Computer Networks 48 (2005) 235–245

www.elsevier.com/locate/comnet

Real-time detection of distributed denial-of-service

attacks using RBF networks and statistical features
Dimitris Gavrilis, Evangelos Dermatas *

Department of Electrical Engineering and Computer Technology, University of Patras, Kato Kastritsi, 26500 Patras, Greece

Received 17 July 2003; received in revised form 12 April 2004; accepted 6 August 2004
Available online 21 December 2004

Responsible Editor: Z.-L. Zhang

Abstract

In this paper we present and evaluate a Radial-basis-function neural network detector for Distributed-Denial-of-Ser-
vice (DDoS) attacks in public networks based on statistical features estimated in short-time window analysis of the
incoming data packets. A small number of statistical descriptors were used to describe the DDoS attacks behaviour,
and an accurate classification is achieved using the Radial-basis-function neural networks (RBF-NN). The proposed
method is evaluated in a simulated public network and showed detection rate better than 98% of DDoS attacks using
only three statistical features estimated from one window of data packets of 6 s length. The same type of experiments
were carried out on a real network giving significantly better results: a 100% DDoS detection rate is achieved followed
by a 0% of false alarm rate using different statistical descriptors and training conditions for the RBF-NN.
Ó 2004 Elsevier B.V. All rights reserved.

Keywords: Intrusion detection; Denial-of-service attacks; RBF networks; Neural networks; Computer security

1. Introduction lars. Major commercial web sites have been dis-

In recent years there has been a sudden increase
of Network-based intrusion and Distributed De-
nial of Service (DDoS) attacks. Especially after
the year 2000 the problem has grown enormously,
increasing the costs of losses to billions of US dol-
*
Corresponding author. Tel.: +30 261 099 6476.
E-mail addresses: gavrilis@george.wcl2.ee.upatras.gr (D.
Gavrilis), dermatas@george.wcl2.ee.upatras.gr (E. Dermatas).
abled for several hours due to such attacks. The
DDoS attacks usually do not take advantage of
some security flaw but instead they make legiti-
mate use of a service until all the resources that
this service uses are exhausted [14]. The attacker
increases the number of network processes requir-
ing significant computer resources: CPU load,
memory, disk space, and network bandwidth. This
characteristic of those attacks makes them difficult
to detect especially in large commercial networks

