A system approach to network modeling for DDoS detection using a Naìve Bayesian classifier
17 Feb 2011-pp 1-10
TL;DR: The approach to a carefully engineered, practically realised system to detect DoS attacks using a Naìve Bayesian(NB) classifier is described, which includes network modeling for two protocols - TCP and UDP.
Abstract: Denial of Service(DoS) attacks pose a big threat to any electronic society. DoS and DDoS attacks are catastrophic particularly when applied to highly sensitive targets like Critical Information Infrastructure. While research literature has focussed on using various fundamental classifier models for detecting attacks, the common trend observed in literature is to classify DoS attacks into the broad class of intrusions, which makes proposed solutions to this class of attacks unrealistic in practical terms. In this work, the approach to a carefully engineered, practically realised system to detect DoS attacks using a Naive Bayesian(NB) classifier is described. The work includes network modeling for two protocols - TCP and UDP.
Citations
More filters
TL;DR: This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools.
Abstract: Threats of distributed denial of service (DDoS) attacks have been increasing day-by-day due to rapid development of computer networks and associated infrastructure, and millions of software applications, large and small, addressing all varieties of tasks. Botnets pose a major threat to network security as they are widely used for many Internet crimes such as DDoS attacks, identity theft, email spamming, and click fraud. Botnet based DDoS attacks are catastrophic to the victim network as they can exhaust both network bandwidth and resources of the victim machine. This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools. A detailed discussion of several botnet architectures, tools developed using botnet architectures, and pros and cons analysis are also included. Furthermore, a list of important issues and research challenges is also reported.
206 citations
TL;DR: An overview of the use of similarity and distance measures within NIAD research is presented and a theoretical background in distance measures is provided and a discussion of various types of distance measures and their uses are discussed.
Abstract: Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple $k$ -means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.
180 citations
Cites methods from "A system approach to network modeli..."
...[81] propose a lightweight DoS classifier framework to operate on both the TCP and User Datagram Protocol (UDP) protocols....
[...]
TL;DR: It is demonstrated that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version.
Abstract: Nowadays, a significant part of all network accesses comes from embedded and battery-powered devices, which must be energy efficient. This paper demonstrates that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version. The paper has four main contributions: (i) a new feature extraction algorithm, with low processing demands and suitable for hardware implementation; (ii) a feature selection method with two objectives—accuracy and energy consumption; (iii) detailed energy measurements of the feature extraction engine and three machine learning (ML) classifiers implemented in SW and HW—Decision Tree (DT), Naive-Bayes (NB), and k-Nearest Neighbors (kNN); and (iv) a detailed analysis of the tradeoffs in implementing the feature extractor and ML classifiers in SW and HW. The new feature extractor demands significantly less computational power, memory, and energy. Its SW implementation consumes only 22 percent of the energy used by a commercial product and its HW implementation only 12 percent. The dual-objective feature selection enabled an energy saving of up to 93 percent. Comparing the most energy-efficient SW implementation (new extractor and DT classifier) with an equivalent HW implementation, the HW version consumes only 5.7 percent of the energy used by the SW version.
85 citations
Cites methods from "A system approach to network modeli..."
...[53] developed a DoS detection system with an NB classifier in a Virtex 4 FPGA....
[...]
TL;DR: This review paper focuses on the most common defense methods against DDoS attacks that adopt artificial intelligence and statistical approaches and classifies and illustrates the attack types, the testing properties, the evaluation methods and the testing datasets that are utilized in the methodology of the proposed defense methods.
Abstract: Until now, an effective defense method against Distributed Denial of Service (DDoS) attacks is yet to be offered by security systems. Incidents of serious damage due to DDoS attacks have been increasing, thereby leading to an urgent need for new attack identification, mitigation, and prevention mechanisms. To prevent DDoS attacks, the basic features of the attacks need to be dynamically analyzed because their patterns, ports, and protocols or operation mechanisms are rapidly changed and manipulated. Most of the proposed DDoS defense methods have different types of drawbacks and limitations. Some of these methods have signature-based defense mechanisms that fail to identify new attacks and others have anomaly-based defense mechanisms that are limited to specific types of DDoS attacks and yet to be applied in open environments. Subsequently, extensive research on applying artificial intelligence and statistical techniques in the defense methods has been conducted in order to identify, mitigate, and prevent these attacks. However, the most appropriate and effective defense features, mechanisms, techniques, and methods for handling such attacks remain to be an open question. This review paper focuses on the most common defense methods against DDoS attacks that adopt artificial intelligence and statistical approaches. Additionally, the review classifies and illustrates the attack types, the testing properties, the evaluation methods and the testing datasets that are utilized in the methodology of the proposed defense methods. Finally, this review provides a guideline and possible points of encampments for developing improved solution models of defense methods against DDoS attacks.
