DocumentCode :
623771
Title :
Cardinality change-based early detection of large-scale cyber-attacks
Author :
Wenji Chen ; Yang Liu ; Yong Guan
Author_Institution :
Dept. of Electr. & Comput. Eng., Iowa State Univ., Ames, IA, USA
fYear :
2013
fDate :
14-19 April 2013
Firstpage :
1788
Lastpage :
1796
Abstract :
Cyber-attacks are happening every day, with a variety of behaviors and objectives. For example, email spammers may compromise computers to sign up millions of email accounts for sending spam emails; during worm spreading, each infected host may try to connect to many hosts to further spread the worm, etc. However, many such large-scale and often distributed cyber-attacks share a common characteristic: the activities involved in them result in changes in the cardinality of the attack traffic. Examples include: the cardinality of the accounts signed up by a compromised host often increases in spam email delivery scenarios, and the cardinality of the connections made from a host may increase in worm spreading scenarios. In this paper, we focus on changes in the cardinality of the network/attack traffic that may indicate ongoing cyber-attacks. We formulate this problem as cardinality-based change point detection in distributed streams of attack traffic, and develop a nonparametric error-bounded scheme for it. Our scheme supports merging information collected from multiple monitoring points to detect large-scale attacks. Also, our scheme uses small space as well as constant processing time, which makes it applicable to space-constrained network or security systems. We have conducted experiments using both real-world traces and synthetic data. Experimental results and theoretical analysis show that our scheme can detect changes in the cardinality within given time and error bounds. We expect the solutions developed in this work to be deployed as a building block in network and security monitoring systems to detect large distributed cyber-attacks.
Keywords :
nonparametric statistics; pattern recognition; security of data; unsolicited e-mail; attack traffic cardinality; cardinality change-based early detection; cardinality-based change point detection; connection cardinality; distributed cyber-attack; distributed stream; email accounts; email spammers; error bound; infected host; information merging; large distributed cyber attack detection; large-scale cyber-attack; network monitoring system; nonparametric error-bounded scheme; security monitoring system; security system; space-constrained network; spam email delivery scenario; spam email sending; worm spreading; Electronic mail; Grippers; IP networks; Merging; Monitoring; Radiation detectors; Time series analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
INFOCOM, 2013 Proceedings IEEE
Conference_Location :
Turin
ISSN :
0743-166X
Print_ISBN :
978-1-4673-5944-3
Type :
conf
DOI :
10.1109/INFCOM.2013.6566977
Filename :
6566977