HIGH ACCURACY DETECTION OF DENIAL OF SERVICE ATTACK BASED ON TRIANGLE MAP GENERATION

Transcription

1 Available Online at International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014, pg RESEARCH ARTICLE ISSN X HIGH ACCURACY DETECTION OF DENIAL OF SERVICE ATTACK BASED ON TRIANGLE MAP GENERATION J.WELKIN EYES *1, S.KARTHIPREM #2, E.THANGADURAI #3 #1 Assistant Professor, Department of IT, Vivekananda College of Engineering for Women, Tiruchengode, TamilNadu, India *2 PG Scholar, Department of IT, Vivekananda College of Engineering for Women, Tiruchengode, TamilNadu, India {welkineyes@gmail.com} ABSTRACT A DoS attack is the most prevalent threat, viz., traffic in communication resources in order to make the service unavailable for legitimate users, since a decade and continues to be threatening. Denial-of-Service (DoS) attacks cause serious impact on these computing systems. In this project, neuro-fuzzy systems were proposed as subsystems of the ensemble. Sugeno type Neuro-Fuzzy Inference System has been chosen as a base classifier for our research. Single classifier makes error on different training samples. So, by creating the classifiers and combining their outputs, the total amount of error can be reduced and the detection accuracy can be increased. The proposed Adaptive Neuro-Fuzzy Inference based system will be able to detect an intrusion behavior of the networks. The experiments and the evaluations of the proposed method were performed with the KDD Cup 99 intrusion detection Dataset. The results show that our system outperforms two other previously developed state-of-the-art approaches in terms of detection accuracy. 1. Introduction A Denial-of-Service attack (DoS) is when someone tries to stop someone else from viewing parts of the internet. Peoples who have slower internet connections, such as dial-up, are affected more by attacks.a covariance matrix based approach was designed to mine the multivariate correlation for sequential samples in this triangle area map generation technique is introduced to speed up the process and A statistical normalization technique is used to eliminate the bias from the raw data and anomalies can be detected. By applying the principle of detection, which monitors the flags in any network activities presenting significant deviation from legitimate traffic profiles as 2014, IJCSMC All Rights Reserved 90

2 unwanted objects, anomaly-based detection techniques show more promising in detecting zero-day intrusions that exploit previous unknown system vulnerabilities. Anomaly-Based Intrusion Detection System is a system for detecting intrusions in the computer and misuse by monitoring system activity and classifying it as either normal or anomalous and the traffic attack, the system must be taught to recognize normal system activity; these cause more effect in the communication system. A covariance matrix based approach was designed to mine the multivariate correlation for sequential samples in this triangle area map generation technique is introduced to speed up the process and A statistical normalization technique is used to eliminate the bias from the raw data and anomalies can be detected. The DoS attack detection system presented here, it employs the principles of MCA and anomaly-based detection. They provide our detection system with capabilities of accurate characterization for traffic behaviors and anomaly detection respectively. A triangle area map generation technique is developed to speed up the process of multivariate correlation analysis.a technique called statistical normalization is used to eliminate the error from the raw data. Our proposed DoS detection system and the traffic data is evaluated using KDD Cup 99 dataset. Multivariate Correlation Analysis, in which the Triangle Area Map Generation module is applied to extract the correlations between two distinct features in the traffic record and High false positive, can be reduced. MCA-based detection system to protection line services against DoS attacks This, however, is a labor-intensive task and requires expertise in the targeted detection algorithm. Mainly, two phases (they are Training Phase and the Test Phase ) are involved in Decision Making. The Normal Profile Generation module is operated in the Training Phase to generate profiles for various types of legitimate traffic records, and the generated normal profiles are stored in a database. The Tested Profile Generation module is used in the Test Phase to build profiles for individual observed traffic records. Then, the tested profiles are handed over to the Attack Detection module that compares the individual tested profiles with the respective stored normal profiles. A threshold-based classifier is employed in the Attack Detection module to distinguish DoS attacks from legitimate traffic. A threshold-based classifier is employed in the Attack