
CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE
Concurrency Computat.: Pract. Exper. 2010; 22:503–517
Published online 23 September 2009 in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/cpe.1499

A microscopic competition model and its dynamics analysis on network attacks

Yang Xiang1, Daxin Tian2,∗,† and Wanlei Zhou3

1 School of Management and Information Systems, Centre for Intelligent and Networked Systems, Central Queensland University, North Rockhampton 4702, Australia
2 School of Management and Information Systems, Central Queensland University, North Rockhampton 4702, Australia
3 School of Information Technology, Deakin University, Burwood 3125, Australia

SUMMARY

Modeling network traffic has been a critical task in the development of Internet. Attacks and defense are prevalent in the current Internet. Traditional network models such as Poisson-related models do not consider the competition behaviors between the attack and defense parties. In this paper, we present a microscopic competition model to analyze the dynamics among the nodes, benign or malicious, connected to a router, which compete for the bandwidth. The dynamics analysis demonstrates that the model can well describe the competition behavior among normal users and attackers. Based on this model, an anomaly attack detection method is presented. The method is based on the adaptive resonance theory, which is used to learn the model by normal traffic data. The evaluation shows that it can effectively detect the network attacks. Copyright © 2009 John Wiley & Sons, Ltd.

Received 30 December 2008; Revised 22 April 2009; Accepted 17 July 2009

KEY WORDS: computer network security; traffic modeling; network attack; DDoS; adaptive resonance theory

∗Correspondence to: Daxin Tian, School of Management and Information Systems, Central Queensland University, North Rockhampton 4702, Australia.

†E-mail: [email protected]

1. INTRODUCTION

The rapid development of Internet has caused an exponential growth in terms of size and complexity of networks in the world. It has been revealed that the network traffic has self-similarity properties in Ethernet traffic [1]. The interest in data collection, measurement and analysis of Internet traffic has been a very active research topic in the high-performance computing and communication field. Many others revealed similar properties in wide-area traffic, signaling traffic, high-speed network traffic and multimedia and video traffic [2–5]. They demonstrated that aggregated traffic in real-world networks has long-range dependence (LRD), and thus indicated the insufficiency of traditional models such as the Poisson-related models. Although the Poisson-related models have been widely used so far, they cannot precisely describe the real characteristics of network traffic. The LRD property of a traffic flow has important implications for the performance, design and dimensioning of networks. It is noted that the higher the self-similarity of the traffic, the more the network performance metrics such as link utilization and throughput are affected [1].

The modeling of Internet traffic represents a critical task in the design of Internet architectures. The best effort services model of current Internet has inherently enabled many serious network attacks, in particular, distributed denial of service (DDoS) attacks [6]. Although recently many network defense systems have been proposed to address this problem, little research has been conducted in modeling the dynamics between the attacks and defense. Huberman and Lukose [7] proved that since each Internet user consumes the bandwidth greedily, the congestion will appear when the bandwidth source cannot support those greedy requirements. The DDoS attacker is also a kind of user who tries to consume all the bandwidth, and thus the normal users cannot access the network. Besides the bandwidth, there are some other parameters, such as TCP/UDP control policies and active queue management mechanisms, which affect the network behavior. Thus, we can build the network competition model based on the bandwidth plus those parameters. Inspired by the social competition phenomenon in the real human society [7], we propose a new microscopic competition model in this paper. The NS2 simulation results prove that this new model can be used to describe the competition behavior among different nodes connected to a router from a microscopic viewpoint. The competition model can help improve the network performance by adjusting bandwidths, transport protocols and active queue management mechanisms for different network nodes when the network is attacked. Based on this traffic model, we present an anomaly attack detection method based on the adaptive resonance theory (ART) [8] neural network. The experiments show that it can effectively detect DDoS attacks.

The remainder of this paper is organized as follows. Section 2 discusses the related work. The microscopic competition model and its dynamics analysis are presented in Section 3. The anomaly attack detection based on the ART neural network is given in Section 4. The experimental results are shown in Section 5. Section 6 concludes this paper.

2. RELATED WORK

The study of network management and control based on the analysis of traffic flow measurements has been a very active research topic. For example, He et al. [9] proposed a scheme which is called TCP with traffic prediction. It presented that the correlation structure in LRD traffic can be detected online and used to predict the future traffic at least one round-trip time ahead. That was realized by using traffic predictors that take into account the LRD characteristics and minimizes the linear mean square errors. The prediction results were then used to infer the optimal operational point at which a TCP connection should operate. Chandramathi and Shanmugavel [10] proposed a fuzzy logic system to predict the real-time cell loss probability for self-similar traffic in ATM networks. All the training data required for the system were computed from the mathematical expressions derived for self-similar ATM traffic models. Based on some traffic traces captured in the framework of the METROPOLIS network monitoring project, paper [11] exhibited the highly oscillating nature of Internet traffic, thus explaining why it is almost impossible nowadays to guarantee a stable quality of service (QoS) over the Internet. Such oscillations provoke a huge decrease in the global network QoS and performance. Karim and Grout [8] introduced an algorithm, called CoLoRaDe, to control the intensity of LRD traffic. Experimental results showed that the CoLoRaDe was capable of reducing the LRD of packet sequences received at the router buffer before they were transmitted to the core network (e.g. the Internet). As the main function of the CoLoRaDe algorithm was to reduce the LRD of traffic, it can contribute in reducing the network load, leading to an improvement in QoS for the future Internet.

Recently, people have experienced a lot of trouble in the Internet services due to various network attacks. For example, in the incidents of DDoS attacks against commercial Web servers such as Yahoo, e-Bay and E-Trade, almost all the computer systems connected to the Internet are exposed to DDoS attacks [12]. One main reason for these kinds of destructions is that the performance of various classes of traffic in the Internet is strongly correlated, and therefore the performance degradation in one class due to an attack may negatively impact the performances of other services as well, therefore leading to several anomalies. One important method to resolve this problem is to understand the dynamics of traffic and its impact on the network elements, analyze network traffic information, and defend against the threats and attacks in networks. For example, paper by Roh and Yoo [13] proposed an aggregate traffic measurement-based detection of network attack symptoms on high-speed Internet backbone links. The proposed method deals with the network attacks from the viewpoints of the aggregate traffic level different from the existing works, in which network attacks were dealt with on the individual packet or flow basis. Multi-Level Tree for Online Packet Statistics (MULTOPS) [14] is a heuristic algorithm and a data structure that the network devices (such as routers) can use to detect and eliminate attacks. In MULTOPS, nodes contain packet rate statistics for subset prefixes at different aggregation levels. These nodes examine the disproportion between to-rate of the network traffic flows to a specific subnet and from-rate of the network traffic flowing from a specific subnet. This method also uses the characteristic of randomness of source IP addresses. When DDoS attacks occur, there comes a big mismatch between to-rate toward the victim and from-rate flowing to the outside from the victim. Paper by Owezarski and Larrieu [15] proposed to use a measurement-based architecture (MBA) suited for dealing with actual non-stationary traffic, as well as traffic disruptions or anomalies.

Traffic models play a significant role in the analysis of network traffic and network performance. Accurate models can provide information about complicated signals and system performance through both analysis and simulation. Several methods for generating pseudorandom self-similar models have been proposed. For example, fractional Brownian motion (FBM) [16] has been broadly used to model fractal random processes, the FBM model is based on Gaussian distribution, which means that there must exist some negative signals. The FARIMA model [17] which is a generalization of the autoregressive integrated moving average process, can capture both short-range dependence and LRD at the same time. In current communication networks, traffic has shown the self-similarity features and characteristics of black and brown noise. The non-stationary signals originate from the complex dynamic behavior of the underlying dynamic systems, which should be best described in terms of some nonlinear differential equation. However, in most cases, the particular differential equation is either completely unknown or very difficult to estimate.


Understanding and solving the performance-related issues of current and future networks requires the availability of realistic, but still simple and manageable traffic models. Currently, researchers have proposed a number of models from single flow models for predicting the throughput of a single flow [18,19] to nonlinear fluid models based on control theory [20]. The emphasis of these models is on network traffic-related characteristics such as the proportion of certain packet types or IP addresses. When the network traffic becomes abnormal (e.g. a sudden increase of TCP packets having SYN flag flowing toward the same destination address could indicate an SYN flood DDoS attack), the network models then identify the attacks. In the following sections, we present our microscopic competition model and its applications on attack detection.

3. THE MICROSCOPIC COMPETITION MODEL

3.1. Basic model

Let throughput (the rate of data successfully delivered) of a link connected to router R be $\lambda$ and its maximum bandwidth (capacity of the link) be $C$. If there is no control mechanism and no bandwidth limit, the throughput will increase according to the input rate. If we define the increase rate of the input data rate as $a$ ($a>0$), then we have

$$\dot{\lambda} = \frac{d\lambda}{dt} = a \qquad (1)$$

If there is active queue management mechanism such as RED [21] in place and the maximum bandwidth is $C$, then

$$\dot{\lambda} = \frac{d\lambda}{dt} = a\lambda\left(1-\frac{\lambda}{C}\right) \qquad (2)$$

where $a$ changes according to $\lambda$. It represents that over a single link without any interference, at each packet arrival epoch, the throughput is updated according to the above differential equation. Now if a router is connected with more than one upstream link and each link has different maximum bandwidths, as shown in Figure 1, then each node will compete for the bandwidth of the downstream link. We define the competition rate (the capability of a link to occupy the overall bandwidth, which is no more than its own bandwidth) as $b$, and $b_{ij}$ as the competition rate from node $i$ to node $j$; $C_i$ is the maximum bandwidth of the node $i$; $\lambda_i$ is the throughput of the node $i$. If there are 2 nodes $A_1$ and $A_2$, for example, then we have the competition model as

$$\dot{\lambda}_1 = a_1\lambda_1\left(1-\frac{\lambda_1+b_{12}\lambda_2}{C_1}\right), \qquad \dot{\lambda}_2 = a_2\lambda_2\left(1-\frac{\lambda_2+b_{21}\lambda_1}{C_2}\right) \qquad (3)$$

If there are $n$ upstream nodes in the system, then the above equation can be written as

$$\dot{\lambda}_i = a_i\lambda_i\left(1-\frac{\lambda_i+\sum_{j=1}^{n} b_{ij}\lambda_j}{C_i}\right) \qquad (4)$$

Figure 1. Network topology with n nodes. Node B is the downstream node. [Diagram labels: A1, An, C1, Cn, R, CB, B.]

3.2. Dynamics analysis

The aim of stability analysis is to find the changing process and the final state of a network in a certain period. For example, on the Internet, some route may be keeping, increasing or decreasing a throughput rate, or fluctuating. The stability analysis of Equation (3) is as follows. Let $X=a_1t$, $\lambda_1=C_1Y_1$, $\lambda_2=C_2Y_2$. We then have

$$\dot{Y}_1 = Y_1(1-Y_1-\sigma_1Y_2), \qquad \dot{Y}_2 = \frac{a_2}{a_1}Y_2(1-Y_2-\sigma_2Y_1) \qquad (5)$$

where $\dot{Y}=dY/dX$, $\sigma_1=b_{12}C_2/a_1C_1$, $\sigma_2=b_{21}C_1/a_2C_2$. The stable points (the stable states after the network running a certain period) of the above equation are $(0,0)$, $(0,1)$, $(1,0)$, and

$$\left(\frac{1-\sigma_1}{1-\sigma_1\sigma_2},\ \frac{1-\sigma_2}{1-\sigma_1\sigma_2}\right)$$

For point $(0,0)$, the linearized equation of (5) is

$$\dot{Z}_1 = Z_1, \qquad \dot{Z}_2 = Z_2 \qquad (6)$$

The determinant of the coefficient matrix of (6) $\Delta=1>0$ and the trace $T=2>0$. Therefore, the model at point $(0,0)$ is unstable.

For point $(0,1)$, the linearized equation of (5) is

$$\dot{Z}_1 = (1-\sigma_1)Z_1, \qquad \dot{Z}_2 = -\frac{a_2}{a_1}\sigma_2Z_1-\frac{a_2}{a_1}Z_2 \qquad (7)$$

Then we have $\Delta=(a_2/a_1)(\sigma_1-1)$, $T=1-\sigma_1-a_2/a_1$. Therefore, the model at point $(0,1)$ is asymptotic stable when $\sigma_1>1$.

For point $(1,0)$, the linearized equation of (5) is

$$\dot{Z}_1 = -Z_1-\sigma_1Z_2, \qquad \dot{Z}_2 = -\frac{a_2}{a_1}\sigma_2Z_2 \qquad (8)$$

Then we have $\Delta=(a_2/a_1)\sigma_2$, $T=-1-a_2/a_1$. Therefore, the model at point $(1,0)$ is asymptotic stable when $\sigma_2>0$.

For point

$$\left(\frac{1-\sigma_1}{1-\sigma_1\sigma_2},\ \frac{1-\sigma_2}{1-\sigma_1\sigma_2}\right)$$

the linearized equation of (5) is

$$\dot{Z}_1 = \frac{\sigma_1-1}{1-\sigma_1\sigma_2}Z_1-\sigma_1\frac{1-\sigma_1}{1-\sigma_1\sigma_2}Z_2, \qquad \dot{Z}_2 = -\frac{a_2}{a_1}\sigma_2\frac{1-\sigma_2}{1-\sigma_1\sigma_2}Z_1+\frac{a_2}{a_1}\frac{\sigma_2-1}{1-\sigma_1\sigma_2}Z_2 \qquad (9)$$

Then we have

$$\Delta=\frac{a_2}{a_1}\frac{(\sigma_1-1)(\sigma_2-1)}{1-\sigma_1\sigma_2}, \qquad T=\frac{(\sigma_1-1)+\frac{a_2}{a_1}(\sigma_2-1)}{1-\sigma_1\sigma_2}$$

Therefore, the model at point

$$\left(\frac{1-\sigma_1}{1-\sigma_1\sigma_2},\ \frac{1-\sigma_2}{1-\sigma_1\sigma_2}\right)$$

is asymptotic stable when $0<\sigma_1<1$ and $0<\sigma_2<1$, or $0<\sigma_1<1$, $\sigma_2>1/\sigma_1$ and $(\sigma_1-1)+(a_2/a_1)(\sigma_2-1)>0$, or $0<\sigma_2<1$, $\sigma_1>1/\sigma_2$ and $(\sigma_1-1)+(a_2/a_1)(\sigma_2-1)>0$.
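A numerical check of this analysis, as an added example that is not the authors' code: it integrates Equation (3) with a Runge-Kutta step and compares the state it settles into with the determinant and trace expressions given for the points (0, 1) and the interior point, reading "determinant positive, trace negative" as asymptotically stable. The capacities are the Figure 4/5 values from Section 5.1; the growth rates a1 = a2 = 1, the competition rates and the starting throughputs are constructed assumptions.

```python
"""Two-node competition model, Equation (3), integrated with classical RK4.

Added example, not the authors' code. Capacities follow the Figure 4/5
setup (C1 = 1, C2 = 4 Mbps); a1 = a2 = 1 and the competition rates
b12, b21 are constructed values.
"""


def derivs(thr, a, b12, b21, cap):
    """Right-hand side of Equation (3) for throughputs thr = (thr1, thr2)."""
    t1, t2 = thr
    return (a[0] * t1 * (1 - (t1 + b12 * t2) / cap[0]),
            a[1] * t2 * (1 - (t2 + b21 * t1) / cap[1]))


def simulate(thr0, a, b12, b21, cap, t_end=200.0, dt=0.01):
    """Integrate Equation (3) from thr0 and return the final throughputs."""
    thr = tuple(thr0)
    for _ in range(int(round(t_end / dt))):
        k1 = derivs(thr, a, b12, b21, cap)
        k2 = derivs(tuple(x + 0.5 * dt * k for x, k in zip(thr, k1)), a, b12, b21, cap)
        k3 = derivs(tuple(x + 0.5 * dt * k for x, k in zip(thr, k2)), a, b12, b21, cap)
        k4 = derivs(tuple(x + dt * k for x, k in zip(thr, k3)), a, b12, b21, cap)
        thr = tuple(x + dt / 6 * (p + 2 * q + 2 * r + s)
                    for x, p, q, r, s in zip(thr, k1, k2, k3, k4))
    return thr


def rescaled_rates(a, b12, b21, cap):
    """The two rescaled competition coefficients defined after Equation (5)."""
    return b12 * cap[1] / (a[0] * cap[0]), b21 * cap[0] / (a[1] * cap[1])


def stability(a, s1, s2):
    """Determinant/trace test at (0, 1) and at the interior point.

    Uses the expressions that follow Equations (7) and (9); a point is
    reported stable when determinant > 0 and trace < 0. Assumes s1*s2 != 1.
    """
    r = a[1] / a[0]
    den = 1 - s1 * s2
    points = {
        "(0,1)": (r * (s1 - 1), 1 - s1 - r),
        "interior": (r * (s1 - 1) * (s2 - 1) / den,
                     ((s1 - 1) + r * (s2 - 1)) / den),
    }
    return {name: det > 0 and tr < 0 for name, (det, tr) in points.items()}


def interior_throughputs(s1, s2, cap):
    """Interior stable point of Equation (5), scaled back by the capacities."""
    den = 1 - s1 * s2
    return cap[0] * (1 - s1) / den, cap[1] * (1 - s2) / den


A = (1.0, 1.0)       # assumed growth rates a1, a2
CAP = (1.0, 4.0)     # C1, C2 in Mbps (normal user A1, attacker A2)
SCENARIOS = {        # constructed (b12, b21) pairs
    "flood": (1.0, 0.1),     # attacker strongly displaces the normal user
    "coexist": (0.2, 0.5),   # weaker displacement, both nodes keep a share
}


def run(name, start=(0.5, 0.05)):
    """Return (stability verdicts, simulated final throughputs) for a scenario."""
    b12, b21 = SCENARIOS[name]
    s1, s2 = rescaled_rates(A, b12, b21, CAP)
    return stability(A, s1, s2), simulate(start, A, b12, b21, CAP)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, *run(name))
```

In the "flood" scenario the normal user's throughput decays to zero while the attacker settles at its full capacity, the (0, 1) outcome; in the "coexist" scenario both throughputs converge to the interior point.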

4. ANOMALY ATTACK DETECTION

In our model proposed above, we can use regression analysis on statistical samples based on real network data to determine the increasing rate a and the competition rate b. However, as network traffic is highly nonlinear, explicitly using the increasing rate a and the competition rate b might not be a good solution to precisely describe real network situations. In this paper, we use an adaptive resonance theory (ART) [8] neural network to do the regression analysis. The main idea is to first train the neural network through traffic data; when the neural network is stable, the neuron weight can be regarded to get the value of the increasing rate a and the competition rate b. Then we can use the stable neural network to represent the model, which can be used to detect the attack behavior. The ART architecture is shown in Figure 2.

Figure 2. The architecture of ART. [Diagram blocks: input matrix, Layer 1 neurons, Layer 2 neurons, orienting subsystem, reset control.]

Layer 1 is trained with outstar rule

$$\varepsilon\frac{dn^1(t)}{dt} = -n^1(t)+({}^{+}b^1-n^1(t))(p+W^{21}a^2(t))-(n^1(t)+{}^{-}b^1)({}^{-}W^1a^2(t)) \qquad (10)$$

$$\frac{dw^{21}_j(t)}{dt} = a^2_j(t)(-w^{21}_j(t)+a^1(t)) \qquad (11)$$

where $n^1$ is the input vector of Layer 1, $a^1$ is the output vector of Layer 1, $a^2$ is the output vector of Layer 2, ${}^{+}b^1$ is the inhibitory bias, ${}^{-}b^1$ is the excitatory bias, $p$ is the input vector, ${}^{-}W^1$ is off-surround pattern, $w^{21}_j$ is the column $j$ of outstar weight matrix $W^{21}$.

In the steady state, the output of Layer 1 will be

$$a^1 = p\cap w^{21}_j \qquad (12)$$

where $\cap$ represents the logical AND operation.

Layer 2 is trained with instar rule

$$\varepsilon\frac{dn^2(t)}{dt} = -n^2(t)+({}^{+}b^2-n^2(t))({}^{+}W^2f^2(n^2(t))+W^{12}a^1)-(n^2(t)+{}^{-}b^2)({}^{-}W^2f^2(n^2(t))) \qquad (13)$$

$$\frac{d({}_iw^{12}(t))}{dt} = a^2_i(t)\left(k({}^{+}b-{}_iw^{12}(t))({}^{+}Wa^1(t))-({}_iw^{12}(t)+{}^{-}b)({}^{-}Wa^1(t))\right) \qquad (14)$$

where $f^2()$ is the transfer function, ${}^{+}W$ is on-center pattern, ${}^{-}W$ is off-surround pattern, $k$ is the learning law parameter.

The steady-state operation of Layer 2 is

$$a^2_i = \begin{cases} 1 & \text{if } ({}_iw^{12})^Ta^1 = \max(({}_jw^{12})^Ta^1) \\ 0 & \text{else} \end{cases} \qquad (15)$$

where $a^2_i$ is the element $i$ of $a^2$, which is the output vector of Layer 2, $w^{12}$ is instar weight matrix, ${}_iw^{12}$ is row vector.


The orienting subsystem will reset Layer 2 if

$$\sum_{i=1}^{s_1}a^1_i \Big/ \sum_{i=1}^{s_1}p_i < \rho \qquad (16)$$

where $\rho$ is called the vigilance parameter.

In the learning algorithm, $s_1$ is the length of input vector, $\zeta$ is learning law parameter.

Step 1: Initialization of the parameters $\rho$ and $\zeta$ (which are decided by the experience), weight matrices $w^{12}$ and $w^{21}$, $w^{12}_{i,j}=\zeta/(\zeta+s_1-1)$; $w^{21}_{i,j}=1$.

Step 2: Get the new input, $a^1=p$.

Step 3: Compute the input to Layer 2, $x=w^{12}a^1$.

Step 4: Rank the elements of $x$ from big to small.

Step 5: Activate the neuron in Layer 2 with the largest input (assume $x_j$ is the largest) and adjust the Layer 1 output, $a^1=w^{21}_j\cap p$.

Step 6: The orienting subsystem determines the degree of match between the expectation and the input pattern

$$a^0 = \begin{cases} 1 & \text{if } \left(\sum_{i=1}^{s_1}a^1_i \Big/ \sum_{i=1}^{s_1}p_i < \rho\right) \\ 0 & \text{else} \end{cases}$$

Step 7: If $a^0=1$, then $x_j=-1$, and return to step 5. If $a^0=0$, then continue with step 8.

Step 8: Update row $j$ of $w^{12}$ and column $j$ of $w^{21}$, ${}_jw^{12}=\zeta a^1/(\zeta+\sum_{i=1}^{s_1}a^1_i-1)$; $w^{21}_j=a^1$.

Step 9: Return to step 2.

The network traffic can be described in formal terms by the time series $a_s$, which represents the counts of packets (also called the ‘arrivals’) for the $s$th time slot of length $T$. This is the time interval over which the flow trace has been originally aggregated and represents the minimum time resolution allowed in the analysis. As such, $a_s$ can also be given the meaning of a flow rate, expressed in the number of packets per time slot [22]. Since the traffic is numeric values, we adopt the Fuzzy ART [23] method to calculate similarly the Euclidean distance as the measure for detecting the network attack symptoms

$$d(x,y)=\left(\sum_{i=1}^{l}|x_i-y_i|^2\right)^{1/2} \qquad (17)$$

The $s$th time slot is a basic unit for traffic measurement. Let $a_s$ be the traffic volume of the traffic measured during $s$th time slot. Let $mT$ be the detection period, which is the time duration that the detection algorithm is applied to. That is, each detection period consists of unoverlapped $m$ consecutive $T$. We also define the traffic volumes measured during the $m$th detection period as the vectors $V_m=[V_T,V_{T+1},\ldots,V_{mT}]$. Then we can use $V_m$ as the input vector to train the neural network.
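The learning loop of Steps 1 to 9 can be exercised on its own, shown here as an added example that is not the authors' code: a binary ART network is trained on windows of normal traffic, and a window is then reported as anomalous when every committed Layer 2 neuron is reset by the vigilance test of Equation (16). The thermometer encoding of packet counts, the levels, the traffic windows and the parameter values are constructed assumptions; the paper itself feeds numeric traffic vectors to a Fuzzy ART variant with the Euclidean distance of Equation (17).

```python
"""ART learning loop (Steps 1-9) used as a novelty detector.

Added example, not the authors' code. The thermometer encoding, packet
levels and traffic windows below are constructed for illustration.
"""

LEVELS = (50, 100, 150, 200)   # constructed packet-count levels per time slot


def encode(window):
    """Binary input vector p: one thermometer-coded group per time slot."""
    return [1 if count >= level else 0 for count in window for level in LEVELS]


class ART1:
    def __init__(self, s1, s2, rho, zeta=2.0):
        self.rho, self.zeta = rho, zeta
        # Step 1: w12 entries start at zeta/(zeta+s1-1), w21 entries at 1.
        self.w12 = [[zeta / (zeta + s1 - 1)] * s1 for _ in range(s2)]
        self.w21 = [[1] * s1 for _ in range(s2)]   # one list per column j
        self.committed = [False] * s2              # neurons that have learned

    def _search(self, p, committed_only=False):
        """Steps 2-7: return (j, a1) for the winner that passes vigilance."""
        if sum(p) == 0:
            return None, None                      # empty input matches nothing
        x = [sum(w * v for w, v in zip(row, p)) for row in self.w12]  # Step 3
        if committed_only:
            x = [v if used else -1.0 for v, used in zip(x, self.committed)]
        while max(x) >= 0:
            j = x.index(max(x))                    # Steps 4-5: largest input
            a1 = [v & w for v, w in zip(p, self.w21[j])]
            if sum(a1) / sum(p) >= self.rho:       # Step 6: no reset, resonance
                return j, a1
            x[j] = -1.0                            # Step 7: reset, search again
        return None, None

    def train(self, p):
        """One pass of Steps 2-8; returns the index of the neuron updated."""
        j, a1 = self._search(p)
        if j is None:
            raise RuntimeError("no Layer 2 neuron available; increase s2")
        n = sum(a1)
        self.w12[j] = [self.zeta * v / (self.zeta + n - 1) for v in a1]  # Step 8
        self.w21[j] = a1
        self.committed[j] = True
        return j

    def is_anomalous(self, p):
        """True when every committed neuron is reset for p (no learning)."""
        return self._search(p, committed_only=True)[0] is None


# Constructed packet counts per slot, four slots per detection period.
NORMAL = [[120, 130, 110, 125], [125, 155, 120, 118],
          [160, 170, 155, 165], [115, 125, 130, 120]]
TEST = [[122, 128, 152, 119],    # ordinary load
        [240, 260, 255, 250],    # flood in every slot
        [120, 250, 245, 125]]    # flood in two of four slots


def alarms(rho):
    """Train on NORMAL with vigilance rho; return indices of flagged TEST windows."""
    net = ART1(s1=len(LEVELS) * 4, s2=8, rho=rho)
    for window in NORMAL:
        net.train(encode(window))
    return [i for i, window in enumerate(TEST) if net.is_anomalous(encode(window))]


if __name__ == "__main__":
    for rho in (0.5, 0.8, 0.9):
        print(rho, alarms(rho))
```

The match ratio in Equation (16) is one-sided: an input whose set bits are a subset of a learned column of w21 always passes, so with this encoding a drop in traffic is not flagged. The choice of vigilance also decides whether the partial flood is caught, which is the same kind of sensitivity the paper reports for its detection threshold.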


5. EXPERIMENTS

5.1. Model simulation

Network simulator ns-2 is used to conduct the experiment for evaluating our competition model. The experiment is based on a 2-node topology. Node A1 is the normal user using TCP protocol and node A2 is the attacker using UDP protocol. We consider the scenario when $C_1+C_2>C_{\text{downstream}}$, which is a likely scenario during a DDoS attack. Both drop-tail and RED mechanisms are simulated. The parameters in Figure 3 are $C_1=4$ Mbps, $C_2=2$ Mbps and $C_{\text{downstream}}=2$ Mbps, respectively. The parameters in Figures 4 and 5 are $C_1=1$ Mbps, $C_2=4$ Mbps and $C_{\text{downstream}}=2$ Mbps, respectively. In Figures 3 and 4, the drop-tail mechanism is enabled. In Figure 5, the RED mechanism is enabled.

Figure 3. Throughputs of nodes A1 and A2 when C1>C2, drop-tail mechanism: (a) node A1 starts first and (b) node A2 starts first. [Plots: Throughput (Packets) versus Time (100 ms); series: TCP (Normal), UDP (Attack).]

Figure 4. Throughputs of nodes A1 and A2 when C1<C2, drop-tail mechanism: (a) node A1 starts first and (b) node A2 starts first. [Plots: Throughput (Packets) versus Time (100 ms); series: TCP (Normal), UDP (Attack).]

From Figure 3 we find that although C1>C2, the attacker node A2 still occupies most of the bandwidth, regardless of whether normal user A1 starts before or after the attacker A2. This reveals that UDP user’s competition rate b is higher than that of the TCP user. From Figure 4 we find that under drop-tail mechanism, the normal user A1 cannot compete with the attacker A2, regardless of whether it occupies the bandwidth before or after the attacker starts. In each case the throughput of node A1 decreases to zero after a certain period of time. The attacker A2 occupies all the bandwidth. In Figure 5, the normal user uses the RED mechanism to control congestion. It shows that although the throughput of node A1 decreases corresponding to the attack from A2, the normal user can still transmit data. This also demonstrates the benefits from the active queue management. The simulation on the model reveals that the model can effectively describe the competition behavior among the network nodes, and the trend on network traffic is concordant with the previous literature.

Figure 5. Throughputs of nodes A1 and A2 when C1<C2, RED mechanism: (a) node A1 starts first and (b) node A2 starts first. [Plots: Throughput (Packets) versus Time (100 ms); series: TCP (Normal), UDP (Attack).]

5.2. Attack detection simulation

The testing environment is shown in Figure 6, where an FTP application is running between Client 0 and Client 3 through a TCP connection with packet size 552; Client 1 and Client 4 build a UDP connection with CBR application, the packet size is 1000 bytes and the time interval between transmissions of packets is 0.1. The attackers Client 2 and Client 5 flood UDP packets to disturb the normal transmission, the transmission interval is 0.001. The normal traffic and traffic under attack are shown in Figure 7, where the data delivery ratio is the number of packets received by the destination to the number of packets sent by the source.

Figure 6. The testing environment. [Diagram labels: Client 0, Client 1, Client 2, Client 3, Client 4, Client 5, Router 1, Router 2.]

Figure 7. The data delivery ratio of normal and attack traffic. [Plot: Data Delivery Ratio versus Time (s); series: traffic under attack, normal traffic.]

From Figure 7 we can find that when attacks happen at time 10–20, 60–70, 100–110, 170–180, 210–220, the delivery ratio is very low. We first use the ART neural network learning the normal traffic, and then use the stable neural network to detect whether an attack is happening. The detection results under different threshold values are shown in Table I. This table shows when the threshold changes, how the system can respond to the attacks. As time is the important factor in all defense systems, our method can indicate the certain time point of alarm.

Table I. Detection results.

Threshold    Alarm points
0.01         20, 80, 120, 180, 200, 220, 240
0.05         20, 80, 120, 180, 220
0.10         20, 80, 120, 180, 220
0.15         20, 80, 120, 180, 220
0.20         20, 80, 120, 180, 220
0.25         20, 80, 120
0.30         80, 120
0.35         none

From Table I we can find that when threshold is 0.01, the method falsely alarms an attack happened at 200 and 240; when threshold is 0.25, the method does not detect the attacks happened during 170–180 and 210–220; when threshold is 0.30, the method does not detect the attacks happened during 10–20, 170–180 and 210–220; when threshold is larger than 0.30, the method cannot detect any attacks.

IDS errors consist of false positive errors and false negative errors. The false positive errors occur because IDS misinterprets normal packets as an attack, the false negative errors occur because an attacker is misclassified as a normal user. With different threshold, the detection error is shown in Figure 8.

Figure 8. The detection false rates. [Plot: Errors Rate versus Threshold; series: False Positive, False Negative, All Errors.]

We find that the performance of the method is sensitive according to intrusion threshold. As the threshold value increases, false positive errors increase, while false negative errors decrease. Since a false negative error is more important in IDS, we focus on the decrease of false negative errors according to the change in the threshold value. In this test, the optimal threshold value is 0.1–0.2.

6. CONCLUSIONS

In this paper we present a traffic competition model which can well describe the dynamics amongthe normal users and attackers. The application of this model is that we use neural network to learnthe model behavior and detect network attacks, in particular, DDoS attacks. From the experimentswe find that the model can effectively detect the network attacks. Future work is needed to findsolutions to define detection thresholds.

REFERENCES

1. Leland WE, Taqqu MS, Willinger W, Wilson DV. On the self-similar nature of ethernet traffic (extended version). IEEE/ACM Transactions on Networking 1994; 2(1):1–15.
2. Paxson V, Floyd S. Wide area traffic: The failure of poisson modeling. IEEE/ACM Transactions on Network 1995; 3:226–344.
3. Beran J, Sherman R, Taqqu MS, Willinger W. Long-range dependence in variable-bit-rate video traffic. IEEE Transactions on Communication 1995; 43:1566–1579.
4. Crovella ME, Bestavros A. Self-similarity in world wide web traffic: Evidence and possible causes. IEEE/ACM Transactions on Network 1997; 5:835–846.
5. Duffy DE, McIntosh AA, Rosenstein M, Willinger W. Statistical analysis of CCSN/SS7 traffic data from working subnetworks. IEEE Journal on Selected Areas in Communications 1994; 12(3):544–551.
6. Xiang Y, Zhou W. Mark-aided distributed filtering by using neural network for DDoS defense. IEEE GLOBECOM, St. Louis, MD, U.S.A., vol. 3, 2005; 1701–1705.
7. Huberman BA, Lukose RM. Social dilemmas and internet congestion. Science 1997; 277(5325):535–537.
8. Rezaul KM, Grout V. CoLoRaDe: A novel algorithm for controlling long-range dependent network traffic. Proceedings of the Sixth International Conference on Networking (ICN 2007), Sainte-Luce, Martinique, 2007; 57–62.
9. He G, Gao Y, Hou JC, Park K. A case for exploiting self-similarity of network traffic in TCP congestion control. Computer Networks 2004; 45(6):743–766.
10. Chandramathi S, Shanmugavel S. Estimation of cell loss probability for self-similar traffic in ATM networks—A fuzzy approach. Applied Soft Computing 2003; 3(2):71–83.
11. Owezarski P, Larrieu N. Internet Traffic Characterization—An Analysis of Traffic Oscillations (Lecture Notes in Computer Science, vol. 3079). Springer: New York, 2004; 96–107.
12. Garber L. Denial-of-service attacks rip the internet. IEEE Computer 2000; 33(4):12–17.
13. Roh B, Yoo SW. A novel detection methodology of network attack symptoms at aggregate traffic level on high speed internet backbone links. Proceedings of the International Conference on Telecommunications, Fortaleza, Brazil, 2004; 1226–1235.
14. Gil TM, Poletto M. MULTOPS: A data-structure for bandwidth attack detection. Proceedings of the 10th USENIX Security Symposium, Washington, DC, U.S.A., 2001; 23–38.
15. Owezarski P, Larrieu N. Measurement based approach of congestion control for enforcing a robust QoS in the Internet. Proceedings of the International Conference on Internet Surveillance and Protection, Cote d’Azur, France, 2006; 1–6.
16. Riedi R, Crouse MS, Ribero V, Baraniuk RG. A multifractal wavelet model with application to network traffic. IEEE Transactions on Information Theory 1999; 45(3):992–1018.
17. Hosking JRM. Modeling persistence in hydrological time series using fractional differencing. Water Resources Research 1984; 20:1898–1908.
18. Tinnakornsrisuphap P, La RJ. Asymptotic behavior of heterogeneous TCP flows and RED gateway. IEEE/ACM Transactions on Networking 2006; 14(1):108–120.
19. Altman E, Avrachenkov K, Barakat C. A stochastic model of TCP/IP with stationary random losses. IEEE/ACM Transactions on Networking 2005; 13(2):356–369.
20. Misra V, Gong W, Towsley D. Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED. ACM SIGCOMM, Stockholm, Sweden, 2000; 151–160.
21. Floyd S, Jacobson V. Random early detection gateways for congestion avoidance. IEEE/ACM Transactions on Networking 1993; 1(4):397–413.
22. Giorgi G, Narduzzi C. Rate-interval curves—A tool for the analysis and monitoring of network traffic. Performance Evaluation 2008; 65:441–462.
23. Carpenter GA, Grossberg S, Markuzon N, Reynolds JH, Rosen DB. Fuzzy ARTMAP: A neural network architecture for incremental supervised learning of analog multidimensional maps. IEEE Transactions on Neural Networks 1992; 3(5):698–713.