden neurons can be used to achieve high detection rates of DDoS attacks. Moreover, the RBF-NN classification capabilities are studied using an extremely small input vector containing only three features.
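As an added illustration (not code from the paper), the following Python implements the data collector and features estimator described above: packets are grouped into overlapping timeframes, and each frame yields the nine features (flag probabilities and distinct-value ratios, counting only the upper 16 bits of the SEQ number) and the reduced three-feature vector. The packet record, the www-like traffic and the flood traffic are constructed here; the field names, the traffic generators and the 6 s / 1 s defaults are assumptions, not the paper's data.

```python
import random
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Constructed packet record with the fields the paper's data collector keeps:
# timestamp, source port, client SEQ number, window size and the set of flags.
Packet = namedtuple("Packet", "ts sport seq window flags")
FLAGS = ("syn", "ack", "fin", "psh", "urg", "rst")


def timeframes(packets: List[Packet], size: float, step: float) -> List[Tuple[float, List[Packet]]]:
    """Group packets into overlapping timeframes of `size` seconds advanced by `step`.
    Returns (frame start time, packets in frame) pairs."""
    if not packets:
        return []
    packets = sorted(packets, key=lambda p: p.ts)
    frames, start, t_end = [], packets[0].ts, packets[-1].ts
    while start <= t_end:
        frames.append((start, [p for p in packets if start <= p.ts < start + size]))
        start += step
    return frames


def features(frame: List[Packet]) -> Optional[Dict[str, float]]:
    """The nine features of one timeframe: P(flag set) for the six flags, and the number
    of distinct Source Ports, SEQ prefixes and Window sizes divided by the packet count.
    Returns None for an empty frame."""
    n = len(frame)
    if n == 0:
        return None
    vec = {f: sum(1 for p in frame if f in p.flags) / n for f in FLAGS}
    vec["sport"] = len({p.sport for p in frame}) / n
    vec["seq"] = len({p.seq >> 16 for p in frame}) / n  # upper 16 bits only (Sec. 3)
    vec["window"] = len({p.window for p in frame}) / n
    return vec


def reduced(vec: Dict[str, float]) -> Tuple[float, float, float]:
    """The reduced vector of Sec. 5.1: Source Port, SEQ number and Syn flag features."""
    return (vec["sport"], vec["seq"], vec["syn"])


def normal_traffic(rng: random.Random, t0: float, seconds: float,
                   clients: int = 200, pkts_per_client: int = 10) -> List[Packet]:
    """Constructed www-like traffic: each client opens one short connection (SYN first,
    then ACK/PSH data) from a fixed source port with SEQ numbers that advance."""
    pkts = []
    for _ in range(clients):
        sport, seq = rng.randrange(1024, 65536), rng.getrandbits(32)
        window, t_conn = rng.choice((8192, 16384, 65535)), t0 + rng.random() * seconds
        for i in range(pkts_per_client):
            flags = frozenset({"syn"}) if i == 0 else frozenset({"ack", "psh"})
            pkts.append(Packet(t_conn + i * 0.05, sport, (seq + i * 100) & 0xFFFFFFFF,
                               window, flags))
    return pkts


def flood_traffic(rng: random.Random, t0: float, seconds: float, count: int = 3000) -> List[Packet]:
    """Constructed flood with the characteristics listed in Sec. 1.2: every packet carries
    a pseudorandom source port, SEQ number and window size, and has SYN set."""
    return [Packet(t0 + rng.random() * seconds, rng.randrange(1024, 65536),
                   rng.getrandbits(32), rng.randrange(1, 65536), frozenset({"syn"}))
            for _ in range(count)]


def trace_features(size: float = 6.0, step: float = 1.0) -> List[Tuple[float, Tuple[float, float, float]]]:
    """Constructed 60 s trace: normal traffic throughout and a flood during seconds 30-60.
    Returns (frame start, reduced feature vector) for every non-empty timeframe."""
    rng = random.Random(7)
    pkts = normal_traffic(rng, 0.0, 60.0, clients=400) + flood_traffic(rng, 30.0, 30.0, count=4000)
    rows = []
    for start, frame in timeframes(pkts, size, step):
        vec = features(frame)
        if vec is not None:
            rows.append((start, reduced(vec)))
    return rows


if __name__ == "__main__":
    for start, (sport, seq, syn) in trace_features():
        print(f"t={start:5.1f}s  sport={sport:.2f}  seq={seq:.2f}  syn={syn:.2f}")
```

Running the script prints the three ratios per frame; they stay near 0.1 while only the constructed www traffic is present and jump once the flood starts, and the frames straddling the attack onset show intermediate values, which is the transition effect reported in Section 6.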
4. The RBF-NN training process
The gathered data were used to create two different training scenarios. In the first scenario the DDoS detector is trained using normal www and pure DDoS traffic. In the second scenario the pure DDoS traffic was replaced by the data collected when the DDoS hits the server which serves the normal traffic. In both training scenarios different normal and combined traffic is used to estimate the RBF-NN efficiency, as shown in Fig. 1.
The network's efficiency was measured for a number of hidden neurons ranging from 1 to 20. A mixture of Gaussian functions was used as the RBF's non-linear function. The mean and variance of the Gaussian functions were estimated using the K-means clustering algorithm [24]. It is well known that the initial centers of K-means significantly influence the quality of the training process. A good selection of the initial centers led to significantly better classification rates for different network topologies. Therefore, the K-means centers which minimize the quantization error over the training data are selected from a set of multiple local-minimum center sets. The multiple local-minimum solutions are created by applying the K-means algorithm with different initializations.
During the center re-estimation process of the K-means algorithm the variance of some flags was zero (e.g. the RST and URG flags) or very close to zero. In this case, the algorithm fails to continue or converges to an extremely bad local minimum, decreasing significantly the classification efficiency of the RBF-NN. To overcome this problem, a minimum value for the estimated variance was experimentally derived, giving significantly better classification rates.
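To make the training procedure concrete, here is an added Python example (not the authors' code) of the RBF-NN detector of Sections 2–4: K-means is run from several initializations and the centers with the lowest quantization error are kept, the per-dimension variance of each cluster is floored so that a never-set flag cannot produce a zero divisor, the hidden units are diagonal Gaussians, and the two-output layer is fitted by least squares. The per-timeframe feature vectors are constructed; the floor value, the ridge term and least-squares output training are assumptions where the paper gives no detail.

```python
import math
import random
from typing import List, Sequence, Tuple


def kmeans(data, k, rng, iters=100):
    """Lloyd's K-means from one random initialization: returns (centers, member groups)."""
    centers = [list(c) for c in rng.sample(data, k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for x in data:
            groups[min(range(k), key=lambda j: sum((a - b) ** 2 for a, b in zip(x, centers[j])))].append(x)
        new = [[sum(x[i] for x in g) / len(g) for i in range(len(c))] if g else c
               for c, g in zip(centers, groups)]
        if new == centers:
            break
        centers = new
    return centers, groups


def best_kmeans(data, k, rng, restarts=10):
    """Keep, over several initializations, the centers with the smallest quantization error (Sec. 4)."""
    best = None
    for _ in range(restarts):
        centers, groups = kmeans(data, k, rng)
        err = sum(min(sum((a - b) ** 2 for a, b in zip(x, c)) for c in centers) for x in data)
        if best is None or err < best[0]:
            best = (err, centers, groups)
    return best[1], best[2]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting: returns x with a x = b (b may have several columns)."""
    n = len(a)
    m = [list(a[i]) + list(b[i]) for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n:] for row in m]


class RBFDetector:
    """Two-layer RBF network: diagonal-Gaussian hidden units placed by K-means and a linear
    two-output layer fitted by ridge least squares; the more active output neuron decides."""
    def __init__(self, hidden: int, min_var: float = 1e-4, ridge: float = 1e-6, seed: int = 0):
        self.hidden, self.min_var, self.ridge, self.seed = hidden, min_var, ridge, seed

    def fit(self, data: List[Sequence[float]], labels: List[int]) -> "RBFDetector":
        self.centers, groups = best_kmeans(data, self.hidden, random.Random(self.seed))
        # Per-dimension cluster variance; a never-set flag gives exactly 0.0, which the
        # floor replaces so the Gaussian below does not divide by zero (the paper's fix).
        self.variances = [[max(sum((x[i] - c[i]) ** 2 for x in g) / max(len(g), 1), self.min_var)
                           for i in range(len(c))] for c, g in zip(self.centers, groups)]
        h_mat = [self._hidden(x) + [1.0] for x in data]  # hidden outputs plus bias input
        targets = [[1.0, 0.0] if y == 0 else [0.0, 1.0] for y in labels]
        n = self.hidden + 1
        hth = [[sum(h[i] * h[j] for h in h_mat) + (self.ridge if i == j else 0.0)
                for j in range(n)] for i in range(n)]
        htt = [[sum(h[i] * t[o] for h, t in zip(h_mat, targets)) for o in range(2)]
               for i in range(n)]
        self.weights = solve(hth, htt)  # (hidden + 1) x 2 output-layer weights
        return self

    def _hidden(self, x: Sequence[float]) -> List[float]:
        return [math.exp(-0.5 * sum((x[i] - c[i]) ** 2 / v[i] for i in range(len(c))))
                for c, v in zip(self.centers, self.variances)]

    def outputs(self, x: Sequence[float]) -> List[float]:
        h = self._hidden(x) + [1.0]
        return [sum(h[i] * self.weights[i][o] for i in range(len(h))) for o in range(2)]

    def predict(self, x: Sequence[float]) -> int:
        out = self.outputs(x)
        return 0 if out[0] >= out[1] else 1  # 0 = normal traffic, 1 = DDoS


def make_frames(rng: random.Random, n: int = 40) -> Tuple[list, List[int]]:
    """Constructed per-timeframe vectors (sport, seq, syn, rst ratios); RST is never set, so
    its variance is exactly zero in both classes, as the paper observed for RST and URG."""
    normal = [(0.10 + rng.uniform(-0.05, 0.05), 0.12 + rng.uniform(-0.05, 0.05),
               0.10 + rng.uniform(-0.05, 0.05), 0.0) for _ in range(n)]
    attack = [(0.95 + rng.uniform(-0.04, 0.04), 0.95 + rng.uniform(-0.04, 0.04),
               0.95 + rng.uniform(-0.04, 0.04), 0.0) for _ in range(n)]
    return normal + attack, [0] * n + [1] * n


def train_demo(hidden: int = 2) -> Tuple[RBFDetector, float]:
    """Train on the constructed frames; returns the detector and its training accuracy."""
    data, labels = make_frames(random.Random(1))
    det = RBFDetector(hidden).fit(data, labels)
    return det, sum(det.predict(x) == y for x, y in zip(data, labels)) / len(data)


def fails_without_floor() -> bool:
    """True when training with no variance floor dies on the zero-variance RST feature."""
    try:
        RBFDetector(2, min_var=0.0).fit(*make_frames(random.Random(1)))
        return False
    except ZeroDivisionError:
        return True
```

With the floor in place the RST dimension gets the minimum variance and contributes nothing to the Gaussian exponent; without it the hidden layer cannot even be evaluated, which is the failure the text describes.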
5. Experimental evaluation
The evaluation process is divided into three steps. In the first step the packets are captured from the network using a Linux-based sniffer placed on a monitoring host; the sniffer is based on the popular libpcap library and, while in capture mode, a filter was used to monitor traffic for the www service only. In the second step, the captured packets for some scenario are grouped into timeframes and the statistical features for each timeframe and overlap time size are produced. The data were grouped into 18 different timeframes ranging from 5 to 18 s, with an overlap time from 1 to 6 s. In the final step, the feature data were used to train and evaluate the RBF-NN.
The DDoS attack was carried out using the program Tribe Flood Network (TFN2k). The sniffer recorded an actual attack, normal www requests only, and traffic generated only by the TFN2k program. It is possible that the sniffer could "miss" some packets, especially when the packet rate is very high. The missing data does not influence the system's performance, due to the statistical nature of the features.
5.1. The features set
Two different feature sets were used to evaluate the RBF-NN detection efficiency, depending on the number of features used to build the input vector. In many cases the original set of 9 statistical features surpassed 98% correct classification. During the experiments it was also noticed that many of the fields of the input vector, such as the Time-to-Live, the Window Size and some of the Flags, did not contain sufficient information to contribute to the DDoS detection process. This, along with the excellent system performance, led to an evaluation using the reduced set of 3 input features (Source Port, SEQ number, Syn flag). This set of features can be estimated in real time using conventional low-cost computing systems. We considered those three features to be the most important, except for the Source IP Address, which we did not use in order to keep the computing resources, in both computational complexity and memory requirements, of the RBF-NN-based DDoS detection system to a minimum. The correct classification rate was in most cases as close as the 9-feature rate. This figure verified the initial assumptions about the nature of the input fields.
Fig. 1. Time frames and a DDoS attack in the bold line: normal traffic (0), DDoS and normal traffic (1).
5.2. The experiments
The proposed RBF-NN detector was trained and evaluated in two experiments.
In the first experiment, a 100 Mbps network was set up and the Web Application Stress Tool from Microsoft Corp. was used to simulate the clients. An entire web site was mirrored on the test server and actual users surfed the site. The users' responses, the pages they surfed, the delay time between hits, etc., are recorded and saved as user profiles using the Web Application Stress Tool (a tool that sends HTTP requests to a web server using actual profiles).
The SEQ numbers and the Source Ports for a recorded session did not correspond to the real ones because they were produced by the same client machine (which simulated thousands of different clients). In order to overcome this problem, the distinct TCP sessions are recognised and the SEQ and Source Port numbers are modified according to the protocol rules. While parsing the file containing the captured packets, each distinct connection is recognised using the information provided by the source port and the client's SEQ number. After a connection has been found, a random number is generated which replaces the client's SEQ number. The new SEQ number is modified in the same way as the old one during data exchange between the client and the server, thus following the TCP/IP protocol rules. Several experiments were conducted, producing normal www traffic of 1 min total length, DDoS traffic of 1 min total length and combined traffic of 3 min total length.
In the second experiment, a DDoS attack was launched on the main web server of the University of Patras central library. This is probably the web server with the most hits in the university, as it serves over 25,000 users. The recorded packets for the normal traffic were 78,361 (60 min duration). For the DDoS attack they were 73,677 (1 min duration) and for the combined traffic 822,655 (6 min duration). During the combined traffic experiment, in the first 3 min there was normal traffic and after the 3rd minute the attack started.
6. Experimental results on the simulated network
The RBF-NN has a better classification rate in the first experiment when the second training scenario (Sen2) is used to estimate the NN synaptic weights than with the first training scenario (Sen1), as shown in Figs. 2 and 3, where the correct classification rate for both feature sets (9in: original feature vector, 3in: reduced feature vector) is plotted for different timeframe sizes. These results are typical in pattern recognition experiments, where the second training scenario describes the pattern distribution in the feature space better than the training data of the first scenario. In the second scenario simultaneous normal traffic and a DDoS attack are recorded: the training and the evaluation data describe the same type of traffic. In the case where the overlap time was 2 s (Fig. 2) and the RBF-NN is trained with the second dataset, an almost 20% better classification rate is obtained compared with the rate obtained by the RBF-NN trained with the first dataset. In addition, a comparison between the two figures showed better classification rates in the case where the overlap step is set to 1 s, giving the best results when the RBF-NN is trained with the second dataset.
In both training datasets, the 3-feature NN is expected to behave worse than the RBF-NN processing the 9-feature vector. However, the experimental results (Figs. 2 and 3) showed a better classification rate for the 3-feature vector. This unexpected behaviour is caused by the insufficient number of training examples. In regression problems where a great number of unknown parameters are met, the size of the training data must be increased enormously to obtain sufficient generalization capabilities. In the case of the 9-feature input vector, the number of training examples is insufficient to embody generalization capabilities in the synaptic weights.
As the timeframe increases, the correct classification rate is expected to improve. In general, that is the case in most of the experiments using the training data derived from the first scenario (Fig. 4). Classification rates better than 94% were achieved using the complete set of features and timeframe sizes greater than 10 s. A totally different picture is met in the case where the RBF-NN is trained using the second scenario training data (Fig. 5). Generally, the correct classification rate decreases when the timeframe size increases. The best classification rate of 99% was achieved using a 6 s window timeframe and the original 9-feature vector. A small timeframe is preferable in applications because the features estimation module is faster.

Fig. 2. Correct classification rate for the simulated network and 2 s overlapping step.
Generally, it is easier to obtain the first scenario dataset, because the only required information is normal and pure DDoS traffic data, while in the case of the second scenario a combined traffic signature is needed. The best correct classification rate of 94.5% was achieved using the first scenario data, the original feature vector consisting of 9 components, a 12 s timeframe and 1 s overlap step. Under the same conditions, the DDoS detection rate was 91.8% when the 3-feature vector is used. In the second scenario the best correct identification rate was 98.97% (6 s timeframe and 1 s step) for both feature vectors. In any case, the correct classification rate did not fall under 92% (16 s timeframe and 2 s step).
In Fig. 6 the correct classification rate versus the number of RBF weights is shown. The number of RBF weights capable of producing correct classification rates of more than 99% varies from 70 to 90 and refers to an RBF-NN trained with the second scenario data.
The DDoS detection errors occurred only at the timeframes where the attack begins or at the timeframe where the attack ends (Fig. 1, timeframes no. 5, 43, 75). In these timeframes transition phenomena distort the statistical features. In timeframes 5 and 75 the DDoS starts to hit the network, while in the timeframe where it ends some DDoS packets remain in the traffic.
7. Experimental results on the real network
In the case of the real network (second experiment), the results are surprisingly better. The correct identification rate of the RBF-NN was 100% when the number of hidden neurons is greater than 3, as shown in Fig. 6 (D1: simulated and D2: real network). The results show that in the worst case, when the RBF-NN is trained using the first scenario data, the correct identification was better than 98%. If the RBF-NN is trained using the second scenario data, the correct identification rate was 100% for all timeframes and overlapping steps.
8. DDoS detection on the UDP protocol
While all our experiments so far are concerned with the TCP/IP protocol, the same recognition mechanism should also detect DDoS attacks on the UDP protocol. To evaluate the DDoS detector, preliminary experiments were carried out using the RBF-NN and only two features: the Source Port and the Time-to-Live, which are both used in the UDP protocol. An RBF-NN with 3 up to 20 hidden neurons was trained using 186 examples, and the detector was evaluated using a different set of 195 examples, established on the simulated network. The correct classification rate in all experiments was better than 83.59%, reaching its maximum (87.69%) when 8 hidden neurons were used. The experimental results were almost as good as with the TCP protocol, but with a slightly smaller efficiency.
9. Conclusions
DDoS attacks are becoming one of the Internet's most critical problems. With the Internet's speeds increasing, the need for lighter and more efficient detection systems is growing. It is shown that the proposed method can successfully identify known DDoS attacks with very high detection rates. It can be easily implemented and integrated into any network because it is a passive monitoring system requiring very few computing resources, since it uses statistical features.
Today, the most widely used method for preventing Denial of Service attacks is to block all packets that don't belong to an established connection once a DDoS attack has been recognized. This procedure takes place within a time frame during which the DDoS detector monitors the network while allowing all packets to pass. If a DDoS is detected, all packets that don't belong to an established connection are blocked. Thus, the proposed method can be easily integrated with existing technologies to prevent such attacks.
A most challenging task is to effectively block a DDoS attack without interfering with normal traffic. The task of selectively blocking packets that are presumed to belong to an attack session is extremely difficult and has never been attempted. Also the use of more advanced DDoS tools than those that exist today must be considered.
Another method of preventing an attack is to search for patterns in the network packets when a DDoS attack has been recognized and then to block the packets that follow a specific statistical pattern. This can be successfully implemented if we assume known DDoS attacks. Each of those tools has a specific signature that allows it to be detected. However, someone could write a new tool that follows a different pattern. In such a case, if a DDoS detector isolates the DDoS packets, the development of automatic blocking methods for the DDoS packets can be used to eliminate the influence of the DDoS attacks, especially in large networks.
Fig. 6. Correct classification rate versus the number of weights for the best timeframe configuration, the simulated (D1) and the real (D2) network.

References
[1] P. Mell, D. Marks, M. McLarnon, A denial-of-service, Computer Networks 34 (2000) 641–658.
[2] T. Ptacek, T. Newsham, Insertion, Evasion, and Denial-of-Service: Eluding Network Intrusion Detection, Secure Networks Inc., 1998.
[3] J. Ryan, M. Lin, R. Miikkulainen, Intrusion detection with neural networks, in: Advances in Neural Information Processing Systems, vol. 10, MIT Press, Cambridge, MA, 1998.
[4] R. Barder, The evolution of intrusion detection systems—the next step, Computers & Security 20 (1) (2001) 132–145.
[5] R. Graham, NIDS-pattern search vs. protocol decode, Computers & Security 20 (1) (2001) 37–41.
[6] L. Me, GASSATA, A genetic algorithm as an alternative tool for security audit trails analysis, First International Workshop on the Recent Advances in Intrusion Detection, Belgium, 1998.
[7] J. Bonifacio, A. Casian, CPLF de A. Carvalho, E. Moreira, Neural networks applied in intrusion detection systems, in: Proceedings of the World Congress on Computational Intelligence—WCCI, Anchorage, USA, 1998, pp. 205–210.
[8] Y. Liao, R. Vemuri, Use of K-nearest neighbor classifier for intrusion detection, Computers & Security 21 (5) (2001) 439–448.
[9] M. Baltatu, A. Lioy, F. Maino, D. Mazzocchi, Security issues in control, management and routing protocols, Computer Networks 34 (2000) 881–894.
[10] Y.W. Chen, Study on the prevention of SYN flooding by using traffic policing, IEEE Symposium on Network Operations and Management, 2000, pp. 593–604.
[11] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, Analysis of a denial-of-service attack on TCP, in: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, USA, 1997, pp. 208–223.
[12] R. Lippmann, R. Cunningham, Improving intrusion detection performance using keyword selection and neural networks, Computer Networks 34 (2000) 596–603.
[13] W. Schwartau, Surviving denial-of-service, Computers & Security 18 (2) (1999) 124–133.
[14] F. Lau, S. Rubin, M. Smith, L. Trajkovic, Distributed denial-of-service attacks, in: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, vol. 3, 2000, pp. 2275–2280.
[15] J. Cabrera, B. Ravichandran, R. Mehra, Statistical traffic modeling for network intrusion detection, IEEE International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, 2000, pp. 466–473.
[16] D. Cox, K. McClanahan, Method for blocking denial of service and address spoofing attacks on a private network, Patent WO9948303, Cisco Tech Ind (US), 1999.
[17] K. Narayanaswamy, T. Ross, B. Spinney, M. Paquette, C. Wright, System and process for defending against denial of service attacks on network nodes, Patent WO0219661, Top Layer Networks Inc. (US), 2002.
[18] R. Maher, V. Bennett, Method for preventing denial of service attacks, Patent WO0203084, Netrake Corp (US), 2002.
[19] J. Belissent, Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests, Patent WO0201834, Sun Microsystems Inc. (US), 2002.
[20] A. Bivens, C. Palagiri, R. Smith, B. Szymanski, M. Embrechts, Network-based intrusion detection using neural networks, Artificial Neural Networks in Engineering, St. Louis, Missouri, November 10–13, 2002.
[21] W. Streilein, R.K. Cunningham, S.E. Webster, Improved detection of low-profile probe and novel denial-of-service attacks, Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Baltimore, Maryland, June 2002, pp. 11–13.
[22] H. Debar, M. Baker, D. Siboni, A neural network component for an intrusion detection system, in: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1992.
[23] C. Douligeris, A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks 44 (5) (2004) 643–666.
[24] S. Haykin, Neural Networks: A Comprehensive Foundation, Prentice Hall, Upper Saddle River, NJ, 1994.
Dimitris Gavrilis received the Diploma in Electrical Engineering from the University of Patras in 2002. He is currently a Ph.D. candidate in the Department of Electrical and Computer Engineering of the University of Patras. His research interest areas include computer security, intrusion detection, pattern recognition and information extraction.
Evangelos Dermatas is Assistant Professor at the Department of Electrical and Computer Engineering of the University of Patras, Patras, Hellas. He received his Diploma and Ph.D. degrees from the Department of Electrical Engineering of the University of Patras, Patras, Hellas in 1985 and 1991 respectively. His research interest areas include: statistical signal processing, pattern recognition, computer security and information extraction.