time series models and its relevance to modeling tcp syn
play

Time Series Models and its Relevance to Modeling TCP SYN based DoS - PDF document

Mar 05, 2024 •166 likes •363 views

Time Series Models and its Relevance to Modeling TCP SYN based DoS attacks Cyriac James, Hema A. Murthy Department of Computer Science & Engineering Indian Institute of Technology Madras, India June 23, 2011 Cyriac James, Hema A. Murthy

  1. Time Series Models and its Relevance to Modeling TCP SYN based DoS attacks Cyriac James, Hema A. Murthy Department of Computer Science & Engineering Indian Institute of Technology Madras, India June 23, 2011 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 1 / 35 Background: TCP SYN Attack A common DoS attack: TCP SYN Attack Limited backlog queue ( sysctl − a | grep ipv 4 .tcp max syn backlog ) Figure: SYN Attack Time out: 3, 6, 12, 24 and 48 seconds 1 1 V. Paxson and M. Allman, “RFC 2988 - Computing TCPs Retransmission Timer,” http://www.ietf.org/rfc/rfc2988.txt, Nov. 2000 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 2 / 35

  2. Outline Related Work Motivation for the Work Network Trace Representing Network Traffic as a Discrete Time Signal Time Series Models Analysis and Results Conclusion Cyriac James, Hema A. Murthy (IITM) June 23, 2011 3 / 35 Related Work Popular statistical work based on CUSUM algorithm by H. Wang et al - for the edge routers SYN - FIN 1 SYN - SYN/ACK 2 Drawbacks Series assumed to be i.i.d Traffic burstiness and non-stationarity: Local-Area Network 3 and Wide-Area Network 4 1 H. Wang, D. Zhang, and K. G. Shin, “Detecting syn flooding attacks,“ Proceedings of the IEEE INFOCOM, 2002 2 H. Wang, D. Zhang, and K. Shin, ”Syn-dog: Sniffing syn flooding sources,” ICDCS, 2002 3 W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, “On the self-similar nature of ethernet traffic,” in IEEE/ACM Transactions on Networking, 1994 4 V. Paxson and S. Floyd, “Wide-Area Traffic: The Failure of Poisson Modeling,“ in IEEE/ACM Transactions on Networking, 1995 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 4 / 35

  3. Related Work Later, there were quite a few work based on Box-Jenkins Time Series Models - solution at the victim server Modeling the outstanding TCP requests 1 Modeling the service rate 2 Based on modeling the flow level features 3 Modeling the web traffic 4 1 D. M. Divakaran, H. A. Murthy, and T. A. Gonsalves, ”Detection of SYN flooding attacks using linear prediction analysis,“ ICON, 2006 2 G. Zhang, S. Jiang, G. Wei, and Q. Guan, ”A prediction-based detection algorithm against distributed denial-of-service attacks,“ in Proceedings of IWCMC, 2009 3 J. Cheng, J. Yin, C. Wu, B. Zhang, and Y. Liu, ”DDoS attack detection method based on linear prediction model,“ in ICIC, 2009 4 W. U. Qing-tao and S. Zhi-qing, ”Detecting DD O S attacks against web server using time series analysis,“ Wuhan Univesity Journal of Natural Sciences, vol. 11, no. 1, pp. 175-180, 2006 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 5 / 35 Motivation for the Work Some of the major drawbacks of these work are: Assumptions of time invariance and stability of the process Window sizes of the order of seconds or lesser Can we have a model valid for a longer period? Lacks description on: Model identification Model validation Relevance of linear time series models? Cyriac James, Hema A. Murthy (IITM) June 23, 2011 6 / 35

  4. Network Trace Figure: Tenet Network Architecture Traces collected at the edge router using tcpdump Feature: SYN - SYN/ACK, also called half-open count Sampling Interval: 10 seconds Data Set-1: 26 th July 2010 to 30 th July 2010 Data Set-2: 23 rd August 2010 to 27 th August 2010 Data Set-3: 20 th September 2010 to 24 th September 2010 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 7 / 35 Representing Network Traffic as a Discrete Time Signal Representing Network Traffic as a Discrete Time Signal Cyriac James, Hema A. Murthy (IITM) June 23, 2011 8 / 35

  5. Representing Network Traffic as a Discrete Time Signal Discrete Time Signal Discrete Signal 18 16 14 12 Amplitude 10 8 6 4 2 0 2 4 6 8 10 12 14 16 18 20 Time Figure: Network Signal No access to input signals Consider the series as a sequence of impulse responses µ t , for time t ≥ 0 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 9 / 35 Representing Network Traffic as a Discrete Time Signal Stability of the System For a linear system, Total Response = Zero-State Response + Zero-Input Response 1 External Stability: Zero-State Response Internal Stability: Zero-Input Response Internal Stability ⇒ External Stability 1 For internal stability, Impulse response must die-off ∞ � | µ j | < ∞ (1) j =0 µ j : Impulse response at j th time lag 1B. P . Lathi. “Principles of Linear Systems and Signals”, Oxford University Press, 2009 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 10 / 35

