I. Introduction
Security weaknesses such as the design of Internet protocols, security holes in server systems, and server misconfiguration have given rise to indiscriminate DoS/DDoS attacks. These attacks focus on well-known port numbers such as those of HTTP, DNS and SMTP [1] and cause critical damage to the server system, ultimately leading to leakage of confidential information and system failure. To prevent such system failure or server stoppage, automatic early detection of attacks is required. In addition, if the source IP address is spoofed [2] [3], an automatic detection system that prevents attack packets is difficult to construct.