Detection module to distinguish DoS attacks from legitimate traffic. Threshold classifier doesn t support nonlinear data, so its create low detection accuracy. Detection accuracy becomes low in the threshold value.for this low process, our proposed system introduced Neuro-fuzzy classifier, Neuro-fuzzy hybridization is widely termed as Fuzzy Neural Network (FNN) or Neuro-Fuzzy System (NFS) in the literature. Neuro-fuzzy system (the more popular term is used henceforth) incorporates the human-like reasoning style of fuzzy systems through the use of fuzzy sets and a linguistic model consisting of a set of IF-THEN fuzzy rules. By using the proposed classifier High detection accuracy and Low computational overhead can be achieved. 2. Sample-by-sample Detection The group-based detection mechanism maintained a higher probability in classifying a group of sequential network traffic samples than the sample-by-sample detection mechanism.this restricts the applications of the group-based detection to limited scenarios, because at-tacks occur unpredictably in general and it is difficult to obtain a group of sequential samples only from the same distribution. To remove this restriction, our system in this paper investigates traffic samples individually. This offers benefits that are not found in the group-based detection mechanism.1.attacks can be detected in the group-based detection mechanism 2.intrusive traffic samples can be labeled as unique 3. Correctly classifying a sample into its population is higher than the one achieved using the group-based detection mechanism. To understand the merits, we illustrate them through a mathematical example which assumes traffic samples are independent and identically distributed and legitimate traffic and illegitimate traffic follow normal distributions X 1 Y(μ 1,σ 2 1) and X 2 Y(μ 2,σ 2 2) respectively. Sample-by-sample labeling and the group-based labeling are used to identify the correct distribution for the individuals from a group of k independent samples {a 1, a 2,,a k } The threshold value for classifying a sample into one of the two distributions Y (μ1,σ21) and Y(μ2,σ2). The sampleby-sample labeling can always achieve better detection precision than the group-based labeling. 2014, IJCSMC All Rights Reserved 91

3 3. Multivariate Correlation Analysis The coefficient of multiple correlations is a measure of how well a given variable can be predicted using a linear function of a set of other variables. It is measured by the square root of determination, but under the particular assumptions the best possible linear predictors are used and the intercept is included, whereas the coefficient of determination is defined for more general cases, including nonlinear prediction which the predicted values have not been derived from a model-fitting procedure. The multiple correlation takes values between zero and one; a higher value indicates a better predictability of the dependent variable from the independent variables, with a value indicating that the predictions are exactly correct and a value of zero indicating that no linear combination of the independent variables is a better predictor than is the fixed mean of the dependent variable. To describe these statistical properties, we present a novel Multivariate Correlation Analysis (MCA) approach. By using This MCA approach triangle area for extracting the correlative information between the features within an observed data object (traffic record). The details are presented in the following. We had apply the concept of triangle area to extract the geometrical correlation between the i th and j th features in the v i. When comparing the two Triangle area map, we can imagine the map into two images symmetric along their main diagonals. Any differences were identified on the upper triangles of the images, and can be found on their lower triangles as well. Therefore, to perform a quick comparison of the two TAM, we can choose to investigate either the upper triangles or the lower triangles of the TAM only. This produces the same result as comparing using the entire TAM (therefore, the correlations residing in a traffic record (vector v i ) can be represented effectively and correctly by the upper triangle or the lower triangle of the respective. 4. Detection Mechanisms Threshold-based anomaly detector, was proposed in this whose normal profiles are generated using purely legitimate network traffic records for future comparisons with new incoming investigated traffic records. The Difference between a new incoming traffic record and the normal profile is examined by the proposed detector. If the Difference is greater than a pre-classified threshold, the traffic record is report as an attack. Otherwise, it is flagged as a legitimate traffic record. Clearly, normal profiles and thresholds have direct influence on the performance of a threshold-based detector. A low quality normal profile causes an inaccurate Behavior to legitimate network traffic. For this process, we first apply the proposed triangle-area-based MCA approach to analyze legitimate network traffic, and the generated TAM are then used to give quality features for normal profile generation. 