Network Attack Program
Final rept. Jun 1999-Aug 2000
TRW INC SUNNYVALE CA
Pagination or Media Count:
In our research we developed algorithms to detect attacks on large networks and their network components, such as routers. This approach differs from others that detect attacks on individual computers. The advantage of network attack detection is that it discovers distributed denial of service (DDoS) types of attacks that cannot be found with conventional techniques. The algorithms take advantage of changes in the emergent properties of large networks to detect attacks. Emergent properties are the statistics of avalanches of packets lost in routers from overloads, and avalanches of communication links approaching their capacity. Statistical data is collected from existing Simple Network Management Protocol (SNMP) messages from network components. N-grams are used to detect the changes in the patterns of network management message conversations that are caused by the attacks. A fast large-network simulation was developed using self-organizing system (SOS) techniques. This simulation utilized a very simple, but very fast, model that used only the most significant characteristics of the network. The core part of the simulation was less than 100 lines of code that simulated over 1,000,000 routers and links per second. In addition to testing the algorithm on real networks, the simulation will be needed for testing attacks that are impractical to implement on operational networks and for planning courses of action.
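The n-gram detection idea described above, as an added illustration that is not part of the report: a baseline profile of bigrams is learned from a constructed stream of SNMP message types, and each window of later traffic is scored by how far its bigram distribution drifts from that profile, so an avalanche of discard and linkDown traps from an overloaded router stands out. The message-type vocabulary, the total-variation distance, the window size and the threshold are all assumptions chosen for the example.

```python
from collections import Counter
from typing import List, Tuple

# Constructed vocabulary of SNMP conversation events as a manager sees them when
# polling a router. A real deployment would tokenise actual PDU types and trap OIDs.
GET, RESP, DISCARD, LINKDOWN = "get-request", "get-response", "trap-ifDiscards", "trap-linkDown"


def ngrams(seq: List[str], n: int) -> Counter:
    """Count the n-grams (tuples of n consecutive message types) in a sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def distribution(counts: Counter) -> dict:
    """Normalise n-gram counts into relative frequencies."""
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def anomaly_score(baseline: dict, window: List[str], n: int) -> float:
    """Total-variation distance (0 = identical, 1 = disjoint) between the window's
    n-gram distribution and the learned baseline profile."""
    observed = distribution(ngrams(window, n))
    keys = set(baseline) | set(observed)
    return 0.5 * sum(abs(baseline.get(g, 0.0) - observed.get(g, 0.0)) for g in keys)


def detect(baseline_seq: List[str], stream: List[str], n: int = 2,
           window: int = 10, threshold: float = 0.5) -> List[Tuple[int, float]]:
    """Slide non-overlapping windows over the stream and flag those whose n-gram
    pattern drifts from the baseline by more than the threshold."""
    profile = distribution(ngrams(baseline_seq, n))
    alerts = []
    for start in range(0, len(stream) - window + 1, window):
        score = anomaly_score(profile, stream[start:start + window], n)
        if score > threshold:
            alerts.append((start, round(score, 3)))
    return alerts


# Constructed training data: a quiet polling cycle with one discard trap, repeated.
QUIET_CYCLE = [GET, RESP] * 5 + [DISCARD]
BASELINE = QUIET_CYCLE * 20
# Constructed test stream: quiet traffic, then an avalanche of discard and linkDown
# traps of the kind an overloaded router emits, then quiet traffic again.
AVALANCHE = [DISCARD] * 6 + [LINKDOWN] * 4
STREAM = QUIET_CYCLE * 3 + AVALANCHE + QUIET_CYCLE * 2

if __name__ == "__main__":
    for start, score in detect(BASELINE, STREAM):
        print(f"window starting at message {start}: bigram drift {score}")
```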
- Computer Systems Management and Standards