
Detecting Distributed Denial of Service Attacks by Sharing Distributed Beliefs

Tao Peng1 , Christopher Leckie1,2 , and Kotagiri Ramamohanarao1,2


1 ARC Special Research Center for Ultra-Broadband Information Networks, Department of Electrical and Electronic Engineering, The University of Melbourne, Victoria 3010, Australia. {t.peng,c.leckie}@ee.mu.oz.au, http://www.ee.mu.oz.au/cubin
2 Department of Computer Science and Software Engineering, The University of Melbourne, Victoria 3010, Australia. rao@cs.mu.oz.au

Abstract. We propose a distributed approach to detect distributed denial of service attacks by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes, which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. In a multi-agent scenario, we show that by sharing the distributed beliefs, we can improve the detection efficiency.

1 Introduction

A denial-of-service (DoS) attack is a malicious attempt by a single person or a group of people to cripple an online service. The impact of these attacks can vary from minor inconvenience to users of a website, to serious financial losses for companies that rely on their on-line availability to do business. As emergency and essential services become more reliant on the Internet as part of their communication infrastructure, the consequences of denial-of-service attacks could even become life-threatening. There are many indications that since September 11, the number of DoS attacks has greatly increased [3]. Attackers can instruct computers under their control to send bogus data to a victim. Simultaneously, the resulting traffic can clog links, and cause routers near the victim or the victim itself to fail under the load. The type of DoS attack that causes problems by overloading the victim with useless traffic is known as a bandwidth attack. This paper focuses on curtailing bandwidth attacks.

A key problem to tackle when solving bandwidth attacks is attack detection. There are two challenges for detecting bandwidth attacks. The first challenge is how to detect malicious traffic close to its source. This is particularly difficult when the attack is highly distributed, since the attack traffic from each source may be small compared to the normal background traffic. The second challenge is to detect the bandwidth attack as soon as possible without raising a false alarm, so that the victim has more time to take action against the attacker.

Previous approaches rely on monitoring the volume of traffic that is received by the victim [10]. Due to the inherently bursty nature of Internet traffic, a sudden increase in traffic may be mistaken for an attack. If we delay our response in order to ensure that the traffic increase is not just a transient burst, then we risk allowing the victim to be overwhelmed by a real attack. Moreover, some persistent increases in traffic may not be attacks, but actually flash crowd events, where a large number of legitimate users access the same website simultaneously. We need to distinguish between these events.

A better approach is to monitor the number of new source IP addresses, rather than the local traffic volume. Jung et al. [7] have observed that during bandwidth attacks, most source IP addresses are new to the victim, whereas most source IP addresses in a flash crowd have appeared at the victim before. Previously, this observation has been used as the basis for a mechanism to filter out attack traffic at the victim [13]. In our previous paper [12], we proposed to monitor the number of new IP addresses in a given time period in order to detect bandwidth attacks. In this paper, we propose a distributed detection scheme based on source IP address monitoring. Our main contribution in this paper is that we describe how machine learning can be used to improve the efficiency of a multi-agent system for distributed attack detection. We show that this approach is much more effective than earlier schemes, especially when there are multiple attack sources and the attack traffic is highly distributed. We adapt the detection scheme proposed by Wang et al. [16], which is based on an advanced non-parametric change detection scheme, CUSUM, and demonstrate that this approach detects a wide range of attacks quickly and with high accuracy.

The rest of the paper is organized as follows. Section 2 gives an overview of our solution to this problem. Section 3 explains the methodologies we used for attack detection. Section 4 presents the simulation results of our detection mechanism. Section 5 discusses related work.

2 Our Solution: Source IP Address Monitoring

We propose a scheme called Source IP address Monitoring (SIM) to detect Highly Distributed Denial of Service (HDDoS) attacks. This detection scheme uses an intrinsic feature of HDDoS attacks, namely the huge number of new IP addresses in the attack traffic to the victim. This novel approach has the advantage that it can detect attacks close to their sources in the early stages of the attack. SIM contains two parts: off-line training, and detection and learning.

The first part is the off-line training, where a learning engine adds legitimate IP addresses into an IP Address Database (IAD) and keeps the IAD updated by adding new legitimate IP addresses and deleting expired IP addresses. This is done off-line to make sure the traffic data used for training does not contain any bandwidth attacks. A simple rule can be used to decide whether a new IP address is legitimate or not. For example, a TCP connection with fewer than 3 packets is considered to be an abnormal IP flow. How to build an efficient IAD is discussed in detail in [13].

The second part is detection and learning. During this period, we collect several statistics of the incoming traffic for the current time interval n. For example, by analyzing the number of new IP addresses, we can detect whether a HDDoS attack is occurring. More details are discussed in [12]. More importantly, in a multi-agent scenario, the detection performance can be improved by sharing the information among the agents using a machine learning scheme.

3 Methodology

Our detection mechanism has two key parts. The first is a scheme for individual detection agents to detect abnormal network behavior. The second is a rule to decide when to broadcast the warning message.

Fig. 1. The CUSUM algorithm (top: Xn with a mean step of h at time m; middle: Zn with negative mean a; bottom: yn against the threshold N)

Fig. 2. Distributed detection model

3.1 The CUSUM Algorithm

Let Xn represent the fraction of new IP addresses during time interval n. Consider the illustrative example in Figure 1. For the random sequence {Xn}, there is a step change of size h in the mean value at time m. We require an algorithm to detect changes of at least step size h and estimate m in a sequential manner, so that the detection delay and false positive rate are both minimized. In our experiment, we applied the non-parametric CUSUM (Cumulative Sum) method [2] in our detection algorithm. This general approach is based on the model presented in Wang et al. [16] for attack detection using CUSUM. The main idea behind the non-parametric CUSUM algorithm is that we accumulate values of Xn that are significantly higher than the mean level under normal operation. One of the advantages of this algorithm is that it monitors the input random variables in a sequential manner, so that real-time detection is achieved.

Let us begin by defining our notation before we give a formal definition of our algorithm. As we mentioned before, Xn represents the fraction of new IP addresses in the measurement interval n. The top graph in Figure 1 shows an illustrative example of {Xn}. In normal operation, this fraction will be close to 0, i.e. E(Xn) ≪ 1, since only a small proportion of IP addresses are new to the network under normal conditions [7][13]. However, one of the assumptions of the non-parametric CUSUM algorithm [2] is that the mean value of the random sequence is negative during normal conditions, and becomes positive when a change occurs. Thus, without loss of any statistical feature, {Xn} is transformed into another random sequence {Zn} with negative mean a by subtracting a constant offset from Xn (see the middle graph of Figure 1). This offset parameter is a constant value for a given network condition, and it produces a random sequence {Zn} with a negative mean so that the negative values of {Zn} do not accumulate over time. When an attack happens, Zn will suddenly become large and positive, i.e. h + a > 0, where h can be viewed as a lower bound of the increase in Zn during an attack. Hence, Zn with a positive value (h + a > 0) is accumulated to indicate whether an attack happens or not (see the bottom graph of Figure 1). One thing worth noting is that h is defined as the minimum increase of the mean value during an attack; it is not the threshold for bandwidth attack detection. The attack detection threshold N is applied to yn, the accumulated positive values of Zn, which is illustrated in Figure 1. Our change detection is based on the observation of h. For efficiency, we use the recursive version of the non-parametric CUSUM algorithm [1][2][16], which is as follows:

yn = (yn−1 + Zn)+, y0 = 0, (1)

where x+ is equal to x if x > 0 and 0 otherwise. A large yn is a strong indication of an attack. As we see in the bottom graph of Figure 1, yn represents the cumulative positive values of Zn. We consider the change to have occurred at time N if yN > N. The decision function can be described as follows:

dN(yn) = 0 if yn ≤ N; 1 if yn > N.

N is the threshold for attack detection and dN(yn) represents the decision at time n: 1 if the test statistic yn is larger than N, which indicates an attack, and 0 otherwise, which indicates normal operation. Further details can be found in [12].
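The recursive CUSUM of equation (1) applied to the per-interval fraction of new source addresses, as an added example that is not code from the paper. The name `beta` for the constant offset subtracted from Xn, the threshold values and the synthetic traffic (documentation address ranges) are constructed assumptions.

```python
"""Non-parametric CUSUM over the fraction of new source IP addresses per interval.

Added example, not code from the paper. The constant offset `beta`, the
threshold values and the synthetic traffic below are constructed assumptions.
"""
from typing import Iterable, List, Optional, Set, Tuple


def new_ip_fraction(interval_ips: Iterable[str], iad: Set[str]) -> float:
    """X_n: share of distinct source addresses in this interval that are absent
    from the IP Address Database (IAD) built during off-line training."""
    seen = set(interval_ips)
    if not seen:
        return 0.0
    return len(seen - iad) / len(seen)


def cusum(xs: List[float], beta: float, threshold: float) -> Tuple[List[float], Optional[int]]:
    """Recursive non-parametric CUSUM, eq. (1): y_n = (y_{n-1} + Z_n)^+ with y_0 = 0.

    Z_n = X_n - beta, where beta is chosen so that E(Z_n) < 0 in normal operation
    (beta is the assumed name for the paper's constant offset). Returns the
    sequence y_n and the first interval n with y_n > N (None if never)."""
    y, ys, alarm = 0.0, [], None
    for n, x in enumerate(xs):
        y = max(0.0, y + (x - beta))         # negative Z_n never accumulates
        ys.append(y)
        if alarm is None and y > threshold:  # decision function d_N(y_n) = 1
            alarm = n
    return ys, alarm


# --- constructed scenario -----------------------------------------------------
IAD: Set[str] = {f"10.0.{i // 256}.{i % 256}" for i in range(200)}  # trained addresses
NORMAL_INTERVALS, ATTACK_INTERVALS, NEW_PER_ATTACK = 20, 5, 40
KNOWN_PER_INTERVAL = 50


def traffic_for_interval(n: int) -> List[str]:
    """Sources seen in interval n: 50 addresses from the IAD plus one genuinely
    new client in every interval, and 40 extra never-seen sources during the
    attack (documentation ranges 192.0.2.0/24 and 198.51.100.0/24 are used)."""
    known = [f"10.0.{i // 256}.{i % 256}" for i in range(KNOWN_PER_INTERVAL)]
    ips = known + [f"192.0.2.{n % 256}"]
    if n >= NORMAL_INTERVALS:
        ips += [f"198.51.100.{k}" for k in range(NEW_PER_ATTACK)]
    return ips


def run_detection(beta: float = 0.05, threshold: float = 1.0) -> Tuple[Optional[int], List[float]]:
    """Feed X_n for all intervals through CUSUM; returns (alarm interval, y_n)."""
    total = NORMAL_INTERVALS + ATTACK_INTERVALS
    xs = [new_ip_fraction(traffic_for_interval(n), IAD) for n in range(total)]
    ys, alarm = cusum(xs, beta, threshold)
    return alarm, ys


if __name__ == "__main__":
    alarm, ys = run_detection()
    print("attack starts at interval", NORMAL_INTERVALS, "-> alarm at", alarm)
    print("y_n:", [round(v, 3) for v in ys])
```

In the constructed run the normal intervals keep yn at 0 (their Zn is negative), and the accumulated positive Zn of the attack intervals crosses N after three intervals, which is the detection delay the threshold trades against false alarms.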


3.2 Detection by sharing the distributed beliefs

As distributed denial of service (DDoS) attack traffic transmits across the Internet towards the victim, the victim can detect the attack easily by observing the degraded services. However, it is hard for the victim to locate the attack sources to filter the DDoS attack traffic. The key role for the intrusion detection system is to detect the DDoS attack traffic as close to the attack source as possible. As we analyzed before, the DDoS attack traffic will cause an increase of a large number of new IP addresses. However, since a transit network will only see part of the DDoS attack traffic, the number of increased new IP addresses might not be large enough to raise an alarm. As shown in Figure 2, let yl and yr be the detection variables that Intrusion Detection System (IDS) agents L and R observe, and let Nl and Nr be the detection thresholds for IDS agents L and R respectively. Then, yl < Nl and yr < Nr. Thus, each agent acting in isolation has insufficient evidence to consider the traffic to be suspicious. In order to detect this distributed denial of service attack, the two agents need to cooperate by sharing their beliefs about potentially suspicious traffic. This raises two challenges. First, we need a framework for combining different agents' beliefs about the incoming traffic. Second, we need a function that decides when to share beliefs about the incoming traffic.

Combining beliefs. It is important that our model for combining beliefs should use summary information about the traffic rather than raw measurements about each new IP address in the incoming traffic, in order to minimize the communication overhead. Without loss of generality, we consider two transit networks through which the DDoS attack passes, each with its own intrusion detection agent. It is a trivial matter to apply our model to larger numbers of agents. Let DL and DR denote the set of hosts in the left and right transit networks, respectively. Let Pn(DL) and Pn(DR) represent the percentage of new IP addresses that pass through transit networks L and R. As we analyzed in Section 3.1, the decision function is based on monitoring the percentage of new IP addresses during the designated time interval. If one IDS agent can update the percentage of new IP addresses by sharing the distributed beliefs, it can recalculate the detection variable yn using the CUSUM algorithm. Therefore, the IDS agent can make a decision by combining beliefs from other IDS agents.

The first step to realize our distributed model is to calculate the percentage of new IP addresses by sharing the distributed beliefs. Let FL and FR represent the collections of frequent IP addresses which are stored in the IP Address Database (IAD) of each network. Let ML and MR represent the collections of incoming IP addresses during the monitoring period. Thus, we have

Pn(DL) = (|ML| − |ML ∩ FL|) / |FL| and Pn(DR) = (|MR| − |MR ∩ FR|) / |FR|.

Ideally, when we combine the beliefs, the percentage of new IP addresses to the two transit networks should be

Pn(D) = (|ML ∪ MR| − |(ML ∪ MR) ∩ (FL ∪ FR)|) / |FL ∪ FR|.

However, in order to get an accurate value of Pn(D) we need raw measurements, for example ML and FL, which takes a huge communication overhead. In order to simplify the implementation of this scheme, we make the following assumptions. First, the IADs of the two transit networks have a big overlap, i.e., |FL ∩ FR| ≈ max(|FL|, |FR|). Second, ML and MR are disjoint collections. Thus, the simplified calculation is

Pn(D) = (|ML| + |MR| − |ML ∩ FL| − |MR ∩ FR|) / max(|FL|, |FR|).

Given this method for combining beliefs about the incoming traffic from different agents, we need to formulate a technique for deciding when to broadcast this information, and hence combine beliefs between agents.

Learning when to broadcast the warning message. Our aim is to find a decision function that can be used by agents to decide when they should share their beliefs. Agents should share information when there is a significant change in belief that is likely to help confirm a hypothesis. Our approach is based on the learning scheme described in [9]. We have used a decision function based on the CUSUM algorithm described in the previous sections. Recall that an agent L considers that an attack happens if Nl < yl. Our decision function should trigger a broadcast before the agent has confirmed that the incoming traffic is attack traffic. The key issue is how small this difference in likelihoods should be before we broadcast. We introduce a parameter T that represents the threshold at which we should broadcast. Thus, our decision function is:

Broadcast if Nl − yl < T.

If T is large then the agent will broadcast early, when it has seen few new IP addresses and yl is small. Conversely, if T is small, then the agent will delay broadcasting until it has seen sufficient new IP addresses to increase yl in comparison to Nl. The aim of learning is to find an optimum broadcast threshold T, so that we avoid wasting broadcasts while minimizing the detection delay. We need to adjust T in response to feedback about how our multi-agent system performs in comparison to a centralized monitoring approach.

Each time a DDoS attack occurs, we record how many new IP addresses (m) were needed before our multi-agent system detected the DDoS attack. We can also determine how many new IP addresses (s) would have been needed by a centralized system using a single agent to analyze all the incoming IP addresses. Note that m ≥ s. We refer to the difference m − s as the confirmation delay of using a distributed approach. We can also record whether an agent issued a broadcast in the course of analyzing the number of new IP addresses of the incoming traffic, with a broadcast indicator equal to 1 if a broadcast was made and 0 otherwise. In order to measure the performance of our multi-agent system, we average the confirmation delay and the broadcast indicator over a large number of DDoS attacks, giving the average confirmation delay and the average number of broadcasts over that set of attacks. Given that we want to minimize both these quantities, we define our feedback function as

f(T) = u(average confirmation delay)^2 + v(average number of broadcasts)^2,

where u and v can be any functions. In our case, we have used the identity function for u and v. For a given setting of the threshold T in our decision function, we can observe the feedback function f(T) by averaging over a set of DDoS attacks. Consequently, we can use f(T) as our objective function to optimize T. This is an example of a stochastic optimization problem, where the objective function and its gradient can only be estimated by observation. We can solve this problem using a technique known as stochastic approximation (see [14] for an overview). We use the current value Tk at the k-th iteration to estimate Tk+1 using:

Tk+1 = Tk − ak gk(Tk),

where gk(Tk) is an estimate of the gradient of the objective function f at Tk, and ak is a step size coefficient. The gradient is estimated using perturbations ck around Tk:

gk(Tk) = (f(Tk + ck) − f(Tk − ck)) / (2ck).

We choose the perturbations and step size based on a scheme by Spall [15]. Based on Spall's recommendations, we found that a global minimum was obtained using ak = 10/ k and ck = 1/ k. Using this scheme, we can learn an optimum value of T that minimizes both the communication overhead and the confirmation delay. In our test domain, we observed that there was a well-defined global minimum for T. We have used this approach in a centralized learning scheme, where each agent uses the same threshold value. It is a simple matter for agents to archive measurements of confirmed attacks, so that they can be downloaded later as training examples for learning.

In order to provide a basis for comparison with our machine learning approach, we have developed a default decision function that is based on random broadcasts. Our default decision function is to broadcast after an agent has received M new measurements relating to a hypothesis, where M is uniformly distributed, Uniform(1, Mmax).

Random broadcasts: Broadcast belief in a hypothesis each time the detection variable reaches M, where M := Uniform(0, Mmax) is reset after each broadcast. We use this decision function as a benchmark to explore the trade-off between communication overhead and confirmation delay by varying Mmax.
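The belief-combination formula and the broadcast rule Nl − yl < T from this section, run for two agents over constructed traffic and compared against an isolated agent and a centralized observer. This is an added example, not the paper's code; the agent parameters, the name `beta` for the constant offset subtracted from Xn, and the traffic are assumptions, and both IADs are taken to be identical, which satisfies the overlap assumption exactly.

```python
"""Two IDS agents (L and R) sharing summary beliefs about new source IPs.

Added example, not the paper's code. Parameters, `beta` and the traffic
below are constructed assumptions; the two IADs are identical here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Summary = Tuple[int, int, int]  # (|M|, |M ∩ F|, |F|): all an agent needs to share


def summarize(m: Set[str], f: Set[str]) -> Summary:
    return len(m), len(m & f), len(f)


def combined_fraction(*summaries: Summary) -> float:
    """Simplified P_n(D) = (sum |M_i| - sum |M_i ∩ F_i|) / max_i |F_i|.
    With one summary this is the local P_n(D_L) = (|M_L| - |M_L ∩ F_L|) / |F_L|."""
    seen = sum(s[0] for s in summaries)
    known = sum(s[1] for s in summaries)
    return (seen - known) / max(s[2] for s in summaries)


@dataclass
class Agent:
    iad: Set[str]          # F: frequent addresses from off-line training
    threshold: float       # N: CUSUM detection threshold
    beta: float            # constant offset so that Z_n < 0 in normal operation
    t_broadcast: float     # T: broadcast when N - y_n < T
    y: float = 0.0         # CUSUM statistic y_n

    def wants_to_broadcast(self) -> bool:
        return self.threshold - self.y < self.t_broadcast

    def update(self, p_n: float) -> bool:
        """One CUSUM step y_n = (y_{n-1} + (P_n - beta))^+; True if y_n > N."""
        self.y = max(0.0, self.y + (p_n - self.beta))
        return self.y > self.threshold


# --- constructed traffic: disjoint M_L, M_R; each sees 30 known + 6 new sources ---
IAD: Set[str] = {f"10.0.0.{i}" for i in range(100)}


def traffic(side: str, n: int) -> Set[str]:
    if side == "L":
        return {f"10.0.0.{i}" for i in range(30)} | {f"192.0.2.{(6 * n + k) % 256}" for k in range(6)}
    return {f"10.0.0.{i}" for i in range(50, 80)} | {f"198.51.100.{(6 * n + k) % 256}" for k in range(6)}


def simulate(share: bool, threshold: float = 0.25, beta: float = 0.04,
             t_broadcast: float = 0.16, max_intervals: int = 40
             ) -> Tuple[Dict[str, Optional[int]], Dict[str, int]]:
    """Returns the interval at which each agent confirmed the attack (None = never)
    and how many broadcasts each agent sent before both had confirmed."""
    agents = {s: Agent(IAD, threshold, beta, t_broadcast) for s in ("L", "R")}
    alarm: Dict[str, Optional[int]] = {"L": None, "R": None}
    sent = {"L": 0, "R": 0}
    for n in range(max_intervals):
        summaries = {s: summarize(traffic(s, n), agents[s].iad) for s in agents}
        # the broadcast decision uses the belief held before this interval's update
        senders = {s for s, ag in agents.items() if share and ag.wants_to_broadcast()}
        for s, ag in agents.items():
            received = [summaries[o] for o in senders if o != s]
            p_n = combined_fraction(summaries[s], *received)  # local or combined P_n
            if ag.update(p_n) and alarm[s] is None:
                alarm[s] = n
        for s in senders:
            sent[s] += 1
        if all(a is not None for a in alarm.values()):
            break
    return alarm, sent


def centralized_alarm(threshold: float = 0.25, beta: float = 0.04,
                      max_intervals: int = 40) -> Optional[int]:
    """Single agent that sees M_L ∪ M_R every interval (the paper's reference point)."""
    ag = Agent(IAD, threshold, beta, t_broadcast=0.0)
    for n in range(max_intervals):
        p_n = combined_fraction(summarize(traffic("L", n) | traffic("R", n), ag.iad))
        if ag.update(p_n):
            return n
    return None


if __name__ == "__main__":
    print("isolated agents :", simulate(share=False))
    print("sharing beliefs :", simulate(share=True))
    print("centralized     :", centralized_alarm())
```

With these constructed numbers the isolated agents each need 13 intervals, the centralized observer 4, and the sharing agents 7 with two broadcasts each; the gap between the sharing and centralized results is the confirmation delay that the learning of T trades against broadcasts.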

4 Performance Evaluation

To evaluate the efficacy of our detection scheme SIM, we created different types of DDoS attack traffic and merged them with the normal traffic. SIM was then applied to detect the attacks from the merged traffic. The normal traffic traces used in our study were collected at the University of Auckland [6] on an OC3 (155.52 Mbps) Internet access link in March 2001.

4.1 Performance of SIM

To test the detection sensitivity for DDoS attacks with different numbers of new IP addresses, we conducted the following experiment. We used the incoming traffic to the University of Auckland as the background traffic for the last-mile router detection evaluation, and the outgoing traffic from the University of Auckland as the background traffic for the first-mile router detection evaluation. As mentioned before, our detection algorithm is not affected by whether the attack traffic is bursty or constant, since the detection is based on the cumulative effect of the attack traffic. For the simplicity of the experiment design, we assume the attack traffic rate to be constant. The attack period is set to be 5 minutes, which is a commonly observed attack period in the Internet [11]. The attack traffic rate for the last-mile router is set to be 500 Kbps (see footnote 3) in order to constitute an effective bandwidth attack on medium-size victim networks, which in our case is the network of the University of Auckland. Let W represent the number of IP addresses in the attack traffic which are new to the network. The detection performance for the first- and last-mile routers using different values of W is shown in Tables 1 and 2.

As we can see from the simulation results, our detection algorithm is very robust in both the first-mile and last-mile routers. For the last-mile router, we can detect the DDoS attack with W = 18 within 81.1 seconds with 100% accuracy, and detect the DDoS attack with W = 15 within 127.3 seconds with 90% accuracy. Given that the attack traffic length is no more than 5 minutes, only attack traffic with W < 18 has the possibility of sometimes avoiding our detection. However, by forcing the attacker to use a small number of new IP addresses, we can detect the attack by observing the abrupt change in the number of packets per IP source address. For the first-mile router, we can achieve 99% detection accuracy even when there are only 2 new IP addresses in the attack traffic. This is because the background traffic for the first-mile router is very clean. Generally, there will be very few IP addresses that are new to the network, since all the valid IP packets originate from within the same network. Since the IP addresses in the IP Address Database (IAD) expire and are removed after a certain time period, the IP addresses within the subnetworks which have not been used recently will be new to the IAD. This is very similar to ingress filtering [4]. However, ingress filtering cannot detect the attack when the spoofed IP addresses are within the subnetworks. In contrast, our first-mile router detection algorithm can detect spoofed IP addresses within the subnetworks if they are new to the IAD. In our experiment we used a conservative detection interval n = 10s. If we decrease the detection interval by using more computing resources, we can reduce the detection time accordingly.

3 We set the attack traffic volume to be low in order to test the sensitivity and robustness of our scheme.
Table 1. Detection performance of first-mile router

W    Accuracy   Detection Time
2    99%        69.7s
4    100%       20.1s
6    100%       18.9s
8    100%       10s
10   100%       10s

Table 2. Detection performance of last-mile router

W    Accuracy   Detection Time
15   90%        127.3s
18   100%       81.1s
40   100%       18.9s
60   100%       10s
200  100%       10s

4.2 Performance of combining beliefs

Fig. 3. The distributed detection model: average number of broadcasts against average confirmation delay (number of new IP addresses), for random broadcasts (small to large Mmax) and optimized broadcasts, with the optimum threshold marked

Fig. 4. Convergence of the distributed detection model: broadcast threshold against iteration

We have evaluated our learning technique by testing its performance on a set of simulated distributed denial of service attacks, and comparing its performance to a default decision function that is based on random broadcasts. We measure the performance of these two approaches in terms of the average confirmation delay and the average number of broadcasts made by our multi-agent system on the set of simulated DDoS attacks. We introduce two types of costs for learning. The first cost is the cost of sharing information by broadcasting. The second cost is confirmation delay. When an attacker starts a DDoS attack, it is initially classified as normal until it has created enough new IP addresses to be classified as an attack. The same attack takes longer to detect in a multi-agent system compared to a centralized system, because each agent sees only a subset of the attack traffic. Given enough new IP addresses, the multi-agent system will reach the same conclusion as the centralized system. Hence, it is important to measure this confirmation delay.

In order to measure these two costs, we have tested our multi-agent approach on a set of known DDoS attacks, and compared its performance to our centralized approach. We have generated DDoS attacks with sufficiently large volume so that they are always detected by the centralized approach, and almost always detected by the multi-agent approach. On the rare occasions when our multi-agent approach is unable to detect the DDoS attack in the given number of new IP addresses, the cost of misclassification is reflected by setting the confirmation delay to the total length of the DDoS attack. We have based our simulated DDoS attacks on the Auckland traces. In the data traces, all the IP addresses have been mapped into 10.*.*.* using a one-to-one hash mapping for privacy. Let IP prefix 10.1.*.* represent transit network L and IP prefix 10.2.*.* represent transit network R. All the traffic with destination IP address 10.1.*.* and 10.2.*.* is analyzed by intrusion detection agents L and R respectively. Each agent monitors the percentage of new IP addresses and calculates the CUSUM variable yn to decide whether it is an attack. If any evidence has been broadcast from the other agent, then it is included in this evaluation. The agent also uses its decision function to determine if it should share its beliefs with the other agent. Once an agent has confirmed that the traffic is attack traffic, we record the total number of new IP addresses that were generated by the DDoS attack before it was detected, as well as the number of broadcasts received by the agent before it reached its conclusion. We also determined the number of new IP addresses that would have been required by a centralized agent in order to confirm that a DDoS attack is happening. The difference between the number of new IP addresses needed by the multi-agent system and the centralized system represents the confirmation delay of using a distributed approach.

We used this procedure to evaluate our optimized and default decision functions in terms of the number of broadcasts needed and the confirmation delay. For the optimized decision function, our feedback function f(T) was averaged over 1000 trials, where each trial is defined as a new simulated DDoS attack with a random assignment of attack traffic volume. It was necessary to average over a large number of trials in order to eliminate random variations in individual DDoS attacks. For the default decision function using random broadcasts, we tried 17 different settings of Mmax from 0.01 to 0.05. At each setting, we averaged the results over 1000 random trials. The results are shown in Figure 3. Each point in the graph corresponds to the average of 1000 trials using the indicated decision function. The 95% confidence intervals for these averages are shown at each point. Note that there are separate confidence intervals for the average number of broadcasts and the average confirmation delay, since these are both dependent variables of the given settings of the decision function. The results using random broadcasts form a curve, with small values of Mmax on the left, and large values on the right. If an optimized decision function is to be considered acceptable, it should fall below the envelope formed by the random broadcasts.


Our learning technique found an optimum value of T = 0.03, which resulted in an average of 1.1 broadcasts per agent and an average conrmation delay of 20 new IP addresses. The optimization converged after 10 iterations, as shown in Figure 4. Figure 3 shows the trajectory of successive Tk values moving from right to left, with the results for the optimum value of Tk indicated. Note that all the values of Tk performed better than the random broadcasts. In summary, our results demonstrate that we can learn a decision function for when to share beliefs without requiring any prior knowledge of the domain. Furthermore, we can learn a decision function that outperforms a default decision function based on random broadcast periods.

5 Related Work

Gil proposes a scheme called MULTOPS [5] to detect DoS attacks by monitoring the packet rate in both the up and down links. However, MULTOPS assumes that packet rates between two hosts are proportional and that the IP addresses are not spoofed. Wang et al. [16] developed a scheme to detect SYN flood attacks by observing the ratio of SYN packets to FIN packets. However, the attacker can bypass the detection by sending SYN and FIN packets together. Distributed intrusion detection has been studied in a number of systems. Krugel et al. [8] have developed a system for distributed pattern detection, and analyzed its throughput and bandwidth requirements. In contrast to our probabilistic approach, they use constraint-based correlation. Consequently, they do not model uncertain beliefs.

6 Conclusion

In this paper we proposed a multi-agent scheme to detect distributed denial of service attacks by monitoring the increase of new IP addresses. We have also presented a machine learning scheme to optimize the communication between the agents while sharing the distributed beliefs. We demonstrated the efficiency and robustness of this scheme by using trace-driven simulations. The experimental results on the Auckland traces show that we can detect DDoS attacks with 100% accuracy using as few as 18 new IP addresses in the last-mile router, and DDoS attacks using as few as 2 new IP addresses in the first-mile router. Our online detection algorithm is fast and has a very low computing overhead. Furthermore, our first-mile router SIM has the advantage over ingress filtering [4] that it can detect attack traffic with spoofed source IP addresses within the subnetworks. We have evaluated our learning technique using extensive simulations of DDoS attacks based on packet trace data from a real network. This evaluation demonstrated that we can reduce both the delay and the communication overhead required to detect network intrusions, in comparison to a default decision function that relies on arbitrarily chosen broadcast periods.


Acknowledgement
We thank the Waikato Applied Network Dynamics Research Group for their data traces. This work was supported by the Australia Research Council.

References
1. M. Basseville and I. V. Nikiforov. Detection of Abrupt Changes: Theory and Application. Prentice Hall, 1993.
2. B. E. Brodsky and B. S. Darkhovsky. Nonparametric Methods in Change-point Problems. Kluwer Academic Publishers, 1993.
3. Anirban Chakrabarti and G. Manimaran. Internet infrastructure security: A taxonomy. IEEE Network, 16:13–21, 2002.
4. P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2267, IETF, January 1998.
5. Thomer M. Gil and Massimiliano Poletto. MULTOPS: a data-structure for bandwidth attack detection. In Proceedings of the 10th USENIX Security Symposium, 2001.
6. Waikato Applied Network Dynamics Research Group. Auckland university data traces. http://wand.cs.waikato.ac.nz/wand/wits/.
7. Jaeyeon Jung, Balachander Krishnamurthy, and Michael Rabinovich. Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites. In Proceedings of the 11th World Wide Web Conference, Honolulu, Hawaii, USA, May 7–11, 2002.
8. C. Krugel and T. Toth. Distributed pattern detection for intrusion detection. In Proceedings of the Network and Distributed System Security Symposium, 2002.
9. C. Leckie and R. Kotagiri. Learning to share distributed probabilistic beliefs. In Proceedings of the Nineteenth International Conference on Machine Learning (ICML-2002), Sydney, Australia, July 2002.
10. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. Controlling high bandwidth aggregates in the network. Technical report, AT&T Center for Internet Research at ICSI (ACIRI) and AT&T Labs Research, February 2001.
11. David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet denial-of-service activity. In Proceedings of the USENIX Security Symposium, pages 9–22, August 2001.
12. Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao. Detecting distributed denial of service attacks using source IP address monitoring. Draft, November 2002.
13. Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao. Prevention from distributed denial of service attacks using history-based IP filtering. In Proceedings of ICC 2003 (to appear), Anchorage, Alaska, USA, August 2003.
14. J. S. Rustagi. Optimization Techniques in Statistics. Academic Press, Boston, 1994.
15. J. C. Spall. Implementation of the simultaneous perturbation algorithm for stochastic optimization. IEEE Transactions on Aerospace and Electronic Systems, 34:817–823, 1998.
16. Haining Wang, Danlu Zhang, and Kang G. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM 2002, June 2002.