1389-1286/$ - see front matter Ó 2004 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2004.08.014
236 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
such as yahoo.com or amazon.com where they
serve hundreds or maybe thousands of users per
minute. When the flow of packets on a network
suddenly increases we cannot be certain that it is
because of a DDoS attack that is in progress or be-
cause too many users happen to use that service at
that time [16]. Commercial DDoS detection sys-
tems [13,16–19] have high false-alarm rates, pro-
ducing hundreds of false alarms per day because
it is often difficult to select manually the identifica-
tion conditions for a great number of attacks and
their variants [17–19,2].
1.1. Network-based intrusion and DDoS attacks
A great number of methods for recognizing
intrusion and DDoS attacks have already been
presented (4–25). In [4], the Articon-Intergralis
group discusses the specification and test process
of Intrusion Detection Systems and proposed a
detailed topology, machines and attacks scenarios
that were used to make the assessment. The Net-
work Intrusion Detection System technology is
described in [5], comparing the most popular
methods: Pattern-searching and protocol analysis.
The protocol analysis usually can be used to detect
the true signature of the intrusion when it is hidden
in the protocol. In this case most of the pattern-
search methods fail to detect the intrusion. A com-
mon protocol analysis is based on a decision tree.
The computational effort of the tree search in-
creases significantly in case of intrusion or DDoS
attacks. In this case the Network Intrusion Detec-
tion System would overload and eventually
shutdown.
An intrusion detection approach has been pro-
posed by Me (in [6]) based on predefined attack
scenarios and using a genetic algorithm. Taking
into account that pattern-searching methods are
NP-Complete problems, a genetic algorithm is
used to reduce the computations in Ôthe security
audit trail analysis problemÕ. The experimental
evaluation showed successful detection of the at-
tacks after 20 generations, giving a detection rate
of 99% after 100 generations. If the attacks coded
in the Attacks–Events matrix grows, the final gen-
eration number has to increase to keep the detec-
tionÕs quality at the same level.
In [1], Mell et al. describes an intrusion detec-
tion system (IDS) to become resistant to flooding
DoS attacks using a combination of techniques:
the critical IDS components are made invisible to
the attacker, critical IDS components are made
adaptive to flooding DoS attacks. The authors
do not prevent an attacker from launching attacks
but instead makes the significant targets invisible
which forces the attacker to fire blindly.
Recently neural network architectures for intru-
sion detection have been proposed [12,20,22,21]. A
backpropagation neural network (multilayer per-
ceptron) has been presented by Ryan et al. [3].
The neural network is trained to identify users
based on what commands they use during a day.
In a system of 10 users and a dataset collected
for 12 days, the neural network was 96% accurate
in detecting anomalous behaviour, with a false
alarm of 7%. In [7] an adaptive intrusion detection
system for TCP/IP networks is described based on
neural networks. The training process is based on
previous well-known intrusion profiles, and the
adaptation capabilities is realized by re-training
the neural network using new profiles. The system
is based on the fact that an intrusion can be de-
tected from an analysis of predetermined models
for both normal and intrusion actions. The best
performance of approximately 95% has been
achieved using a two hidden-layer perceptron neu-
ral network (20-5-1 neurons per layer) trained by
the error backpropagation algorithm.
The well-known K-nearest Neighbor Classifier
KNNC has been evaluated in [8], to categorize a
process into normal or intrusive class using system
calls over each program execution. The computa-
tional load of the KNNC is partially faced by pro-
cessing the restricted set of system calls (less than
100 in DARPA BSM data), while a typical Pat-
tern-searching intrusion detection system in shell
level could have over 15,000 unique words. The
KNNC calculates the similarity between the new
process and each training process instance using
the assumption that the process belonging to the
same class will cluster together in the vector space.
The KNNC is applied to the 1998 DARPA data.
The audit data were collected on a traffic simulator
of an Air Force Local Area Network. The system
is extensively evaluated giving an excellent detec-
 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
tion rate. When the number of simultaneously pro-
cesses increases, the detector is computationally
expensive for real-time implementation in some
computers. In the same dataset (1998 DARPA) a
statistical traffic model for detecting novel attacks
has been presented in [15]. The model effectiveness
in discriminating normal connections from DoS
attacks is quantified by plotting the Receiver
Operating Characteristics curves. The kolmogo-
rov–Smirnov test is used as a classifier between
the normal and the attack conditions by process-
ing the statistical differences of the number of
