Statistical Detection for Network Flooding Attacks

Academic year: 2021

C. S. Chao, Y. S. Chen, and A. C. Liu
Dept. of Information Engineering, Feng Chia Univ., Taiwan 407, ROC.
Email: [email protected]

Abstract

In order to meet the high demands of network availability and reliability, today's IDS (Intrusion Detecting System) is often constructed at a major portal to protect the managed network from attacks. Generally, current IDSs use the pattern matching method as the primary scheme to detect attacks. However, after an IDS is integrated into a router, the pattern matching method may impose an extreme computing load on the router, which keeps it from working correctly, or even crashes it, when under attack. In this research, the analysis of network traffic variation is combined with the pattern matching method to decrease the load arising from the IDS attached to the router. In addition, an overall monitoring system is designed to cooperate with the backbone routers that are equipped with our attack detecting mechanism. By using this system, network managers can learn not only of the occurrence of an attack but also where the attack passes through the network. Besides, a firewall is also built into the router, which can be started by managers to provide first line protection after an attack is detected.

Keywords: abrupt abnormal detection, statistical reference window, network flooding attacks, event correlation, network management

1. Introduction

Due to the explosive growth of network-related technology and the generalization of the Internet, the demand for Internet service quality becomes higher and higher day by day. However, the occurrences of network attacks and viruses have become the most serious problems at present. Disaster events such as attacks or viruses not only cause servers to crash but also bring serious degradation of performance and quality of service in correlated network segments. Therefore, an effective monitoring system for the adaptive scale of overall networks is essential.

For security, element vendors like CISCO and NetScreen incorporate an intrusion detection system (IDS) with their products to provide first line protection. By applying such integrated elements, a regional detection and monitoring system can be easily constructed. Current IDS techniques can be divided into the following types:

- Pattern matching
The pattern matching method often applies many rules generated by analyzing each attack. The IDS checks every packet against these pre-defined rules to determine whether an attack occurs or not. Most IDSs use pattern matching as the main detection method. The most serious problems of pattern matching are its low processing speed and its inability to detect novel attacks. In order to improve processing performance, Fisk [1] and Coit [2] have individually proposed several new methods to speed up pattern comparing. Snort 2.0 [3] also uses a rule optimizer and a rule classifier for the purpose of detecting faster.

- Abnormal behavior detection
Abnormal behavior detection is an
unpopular method that detects abnormal behavior with statistics. This method is usually used in network management for fault detection or prediction. In 1990, Maxion et al. [4] monitored the network traffic at Carnegie Mellon University for about 7 months and used those data to construct a traffic model to predict the traffic amount in the next time slot. Then they set an appropriate threshold for the next time slot to check whether traffic changes abnormally. Hood et al. [5] collected all the logs for fault verification and used a Bayesian network to calculate the probability of fault occurrence in each time slot. Thottan et al. [6] used a first order auto-regressive model to calculate white noise series. A generalized likelihood ratio was used to determine the degree of a parameter change. At the end, Thottan et al. [6] used spatial correlation to combine all the parameters they chose to check whether a fault happened. Unfortunately, with abnormal behavior detection it is hard to verify whether the detected abnormal behavior is really abnormal or not. Therefore, managers need to check logs or some other record to verify the abnormal behavior. But abnormal behavior detection is very suitable for raising the suspicion that an error has occurred.

- Abnormal protocol detection
The abnormal protocol detection method focuses on observing the structure and content of a connection. Most abnormal protocol attacks are aimed at connection protocols such as Telnet, HTTP, RPC, SMTP, and Rlogin. If we define the rules for a connection protocol in the detector, it is very easy to determine invalid connection traffic such as unexpected data, unnecessary characters and invalid characters. That is why abnormal protocol attacks can be determined. For instance, the CodeRed worm tries to use the GET command to ask the infected server to execute a malicious program. The IDS checks the content of the HTTP connection protocol, thus abnormal protocol attacks can be easily determined. But sometimes this kind of attack may pass through a pattern matching IDS. Therefore, an abnormal protocol detection IDS can be used to complement the insufficient ability of a pattern matching IDS to discover attack behavior that violates the connection protocol.

- Visualization
Hiraishi et al. [7] used a "Hyperbolic Tree" to visualize the log data after a user logs in. Managers can understand all the actions and information of each user by observing the "Hyperbolic Tree" and can easily discover invalid actions when the branches connected to the "Danger" group grow explosively. Erbacher et al. [8] used two basic components to construct a connection graph for a managed host. The first part was an arrow that showed a connection before or after authentication, and the second part was a circle that every arrow pointed to. They defined several kinds of arrows for Telnet, FTP, network file system (NFS), initial inetd connection and port scan separately. All the connections of that host can be observed easily by observing the connection graph. If there is an attack on that host, we can easily discover it by monitoring the change of the graph in the visual IDS.

In general, current IDSs use the pattern matching method as the main detection method. Consequently, in this research, pattern matching is chosen as the main detection method and is built into the router. After the IDS is integrated into the router, the pattern matching method may put too heavy a load on the router for it to work. In order to decrease the load caused by the IDS, we try to combine the pattern matching method and the change detecting method to detect flooding attacks. If the pure pattern matching method causes too heavy a load in the router,
the combination method of change detecting and pattern matching will be used.

2. Disaster Events Detecting

As described in section 1, disaster events propagate over several network segments, and the whole range they pass through is affected. Therefore, constructing a management system that monitors the entire managed network, in order to understand the range that attacks affect, is very important. For this kind of management system, the detection and reasoning can go from the point perspective to the line perspective and from the line perspective to the surface perspective.

- Point perspective
When an attack occurs, the flooding traffic passes through many network elements and causes the value of a specific packet statistic to grow explosively. The traffic statistic of each interface of every network element is monitored. The SNMP protocol can easily provide us with the information for determining whether the traffic rises abnormally or not. The category of attack can be reasoned by verifying the packet type of the traffic with the abrupt change; then the pattern matching method is triggered by the system to do further detection.

- Line perspective
After the anomaly is detected in an interface, the direction of the attack traffic needs to be ascertained. Each attack flow is transmitted from one element to another until the traffic reaches the target host. Therefore, the direction of the attack traffic can be reasoned by monitoring the incoming and outgoing traffic of each interface in every network element.

- Surface perspective
After having all attack traffic directions, we can go a step further to infer the location that the attack traffic is going to affect. Thus, the managers downstream can be notified to prepare defense works.

Figure 1. Propagation of attack traffic. (Diagram: elements 1 to 5 over time slots t1, t2 and t3; the downstream link is marked "May be affected in next time slot t3".)

As figure 1 shows, the attack traffic passes through links (1->3) and (2->3) in time t1, and gets across element 3 to element 4 in time t2. Thus, we can infer that the downstream of element 4, link (4->5), will become the next path that the attack traffic might pass through. Managers must complete defense works in time to prevent the network segment after element 5 from being affected.

In order to avoid the manager being unable to obtain information because of congestion caused by the attack, the out-of-band management architecture represented in figure 2 is adopted. Every managed element should connect directly to the manager to form an independent managed domain. No host can transfer data to the managed domain besides the manager and the managed elements; that is, only management traffic can exist in that domain. By adjusting the routing table in each router, we can easily create an independent domain for management.

Figure 2. Management architecture. (Diagram: Manager Domain (LAN), Out-Of-Band, Real-World Network.)

When an attack occurs, managers receive a large amount of alarms. Therefore, managers need some information to recognize these alarms and correlate them. In order to differentiate which element and interface these
alarms belong to, we define the alarm format as figure 3 shows.

| Time Stamp | Type | Category | Element & Interface | Connect Element & Interface |

Figure 3. Alarm format.

Each field is described as follows:
- Timestamp: records the time that the alarm is generated;
- Type: records the type of alarm, "Send" or "Receive";
- Category: records the category of attack;
- Element & Interface: the element and interface that the alarm belongs to;
- Connect Element & Interface: records the element and interface at the other end of the link; this information can help us quickly find the corresponding alarm if it is generated.

The entire steps of location correlation are listed as follows:
1. Collecting all alarms in time t;
2. Pairing these alarms according to the connection correlation;
3. Finding all anomaly links;
4. Classifying anomaly links according to attack type;
5. Mapping anomaly links and directions into the topology.

Regarding time, in 2001 Chao et al. [9] proposed that some faults can be modeled by a finite state machine with two or three states. A fault can be divided into "Start," "Last," and "Stop" states. In the same year, Cabrera et al. [10] reported the time line of a DDoS attack as shown in figure 4. As figure 4 shows, an attack starts at t3 and lasts until the target is shut down at t5. Thus it can be seen that a DDoS attack can also be modeled by a three state finite state machine with "START," "LAST," and "STOP" states.

Figure 4. DDoS attack timing outline. (Timeline events: Master initiates the installation of slave; Master completes the installation of slave; Master commands slaves to initiate attack; Slaves start sending traffic to target; Traffic reaches the target; The target is shut down.)

Figure 5. Example of detecting timing outline. (Diagram labels: Change detecting; Choose corresponding rule; Pattern matching; Generating Begin alarm (B); Generating Last alarm (L); Generating End alarm (E); Clear rules.)

Figure 5 is a simple example of detecting disaster events. After an abrupt change is detected, the corresponding rules are chosen to check the corresponding packets. For instance, when an abrupt change of TCP traffic is detected, only TCP-related rules are chosen and only TCP packets are examined. If an attack is detected, a "Begin" alarm is generated. In the following time slots, although no change is detected, the pattern matching method is still triggered to check whether the attack lasts. If the attack still lasts, a "Last" alarm is generated. After another abrupt change is detected and no attack packet is found, an "End" alarm is generated and the corresponding rules are cleared.

3. Change Detection

In order to detect the abrupt change accurately, the time series data of each kind of packet are processed by several change detecting methods. The accuracies of these methods are compared in section 4.

3.1 Series Segmentation

These time series data are divided into a "reference window" and a "test window"
respectively before being processed by the change detecting method. In this research, two different methods were used to decide the reference window size. The first one is "Fixed" and the second one is "Variance".

- Fixed window size: The size of the reference window is fixed in each comparison. Also, the size of the reference window is the same as the size of the test window. The window size is decided by the user. In our experiment, we compare the accuracies of different window sizes to decide how many samples to use per window.

- Variance window size: The size of the reference window is variable; the time series data of the test window are compared not only with data of the same length, but also with data of double, triple and even further multiples of the test window size. The method we use to decide the reference window is described in the following three steps:
a. Initially, the size of the reference window and the test window is the same. Suppose the starting point of the reference window is time T, the ending point of the reference window and starting point of the test window are time T + t, and the stopping point of the test window is time T + 2t. Time T + t can be looked on as a partition point between the reference window and the test window.
b. While comparing the reference window with the test window, if the variation degree is not over the threshold, the partition point shifts to the end of the test window. The system then gets the next test window. This step repeats until the variation degree is over the threshold.
c. When the variation degree exceeds the threshold, the change point is set at the partition point. That means an abrupt change is detected at that time. The detection procedure is restarted at the change point.

Figure 6. Various Window Sizes. (Diagram: at time T, two windows of the same size are chosen initially; at time T + t, no change occurs and the reference window extends; at time T + 3t, no change occurs and the reference window extends continually; at time T + 4t, a change occurs and a new reference window is chosen at the change point.)

3.2 Detecting Methods

- Log likelihood ratio test with first order Auto-Regressive model
In our experiment, the segmentation method proposed by Hood et al. [11] was used as a change detector. After two adjacent windows are modeled with AR(1), two white noise series are generated. The joint probability l that a change is detected and the joint probability l0 that no change is detected can be calculated. The joint probability l is as follows:

$$ l = \left(\frac{1}{\sqrt{2\pi\sigma_R^2}}\right)^{N_R} \left(\frac{1}{\sqrt{2\pi\sigma_T^2}}\right)^{N_T} \exp\left(\frac{-N_R\sigma_R^2}{2\sigma_R^2}\right) \exp\left(\frac{-N_T\sigma_T^2}{2\sigma_T^2}\right) \qquad \text{Eq. (3.1)} $$

where $N_R$ and $N_T$ are the numbers of random variables of the white noise series of the reference window and the test window respectively. The probability that no change is observed between the two windows is:

$$ l_0 = \left(\frac{1}{\sqrt{2\pi\sigma_p^2}}\right)^{N_R+N_T} \exp\left(\frac{-(N_R+N_T)\sigma_p^2}{2\sigma_p^2}\right) \qquad \text{Eq. (3.2)} $$

where $\sigma_p^2$ is the pooled variance. The log likelihood ratio is used to calculate the change degree as follows:

$$ \eta = (N_R + N_T)\log\sigma_p - N_R\log\sigma_R - N_T\log\sigma_T \qquad \text{Eq. (3.3)} $$
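The variable reference window procedure (steps a to c) driven by the change degree of Eq. (3.3), as an added example that is not the authors' code. The least-squares AR(1) fit, the maximum-likelihood pooled variance, the function names and the constructed sample series (background around 400 packets per sample with a constant 1000-packet flood between samples 315 and 465) are assumptions; `variable=False` gives the fixed-size window.

```python
import math
import random


def ar1_residuals(window):
    """Fit AR(1) by least squares (assumed estimator) and return the white-noise residuals."""
    mean = sum(window) / len(window)
    d = [v - mean for v in window]
    den = sum(v * v for v in d[:-1])
    phi = sum(d[i] * d[i - 1] for i in range(1, len(d))) / den if den else 0.0
    return [d[i] - phi * d[i - 1] for i in range(1, len(d))]


def change_degree(reference, test, floor=1e-9):
    """Eq. (3.3): eta = (NR + NT) log sigma_p - NR log sigma_R - NT log sigma_T."""
    res_r, res_t = ar1_residuals(reference), ar1_residuals(test)
    n_r, n_t = len(res_r), len(res_t)
    # Residual variances; the floor keeps log() defined for a perfectly flat window.
    var_r = max(sum(e * e for e in res_r) / n_r, floor)
    var_t = max(sum(e * e for e in res_t) / n_t, floor)
    # Pooled variance, assumed here to be the sample-weighted average of both windows.
    var_p = (n_r * var_r + n_t * var_t) / (n_r + n_t)
    # log(sigma) = 0.5 * log(variance)
    return 0.5 * ((n_r + n_t) * math.log(var_p)
                  - n_r * math.log(var_r) - n_t * math.log(var_t))


def detect_changes(series, window, threshold, variable=True):
    """Return the partition points (sample indices) at which an abrupt change is declared."""
    if window < 3:
        raise ValueError("window must hold at least 3 samples for an AR(1) fit")
    changes = []
    ref_start, part = 0, window            # step a: two windows of the same size
    while part + window <= len(series):
        eta = change_degree(series[ref_start:part], series[part:part + window])
        if eta > threshold:
            changes.append(part)           # step c: change point = partition point
            ref_start = part               # restart detection at the change point
        elif not variable:
            ref_start = part               # fixed size: reference is the previous window
        # step b (variable size): ref_start stays, so the reference window extends
        part += window
    return changes


def constructed_series(n=600, onset=315, end=465, seed=7):
    """Constructed packet counts per sample: Gaussian background plus a constant flood."""
    rng = random.Random(seed)
    return [rng.gauss(400, 20) + (1000 if onset <= i < end else 0) for i in range(n)]


if __name__ == "__main__":
    counts = constructed_series()
    print("variable window:", detect_changes(counts, window=30, threshold=10))
    print("fixed window:   ", detect_changes(counts, window=30, threshold=10, variable=False))
```

On the constructed series both window modes report partition points 300, 330, 450 and 480: the detector fires on both edges of each test window that straddles a level shift, which is where the pattern matching stage would be triggered to confirm the attack.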

Another two trivial methods, standard deviation comparison and average comparison, are also used in our experiment. The change degree of standard deviation comparison is

$$ \eta = \frac{(\sigma)_{higher}}{(\sigma)_{lower}} \qquad \text{Eq. (3.4)} $$

and the change degree of average comparison is

$$ \eta = \frac{Average_{higher}}{Average_{lower}} \qquad \text{Eq. (3.5)} $$

4. Performance Evaluation

In order to monitor the behavior of an attack, we constructed a small network with 3 PC routers, 4 PCs, 2 switches and 1 hub, shown in figure 7. The hardware, software and settings we used are listed in table 1:

Table 1. Experimental Environment Description

| Item | Setting |
| Hardware | P200 + 64MB Memory |
| OS | Redhat linux 7.3 |
| Routing daemon | Gated |
| Routing Protocol | RIP |
| Flow calculator | NeTraMet (Flow Meter MIB) |
| Background Traffic | Poisson: 200, 400, 600, 800, 1000 pkts/s; WWW: 40, 80, 120, 160, 200 users |
| Attack | 1000, 2000 pkts/s |
| Window size | 5, 10, 15, 20, 30 samples |
| Threshold | 2, 3, 5, 10 |

Figure 7. Experimental Environment. (Diagram legend: Background Traffic, which simulates normal traffic; Attack Traffic.)

Figure 7 displays our experimental environment. There is bi-directional background traffic in the backbone to simulate common traffic. In this experiment, the attack was generated by two attackers. The three change detecting methods described in section 3 were used to detect the abrupt change caused by the attack. In order to simulate a multi-node environment, a multi-process packet generator and DDoS tools were constructed. We use two kinds of background traffic. The first one is Poisson, in which packet arrivals follow a Poisson distribution. The inter-arrival time is

$$ t = -\frac{\log(1-p)}{\lambda} \qquad \text{Eq. (4.1)} $$

where $\lambda$ is the average arrival rate for sending packets.

Figure 8. Poisson Traffic.

Figure 8 is an example of Poisson traffic. As we can see, the traffic seems too stable and unlike real world traffic. Therefore, the second kind of background traffic, WWW, proposed by S. Deng [12], was used and is shown in figure 9.

Figure 9. WWW Traffic.

WWW traffic is generated by n sources with On and Off states. The Weibull distribution was used to calculate the On period time, as shown in equation 4.2:

$$ t = \theta\,[-\ln(1-p)]^{1/k} \qquad \text{Eq. (4.2)} $$

where $\theta = e^{4.5}$, $k = 0.88$ and the value of p is random. In the On period, S. Deng [12] also used the Weibull distribution with different parameters to calculate the packet inter-arrival time. The parameters are listed as follows:
$\theta = 1.5$, $k = 0.5$, p: random.

The Off period time is calculated by using the Pareto distribution; the equation and parameters are listed as follows:

$$ t = (1-p)^{-1/\alpha} $$

where $\alpha = 0.5$.

In our experiments, the accuracies of every method with different parameters were compared. The best result of each method is shown in figure 10 and figure 11. For example, in figure 10, "m2-30-5" means using method 2 with 30 samples per window at threshold 5. That is, the window size 30 and threshold 3 are the best settings of method 2. Methods 1 to 6 are described as follows:
- m1: Log likelihood ratio test with AR(1) with fixed reference window size
- m2: Log likelihood ratio test with AR(1) with variance reference window size
- m3: average comparing with fixed reference window size
- m4: average comparing with variance reference window size
- m5: standard deviation comparing with fixed reference window size
- m6: standard deviation comparing with variance reference window size

Figure 10. The best result of each detecting method in Poisson background traffic. (Plot: accuracy against background traffic of 200, 400, 600, 800, 1000 and "1000-2"; series m1-30-5, m2-30-5, m3-30-2, m4-30-2, m5-30-5, m6-20-5.)

Figure 10 represents the best result of each detecting method. In this experiment, the attack traffic is 2000 pkts/s, but we find most methods have good accuracies because the difference between attack and background traffic is very large. Therefore, we decrease the attack traffic to 1000 pkts/s and use 1000 pkts/s background traffic. The result is shown as "1000-2". In figure 10, we can see that method 2 and method 5 with window size 30 and threshold 5 are better than the others in detecting the change caused by the attack. The experiment result can only apply to a stable network environment. If the background traffic is not stable, the result may be different.

Figure 11. The best result of each detecting method in WWW background traffic. (Plot: accuracy against 40, 80, 120, 160 and 200 users; series m1-30-5, m2-30-2, m3-30-2, m4-30-3, m5-15-3, m6-20-2.)

Figure 11 depicts the best result of each detecting method in WWW background traffic. From this experiment, we found that the log likelihood ratio test cannot provide a good detection of abrupt change with WWW background traffic. As we can see, the accuracies of method 3 and method 4 with 30 samples per test window and method 5 with 15 samples per test window at threshold 3 are higher than 80%. The best one among the methods is method 4.

5. Comparison of Detecting Methods

In this section, we show the comparison between the pattern matching method and the combination method of change detecting and pattern matching. We discuss two conditions: normality and under attack. In the traditional pattern matching method, the content of each packet is compared with every rule in
the IDS after decoding, as shown in figure 12.

Figure 12. Traditional pattern matching method. (Diagram: TCP, UDP and ICMP packets are each compared with all TCP, UDP and ICMP rules.)

Since decoding is an essential step for every method, we only consider the matching times in the comparison. The total number of matching times of the traditional pattern matching method can be written as:

$$ T = N \sum_{i=1}^{R} a_i \qquad \text{Eq. (5.1)} $$

where N is the total number of packets, R is the total number of rules and $a_i$ is the number of items of rule i. In order to decrease the frequency of matching, a new pattern matching method classifies all packets before matching. The content of each packet is only compared with the corresponding rules, as figure 13 shows. For instance, a TCP packet is only compared with TCP-related rules.

Figure 13. Improved pattern matching method. (Diagram: TCP, UDP and ICMP packets are each compared only with the rules of their own category.)

The number of matching times can be written as:

$$ T = N \cdot s + \sum_{i=1}^{x}\sum_{j=1}^{n_i}\sum_{k=1}^{R_i} a_k \qquad \text{Eq. (5.2)} $$

where N is the total number of packets, s is the matching times of packet classification, $a_k$ is the number of items of rule k, $R_i$ is the number of rules of category i, $n_i$ is the number of packets of category i, and x is the number of classifications. In equation 5.2, $N \cdot s$ is the total number of matching times in packet classification, $\sum_{k=1}^{R_i} a_k$ is the number of matching times of category i for one packet in category i, $\sum_{j=1}^{n_i}\sum_{k=1}^{R_i} a_k$ is the number of matching times of category i for all packets in category i, and $\sum_{i=1}^{x}\sum_{j=1}^{n_i}\sum_{k=1}^{R_i} a_k$ is the number of matching times of category i for every packet. In the pattern matching methods, the equation of matching times in the normal condition is the same as the number of matching times when the network is under attack, because whether an attack occurs or not, these two methods always check every packet.

The combination method of change detecting and pattern matching only calculates the amount of each category of packet and detects whether an abrupt change occurs or not; therefore, matching is only used for packet classification. The number of actions after decoding is:

$$ T = N(s+1) \qquad \text{Eq. (5.3)} $$

where N is the total number of packets and s is the matching times of packet classification. In equation 5.3, the additional 1 is the action of counting the packet after classification. After a change is detected, the pattern matching method is triggered for 5 seconds every 2.5 minutes to check whether an attack has really taken place, until no attack packet is detected. Only attack-related rules are chosen, as figure 14 shows. For instance, if a change was detected in TCP packets, only TCP-related rules are chosen. Thus, if a UDP or ICMP packet comes, it is ignored.

Figure 14. Pattern matching method combined with change detecting method. (Diagram: of the TCP, UDP and ICMP packets, only TCP packets are compared with TCP rules.)

The number of actions can be expressed as:

$$ T = N(s+1) + \sum_{i=1}^{x}\sum_{j=1}^{m_i}\left(p_i \sum_{l=1}^{r_i} a_l\right) \qquad \text{Eq. (5.4)} $$
where $\sum_{i=1}^{x} m_i = \lambda t$, N is the total number of packets, s is the matching times of packet classification, $a_l$ is the number of items of rule l, $p_i$ is the probability that a change is detected for packet category i, $r_i$ is the number of rules of category i, x is the number of classifications, $m_i$ is the number of packets of category i, $\lambda$ is the average packet arrival rate, and t is the time of using the pattern matching method. $\left(p_i \sum_{l=1}^{r_i} a_l\right)$ is the expected value of the number of matching times for one packet in category i. In this method, the content of each packet is only compared with the rules corresponding to the type of the burst traffic. For example, the content of a TCP packet is only compared with TCP-related rules: if the category of the current burst traffic is TCP, the TCP-related rules are chosen and the number of matching times is $\sum_{l=1}^{r_t} a_l$ ($a_l$ is the number of items of a TCP-related rule and $r_t$ is the number of TCP-related rules). But if the category of the current burst traffic is UDP or ICMP, the number of matching times is 0. Hence the expectation of the number of matching times for a TCP packet is

$$ p_t \sum_{l=1}^{r_t} a_l + p_u \cdot 0 + p_i \cdot 0 = p_t \sum_{l=1}^{r_t} a_l $$

The number of packets that need to be compared with rules is $\lambda t$. In our experiment, t is 5, because we only compare with rules for 5 seconds every 2.5 minutes. So the time the combination method needs to collect packets for comparing with rules is much smaller than the time the pattern matching method needs. For each packet, the number of matching times of the combination method is less than the number of matching times of the new pattern matching method, because $p_i$ must be <= 1, so $p_t \sum_{l=1}^{r_t} a_l < \sum_{k=1}^{R_i} a_k$. The amount of packets that should be compared is also less than in the pattern matching method, because the packet collecting time is only 1/30. Thus, the total matching times as well as the load are reduced very much.

6. System Implementation

Figure 15. Topology view.

In our implementation, the management system can be divided into two parts. One is the Monitor constructed in the Manager and the other is the Detector constructed in the PC routers. The topology view of the Monitor is shown in figure 15. Before the Monitor is started, a topology description must be constructed first. When the Monitor is started, the topology description is used to construct a topology list that contains each element and interface, shown as a tree structure in the topology view. The topology list can be clicked to get more detailed information about each interface.

The Monitor is responsible for collecting the alarms generated by each element and mapping these alarms into the topology after classifying them. The symbol R means that abnormal input traffic is detected in this interface, and the symbol S means abnormal output traffic. By observing the topology view in the Monitor, we can understand the whole condition of the managed network.

After an interface is clicked in the topology list, detailed information can be obtained as figure 16 shows. When the amount of packets of a flow is over the threshold, for example 1/15 of TCP traffic, the flow is shown in the interface view. In this view, the flows of all detected attacks will be
shown first, followed by the flows that exceed the threshold. Every flow shown in this view is checked against normal rules to determine whether the flow is allowed in the network segment or not. If not, the state column shows "Abnormal". For every flow, the "Drop" button can be clicked to trigger the firewall to drop the packets of that flow. When an attack is detected, the interface that is closest to the source can be found from the Monitor. The flow can be dropped at that interface to protect the managed network.

Figure 16. Interface information.

7. Conclusion

In this paper, we integrate the IDS into the router and propose a management architecture to detect attacks in a large scale network. In order to avoid the effect of the heavy load caused by the pattern matching method, we combine the change detecting method with pattern matching to relieve the heavy load of the IDS. The most serious disadvantage of our combination method is change detection. Because the pattern matching method is only triggered after an abrupt change is detected, most packets are ignored. Thus, the detecting method is only useful for detecting flooding attacks. In high utilization links, the detecting method will not detect any abrupt change even if an attack occurs, because the change degree is not large enough. Therefore, the management system we proposed should be looked on as first line protection. For specific services, a host IDS should be adopted to provide advanced protection.

References

1. M. Fisk and G. Varghese, Fast Content-Based Packet Handling for Intrusion Detection. UCSD Technical Report CS2001-0670, May 2001.
2. C.J. Coit, S. Staniford, and J. McAlerney, Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. DARPA Information Survivability Conference and Exposition (DISCEX II'01), Volume I, June 12-14, 2001.
3. Snort 2.0, Open Source Network Intrusion Detection System, http://www.snort.org.
4. R.A. Maxion and F.E. Feather, A case study of Ethernet Anomalies in a Distributed Computing Environment. IEEE Transactions on Reliability, Vol. 39, No. 4, October 1990.
5. C.S. Hood and C. Ji, Proactive Network Fault Detection. INFOCOM '97, Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Volume 3, 7-12 Apr 1997, Page(s): 1147-1155.
6. M. Thottan and C. Ji, Adaptive Thresholding for Proactive Network Problem Detection. IEEE International Workshop on Systems Management, 22-24 April 1998, Page(s): 108-116.
7. H. Hiraishi and F. Mizoguchi, Design of a visual browser for network intrusion detection. Infrastructure for Collaborative Enterprises, 2001. WET ICE 2001, Page(s): 132-137.
8. R.F. Erbacher, K.L. Walker, and D.A. Frincke, Intrusion and misuse detection in large-scale systems. Computer Graphics and Applications, IEEE, Volume 22, Issue 1, Jan/Feb 2002, Page(s): 38-47.
9. C.S. Chao, D.L. Yang, and A.C. Liu, A time-aware fault diagnosis system in LAN. Integrated Network Management Proceedings, 2001, Page(s): 499-512.
10. J.B.D. Cabrera, L. Lewis, X. Qin, W. Lee, R.K. Prasanth, B. Ravichandran, and R.K. Mehra, Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study. Integrated Network Management Proceedings, Page(s): 609-622.
11. C.S. Hood and C. Ji, Beyond thresholds: an alternative method for extracting information from network measurements. Global Telecommunications Conference, 1997, Volume 1, 3-8 Nov 1997, Page(s): 487-491.
12. S. Deng, Empirical Model of WWW Document Arrival at Access Link. ICC 96, Conference Record, Converging Technologies for Tomorrow's Applications, 1996, Volume 3, 23-27 June 1996.
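
The location-correlation steps of Section 2 and the downstream inference illustrated by Figure 1, as an added example that is not the authors' code. The `Alarm` tuple mirrors the alarm format of Figure 3; the function names, the interface labels, the directed topology map and the sample alarms are constructed for illustration, and treating a link as anomalous when only one end reports is an assumption.

```python
from collections import namedtuple

# Fields follow the alarm format of Figure 3; element and connect are
# (element, interface) pairs naming the two ends of one link.
Alarm = namedtuple("Alarm", "timestamp type category element connect")


def anomaly_links(alarms, slot):
    """Steps 1-4: collect the alarms of one time slot, pair each Send alarm with the
    Receive alarm raised at the other end of the link, and classify links by category.
    Returns {category: {(src_element, dst_element): "paired" | "unpaired"}}."""
    seen = {}
    for a in alarms:
        if a.timestamp != slot:
            continue
        # A Send alarm points away from its own element, a Receive alarm towards it.
        src, dst = (a.element, a.connect) if a.type == "Send" else (a.connect, a.element)
        seen.setdefault(a.category, {}).setdefault((src, dst), set()).add(a.type)
    return {
        cat: {(s[0], d[0]): "paired" if types == {"Send", "Receive"} else "unpaired"
              for (s, d), types in links.items()}
        for cat, links in seen.items()
    }


def next_affected(links, topology):
    """Step 5 and the surface perspective: map the directed anomaly links onto the
    topology and return the links leaving elements the traffic has reached but
    is not yet reported to have left."""
    reached = {dst for _, dst in links}
    forwarding = {src for src, _ in links}
    return sorted((e, nxt) for e in reached - forwarding for nxt in topology.get(e, ()))


# Constructed data: downstream neighbours of the five elements drawn in Figure 1.
TOPOLOGY = {1: [3], 2: [3], 3: [4], 4: [5]}

# Constructed alarms; the Receive alarm for link 2->3 is deliberately missing.
ALARMS = [
    Alarm("t1", "Send", "TCP", (1, "if0"), (3, "if0")),
    Alarm("t1", "Receive", "TCP", (3, "if0"), (1, "if0")),
    Alarm("t1", "Send", "TCP", (2, "if0"), (3, "if1")),
    Alarm("t2", "Send", "TCP", (3, "if2"), (4, "if0")),
    Alarm("t2", "Receive", "TCP", (4, "if0"), (3, "if2")),
]

if __name__ == "__main__":
    for slot in ("t1", "t2"):
        for category, links in anomaly_links(ALARMS, slot).items():
            print(slot, category, links, "next:", next_affected(links, TOPOLOGY))
```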
