Analysis of DDoS Detection Systems

Michael Singhof
Heinrich-Heine-Universität
Institut für Informatik
Universitätsstraße 1
40225 Düsseldorf, Deutschland
[email protected]

ABSTRACT targeting specific weaknesses in that service or by brute force

While there are plenty of papers describing algorithms for approaches. A particularly well-known and dangerous kind
detecting distributed denial of service (DDoS) attacks, here of DoS attack are distributed denial of service attacks. These
an introduction to the considerations preceding such an im- kinds of attacks are more or less brute force bandwidth DoS
plementation is given. Therefore, a brief history of and in- attacks carried out by multiple attackers simultaneously.
troduction to DDoS attacks is given, showing that these kind In general, there are two ways to detect any kind of net-
of attacks are nearly two decades old. It is also depicted that work attacks: Signature based approaches in which the in-
most algorithms used for the detection of DDoS attacks are trusion detection software compares network input to known
outlier detection algorithms, such that intrusion detection attacks and anomaly detection methods. Here, the software
can be seen as a part of the KDD research field. is either trained with examples for normal traffic or not
It is then pointed out that no well known and up-to-date previously trained at all. Obviously, the latter method is
test cases for DDoS detection system are known. To over- more variable since normal network traffic does not change
come this problem in a way that allows to test algorithms as quickly as attack methods. The algorithms used in this
as well as making results reproducible for others we advice field are, essentially, known KDD methods for outlier detec-
using a simulator for DDoS attacks. tion such as clustering algorithms, classification algorithms
The challenge of detecting denial of service attacks in or novelty detection algorithms on time series. However,
real time is addressed by presenting two recently published in contrast to many other related tasks such as credit card
methods that try to solve the performance problem in very fraud detection, network attack detection is highly time crit-
different ways. We compare both approaches and finally ical since attacks have to be detected in near real time. This
summarise the conclusions drawn from this, especially that makes finding suitable methods especially hard because high
methods concentrating on one network traffic parameter only precision is necessary, too, in order for an intrusion detection
are not able to detect all kinds of distributed denial of service system to not cause more harm than being of help.
attacks. The main goal of this research project is to build a dis-
tributed denial of service detection system that can be used
in today’s networks and meets the demands formulated in
Categories and Subject Descriptors the previous paragraph. In order to build such a system,
H.2.8 [Database Management]: Database Applications— many considerations have to be done. Some of these are
Data Mining; H.3.3 [Information Storage and Retrieval]: presented in this work.
Information Search and Retrieval—Clustering, Information The remainder of this paper is structured as follows: In
filtering section 2 an introduction to distributed denial of service at-
tacks and known countermeasures is given, section 3 points
Keywords out known test datasets. In section 4 some already existing
approaches are presented and finally section 5 concludes this
DDoS, Intrusion Detection, KDD, Security work and gives insight in future work.

