Detection of Unknown DoS Attacks by Kolmogorov-Complexity Fluctuation

  • Takayuki Furuya
  • Takahiro Matsuzaki
  • Kanta Matsuura
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3822)


Detection of unknown Denial-of-Service (DoS) attacks is a hard issue. What attackers do is simply to consume a large amount of target resources. This simple feature allows attackers to create a wide variety of attack flows, and hence we must find a sophisticated general metric for detection. A possible metric is Kolmogorov Complexity (KC), a measure of the size of the smallest program capable of representing the given piece of data flows because DoS attacks, known or unknown, are anyway launched by computer programs. However, there are no established DoS-detection methods which make use of this possibility. And to make matters worse, it is well known that KC cannot be rigorously computed. In this paper, we compare three different KC estimation methods including a new proposal of our own, and propose a new DoS-detection method by monitoring fluctuation of KC differentials.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Distributed Denial of Service (DDoS) Attacks/tools,
  2. 2.
    Lau, F., Rubin, S.H., Smith, M.H., Trajovic, L.: Distributed Denial of Service Attacks. In: Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, October 2000, pp. 2275–2280 (2000)Google Scholar
  3. 3.
    Leiwo, J., Aura, T., Nikander, P.: Towards Network Denial of Service Resistant Protocols. In: Proceedings of the 15th International Information Security Conference (IFIP/SEC 2000), August 2000, pp. 301–310. Kluwer, Dordrecht (2000)Google Scholar
  4. 4.
    Matsuura, K., Imai, H.: Modified Aggressive Modes of Internet Key Exchange Resistant against Denial-of-Service Attacks. IEICE Transactions on Information and Systems E83-D(5), 972–979 (2000)Google Scholar
  5. 5.
    Mirkovic, J., Reiher, P.: A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communication Review 34(2), 39–54 (2004)CrossRefGoogle Scholar
  6. 6.
    Alifri, H.: Ip Traceback: A New Denial-Of-Service Deterrent? IEEE Security & Privacy 1(3) (2003)Google Scholar
  7. 7.
    Tupakula, U.K., Varadharajan, V.: A Practical Method to Counteract Denial of Service Attacks. In: Proceedings of the 26th Australasian Computer Science Conference (ACSC 2003), February 2003, vol. 16 (2003)Google Scholar
  8. 8.
    Peng, T., Leckie, C., Ramamohanarao, K.: Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring. Manuscript, ARC Special Research Center for Ultra-Broadband Information NetworksGoogle Scholar
  9. 9.
    Ferguson, P., Senie, D.: Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. RFC 2827 (May 2000)Google Scholar
  10. 10.
    Denning, D.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13(2), 222–232 (1987)CrossRefGoogle Scholar
  11. 11.
    Thottan, M., Ji, C.: Proactive Anomaly Detection Using Distributed Intelligent Agents. IEEE Network 12(5), 21–27 (1998)CrossRefGoogle Scholar
  12. 12.
    Kemmerer, R.A., Vigna, G.: Intrusion Detection: A Brief History and Overview. Supplement to IEEE Computer, Security & Privacy, 27–30 (2002)Google Scholar
  13. 13.
    Krügel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Proceedings of the 2002 ACM Symposium on Applied Computing, March 2002, pp. 201–208 (2002)Google Scholar
  14. 14.
    Siaterlis, C., Maglaris, B.: Towards Multisensor Data Fusion for DoS Detection. In: Proceedings of the 2004 ACM Symposium on Applied Computing, pp. 439–446 (2004)Google Scholar
  15. 15.
    Kulkarni, A.B., Bush, S.F., Evans, S.C.: Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics. Tech. Report, GE Research & Development Center, 2001CRD176 (Class 1) (December 2001)Google Scholar
  16. 16.
    Cover, T., Thomas, J.: Elements of Information Theory, pp. 144–153. John Wiley & Sons, Inc, New York (1991)zbMATHCrossRefGoogle Scholar
  17. 17.
    Li, M., Vitanyi, P.: An Introduction to Kolmogorov Complexity and Its Applications. Springer, Berlin (1993)zbMATHGoogle Scholar
  18. 18.
    Evans, S.C., et al.: Kolmogorov Complexity Estimation and Analysis. Tech. Report, GE Research & Development Center, 2002GRC177 (Class 1) (October 2002)Google Scholar
  19. 19.
  20. 20.
  21. 21.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with High-Volume Network Intrusion Detection. In: Proceedings of the 11th ACM conference on Computer and Communications Security, October 2004, pp. 2–11 (2004)Google Scholar
  22. 22.
    Tongshen, H., Xiamin, Qingzhang, C., Kezhen, Y.: Design and Implement of Firewall-Log-Based Online Attack Detection System. In: Proceedings of the 3rd International Conference on Information Security (InfoSecu 2004), November 2004, pp. 146–149 (2004)Google Scholar
  23. 23.
    Mirkovic, J., et al.: A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. Tech. Report, UCLA CSD, CSD-TR-020018 (2002)Google Scholar
  24. 24.
    Cheung, S., Levitt, K.N.: Protecting Routing Infrastructures from Denial of Service Using Cooperative Intrusion Detection. In: Proc. of New Security Paradigms Workshop 1997, September 1997, pp. 94–106 (1997)Google Scholar
  25. 25.
    Sun, J., Jin, H., Chen, H., Zhang, Q., Han, Z.: A compound intrusion detection model. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 370–381. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Xu, W., Wood, T., Trappe, W., Zhang, Y.: Wireless Monitoring and Denial of Service: Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service. In: Proceedings of the 2004 ACM Workshop on Wireless Security, October 2004, pp. 80–89 (2004)Google Scholar
  27. 27.
    Kargl, F., Maier, J., Weber, M.: Protecting Web Servers from Distributed Denial of Service Attacks. In: Proceedings of the 10th International Conference on World Wide Web, pp. 514–524 (2001)Google Scholar
  28. 28.
    Hussain, A., Heidemann, J., Papadopoulos, C.: Denial-of-Service: A Framework for Classifying Denial of Service Attacks. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, August 2003, pp. 99–110 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Takayuki Furuya
    • 1
  • Takahiro Matsuzaki
    • 1
  • Kanta Matsuura
    • 1
  1. 1.Institute of Industrial ScienceThe University of TokyoTokyoJapan

Personalised recommendations