bytes from the responder, and the byte ratio re-
sponder–originator.
Recently, Streilein et al. [21] presents neural net-
work classifiers based on the multilayer perceptron
for accurately detection of several classes of
attacks including stealthy probes and novel
DDoS attacks. The neural-based detection system
achieves a recognition rate of 100% with a false
alarm of 0.1% when tested against stealthy attacks
in the DARPA 1999 IDS Evaluation data. From
the original extended set of features, the authors
eliminate the least effective, proposing a minimal
set of five only features.
1.2. The DDos attacks
As reported in [23], where a structural approach
of the DDoS attacks and the defense mechanisms
can be found, DDoS attacks can be classified in
five categories. The most important are the TCP
Flooding, UDP Flooding, ICMP Flooding and
Smurf attacks. The first three attempt to flood a
network with TCP [10,11], UDP and ICMP traffic
respectively so as to exhaust the networkÕs or the
serverÕs resources. The latter works in a different
manner and does not pose a threat when certain
modifications are made in the networkÕs devices.
The DoS attacks performed using ICMP messages
usually succeed because the victim host does not
maintain enough information on the messages
communication [9]. However, with the appropriate
modifications, it can be prevented. The most
important work is concentrated in the first type
of attack because TCP is the most widely used pro-
tocol and WWW is the most widely used service on
the Internet. The same mechanism can be applied
237
successfully both in UDP and ICMP protocols.
In a great number of Internet sites, DDoS attack
tools are available.
After an analysis of the available tools that
perform DDoS attacks, it is found that a DDoS
attack has the following characteristics:
(a) The source IP of the packets is set random.
(b) The source and the destination port of the
packets is set random.
(c) Some of the flags (URG, ACK), fragmenta-
tion, TCP options, TTL and the clientÕs
SEQ number are assigned by a pseudorandom
generator.
In most tools, multiple instances of the applica-
tion (usually residing on multiple machines), com-
municate with each other and coordinate during
the attack. The packets can be sent to the target(s)
in bursts or in a continuous flow.
2. System innovations
Every robust DDoS detection system must sat-
isfy some important specifications: (a) very high
detection rates with minimal false alarm rates,
(b) real-time detection with low memory and
cpu-time requirements, (c) invariant in evolution-
ary trends in DDoS attacks, network topology
and the variations of the normal data-exchange
rates, (d) minimum interference of the DDoS
detector in the traffic. In the direction of building
efficient DDoS detectors, we present a system pro-
viding a number of important innovations:
(a) A small and a robust number of normalized
statistical features is used for monitoring the
statistical properties of the data exchange
packets in the network. The computational
effective features set is used to recognize in
real-time the normal network traffic from sud-
denly increased packet flow from a DDoS
attack in very short time intervals.
(b) The features space present reduced variance
in different DDoS attacks giving very high
detection rates, which is almost independent
of the DDoS implementation details.
238 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
(c) Even in the case of very-fast networks, accu-
rate estimation of the statistical features can
be obtained by processing a subset of the
packets transferred on the network.
(d) Even in the case of complex distribution of
the features vector, the effective Radial-
Basis-Function neural network (RBF-NN) is
used to recognize DDoS attacks from the nor-
mal traffic. The well-developed theoretical
analysis of the RBF-NN [24] introduces a
number of significant advantages over multi-
layer perceptrons. The RBF-NN detector is
a two layer neural network. In the first (hid-
den) layer the neurons implement a radial
function while the output neurons implement
a weighted sum of hidden neuron outputs.
The excellent approximation properties of
the RBF-NN allows for complex non-linear
mapping by modifying only the number of
hidden neurons, which simplifies the compu-
tational complexity in both the activation
and training process. Moreover, extremely
faster learning rates, smaller approximation
errors with extremely low probability to con-
verge in local minima has been measured in a
great number of applications.
3. System description
The system consists of three sequentially con-
nected modules:
Data collector. A sniffer captures the following
data fields for each packet: Source Port, SEQ
number of client, Window size, and the Syn,
Ack, Fin, Psh, Urg, Rst flags. The timestamp
for each packet is also recorded in order to
group the packets into overlapping timeframes.
The number of the distinct Source Ports, and
Window size numbers are estimated for each
timeframe. The SEQ number is a 32-bit random
number produced by the client as an identifica-
tion for a certain TCP connection. The estima-
tion of the distinct SEQ numbers requires
significant memory space and computing power.
Experimental results showed that, although the