1. INTRODUCTION
2. INTRODUCTION TO DDOS ATTACKS
Denial of service (DoS) attacks are attacks that have the
goal of making a network service unusable for its legitimate Denial of service and distributed denial of service attacks
users. This can be achieved in different ways, either by are not a new threat in the internet. In [15] the first notable
denial of service attack is dated to 1996 when the internet
provider Panix was taken down for a week by a TCP SYN
flood attack. The same article dates the first noteworthy
distributed denial of service attack to the year 1997 when
internet service providers in several countries as well as an
IRC network were attacked by a teenager. Since then, many
of the more elaborate attacks that worked well in the past,
have been successfully defused.
25th GI-Workshop on Foundations of Databases (Grundlagen von Daten-
banken), 28.05.2013 - 31.05.2013, Ilmenau, Germany. Let us, as an example, examine the TCP SYN flood at-
Copyright is held by the author/owner(s). tack. A TCP connection is established by a three way hand-
shake. On getting a SYN request packet, in order to open a
TCP connection, the addressed computer has to store some
information on the incoming packet and then answers with
a SYN ACK packet which is, on regularly opening a TCP
connection, again replied by an ACK packet.
The idea of the SYN flood attack is to cause a memory
overrun on the victim by sending many TCP SYN packets.
As for every such packet the victim has to store information
while the attacker just generates new packets and ignores the
victim’s answers. By this the whole available memory of the
victim can be used up, thus disabling the victim to open le-
gitimate connection to regular clients. As a countermeasure, Figure 1: Detection locations for DDoS attacks.
in [7] SYN cookies were introduced. Here, instead of storing
the information associated with the only half opened TCP
connection in the local memory, that information is coded
testing that allows users, among other functions, to volun-
into the TCP sequence number. Since that number is re-
tary join a botnet in order to carry out an attack. Since
turned by regular clients on sending the last packet of the
the tool is mainly for testing purposes, the queries are not
already described three way handshake and initial sequence
masqueraded so that it is easy to identify the participat-
numbers can be arbitrarily chosen by each connection part-
ing persons. Again, however, the initiator of the attack does
ner, no changes on the TCP implementation of the client
not necessarily have to have direct contact to the victim and
side have to be made. Essentially, this reduces the SYN
thus remains unknown.
cookie attack to a mere bandwidth based attack.
A great diversity of approaches to solve the problem of
The same applies to many other attack methods that have
detecting DDoS attacks exists. Note again, that this work
been successfully used in the past, such as the smurf attack
focuses on anomaly detection methods only. This describes
[1] or the fraggle attack. Both of these attacks are so called
methods, that essentially make use of outlier detection meth-
reflector attacks that consist of sending an echo packet –
ods to distinguish normal traffic and attack traffic. In a field
ICMP echo in case of the smurf attack and UDP echo in
with as many publications as intrusion detection and even,
case of the fraggle attack – to a network’s broadcast address.
more specialised, DDoS detection, it is not surprising, that
The sender’s address in this packet has to be forged so that
many different approaches are used, most of which are com-
the packet occurs to be sent by the victim of the attack, so
mon in other knowledge discovery research fields as well.
that all replies caused by the echo packet are routed to the
As can be seen in Figure 1 this research part, again, can
victim.
be divided in three major categories, namely distributed de-
Thus, it seems like nowadays most denial of service attacks
tection or in network detection, source end detection and
are distributed denial of service attack trying to exhaust the
end point or victim end detection.
victims bandwidth. Examples for this are the attacks on
By distributed detection approaches we denote all ap-
Estonian government and business computers in 2007 [12].
proaches that use more than one node in order to monitor
As already mentioned, distributed denial of service attacks
the network traffic. This kind of solution is mostly aimed
are denial of service attacks with several participating at-
to be used by internet providers and sometimes cooperation
tackers. The number of participating computers can differ
between more than one or even all ISPs is expected. The
largely, ranging from just a few machines to several thou-
main idea of almost all of these systems is to monitor the
sands. Also, in most cases, the owners of these computers
network traffic inside the backbone network. Monitors are
are not aware that they are part of an attack. This lies in the
mostly expected to be backbone routers, that communicate
nature of most DDoS attacks which consist of three steps:
the results of their monitoring either to a central instance or
1. Building or reusing a malware that is able to receive among each other. These systems allow an early detection of
commands from the main attacker (“master”) and to suspicious network traffic so that an attack can be detected
carry out the attack. A popular DDoS framework is and disabled – by dropping the suspicious network packets
Stacheldraht [9]. – before it reaches the server the attack is aimed at. How-
ever, despite these methods being very mighty in theory,
2. Distribute the software created in step one to create they suffer the main disadvantage of not being able to be
a botnet. This step can essentially be carried out in employed without the help of one or more ISPs. Currently,
every known method of distributing malware, for ex- this makes these approaches impractical for end users since,
ample by forged mail attachments or by adding it to to the knowledge of the author, at this moment no ISP uses
software like pirate copies. such an approach.
Source end detection describes approaches that monitor
3. Launch the attack by giving the infected computers outgoing attack streams. Of course, such methods can only
the command. be successful if the owner of an attacking computer is not
aware of his computer participating in that attack. A widely
This procedure – from the point of view of the main at- used deployment of such solutions is necessary for them to
tacker – has the advantage of not having to maintain a direct have an effect. If this happens, however, these methods have
connection to the victim. This makes it very hard to track the chance to not only detect distributed denial of service
that person. It is notable though, that during attacks origi- attacks but also to prevent them by stopping the attacking
nating to Anonymous in the years 2010 and 2012 Low Orbit traffic flows. However, in our opinion, the necessity of wide
Ion Cannon [6] was used. This is originally a tool for stress deployment makes a successful usage of this methods – at
 Packet type No of packets Percentage 1e+08
Number of packets over arrival times
IP 65612516 100
1e+07
TCP 65295894 99.5174
UDP 77 0.0001 1e+06
ICMP 316545 0.4824
100000

