scispace - formally typeset
Proceedings ArticleDOI

A system approach to network modeling for DDoS detection using a Naìve Bayesian classifier

17 Feb 2011-pp 1-10
TL;DR: The approach to a carefully engineered, practically realised system to detect DoS attacks using a Naìve Bayesian(NB) classifier is described, which includes network modeling for two protocols - TCP and UDP.

...read more

Abstract: Denial of Service(DoS) attacks pose a big threat to any electronic society. DoS and DDoS attacks are catastrophic particularly when applied to highly sensitive targets like Critical Information Infrastructure. While research literature has focussed on using various fundamental classifier models for detecting attacks, the common trend observed in literature is to classify DoS attacks into the broad class of intrusions, which makes proposed solutions to this class of attacks unrealistic in practical terms. In this work, the approach to a carefully engineered, practically realised system to detect DoS attacks using a Naive Bayesian(NB) classifier is described. The work includes network modeling for two protocols - TCP and UDP.

...read more

Topics: Robust random early detection (62%), Network security (54%), Naive Bayes classifier (53%) ...read more
Citations
More filters

Journal ArticleDOI
TL;DR: This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools.

...read more

Abstract: Threats of distributed denial of service (DDoS) attacks have been increasing day-by-day due to rapid development of computer networks and associated infrastructure, and millions of software applications, large and small, addressing all varieties of tasks. Botnets pose a major threat to network security as they are widely used for many Internet crimes such as DDoS attacks, identity theft, email spamming, and click fraud. Botnet based DDoS attacks are catastrophic to the victim network as they can exhaust both network bandwidth and resources of the victim machine. This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools. A detailed discussion of several botnet architectures, tools developed using botnet architectures, and pros and cons analysis are also included. Furthermore, a list of important issues and research challenges is also reported.

...read more

163 citations


Journal ArticleDOI
TL;DR: An overview of the use of similarity and distance measures within NIAD research is presented and a theoretical background in distance measures is provided and a discussion of various types of distance measures and their uses are discussed.

...read more

Abstract: Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple $k$ -means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.

...read more

137 citations


Cites methods from "A system approach to network modeli..."

  • ...[81] propose a lightweight DoS classifier framework to operate on both the TCP and User Datagram Protocol (UDP) protocols....

    [...]


Journal ArticleDOI
TL;DR: It is demonstrated that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version.

...read more

Abstract: Nowadays, a significant part of all network accesses comes from embedded and battery-powered devices, which must be energy efficient. This paper demonstrates that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version. The paper has four main contributions: (i) a new feature extraction algorithm, with low processing demands and suitable for hardware implementation; (ii) a feature selection method with two objectives—accuracy and energy consumption; (iii) detailed energy measurements of the feature extraction engine and three machine learning (ML) classifiers implemented in SW and HW—Decision Tree (DT), Naive-Bayes (NB), and k-Nearest Neighbors (kNN); and (iv) a detailed analysis of the tradeoffs in implementing the feature extractor and ML classifiers in SW and HW. The new feature extractor demands significantly less computational power, memory, and energy. Its SW implementation consumes only 22 percent of the energy used by a commercial product and its HW implementation only 12 percent. The dual-objective feature selection enabled an energy saving of up to 93 percent. Comparing the most energy-efficient SW implementation (new extractor and DT classifier) with an equivalent HW implementation, the HW version consumes only 5.7 percent of the energy used by the SW version.

...read more

69 citations


Cites methods from "A system approach to network modeli..."

  • ...[53] developed a DoS detection system with an NB classifier in a Virtex 4 FPGA....

    [...]


Proceedings ArticleDOI
13 Feb 2012-
TL;DR: An adaptive network intrusion detection system, that uses a two stage architecture, where in the first stage a probabilistic classifier is used to detect potential anomalies in the traffic and in the second stage a HMM based traffic models are used to narrow down the potential attack IP addresses.

...read more

Abstract: Any activity aimed at disrupting a service or making a resource unavailable or gaining unauthorized access can be termed as an intrusion. Examples include buffer overflow attacks, flooding attacks, system break-ins, etc. Intrusion detection systems (IDSs) play a key role in detecting such malicious activities and enable administrators in securing network systems. Two key criteria should be met by an IDS for it to be effective: (i) ability to detect unknown attack types, (ii) having very less miss classification rate. In this paper we describe an adaptive network intrusion detection system, that uses a two stage architecture. In the first stage a probabilistic classifier is used to detect potential anomalies in the traffic. In the second stage a HMM based traffic model is used to narrow down the potential attack IP addresses. Various design choices that were made to make this system practical and difficulties faced in integrating with existing models are also described. We show that this system achieves good performance empirically.

