Publication Abstract

Streilein, W. W., Fried, D. J., Cunningham, R. K., Detecting Flood-based Denial-of-Service Attacks with SNMP/RMON, Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Fairfax VA, USA, September 2003.

Abstract

We present our work in detecting DoS attacks through the polling of Remote Monitoring (RMON) capable devices. Rather than the introduction of special purpose hardware, our detection capability relies upon RMON capabilities present in existing infrastructure network devices, such as switches and routers. RMON is a special purpose Management Information Base (MIB) designed for the SNMP (Simple Network Management Protocol), which tracks low-level network usage indicators, such as byte and packet count, packet size, and packet transmission error events. Using RMON data polled from a live enterprise network, we have developed a detection algorithm for simulated flood-based DoS attacks that achieves a high detection rate and low false alarm rate. The detection algorithm relies not only on the raw RMON variables but also on relationships between the variables to achieve this detection rate. We also indicate how the introduction of RMON2 variables and an accurate network map can be used to improve DoS detection accuracy and reduce false alarms by identifying the sources of specific DoS-related traffic. Our approach is less expensive than many commercially available solutions, requiring no special purpose hardware. It is more accurate than commonly used univariate statistical approaches and it is fast, requiring only the computation of ratios of packet variables and processing by a feed-forward neural network.
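The ratio-based feature extraction the abstract describes, as an added Python illustration that is not the authors' code: it turns two successive SNMP polls of RMON1 etherStats counters into per-interval rates and ratios, corrects the Counter32 wrap that a naive subtraction would get wrong, and uses a simple two-condition threshold as a stand-in for the paper's trained feed-forward network. The counter object names are the real ones from the RMON1 MIB (RFC 2819); all poll values and the threshold factors are constructed.

```python
from typing import Optional

COUNTER32_MOD = 2 ** 32  # RMON1 etherStats counters are Counter32 objects that wrap

# Subset of etherStatsEntry (RFC 2819) used for the features below.
RMON_VARS = ("etherStatsOctets", "etherStatsPkts", "etherStatsBroadcastPkts",
             "etherStatsPkts64Octets", "etherStatsCRCAlignErrors", "etherStatsFragments")


def counter_delta(prev: int, cur: int) -> int:
    """Increase between two Counter32 samples, correct across a single wrap."""
    return (cur - prev) % COUNTER32_MOD


def rmon_features(prev: dict, cur: dict, interval_s: float) -> Optional[dict]:
    """Per-interval rate and ratio features from two successive polls.
    Returns None for an idle interval, where the ratios are undefined."""
    d = {v: counter_delta(prev[v], cur[v]) for v in RMON_VARS}
    pkts = d["etherStatsPkts"]
    if pkts == 0:
        return None
    return {
        "pps": pkts / interval_s,                               # raw volume
        "bytes_per_pkt": d["etherStatsOctets"] / pkts,          # ratio: mean frame size
        "small_pkt_frac": d["etherStatsPkts64Octets"] / pkts,   # ratio: 64-byte share
        "bcast_frac": d["etherStatsBroadcastPkts"] / pkts,
        "err_frac": (d["etherStatsCRCAlignErrors"] + d["etherStatsFragments"]) / pkts,
    }


def flood_suspect(feat: dict, baseline: dict, pps_factor: float = 5.0) -> bool:
    """Constructed stand-in for the paper's trained network: flag an interval only
    when volume AND the packet-size ratio both move away from the baseline."""
    return (feat["pps"] > pps_factor * baseline["pps"]
            and feat["bytes_per_pkt"] < 0.5 * baseline["bytes_per_pkt"])


# Constructed polls 30 s apart; the octet counter wraps past 2^32 between T0 and T1.
POLL_T0 = {"etherStatsOctets": 4_294_900_000, "etherStatsPkts": 1_000_000,
           "etherStatsBroadcastPkts": 10_000, "etherStatsPkts64Octets": 200_000,
           "etherStatsCRCAlignErrors": 5, "etherStatsFragments": 0}
POLL_T1 = {"etherStatsOctets": 5_932_704, "etherStatsPkts": 1_010_000,   # normal traffic
           "etherStatsBroadcastPkts": 10_100, "etherStatsPkts64Octets": 202_000,
           "etherStatsCRCAlignErrors": 5, "etherStatsFragments": 0}
POLL_T2 = {"etherStatsOctets": 31_132_704, "etherStatsPkts": 1_320_000,  # 64-byte flood
           "etherStatsBroadcastPkts": 10_200, "etherStatsPkts64Octets": 504_000,
           "etherStatsCRCAlignErrors": 5, "etherStatsFragments": 0}

if __name__ == "__main__":
    base = rmon_features(POLL_T0, POLL_T1, 30)
    cur = rmon_features(POLL_T1, POLL_T2, 30)
    print("normal:", base, flood_suspect(base, base))
    print("flood: ", cur, flood_suspect(cur, base))
```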