# STUDY OF THE PHENOMENOLOGY OF DDOS NETWORK ATTACKS IN PHASE SPACE

### Michael E. Farmer, William Arthur

#### Abstract

Denial of Service (DOS) network attacks continue to be a widespread problem throughout the internet. These attacks are designed not to steal data but to prevent regular users from accessing the systems. One particularly difficult attack type to detect is the distributed denial of service attack, in which the attacker commandeers multiple machines without their users’ awareness and coordinates an attack using all of them. While the attacker may use many machines, it is believed that the underlying characteristics of the resultant network traffic are fundamentally different from those of normal traffic, because the underlying dynamics of the data sources differ from those of normal traffic. Chaos theory has been growing in popularity as a means for analyzing systems with complex dynamics in a host of applications. One key tool for detecting chaos in a signal is analyzing the trajectory of a system’s dynamics in phase space. Chaotic and non-chaotic systems have significantly different trajectories: the trajectory of a chaotic system tends to have a high fractal dimension due to its space-filling nature, while non-chaotic systems have trajectories with much lower fractal dimensions. We investigate the fractal nature of network traffic in phase space and verify that traffic from coordinated attacks indeed has a significantly lower fractal dimension in phase space. We also show that tracking the signals in either number of ports or number of addresses provides superior detectability over tracking the number of bytes.
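The phase-space comparison the abstract describes can be sketched as follows. This is an added example, not the authors' code: it assumes a delay embedding (dimension 3, lag 4) and the Grassberger-Procaccia correlation dimension as the fractal-dimension estimate, neither of which this page specifies, and both traffic series are constructed stand-ins for a per-interval feature such as the number of distinct ports.

```python
import math
import random

def delay_embed(series, dim=3, tau=4):
    """Phase-space points (x[t], x[t+tau], ..., x[t+(dim-1)*tau])."""
    n = len(series) - (dim - 1) * tau
    return [tuple(series[t + k * tau] for k in range(dim)) for t in range(n)]

def correlation_dimension(points, q_lo=0.02, q_hi=0.20):
    """Grassberger-Procaccia estimate: slope of log C(r) against log r,
    where C(r) is the fraction of point pairs closer than r."""
    dists = sorted(
        math.dist(p, q)
        for i, p in enumerate(points) for q in points[i + 1:]
    )
    m = len(dists)
    # Fit only the scaling region between two quantiles of the distances.
    xs, ys = [], []
    for rank in range(int(q_lo * m), int(q_hi * m)):
        if dists[rank] > 0.0:
            xs.append(math.log(dists[rank]))
            ys.append(math.log((rank + 1) / m))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx  # least-squares slope

def constructed_series(kind, n=400, seed=1):
    """Constructed per-interval feature (assumed: distinct ports), scaled to [0, 1]."""
    rng = random.Random(seed)
    if kind == "normal":      # many independent sources: irregular, space-filling
        return [rng.random() for _ in range(n)]
    period = math.sqrt(300)   # coordinated sources: one shared rhythm plus jitter
    return [0.5 + 0.4 * math.sin(2 * math.pi * t / period)
            + 0.01 * (rng.random() - 0.5) for t in range(n)]

def compare():
    """Estimated dimension of each constructed series in phase space."""
    return {k: correlation_dimension(delay_embed(constructed_series(k)))
            for k in ("normal", "attack")}

if __name__ == "__main__":
    for kind, d in compare().items():
        print(f"{kind:7s} correlation dimension ~ {d:.2f}")
```

The coordinated series traces a closed curve in phase space, so its estimate stays near 1, while the irregular series fills the embedding volume and its estimate approaches the embedding dimension.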

#### Paper Citation

#### in Harvard Style

Farmer M. E. and Arthur W. (2011). **STUDY OF THE PHENOMENOLOGY OF DDOS NETWORK ATTACKS IN PHASE SPACE**. In *Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)*, ISBN 978-989-8425-71-3, pages 78-89. DOI: 10.5220/0003460800780089

#### in Bibtex Style

```
@conference{secrypt11,
  author={Michael E. Farmer and William Arthur},
  title={STUDY OF THE PHENOMENOLOGY OF DDOS NETWORK ATTACKS IN PHASE SPACE},
  booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
  year={2011},
  pages={78-89},
  publisher={SciTePress},
  organization={INSTICC},
  doi={10.5220/0003460800780089},
  isbn={978-989-8425-71-3},
}
```