SEQ number varies across clients, the upper
16 bits are adequate in estimating the SEQ num-
bersÕ feature. The upper 16 bits can store the nec-
essary information in an array of 65,535 bytes
long.
The statistics gathered for each timeframe are
the frequency of occurence for each of the follow-
ing six flags to be set: Syn, Ack, Fin, Psh, Urg, Rst.
In extended experiments it has been found that
these flags contain significant information related
to the presence of a DDoS attack. The Source IP
Address is not used in the recognition process,
even if it provides significant information, because
it requires substantial amount of computing power
to store the individual addresses. Additionally, it is
also decided not to use the packet length informa-
tion because it would make the DDoS detector
system service specific (e.g. only for www). In the
same experiments it is showed that other data
transferred by the TCP/IP packets, such as the
Time-to-Live field, do not contain information
related to the presence of a DDoS attack.
Features estimator. The frequency of flags and
the number of the distinct values for the Source
Ports, SEQ number, and Window size are esti-
mated for each timeframe. The statistical features
for each timeframe for the six flags are the proba-
bility of the flag to be set. The number of the dis-
tinct values is divided by the total number of
packets for a certain timeframe for the SEQ num-
ber, the Window Size and the Source Port.
DDoS detector. The nine-features vector were
used to activate a two-output RBF network at
each timeframe. The most active output neuron
detects the presence of a DDoS attack or charac-
terizes the timeframe as normal traffic. In the
experiments it is shown that a small number of
hidden neurons can be used to achieve high detec-
tion rates of DDoS attacks. Moreover, the RBF-
NN classification capabilities are studied using
an extremely small input vector containing only
three features.
4. The RBF-NN training process
The gathered data were used to create two dif-
ferent training scenarios. In the first scenario the
DDoS detector is trained using normal www and
 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
Fig. 1. Time frames and a DDoS attack in the bold line:
normal traffic (0), DDoS and normal traffic (1).
pure DDoS traffic. In the second scenario the pure
DDoS traffic was replaced by the data collected
when the DDoS hits the server which serves the
normal traffic. In both training scenarios different
normal and combined traffic is used to estimate
the RBF-NN efficiency, as shown in Fig. 1.
The networkÕs efficiency was measured for a dif-
ferent number of hidden neurons ranging from 1
to 20. A mixture of Gaussian functions was used
as the RBFÕs non-linear function. The mean and
variance for the Gaussian function was estimated
using the K-means clustering algorithm [24]. It is
well-known that the K-meansÕ initial centers signif-
icantly influences the quality of the training pro-
cess. A good selection of the initial centers led to
significantly better classification rates for different
network topologies. Therefore, the K-means cen-
ters which minimizes the quantization error from
the training data are selected from a set of multiple
local minimum set of centers. Multiple local mini-
mum solutions are created by applying the K-
means algorithm using different initialization.
During the center re-estimation process of the
K-means algorithm the variance of some flags
was zero (e.g. RST, URG flags) or very close to
zero. In this case, the algorithm fails to continue
or convergence to an extremely bad local mini-
mum, decreasing significantly the classification
efficiency of the RBF-NN. To overcome this prob-
lem, a minimum value for the estimated variance
was experimentally derived, giving significantly
better classification rates.
5. Experimental evaluation
The evaluation process is divided in three steps:
in the first step the packets are captured from the
239
network using a linux based sniffer placed on a
monitoring host, which is based on the popular
libpcap library and while in capture mode a filter
was used to monitor traffic for the www service
only. In the second step, the captured packets for
some scenario are grouped into timeframes and
the statistical features for each timeframe and
overlaptime sizes are produced. The data were
grouped into 18 different timeframes ranging from
5 to 18 s, with an overlap time from 1 to 6 s. In the
final step, the features data were used to train and
evaluate the RBF-NN.
The DDoS attack was carried out using the pro-
gram Tribe Flood Network (TFN2k). The sniffer
recorded an actual attack, normal www requests
only and traffic generated only by the TFN2k pro-
gram. It is possible that the sniffer could ‘‘miss’’
some packets especially when the packet rate is
very high. The missing data does not influence
the systemÕs performance due to the statistical
nature of the features.
5.1. The features set
Two different features sets were used to evaluate
the RBF-NN detection efficiency depending on the
number of features used to build the input vector.
In many cases the original set of 9 statistical fea-
tures surpassed the 98% of correct classification.
During experiments, it is also noticed that many
