Proceedings ArticleDOI

Efficient detection of DDoS attacks with important attributes

TL;DR: A system that only extracts several important attributes from network traffic for DDoS attack detection in real computer networks is introduced and empirical results show that only using the most important 9 attributes, the detection accuracy remains the same or has some improvements compared with that of using all the 41 attributes based on Bayesian Networks and C4.5 methods.
Abstract: DDoS attacks are major threats in current computer networks. However, DDoS attacks are difficult to detect quickly. In this paper, we introduce a system that extracts only a few important attributes from network traffic for DDoS attack detection in real computer networks. We collect a large set of DDoS attack traffic by implementing various DDoS attacks, as well as normal data during normal usage. Information Gain and Chi-square methods are used to rank the importance of 41 attributes extracted from the network traffic with our programs. Bayesian networks as well as C4.5 are then employed to detect attacks and to determine what number of attributes is appropriate for fast detection. Empirical results show that using only the 9 most important attributes, the detection accuracy remains the same or even improves compared with that of using all 41 attributes with Bayesian Networks and C4.5. Using only a few attributes also improves efficiency in terms of attribute construction, model training and intrusion detection.
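The abstract describes the core pipeline without showing it: score every attribute with Information Gain and with a chi-square statistic against the attack/normal label, rank by both, and keep only the top few. The following is an added example, not the paper's code or dataset: it implements both scores from scratch over a constructed eight-connection sample with four categorical attributes (`protocol`, `syn_flag`, `pkt_rate`, `src_port_parity`, all invented here), ranks them, and selects the top-k by average rank position across the two methods. The `src_port_parity` attribute is included deliberately as one that carries no information, so the example shows what a zero score looks like.

```python
"""Rank connection attributes by Information Gain and chi-square, then keep the top-k.

Added example; not the paper's own code. The records, attribute names and
label values below are constructed for illustration.
"""
from collections import Counter, defaultdict
from math import log2

LABEL = "label"

# Constructed sample: eight summarised connections, two classes.
# pkt_rate separates the classes perfectly, syn_flag partially,
# protocol weakly, and src_port_parity not at all.
RECORDS = [
    {"protocol": "tcp", "syn_flag": 1, "pkt_rate": "high", "src_port_parity": "even", LABEL: "attack"},
    {"protocol": "tcp", "syn_flag": 1, "pkt_rate": "high", "src_port_parity": "odd",  LABEL: "attack"},
    {"protocol": "udp", "syn_flag": 0, "pkt_rate": "high", "src_port_parity": "even", LABEL: "attack"},
    {"protocol": "tcp", "syn_flag": 1, "pkt_rate": "high", "src_port_parity": "odd",  LABEL: "attack"},
    {"protocol": "tcp", "syn_flag": 0, "pkt_rate": "low",  "src_port_parity": "even", LABEL: "normal"},
    {"protocol": "udp", "syn_flag": 0, "pkt_rate": "low",  "src_port_parity": "odd",  LABEL: "normal"},
    {"protocol": "tcp", "syn_flag": 1, "pkt_rate": "low",  "src_port_parity": "even", LABEL: "normal"},
    {"protocol": "udp", "syn_flag": 0, "pkt_rate": "low",  "src_port_parity": "odd",  LABEL: "normal"},
]


def entropy(values):
    """Shannon entropy in bits of a list of class labels."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def information_gain(records, attr, label=LABEL):
    """IG(Y; X) = H(Y) - sum_v P(X=v) * H(Y | X=v)."""
    base = entropy([r[label] for r in records])
    by_value = defaultdict(list)
    for r in records:
        by_value[r[attr]].append(r[label])
    n = len(records)
    conditional = sum(len(ys) / n * entropy(ys) for ys in by_value.values())
    return base - conditional


def chi_square(records, attr, label=LABEL):
    """Pearson chi-square statistic of the attr x label contingency table."""
    n = len(records)
    observed = Counter((r[attr], r[label]) for r in records)
    attr_totals = Counter(r[attr] for r in records)
    label_totals = Counter(r[label] for r in records)
    stat = 0.0
    for v, nv in attr_totals.items():
        for y, ny in label_totals.items():
            expected = nv * ny / n          # expected count under independence
            stat += (observed[(v, y)] - expected) ** 2 / expected
    return stat


def rank_attributes(records, scorer, label=LABEL):
    """Return [(attribute, score), ...] sorted from most to least informative."""
    attrs = [k for k in records[0] if k != label]
    scored = {a: scorer(records, a, label) for a in attrs}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def select_attributes(records, k, label=LABEL):
    """Keep the k attributes with the best average position across both rankings."""
    positions = defaultdict(float)
    for scorer in (information_gain, chi_square):
        for pos, (attr, _) in enumerate(rank_attributes(records, scorer, label)):
            positions[attr] += pos
    return sorted(positions, key=positions.get)[:k]


if __name__ == "__main__":
    for name, scorer in (("Information Gain", information_gain), ("Chi-square", chi_square)):
        print(name)
        for attr, score in rank_attributes(RECORDS, scorer):
            print(f"  {attr:16s} {score:.4f}")
    print("selected:", select_attributes(RECORDS, 2))
```

On real traffic the attributes are mostly numeric (packet counts, byte rates, durations); both scores as written expect categorical values, so numeric attributes would be binned first, as the paper's classifiers also require. The reduced attribute set is what makes the approach cheap at detection time: only the selected attributes need to be computed per connection, which is the efficiency gain the abstract refers to.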
Citations
Proceedings ArticleDOI
10 Oct 2010
TL;DR: This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches.
Abstract: Distributed denial-of-service (DDoS) attacks became one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, its detection is a very hard task because of the similarities between normal traffic and useless packets, sent by compromised hosts to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches. This is possible due to the use of the NOX platform which provides a programmatic interface to facilitate the handling of switch information. Other major contributions include the high rate of detection and very low rate of false alarms obtained by flow analysis using Self Organizing Maps.

689 citations


Cites methods from "Efficient detection of DDoS attacks..."

  • ...To extract from an actual traffic the features used in this dataset, it would be necessary to preprocess the packets flowing to the victim....


Journal ArticleDOI
TL;DR: An ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection that can effectively reduce the number of features and has a high detection rate and classification accuracy when compared to other classification techniques.
Abstract: Widespread adoption of cloud computing has increased the attractiveness of such services to cybercriminals. Distributed denial of service (DDoS) attacks targeting the cloud's bandwidth, services and resources to render the cloud unavailable to both cloud providers and users are a common form of attack. In recent times, feature selection has been identified as a pre-processing phase in cloud DDoS attack defence which can potentially increase classification accuracy and reduce computational complexity by identifying important features from the original dataset during supervised learning. In this work, we propose an ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection. We then perform an extensive experimental evaluation of our proposed method using the intrusion detection benchmark dataset NSL-KDD and a decision tree classifier. The findings show that our proposed method can effectively reduce the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.

255 citations

Journal ArticleDOI
TL;DR: In this article, an ensemble-based multi-filter feature selection method was proposed to reduce the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.
Abstract: Increasing interest in the adoption of cloud computing has exposed it to cyber-attacks. One such attack is the distributed denial of service (DDoS) attack, which targets cloud bandwidth, services and resources to make them unavailable to both cloud providers and users. Due to the magnitude of traffic that needs to be processed, data mining and machine learning classification algorithms have been proposed to separate normal packets from anomalies. Feature selection has also been identified as a pre-processing phase in cloud DDoS attack defence that can potentially increase classification accuracy and reduce computational complexity by identifying important features from the original dataset during supervised learning. In this work, we propose an ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection. An extensive experimental evaluation of our proposed method was performed using the intrusion detection benchmark dataset NSL-KDD and a decision tree classifier. The result obtained shows that our proposed method effectively reduced the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.

187 citations

Proceedings ArticleDOI
Chen Zhuo, Fu Jiang, Yijun Cheng, Xin Gu, Weirong Liu, Jun Peng
01 Jan 2018
TL;DR: The extreme gradient boosting (XGBoost) classifier is used as the detection method in an SDN-based cloud, and results validate that the method achieves higher accuracy, a lower false positive rate, fast speed and scalability.
Abstract: The marriage of cloud and software defined networking (SDN) can address challenges that exist in typical cloud platforms, such as private cloud isolation of users and network flow control. But in an SDN-based cloud, the SDN controller which manages the whole system is vulnerable to distributed denial-of-service (DDoS) attacks, causing paralysis of the entire network. It is critical for the SDN controller's attack detection to be fast, low in false positives and highly precise. In this paper, we use extreme gradient boosting (XGBoost) as the detection method in an SDN-based cloud. In addition, we use POX as the SDN controller, build the SDN topology using Mininet and simulate a real DDoS attack environment with the attack tool Hyenae. The XGBoost classifier uses the flow packet data set collected by TcpDump for DDoS detection and is compared with other classifiers. The detection results validate that our method achieves higher accuracy, a lower false positive rate, fast speed and scalability.

152 citations


Cites methods from "Efficient detection of DDoS attacks..."

  • ...Referring to [13], we selected 9 important features (as shown in Table 1, the characteristics with the blue background are the features selected by us), which have the maximum information gain and chi-square statistic for DDoS detection, including... (Table I: all 41 features in the four types)


Proceedings ArticleDOI
25 Apr 2016
TL;DR: It is argued that Software-Defined Networking (SDN) forms a propitious environment for the design and implementation of more robust and extensible anomaly classification schemes.
Abstract: Anomaly traffic detection and classification mechanisms need to be flexible and easy to manage in order to detect the ever growing spectrum of anomalies. Detection and classification are difficult tasks for several reasons, including the need to obtain an accurate and comprehensive view of the network, the ability to detect the occurrence of new attack types, and the need to deal with misclassification. In this paper, we argue that Software-Defined Networking (SDN) forms a propitious environment for the design and implementation of more robust and extensible anomaly classification schemes. Different from other approaches in the literature, which individually tackle either anomaly detection, classification or mitigation, we present a management framework that performs these tasks jointly. Our proposed framework is called ATLANTIC and it combines the use of information theory to calculate deviations in the entropy of flow tables with a range of machine learning algorithms to classify traffic flows. As a result, ATLANTIC is a flexible framework capable of categorizing traffic anomalies and using the information collected to handle each traffic profile in a specific manner, e.g., blocking malicious flows.

101 citations


Cites background from "Efficient detection of DDoS attacks..."

  • ...Despite the high accuracy and performance obtained with some techniques, machine learning algorithms tend to suffer from several limitations: (i) the difficulty of determining the best set of discriminators to classify flows [13]; (ii) the availability of labeled training data for classification [8] [14]; (iii) the trade-offs between different machine learning algorithms regarding accuracy and performance [14]; (iv) the sheer amount of traffic data that makes it difficult to handle and to promptly detect malicious activities [15] [10]; (v) the availability of a high amount of resources, such as management systems and middleboxes, to collect traffic information [16]....


  • ..., Distributed Denial of Service (DDoS) attacks [10], [11]....


References
01 Jan 1994
TL;DR: In his new book, C4.5: Programs for Machine Learning, Quinlan has put together a definitive, much needed description of his complete system, including the latest developments, which will be a welcome addition to the library of many researchers and students.
Abstract: Algorithms for constructing decision trees are among the most well known and widely used of all machine learning methods. Among decision tree algorithms, J. Ross Quinlan's ID3 and its successor, C4.5, are probably the most popular in the machine learning community. These algorithms and variations on them have been the subject of numerous research papers since Quinlan introduced ID3. Until recently, most researchers looking for an introduction to decision trees turned to Quinlan's seminal 1986 Machine Learning journal article [Quinlan, 1986]. In his new book, C4.5: Programs for Machine Learning, Quinlan has put together a definitive, much needed description of his complete system, including the latest developments. As such, this book will be a welcome addition to the library of many researchers and students.

8,046 citations

Proceedings Article
08 Jul 1997
TL;DR: This paper finds strong correlations between the DF, IG and CHI values of a term and suggests that DF thresholding, the simplest method with the lowest cost in computation, can be reliably used instead of IG or CHI when the computation of these measures is too expensive.
Abstract: This paper is a comparative study of feature selection methods in statistical learning of text categorization. The focus is on aggressive dimensionality reduction. Five methods were evaluated, including term selection based on document frequency (DF), information gain (IG), mutual information (MI), a chi-square test (CHI) and term strength (TS). We found IG and CHI most effective in our experiments. Using IG thresholding with a k-nearest neighbor classifier on the Reuters corpus, removal of up to removal of unique terms actually yielded an improved classification accuracy (measured by average precision). DF thresholding performed similarly. Indeed we found strong correlations between the DF, IG and CHI values of a term. This suggests that DF thresholding, the simplest method with the lowest cost in computation, can be reliably used instead of IG or CHI when the computation of these measures is too expensive. TS compares favorably with the other methods with up to vocabulary reduction but is not competitive at higher vocabulary reduction levels. In contrast, MI had relatively poor performance due to its bias towards favoring rare terms and its sensitivity to probability estimation errors.

5,366 citations

Proceedings Article
21 Aug 2003
TL;DR: A novel concept, predominant correlation, is introduced, and a fast filter method is proposed which can identify relevant features as well as redundancy among relevant features without pairwise correlation analysis.
Abstract: Feature selection, as a preprocessing step to machine learning, is effective in reducing dimensionality, removing irrelevant data, increasing learning accuracy, and improving result comprehensibility. However, the recent increase of dimensionality of data poses a severe challenge to many existing feature selection methods with respect to efficiency and effectiveness. In this work, we introduce a novel concept, predominant correlation, and propose a fast filter method which can identify relevant features as well as redundancy among relevant features without pairwise correlation analysis. The efficiency and effectiveness of our method is demonstrated through extensive comparisons with other methods using real-world data of high dimensionality.

2,251 citations


"Efficient detection of DDoS attacks..." refers background in this paper

  • ...978-1-4244-3309-4/08/$25.00 ©2008 IEEE Keywords: Intrusion detection system; DDoS attack detection; attribute selection; Bayesian networks; C4.5...


David Heckerman
01 Jan 2007
TL;DR: In this paper, the authors examine a graphical representation of uncertain knowledge called a Bayesian network, which is easy to construct and interpret, yet has formal probabilistic semantics making it suitable for statistical manipulation.
Abstract: We examine a graphical representation of uncertain knowledge called a Bayesian network. The representation is easy to construct and interpret, yet has formal probabilistic semantics making it suitable for statistical manipulation. We show how we can use the representation to learn new knowledge by combining domain knowledge with statistical data.

1,600 citations

Proceedings ArticleDOI
14 May 1999
TL;DR: A data mining framework for adaptively building Intrusion Detection (ID) models is described, to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities.
Abstract: There is often the need to update an installed intrusion detection system (IDS) due to new attack methods or upgraded computing environments. Since many current IDSs are constructed by manual encoding of expert knowledge, changes to IDSs are expensive and slow. We describe a data mining framework for adaptively building Intrusion Detection (ID) models. The central idea is to utilize auditing programs to extract an extensive set of features that describe each network connection or host session, and apply data mining programs to learn rules that accurately capture the behavior of intrusions and normal activities. These rules can then be used for misuse detection and anomaly detection. New detection models are incorporated into an existing IDS through a meta-learning (or co-operative learning) process, which produces a meta detection model that combines evidence from multiple models. We discuss the strengths of our data mining programs, namely, classification, meta-learning, association rules, and frequent episodes. We report on the results of applying these programs to the extensively gathered network audit data for the 1998 DARPA Intrusion Detection Evaluation Program.

1,288 citations


"Efficient detection of DDoS attacks..." refers background in this paper

  • ...978-1-4244-3309-4/08/$25.00 ©2008 IEEE Keywords: Intrusion detection system; DDoS attack detection; attribute selection; Bayesian networks; C4.5...
