• DocumentCode
    680103
  • Title

    Study of the phenomenology of DDOS network attacks in phase space

  • Author

    Farmer, Michael E. ; Arthur, William

  • Author_Institution
    Department of Computer Science, Engineering and Physics, University of Michigan-Flint, 303 E. Kearsley St., U.S.A.
  • fYear
    2011
  • fDate
    18-21 July 2011
  • Firstpage
    78
  • Lastpage
    89
  • Abstract
    Denial of Service (DOS) network attacks continue to be a widespread problem throughout the internet. These attacks are designed not to steal data but to prevent regular users from accessing the systems. One particularly difficult attack type to detect is the distributed denial of service attack where the attacker commandeers multiple machines without the users' awareness and coordinates an attack using all of these machines. While the attacker may use many machines, it is believed that the underlying characteristics of the resultant network traffic are fundamentally different than normal traffic due to the fact that the underlying dynamics of sources of the data are different than for normal traffic. Chaos theory has been growing in popularity as a means for analyzing systems with complex dynamics in a host of applications. One key tool for detecting chaos in a signal is analyzing the trajectory of a system's dynamics in phase space. Chaotic systems have significantly different trajectories than non-chaotic systems where the trajectory of the chaotic system tends to have high fractal dimension due to its space filling nature, while non-chaotic systems have trajectories with much lower fractal dimensions. We investigate the fractal nature of network traffic in phase space and verify that indeed traffic from coordinated attacks has significantly lower fractal dimensions in phase space. We also show that tracking the signals in either number of ports or number of addresses provides superior detectability over tracking the number of bytes.
  • Keywords
    Chaos; Computer crime; Educational institutions; Fractals; Ports (Computers); Telecommunication traffic; Trajectory; Chaos; Computer networks; Computer viruses; Denial of service;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on
  • Conference_Location
    Seville, Spain
  • Type

    conf

  • Filename
    6732374