LD²: A SYSTEM FOR LIGHTWEIGHT DETECTION OF DENIAL-OF-SERVICE ATTACKS

Sirikarn Pukkawanna and Panita Pongpaibool
National Electronics and Computer Technology Center, Pathumthani, THAILAND

Vasaka Visoottiviseth
Mahidol University, Bangkok, THAILAND

ABSTRACT

This paper proposes a system for lightweight detection of DoS attacks, called LD². Our system detects attack activities by observing flow behaviors and matching them against graphlets defined for each attack type. The system is lightweight because it analyzes neither packet content nor packet statistics. We benchmark the performance of LD², in terms of detection accuracy and complexity, against Snort, a popular open-source IDS. Our evaluation covers six types of DoS-related activity: SYN flood, UDP flood, ICMP flood, Smurf, port scan, and host scan. Results show that LD² accurately identifies all occurrences and all hosts associated with attack activities. Although LD² uses more CPU cycles than Snort, it consumes much less memory.

1. INTRODUCTION

Denial of Service (DoS) attacks pose a serious threat to the Internet. The main aim of a DoS attack is to disrupt service and network availability by reducing a legitimate user's bandwidth or by preventing access to a service or system [1]. Such attacks make a network incapable of providing normal service by targeting either its bandwidth or its connectivity, and they achieve this by sending a stream of packets that overloads the victim's network or its processing capacity. Well-known examples are floods of TCP SYN packets, UDP packets, and ICMP packets. Before launching an attack, attackers use port scans and host scans to discover services they can break into. To secure networks against DoS attacks, tools such as an Intrusion Detection System (IDS) must be deployed.
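The flow-behavior matching that the abstract describes (one graphlet per attack type, no payload and no packet statistics) can be illustrated on plain 5-tuples. The following is an added example written for this page, not the authors' LD² plug-in or the BLINC code: the graphlet shapes, the thresholds, the addresses and the traffic are all constructed assumptions, and the paper's own per-attack thresholds (Section 4) are not reproduced. Five of the six activities listed above are covered; a single-source ICMP flood is one 5-tuple and so has no fan-in or fan-out shape in this simplification, which is one reason a real system needs more than a set of tuples.

```python
"""Flow-behaviour matching over 5-tuples, in the spirit of LD2/BLINC graphlets.

Added illustration, not the authors' code. Each flow is only
(src, dst, proto, sport, dport): no payload, no packet sizes, no packet
statistics. The graphlet shapes, the thresholds and the traffic are
assumptions constructed for this example; the paper derives its own
thresholds per attack in Section 4.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int  # 0 for icmp
    dport: int  # 0 for icmp


# Assumed thresholds: distinct peers/ports/hosts needed before a graphlet matches.
THRESHOLDS = {
    "syn_flood": 100,  # distinct (src, sport) pairs converging on one tcp dst:port
    "udp_flood": 100,  # same fan-in shape over udp
    "smurf": 20,       # distinct icmp sources converging on one victim (reflected replies)
    "port_scan": 30,   # distinct dports from one src to one dst
    "host_scan": 20,   # distinct dst hosts probed by one src on one dport
}

Alert = Tuple[str, str, List[str]]  # (attack type, victim, sorted attacker hosts)


def match_graphlets(flows: Iterable[Flow],
                    thresholds: Dict[str, int] = THRESHOLDS) -> List[Alert]:
    """Build per-host graphlets from 5-tuples and report those matching an attack shape."""
    # Flood graphlet: one destination service with fan-in from many (src, sport) pairs.
    fan_in: Dict[Tuple[str, str, int], Set[Tuple[str, int]]] = defaultdict(set)
    # Port-scan graphlet: one src to one dst, fan-out over destination ports.
    port_fan_out: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    # Host-scan graphlet: one src on one dport, fan-out over destination hosts.
    host_fan_out: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)

    for f in flows:
        fan_in[(f.dst, f.proto, f.dport)].add((f.src, f.sport))
        if f.proto != "icmp":  # icmp carries no ports, so scan fan-out is tcp/udp only
            port_fan_out[(f.src, f.dst)].add(f.dport)
            host_fan_out[(f.src, f.proto, f.dport)].add(f.dst)

    alerts: List[Alert] = []
    for (dst, proto, dport), peers in fan_in.items():
        srcs = sorted({src for src, _ in peers})
        if proto == "tcp" and len(peers) >= thresholds["syn_flood"]:
            alerts.append(("syn_flood", dst, srcs))
        elif proto == "udp" and len(peers) >= thresholds["udp_flood"]:
            alerts.append(("udp_flood", dst, srcs))
        elif proto == "icmp" and len(srcs) >= thresholds["smurf"]:
            alerts.append(("smurf", dst, srcs))
    for (src, dst), ports in port_fan_out.items():
        if len(ports) >= thresholds["port_scan"]:
            alerts.append(("port_scan", dst, [src]))
    for (src, proto, dport), hosts in host_fan_out.items():
        if len(hosts) >= thresholds["host_scan"]:
            alerts.append(("host_scan", f"{proto}/{dport}", [src]))
    return alerts


def constructed_flows() -> Dict[str, List[Flow]]:
    """Constructed sample traffic (not captured data), one scenario per key."""
    return {
        # Spoofed SYN flood: 200 sources on distinct ports against one web server.
        "syn_flood": [Flow(f"198.51.100.{i + 1}", "192.0.2.10", "tcp", 1024 + i, 80)
                      for i in range(200)],
        # UDP flood from one host cycling source ports against a DNS server.
        "udp_flood": [Flow("203.0.113.7", "192.0.2.53", "udp", 20000 + i, 53)
                      for i in range(150)],
        # Smurf: 40 amplifier hosts send ICMP replies to the victim whose address was spoofed.
        "smurf": [Flow(f"192.0.2.{100 + i}", "198.51.100.5", "icmp", 0, 0)
                  for i in range(40)],
        # Port scan: one source, one target, 60 destination ports.
        "port_scan": [Flow("203.0.113.9", "192.0.2.20", "tcp", 40000 + p, p)
                      for p in range(1, 61)],
        # Host scan: one source probing tcp/22 on 30 hosts.
        "host_scan": [Flow("203.0.113.9", f"192.0.2.{h}", "tcp", 41000 + h, 22)
                      for h in range(1, 31)],
        # Legitimate busy web server: 120 distinct clients, one connection each.
        "busy_web": [Flow(f"203.0.113.{i + 1}", "192.0.2.80", "tcp", 50000 + i, 80)
                     for i in range(120)],
    }


if __name__ == "__main__":
    for name, flows in constructed_flows().items():
        found = [(kind, victim, len(hosts)) for kind, victim, hosts in match_graphlets(flows)]
        print(name, "->", found)
    # Same traffic, stricter flood threshold: the busy server no longer matches.
    strict = dict(THRESHOLDS, syn_flood=500)
    print("busy_web @500 ->", match_graphlets(constructed_flows()["busy_web"], strict))
```

The busy_web scenario is the point of the exercise: a popular web server has exactly the fan-in shape of a spoofed SYN flood, so at the assumed threshold of 100 it is reported as an attack, and only raising the threshold (here to 500) removes the false positive. This is the dependence on threshold and background traffic intensity that the paper sets out to study, and it is why the attack-specific thresholds of Section 4 matter more than the graphlet shapes themselves.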
In general, an IDS is notorious for its enormous resource consumption, because it requires deep packet inspection and flow-state maintenance. In our previous work [2], we introduced a technique for detecting DoS activities using Blind Classification (BLINC) [3]. The key advantage of that technique is that it is lightweight: it can identify the group of hosts associated with DoS activities without analyzing packet content, packet size, or packet statistics. Preliminary results revealed that the method identifies all occurrences and all hosts associated with attack activities, with a low percentage of false positives. However, we found that detection accuracy depends on several variables, such as the threshold and the intensity of background traffic.

978-1-4244-2677-5/08/$25.00 ©2008 IEEE

In this paper, we propose a system for lightweight detection of DoS attacks, called LD², based on the technique introduced in [2]. We systematically study the effect of background traffic intensity and define appropriate threshold levels for each DoS attack. We benchmark the performance of LD², in terms of detection accuracy, CPU utilization, and memory requirement, against Snort [4], a well-known IDS. Results show that LD² accurately identifies all occurrences and all hosts associated with attack activities. Although LD² uses more CPU cycles than Snort, it consumes much less memory. We implement LD² as a plug-in to ntop [5], a popular network monitoring tool.

This paper is organized as follows. Section 2 outlines previous work on DoS attack detection, IDS, and Blind Classification. Section 3 describes the structure of the proposed system. Section 4 determines the appropriate threshold level for each attack. Section 5 evaluates the performance of LD². Section 6 discusses open issues and concludes the paper.

2. RELATED WORK

A. Intrusion Detection System (IDS)

An intrusion detection system (IDS) [6] analyzes computer and network activity to detect intrusion attempts as they occur. An IDS can detect DoS attacks either by matching traffic against signatures or by recognizing anomalies in system behavior. A signature-based IDS uses the signatures of well-known attacks to decide whether a packet represents suspicious activity. An anomaly-based IDS, on the other hand, detects abnormal behavior by monitoring network traffic and comparing it with a baseline; the baseline defines what is "normal" for that network, and the system raises an alert when it observes a significant deviation from it. A hybrid IDS that uses both technologies is also possible, with signatures and baseline behavior applied together either in series or in parallel. The signature-based model is common in commercial IDSs. Because it relies on known signatures, it may not catch new attacks; however, its accuracy is high and its false positive rate is relatively low. An anomaly-based IDS can detect unknown attacks, but it may produce a high false positive rate, that is, it may flag normal activity as an intrusion. It remains a challenge