4.1 THRESHOLD SELECTION The threshold is used to differentiate attack traffic from the legitimate one. For a normal distribution, α is normally ranged from 1 to 3. This means that detection decision can be made with a certain level of confidence varying from 68% to 99.7%in association with the selection of different values. Thus, if the MD between an observed traffic record x observed and the respective normal profile is greater than the threshold value, it will be considered as an attack. 5. Evaluation of the MCA-Based DOS Attack Detection System Testing our approach on KDD Cup 99 dataset contributes a convincing evaluation and makes the comparisons with other state-of-the-art techniques. Additionally, our detection system innately withstands the negative impact introduced by the dataset because its profiles are built purely based on legitimate network traffic. During the evaluation, the 10 percent labeled data of KDD Cup 99 dataset is used, where three types of legitimate traffic (TCP, UDP and ICMP traffic) and six different types of DoS attacks (Teardrop, Smurf, Pod, Neptune, Land and Back attacks) are available in the communication path. All of these records are first filtered and then are further grouped into seven clusters according to their labels (see Table 9 in Appendix 4 in the supplemental file to this paper for details) form. The overall evaluation process is detailed as follows. First, the proposed triangle-area-based MCA approach is assessed for its capability of network traffic characterization. Second, a 10-fold cross-validation is conducted to evaluate the detection performance of the proposed MCA-based detection system, and the entire filtered data subset is used in this task. In the training phase, we employ only the Normal records in the data set. Normal profiles are built with respect to the different types of legitimate traffic using the algorithm. The 2014, IJCSMC All Rights Reserved 92

4 corresponding thresholds are determined according to given the parameter α varying from 1 to with an increment of 0.5. During the test phase, both the Normal records and the attack records are taken into account. As given in Fig. 3, the observed samples are examined against the respective normal profiles which are built based on the legitimate traffic records carried using the same type of Transport layer protocol. Third, four metrics, namely True Negative Rate (TNR), Detection Rate (DR), False Positive Rate (FPR) and Accuracy (i.e. the proportion of the overall samples which are classified correctly), are used to evaluate by the proposed MCA-based detection system. To be a good candidate, our proposed detection system is required to achieve high detection accuracy. 5.1 Results and Analysis on Normalized Data The results shows that the data does have significant influence on our detection system, whose overall performance increases in accuracy when taking the normalized data as the inputs and now completely classified correctly by the system based the increase of the threshold value maximum 98.75% detection accuracy range without the fixed threshold value. Performance Comparisons The ROC curves of the previous two evaluations are shown in the Fig. 5. The relationship between DR and FPR is clearly revealed in the ROC curves. The DR increases when larger numbers of false positive are tolerated. In Fig. 5a, the ROC curve for analyzing the original data using our proposed detection system shows a rising trend. The curve climbs gradually from 86.98% DR to 89.44% DR, and finally reaches to 95.11% DR the ROC curve for analyzing the normalized data presents a resembling pattern but jumps dramatically from 99.97% DR to 99.99% DR after experiencing slow progress as shown in Fig our proposed MCA-based detection system (95.20% for the original data and 99.95% for the normalized data). 5b. Fig.5. ROC curves for the detection of DoS attacks 6. Neuro Fuzzy A neuro-fuzzy system is a fuzzy system that uses a learning algorithm derived from or inspired by neural network theory to determine its parameters (fuzzy sets and fuzzy rules) by processing data samples. In artificial intelligence, neuro-fuzzy refers to combinations of artificial neural networks and fuzzy logic. Neuro-fuzzy was proposed by J. S. R. Jang. Neuro-fuzzy hybridization results in a hybrid intelligent system that synergizes these two techniques by combining the human-like reasoning style of fuzzy systems with the learning and connectionist structure of neural networks. Neuro-fuzzy hybridization is also termed as Fuzzy Neural Network (FNN) or Neuro-Fuzzy System (NFS) in the literature. Neuro-fuzzy system (the more popular term is used henceforth) incorporates the human-like 2014, IJCSMC All Rights Reserved 93

