Statistical Packet Acceptance Defense Engine

2010 
Abstract— A security engine should detect network traffic attacks at line speed. "Learning" capabilities can help detect new and unknown threats even before a vulnerability is exploited. The principal way of achieving this goal is to model anticipated network traffic behavior and to use this model to identify anomalies. This paper focuses on denial of service (DoS) and distributed DoS (DDoS) attacks. Our goal is to detect and prevent attacks. The main challenges include minimizing the false-positive rate and the memory consumption. SPADE, a Statistical Packet Acceptance Defense Engine, is presented. SPADE is an accurate engine that uses a hierarchical adaptive structure to detect suspicious traffic with a relatively small memory footprint, and can therefore be easily applied in hardware. SPADE is based on the assumption that during DoS/DDoS attacks, a significant portion of the traffic seen belongs to the attack; therefore, SPADE applies a statistical mechanism to primarily filter the attack's traffic.