83 citations
Cites methods from "A system approach to network modeli..."
...• Bayesian networks classifier is used to (1) detect and recognize DDoS attack in real-time as in [51]; (2) detect and defense against collective DDoS attack on HTTP as in [52] and (3) assess the reliability of access routers when forwarding packets to detect and mitigate DDoS attack as in [50]....
[...]
...[51] present a real-time, lightweight technique for identifying a DoS attack by using a naive Bayesian classifier, which is used to classify network packets into poor or good....
[...]
TL;DR: This paper surveys existing studies about security-related data collection and analytics for the purpose of measuring the Internet security and proposes several additional requirements for security- related data analytics in order to make the analytics flexible and scalable.
Abstract: Attacks over the Internet are becoming more and more complex and sophisticated. How to detect security threats and measure the security of the Internet arises a significant research topic. For detecting the Internet attacks and measuring its security, collecting different categories of data and employing methods of data analytics are essential. However, the literature still lacks a thorough review on security-related data collection and analytics on the Internet. Therefore, it becomes a necessity to review the current state of the art in order to gain a deep insight on what categories of data should be collected and which methods should be used to detect the Internet attacks and to measure its security. In this paper, we survey existing studies about security-related data collection and analytics for the purpose of measuring the Internet security. We first divide the data related to network security measurement into four categories: 1) packet-level data; 2) flow-level data; 3) connection-level data; and 4) host-level data. For each category of data, we provide a specific classification and discuss its advantages and disadvantages with regard to the Internet security threat detection. We also propose several additional requirements for security-related data analytics in order to make the analytics flexible and scalable. Based on the usage of data categories and the types of data analytic methods, we review current detection methods for distributed denial of service flooding and worm attacks by applying the proposed requirements to evaluate their performance. Finally, based on the completed review, a list of open issues is outlined and future research directions are identified.
82 citations
Cites methods from "A system approach to network modeli..."
...[54] proposed a real-time detection method using a Naive Bayes classifier....
[...]
References
More filters
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.
1,866 citations
"A system approach to network modeli..." refers background in this paper
...A taxonomy of DDoS attacks and defence mechanims has been documented in [18]....
[...]
22 Apr 2003
TL;DR: Methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes and how the detectors can be extended to make effective response decisions are presented.
Abstract: The nature of the threats posed by distributed denial of service (DDoS) attacks on large networks, such as the Internet, demands effective detection and response methods. These methods must be deployed not only at the edge but also at the core of the network This paper presents methods to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. The DDoS attacks show anomalies in the characteristics of the selected packet attributes. The detection accuracy and performance are analyzed using live traffic traces from a variety of network environments ranging from points in the core of the Internet to those inside an edge network The results indicate that these methods can be effective against current attacks and suggest directions for improving detection of more stealthy attacks. We also describe our detection-response prototype and how the detectors can be extended to make effective response decisions.
558 citations
"A system approach to network modeli..." refers methods in this paper
...The include statistical approaches, like [6], which proposes a Chi-Square-Test on the entropy values of the packet headers....
[...]
Proceedings Article•
01 Jan 1999
TL;DR: V WR FOL HQWV PDNLQJ VHUYLFH UHTXHVWV 7R FRPSOHWH LWV UH TXHVW D FOLHQW PXVW VROYH LWV SX]]OH FRUUHFWO\,Q WKLV SDSHU ZH GHVFULEH WKH F OLHQW SX]DWLRQ DQG JLYH D ULJRURXV SURRI
528 citations
"A system approach to network modeli..." refers background in this paper
...Some examples include hash pre-image based client puzzles as proposed in [4] and [5]....
[...]
03 Apr 2000
TL;DR: In this paper, the authors show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent denial of service by server resource exhaustion in open communications networks.
Abstract: Denial of service by server resource exhaustion has become a major security threat in open communications networks. Public-key authentication does not completely protect against the attacks because the authentication protocols often leave ways for an unauthenticated client to consume a server's memory space and computational resources by initiating a large number of protocol runs and inducing the server to perform expensive cryptographic computations. We show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent such attacks.
409 citations
Proceedings Article•
01 Jan 2002
332 citations