5 reasoning style of fuzzy systems through the use of fuzzy sets and a linguistic model consisting of a set of IF-THEN fuzzy rules it has the set of rules and procedures. The main strength of neuro-fuzzy systems is that they are universal approximates with the ability to solicit interpretable IF-THEN rules. 6.1 FUZZY SYSTEM Fuzzy system can handle fuzzy logic and fuzzy set theory. A fuzzy system demands linguistic rules instead of learning examples as prior knowledge of this. Furthermore the input and output variables have to be described linguistically in the system. If the knowledge is incomplete or wrong, then the fuzzy system must be tuned to the trusted part. Since there is not any formal approach for it, the heuristic way is performed in a tuning. This is usually very time consuming and error-prone in the fuzzy system. 6.2 HYBRID FUZZY NEURAL NETWORK Hybrid neuro-fuzzy systems are homogeneous and usually resemble neural networks. The fuzzy system is introduced as special kind of neural network for the accuracy pattern. The advantage of such hybrid NFS is its architecture since both fuzzy system and neural network do not have to communicate any more with each other in the same network. They are one fully fused entity in network. These systems can learn online and offline by this. The rule base of a fuzzy system is interpreted as a neural network based on IF-THEN rule. Fuzzy sets can be regarded as weights as the input and output variables and the rules are modeled as neurons. Neurons can be inserted or removed in the learning process. Finally, the neurons of the network represent the fuzzy knowledge based. Obviously, the major drawbacks of both underlying systems are thus overcome here. In order to build a fuzzy controller in this, the membership functions which express the linguistic terms of the inference rules have to be defined here. In fuzzy set theory, there does not exist any formal approach to define neuro fuzzy functions. Any shape (e.g., triangular, Gaussian) can be considered as membership function with an arbitrary set of parameters specified. Thus the optimization of these functions in terms of generalizing the data is very important for fuzzy system. Neural networks can be used to solve these problems, so we specify neuro technique 6.3 SUGENO MODEL The Sugeno Fuzzy model (also known as the TSK fuzzy model) was proposed by Takagi, Sugeno, and Kang to develop a systematic approach to generating fuzzy rules from a given input-output dataset record. A typical fuzzy rule in a Sugeno fuzzy model has the form of function Where A and B are fuzzy sets in the antecedent, while z=f(x,y) is a crisp function in the consequent relation. Usually f(x, y) is a polynomial in the input variables x and y, but it can be any function as long as it can appropriately describe the output of the model within the fuzzy region specified by the antecedent of the IF-THEN-ELSE rule. When f(x, y) is a first-order polynomial, the result of the fuzzy inference system is called a first-order Sugeno fuzzy model, which was originally proposed. When f is a constant, we then have a zero-order Sugeno fuzzy model, which can also be viewed as a special case of the Mamdani Fuzzy inference system, the each rule s consequent is specified by a fuzzy singleton (or a pre-defuzzified consequent), or a special case of Tsukamoto fuzzy model, in which the each rule s consequent is specified by an MF of a step function centre at the constant. The output of a zero-order Sugeno model is a smooth function of its input variables as long as the neighboring MFs in the antecedent have enough overlap. It can also defined, the overlap of MFs in the consequent of a Mamdani model does not have a decisive effect on the smoothness; it is the overlap of the antecedent MFs that determines the smoothness of the resulting input-output behavior. 2014, IJCSMC All Rights Reserved 94

6 7. Conclusion In this paper we have presented a MCA-based DoS attack detection system in which triangle-area-based MCA technique and the anomaly-based detection technique is used. The technique extracts the geometrical correlations hidden in individual pairs of two distinct features within each network traffic record, and gives more accurate characterization for network traffic behaviors. The statistical analysis and triangle area map generation technique facilitates our system to be able to distinguish both known and unknown DoS attacks from legitimate network traffic. Evaluation has been conducted using KDD Cup 99 dataset it contains the traffic record. For producing accurate detection in the fixed threshold value the neuro-fuzzy systems were proposed as subsystems of the ensemble. Sugeno type