A cascade architecture for DoS attacks detection based on the wavelet transform.

In this paper we propose an automated system able to detect volume-based anomalies in network traffic caused by Denial of Service (DoS) attacks. We designed a system with a two-stage architecture that combines more traditional change point detection approaches (Adaptive Threshold and Cumulative Sum) with a novel one based on the Continuous Wavelet Transform. The presented anomaly detection system is able to achieve good results in terms of the trade-off between correct detections and false alarms, estimation of anomaly duration, and ability to distinguish between subsequent anomalies. We test our system using a set of publicly available attack-free traffic traces to which we superimpose anomaly profiles obtained both as time series of known common behaviors and by generating traffic with real tools for DoS attacks. Extensive test results show how the proposed system accurately detects a wide range of DoS anomalies and how the performance indicators are affected by anomalies characteristics (i.e. amplitude and duration). Moreover, we separately consider and evaluate some special test-cases. [ABSTRACT FROM AUTHOR]