An unknown input sliding observer for anomaly detection in TCP/IP networks

Sandy Rahmé, Yann Labit, Frédéric Gouaisbaut
CNRS; LAAS; 7, avenue du Colonel Roche, F-31077 Toulouse, France
Université de Toulouse; UPS, INSA, INP, ISAE; LAAS; F-31077 Toulouse, France
{srahme, ylabit, fgouaisb}@laas.fr

Abstract—This paper deals with the issue of anomaly detection in TCP/IP networks based on a control theory approach. Starting from a previously developed sliding mode observer, an improvement of the anomaly detection and reconstruction is proposed. More specifically, the ability to distinguish false/true positives and false/true negatives within a prescribed finite time is ensured by the design of an unknown input observer combined with low pass filters. A high Quality of Service (QoS) is thus guaranteed to the network. To illustrate the proposed method, a network topology is tested via Simulink as well as via the Network Simulator NS-2. Finally, a detailed analysis of the results confirms the improvement brought to the detection of an anomaly flowing through the network.

I. INTRODUCTION

Nowadays, anomaly detection draws the attention of the network community. Network anomalies typically refer to circumstances in which network operations deviate from normal network behavior. Detecting anomalies that disrupt the normal delivery of network services, such as malfunctioning network devices, network overload, flash crowds, worms, port scans, risky internal user behavior, (distributed or not) Denial of Service attacks (DDoS), network intrusions, etc., has become a key issue for the network community. Regardless of whether the anomalies are malicious or legitimate, it is important to analyze them: they can create congestion in a router and significantly reduce the QoS, and some of them can have a dramatic impact on a whole network. Anomaly detection techniques can be categorized into Intrusion Detection Systems (IDS) and Anomaly Detection Systems (ADS). Intrusion Detection Systems use patterns of well-known attacks to identify known intrusions. The signature detection paradigm can accurately and efficiently detect instances of known attacks, but its main disadvantage is its inability to detect "zero-day" (unknown) attacks. Statistical profiles of the traffic can also be used, but current statistical approaches are mainly limited to first order statistics (average and standard deviation). The very strong natural variability of the traffic [1] produces strong fluctuations of these measurements, inducing very high levels of false positives (false alarms) and false negatives (missed detections), which are the most critical problem in detection. Recent studies take into account a richer form of the statistical traffic structure (correlation, spectral density, ...); see [2], [3], [4], [5], [6] and references therein. An Anomaly Detection System is "only" concerned with activities that deviate significantly from normal network operations. While an IDS looks mainly for a misuse signature,

the ADS looks for a strange event that leads to unapproved network changes. The construction of such detectors starts by creating a model of what constitutes normal behavior for the observed network, and then deciding at what level an activity must be flagged as abnormal. The main advantage of anomaly detection is that it does not require prior knowledge of intrusions and can thus detect new ones. In this paper we address the anomaly detection issue with a control theory approach. This framework has barely been adopted so far: in [7] an oversimplified model is employed to construct a flatness-based observer, and in [8] a sliding mode observer is proposed. This work, related to the ADS paradigm, is based on a simplified model [9] describing the average dynamics of the TCP network. After ensuring that the congestion window size and the queue length at the router are well estimated, we propose to reconstruct an anomaly flowing in the network. As in our previous work [8], a sliding mode observer is chosen for its design simplicity and its robustness with respect to parameter variations and perturbations. In control theory, observers based on variable structure systems have been widely studied [10], [11], [12], [13], [14]. This work, an extension of [8], proposes a higher order filter for anomaly detection and reconstruction. This filter improves the reactivity of the detector to the anomaly and induces fewer false positives and false negatives. The paper is organized as follows. Section II introduces the problem statement, a TCP network composed of a single router and several homogeneous sources, and briefly reviews the sliding mode observer designed previously. In Section III, a network topology is tested via Simulink, and the efficiency of high order low pass filters in detecting and estimating anomalies is studied.
Section IV presents simulation results via NS-2 based on the sliding mode observer associated with various types of AQM. The different filters are then comparatively analyzed for anomaly estimation.

II. OBSERVING TCP NETWORKS

In this paper, a network topology consisting of N homogeneous sources connected to a destination through a router is considered. As in our previous work [8], the simplified fluid flow model of TCP networks developed in [9] is used. It is described by the following nonlinear differential equations:

$$\begin{cases}
\dot W(t) = \dfrac{1}{R(t)} - \dfrac{W(t)\,W(t-h)}{2\,R(t-R(t))}\,p(t-R(t)) \\[2mm]
\dot q(t) = \dfrac{W(t)}{R(t)}\,N - C + d(t) \\[2mm]
R(t) = \dfrac{q(t)}{C} + T_p
\end{cases} \qquad (1)$$

where W is the TCP congestion window size [packets], q is the queue length of the router buffer [packets] and R(t), the round trip time (RTT) [s], is a function of the link capacity C [packets/s] and the propagation delay T_p [s]. N represents the number of TCP sources (load factor). The variable p is the dropping probability of a packet entering the buffer queue. The signal d(t) represents additional traffic at the router level and thus models a distributed anomaly in the TCP network. In this article, it is assumed that d(t) is bounded by an upper bound d_max. The design of an observer for system (1) using a control theory approach requires linearization and some simplification of the model [15]. Linearizing the fluid-flow TCP system around the equilibrium point

$$W_0^2\,p_0 = 2, \qquad W_0 = \frac{R_0 C}{N}, \qquad R_0 = \frac{q_0}{C} + T_p \qquad (2)$$

yields the time-delay system

$$\begin{cases}
\dot x(t) = A\,x(t) + A_d\,x(t-h) + B\,u(t-h) + B_d\,d(t) \\
x_0(\theta) = \phi(\theta), \quad \theta \in [-h, 0]
\end{cases} \qquad (3)$$

where

$$A = \begin{bmatrix} -\dfrac{N}{R_0^2 C} & -\dfrac{1}{R_0^2 C} \\[2mm] \dfrac{N}{R_0} & -\dfrac{1}{R_0} \end{bmatrix}, \qquad
A_d = \begin{bmatrix} -\dfrac{N}{R_0^2 C} & \dfrac{1}{R_0^2 C} \\[2mm] 0 & 0 \end{bmatrix}, \qquad
B = \begin{bmatrix} -\dfrac{R_0 C^2}{2N^2} \\[2mm] 0 \end{bmatrix}, \qquad
B_d = \begin{bmatrix} 0 \\ 1 \end{bmatrix},$$

$x(t) = \begin{bmatrix} \delta W(t) \\ \delta q(t) \end{bmatrix}$ is the state vector and $u(t) = \delta p(t)$ the input. It is assumed that the dropping probability p(t) is provided by an appropriate AQM. We aim at designing a sliding mode observer for system (3). Recalling the work of [8], the main idea of a sliding observer is to force the error between the state of the system and the state of the observer to converge to a predefined manifold called the "sliding surface". On this manifold, faults, or anomaly traffic in the case of a TCP network, can be detected from the equivalent discontinuous injection signal by means of a low pass filter [10]. First of all, it is assumed that q(t) is measured and system (3) is rewritten as:

$$\begin{cases}
\dot x_1(t) = M\,x_1(t) + M_d\,x_1(t-h) + D\,y(t) + D_d\,y(t-h) + E_d\,u(t-h) \\
\dot y(t) = G\,x_1(t) + H\,y(t) + d(t)
\end{cases} \qquad (4)$$

where

$$M = M_d = -\frac{N}{R_0^2 C}, \quad D = -\frac{1}{R_0^2 C}, \quad D_d = \frac{1}{R_0^2 C}, \quad E_d = -\frac{R_0 C^2}{2N^2}, \quad G = \frac{N}{R_0}, \quad H = -\frac{1}{R_0},$$

so that the measured part y(t) = δq(t) of the state vector is separated from the unknown part x_1(t) = δW(t). As demonstrated in [16], the sliding motion is less restricted on a known than on a partially known state. For the model (4), a sliding mode observer can be designed as:

$$\begin{cases}
\dot{\hat x}_1(t) = M\,\hat x_1(t) + M_d\,\hat x_1(t-h) + D\,y(t) + D_d\,y(t-h) + E_d\,u(t-h) \\
\dot{\hat y}(t) = G\,\hat x_1(t) + H\,y(t) + L\,(\hat y(t) - y(t)) + \nu
\end{cases} \qquad (5)$$

where L is the linear gain of the observer and ν a discontinuous function defined as:

$$\nu = \begin{cases} -k\,\mathrm{sign}\big(p_y\,(\hat y(t) - y(t))\big), & \text{if } \hat y(t) \neq y(t), \\ 0 & \text{otherwise.} \end{cases} \qquad (6)$$

The error dynamics with respect to (4) are then governed by the equations:

$$\dot e_x(t) = M\,e_x(t) + M_d\,e_x(t-h) \qquad (7a)$$
$$\dot e_y(t) = G\,e_x(t) + L\,e_y(t) + \nu - d(t) \qquad (7b)$$

where e_x(t) = x̂_1(t) − x_1(t) and e_y(t) = ŷ(t) − y(t). Note that (7a) depends neither on d(t) nor on ν: the estimation error on the congestion window converges on its own, whatever the anomaly, which is what makes the equivalent injection a clean copy of d(t) below. In order to prove the stability of the sliding observer, we propose the following theorem.

Theorem 1: Given scalars p_y > 0, L < 0 and an appropriate discontinuous function ν defined by (6), the system (7) is asymptotically stable for all delays h > 0.

Proof: see [8].

Once the stability of the observer is guaranteed, i.e. the sliding motion has been achieved so that e_y = ė_y = 0, equation (7b) becomes 0 = G e_x(t) + ν_eq − d(t). The equivalent control ν_eq(t) converges to d(t) once e_x has converged to zero [17]. Since ν(t) switches at (ideally) infinite frequency, low pass filters, and more precisely high order ones, can reconstruct the anomaly traffic from it [10]. In the following sections, we present a comparative analysis of the anomaly estimates obtained with a first order filter and with a third order one, via Simulink and via the Network Simulator NS-2 [18].
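The observer and filter chain of equations (4) to (7) can be exercised numerically. The following Python script is an added example, not code from the paper: it Euler-integrates the linearized plant (4) driven by a square anomaly pulse, runs the observer (5) with the injection (6), and feeds ν into a first order filter (τ = 15 s) and a third order filter ((1+τs)^-3, τ = 2 s), the two filters compared in Sections III and IV. Assumed, because the page does not state them: the linearization point q_0 = 175 packets (the NS-2 reference queue length), L = −1, k = 200, p_y = 1, an Euler step of 1 ms, and u(t) = δp(t) held at zero, i.e. no AQM feedback around the equilibrium; the 40 packets/s pulse is a constructed input. N, C and T_p are those of Section III.

```python
"""Sliding-mode observer (5)-(6) on the linearised TCP/AQM model (4), with the
anomaly d(t) reconstructed by low-pass filtering the discontinuous injection.
Added example, not code from the paper."""
import math

# Equilibrium (2) with the Simulink set-up of Section III (N, C, Tp) and,
# as an assumption, q0 = 175 pkts (the NS-2 reference queue length).
N, C, TP, Q0 = 60, 3750.0, 0.2, 175.0
R0 = Q0 / C + TP                     # equilibrium RTT [s]
M = MD = -N / (R0 ** 2 * C)          # delta-W: own and delayed term
D, DD = -1.0 / (R0 ** 2 * C), 1.0 / (R0 ** 2 * C)   # delta-W: queue terms
ED = -R0 * C ** 2 / (2 * N ** 2)     # delta-W: gain on delta-p(t - h)
G, H = N / R0, -1.0 / R0             # delta-q dynamics
HDELAY = R0                          # delay h = R0


def simulate(t_end=120.0, dt=1e-3, t_on=20.0, t_off=80.0, d_amp=40.0,
             L=-1.0, k=200.0, py=1.0, tau1=15.0, tau3=2.0, x1hat0=0.1,
             every=100):
    """Euler integration of plant (4), observer (5)-(6) and the two filters.

    Returns sampled series: t, d (real anomaly), ex (observer error on
    delta-W), f1 (first-order filter, tau1) and f3 ((1+tau3 s)^-3 filter).
    Assumptions: the AQM correction u = delta-p is held at 0 (no feedback),
    so the plant runs open loop around the equilibrium; d(t) is a square
    pulse of amplitude d_amp on [t_on, t_off).
    """
    nd = int(round(HDELAY / dt))         # delay in integration steps
    steps = int(round(t_end / dt))
    x1 = [0.0] * (steps + 1)             # plant delta-W, initial function phi = 0
    y = [0.0] * (steps + 1)              # measured delta-q
    x1h = [x1hat0] * (steps + 1)         # observer delta-W (constant initial function)
    yh, f1, s = 0.0, 0.0, [0.0, 0.0, 0.0]
    out = {"t": [], "d": [], "ex": [], "f1": [], "f3": []}
    for i in range(steps):
        t = i * dt
        d = d_amp if t_on <= t < t_off else 0.0
        j = max(i - nd, 0)               # delayed sample (initial function before t=0)
        u_d = 0.0                        # delta-p(t - h): no AQM action (assumption)
        # plant (4)
        x1[i + 1] = x1[i] + dt * (M * x1[i] + MD * x1[j] + D * y[i] + DD * y[j] + ED * u_d)
        y[i + 1] = y[i] + dt * (G * x1[i] + H * y[i] + d)
        # observer (5) with the discontinuous injection (6)
        ey = yh - y[i]
        nu = 0.0 if ey == 0.0 else -k * math.copysign(1.0, py * ey)
        x1h[i + 1] = x1h[i] + dt * (M * x1h[i] + MD * x1h[j] + D * y[i] + DD * y[j] + ED * u_d)
        yh += dt * (G * x1h[i] + H * y[i] + L * ey + nu)
        # reconstruction: the average of nu tends to d(t) once ex -> 0;
        # a first-order stage and a cascade of three identical stages recover it
        f1 += dt / tau1 * (nu - f1)
        s[0] += dt / tau3 * (nu - s[0])
        s[1] += dt / tau3 * (s[0] - s[1])
        s[2] += dt / tau3 * (s[1] - s[2])
        if i % every == 0:
            out["t"].append(t)
            out["d"].append(d)
            out["ex"].append(x1h[i] - x1[i])
            out["f1"].append(f1)
            out["f3"].append(s[2])
    return out


def first_time_at_least(res, key, level, t_from=0.0):
    """First sampled time >= t_from at which res[key] reaches `level`, else None."""
    for t, v in zip(res["t"], res[key]):
        if t >= t_from and v >= level:
            return t
    return None


def value_at(res, key, t):
    """Sampled value of res[key] at the last sample time <= t."""
    idx = max(i for i, ti in enumerate(res["t"]) if ti <= t)
    return res[key][idx]


if __name__ == "__main__":
    r = simulate()
    print("95% level, first-order filter, reached at t =", first_time_at_least(r, "f1", 38.0, 20.0))
    print("95% level, third-order filter, reached at t =", first_time_at_least(r, "f3", 38.0, 20.0))
    print("residual estimates at t = 110 s:", value_at(r, "f1", 110.0), value_at(r, "f3", 110.0))
```

The script prints the instant at which each filtered estimate first reaches 95% of the pulse amplitude after its onset at 20 s, and the two residual estimates 30 s after the pulse has ended. With the values above the third order output reaches that level roughly 12.5 s after the onset and has decayed to almost zero at 110 s, whereas the first order output needs about 45 s to rise and is still around 5 packets/s at 110 s: this residual is the false positive persistence quantified in Section III, and the slow rise is its false negative counterpart.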

[Fig. 1: Network configuration. Sources 1 to 60 are connected through 15 Mbps / 50 ms links to the router, which runs the AQM (regulation) and the observer OBS (detection); the router is connected to the receiver by a 15 Mbps / 50 ms link; the distributed anomaly flows are injected at the router.]

[Fig. 2: Constant and variable bit rate anomalies estimation. (a) First order filter; (b) Third order filter. Each panel plots d(t) real/estimated (pkts/s), from −10 to 50, versus Time (s), over 0–3500 s (left) and 1000–6000 s (right).]

III. SIMULINK VALIDATION

A. Network topology

In the following, the nonlinear time-delay model of the TCP network (1) is considered with N = 60 TCP sources, C = 3750 packets/s, and T_p = 0.2 s. Figure 1 shows the network topology adopted. The observer is designed to estimate the congestion window of the TCP network using, as inputs, the current and delayed measured values of the queue length at the router and the dropping probability of a packet. The latter quantity can be obtained at the router level, depending on the AQM adopted. Using Simulink, several AQMs associated with the proposed monitoring scheme can be simulated. In the case of Figure 1, we have chosen the state feedback based AQM developed in [19]. Nevertheless, this architecture can also be used with other AQMs, as we show in the next section dedicated to NS-2 simulations. Since the only assumption made in the observer design is a known upper bound on the anomaly amplitude, a large class of anomalies can be detected. Assuming the convergence of the observer, anomalous traffic d(t) with constant and variable bit rate is considered.

The network is tested with periodic anomalies whose amplitude varies from one interval (ON-period) to another, as shown in Figure 2. The shape of these anomalies is justified by the work in [20], which relied on real (D)DoS tools such as Trinoo [21] and TFN2K [22] and on experiments with them [20], so as to stay as close as possible to existing software. The anomaly's ON-period is 5 minutes and its OFF-period 1 minute. The analysis of the detection mechanism, as well as of the convergence time required to reach the ideal anomaly values, is presented below for both the first order and the third order low pass filter.

B. Results analysis

After simulating with low pass filters of different orders, the third order filter was the first one able to reduce the chattering phenomenon while detecting anomalies without losing their real shape. From the comparative graphs presented in Figure 2, we can see that the third order filter achieves a higher detection speed and smoother oscillations than the first order filter for the proposed anomaly shapes. With this high order filter, the estimate is very close to the ideal anomaly shape.

Before going further into the analysis of the graphs, let us recall that the detection mechanism supposes an ideal sliding mode observation, i.e. the estimation of the state formed by the congestion window and the queue length of the router. When the state of the anomaly changes, the system dynamics (7) converge to the sliding surface in finite time. More specifically, using the techniques developed in [8], the stability of the state error (7a) is ensured within 5 s. Then the output error (7b) is stabilized within

$$t_{conv_{e_y}} = \frac{2\sqrt{P_y}}{\beta}\,\big|e_y(t_0)\big|$$

where t_0 is the time at which the anomaly appears in the ON-period or returns to zero in the OFF-period, and $\beta = 2\sqrt{P_y}\,\big(k - G\,|e_x|_{max} - d_{max}\big)$, which is positive as soon as the injection gain k exceeds $G\,|e_x|_{max} + d_{max}$, is obtained such that the Lyapunov function V(t) of the output error satisfies $\dot V(t) < -\beta\sqrt{V(t)}$, which guarantees the finite-time stability of e_y. The state error e_x is asymptotically stable, thus bounded by |e_x|_max, and d_max is the upper bound of d(t). With the values of our experiments, the stabilizing time of e_y is at most 0.6 s. Once the observation mechanism is maintained, the low pass filter has the major effect on the convergence rate of the anomaly reconstruction. We must note that the chattering phenomenon is intrinsic to sliding mode control and observation: it consists of persistent oscillations around the sliding surface. Therefore, in our experiments, the estimation curves show high frequency oscillations around their mean values. It is worth noticing that the amplitude and frequency of these oscillations depend strongly on the choice of the sampling period. To approximate the convergence time, one solution is to consider the first time at which the oscillations join the real anomaly shape. In other words, we can fix a threshold above (respectively below) which the anomaly is considered as well estimated in the anomaly's ON-period (respectively OFF-period). In this paper, our main purpose is to protect the network from an anomaly flowing through it and to reconstruct its shape as faithfully as possible. For the reconstruction, we are interested in defining, within the anomaly's ON-period, the time t_on required to start recovering the real anomaly shape. For the prevention purpose, an alarm system associated with the low pass filter is triggered whenever the estimated anomaly is positive. Taking into consideration the threshold fixed in the anomaly's OFF-period, the alarm system must be designed to report anomalies higher than this threshold.
In order to study the effectiveness of the alarms raised by the anomaly detector, we are interested in calculating, within the anomaly's OFF-period, the instant t_off from which we guarantee the absence of an anomaly, hence the absence of false positives. Let us analyze these mechanisms of detecting and reconstructing the anomaly for each low pass filter.

a) First order low pass filter: Consider a first order filter with time constant τ. Since its output has an exponential form, t_on and t_off are defined by the following equations:

$$t_{on} = t_{conv} + 3\tau$$
$$t_{off} = t_{conv} - \tau\,\log\left(\frac{thresh_{off}}{\hat d(t_{0off})}\right) \qquad (8)$$

The convergence time of the observer t_conv is taken into account each time the anomaly varies. In the equation for t_on, 3τ is the approximate time taken by the filter to reach 95% of the real anomaly. In t_off, thresh_off is the threshold fixed in the OFF-period and $\hat d(t_{0off})$ is the estimated anomaly at t_0off, the time at which the real anomaly disappears. In our simulations, taking τ = 15 s, we find from (8) that t_on = t_conv + 45 s, i.e. higher than 45 s. Besides, for thresh_off = 0.1 packets/s and $\hat d(t_{0off})$ = 5 packets/s, t_off − t_conv = 58.68 s. In other words, for an estimate still at 5 packets/s when the anomaly disappears, the anomaly detector keeps raising false positives for almost one minute, and for $\hat d(t_{0off})$ = 10 packets/s, false alarms remain for t_off − t_conv = 69 s. These durations can also be seen in Figure 2(a). The detection and reconstruction of anomalies are thus very slow, especially in comparison with the convergence time of the sliding mode observer. As a result, the anomaly estimate obtained with the first order filter is not satisfactory.

b) Third order low pass filter: Consider a third order filter with transfer function $\dfrac{1}{(1+\tau s)^3}$ and time constant τ = 2 s; its step response is again a combination of exponentials. The anomaly reconstruction and detection times (t_on and t_off) within the ON- and OFF-periods are then respectively of the form:
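The filter-delay bookkeeping of equation (8) can be carried out for an arbitrary filter order. The Python below is an added example, not the paper's code, and generalizes beyond the first order case: the unit step response of $1/(1+\tau s)^n$ is $1 - e^{-t/\tau}\sum_{k<n}(t/\tau)^k/k!$, so t_on (time to reach 95% of the real amplitude) and t_off (time for the decaying estimate, started at $\hat d(t_{0off})$, to fall under thresh_off) are obtained by solving that response for t, by bisection since the response is monotone. With n = 1 and τ = 15 s it returns the first order values of this paragraph (t_on − t_conv ≈ 44.9 s, which 3τ rounds to 45 s; t_off − t_conv = 58.68 s and 69.08 s); with n = 3 and τ = 2 s it gives the times of the third order filter treated next. The function names and the bisection bracket are the example's own choices, and t_conv is passed in as a parameter because the page only bounds it.

```python
"""Detection and reconstruction delays of an n-th order low-pass filter
1/(1 + tau s)^n driven by the equivalent injection (equation (8) of the paper,
generalised to any order).  Added example, not the paper's code."""
import math


def step_response(t, tau, n):
    """Unit step response of 1/(1 + tau s)^n at time t >= 0 after the step.

    Closed form for a cascade of n identical first-order stages:
    1 - exp(-t/tau) * sum_{k<n} (t/tau)^k / k!
    """
    x = t / tau
    return 1.0 - math.exp(-x) * sum(x ** k / math.factorial(k) for k in range(n))


def time_to_level(level, tau, n, t_max=1e4):
    """Smallest t with step_response(t, tau, n) >= level, found by bisection.

    The response is monotone increasing, so bisection on [0, t_max] is exact
    up to floating-point resolution.  t_max is the example's own bracket.
    """
    lo, hi = 0.0, t_max
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if step_response(mid, tau, n) >= level:
            hi = mid
        else:
            lo = mid
    return hi


def t_on(tau, n, t_conv=0.0, fraction=0.95):
    """Time after the anomaly appears until the estimate reaches `fraction`
    of the real amplitude: observer convergence plus filter rise time."""
    return t_conv + time_to_level(fraction, tau, n)


def t_off(tau, n, d_hat0, thresh, t_conv=0.0):
    """Time after the anomaly disappears until the estimate, decaying from
    d_hat0, drops below `thresh`.  False positives persist until then.

    The decaying output is d_hat0 * (1 - step_response(t)), so the threshold
    is crossed when step_response(t) reaches 1 - thresh / d_hat0.
    """
    return t_conv + time_to_level(1.0 - thresh / d_hat0, tau, n)


if __name__ == "__main__":
    # first-order filter, tau = 15 s, as in Section III.B(a)
    print("1st order: t_on =", t_on(15.0, 1), " t_off(5 pkts/s) =", t_off(15.0, 1, 5.0, 0.1),
          " t_off(10 pkts/s) =", t_off(15.0, 1, 10.0, 0.1))
    # third-order filter, tau = 2 s, threshold lowered to 0.01 pkts/s
    print("3rd order: t_on =", t_on(2.0, 3), " t_off(5 pkts/s) =", t_off(2.0, 3, 5.0, 0.01),
          " t_off(10 pkts/s) =", t_off(2.0, 3, 10.0, 0.01))
```

For the first order filter `time_to_level(0.95, 15, 1)` is exactly τ ln 20 ≈ 44.9 s, and `t_off` reduces to −τ log(thresh_off / d̂(t_0off)), i.e. equation (8); the same two calls with n = 3 and τ = 2 s reproduce the third order values of about 12.5 s, 20.8 s and 22.45 s.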

$$0.95 = 1 - \frac{1}{8}\left(8 + 4\,t'_{on} + t'^{\,2}_{on}\right)e^{-t'_{on}/2}, \qquad t'_{on} = t_{on} - t_{conv}$$
$$\frac{thresh_{off}}{\hat d(t_{0off})} = \frac{1}{8}\left(8 + 4\,t'_{off} + t'^{\,2}_{off}\right)e^{-t'_{off}/2}, \qquad t'_{off} = t_{off} - t_{conv} \qquad (9)$$

where t_0on and t_0off are respectively the instants of appearance and disappearance of the anomaly, from which t_on and t_off are counted. As previously, t_on is the time needed for the estimate to reach 95% of the real anomaly. From equation (9), the reconstruction in the ON-period takes about 12.5 s after the observer convergence to recover the real anomaly shape. Figure 2(b) shows that the anomaly estimate correctly follows the ideal one, with a significant reduction of the chattering around the real anomaly shape. These weak oscillations allow us to reduce the threshold in the OFF-period, which gives a more precise detection. Therefore, taking thresh_off = 0.01 packets/s in equation (9), an anomaly whose estimate is 5 packets/s at its disappearance induces false positives for only 20.8 s, and for an estimate of 10 packets/s false positives last 22.45 s. This convergence time analysis of the low pass filters shows that the third order filter yields a valuable estimate via Simulink. Figure 3 shows, for one period of a CBR anomaly with a rate of 5 packets/s, the different types of alarms (false negatives, true positives and false positives) and their durations obtained with the first and third order filters.

IV. NS-2 VALIDATION

The network consists of 60 TCP sources generating long lived TCP flows (FTP connections) to a receiver through a congested router, i.e. a bottleneck. The link bandwidth is fixed to 15 Mbps (corresponding to C = 3750 packets/s). Anomaly traffic is generated by 60 sources injecting packets into the bottleneck. In our simulations, two types of anomaly shapes are introduced in the interval 50–100 s: CBR (Constant Bit Rate) traffic, a UDP protocol in NS, and TBR (Triangular Bit Rate), a protocol that we have implemented to simulate the triangular shape seen before in the Simulink tests. The proposed observer (5) is added in the router to estimate the congestion window, together with the filter reconstructing the anomaly. The observer has been tested with the AQMs RED [23], BLUE [24], PI [15] and Gain-K [19], regulating the queue length of the router to the desired level q_ref = 175 packets, the maximal buffer size being set to 800 packets. The Simulink experiments showed that the third order low pass filter associated with our observer performs better in detecting anomalies than the first order one. In NS-2, Figure 4 confirms that the third order filter detects the presence of an anomaly in the network in a shorter time. Moreover, a faster response to the disappearance of the anomaly is noticed. Besides the convergence rate criterion, the oscillations are reduced by the third order filter, which allows a better tracking of the ideal anomaly and a higher precision in revealing the anomaly profile sent by the sources. From a practical point of view, the graphs in Figure 4 let us deduce the duration during which anomalies are missed by the detector (false negatives) and the persistence of false alarms (false positives). Thus, once the false positives have ended, we can compute the time from which we are totally sure that no more anomaly traffic is flowing.

[Fig. 3: Alarms induced with low pass filters, for one ON/OFF period of a 5 packets/s CBR anomaly (d(t) real/estimated, pkts/s, versus Time (s), 1400–1800 s). (a) First order filter: false negatives 3.14 s, true positives 296.86 s, false positives 55 s. (b) Third order filter: false negatives 1.56 s, true positives 298.44 s, false positives 20 s.]

TABLE I: Persistence of false negatives and positives for CBR traffic (in seconds).

AQM       False negatives               False positives
          1st order    3rd order        1st order    3rd order
          filter       filter           filter       filter
RED       4.41         1.52             13.68        5.04
BLUE      4.56         1.81             22.2         6.14
PI        5.93         1.71             32.55        7.01
Gain-K    5.97         3.28             27.24        8.38

In Tables I and II, we present the durations of the different alarms raised while detecting CBR and TBR anomaly traffic using the first and third order low pass filters, in the presence of different AQMs regulating the queue length of the bottleneck.

TABLE II: Persistence of false negatives and positives for TBR traffic (in seconds).

AQM       False negatives               False positives
          1st order    3rd order        1st order    3rd order
          filter       filter           filter       filter
RED       22.6         15.05            13.3         3.98
BLUE      22.7         12.34            21.5         13.17
PI        22.4         20.39            16.4         11.22
Gain-K    20.06        19.41            13.47        8.44

The numerical values in these tables highlight the efficiency of the third order filter for all the AQMs chosen: for every AQM and both traffic types, the third order filter shortens both the false negative and the false positive periods. Comparing the AQMs, the third order filter performs best in association with RED for CBR traffic (shortest false negative and false positive periods) and for the false positive period of TBR traffic, the only exception being the false negative period of TBR traffic, which is shorter with BLUE. The comparative graphs in Figure 5 show the detection results of the AQMs for each type of anomaly.

V. CONCLUSION

In this paper, we have presented an efficient technique for anomaly detection in TCP/IP networks. The methodology is based on a control theory approach, namely a sliding mode observer. The scheme consists of two parts: 1) improving the anomaly estimation/reconstruction of [8] and 2) distinguishing positives and negatives (false and true ones). A Quality of Service (QoS) is thus guaranteed thanks to the order of the low pass filter. To sum up, our analysis shows that the proposed technique can limit the periods of false positives and false negatives. False negatives are the most dangerous for networks. Our approach is limited by its inability to completely distinguish the anomaly protocols (non-TCP flows only). Besides, during a false negative period, the approach must be considered non-operational. However, our scheme does perform the anomaly estimation in a controlled time: we know exactly when the anomaly detection system is operational again (or not).

[Fig. 4: CBR and TBR detections with different AQMs: (a) RED, (b) BLUE, (c) PI, (d) Gain-K. Each panel plots d(t) [pkts/s], from −2000 to 3000, versus Time [s] over 0–200 s, for the real anomaly, the estimate with the first order filter and the estimate with the third order filter.]

[Fig. 5: Third order low pass filter detections with different AQMs (real, RED, PI, Gain-K): (a) CBR, (b) TBR; d(t) [pkts/s] versus Time [s] over 0–200 s.]

Our simulations via Simulink and NS-2 show that our sliding mode observer for anomaly detection can work together with different Active Queue Management (AQM) mechanisms such as RED, BLUE, PI and Gain-K, under different non-TCP flows (CBR and TBR for example).

REFERENCES

[1] K. Park, G. Kim, and M. Crovella, "On the relationship between file sizes, transport protocols, and self-similar network traffic," in International Conference on Network Protocols, Oct. 1996, p. 171.
[2] A. Hussain, J. Heidemann, and C. Papadopoulos, "A framework for classifying denial of service attacks," in SIGCOMM, Karlsruhe, Germany, Aug. 2003, pp. 99–110.
[3] N. Ye, "A Markov chain model of temporal behavior for anomaly detection," in Proceedings of the 2000 IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, pp. 171–174.
[4] A. Lakhina, M. Crovella, and C. Diot, "Diagnosing network-wide traffic anomalies," in ACM SIGCOMM, Portland, 2004, pp. 219–230.
[5] P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Internet Measurement Workshop, 2002, pp. 71–82.
[6] J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites," in Proceedings of the International World Wide Web Conference, 2002, pp. 252–262.
[7] M. Fliess, C. Join, and H. Mounier, "An introduction to nonlinear fault diagnosis with an application to a congested internet router," Lecture Notes in Control and Information Systems, pp. 327–344, 2005.
[8] S. Rahmé, Y. Labit, and F. Gouaisbaut, "Sliding mode observer for anomaly detection in TCP/AQM networks," to appear in the International Conference on Communication Theory, Reliability, and Quality of Service, CTRQ, 2009.
[9] V. Misra, W. Gong, and D. Towsley, "Fluid-based analysis of a network of AQM routers supporting TCP flows with an application to RED," in ACM SIGCOMM, Aug. 2000, pp. 151–160.
[10] V. Utkin, Sliding Modes in Control and Optimization. Berlin, Germany: Springer-Verlag, 1992.
[11] W. Perruquetti and J.-P. Barbot, Sliding Mode Control in Engineering. New York: Marcel Dekker, Inc., 2002.
[12] C. Tan and C. Edwards, "An LMI approach for designing sliding mode observers," International Journal of Control, vol. 74, pp. 1559–1568, June 2001.
[13] A. Seuret, "Commande et observation des systèmes à retards variables : Théorie et applications" (Control and observation of variable-delay systems: theory and applications), Ph.D. dissertation, Ecole Centrale de Lille, Université des Sciences et Technologie de Lille, Lille I, Oct. 2006.
[14] S. Spurgeon, "Sliding mode observers: a survey," International Journal of Systems Science, vol. 39, pp. 751–764, Aug. 2008.
[15] C. Hollot, V. Misra, D. Towsley, and W. Gong, "Analysis and design of controllers for AQM routers supporting TCP flows," IEEE Transactions on Automatic Control, vol. 47, pp. 945–959, June 2002.
[16] J. Slotine, J. Hedrick, and E. Misawa, "On sliding observers for nonlinear systems," in American Control Conference, 1986, pp. 1794–1800.
[17] C. Edwards, S. Spurgeon, and R. Patton, "Sliding mode observers for fault detection and isolation," Automatica, vol. 36, pp. 541–553, 2000.
[18] E. Altman and T. Jiménez, "NS simulator for beginners," Lecture notes, Dec. 2003, URL: http://wwwsop.inria.fr/maestro/personnel/Eitan.Altman/COURS-NS.
[19] Y. Ariba, Y. Labit, and F. Gouaisbaut, "Network anomaly estimation for TCP/AQM networks using an observer," 3rd ACM International Workshop on Feedback Control Implementation and Design in Computing Systems and Networks, pp. 3818–3823, June 2008.
[20] Y. Labit and J. Mazel, "HIDDEN: Hausdorff distance based intrusion detection approach dedicated to networks," ICIMP 2008, pp. 11–16, July 2008.
[21] D. Dittrich, "The DoS project's trinoo distributed denial of service attack tool," http://staff.washington.edu/dittrich/misc/tinoo.analysis.
[22] TFN2k, http://packetstormsecurity.org/distributed/TFN2k Analysis1.3.txt.
[23] S. Floyd and V. Jacobson, "Random early detection gateways for congestion avoidance," IEEE/ACM Transactions on Networking, vol. 1, pp. 397–413, Aug. 1993.
[24] W.-c. Feng, D. D. Kandlur, D. Saha, and K. G. Shin, "BLUE: A new class of active queue management algorithms," 1999.