Number of packets
Protocol Incoming Traffic Outgoing Traffic
10000
IP 24363685 41248831
TCP 24204679 41091215 1000

UDP 77 0
ICMP 158929 157616 100

10
Table 1: Distribution of web traffic on protocol types
and incoming and outgoing traffic at the university’s 1
web server. 0 0.2 0.4 0.6 0.8 1
Arrival time [seconds]

least in the near future – difficult. Figure 2: Arrival times for the university’s web-
In contrast to the approaches described above, end point server trace.
detection describes those methods that rely on one host only.
In general, this host can be either the same server other ap-
UDP packets seem to be unwanted packets as none of these
plications are running on or a dedicated firewall in the case
packets is replied. The low overall number of these packets is
of small networks. Clearly, these approaches suffer one dis-
an indicator for this fact, too. With ICMP traffic, incoming
advantage: Attacks cannot be detected before the attack
and outgoing packet numbers are nearly the same which lies
packets arrive at their destination, as only those packets
in the nature of this message protocol.
can be inspected. On the other hand end point based meth-
In order to overcome the problems with old traces, based
ods allow individual deployment and can therefore be used
on the characteristics of the web trace, as a next step we
nowadays. Due to this fact, our work focuses on end point
implement a simulator for distributed denial of service at-
approaches.
tacks. As the results in [20] show, the network simulators
OMNeT++ [19], ns-3 [10] and JiST [5] are, in terms of speed
3. TEST TRACES OF DISTRIBUTED DE- and memory usage, more or less equal. To not let the simula-
tion become either too slow or too inaccurate, it is intended
NIAL OF SERVICE ATTACKS to simulate a nearer neighbourhood of the victim server very
Today, the testing of DDoS detection methods unfortu- accurately. With greater distance to the victim, it is planned
nately is not easy, as not many recordings of real or simu- to simulate in less detail. In this context, the distance be-
lated DDoS attacks exist or, at least, are not publicly avail- tween two network nodes is given by the number of hops
able. The best known test trace is the KDD Cup 99 data between the nodes.
set [3]. A detailed description of this data set is given in Simulation results then will be compared with the afore-
[18]. Other known datasets are the 1998 DARPA intrusion mentioned network trace to ensure its realistic behaviour.
detection evaluation data set that has been described in [14] After the simulation of normal network traffic resembles the
as well as the 1999 DARPA intrusion detection evaluation real traffic at the victim server close enough, we will proceed
data set examined in [13]. by implementing distributed denial of service attacks in the
In terms of the internet, with an age of 14 to 15 years, simulator environment. With this simulator it will then,
these data sets are rather old and therefore cannot reflect hopefully, be possible to test existing and new distributed
today’s traffic volume and behaviour in a realistic fashion. denial of service detection approaches in greater detail as
Since testing with real distributed denial of service attacks has been possible in the past.
is rather difficult both on technical as well as legal level, we
suggest the usage of a DDoS simulator. In order to get a feel-
ing for today’s web traffic, we recorded a trace at the main 4. EXISTING APPROACHES
web server of Heinrich-Heine-Universität. Tracing started on Many approaches to the detection of distributed denial of
17th September 2012 at eight o’clock local time and lasted service attacks already exist. As has been previously pointed
until eight o’clock the next day. out in section 1, in contrast to many other outlier and nov-
This trace consists of 65612516 packets of IP traffic with elty detection applications in the KDD field, the detection
31841 unique communication partners contacting the web of DDoS attacks is extremely time critical, hence near real
server. As can be seen in Table 1 almost all of these packets time detection is necessary.
are TCP traffic. This is not surprising as the HTTP protocol Intuitively, the less parameters are observed by an ap-
uses the TCP protocol and web page requests are HTTP proach, the faster it should work. Therefore, first, we take a
messages. look at a recently issued method that relies on one parameter
About one third of the TCP traffic is incoming traffic. only.
This, too, is no surprise as most clients send small request
messages and, in return, get web pages that often include 4.1 Arrival Time Based DDoS Detection
images or other larger data and thus consist of more than In [17] the authors propose an approach that bases on ir-
one package. It can also be seen, clearly, that all of the regularities in the inter packet arrival times. By this term
 1
Now, since we are solely interested in the estimation of x̄,
0.9 only 1 M is needed, which is computed to be [x̄, x̄] since
 
0.8 1 β β 1 1
g(1) = − 1 + = (1 − β + β) =
0.7
2 2 2 2 2
0.6 and
1
0.5
zg(1) = Φ−1 (1 − g(1)) = Φ−1 ( ) = 0.
α

