DARPA Information Survivability Conference and Exposition,

Abstract

This paper summarizes our approach to detecting denial-of-QoS attacks on DiffServ networks. Our approach focuses on quick online detection, scalability to large networks, and a low false alarm rate. Sensors sample QoS metrics at strategic points, and we detect anomalies in the sampled network flow statistics using the $\chi^2$ and EWMA Control Chart test methods. We also use rule-based intrusion detection of SLAs as a complement to these techniques. We have tested our intrusion detection approach using emulation on a testbed, and using simulation. Attacks are detected 100% of the time, and require from under a minute to approximately 15 minutes to detect. The false alarm rate at the sensitivity level used to achieve these detection results is less than 1%. These results make our work a strong candidate for deployment.
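A textbook EWMA control chart run over sampled QoS values, as an added example that is not the paper's own code: the smoothing weight `lam`, the limit multiplier `L` (the sensitivity level) and the per-interval delay samples are constructed assumptions. It shows a small, sustained delay increase that a per-sample 3-sigma threshold never flags but the EWMA statistic does.

```python
import math
import statistics

def ewma_alarms(baseline, samples, lam=0.2, L=3.0):
    """Indices of samples at which the EWMA statistic leaves its control limits.

    baseline: attack-free samples used to estimate the in-control mean and sigma.
    lam:      smoothing weight (assumed value); smaller = longer memory.
    L:        limit width in sigmas (assumed value); larger = fewer false alarms.
    """
    mu0 = statistics.mean(baseline)
    sigma = statistics.stdev(baseline)
    z = mu0                      # EWMA starts at the in-control mean
    alarms = []
    for t, x in enumerate(samples, start=1):
        z = lam * x + (1 - lam) * z
        # Time-varying limit: narrow at start-up, converging to the steady-state width.
        width = L * sigma * math.sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * t)))
        if abs(z - mu0) > width:
            alarms.append(t - 1)
    return alarms

def shewhart_alarms(baseline, samples, L=3.0):
    """Per-sample threshold test, for comparison: flags only large single excursions."""
    mu0 = statistics.mean(baseline)
    sigma = statistics.stdev(baseline)
    return [i for i, x in enumerate(samples) if abs(x - mu0) > L * sigma]

# Constructed data: per-interval mean delay (ms) of one DiffServ class at one sensor.
BASELINE_MS = [10.2, 9.8, 10.1, 9.9, 10.0, 10.3, 9.7, 10.0, 10.1, 9.9]
# Constructed data: normal for three intervals, then delay degraded by about 0.4-0.5 ms.
MONITORED_MS = [10.1, 9.9, 10.0, 10.4, 10.5, 10.4, 10.5, 10.5, 10.4, 10.5]

if __name__ == "__main__":
    print("EWMA alarms at intervals:    ", ewma_alarms(BASELINE_MS, MONITORED_MS))
    print("Shewhart alarms at intervals:", shewhart_alarms(BASELINE_MS, MONITORED_MS))
```

The degradation starts at interval 3 and the EWMA chart first alarms at interval 5; raising `L` trades detection delay for a lower false alarm rate.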