of the fields of the input vector such as the Time-
to-Live, the Window Size and some of the Flags
did not contain sufficient information to contrib-
ute in the DDoS detection process. This along with
the excellent system performance led to an evalua-
tion using the reduced set of the 3 input vector
(Source Port, SEQ number, Syn flag). This set of
features can be estimated in real-time using con-
ventional low-cost computing systems. We consid-
ered those three features to be the most important
except the Source IP Address which we did not use
in order to allow minimum computing resources
in both computational complexity and memory
requirements in the RBF-NN-based DDoS detec-
tion system. The correct classification rate was
in most cases as close as the 9 features rate. This
figure verified the initial assumptions about the
nature of the input fields.
240 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
5.2. The experiments
The proposed RBF-NN detector was trained
and evaluated in two experiments.
In the first experiment, a 100 Mbps network
was setup and the Web Application Stress Tool
from Microsoft Corp. was used to simulate the cli-
ents. An entire web site was mirrored on the test
server and actual users surfed the site. The users
responseÕs, pages they surfed, delay time between
hits etc, are recorded and saved as user profiles
using the Web Application Stress Tool (a tool that
sends HTTP requests on a web server using actual
profiles).
The SEQ numbers and the Source Ports for a
recorded session did not correspond to the real
ones because they were produced by the same
client machine (that simulated thousands of dif-
ferent clients). In order to overcome this prob-
lem, the distinct TCP sessions are recognised
and the SEQ and Source Port numbers are
modified according to the protocol rules. While
parsing the file containing the captured packets,
each distinct connection is recognised using the
information provided by the source port and
the clientÕs SEQ number. After a connection
has been found, a random number is generated
which replaces the clientÕs SEQ number. The
new SEQ number is modified in the same way
with the old one during data exchange between
the client and the server thus following the
TCP/IP protocol rules. Several experiments were
conducted, producing normal www traffic of
1 min total length, DDoS traffic of 1 min total
length and combined traffic of 3 min total
length.
In the second experiment, a DDoS attack was
launched on the main web server of the univer-
sity of Patras central library. This is probably
the web server with most hits in the university
as it serves over 25.000 users. The recorded pack-
ets for the normal traffic were 78,361 (60 min
duration). For the DDoS attack were 73,677
(1 min duration) and for the combined traffic
822,655 (6 min duration). During the combined
traffic experiment, in the first 3 min there was
normal traffic and after the 3rd minute the at-
tack started.
6. Experimental results on the simulated network
The RBF-NN has better classification rate in
the first experiment when the second training sce-
nario (Sen2) is used to estimate the NN synaptic
weights against the first training scenario (Sen1),
as shown in Fig. 2 and 3 where the correct classi-
fication rate for both features sets (9in-original fea-
tures vector and 3in-reduced features vector) is
plotted for different timeframe sizes. These results
are typical in pattern recognition experiments
where the second training scenario describes better
the pattern distribution in the features space than
the training data of the first scenario. In the second
scenario simultaneous normal traffic and a DDoS
attack is recorded: the training and the evaluation
data describe the same type of traffic. In the case
where the overlap time was 2 s (Fig. 2) and the
RBF-NN is trained with the second dataset, al-
most 20% better classification rate is obtained in
regard to the rate obtained by the RBF-NN
trained by the first dataset. In addition, a compar-
ison between the two figures showed better classi-
fication rates in case where the overlap step is set
to 1 s step, giving the best results when the RBF-
NN is trained by the second dataset.
In both training datasets, the 3 features RBF-
NN is expected to behave worse than the RBF-
NN processing the 9-features vector. However,
the experimental results (Figs. 2 and 3) showed
better classification rate for the 3-features vector.
This unexpected behaviour is caused by the
insufficient number of training examples. In
regression problems, where a great number of
unknown parameters are met, the size of the
training data must be increased enormously to
obtain sufficient generalization capabilities. In
the case of the 9-features input vector, the num-
ber of training examples are insufficient to em-
body generalization capabilities to the synaptic
weights.
As the timeframe increases, the correct classifi-
cation rate is expected to improve. In general, that
is the case mostly carried out in the experiments
using the training data derived by the first scenario
(Fig. 4). Classification rates better than 94% were
achieved using the complete set of features and
timeframe sizes greater than 10 s. A totally differ-
 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245 241

