Schaefer School of Engineering & Science News & Events  

        


March 5, 2008

An Entropy Based Method to Detect Spoofed Denial of Service Attacks

Dr. Willa Ehrlich
Dr. Danielle Liu
Dr. Kenichi Futamura


AT&T Labs

Abstract 

A Spoofed Denial of Service (DoS) System is described that analyzes a level of entropy in distributions of source and destination IP address aggregate flow share, for IP traffic traversing one or more links. A source IP address aggregate entropy time series and a destination IP address aggregate entropy time series are derived and then adaptive thresholding is applied to each time series to identify upper and lower entropy thresholds for current measurements. Given current traffic traversing the set of monitored links, current source and destination entropy values are computed on a near real-time basis. If the entropy of the current distribution of destination IP address aggregates flow share falls below the destination entropy time series' identified lower entropy threshold, a possible Denial of Service attack may be declared. If, in addition, the decline in entropy in the destination entropy time series is accompanied by a rise in the entropy of the current distribution of source IP address aggregates flow share and the current source entropy is greater than the source entropy time series' identified upper entropy threshold, a Spoofed Denial of Service attack may be declared. We document an application of this approach to identifying Spoofed Denial of Service attacks on Peering Links monitored by the AT&T Common IP Backbone Tier 1 ISP.
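The decision rule in the abstract can be sketched as follows. This is an added example, not the speakers' code: treating an aggregate as a /24 prefix, using mean plus or minus three standard deviations as the adaptive threshold, and all traffic samples are assumptions constructed for illustration.

```python
import math
from collections import Counter
from ipaddress import ip_network
from statistics import mean, stdev

def aggregate(ip, prefix_len=24):
    # Assumption: an "IP address aggregate" is modelled as the enclosing /24 prefix.
    return str(ip_network(f"{ip}/{prefix_len}", strict=False))

def entropy(flows, field):
    """Shannon entropy in bits of flow share per aggregate (field 0 = source, 1 = destination)."""
    counts = Counter(aggregate(flow[field]) for flow in flows)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def thresholds(series, k=3.0):
    # Assumption: "adaptive thresholding" is stood in for by mean +/- k standard
    # deviations over the recent entropy time series; the abstract names no method.
    m, s = mean(series), stdev(series)
    return m - k * s, m + k * s

def classify(flows, src_series, dst_series):
    """Apply the abstract's two-step decision rule to one measurement interval."""
    dst_lower, _ = thresholds(dst_series)
    _, src_upper = thresholds(src_series)
    if entropy(flows, 1) >= dst_lower:
        return "normal"
    if entropy(flows, 0) > src_upper:
        return "spoofed DoS"
    return "possible DoS"

def baseline(i):
    # Constructed traffic: 8 source /24s each sending one flow to 8 destination /24s,
    # plus 0-2 extra flows so the entropy series is not perfectly flat.
    flows = [(f"10.0.{s}.1", f"172.16.{d}.10") for s in range(8) for d in range(8)]
    return flows + [("10.0.0.1", "172.16.0.10")] * (i % 3)

# Constructed floods of 500 flows at one destination: one from 500 distinct source
# /24s (spoofed-looking), one from a single source.
SPOOFED = baseline(0) + [(f"198.{18 + n // 250}.{n % 250}.5", "172.16.0.10") for n in range(500)]
SINGLE = baseline(0) + [("10.0.0.1", "172.16.0.10")] * 500

SRC_SERIES = [entropy(baseline(i), 0) for i in range(12)]
DST_SERIES = [entropy(baseline(i), 1) for i in range(12)]

if __name__ == "__main__":
    for name, flows in [("baseline", baseline(1)), ("spoofed", SPOOFED), ("single", SINGLE)]:
        print(name, round(entropy(flows, 0), 3), round(entropy(flows, 1), 3),
              classify(flows, SRC_SERIES, DST_SERIES))
```

In both floods the destination entropy collapses because one aggregate dominates the flow share; only the flood from many distinct source aggregates also pushes source entropy above its upper threshold.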

Speaker Bio 

Willa Ehrlich:

   Willa Ehrlich is currently a Senior Security Analyst in the AT&T Security Center of Excellence where she has developed algorithms for detecting worm propagations, Denial of Service events, source spoofing and dynamically characterizing Internet hosts' traffic profiles. She is currently working with Dr. David Hoeflin and Dr. Danielle Liu on developing an algorithm for applying link analysis and multivariate techniques to detecting e-mail spamming machines. Dr. Ehrlich received her PhD in Psychology from University of Minnesota in 1974. She was an Instructor at Brown University, Department of Psychiatry and Human prior to joining Bell Laboratories in 1983. She was a Distinguished Member of Technical Staff at Bell Laboratories and Technology Consultant at AT&T Labs where she evaluated systems' functionality, reliability, performance and scalability.
    Dr. Ehrlich has presented her work on internet security, testing and software reliability engineering at workshops, international software engineering conferences, and to Bell Labs/AT&T Labs technical staff members. She has authored/co-authored over 20 scientific publications.

Danielle Liu:

    Danielle Liu received her Ph.D. in Industrial Engineering at University of Arizona in 1993. She was a visiting professor at Department of Electrical Engineering at Case Western Reserve University for one year before joining Bell Labs in 1994. Danielle has worked on various projects in AT&T including Internet traffic characterization, IP QoS, WiMAX and IP security. She is currently working on email SPAM detection and network capacity planning. Dr. Liu is the author of over 20 papers on queueing theory and applications, network traffic modeling and engineering, and IP security. Dr. Liu is a member of IEEE. She also serves as an editor for the journal of Queueing Systems: Theory and Applications.

Kenichi Futamura:

    Kenichi Futamura received M.S. degrees in Mathematics (1994) and Statistics (1994) and a Ph.D. in Operations Research (1996) at Stanford University. Since joining AT&T Labs in 1995, he has investigated various areas including credit risk management, performance analysis, network grooming, access optimization, and internet security. His recent security efforts include developing several intrusion detection tools for the AT&T Internet Protect platform, including WARD, a worm detection tool. Currently, he is a Principal Technical Staff Member, working on anomaly detection, intrusion correlation, and capacity planning.

For more information, please contact:

Yingying Chen
Assistant Professor & NIS Graduate Program Director
Burchard
Room 210
Phone: 201.216.8066
Fax: 201.216.8246
yingying.chen@stevens.edu

               
Stevens Institute of Technology | 1 Castle Point on Hudson, Hoboken, NJ 07030 | Phone: 201.216.5263 | Fax: 201.216.8909