Abstract

In this paper, an attack detection method based on the correlation of change points is proposed. It calculates the CUSUM cumulative value of several message type variables and applies correlation analysis based on the change points to set a reasonable threshold, in order to detect multiple types of flooding attacks and to evaluate the performance of the anomaly detection system.

Introduction

With the widespread use of change point detection algorithms in speech processing, image processing, automatic analysis of biological signals, digital signal transmission systems, security system detection and other fields, more and more researchers are applying change point theory to security systems. The idea of change point theory is to first describe a statistical model of the information system, and then to detect a sudden change in the model, caused by an attack or an error, which occurs at an unknown time. There are two kinds of change point detection methods: fixed-size batch detection and sequential change point detection. Because the VoIP system is time sensitive, sequential change point detection is mainly used. When a change happens, it can be detected rapidly while the false alarm rate is kept at a given level. There are two kinds of sequential change point algorithms: CUSUM (cumulative sum) detection and the Shiryaev-Pollak detection procedure. Because of its robustness, low cost and easy implementation, the CUSUM algorithm is widely used in intrusion detection.
The CUSUM algorithm is also used in the detection process in this paper. The fast sequential change point method has two performance indexes, optimization and equalization, that is, the average detection delay and the false alarm rate. In a change point detection algorithm, the false alarm rate is determined in order to solve the optimization problem so that the average detection delay is minimized. There are two traditional methods for solving optimal equilibrium problems: the minimax method and the worst case delay.

Since the complete call setup is realized by a three-way handshake, the variables (SYN, FIN) and (INVITE, 200 OK) messages only take the dialogue process into account, not the process of establishing the task. The INVITE task is not completed until the ACK message is received, hence the ACK message must be considered. A common parametric distribution cannot describe the changing law of the SIP message flow. The performance metrics must be considered comprehensively, from every aspect. We must fully protect the VoIP network from DoS flooding attacks on the proxy server, user agent, and registered proxy server.

International Conference on Computational Science and Engineering (ICCSE 2015). © 2015. The authors. Published by Atlantis Press.

Improved detection algorithm

Traditional change point algorithm

Change point technology is realized by CUSUM technology. Traditional change point technology is described as follows. At fixed time intervals t1, t2, ..., tN, the observation sequence of the detection system is N1, N2, ..., Nn. Attack activity at time point tK will cause a change in the statistical data of the flow parameters. Assume that the average value of the change point is μk, and the average value is Xk. The CUSUM value Sk is shown in formula (1):

} , 0 max{ 1 K K K K K X N S S         (1)

Nk is an adjustable parameter whose value is between (0, 1), and Xk is the upper bound of the value.
The choice of a parameter affects the performance of the algorithm; the false alarm rate is increased if it’s too big or too small. A value can be set to a constant by experiment and can be calculated by formula (2).
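Per-message-type CUSUM change point detection over SIP traffic, as an added example that is not taken from the paper. It assumes the textbook one-sided recursion S_k = max(0, S_{k-1} + (N_k - mu)/mu - slack), which may differ from the paper's formula (1); the function names, the slack and threshold values, and the traffic counts are all constructed for illustration.

```python
# Added example: textbook one-sided CUSUM, not the paper's formula (1).
# Function names, parameter values and traffic counts are constructed.

def cusum(counts, baseline_len=10, slack=0.2, threshold=1.0):
    """Return (trace of S_k, index of first interval with S_k > threshold or None)."""
    # Mean of the first intervals, assumed to be attack-free traffic.
    mu = sum(counts[:baseline_len]) / baseline_len
    if mu <= 0:
        raise ValueError("baseline mean must be positive")
    s, trace, alarm = 0.0, [], None
    for k, n_k in enumerate(counts):
        # Normalised excess over the baseline, minus a slack term, so S_k
        # falls back to 0 under normal traffic and grows on sustained excess.
        s = max(0.0, s + (n_k - mu) / mu - slack)
        trace.append(s)
        if alarm is None and s > threshold:
            alarm = k
    return trace, alarm

def change_points(series, **params):
    """Run CUSUM per message type; map message type -> first alarm interval."""
    return {name: cusum(counts, **params)[1] for name, counts in series.items()}

# Constructed per-interval SIP message counts: an INVITE flood begins at
# interval 12, while completed handshakes (200 OK, ACK) stay at baseline.
SIP_COUNTS = {
    "INVITE": [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
               101, 99, 180, 260, 310, 305, 298, 312, 300, 307],
    "200 OK": [95, 98, 93, 96, 94, 97, 94, 96, 95, 92,
               96, 94, 97, 95, 93, 96, 94, 95, 97, 94],
    "ACK":    [94, 97, 92, 95, 93, 96, 93, 95, 94, 91,
               95, 93, 96, 94, 92, 95, 93, 94, 96, 93],
}

if __name__ == "__main__":
    for name, k in change_points(SIP_COUNTS).items():
        print(f"{name:7s} first alarm interval: {k}")
```

Only the INVITE series raises an alarm, one interval after the constructed flood begins; which message types change together and which do not is the kind of input a change point correlation step works from.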
