Abstract-- We investigate statistical anomaly detection algorithms for detecting SYN flooding, which is the most common type of Denial of Service (DoS) attack. The two algorithms considered are an adaptive threshold algorithm and a particular application of the cumulative sum (CUSUM) algorithm for change point detection. The performance is investigated in terms of the detection probability, the false alarm ratio, and the detection delay. Particular emphasis is on investigating the tradeoffs among these metrics and how they are affected by the parameters of the algorithm and the characteristics of the attacks. Such an investigation can provide guidelines to effectively tune the parameters of the detection algorithm to achieve specific performance requirements.
Vasilios A. Siris, Fotini Papagalou