  6. Time Series Models Box-Jenkins Time Series Models Cyriac James, Hema A. Murthy (IITM) June 23, 2011 11 / 35 Time Series Models Time Series Models Idea from the observations of Yule 1 x t = a t + α 1 a t − 1 + α 2 a t − 2 + ... (2) x t : Output Signal at time t a t , a t − 1 , ... : Random shocks or white noise process α 1 , α 2 ... : Model coefficients Also called Linear Filter Model Stationarity: First and Second order moments finite and independent of time 2 LTI and Stability ⇔ Stationarity Can be used to build models for prediction 1G. U. Yule, “On a method of investigating periodicities in distributed series, with special reference to Wolfer’s sunspot numbers”, Philos. Trans. Roy. Soc. A226, 267-298, 1927 2G. E. P . Box, G. M. Jenkins, and G. C. Reinsel. “Time Series Analysis: Forecasting and Control”, Pearson Education, 1994 Cyriac James, Hema A. Murthy (IITM) June 23, 2011 12 / 35

  7. Time Series Models Auto-Regressive(AR) Model An AR model can be written as x t = α 1 x t − 1 + α 2 x t − 2 + .... + α p x t − p + a t (3) x t , x t − 1 , ... : Output values α 1 , α 2 , ... : Model coefficients, where p is the model order a t : Random shock at time t Can be written as an infinite series of random shocks Consider an AR(2) model: x t = α 1 x t − 1 + α 2 x t − 2 + a t (4) x t − 1 = α 1 x t − 2 + α 2 x t − 3 + a t − 1 (5) x t − 2 = α 1 x t − 3 + α 2 x t − 4 + a t − 2 (6) . . . x t = a t + ψ 1 a t − 1 + ψ 2 a t − 2 + ..... (7) Cyriac James, Hema A. Murthy (IITM) June 23, 2011 13 / 35 Time Series Models Auto-Regressive(AR) Model Computing ACF: E ( x t x t − k ) = E ( a t x t − k + ψ 1 a t − 1 x t − k + ψ 2 a t − 2 x t − k + ..... ) (8) γ k = E ( x t − k a t − 1 ) + ψ 1 E ( x t − k a t − 1 ) + ψ 2 E ( x t − k a t − 2 ) + .... (9) where γ K is the autocovariance. Above equation can be generalised into: ∞ γ k = σ 2 � ψ j ψ j + k (10) a j =0 σ 2 a : Variance of a t with mean zero In terms of the impulse response (ACF), it becomes σ 2 � ∞ j =0 ψ j ψ j + k a ρ k = (11) γ 0 Hence, an AR process is an infinite impulse response system For stability ⇒ � ∞ j =0 | ψ j | < ∞ Cyriac James, Hema A. Murthy (IITM) June 23, 2011 14 / 35

  8. Time Series Models Auto-Regressive(AR) Model Multiply with x t − k on Equation (4) and take expectation on both sides: γ k = α 1 γ k − 1 + α 2 γ k − 2 (12) Dividing by γ 0 , (12) becomes: ρ k = α 1 ρ k − 1 + α 2 ρ k − 2 (13) ρ k − α 1 ρ k − 1 − α 2 ρ k − 2 = 0 (14) Characteristic equation: λ 2 − α 1 λ − α 2 = 0 (15) The general solution is of the form: ρ k = C 1 ( λ 1 ) k + C 2 ( λ 2 ) k (16) λ 1 , λ 2 : Roots (if distinct) C 1 and C 2 : Arbitary constants For Stability ⇒ | λ 1 | < 1 and | λ 2 | < 1 Yule-Walker Equation - Estimating model coefficients Cyriac James, Hema A. Murthy (IITM) June 23, 2011 15 / 35 Time Series Models Moving Average(MA) Model An MA model can be written as x t = a t − ψ 1 a t − 1 − ψ 2 a t − 2 − ... − ψ 2 a t − q (17) x t : Output Signal at time t a t , a t − 1 , ... : Random shocks or white noise process ψ 1 , ψ 2 ..., ψ q : Model coefficients, where q is the model order Finite linear filter model Can be written as an infinite series of past values Consider an MA model of order 1 x t = a t − ψ 1 a t − 1 (18) Cyriac James, Hema A. Murthy (IITM) June 23, 2011 16 / 35

