An adaptive detection method is proposed to detect SYN flooding attacks at source-end networks' This method can adjust itself to the frequent changes of network conditions. Key features of its design include: (1) creating a detection statistic based on the protocol behavior of TCP SYN-SYN/ACK pairs; (2) forming on-line estimations of the statistical characters of the detection statistic; (3) adjusting its detection threshold according to the variations of network traffic and the latest detection result; (4) decreasing disturbance of random abnormalities in the normal network traffic by consecutive cumulation of threshold violations. Performance analysis and simulation results show the minimum attack traffic that can be detected is about 30% of the legitimate traffic, under the requirements that the probability of false alarms be less than 10(-6), the probability of a miss during an attack be less than 10(-2) and the detection delay be within 7 sampling periods.

• 出版日期2008-1
• 单位西安电子科技大学