Fig. 2. Correct classification rate for the simulated network and 2 s overlapping step.

Fig. 3. Correct classification rate for the simulated network and 1 s overlapping step.
242 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
Fig. 4. Correct classification rate for the simulated network using the first training scenario.
ent figure is met in case where the RBF-NN is
trained using the second scenario training data
(Fig. 5). Generally, the correct classification rate
decreases when the timeframe size increases. The
best classification rate of 99% was achieved using
a 6 s window timeframe and the original set of
9-features vector. A small timeframe is more pref-
erable in applications because the features estima-
tion module is faster.
Generally, it is easier to achieve the first sce-
nario dataset because the only required informa-
tion is normal and pure DDoS traffic data, while
in the case of the second scenario, a combined traf-
fic signature is needed. The best correct classifica-
tion rate of 94.5% was achieved using the first
scenario data, the original features vector consist-
ing of 9 components, a 12 s timeframe and 1 s
overlap step. In the same conditions, the DDoS
detection rate was 91.8% when the 3 features vec-
tor is used. In the second scenario the best correct
identification rate was 98.97% (6 s timeframe and
1 s step) for both feature vectors. In any case, the
correct classification rate did not fall under 92%
(16 s timeframe and 2 s step).
In Fig. 6 the correct classification versus the
number of RBF weights are showed. The number
of RBF weights that are capable to produce cor-
rect classification rates more than 99%, vary from
70 to 90 and refer to a RBF-NN trained with the
second scenario data.
The DDoS detection errors occurred only at the
timeframes where the attack begins or at the time-
frame where the attack ends (Fig. 1, timeframes
no: 5, 43, 75), In these timeframes transition phe-
nomena distort the statistical features. In time-
frames 5 and 75 the DDoS starts to hit the
network, while in those timeframes some DDoS
packets remains in the traffic.
7. Experimental results on the real network
In the case of the real network (second experi-
ment), the results are surprisingly better. The iden-
 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
Fig. 5. Correct classification rate for the simulated network using the second training scenario.
tification rate of the RBF-NN was 100% when the
number of hidden neurons are greater than 3, as
shown in Fig. 6 (D1-Simulated and D2-real net-
work). The results show that in the worst case,
when the RBF-NN is trained using the first sce-
nario data, the correct identification was better
than 98%. If the RBF-NN is trained using the sec-
ond scenario data the correct identification rate
was 100% in all timeframes and overlapping steps.
8. DDoS detection on the UDP protocol
While all our experiments so far, are concerned
with the TCP/IP protocol, the same recognition
mechanism should also detect DDoS attacks in
the UDP protocol. To evaluate the DDoS detector
preliminary experiments were carried out using the
RBF-NN and only two features: the Source-port
and the Time-to-Live which are both used in the
UDP protocol. A 3 up to 20 hidden neuron
RBF-NN was trained using 186 examples, and
the detector was evaluated using a different set of
243
195 examples, established on the simulated net-
work. The correct classification rate in all experi-
ments was better than 83.59% reaching its
maximum (87.69%) when 8 hidden neurons were
used. The experimental results were almost as
good as with the TCP protocol but with a slight
smaller efficiency.
9. Conclusions
The DDoS attacks are becoming one of the
InternetÕs most critical problems. With the Inter-
netÕs speeds increasing, the need for lighter and
more efficient detection systems is necessary. It is
shown that the proposed method can successfully
identify known DDoS attacks with very high
detection rates. It can be easily implemented and
integrated into any network because it is a passive
monitoring system requiring very few computing
resources since it uses statistical features.
Today, the most widely method used for pre-
venting Denial of Service attacks is to block all
244 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
Fig. 6. Correct classification rate versus the number of weights for the best timeframe configuration, the simulated (D1) and the real
(D2) network.
packets that donÕt belong to an established con-
nection when a DDoS attack has been recog-
nized. This procedure takes place within a time
frame where the DDoS detector monitors the
network by allowing all packets to pass. If a
DDoS is detected, all packets that donÕt belong
to an established connection are blocked. Thus,
the proposed method can be easily integrated
with existing technologies to prevent such
attacks.
A most challenging task is to effectively block a
DDoS attack without interfering with normal traf-
fic. The task of selectively blocking packets that
are presumed to belong to an attack session is ex-
tremely difficult and has never been attempted.
Also the use of more advanced DDoS tools than
those that exist today, must be considered.
Another method of preventing an attack is to
search for patterns in the network packets when
a DDoS attack has been recognized and then to