  9. Time Series Models Moving Average(MA) Model Multiply with x t − k on equation (18) and take expectation on both sides, γ k = E ( a t x t − k − ψ 1 a t − 1 x t − k ) γ 0 = E ( a t x t − ψ 1 a t − 1 x t ) (19) γ 0 = E ( a t ( a t − ψ 1 a t − 1 ) − ψ 1 a t − 1 ( a t − ψ 1 a t − 1 ) (20) γ 0 = σ 2 a + ψ 2 1 σ 2 (21) a γ 1 = − ψ 1 σ 2 (22) a γ 2 = 0 (23) γ k = 0 for all values of k > 1 Hence, an MA process is a finite impulse response system Time invariant MA process is always stationary Cyriac James, Hema A. Murthy (IITM) June 23, 2011 17 / 35 Time Series Models Duality Property: For Model Identification For an AR(p) process, ACF converges slowly, but PACF cut-off after lag p For an MA(q) process, PACF converges slowly, but ACF cut-off after lag q Cyriac James, Hema A. Murthy (IITM) June 23, 2011 18 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modeling time series with hidden Markov models Advanced Machine learning 2017 Nadia Figueroa,

Modeling time series with hidden Markov models Advanced Machine learning 2017 Nadia Figueroa,

Modeling time series with hidden Markov models Advanced Machine learning 2017 Nadia Figueroa, Jose Medina and Aude Billard Time series data Barometric pressure Temperature Data Humidity Time Whats going on here? Modeling time series

664 views • 54 slides
Table of contents Inference of high-dimensional VAR models Linear time series 1 Basics

Table of contents Inference of high-dimensional VAR models Linear time series 1 Basics

Linear time series Structural analysis with VAR models Estimation of VAR models Numerical examples Table of contents Inference of high-dimensional VAR models Linear time series 1 Basics Univariate time series Seminar: Multivariate time

222 views • 5 slides
Section 1 Time Series Modeling 1 / 37 Time Series Modeling ST 810-006 Statistics and Financial

Section 1 Time Series Modeling 1 / 37 Time Series Modeling ST 810-006 Statistics and Financial

ST 810-006 Statistics and Financial Risk Section 1 Time Series Modeling 1 / 37 Time Series Modeling ST 810-006 Statistics and Financial Risk Time Domain Approach The time domain approach to modeling a time series { Y t } focuses on the

789 views • 39 slides
Introduction to time series and stationarity F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON

Introduction to time series and stationarity F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON

Introduction to time series and stationarity F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton Climate informatics researcher Motivation Time series are everywhere Science T echnology Business Finance Policy FORECASTING

693 views • 38 slides
1 Inference and estimation in probabilistic time series models David Barber, A. Taylan Cemgil

1 Inference and estimation in probabilistic time series models David Barber, A. Taylan Cemgil

1 Inference and estimation in probabilistic time series models David Barber, A. Taylan Cemgil and Silvia Chiappa 1.1 Time series The term time series refers to data that can be represented as a sequence. This includes for example

323 views • 31 slides
Time Domain Models Box &amp; Jenkins popularized an approach to time series analysis based on

Time Domain Models Box &amp; Jenkins popularized an approach to time series analysis based on

Time Domain Models Box &amp; Jenkins popularized an approach to time series analysis based on Auto-Regressive Integrated Moving Average (ARIMA) models. 1 Autoregressive Models Autoregressive model of order p (AR( p )): x t =

212 views • 18 slides
Modeling and inferring epidemic dynamics from: viral phylogenies and inference time series

Modeling and inferring epidemic dynamics from: viral phylogenies and inference time series

Introduction Main purposes Modeling epidemics Results Bibliography Modeling and inferring epidemic dynamics from: viral phylogenies and inference time series Miraine Dvila Felipe Supervisors: Amaury Lambert and Bernard Cazelles LPMA -

425 views • 30 slides
Welcome to the Course! ARIMA Modeling with R About Me Professor of Statistics

Welcome to the Course! ARIMA Modeling with R About Me Professor of Statistics

ARIMA MODELING WITH R Welcome to the Course! ARIMA Modeling with R About Me Professor of Statistics Co-author of two texts on time series astsa- package ARIMA Modeling with R Time series are everywhere!