Neuro-Fuzzy Inference System has been chosen as a base and by using this classifier the system gives high accuracy detection and low computational overload has been obtained. REFERENCES 1. A. Valdes and K. Skinner, "Adaptive, Model-Based Monitoring for Cyber Attack Detection," presented at Recent Advances in Intrusion Detection, Toulouse, France, K. Park and H. Lee. On the effectiveness of route-based packet filtering for distributed dos attack prevention in power-law in-ternets. In Proceedings of ACM SIGCOMM 2001, San Diego, CA, August Blazek, R., H. Kim, B. Rozovskii, and A. Tartakovsky, A Novel Approach to Detection of Denial-of- Service Attacks via Adaptive Sequential and Batch-sequential Change-Point Detection Methods, Proc. of the 2001 IEEE Workshop on Information Assurance and Security, June Eleazar Eskin, Matthew Miller, Zhi-Da Zhong, George Yi, Wei-Ang Lee, Salvatore Stolfo, Adaptive Model Generation for Intrusion Detection Systems,IEEE Computer Society, Y. Chen and K. Hwang, Collaborative Change Detection of DDoS Attacks on Community and ISP Networks, IEEE Int l Symp. on Collaborative Technologies and Systems (CTS 2006), Las Vegas, May 15-17, Proc. of the 2nd ACM SIGCOMM Workshop on Internet Measurements, (2002) 6. Greg Vert Deb orah A. Frincke Jesse C. McConnell, A Visual Mathematical Mo del for Intrusion Detection, IEEE Fourth Computer Security Applications Conference, J. Ioannidis and S. M. Bellovin, Implementing Pushback: Router-Based Defense against DDoS Attacks, Network and Distributed System Security Symposium. (NDSS), San Diego, CA. Feb. 6-8, W. Streilein, R.K. Cunningham, S.E. Webster, Improved detection of low-profile probe and novel denialof-service attacks (2002), Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Baltimore, Maryland, June 2002, pp Akella, A. et al. (2003). Detecting DDoS Attacks on ISP Networks. In ACM SIGMOD/PODS Workshop on management and processing of data streams (MPDS) FCRC. 10. Feinstein, L. et al. (2003). Statistical approach to DDoS attack detection and response. In Proceedings of the DARPA information survivability conference and exposition (pp ). 11. C. Jin, H. Wang, and K. Shin, Hop-count Filtering: An Effective Defense against Spoofed DDoS Traffic, Proc. of the 10th ACM Conference on Computer and Communications Security, 2003, pp C. F. Tsai and C. Y. Lin, A Triangle Area Based Nearest Neighbors Approach to Intrusion Detection, Pattern Recognition, vol. 43, pp , A. A. Cardenas, J. S. Baras, and V. Ramezani, Distributed change detection for worms, DDoS and other network attacks, The American Control Conference, Vol.2, pp , Y. Kim, W. C. Lau, M. C. Chuah, and H. J. Chao, PacketScore: Statistics-Based Overload Control Against Distributed Denial of-service Attacks, Proc. INFOCOM, Y. Chen, Y. K. Kwok, and K. Hwang, MAFIC: Adaptive Packet Dropping for Cutting Malicious Flows to Pushback DDoS Attacks, IEEE International Workshop on Security in Distributed Computing Systems (SDCS-2005), Yu Chen, Yu-Kwong Kwok, and Kai Hwang, University of Southern California, Los Angeles, Filtering Shrew DDoS Attacks Using A New Frequency-Domain Approach, on June 20, D. Gavrilis and E. Dermatas, Real-time Detection of Distributed Denial-of-service Attacks Using RBF Networks and Statistical Features, Computer Networks, vol. 48, no. 2, pp , , IJCSMC All Rights Reserved 95

7 17. C. Yu, H. Kai, and K. Wei-Shinn, Collaborative Detection of DDoS Attacks over Multiple Network Domains, Parallel and Distributed Systems, IEEE Transactions on, vol. 18, pp , Ahmed T., Coates M., Lakhina A.: Multivariate Online Anomaly Detection Using Kernel Recursive Least Squares. Proc. of 26th IEEE International Conference on Computer Communications (2007) 19. K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, DDoS attack detection method using cluster analysis, Expert Systems with Applications, vol. 34, no. 3, pp , Barford P., Kline J., Plonka D., Ron A.: A Signal Analysis of Network Traffic Anomalies., vol. 18, pp W. Hu, W. Hu, and S. Maybank, AdaBoost-Based Algorithm for Network Intrusion Detection, Trans. Sys. Man Cyber. Part B, vol. 38, no. 2, pp , Y.Dhanalakshmi 1 and Dr.I. Ramesh Babu, Intrusion Detection Using Data Mining Along Fuzzy Logic and Genetic Algorithms, IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.2, February Marina Thottan, Guanglei Liu, Chuanyi Ji, Anomaly Detection Approaches for Communication Networks, IEEE/ACM Tran. Networking (2009) 24. Zhong,R and Yue,G. (2010) DDoS detection system based on data mining. Proceedings of the 2 nd International Symposium on Networking and Network Security, Jinggangshan, China, 2 4 April, pp Academy Publisher. 25. Lifang Zi, John Yearwoody, Xin-Wen Wuz, Adaptive Clustering with Feature Ranking for DDoS Attacks Detection Fourth International Conference on Network and System Security,, Vol. 8, Issue 5, No 1, , IJCSMC All Rights Reserved 96