Proceedings International Conference On Advances In Engineering And Technology
www.iaetsd.in
A Survey on Detecting Denial-of-Service Attacks
Balaji V
M.E. Computer Science and Engineering, Velammal Engineering College, Surapet, Chennai
balaji.venkat90@gmail.com
Dr. V Jeyabalaraja
Professor, Dept. of CSE, Velammal Engineering College, Surapet, Chennai
jeyabalaraja@gmail.com
Abstract—Modern systems such as web servers, database servers and cloud computing environments are now under threat from network attackers. One of the most serious threats is the Denial-of-Service (DoS) attack, which has a severe impact on these computing systems. In this paper, we present a detection mechanism for DoS attacks that uses Multivariate Correlation Analysis (MCA) to characterize network traffic by studying the geometrical correlations between network traffic features. Our MCA-based DoS attack detection mechanism employs the principle of anomaly-based detection in attack recognition, which makes it easier to detect both known and unknown attacks by learning the patterns of legitimate network traffic. Further, a triangle-area-based approach is employed to speed up the MCA process. The proposed system is evaluated using the KDD Cup 99 dataset.
Keywords—Denial-of-Service attack, multivariate correlations, triangle area.
I. INTRODUCTION
Denial-of-Service (DoS) attacks are one type of aggressive and menacing intrusive behavior against online servers. A DoS attack denies the availability of a victim, which can be a host, a router, or an entire network. It imposes a heavy intrusion load on the victim by exploiting a system vulnerability or flooding it with a huge amount of useless packets. The victim can be forced out of service for anywhere from a few minutes to several days. Effective detection of DoS attacks is therefore essential to the protection of online services. DoS attack detection focuses on the development of network-based detection mechanisms. Systems based on these mechanisms reside on a network and monitor the traffic passing through it. This relieves the online servers from monitoring for attacks and ensures that they can dedicate themselves to providing quality service with optimum response delay. Moreover, network-based detection systems are loosely coupled with the operating systems running on the host machines they protect, so configuring this type of detection system is less complicated than configuring a host-based detection system.
Generally, network-based detection systems are classified into two types, namely misuse-based detection systems [1] and anomaly-based detection systems [2]. A misuse-based detection system detects attacks by monitoring network activities and looking for matches with existing attack signatures. In spite of high detection rates for known attacks and low false positive rates, misuse-based detection systems can easily be evaded by new types of attacks and by variants of existing attacks. Furthermore, manual work is needed to keep the signature database updated, because signature generation relies heavily on network security expertise. Anomaly-based detection, by contrast, monitors network activity and flags any activity showing significant deviation from legitimate traffic profiles as suspicious; this principle makes it more promising for detecting intrusions that exploit previously unknown system vulnerabilities. Moreover, it is not constrained by network security expertise, because the profiles of legitimate behavior are developed with techniques such as data mining [3], [4], machine learning, and statistical analysis. However, these proposed systems commonly suffer from high false-positive rates, because the correlations between features/attributes are neglected or the techniques do not manage to fully exploit them. The DoS attack detection system presented in this paper builds on the principles of MCA and anomaly-based detection. The detection mechanism provides accurate characterization of traffic behavior and detection of known and unknown attacks, respectively. A triangle area map is developed to enhance and speed up the MCA process. A statistical normalization method is used to eliminate the bias from the raw data. Our proposed DoS detection system is evaluated using the KDD Cup 99 data set.
II. SYSTEM ARCHITECTURE
This section gives an overview of our proposed DoS attack detection system architecture; the system framework and the sample-by-sample detection mechanism are discussed.
ISBN NO: 978 - 1503304048
International Association of Engineering & Technology for Skill Development 58
Fig 1. System Architecture
The whole detection process consists of three major steps, as shown in Fig. 1.
Step 1: Basic features are generated from the observed network traffic and used to form traffic records for a well-defined time period. Observing and analyzing at the destination network reduces the overhead of detecting abnormal traffic by concentrating only on relevant inbound traffic. It also lets us provide protection that best fits the targeted internal network, because the legitimate traffic profiles are developed for a smaller number of network services.
Step 2: Multivariate Correlation Analysis, in which the “Triangle Area Map Generation” method [5] is applied to determine the correlations between two distinct features within each traffic record coming from the first step, or within the traffic record normalized by the “Feature Normalization” module in this step. The occurrence of intrusions causes changes to these correlations, so the changes can be used as indicators to identify malicious activities. All the extracted correlations, namely the triangle areas stored in Triangle Area Maps (TAMs), are then used in place of the original basic features or the normalized features to represent the traffic records. This provides better discriminative information for differentiating between legitimate and illegitimate traffic records.
Step 3: The anomaly-based detection mechanism is adopted in Decision Making. It detects DoS attacks without requiring any attack-relevant knowledge. Furthermore, the labor-intensive analysis of data and the frequent updates of attack signatures required by misuse-based detection are avoided. Meanwhile, the mechanism enhances the robustness of the proposed detectors and makes them harder to evade, because attackers would need to generate attacks that match the normal traffic profiles built by a specific detection algorithm. This, however, is a labor-intensive task and requires expertise in the targeted detection algorithm.
Two phases (the “Training Phase” and the “Test Phase”) are involved in Decision Making. The “Normal Profile Generation” module operates in the “Training Phase” to generate profiles for the various types of legitimate traffic records, and the generated normal profiles are stored in a database. The “Tested Profile Generation” module is used in the “Test Phase” to build profiles for individual observed traffic records. The tested profiles are then handed over to the “Attack Detection” module, which compares each tested profile with the respective stored normal profile. A threshold-based classifier is employed in the “Attack Detection” module to distinguish DoS attacks from legitimate traffic.
The group-based detection mechanism achieves a higher rate in classifying a group of sequential network traffic samples than the sample-by-sample detection mechanism. However, that proof was based on the assumption that all samples in a tested group come from the same distribution (class). This restricts the application of group-based detection to limited scenarios, because attacks occur unpredictably in general and it is difficult to obtain a group of sequential samples drawn only from the same distribution. To remove this restriction, our system investigates traffic samples individually. This offers benefits that are not found in the group-based detection mechanism: 1) attacks can be detected on individual samples rather than on groups, 2) intrusive traffic samples can be labeled individually, and 3) the probability of classifying a sample correctly into its population is higher than that achieved by the group-based detection mechanism in a general network scenario.
III. MULTIVARIATE CORRELATION ANALYSIS
DoS attack traffic behaves differently from legitimate network traffic, and the behavior of network traffic is represented by its statistical properties. To describe these statistical properties well, we present the Multivariate Correlation Analysis (MCA) approach in this section. This MCA approach employs a triangle area map to extract the correlative information between the features within an observed data object (i.e., a traffic record). The triangle area map approach is used to extract the hidden correlations between two distinct features within each traffic record coming from the first step. All extracted correlations, i.e. the triangle areas, are then used in place of the original basic features to represent the traffic records. This provides a distinctive way to differentiate between legitimate and illegitimate traffic records. In order to make a complete analysis, all possible permutations of any two distinct features are extracted and the corresponding triangle areas are computed.
A Triangle Area Map (TAM) is constructed, and all the triangle areas are arranged on the map according to their index values. The values of the elements on the diagonal of the map are set to zero, because we only care about the correlation between each pair of distinct features. The entire map has a size of m × m.
Our MCA approach introduces some unique benefits to data analysis. The hidden correlations between the distinct features in each pair are analysed through geometrical structure analysis. These correlations may change when anomalous behavior appears in the traffic, leading to significant differences between the hidden correlations and the historical models. This plays a vital role in triggering an alert in our detection system. Moreover, the triangle-area-map-based approach enables our MCA method to withstand the issue of a linear change of all features.
IV. DETECTION MECHANISM
A mechanism that efficiently detects any known and unknown DoS attacks is well worth having. To meet this expectation, we propose a threshold-based anomaly detector whose normal profiles (i.e., legitimate traffic profiles) are extracted using purely legitimate network traffic records and used for future comparisons with new incoming traffic records under investigation. The dissimilarity between a new incoming traffic record and the respective normal profile is examined by the proposed detection mechanism. If the dissimilarity is greater than a pre-determined threshold, the traffic record is classified as an attack; otherwise, it is classified as a legitimate traffic record. Normal profiles and thresholds have a direct effect on the performance of a threshold-based detector. A low-quality normal profile causes an inaccurate characterization of legitimate network traffic. Thus, we first apply the proposed triangle-area-based MCA approach to analyze legitimate network traffic, and the generated TAMs are then employed to supply quality features for normal profile generation.
4.1 Normal Profile Generation
Assume there is a set of n legitimate training traffic records $X^{normal} = \{x^{normal}_1, x^{normal}_2, \cdots, x^{normal}_n\}$. The triangle-area-based MCA approach is applied to analyze the records. The generated lower triangles of the TAMs of the n legitimate training traffic records are denoted by $X^{normal}_{TAM^{lower}} = \{TAM^{lower}_{normal,1}, TAM^{lower}_{normal,2}, \cdots, TAM^{lower}_{normal,n}\}$. Mahalanobis Distance (MD) is adopted to measure the dissimilarity between traffic records. This is because MD has been successfully and widely used in cluster-based analysis, classification and multivariate detection techniques. Unlike Euclidean distance and Manhattan distance, it evaluates the distance between two multivariate data objects by taking the correlations between variables into account and eliminating the dependency on the scale of measurement during the calculation.
4.2 Threshold Selection
The threshold is used to identify and differentiate attack traffic from legitimate traffic:
$\text{Threshold} = \mu + \sigma \cdot \alpha$.
For a normal distribution, α usually ranges from 1 to 3. This means that a detection decision can be made with a level of confidence varying from 68% to 99.7%, depending on the value chosen for α. Thus, if the MD between an observed traffic record and the respective normal profile is higher than the threshold, it will be flagged as an attack.
4.3 Attack Detection
To detect DoS attacks, the lower triangle ($TAM^{lower}_{observed}$) of the TAM of an observed record ($T^{observed}$) is generated using the proposed triangle-area-based MCA approach. Then, the MD between $TAM^{lower}_{observed}$ and the $TAM^{lower}_{normal}$ stored in the respective pre-generated normal profile is evaluated. The detailed detection algorithm is given below.
Algorithm for attack detection based on Mahalanobis distance.
Require: Observed traffic record $T^{observed}$, normal profile parameters $(N(\mu, \sigma^2), TAM^{lower}_{normal}, Cov)$ and parameter α
1: Generate $TAM^{lower}_{observed}$ for the observed traffic record $T^{observed}$
2: $MD^{observed} \leftarrow MD(TAM^{lower}_{observed}, TAM^{lower}_{normal})$
3: if $(\mu - \sigma \cdot \alpha) \le MD^{observed} \le (\mu + \sigma \cdot \alpha)$ then
4: return Normal
5: else
6: return Attack
7: end if
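As an added worked example (not code from the paper), the following Python sketch implements Sections III-IV end to end: it builds the lower-triangle TAM of a record using the triangle-area formula of the cited TAM method [5] (area |x_i·x_j|/2 for each feature pair, which this page does not spell out), derives a normal profile (mean TAM, covariance, and the μ/σ of the training Mahalanobis distances) from constructed legitimate records, and applies the μ ± σ·α decision rule to a constructed flood-like record. The tiny ridge added to the covariance, the pure-Python matrix inverse and α = 3 are assumptions of this example, not taken from the paper.

```python
"""TAM-based MCA with a Mahalanobis-distance threshold detector (Sections III-IV).
Added illustration, not the paper's code; every record below is constructed."""
from itertools import combinations
import math
import random

def tam_lower(record):
    """Lower triangle of the TAM: for features i < j, the triangle formed by the origin
    and the record's projections on axes i and j has area |x_i * x_j| / 2."""
    return [abs(record[i] * record[j]) / 2 for i, j in combinations(range(len(record)), 2)]

def invert(mat):
    """Gauss-Jordan inverse of a small square matrix (pure Python, no numpy needed)."""
    d = len(mat)
    aug = [row[:] + [float(i == j) for j in range(d)] for i, row in enumerate(mat)]
    for c in range(d):
        piv = max(range(c, d), key=lambda r: abs(aug[r][c]))  # partial pivoting
        aug[c], aug[piv] = aug[piv], aug[c]
        p = aug[c][c]
        aug[c] = [v / p for v in aug[c]]
        for r in range(d):
            if r != c:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[d:] for row in aug]

def mahalanobis(x, mu, cov_inv):
    """MD = sqrt((x - mu)^T Cov^-1 (x - mu)): correlation-aware and scale-free."""
    diff = [a - b for a, b in zip(x, mu)]
    q = sum(diff[i] * cov_inv[i][j] * diff[j] for i in range(len(diff)) for j in range(len(diff)))
    return math.sqrt(max(q, 0.0))

def normal_profile(train_records):
    """Training phase (4.1, 4.2): mean TAM, inverse covariance, and the mu/sigma of the
    training MDs that define the threshold mu + sigma * alpha."""
    tams = [tam_lower(r) for r in train_records]
    n, d = len(tams), len(tams[0])
    mean = [sum(col) / n for col in zip(*tams)]
    cov = [[sum((t[a] - mean[a]) * (t[b] - mean[b]) for t in tams) / (n - 1)
            for b in range(d)] for a in range(d)]
    for a in range(d):  # assumption: a tiny ridge keeps the covariance invertible
        cov[a][a] += 1e-9 * cov[a][a] + 1e-12
    cov_inv = invert(cov)
    mds = [mahalanobis(t, mean, cov_inv) for t in tams]
    mu = sum(mds) / n
    sigma = math.sqrt(sum((m - mu) ** 2 for m in mds) / n)
    return mean, cov_inv, mu, sigma

def detect(record, profile, alpha=3.0):
    """Test phase (4.3): Normal if mu - sigma*alpha <= MD <= mu + sigma*alpha, else Attack."""
    mean, cov_inv, mu, sigma = profile
    md = mahalanobis(tam_lower(record), mean, cov_inv)
    return "Normal" if (mu - sigma * alpha) <= md <= (mu + sigma * alpha) else "Attack"

# Constructed records with four KDD-style numeric features (duration, src_bytes,
# dst_bytes, count), pre-scaled to comparable ranges as the paper's normalization would.
rng = random.Random(7)
LEGIT = [[rng.uniform(1, 3), rng.uniform(2, 4), rng.uniform(3, 5), rng.uniform(1, 2)] for _ in range(40)]
FLOOD = [2.0, 3.0, 4.0, 60.0]  # constructed flood-like record: count far above the profile
PROFILE = normal_profile(LEGIT)
```

With α = 3 at most four of the forty training records can fall outside μ ± 3σ by construction of σ, while the flood record's TAM entries involving `count` sit tens of standard deviations from the profile and are flagged as Attack.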
V. SYSTEM EVALUATION
The evaluation of the system is conducted on the KDD CUP 99 dataset [6]. The 10 percent labeled data of the KDD CUP 99 dataset is employed, in which three different types of legitimate traffic (TCP, UDP and ICMP traffic) and six different types of DoS attacks (Teardrop, Smurf, Pod, Neptune, Land and Back attacks) are available. These are the targeted records in this evaluation and are filtered first. Then, they are further grouped into several clusters according to their labels. A 10-fold cross-validation is conducted to analyse and evaluate the system, and the entire filtered data subset is used for validation. Evaluation results are shown as graphs. Moreover, we identify some weaknesses in the current system and suggest a solution. In addition, the results of the enhanced system and the performance comparisons with two state-of-the-art approaches are presented to prove the effectiveness of the solution.
5.1 Evaluation Metrics
True Negative Rate (TNR), Detection Rate (DR), False Positive Rate (FPR) and Accuracy (i.e. the proportion of all samples that are classified correctly) are four important metrics for evaluating a DoS attack detection system. Systems that give a high detection rate together with a low false positive rate (namely a high detection accuracy) are highly rated among detection mechanisms. To reveal the performance of the proposed DoS attack detection system technically, the Receiver Operating Characteristic (ROC) curve is employed to show the relationship between DR and FPR.
VI. COMPUTATIONAL COMPLEXITY AND TIME COST ANALYSIS
We conduct an analysis of the computational complexity and the time cost of our proposed MCA-based detection system. On one hand, as discussed in Section III, the triangle areas of all possible combinations of any two distinct features in a traffic record have to be calculated when performing our proposed MCA. The former technique (triangle-area-based MCA) analyses the geometrical correlations hidden in individual pairs of two distinct features within each network traffic record, and offers a more accurate characterization of network traffic behavior. The latter technique (anomaly-based detection) enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic. Moreover, the time cost is evaluated to show the contribution of our proposed MCA to the DoS attack detection mechanism. Our proposed MCA can process approximately 23,092 traffic records per second. In contrast, the MCA based on a Euclidean distance map achieves approximately 12,044 traffic records per second, almost half of what is achieved by our proposed MCA.
VII. CONCLUSION
This paper has proposed a threshold-based DoS attack detection system built on the triangle-area-based multivariate correlation analysis technique and the anomaly-based detection technique. The former technique extracts the geometrical correlations hidden in individual pairs of two distinct features within each network traffic record, and offers a more accurate characterization of network traffic behavior. The latter technique enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic. Evaluation has been conducted on the KDD CUP 99 dataset to verify the effectiveness and accuracy of the proposed system. The results show that when working with non-normalized data, our detection system achieves a maximum of 95.20% detection accuracy, though its performance degrades in detecting certain types of DoS attacks. This problem, however, can be solved by employing a statistical normalization technique to eliminate the bias from the dataset. The results of evaluating with the normalized data show a more satisfying detection accuracy of 99.95% and nearly 100.00% detection rates for a wide range of DoS attacks. Besides, the comparison results show that our detection system outperforms two state-of-the-art approaches in terms of detection accuracy. However, the false positive rate of our detection system needs to be further reduced in order to spare network administrators from frequent false alarms. As future work, we will further test our DoS attack detection mechanism on real-world data and employ more sophisticated classification techniques to further reduce the false positive rate.
VIII. REFERENCES
[1] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time,” Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, “Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges,” Computers and Security, vol. 28, pp. 18-28, 2009.
[3] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, “DDoS Attack Detection Method Using Cluster Analysis,” Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, 2008.
[4] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, “Intrusion Detection Using Fuzzy Association Rules,” Applied Soft Computing, vol. 9, no. 2, pp. 462-469, 2009.
[5] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, “Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection,” Proc. IEEE 11th Int’l Conf. Trust, Security and Privacy in Computing and Comm., pp. 33-40, 2012.
[6] M. Tavallaee, E. Bagheri, L. Wei, and A.A. Ghorbani, “A Detailed Analysis of the KDD Cup 99 Data Set,” Proc. IEEE Second Int’l Conf. Computational Intelligence for Security and Defense Applications, pp. 1-6, 2009.