Timing considerations in detecting resource starvation attacks using statistical profiles
Resource starvation Denial of Service (DoS) attacks cause the attacked services to be denied to legitimate users. This paper introduces an approach to proactively detect such a DoS attack in its early development stages and therefore avoid damage. Our approach uses the set of data in the Management Information Base (MIB) retrieved by the Simple Network Management Protocol (SNMP). MIB traffic data (such as origin/destination; TCP connection state) and process table content (memory/CPU utilisation by specific processes) are used to construct performance profiles over long and short time scales. We define appropriate indicators and identifiable steps (check points) where resource starvation DoS attacks are recognised and stopped before they affect a system. By detecting in the early development stages, it is possible to avoid service interruption, system availability problems and other related effects, such as system and bandwidth performance degradation caused by legitimate operations.