Network Intrusion Detection for Distributed Denial of Service and Distributed Scanning

Student: Chang-Han Jong
Advisor: Dr. Shiuh-Pyng Shieh
Department of Computer Science and Information Engineering, National Chiao Tung University

Abstract

In this thesis, we analyze two kinds of network attacks, distributed denial of service (DDoS) and distributed scanning (DS), and then propose a network intrusion detection scheme. The scheme focuses on monitoring the variance of the packet fields. The sets of anomalous packet fields are attack signatures, which can be used to identify the attack types. In the process of analyzing packet field variation, the suspected packets can be logged for forensics. We also discuss the design principles of the function that presents the traffic characteristics, and two techniques based on probability and hash functions to improve throughput. We implement a prototype of the proposed scheme, and the experiments showed that the prototype successfully detects dozens of DDoS/DS attack types without predefined network attack patterns.

List of Contents

Chapter 1 Introduction
1.1 Background
1.1.1 Intrusion Scenario
1.1.2 Intrusion Detection
1.2 Motivations
1.3 Contribution
1.4 Synopsis
Chapter 2 Related Work
2.1 Intrusion Detection
2.2 grids
2.3 Packet Aggregation
2.4 Detecting Anomaly Traffic by Entropy
2.5 Detecting Anomaly by Variance of Traffic Quantity
2.6 Chapter Summary
Chapter 3 Analysis of DDoS/DS Attacks
3.1 Distributed Denial of Service
3.2 Distributed Scanning
3.3 Attack Programs
3.4 Chapter Summary
Chapter 4 Proposed Scheme
4.1 Overview
4.2 Stage 1: Packet Classification
4.3 Stage 2: Traffic Dispersion Function
4.3.1 Preliminary
4.3.2 Properties of Traffic Dispersion Function
4.3.3 Theorem 1
4.3.4 Proposed Traffic Dispersion Function
4.4 Stage 3: Variance-based Anomaly Detection
4.5 Chapter Summary
Chapter 5 Prototype and Discussion
5.1 Prototype and Experiments
5.2 Anomaly Distribution of Packet Fields
5.3 Advantages
5.4 Disadvantages
5.5 Comparison
5.6 Chapter Summary
Chapter 6 Conclusion
References
Appendix TCP/IP Fields

List of Figures

Figure 1-1 Intrusion Scenario
Figure 4-1 Overview of the Proposed Scheme
Figure 4-2 Attack Signature
Figure 4-3 Attack Path Identification
Figure 4-4 Architecture
Figure 4-5 Example of the Proposed Scheme Flow
Figure 4-6 Digest of the Packet
Figure 5-1 Prototype
Figure 5-2 Data Structure of the Prototype

List of Tables

Table 3-1 Common DDoS Tools, by Vicki Irwin
Table 3-2 Web TCP Chargen Attack
Table 3-3 Scanning an Open Port 79 via HTTP Proxy
Table 3-4 Scanning a Non-open Port 81 via HTTP Proxy
Table 3-5 Fixed Value Field in Attack Program
Table 3-6 Random Value Field in Attack Program
Table 3-7 Certain-function-made Field in Attack Program
Table 4-1 The Flow of the Proposed Scheme
Table 4-2 Result of Stage 1
Table 4-3 Algorithm of Mapping
Table 4-4 Algorithm of Packet Digest
Table 4-5 Algorithm of Classification
Table 4-6 Algorithm for Probability-based Merging
Table 4-7 Algorithm for Hash-based Merging
Table 4-8 Notation
Table 4-9 Assumption
Table 4-10 Aggregative
Table 4-11 Insensitive
Table 4-12 Over-Coverage
Table 4-13 Theorem 1: Aggregative
Table 4-14 Theorem 1: Insensitive
Table 4-15 Theorem 1: Over-Coverage
Table 4-16 Proposed Traffic Dispersion Function
Table 4-17 Algorithm of Variance-based Anomaly Detection
Table 4-18 Algorithm of Cooperative Response
Table 5-1 Sample Attack Parameters

Chapter 1 Introduction

Computer and network security are important issues in today's e-business world. The security officer often uses filter technology to make the computer systems or network obey the security policy. Filter technology, in the realm of networks, is the firewall. Even with the filter technology, we have no idea whether the filter works as we think or whether the filter is well configured.

The intrusion detection scheme is then used to verify the security policy [Bace00]. It detects the malicious behavior of the computer systems or the networks. Network anomaly detection is one kind of intrusion detection. It reports a network anomaly if the current behavior of the network traffic is far from the historical behavior recorded in the profiles.

With the advance of network attacks, distributed denial of service (DDoS) and distributed scanning (DS), performed by multiple hosts, have become among the most serious problems in computer and network security because of the difficulties in detecting and tracing them. Therefore, in this thesis, we discuss the detection issues of distributed denial of service and distributed scanning.