Mohammed Alahmadi, Newcastle University Science Square, United Kingdom

Distributed Denial of Service (DDOS) attacks pose a persistent threat to network security by interrupting server functions. One common DDOS attack is the SYN-flood attack, which targets the three-way handshake process of TCP protocol. This technique overwhelms a system by sending a vast number of SYN messages, thereby exhausting its computational and communicative resources. A visual simulation for this scenario offers deeper insights into the intricacies of the TCP-SYN-flood attack. This paper presents a novel approach that combines TCP protocol anomaly detection with visual analysis through Communication Structured Acyclic nets (CSA-nets). The strategy provides a clear visualisation of attack behaviours, granting a deeper understanding of DDOS patterns and their underlying causes. A new concept of TCCSA-nets is introduced. TCCSA-nets allow elaborating on the system's performance and emphasizing the system's operations in real-time. This approach allows for the classification of messages as abnormal if their dura- tion exceeds a predetermined time limit. Messages within this time frame are considered normal communication. The effectiveness of this approach was tested on public datasets, demonstrating its capability in detecting SYN-flood attacks.

Formal model, modelling, visualising, analysing, cybersecurity, protocols, threshold detection