...read more

59 citations


7


Cites background or methods from "A system approach to network modeli..."

  • ...In the remainder of this section, we describe parameters that were used to build our model and other design considerations that shaped our model design....

    [...]

  • ...Traffic to particular ports are then source separated and trained by separate models for each port....

    [...]


Journal ArticleDOI
Xuyang Jing1, Zheng Yan1, Witold Pedrycz2Institutions (2)
TL;DR: This paper surveys existing studies about security-related data collection and analytics for the purpose of measuring the Internet security and proposes several additional requirements for security- related data analytics in order to make the analytics flexible and scalable.

...read more

Abstract: Attacks over the Internet are becoming more and more complex and sophisticated. How to detect security threats and measure the security of the Internet arises a significant research topic. For detecting the Internet attacks and measuring its security, collecting different categories of data and employing methods of data analytics are essential. However, the literature still lacks a thorough review on security-related data collection and analytics on the Internet. Therefore, it becomes a necessity to review the current state of the art in order to gain a deep insight on what categories of data should be collected and which methods should be used to detect the Internet attacks and to measure its security. In this paper, we survey existing studies about security-related data collection and analytics for the purpose of measuring the Internet security. We first divide the data related to network security measurement into four categories: 1) packet-level data; 2) flow-level data; 3) connection-level data; and 4) host-level data. For each category of data, we provide a specific classification and discuss its advantages and disadvantages with regard to the Internet security threat detection. We also propose several additional requirements for security-related data analytics in order to make the analytics flexible and scalable. Based on the usage of data categories and the types of data analytic methods, we review current detection methods for distributed denial of service flooding and worm attacks by applying the proposed requirements to evaluate their performance. Finally, based on the completed review, a list of open issues is outlined and future research directions are identified.

...read more

47 citations


Cites methods from "A system approach to network modeli..."

  • ...[54] proposed a real-time detection method using a Naive Bayes classifier....

    [...]


References
More filters

Journal ArticleDOI
Jelena Mirkovic1, Peter Reiher2Institutions (2)
01 Apr 2004-
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.

...read more

Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

...read more

1,747 citations


"A system approach to network modeli..." refers background in this paper

  • ...A taxonomy of DDoS attacks and defence mechanims has been documented in [18]....

    [...]


Proceedings ArticleDOI
22 Apr 2003-
TL;DR: Methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes and how the detectors can be extended to make effective response decisions are presented.

...read more

Abstract: The nature of the threats posed by distributed denial of service (DDoS) attacks on large networks, such as the Internet, demands effective detection and response methods. These methods must be deployed not only at the edge but also at the core of the network This paper presents methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. The DDoS attacks show anomalies in the characteristics of the selected packet attributes. The detection accuracy and performance are analyzed using live traffic traces from a variety of network environments ranging from points in the core of the Internet to those inside an edge network The results indicate that these methods can be effective against current attacks and suggest directions for improving detection of more stealthy attacks. We also describe our detection-response prototype and how the detectors can be extended to make effective response decisions.

...read more

536 citations


5


"A system approach to network modeli..." refers methods in this paper

  • ...The include statistical approaches, like [6], which proposes a Chi-Square-Test on the entropy values of the packet headers....

    [...]


Proceedings Article
01 Jan 1999-
TL;DR: V WR FOL HQWV PDNLQJ VHUYLFH UHTXHVWV 7R FRPSOHWH LWV UH TXHVW D FOLHQW PXVW VROYH LWV SX]]OH FRUUHFWO\,Q WKLV SDSHU ZH GHVFULEH WKH F OLHQW SX]DWLRQ DQG JLYH D ULJRURXV SURRI

...read more

519 citations


"A system approach to network modeli..." refers background in this paper

  • ...Some examples include hash pre-image based client puzzles as proposed in [4] and [5]....

    [...]


Book ChapterDOI
03 Apr 2000-
Abstract: Denial of service by server resource exhaustion has become a major security threat in open communications networks. Public-key authentication does not completely protect against the attacks because the authentication protocols often leave ways for an unauthenticated client to consume a server's memory space and computational resources by initiating a large number of protocol runs and inducing the server to perform expensive cryptographic computations. We show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent such attacks.

...read more

408 citations



Performance
Metrics
No. of citations received by the Paper in previous years
YearCitations
20212
20202
20194
20185
20173
20163