Danger theory based SYN flood attack detection in autonomic network

Abstract

In the context of autonomic environment, we present a simple yet, effective Danger Theory based method to detect TCP SYN Flooding attack. An autonomous communication network consists of self-managed (i.e. self-configuring, self-awareness, self-optimization, self-healing and self-protection, collectively denoted as self-*) entities. These self-* properties ensure functioning of the network without or very minimum human intervention. In such an environment, security of the system is very challenging as there is no dedicated authority to monitor malicious activities and each entity, the computing device, has to monitor itself. Denial of service (DoS) attack, in particular flooding attack, is one of the most frequent and devastating attacks on networks. Traditionally, the detection of flooding attacks is achieved by a network-based intrusion detection system (IDS), mainly relying on the statistical characteristics of network data with fine tuning from a human administrator by monitoring the traffic continuously. Obviously, such facility is not assumed in autonomic networks. We, therefore, propose a danger theory based approach that can detect DoS attack in an automatic manner. The proposed scheme is able to detect SYN flood attack in its early stage, thereby enabling to control the damage. To empirically validate our proposal, we conduct experiments in a simulated environment and the results are encouraging. We assert that the work will be useful in designing the security of autonomic networks.