Proceedings ArticleDOI

A system approach to network modeling for DDoS detection using a Naïve Bayesian classifier

TL;DR: The approach to a carefully engineered, practically realised system to detect DoS attacks using a Naïve Bayesian (NB) classifier is described, which includes network modeling for two protocols - TCP and UDP.
Abstract: Denial of Service (DoS) attacks pose a big threat to any electronic society. DoS and DDoS attacks are catastrophic particularly when applied to highly sensitive targets like Critical Information Infrastructure. While research literature has focused on using various fundamental classifier models for detecting attacks, the common trend observed in literature is to classify DoS attacks into the broad class of intrusions, which makes proposed solutions to this class of attacks unrealistic in practical terms. In this work, the approach to a carefully engineered, practically realised system to detect DoS attacks using a Naïve Bayesian (NB) classifier is described. The work includes network modeling for two protocols - TCP and UDP.
Citations
Journal ArticleDOI
TL;DR: This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools.
Abstract: Threats of distributed denial of service (DDoS) attacks have been increasing day-by-day due to rapid development of computer networks and associated infrastructure, and millions of software applications, large and small, addressing all varieties of tasks. Botnets pose a major threat to network security as they are widely used for many Internet crimes such as DDoS attacks, identity theft, email spamming, and click fraud. Botnet-based DDoS attacks are catastrophic to the victim network as they can exhaust both network bandwidth and resources of the victim machine. This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools. A detailed discussion of several botnet architectures, tools developed using botnet architectures, and pros and cons analysis are also included. Furthermore, a list of important issues and research challenges is also reported.

206 citations

Journal ArticleDOI
TL;DR: An overview of the use of similarity and distance measures within NIAD research is presented and a theoretical background in distance measures is provided and a discussion of various types of distance measures and their uses are discussed.
Abstract: Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple $k$-means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.

180 citations


Cites methods from "A system approach to network modeli..."

  • ...[81] propose a lightweight DoS classifier framework to operate on both the TCP and User Datagram Protocol (UDP) protocols....

Journal ArticleDOI
TL;DR: It is demonstrated that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version.
Abstract: Nowadays, a significant part of all network accesses comes from embedded and battery-powered devices, which must be energy efficient. This paper demonstrates that a hardware (HW) implementation of network security algorithms can significantly reduce their energy consumption compared to an equivalent software (SW) version. The paper has four main contributions: (i) a new feature extraction algorithm, with low processing demands and suitable for hardware implementation; (ii) a feature selection method with two objectives—accuracy and energy consumption; (iii) detailed energy measurements of the feature extraction engine and three machine learning (ML) classifiers implemented in SW and HW—Decision Tree (DT), Naive-Bayes (NB), and k-Nearest Neighbors (kNN); and (iv) a detailed analysis of the tradeoffs in implementing the feature extractor and ML classifiers in SW and HW. The new feature extractor demands significantly less computational power, memory, and energy. Its SW implementation consumes only 22 percent of the energy used by a commercial product and its HW implementation only 12 percent. The dual-objective feature selection enabled an energy saving of up to 93 percent. Comparing the most energy-efficient SW implementation (new extractor and DT classifier) with an equivalent HW implementation, the HW version consumes only 5.7 percent of the energy used by the SW version.

85 citations


Cites methods from "A system approach to network modeli..."

  • ...[53] developed a DoS detection system with an NB classifier in a Virtex 4 FPGA....

Journal ArticleDOI
TL;DR: This review paper focuses on the most common defense methods against DDoS attacks that adopt artificial intelligence and statistical approaches and classifies and illustrates the attack types, the testing properties, the evaluation methods and the testing datasets that are utilized in the methodology of the proposed defense methods.
Abstract: Until now, an effective defense method against Distributed Denial of Service (DDoS) attacks is yet to be offered by security systems. Incidents of serious damage due to DDoS attacks have been increasing, thereby leading to an urgent need for new attack identification, mitigation, and prevention mechanisms. To prevent DDoS attacks, the basic features of the attacks need to be dynamically analyzed because their patterns, ports, and protocols or operation mechanisms are rapidly changed and manipulated. Most of the proposed DDoS defense methods have different types of drawbacks and limitations. Some of these methods have signature-based defense mechanisms that fail to identify new attacks and others have anomaly-based defense mechanisms that are limited to specific types of DDoS attacks and yet to be applied in open environments. Subsequently, extensive research on applying artificial intelligence and statistical techniques in the defense methods has been conducted in order to identify, mitigate, and prevent these attacks. However, the most appropriate and effective defense features, mechanisms, techniques, and methods for handling such attacks remain to be an open question. This review paper focuses on the most common defense methods against DDoS attacks that adopt artificial intelligence and statistical approaches. Additionally, the review classifies and illustrates the attack types, the testing properties, the evaluation methods and the testing datasets that are utilized in the methodology of the proposed defense methods. Finally, this review provides a guideline and possible points of encampments for developing improved solution models of defense methods against DDoS attacks.

83 citations


Cites methods from "A system approach to network modeli..."

  • ...Bayesian networks classifier is used to (1) detect and recognize DDoS attack in real-time as in [51]; (2) detect and defend against collective DDoS attack on HTTP as in [52] and (3) assess the reliability of access routers when forwarding packets to detect and mitigate DDoS attack as in [50]....

  • ...[51] present a real-time, lightweight technique for identifying a DoS attack by using a naive Bayesian classifier, which is used to classify network packets into poor or good....

Journal ArticleDOI
TL;DR: This paper surveys existing studies about security-related data collection and analytics for the purpose of measuring the Internet security and proposes several additional requirements for security- related data analytics in order to make the analytics flexible and scalable.
Abstract: Attacks over the Internet are becoming more and more complex and sophisticated. How to detect security threats and measure the security of the Internet has become a significant research topic. For detecting the Internet attacks and measuring its security, collecting different categories of data and employing methods of data analytics are essential. However, the literature still lacks a thorough review on security-related data collection and analytics on the Internet. Therefore, it becomes a necessity to review the current state of the art in order to gain a deep insight on what categories of data should be collected and which methods should be used to detect the Internet attacks and to measure its security. In this paper, we survey existing studies about security-related data collection and analytics for the purpose of measuring the Internet security. We first divide the data related to network security measurement into four categories: 1) packet-level data; 2) flow-level data; 3) connection-level data; and 4) host-level data. For each category of data, we provide a specific classification and discuss its advantages and disadvantages with regard to the Internet security threat detection. We also propose several additional requirements for security-related data analytics in order to make the analytics flexible and scalable. Based on the usage of data categories and the types of data analytic methods, we review current detection methods for distributed denial of service flooding and worm attacks by applying the proposed requirements to evaluate their performance. Finally, based on the completed review, a list of open issues is outlined and future research directions are identified.

82 citations


Cites methods from "A system approach to network modeli..."

  • ...[54] proposed a real-time detection method using a Naive Bayes classifier....

References
Proceedings ArticleDOI
23 Jul 2002
TL;DR: This paper proposes a learning algorithm that constructs models of normal behavior from attack-free network traffic that can be combined to increase coverage of traditional intrusion detection systems.
Abstract: Traditional intrusion detection systems (IDS) detect attacks by comparing current behavior to signatures of known attacks. One main drawback is the inability of detecting new attacks which do not have known signatures. In this paper we propose a learning algorithm that constructs models of normal behavior from attack-free network traffic. Behavior that deviates from the learned normal model signals possible novel attacks. Our IDS is unique in two respects. First, it is nonstationary, modeling probabilities based on the time since the last event rather than on average rate. This prevents alarm floods. Second, the IDS learns protocol vocabularies (at the data link through application layers) in order to detect unknown attacks that attempt to exploit implementation errors in poorly tested features of the target software. On the 1999 DARPA IDS evaluation data set [9], we detect 70 of 180 attacks (with 100 false alarms), about evenly divided between user behavioral anomalies (IP addresses and ports, as modeled by most other systems) and protocol anomalies. Because our methods are unconventional there is a significant non-overlap of our IDS with the original DARPA participants, which implies that they could be combined to increase coverage.

315 citations


"A system approach to network modeli..." refers methods in this paper

  • ...In many practical applications, one can work with the NB model without believing in Bayesian probability or using any Bayesian methods....

  • ...A Naïve Bayes (NB) classifier is a simple probabilistic classifier based on applying Bayes' theorem with naive independence assumptions....

  • ...A practical approach to network modeling for DoS attacks using Naïve Bayesian Classifiers has been proposed....

  • ...Other classification algorithms such as Support Vector Machines [11], Genetic Algorithms [12], Artificial Neural Networks (ANN) [13] [14] and Bayesian Learning [15] have also been applied....

  • ...A Naïve Bayes classifier assumes that the presence (or absence) of a particular feature of a class is unrelated to the presence (or absence) of any other feature....
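The NB classifier the paper builds on, as an added illustration that is not the authors' code: one Gaussian naive Bayes model per protocol (TCP, UDP) over per-window header features, with the per-feature likelihoods multiplied (summed in log space) under the independence assumption quoted above. The feature names and the training values are constructed assumptions, not data from the paper.

```python
import math
from collections import defaultdict

# Constructed per-window traffic feature vectors (illustrative, not the paper's data).
# TCP: [SYN rate/s, SYN-ACK:SYN ratio, distinct source IPs, mean payload bytes]
# UDP: [packets/s, distinct source IPs, mean payload bytes, distinct dest ports]
TRAIN = {
    "tcp": [("normal", [40.0, 0.95, 12, 620.0]), ("normal", [55.0, 0.90, 15, 540.0]),
            ("normal", [30.0, 0.97, 9, 700.0]), ("attack", [5000.0, 0.02, 900, 0.0]),
            ("attack", [7200.0, 0.01, 1400, 0.0]), ("attack", [4100.0, 0.05, 600, 10.0])],
    "udp": [("normal", [200.0, 20, 300.0, 4]), ("normal", [260.0, 25, 280.0, 5]),
            ("normal", [150.0, 14, 350.0, 3]), ("attack", [9000.0, 700, 1400.0, 60]),
            ("attack", [12000.0, 1100, 1450.0, 80]), ("attack", [8000.0, 500, 1300.0, 40])],
}

class GaussianNB:
    """Naive Bayes: each feature gets its own Gaussian likelihood per class and
    the features are treated as conditionally independent given the class."""
    def __init__(self, var_floor=1e-3):
        self.var_floor = var_floor  # keeps a near-constant feature from giving zero variance
        self.log_prior, self.mean, self.var = {}, {}, {}

    def fit(self, samples):
        by_class = defaultdict(list)
        for label, x in samples:
            by_class[label].append(x)
        for label, rows in by_class.items():
            n, d = len(rows), len(rows[0])
            self.log_prior[label] = math.log(n / len(samples))
            self.mean[label] = [sum(r[i] for r in rows) / n for i in range(d)]
            self.var[label] = [max(sum((r[i] - self.mean[label][i]) ** 2 for r in rows) / n,
                                   self.var_floor) for i in range(d)]
        return self

    def log_posterior(self, x):
        """Unnormalised log P(class | x): log prior plus the sum of per-feature
        log likelihoods, i.e. the 'naive' product of independent likelihoods."""
        out = {}
        for label in self.log_prior:
            ll = self.log_prior[label]
            for xi, m, v in zip(x, self.mean[label], self.var[label]):
                ll += -0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
            out[label] = ll
        return out

    def predict(self, x):
        scores = self.log_posterior(x)
        return max(scores, key=scores.get)

# One model per protocol, mirroring the paper's TCP/UDP split.
MODELS = {proto: GaussianNB().fit(rows) for proto, rows in TRAIN.items()}

def classify(protocol, features):
    """Label a traffic window as 'normal' or 'attack' with the per-protocol NB model."""
    return MODELS[protocol].predict(features)

if __name__ == "__main__":
    print(classify("tcp", [6000.0, 0.03, 1000, 0.0]), classify("udp", [230.0, 22, 310.0, 4]))
```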

Journal ArticleDOI
TL;DR: A new learning algorithm for adaptive network intrusion detection using naive Bayesian classifier and decision tree is presented, which performs balance detections and keeps false positives at acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data.
Abstract: In this paper, a new learning algorithm for adaptive network intrusion detection using naive Bayesian classifier and decision tree is presented, which performs balance detections and keeps false positives at acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data that make the detection model complex. The proposed algorithm also addresses some difficulties of data mining such as handling continuous attribute, dealing with missing attribute values, and reducing noise in training data. Due to the large volumes of security audit data as well as the complex and dynamic properties of intrusion behaviours, several data mining-based intrusion detection techniques have been applied to network-based traffic data and host-based data in the last decades. However, there remain various issues needed to be examined towards current intrusion detection systems (IDS). We tested the performance of our proposed algorithm with existing learning algorithms by employing on the KDD99 benchmark intrusion detection dataset. The experimental results prove that the proposed algorithm achieved high detection rates (DR) and significantly reduced false positives (FP) for different types of network intrusions using limited computational resources.

167 citations


"A system approach to network modeli..." refers background in this paper

  • ...Recent works [19] [20] have discussed use of Bayesian classifiers towards intrusion detection in general, which includes DoS attacks....

Proceedings ArticleDOI
15 Jun 2005
TL;DR: This paper focuses on machine learning techniques for detecting attacks from Internet anomalies and proposes a machine learning framework that outperforms currently employed real-world NIDS.
Abstract: In today's world of computer security, Internet attacks such as DoS/DDoS, worms, and spyware continue to evolve as detection techniques improve. It is not easy, however, to distinguish such new attacks using only knowledge of pre-existing attacks. In this paper the authors focused on machine learning techniques for detecting attacks from Internet anomalies. The machine learning framework consists of two major components: genetic algorithm (GA) for feature selection and support vector machine (SVM) for packet classification. By experiment it is also demonstrated that the proposed framework outperforms currently employed real-world NIDS.

154 citations


"A system approach to network modeli..." refers methods in this paper

  • ...Other classification algorithms such as Support Vector Machines [11], Genetic Algorithms [12], Artificial Neural Networks (ANN) [13] [14] and Bayesian Learning [15] have also been applied....

Proceedings ArticleDOI
20 Jun 2004
TL;DR: The covariance model in this paper to some extent verifies the effectiveness of multivariate correlation analysis for DDoS detection and proposes an example, a covariance analysis model for detecting SYN flooding attacks.
Abstract: This paper discusses the effects of multivariate correlation analysis on the DDoS detection and proposes an example, a covariance analysis model for detecting SYN flooding attacks. The simulation results show that this method is highly accurate in detecting malicious network traffic in DDoS attacks of different intensities. This method can effectively differentiate between normal and attack traffic. Indeed, this method can detect even very subtle attacks only slightly different from the normal behaviors. The linear complexity of the method makes its real time detection practical. The covariance model in this paper to some extent verifies the effectiveness of multivariate correlation analysis for DDoS detection. Some open issues still exist in this model for further research.

147 citations


"A system approach to network modeli..." refers methods in this paper

  • ...These include statistical approaches, like [6], which proposes a Chi-Square-Test on the entropy values of the packet headers....

Journal ArticleDOI
TL;DR: The proposed Radial-basis-function neural network detector for Distributed-Denial-of-Service (DDoS) attacks in public networks based on statistical features estimated in short-time window analysis of the incoming data packets showed detection rate better than 98% of DDoS attacks.

97 citations


"A system approach to network modeli..." refers methods in this paper

  • ...Other classification algorithms such as Support Vector Machines [11], Genetic Algorithms [12], Artificial Neural Networks (ANN) [13] [14] and Bayesian Learning [15] have also been applied....