Usenix Security Symposium

Detection of Denial-of-QoS Attacks Based On Statistics And EWMA Control Charts

Vinay A. Mahadik, Xiaoyong Wu and Douglas S. Reeves

In this paper, we describe a method of detecting denial of Quality of Service attacks on DiffServ networks. Our approach focuses on real-time and quick detection, scalability to large networks, and a negligible false alarm generation rate. Sensors sample QoS parameters like bit rate, packet dropping rate, and jitter of specific Virtual Leased Line (VLL) flows at predefined strategic points in their paths. We detect anomalies in sampled network flow statistics using the EWMA Control Chart test for the highly stationary measures, and for the rest we adapt SRI's chi-squared-statistic-based NIDES approach. Our implementation shows that the method has a 100% detection rate for attacks above its threshold level, that is, those attacks that produce statistically significant QoS degradation. The detection time is low, less than about 15 minutes. The maximum inherent false alarm generation rate, for both tests and all of the monitored measures combined, is of the order of 1 false alarm in 1000 valid status alerts, whether the status reported is normal or under attack. We believe that, given the results of the tests on our implementation of the attacks and the detection system, the method is a strong candidate for QoS intrusion detection in a low-cost commercial deployment.
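
The EWMA Control Chart test named in the abstract, applied to the jitter of one flow, as an added example that is not the authors' implementation. The jitter values are constructed, and the smoothing weight (0.2) and three-sigma limit are assumed values, since the abstract does not give the paper's parameters.

```python
import math
import statistics

# Constructed jitter samples (ms) for one VLL flow; not data from the paper.
PATTERN = [2.1, 1.9, 2.0, 2.2, 1.8]
BASELINE = PATTERN * 4                        # 20 samples of normal service
DEGRADED = [x + 0.3 for x in PATTERN] * 2     # sustained +0.3 ms jitter shift


def ewma_chart(samples, mu0, sigma0, lam=0.2, width=3.0):
    """Yield (t, ewma, lower, upper, alarm) for each sample.

    lam (smoothing weight) and width (limit in sigmas) are assumed values.
    """
    z = mu0  # chart starts at the in-control mean
    for t, x in enumerate(samples, start=1):
        z = lam * x + (1 - lam) * z
        # Exact EWMA variance factor; tends to lam / (2 - lam) as t grows.
        var = lam / (2 - lam) * (1 - (1 - lam) ** (2 * t))
        half = width * sigma0 * math.sqrt(var)
        yield t, z, mu0 - half, mu0 + half, not (mu0 - half <= z <= mu0 + half)


def first_alarm(samples, mu0, sigma0, **kw):
    """Return the 1-based index of the first out-of-control sample, or None."""
    for t, _z, _lo, _hi, alarm in ewma_chart(samples, mu0, sigma0, **kw):
        if alarm:
            return t
    return None


# In-control parameters estimated from the attack-free training window.
MU0 = statistics.fmean(BASELINE)
SIGMA0 = statistics.pstdev(BASELINE)

if __name__ == "__main__":
    for t, z, lo, hi, alarm in ewma_chart(BASELINE + DEGRADED, MU0, SIGMA0):
        print(f"t={t:2d} ewma={z:.3f} limits=[{lo:.3f}, {hi:.3f}] "
              f"{'ALARM' if alarm else 'ok'}")
```
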