2
0.4
During traffic monitoring, for a given time interval, the
0.3
current traffic arrival times tc are computed by estimating
0.2
     
1 1 1 1
[tc ]α = ln , ln
0.1 1 − p rα 1 − p lα
0
0.00122 0.00124 0.00126 0.00128 0.0013 0.00132 0.00134 0.00136 0.00138 0.0014 0.00142 where p is some given but again not specified probability and
Arrival times [s] [lα , rα ] are the α-cuts for E(T ) = t̄. As described above, the
only value that is of further use is tc , the only value in the
Figure 3: The fuzzy mean estimator constructed ac- interval of [tc ]1 . Since [E(T )]1 = [t̄]1 = [t̄, t̄] it follows that
cording to [17].      
1 1 1 1
[tc ]1 = ln , ln
1 − p t̄ 1 − p t̄
the authors describe the time that elapses between two sub- and thus
sequent packets.  
The main idea of this work is based on [8] where non- 1 1 1
tc = ln = (ln(1) − ln(1 − p)) .
asymptotic fuzzy estimators are used to estimate variable 1−p t̄ t̄
costs. Here, this idea is used to estimate the mean arrival As ln(1) = 0 this can be further simplified to
time x̄ of normal traffic packets. Then, the mean arrival
time of the current traffic – denoted by tc – is estimated, ln(1 − p)
tc = − ∈ [0, ∞)
too, and compared to the overall value. If tc > x̄, the traffic t̄
is considered as normal traffic and if tc < x̄ a DDoS attack with p ∈ [0, 1).
is assumed to be happening. We suppose here, that for a By this we are able to determine a value for p by choosing
value of tc = x̄ no attack is happening, although this case is the smallest p where tc ≥ x̄ for all intervals in our trace. An
not considered in the original paper. interval length of four seconds was chosen to ensure compa-
To get a general feeling for the arrival times, we computed rability with the results presented in [17].
them for our trace. The result is shown in Figure 2. Note, During the interval with the highest traffic volume 53568
that the y-axis is scaled logarithmic as values for arrival packets arrived resulting in an average arrival time of t̄ ≈
times larger than 0.1 seconds could not been distinguished 7.4671 · 10−5 seconds. Note here, that we did not maximise
from zero on a linear y-axis. It can be seen here, that most the number of packets for the interval but instead let the first
arrival times are very close to zero. It is also noteworthy interval begin at the first timestamp in our trace rounded
that, due to the limited precision of libpcap [2], the most down to full seconds and split the trace sequentially from
common arrival interval is zero. there on.
Computing the fuzzy mean estimator for packet arrival Now, in order to compute p one has to set
times yields the graph presented in Figure 3 and x̄ ≈ 0.00132.
Note, that since the choice of parameter β ∈ [0, 1) is not p = 1 − e−x̄t̄
specified in [17], we here chose β = 12 . We will see, however,
leading to p ≈ 9.8359 · 10−8 . As soon as this value of p is
that, as far as our understanding of the proposed method
learned, the approach is essentially a static comparison.
goes, this parameter has no further influence.
There are, however, other weaknesses to this approach
To compute the α-cuts of a fuzzy number, one has to
as well: Since the only monitored value is the arrival time,
compute
  a statement on values such as bandwidth usage cannot be
α σ σ made. Consider an attack where multiple corrupted com-
M = x̄ − zg(α) √ , x̄ + zg(α) √ puters try to download a large file from a server via a TCP
n n
connection. This behaviour will result in relatively large
where x̄ is the mean value – i.e. exactly the value that is packets being sent from the server to the clients, resulting
going to be estimated – and σ is presumably the arrival in larger arrival times as well. Still, the server’s connec-
times’ deviation. Also tion can be jammed by this traffic thus causing a denial of
service.
 