421 views • 28 slides
Time Series Modeling Shouvik Mani April 5, 2018 15-388/688: Practical Data Science Carnegie

Time Series Modeling Shouvik Mani April 5, 2018 15-388/688: Practical Data Science Carnegie

Time Series Modeling Shouvik Mani April 5, 2018 15-388/688: Practical Data Science Carnegie Mellon University Goals After this lecture, you will be able to: Explain key properties of time series data Describe, measure, and remove trend

789 views • 46 slides
Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

R and Time Series Data Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting Yanchang Zhao Time Series Clustering Time Series RDataMining.com Classification http://www.rdatamining.com/ R Functions

1.91k views • 42 slides
Modeling Relevance Gain Evaluation, session 4 CS6200: Information Retrieval Expected Relevance

Modeling Relevance Gain Evaluation, session 4 CS6200: Information Retrieval Expected Relevance

Modeling Relevance Gain Evaluation, session 4 CS6200: Information Retrieval Expected Relevance Gain All of the measures weve seen so far can be expressed in a different way, Let P ( i ) := prob. user reads doc i based on a user model. r )

209 views • 9 slides
Fitting time series models F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton

Fitting time series models F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton

Fitting time series models F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton Climate informatics researcher Creating a model from statsmodels.tsa.arima_model import ARMA model = ARMA(timeseries, order=(p,q)) FORECASTING USING

863 views • 43 slides
Seasonal time series F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton Climate

Seasonal time series F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton Climate

Seasonal time series F ORECAS TIN G US IN G ARIMA MODELS IN P YTH ON James Fulton Climate informatics researcher Seasonal data Has predictable and repeated patterns Repeats after any amount of time FORECASTING USING ARIMA MODELS IN PYTHON

539 views • 50 slides
Outline 1 What are Graphical Models? Infering Graphical Models from Time Series Graph Theory 2

Outline 1 What are Graphical Models? Infering Graphical Models from Time Series Graph Theory 2

Outline Outline Outline 1 What are Graphical Models? Infering Graphical Models from Time Series Graph Theory 2 Modelling, Simulating, and Inference of Complex Biological Graphs and Digraphs Systems Dags 3 Probability Theory Speaker:

359 views • 7 slides
Time-series-based Ensemble Modeling for Bio-Medical Applications Maciej Ogorzaek 1 , 2 in

Time-series-based Ensemble Modeling for Bio-Medical Applications Maciej Ogorzaek 1 , 2 in

Time-series-based Ensemble Modeling for Bio-Medical Applications Maciej Ogorzaek 1 , 2 in collaboration with: Christian Merkwirth, Grzegorz Surowka, Leszek Nowak, Katarzyna Grzesiak-Kopec 1 Joerg Wichard 3 1 Department of Information

901 views • 74 slides
Introduction to Time Series Data and Analysis Simon Taylor Department of Mathematics and

Introduction to Time Series Data and Analysis Simon Taylor Department of Mathematics and

Introduction to Time Series Data and Analysis Simon Taylor Department of Mathematics and Statistics 20 April 2016 Contents What is Time Series Data? Analysis Tools Trace Plot Auto-Correlation Function Spectrum Time Series Models Moving

876 views • 18 slides
Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also

Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also

Presented by Jason A. Donenfeld February 28, 2017 Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 , no academic affiliation. Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, though quite a bit of

432 views • 31 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks Hormuzd Khosravi Shashidhar Lakkavalli Lily Yang 60 th IETF Meeting, San Diego 1 Problem Statement Requirements RFC 3654 Protection against

629 views • 7 slides
Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman

Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman

Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka Nikander and Brje Ohlman Ericsson Research Presentation outline Motivation Background Secure i 3 Hi 3 Summary 2 Hi 3 motivation Question: How to get

457 views • 21 slides
Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of Transportation Presented by: Tony Wysocki | Program Director, Surface Transportation Audits Mike Masoudian | Project Manager, Surface Transportation Audits

800 views • 44 slides
RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing

RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing

RAD Presentation Lafayette, LA June 21, 2015 Rental Assistance Demonstration Public Housing Inventory ~ 1.15 million units across 3,100+ PHAs; 16,000+/- projects Capital repair needs in excess of $25.6B across portfolio ($23,365/unit)

674 views • 44 slides
John Milton Washington DOT Experience Launching an Enterprise Risk Management Program Lessons

John Milton Washington DOT Experience Launching an Enterprise Risk Management Program Lessons

Launching an ERM John Milton Washington DOT Experience Launching an Enterprise Risk Management Program Lessons learned Lynn Peterson Risk and Asset Management Peer Exchange John Milton, Ph.D. PE Director - Quality Assurance and Secretary

1.03k views • 24 slides
TRaX programming examples Using global memory Non-recursive tree traversal TRaX programming

TRaX programming examples Using global memory Non-recursive tree traversal TRaX programming

TRaX programming examples Using global memory Non-recursive tree traversal TRaX programming recap Local memory (private to every thread) Handled by compiler (stack space) You will never need to explicitly deal with it Global

656 views • 44 slides

More recommend