Distributed change detection for worms, DDoS and other network attacks

Self-propagating code (worms) and distributed denial of service (DDoS) attacks are the most frequent and quite devastating attacks on communication networks and the Internet. We provide novel formulations for the rapid detection of these attacks in the control-theoretic framework of change detection. We present algorithms that effectively can detect worms from their temporal spreading characteristics. We describe the effects of the network topology on the algorithms and their performance. We next present algorithms for detecting DDoS while discriminating against changes in the normal traffic. This is accomplished by a distributed detection formalism where a concept of directionality is introduced and exploited. We then turn into attacks to routing protocols in mobile wireless networks. We develop change detection formulations involving hidden Markov models, which match distribution of the number of hops in the mobile and wireless nodes. Using observations that suggest that this distribution is altered substantially in the presence of such attacks we develop and analyze algorithms for their detection.