1 β β
g(α) = − α+ By this, we draw the conclusion that a method relying on
2 2 2
only one parameter – in this example arrival times – can-
and not detect all kinds of DDoS attacks. Thus, despite its low
zg(α) = Φ−1 (1 − g(α)). processing requirements, such an approach in our opinion is
not suited for general DDoS detection even if it seems that
Note, that α M is the (1 − α)(1 − β) confidence interval it can detect packet flooding attacks with high precision as
for µ, the real mean value of packet arrival times. stated in the paper.
 Algorithm 1 LCFS algorithm based on [11].
Require: the initial set of all features I,
the class-outputs y,
the desired number of features n
Ensure: the dimension reduced subset F ⊂ I
1: for all fi ∈ I do
2: compute corr(fi , y)
3: end for
4: f := max{correlation(fi , y)|fi ∈ I}
5: F := {f }
6: I := I \ {f }
7: while |F | <(n do )
1
P
8: f := max corr(fi , y) − |F | corr(fi , fj ) fi ∈ I
Figure 4: Protocol specific DDoS detection architec- fj ∈F
ture as proposed in [11]. 9: F := F ∪ {f }
10: I := I \ {f }
11: end while
4.2 Protocol Type Specific DDoS Detection 12: return F
In [11] another approach is presented: Instead of using the
same methods on all types of packets, different procedures
are used for different protocol types. This is due to the fact, the university’s campus. The presented results show that
that different protocols show different behaviour. Especially on all data sets the DDoS detection accuracy varies in the
TCP traffic behaviour differs from UDP and ICMP traffic range of 99.683% to 99,986% if all of the traffic’s attributes
because of its flow control features. By this the authors try are used. When reduced to three or five attributes, accuracy
to minimise the feature set characterising distributed denial stays high with DDoS detection of 99.481% to 99.972%. At
of service attacks for every protocol type, separately, such the same time, the computation time shrinks by a factor of
that computation time is minimised, too. two leading to a per instance computation time of 0.0116ms
The proposed detection scheme is described as a four step (three attributes) on the KDD Cup data set and 0.0108ms
approach, as shown in Figure 4. Here, the first step is the (three attributes) and 0.0163ms (five attributes) on the self-
preprocessing where all features of the raw network traffic recorded data sets of the authors.
are extracted. Then packets are forwarded to the correspon- Taking into account the 53568 packets in a four second
dent modules based on the packet’s protocol type. interval we recorded, the computation time during this in-
The next step is the protocol specific feature selection. terval would be about (53568 · 0.0163ms ≈) 0.87 seconds.
Here, per protocol type, the most significant features are However, there is no information about the machine that
selected. This is done by using the linear correlation based carried out the computations given in the paper such that
feature selection (LCFS) algorithm that has been introduced this number appears to be rather meaningless. If we suppose
in [4], which essentially ranks the given features by their a fast machine with no additional tasks, this computation
correlation coefficients given by time would be relatively high.
Pn
(xi − x̄)(yi − x̄) Nevertheless, the results presented in the paper at hand
corr(X, Y ) := pPn i=1 Pn are promising enough to consider a future re-evaluation on a
i=1 (xi − x̄)
2
i=1 (yi − ȳ)
2
known machine with our recorded trace and simulated DDoS
for two random variables X, Y with values xi , yi , 1 ≤ i ≤ n, attacks.
respectively. A pseudo code version of LCFS is given in
Algorithm 1. As can be seen there, the number of features
in the reduced set must be given by the user. This number 5. CONCLUSION
characterises the trade-off between precision of the detection We have seen that distributed denial of service attacks are,
and detection speed. in comparison to the age of the internet itself, a relatively
The third step is the classification of the instances in ei- old threat. Against many of the more sophisticated attacks
ther normal traffic or DDoS traffic. The classification is specialised counter measures exist, such as TCP SYN cook-
trained on the reduced feature set generated in the previous ies in order to prevent the dangers of SYN flooding. Thus,
step. The authors tested different well known classification most DDoS attacks nowadays are pure bandwidth or brute
techniques and established C4.5 [16] as the method working force attacks and attack detection should focus on this types
best in this case. of attacks, making outlier detection techniques the method
Finally, the outputs of the classifiers are given to the of choice. Still, since many DDoS toolkits such as Stachel-
merger to be able to report warnings over one alarm gen- draht allow for attacks like SYN flooding properties of this
