Performance evaluation of a multi-stage network event detection scheme against DDoS attacks

Change-point detection schemes, which represent one type of anomaly detection schemes, are a promising approach for detecting network anomalies, such as attacks and epidemics by unknown viruses and worms. These events are detected as change-points. However, they generally also detect false-positive change-points caused by other events, such as hardware problems. Therefore there is a requirement for a scheme that detects only true-positive change-points caused by attacks and epidemics by unknown viruses and worms. The true-positive change-points tend to occur simultaneously and intensively in very large numbers, while the false-positive change-points tend to occur independently. We can exclude false-positive change-points by excluding those that occur independently, based on information gathered from the entire network. In this paper, we combine change-point detection schemes with a distributed IDS, and evaluate performance of the combined scheme by a simulation using the parameter values obtained by an experiment using real worms. The simulation results show that the combined scheme detects all the DDoS attacks without any false-positives while we have to tolerate false-positive rate of at least 0.02 to detect all the attacks in a stand-alone IDS scheme.