Abstract:
This paper proposes a novel detection scheme against SYN Flooding attacks. The core detection mechanism is based on the protocol behavior of TCP SYN-FIN(RST) pairs: it monitors the balance between SYN and FIN(RST) packets in incoming TCP traffic and uses the non-parametric CUSUM algorithm to detect changes in the difference between the number of SYN and FIN(RST) packets. The algorithm does not require a detailed model of normal and attack traffic. It can improve detection accuracy and the speed of on-line detection while reducing computing overhead.
Key words:
SYN Flooding attack; CUSUM algorithm; Stub networks; Threshold
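An illustration of the detection idea described in the abstract, added here and not taken from the paper: a non-parametric CUSUM statistic accumulated over per-interval SYN and FIN(RST) counts. The normalization by a running FIN(RST) average, the class and function names, and the values of ALPHA, OFFSET and THRESHOLD are assumptions; the sample counts are constructed.

```python
# Added example: non-parametric CUSUM over SYN vs FIN(RST) counts.
# ALPHA, OFFSET and THRESHOLD are assumed values, not taken from the paper.
from dataclasses import dataclass

ALPHA = 0.9       # assumed EWMA memory for the average FIN(RST) count
OFFSET = 0.35     # assumed upper bound on the normal normalized difference
THRESHOLD = 1.0   # assumed alarm threshold on the CUSUM statistic


@dataclass
class SynFinCusum:
    fin_avg: float = 0.0   # running average of FIN(RST) packets per interval
    y: float = 0.0         # CUSUM statistic y_n = max(0, y_{n-1} + x_n - OFFSET)
    primed: bool = False

    def update(self, syn: int, fin_rst: int) -> bool:
        """Feed one observation interval; return True if the alarm is raised."""
        if not self.primed:
            self.fin_avg, self.primed = float(max(fin_rst, 1)), True
        # Normalize by the baseline so one OFFSET fits different traffic volumes.
        x = (syn - fin_rst) / max(self.fin_avg, 1.0)
        self.y = max(0.0, self.y + x - OFFSET)
        alarm = self.y > THRESHOLD
        if not alarm:
            # Only learn the baseline from intervals not flagged as attack.
            self.fin_avg = ALPHA * self.fin_avg + (1 - ALPHA) * fin_rst
        return alarm


def first_alarm(intervals):
    """Return the index of the first interval that raises the alarm, or None."""
    det = SynFinCusum()
    for i, (syn, fin_rst) in enumerate(intervals):
        if det.update(syn, fin_rst):
            return i
    return None


# Constructed sample counts (SYN, FIN+RST) per interval; not measured data.
NORMAL = [(100, 98), (105, 101), (97, 99), (110, 104), (102, 100), (99, 97)]
BURST = [(100, 98), (180, 100), (100, 100), (99, 101)]  # one noisy interval
FLOOD = NORMAL + [(160, 101), (165, 99), (170, 100), (175, 98)]

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("burst", BURST), ("flood", FLOOD)):
        print(name, first_alarm(data))
```

With these constructed inputs the single 180-SYN burst decays without an alarm, while the sustained imbalance of 160 to 175 SYNs per interval accumulates and crosses the threshold on its fourth interval.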
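Abstract: A new detection method is proposed for the highly damaging SYN Flooding attack. The method monitors the balance between SYN packets and FIN(RST) packets in TCP traffic entering the network, and uses the non-parametric cumulative sum (CUSUM) algorithm to detect changes in the balance between the numbers of SYN and FIN(RST) packets. The method does not require a detailed model of normal and attack traffic; it can improve detection accuracy and on-line detection speed and reduce computing overhead.
Key words:
SYN Flooding attack; CUSUM algorithm; Stub networks; Threshold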
CHENG Jun, LIN Bai, LU Jianzhi, LI Ou. Detection of SYN Flooding Attacks Based on Non-parametric CUSUM Algorithm[J]. Computer Engineering, 2006, 32(2): 159-161.