eration interface instead of three. The authors mention that attacks can still indicate an ongoing attack.
there is a check for false positives in the merger, too. How- Also, albeit much research on the field of DDoS detection
ever, there is no further information given on how this check has been done during the last two decades that lead to a
works apart from the fact that it is relatively slow. nearly equally large number of possible solutions, in section
The presented experiments have been carried out on the 3 we have seen that one of the biggest problems is the un-
aforementioned KDD Cup data set as well as on two self- availability of recent test traces or a simulator being able
made data sets for which the authors attacked a server within to produce such traces. With the best known test series
having an age of fourteen years, today, the results presented Off-line Intrusion Detection Evaluation. In DARPA
in many of the research papers on this topic are difficult to Information Survivability Conference and Exposition,
compare and confirm. 2000. DISCEX’00. Proceedings, volume 2, pages
Even if one can rate the suitability of certain approaches in 12–26. IEEE, 2000.
respect to detect certain approaches, such as seen in section [15] G. Loukas and G. Öke. Protection Against Denial of
4, a definite judgement of given methods is not easy. We Service Attacks: A Survey. The Computer Journal,
therefore, before starting to implement an own approach to 53(7):1020–1037, 2010.
distributed denial of service detection, want to overcome this [16] J. R. Quinlan. C4.5: Programs for Machine Learning,
problem by implementing a DDoS simulator. volume 1. Morgan Kaufmann, 1993.
With the help of this tool, we will be subsequently able to [17] S. N. Shiaeles, V. Katos, A. S. Karakos, and B. K.
compare existing approaches among each other and to our Papadopoulos. Real Time DDoS Detection Using
ideas in a fashion reproducible for others. Fuzzy Estimators. Computers & Security,
31(6):782–790, 2012.
6. REFERENCES [18] M. Tavallaee, E. Bagheri, W. Lu, and A.-A. Ghorbani.
[1] CERT CC. Smurf Attack. A Detailed Analysis of the KDD CUP 99 Data Set. In
http://www.cert.org/advisories/CA-1998-01.html. Proceedings of the Second IEEE Symposium on
[2] The Homepage of Tcpdump and Libpcap. Computational Intelligence for Security and Defence
http://www.tcpdump.org/. Applications 2009, 2009.
[3] KDD Cup Dataset. [19] A. Varga and R. Hornig. An Overview of the
http://kdd.ics.uci.edu/databases/kddcup99/ OMNeT++ Simulation Environment. In Proceedings
kddcup99.html, 1999. of the 1st International Conference on Simulation
[4] F. Amiri, M. Rezaei Yousefi, C. Lucas, A. Shakery, Tools and Techniques for Communications, Networks
and N. Yazdani. Mutual Information-based Feature and Systems & Workshops, Simutools ’08, pages
Selection for Intrusion Detection Systems. Journal of 60:1–60:10, ICST, Brussels, Belgium, Belgium, 2008.
Network and Computer Applications, 34(4):1184–1199, ICST (Institute for Computer Sciences,
2011. Social-Informatics and Telecommunications
[5] R. Barr, Z. J. Haas, and R. van Renesse. JiST: An Engineering).
Efficient Approach to Simulation Using Virtual [20] E. Weingartner, H. vom Lehn, and K. Wehrle. A
Machines. Software: Practice and Experience, Performance Comparison of Recent Network
35(6):539–576, 2005. Simulators. In Communications, 2009. ICC ’09. IEEE
[6] A. M. Batishchev. Low Orbit Ion Cannon. International Conference on, pages 1–5, 2009.
http://sourceforge.net/projects/loic/.
[7] D. Bernstein and E. Schenk. TCP SYN Cookies.
on-line journal, http://cr.yp.to/syncookies.html, 1996.
[8] K. A. Chrysafis and B. K. Papadopoulos.
Cost–volume–profit Analysis Under Uncertainty: A
Model with Fuzzy Estimators Based on Confidence
Intervals. International Journal of Production
Research, 47(21):5977–5999, 2009.
[9] D. Dittrich. The ‘Stacheldraht’ Distributed Denial of
Service Attack Tool.
http://staff.washington.edu/dittrich/misc/
stacheldraht.analysis, 1999.
[10] T. Henderson. ns-3 Overview.
http://www.nsnam.org/docs/ns-3-overview.pdf, May
2011.
[11] H. J. Kashyap and D. Bhattacharyya. A DDoS Attack
Detection Mechanism Based on Protocol Specific
Traffic Features. In Proceedings of the Second
International Conference on Computational Science,
Engineering and Information Technology, pages
194–200. ACM, 2012.
[12] M. Lesk. The New Front Line: Estonia under
Cyberassault. Security & Privacy, IEEE, 5(4):76–79,
2007.
[13] R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and
K. Das. The 1999 DARPA Off-line Intrusion Detection
Evaluation. Computer networks, 34(4):579–595, 2000.
[14] R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines,
K. R. Kendall, D. McClung, D. Weber, S. E. Webster,
D. Wyschogrod, R. K. Cunningham, et al. Evaluating
Intrusion Detection Systems: The 1998 DARPA