block the packets that follow a specific statistical
pattern. This can be successfully implemented if
we assume known DDoS attacks. Each of those
tools has a specific signature that allows it to be
detected. However, someone could write a new
tool that follows a different pattern. In such a case,
if a DDoS detector isolates the DDoS packets, the
development of automatic blocking methods for
the DDoS packets can be used to eliminate the
influence of the DDoS attacks especially in large
networks.
References
[1] P. Mell, D. Marks, M. McLarnon, A denial-of-service,
Computer Networks 34 (2000) 641–658.
[2] T. Ptacek, T. Newsham, Insertion, Evasion, and Denial-of-
Service: Eluding Network Intrusion Detection, Secure
Networks Inc., 1998.
[3] J. Ryan, M. Lin, R. Miikkulainen, Intrusion detection
with neural networksAdvances in Neural Information
Processing Systems, vol. 10, MIT Press, Cambridge, MA,
1998.
[4] R. Barder, The evolution of intrusion detection systems—
the next step, Computer & Security 20 (1) (2001) 132–145.
 D. Gavrilis, E. Dermatas / Computer Networks 48 (2005) 235–245
[5] R. Graham, NIDS-pattern search vs. protocol decode,
Computer & Security 20 (1) (2001) 37–41.
[6] L. Me, GASSATA, A genetic algorithm as an alternative
tool for security audit trails analysis, First International
Workshop on the Recent Advances in Intrusion Detection,
Belgium, 1998.
[7] J. Bonifacio, A. Casian, CPLF de A. Carvalho, E. Moreira,
Neural networks applied in intrusion detection systems, in:
Proceedings of the Word Congress on Computational
Intelligence—WCCI, Anchorage, USA, 1998, pp. 205–210.
[8] Y. Liao, R. Vemuri, Use of K-nearest neighbor classifier
for intrusion detection, Computer & Security 21 (5) (2001)
439–448.
[9] M. Baltatu, A. Lioy, F. Maino, D. Mazzocchi, Security
issues in control, management and routing protocols,
Computer Networks 34 (2000) 881–894.
[10] Y.W. Chen, Study on the prevention of SYN flooding
by using traffic policing, IEEE Symposium on Network
Operations and Management, 2000, pp. 593–604.
[11] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram,
D. Zamboni, Analysis of a denial-of-service attack on
TCP, in: Proceedings of the IEEE Computer Society
Symposium on Research in Security and Privacy, USA,
1997, pp. 208–223.
[12] R. Lippmann, R. Cunnigham, Improving intrusion detec-
tion performance using Keyword selection and neural
networks, Computer Networks 34 (2000) 596–603.
[13] W. Scwartau, Surviving denial-of-service, Computers &
Security 18 (2) (1999) 124–133.
[14] F. Lau, S. Rubin, M. Smith, L. Trajkovic, Distributed
denial-of-service attacks, in: Proceedings of the IEEE
International Conference on Systems, Man and Cybernet-
ics, vol. 3, 2000, pp. 2275–2280.
[15] J. Cabrera, B. Ravichandran, R. Mehra, Statistical traffic
modeling for network intrusion detection, IEEE Interna-
tional Workshop on Modeling, Analysis, and Simulation
of Computer and Telecommunication Systems, 2000, pp.
466–473.
[16] D. Cox, K. McClanahan, Method for blocking denial of
service and address spoofing attacks on a private network,
Patent WO9948303, Cisco Tech Ind (US), 1999.
[17] K. Narayanaswamy, T. Ross, B. Spinney, M. Paquette, C.
Wright, System and process for defending against denial of
service attacks on network nodes, Patent WO0219661, Top
Layer Networks Inc. (US), 2002.
[18] R. Maher, V. Bennett, Method for preventing denial of
service attacks, Patent WO0203084, Netrake Corp (US),
2002.
245
[19] J. Belissent, Method and apparatus for preventing a denial
of service (DOS) attack by selectively throttling TCP/IP
requests, Patent WO0201834, Sun Microsystems Inc. (US),
2002.
[20] A. Bivens, C. Palagiri, R. Smith, B. Szymanski, M.
Embrechts, Network-based intrusion detection using neu-
ral networks (2002), Artificial Neural Networks In Engi-
neering November 10–13, St. Louis, Missouri, 2002.
[21] W. Streilein, R.K. Cunningham, S.E. Webster, Improved
detection of low-profile probe and novel denial-of-service
attacks (2002), Workshop on Statistical and Machine
Learning Techniques in Computer Intrusion Detection,
Baltimore, Maryland, June 2002, pp. 11–13.
[22] H. Debar, M. Baker, D. Siboni, A neural network
component for an intrusion detection system, in: Proceed-
ings of the IEEE Computer Society Symposium on
Research in Security and Privacy, 1992.
[23] C. Douligeris, A. Mitrokotsa, DDoS attacks and defense
mechanisms: classification and state-of-the-art, Computer
Networks 44 (5) (2004) 643–666.
[24] S. Haykin, Neural Networks: A Comprehensive Founda-
tion, Predice Hall, Upper Saddle River, NJ, 1994.
Dimitris Gavrilis received the Diploma
in Electrical Engineering from the
University of Patras in 2002. He is
currently a Ph.D. candidate in the
Department of Electrical and Com-
puter Engineering of the University of
Patras. His research interest areas
include computer security, intrusion
detection, pattern recognition and
information extraction.
Evangelos Dermatas is Assistant Pro-
fessor at the Department of Electrical
and Computer Engineering of the
University of Patras, Patras, Hellas.
He received his Diploma and Ph.D.
degrees from the Department of Elec-
trical Engineering of the University of
Patras, Patras, Hellas in 1985 and 1991
respectively. His research interest areas
include: statistical signal processing,
pattern recognition, computer security
and information extraction.