A Real Time System for Denial of service Attack Detection Based on Multivariate Correlation Analysis Approach


International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT)

Miss Komal K. More (1) and Prof. Pramod B. Gosavi (2)
(1) ME Student, Computer Department, GF's Godavari College of Engineering, Jalgaon, North Maharashtra University, India. komalmorey@rediffmail.com
(2) Information Technology Department, GF's Godavari College of Engineering, Jalgaon, North Maharashtra University, India. pramodgosavi@rediffmail.com

Abstract

Denial of Service (DOS) attacks are emerging as one of the most dangerous threats to a variety of inter-connected web servers. Internet users rely on the internet for tasks such as general information surfing and online banking. A DOS attack prevents users from using these services; hence it is essential to detect DOS attacks. This paper presents a novel approach: a multivariate correlation analysis (MCA) based denial of service attack detection system that works in real time. Our MCA approach uses the principles of anomaly-based detection, and to speed up MCA a triangle area approach is implemented over the complete system. MCA calculates the geometrical correlations between network traffic features. The efficiency of the system is checked on three different datasets: the KDD Cup 99 dataset, the advanced and improved NSL dataset, and a real-time dataset.

Keywords: Denial of Service, triangle area map generation, multivariate correlation analysis.

I. INTRODUCTION

The internet is the backbone of global communication. A variety of web servers provide client-server services and are currently exposed to one of the most threatening attacks, Denial of Service. A DOS attack makes the target unavailable for anything from a few minutes to a few days, or even permanently, causing severe loss to the services running on the target. Hence efficient identification of DOS attacks is crucial for the security of online services.

A DOS detection mechanism can be either a host-based or a network-based intrusion detection system (IDS). Host-based IDS are more problematic because they are tightly coupled to the operating system of the host they guard. A network-based IDS (NIDS) observes the traffic transmitted on protected networks, detects attacks, and ensures the safe transmission of data between web servers and clients with minimum response delay.

Normally, NIDS are categorized into two varieties: misuse-based detection systems [1] and anomaly-based detection systems [2]. The first identifies attacks by observing all activity on the network and comparing the traffic with previous and current attack signatures. Although it detects well-known attacks with high accuracy and a comparatively low false positive rate, this mechanism has a major drawback: newer variants of known attacks, and unknown attacks, are introduced every day. Hence it needs continuous upgrades of the attack signature database, which in turn requires highly skilled security experts. The second approach is much more promising: it works on the principle of flagging every network activity that deviates significantly from legitimate traffic profiles as suspicious. This mechanism needs no network experts for its operation. It is the more reliable kind of IDS against attacks that exploit previously unknown system vulnerabilities.

There are various kinds of host-based and network-based DOS attacks. Reference [3] gives a brief introduction to a few popular DOS attacks, such as Neptune, Land, Back, POD, Teardrop and Smurf, for which our detection mechanism works effectively.

Legitimate traffic profiles play a vital role in detection mechanisms. Techniques for generating a legitimate profile include data mining based [4], fuzzy logic based [5], machine learning based [6] and statistical analysis based [7] methods, which ordinarily suffer from high false positive rates. This happens because the correlations among features are ignored [8].

The next section gives a brief literature survey of previously existing systems together with the problem definition. Section 3 defines the proposed system with its detailed system architecture.

Figure 1: General system architecture

II. LITERATURE SURVEY

Recent studies have concentrated on feature correlation analysis. Yu et al. [9] proposed a procedure to discriminate distributed DOS attacks from flash crowds by evaluating the flow correlation coefficient among suspicious flows. In [10] a newer approach based on a covariance matrix was proposed to capture the multivariate correlations of consecutive samples. Even though this approach increases detection accuracy, it is vulnerable to attacks that linearly change all monitored features. Moreover, this methodology can only label a whole group of examined samples as legitimate or attack traffic; it cannot label the individual traffic records in the group.

To tackle these difficulties, a triangle area map generation approach was proposed in [11], which produces better discriminative features. However, this approach depends on prior knowledge of malicious activities. More recently, Jamdagni et al. [12] developed a sophisticated geometrical structure based analysis method, in which the Mahalanobis distance is used to extract the correlations among selected packet payload features. This method avoids the problems of the previous methods, but it has its own drawback: it works on network packet payloads.

In [13], Tan et al. proposed a more sophisticated, non-payload-based DOS detection approach using Multivariate Correlation Analysis (MCA). Following this line of work, in [14] the authors introduced the combination of the triangle area technique with the MCA-based detection method to protect online services from becoming victims of DOS attacks. In [15] Z. Tan et al. developed a comprehensive framework with a normal profile generation algorithm and an attack detection algorithm for this DOS detection approach. This method eliminates the drawbacks of the previous methods, yet it has the limitation that it has been implemented over a single dataset, KDD Cup 99 [16], in offline mode.
Our proposed system carries forward the concept of [15]. In addition to the former work, we test the detection system over the offline datasets, KDD Cup 99 as well as the improved NSL dataset [17], and over a few different random real-time test sets, with an increased threshold range from 1 to 4. The DOS attack detection approach introduced in this paper works on the principles of MCA and anomaly-based detection, which give our detection mechanism the ability to characterize traffic behaviour accurately and to recognize both known and unknown attacks. The TAM approach speeds up the MCA procedure. A geometric normalization method is used to remove the bias from the data.

III. PROPOSED SYSTEM ARCHITECTURE

Figure 2 shows the flow of data from the input (an individual traffic record) to the output phase (attack detection). First, basic features are generated from the incoming network traffic. Then, in the MCA phase, the TAM approach is applied to the normalized or non-normalized network traffic to find the correlations between the distinct features of each traffic record. In the last step, decision making, the training module generates the normal profiles, and the testing module passes the observed profiles to the attack detection component, where the traffic records are compared with the legitimate profiles by a threshold-based classifier. Our former work [3] and Tan et al. [15] describe the system framework in detail.

Individual traffic samples are considered for detection, rather than a group of consecutive traffic samples presumed to belong to the same class. Sampling individual records has the following benefits:
(i) Prompt attack detection.
(ii) Individual labelling of each traffic record.
(iii) A higher probability of accurate classification.

Fig. 2: System Architecture. Panel labels: Step 1: Basic Feature Generation; Step 2: MCA (TAM Generation, Normalization); Step 3: Decision (Training phase, Test phase).

IV. MULTIVARIATE CORRELATION ANALYSIS

The behaviour of legitimate traffic differs significantly from that of attack traffic, and this difference can be revealed through geometric properties. Here we use the MCA approach, which applies the triangle area technique to extract the correlative information among the features of the observed traffic records. This approach has the following benefits:
(i) It withstands linear changes of all features.
(ii) It does not depend on prior knowledge of anomalous behaviours.
(iii) It supports quick detection and makes it possible to distinguish individual attack traffic records within a group.

All the extracted correlations, namely the TAMs, are used to replace the original basic features of the observed record. This helps in distinguishing legitimate from attack traffic. The triangle areas are arranged on the map according to their index positions, so the whole map is an n*n matrix. The diagonal elements are set to zero, because we care only about the correlation between each pair of distinct features. Thus, when we compare any two TAMs, we can treat the maps as two images that are symmetric about the diagonal. Any difference found in the upper part of the matrix can also be found in the lower part, below the diagonal. Therefore we consider either the upper or the lower triangle of a TAM.

For a dataset $X = \{x_1, x_2, \dots, x_n\}$, where $x_i = [f_1^i, f_2^i, \dots, f_m^i]^T$ $(1 \le i \le n)$ is the $i$-th $m$-dimensional traffic record, the correlations within a traffic record (vector $x_i$) are given by the lower triangle $TAM^i_{lower}$, and for the dataset $X$ they can be represented as equation 1:

$X_{TAM_{lower}} = [TAM^1_{lower}, TAM^2_{lower}, \dots, TAM^n_{lower}]$ (1)

The procedure for generating the normal (legitimate) profile is taken from [15]. Assume there is a set of $g$ legitimate training traffic records $X^{normal} = \{x_1^{normal}, x_2^{normal}, \dots, x_g^{normal}\}$. The triangle-area-based MCA approach is applied to analyze the records.
The lower triangles of the TAMs of the set of g legitimate records are given by equation 1. The Mahalanobis Distance (MD) is adopted to measure the dissimilarity between traffic records, because it has been used successfully in cluster analysis, classification and multivariate outlier detection.

The algorithm for normal profile generation is given below:

Step 1: Input the network traffic records.
Step 2: Obtain the original features of the individual records.
Step 3: Apply the triangle area concept to find the correlation between the j-th and k-th features in the vector $x_i$.
Step 4: Normal profile generation.
  i. Create the triangle area map of every single record.
  ii. Compute the covariance matrix.
  iii. Compute the MD between the TAM of the legitimate records and the TAM of each input record.
  iv. Calculate the mean.
  v. Calculate the standard deviation.
  vi. Return pro.
Step 5: Attack detection.
  i. Input: observed traffic, normal profile and alpha.
  ii. Generate the TAM for the input traffic.
  iii. Calculate the MD between the normal profile and the input traffic.
  iv. If MD < threshold, recognize the record as normal; else detect an attack.

V. DETECTION MECHANISM

In this part of the paper we present the anomaly detector, which is based on a threshold value. Its normal profiles are created from legitimate traffic records and are used for later comparison with newly observed traffic. The detector examines the dissimilarity between a newly received record and the corresponding normal profile. If the dissimilarity is greater than a pre-defined threshold, the traffic record is marked as an attack. Otherwise, it is labelled as a legitimate traffic record.

Normal profiles and thresholds have a direct influence on the performance of a threshold-based detector. We apply the TAM-based MCA technique to analyze legitimate traffic, and the generated maps supply good quality features for normal profile generation. In [15], the threshold equation that distinguishes legitimate from attack traffic records is given as:

$Threshold = \mu + \sigma \cdot \alpha$ (2)

For a normal distribution, α ranges from 1 to 4, which gives detection decisions at a certain level of confidence, which may vary between 68% %.
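The profile generation and detection steps above, as an added Python example (not the authors' code and not the code of [15]). It assumes the triangle area of features j and k is |f_j|·|f_k|/2, applies the one-sided test MD < μ + σ·α from Step 5 and equation 2, and runs on constructed three-feature records; all function names are hypothetical.

```python
import math
import random

def tam_lower(record):
    """Flattened lower triangle of one record's triangle area map (TAM).
    Assumption: the area for features j > k is |f_j| * |f_k| / 2, so a
    zero-valued feature zeroes every area it takes part in."""
    m = len(record)
    return [abs(record[j]) * abs(record[k]) / 2.0
            for j in range(m) for k in range(j)]

def _mean(rows):
    return [sum(col) / len(rows) for col in zip(*rows)]

def _covariance(rows, mu, ridge=1e-6):
    """Sample covariance of the TAM vectors; the ridge keeps it invertible."""
    n, d = len(rows), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for row in rows:
        diff = [row[i] - mu[i] for i in range(d)]
        for a in range(d):
            for b in range(d):
                cov[a][b] += diff[a] * diff[b] / (n - 1)
    for a in range(d):
        cov[a][a] += ridge
    return cov

def _solve(matrix, rhs):
    """Solve matrix * x = rhs by Gaussian elimination with partial pivoting."""
    d = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, d):
            factor = aug[r][col] / aug[col][col]
            for c in range(col, d + 1):
                aug[r][c] -= factor * aug[col][c]
    x = [0.0] * d
    for i in reversed(range(d)):
        tail = sum(aug[i][c] * x[c] for c in range(i + 1, d))
        x[i] = (aug[i][d] - tail) / aug[i][i]
    return x

def mahalanobis(tam, mu, cov):
    """MD between one TAM vector and the mean TAM of the normal profile."""
    diff = [t - m for t, m in zip(tam, mu)]
    sol = _solve(cov, diff)
    return math.sqrt(max(sum(a * b for a, b in zip(diff, sol)), 0.0))

def build_profile(normal_records):
    """Step 4: mean TAM, covariance, and mean/std of the training MDs."""
    tams = [tam_lower(r) for r in normal_records]
    mu = _mean(tams)
    cov = _covariance(tams, mu)
    dists = [mahalanobis(t, mu, cov) for t in tams]
    md_mu = sum(dists) / len(dists)
    md_sigma = math.sqrt(sum((x - md_mu) ** 2 for x in dists) / (len(dists) - 1))
    return {"mu": mu, "cov": cov, "md_mu": md_mu, "md_sigma": md_sigma}

def classify(record, profile, alpha):
    """Step 5: normal if MD < mu + sigma * alpha, otherwise attack."""
    md = mahalanobis(tam_lower(record), profile["mu"], profile["cov"])
    threshold = profile["md_mu"] + profile["md_sigma"] * alpha
    return "normal" if md < threshold else "attack"

def rates(profile, normals, attacks, alpha):
    """Detection rate and false positive rate at one threshold factor."""
    fp = sum(classify(r, profile, alpha) == "attack" for r in normals)
    tp = sum(classify(r, profile, alpha) == "attack" for r in attacks)
    return tp / len(attacks), fp / len(normals)

def make_demo():
    """Constructed data: three numeric features per record, seeded RNG."""
    rng = random.Random(7)
    def normal():
        return [rng.gauss(10, 1), rng.gauss(20, 2), rng.gauss(5, 0.5)]
    train = [normal() for _ in range(300)]
    held_out = [normal() for _ in range(200)]
    # Constructed flood-like records: the third feature is far above normal.
    attacks = [[rng.gauss(10, 1), rng.gauss(20, 2), rng.gauss(500, 20)]
               for _ in range(50)]
    return build_profile(train), held_out, attacks

if __name__ == "__main__":
    profile, held_out, attacks = make_demo()
    for step in range(2, 9):  # alpha from 1 to 4 in steps of 0.5
        alpha = step / 2
        dr, fpr = rates(profile, held_out, attacks, alpha)
        print(f"alpha={alpha:.1f}  DR={dr:.3f}  FPR={fpr:.3f}")
    print("zero feature:", tam_lower([0, 20, 5]))
```

Raising α can only lower both rates, because the threshold grows with α; the zero-feature call shows why unnormalized records with zero-valued features lose most of their generated TAM features.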
If the Mahalanobis Distance between an observed traffic record $x^{observed}$ and the corresponding normal profile is larger than the threshold, the record is flagged as an attack. Attack detection is covered in the next section.

VI. ATTACK DETECTION AND EVALUATION

A. Algorithm for Attack Detection

Step 1: The task is to classify new packets as they arrive, i.e., to decide which class label they belong to, based on the currently existing traffic records.
Step 2: Formulate the probability, so that we are ready to classify a new packet.
Step 3: Estimate the total number of points in the packet belonging to every record.
Step 4: The final classification is made by combining both sources of information, i.e., the prior and to form a posterior probability.

B. Mathematical modeling

Let S be the system we use to realize the DOS attack detection method. It equips the proposed detection method with the capability of accurate characterization of traffic behaviour and of detecting known and unknown attacks.

Input: Given an arbitrary dataset X = {x1, x2, …, xn}
Output: DP (Detected Packets): DP = {N, M}, where N is the normal packets and M is the malicious packets.
Process: S = {D, MVC, NP, AD, DP}, where S = system, D = dataset, MVC = multivariate correlation analysis, NP = normal profile generation, AD = attack detection, DP = detected packets.

C. Evaluation and Analysis

Attack detection is evaluated using the NSL and KDD datasets. The normal profile is constructed from the training dataset. The test profile is built from the test dataset. The Mahalanobis Distance is evaluated for both the normal and the test profiles. A series is produced with µ + σ·α and µ − σ·α for the normal distributions; the value of α ranges from 1 to 4. The detection rate and the false positive rate are estimated for all values of α. The evaluation report gives data for:
(i) the original KDD Cup 99 dataset,
(ii) the normalized KDD dataset,
(iii) the non-normalized, i.e. original, NSL dataset,
(iv) the normalized NSL dataset,
(v) the non-normalized real-time dataset, i.e. any randomly selected dataset.

Further, we report the detection rates, false positive rates and accuracy for the above, and we also show the ROC curves for the same.

In the experiments on the KDD and NSL datasets, legitimate UDP, ICMP and TCP traffic is considered, together with the following six types of attack: Teardrop, Smurf, Ping of Death (Pod), Neptune, Land and Back. All traffic records are first filtered and then organized into the seven groups labelled above.

The whole evaluation process is as follows. First, the proposed triangle area map generation based MCA approach is evaluated for its ability to characterize network traffic. Then a 10-fold cross-validation is carried out to evaluate the attack detection performance of the proposed system, and the entire data subset is used for this task. During the training phase, only normal records are used. Legitimate normal profiles are generated according to the normal profile generation algorithm given in Section IV. The corresponding thresholds are determined by the factor α, varying from 1 to 4 in increments of 0.5. In the test phase, both normal and attack traffic records are considered, and, following our detection algorithm, the observed traffic samples are examined against the corresponding normal profiles, which are generated from legitimate network traffic records carried over the same type of transport layer protocol. Next we determine the false positive rate and the true negative rate, as well as the accuracy and the detection rate. Our system is required to achieve high detection accuracy.

D. Result analysis of Original data

Table 1 shows the average true negative rate for legitimate records, and Table 2 shows the average detection rates and overall false positive rates for the individual types of denial of service attack on the KDD Cup 99 dataset.

Table 1: Average detection performance of the proposed method on original data against different thresholds over the KDD dataset (record types: Normal, Teardrop, Smurf, Pod, Neptune, Land, Back)

Our proposed system shows encouraging performance in most cases. The correct classification rate of normal records increases from 98.88% to with increasing thresholds. Smurf and POD attack traffic attains almost 100% detection rates. The detection rate of Back attacks falls from 99.87% to 98.69% with increasing thresholds, and the remaining attacks show severe degradation as the threshold increases from 1σ to 4σ. The overall false positive rate and detection rate are calculated over all traffic records irrespective of their category. With increasing threshold there is a gradual fall in the false positive rate from 3.49% to 1.86%. Accordingly, the detection rate also falls from 95.31% to 89.83%.

Table 2: Detection rate and false positive rate achieved by the proposed system on original data over the KDD dataset (columns: FPR, DR, Accuracy)

Table 3 shows the average TNR for legitimate traffic, and Table 4 gives the FPR and detection rates for the individual types of DOS attack on the advanced and improved NSL-KDD dataset.

Table 3: Average detection performance of the system on original NSL data (record types: Normal, Teardrop, Smurf, Pod, Neptune, Land, Back)
Our proposed system shows positive performance in most cases. The correct classification rate of normal traffic records rises from 99.12% to 99.77% with growing thresholds. Further, the Smurf and POD attacks reach a full 100% detection rate at all threshold values. The Back attack attains an almost 100% detection rate with increasing thresholds, and the remaining attacks show serious drops in detection as the threshold rises from 1σ to 4σ. The overall false positive and attack detection rates are computed over all traffic records regardless of their class. With increasing threshold there is a slow reduction in the false positive rate from 3.49% to 1.86%. As a result, the attack detection rate correspondingly drops from 95.31% to 89.83%.

Table 4: Detection rate and FPR achieved by the proposed system on original data over the NSL dataset (columns: FPR, DR, Accuracy)

The above tables show clearly that a higher threshold covers a larger number of legitimate traffic records and that, at the same time, more attack traffic records are incorrectly accepted as legitimate traffic.

E. Drawbacks of current system and its solutions

The above results show degradation in the detection of Teardrop, Neptune and Land attacks. This is caused by the data used in the experiments, in which the basic features of the original data are measured on different scales. Furthermore, changes appearing in some more important features with much smaller values can hardly affect the process of distinguishing legitimate from attack traffic, since the dissimilarity is dominated by the features with larger values. Moreover, if the original data holds zero values in any of the features (both the important and the less important ones), they confuse our MCA and make several of the newly generated features equal to zero. This significantly lowers the discriminative power of the new feature set, which is not supposed to happen.
Clearly, an appropriate data normalization method should be employed to eliminate the bias. We use the statistical normalization technique [18] for this task, which takes both the mean scale of the attribute values and their statistical distribution into account. In addition, statistical normalization has been shown to improve the detection performance of distance-based classifiers and to outperform other normalization methods.

F. Results of Normalized data

A tenfold cross-validation is carried out over normalized data using the above-mentioned statistical normalization scheme. The performance on the normalized data is given in Table 5. The results reveal that normalization has a noteworthy impact on our detection scheme, whose performance rises markedly when normalized data is used as the input. The previously misclassified attacks are now classified entirely correctly by the scheme as the threshold grows. Except for the Back attack, whose detection increases gradually from 98.1% to 99.45% with higher threshold values, the other DOS attacks are detected at almost 100% with increasing threshold.

Table 5: Average detection performance of the proposed system on normalized data against different thresholds over the KDD dataset (record types: Normal, Teardrop, Smurf, Pod, Neptune, Land, Back)

The failure of the geometric normalization procedure on Back attacks is caused by the fact that the non-normalized features of Back attacks initially fall in a range similar to that of the legitimate records; hence the Back attack could not reach 100% detection. Table 6 gives the FPR and DR for normalized data.

Table 6: Detection rate and false positive rate over the normalized KDD dataset (columns: FPR, DR, Accuracy)

The false positive rate shows a significant fall from 1.09 to

The detection rate reaches almost 100% but falls by 2% with higher thresholds. Tables 7 and 8 show the same evaluations over the normalized NSL dataset.

Table 7: Average detection performance of the proposed system on normalized data against different thresholds over the NSL dataset (record types: Normal, Teardrop, Smurf, Pod, Neptune, Land, Back)

The true negative rate for normal records improves from 98.12% to 99.47% with growing threshold. The remaining attacks attain 100% detection regardless of the threshold; only the Back attack, as explained above, shows a slow fall in detection from 99.65% to 95.42% with a steadily increasing threshold. The false positive rate decreases from 1.07% to 0.32% with rising thresholds.
The detection rate falls by 0.5% from 100% to 99.95% at the strictest threshold values.

Table 8: False positive and detection rates over normalized NSL (columns: FPR, DR, Accuracy)

G. Results of Real World data analysis

The KDD and NSL datasets provide a firm base of legitimate traffic records for generating normal profiles, and we know exactly which traffic record is genuine and which is an attack. In real time we have no such base for comparison; hence we cannot compare the accuracy of the proposed system with earlier state-of-the-art systems at different thresholds. Here we consider a random dataset captured at run time with the Wireshark application. We analyzed multiple datasets, from which one random dataset was taken, consisting of at least two hundred records. The results were calculated by our proposed system and then each record was verified manually. The results are shown in Table 9, and the false positive rate and detection accuracy are presented in Table 10. However, the results may vary with different samples of real-world data of varying size.

Table 9: Evaluation of real-time data (record types: Normal, Teardrop, Smurf, Pod, Neptune, Land, Back)

Table 9 reveals very promising results. The detection rate for normal records rises from 99% to 100% at the strictest threshold, and the Pod, Neptune and Land attacks show 100% detection regardless of the threshold. The Back attack achieves a nearly 100% detection rate. Only the Teardrop and Smurf attacks show a drop of 1% when the threshold value gets higher than 3σ. This happens because of the difference between original and normalized data. In both cases some of the features or feature values may change, and these are responsible for constructing different normal profiles and observed profiles. The next table shows the false positive rate, the attack detection rate and the accuracy.
The false positive rate shows a significant reduction from 0.5 to 0.1% as the threshold increases, while the detection rate stays at nearly 100%, with a minor drop of 0.5% when the threshold reaches its strictest value of 4σ.

Table 10: Detection rate and false positive rate obtained by our system on real-time data (columns: FPR, DR, Accuracy)

VII. PERFORMANCE ANALYSIS AND RESULT

A. Performance Analysis through ROC Curves

The ROC curves for original and normalized data are shown in this section. The X-axis represents the false positive rate and the Y-axis represents the detection rate in percent. Fig. 3 shows the relationship between the FPR and the DR. The detection rate improves when a larger number of false positives is tolerated. Fig. 3a shows the curve for the non-normalized KDD Cup 99 data under our proposed scheme, which has a climbing tendency. The curve rises progressively from % to % DR. Similarly, in Fig. 3b the curve for normalized data shows a fine growth from 98% to 100% DR.

Fig. 3: ROC curves for the detection of DOS attacks. (a) ROC curve for analyzing original KDD data. (b) ROC curve for analyzing normalized KDD data.

Fig. 4a shows the ROC curve for NSL non-normalized data, which rises steadily from 87.26% to 89.32% and then, with a drastic increase, finally reaches 96.13% DR. Fig. 4b shows the ROC curve for NSL normalized data. It shows a growing trend from 99.95% DR to 100% DR.

Fig. 4: ROC curves for the detection of DOS attacks. (a) ROC curve for non-normalized NSL data. (b) ROC curve for normalized NSL data.

The ROC curve in Fig. 5 shows the curve for real-time data, with a steady growth in attack detection rate from 99.95% to 100% while more false positive traffic records are tolerated.

B. Alert Types

True Positive: Attack, Alert; i.e., a true attack which causes the IDS to raise an alarm.
False Positive: No attack, Alert; i.e., an event that causes the IDS to raise an alarm when no attack has taken place.

False Negative: Attack, No Alert; i.e., no alarm is raised even though an attack has taken place.
True Negative: No attack, No Alert; i.e., no attack has taken place and no detection is made.
Detection Rate: The number of intrusion instances detected by the system (True Positive) divided by the total number of intrusion instances present in the test dataset.
False Alarm Rate: The total number of normal records classified as attacks (False Positive) divided by the total number of normal records.

VIII. CONCLUSION AND FUTURE WORK

This paper presents an approach based on multivariate correlation analysis for detecting Denial of Service attacks, which separates both known and unknown DOS attacks from legitimate network traffic records. The essential geometrical correlations are extracted from individual pairs of two distinct features, and the triangle area map technique helps to speed up the process. We successfully implemented and tested the proposed system over offline and real-world datasets with almost 100% detection accuracy, a false positive rate significantly decreased to almost 0.1%, and more accurate attack detection with an increased threshold value ranging from 1σ to 4σ. We have not considered the time constraint during the implementation of the real-time approach. The future scope of this work is therefore to implement the system over real-world data while considering the time constraint (time complexity), and to find a more refined traffic characterization method to reduce the false positive rate.

Acknowledgment

The authors would like to thank G.F's College of Engineering and Technology, which provided all the essential facilities. The author is highly thankful to Prof. P. B. Gosavi for his continual valuable guidance, support and encouragement throughout the work.

References

[1] V. Paxson, "Bro: A System for Detecting Network Intruders in Realtime," Computer Networks, vol. 31, 1999.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges," Computers & Security, vol. 28.
[3] Komal More and P. B. Gosavi, "A Survey On Effective Way Of Detecting Denial-Of-Service Attack Using Multivariate Correlation Analysis," IEEE International Conference on Applied and Theoretical Computing and Communication Technology (iCATccT), Oct. 2015.
[4] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, "DDoS attack detection method using cluster analysis," Expert Systems with Applications, vol. 34, no. 3.
[5] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, "Intrusion detection using fuzzy association rules," Applied Soft Computing, vol. 9, no. 2.
[6] W. Hu, W. Hu, and S. Maybank, "AdaBoost-Based Algorithm for Network Intrusion Detection," Trans. Sys. Man Cyber. Part B, vol. 38, no. 2, 2008.
[7] C. Yu, H. Kai, and K. Wei-Shinn, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," Parallel and Distributed Systems, IEEE Transactions on, vol. 18, 200
[8] S. T. Sarasamma, Q. A. Zhu, and J. Huff, "Hierarchical Kohonenen Net for Anomaly Detection in Network Security," Systems, Man, and Cybernetics, Part B: Cybernetics, IEEE Transactions on, vol. 35.
[9] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient," Parallel and Distributed Systems, IEEE Transactions on, vol. 23.
[10] S. Jin, D. S. Yeung, and X. Wang, "Network Intrusion Detection in Covariance Feature Space," Pattern Recognition, vol. 40.
[11] C. F. Tsai and C. Y. Lin, "A Triangle Area Based Nearest Neighbors Approach to Intrusion Detection," Pattern Recognition, vol. 43.
[12] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R. P. Liu, "RePIDS: A multi tier Real-time Payload-based Intrusion Detection System," Computer Networks, vol. 57.
[13] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "Denial-of-service Attack Detection Based on Multivariate Correlation Analysis," Neural Information Processing, 2011.
[14] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-service Attack Detection," The 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, Liverpool, United Kingdom, 2012.
[15] Zhiyuan Tan, Aruna Jamdagni, Xiangjian He, Priyadarsi Nanda, and Ren Ping Liu, "A System for Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis," IEEE Transactions on Parallel and Distributed Systems, 2013.
[16] M. Tavallaee, E. Bagheri, L. Wei, and A. A. Ghorbani, "A Detailed Analysis of the KDD Cup 99 Data Set," Second IEEE International Conference on Computational Intelligence for Security and Defense Applications, 2009, pp. 1-6.
[17] L.Dhanabal, Dr. S.P. Shantharajahn, "A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classification Algorithms," International Journal of Advanced Research in Computer and Communication Engineering, vol. 4, issue 6, June
[18] W. Wang, X. Zhang, S. Gombault, and S. J. Knapskog, "Attribute Normalization in Network Intrusion Detection," The 10th International Symposium on Pervasive Systems, Algorithms, and Networks (ISPAN), 2009.


More information

Denial-Of-Service Attack Detection Based On Multivariate Correlation Analysis and Triangle Area Map Generation

Denial-Of-Service Attack Detection Based On Multivariate Correlation Analysis and Triangle Area Map Generation Denial-Of-Service Attack Detection Based On Multivariate Correlation Analysis and Triangle Area Map Generation Heena Salim Shaikh, Parag Ramesh Kadam, N Pratik Pramod Shinde, Prathamesh Ravindra Patil,

More information

IDENTIFICATION & AVOIDANCE OF DDOS ATTACK FOR SECURED DATA COMMUNICATION IN CLOUD

IDENTIFICATION & AVOIDANCE OF DDOS ATTACK FOR SECURED DATA COMMUNICATION IN CLOUD INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 IDENTIFICATION & AVOIDANCE OF DDOS ATTACK FOR SECURED DATA COMMUNICATION IN CLOUD S. Sivakalai 1, Jayapriya Jayapal

More information

System for Denial-of-Service Attack Detection Based On Triangle Area Generation

System for Denial-of-Service Attack Detection Based On Triangle Area Generation System for Denial-of-Service Attack Detection Based On Triangle Area Generation 1, Heena Salim Shaikh, 2 N Pratik Pramod Shinde, 3 Prathamesh Ravindra Patil, 4 Parag Ramesh Kadam 1, 2, 3, 4 Student 1,

More information

Multivariate Correlation Analysis Technique BasedonEuclideanDistanceMapfor Network Traffic Characterization

Multivariate Correlation Analysis Technique BasedonEuclideanDistanceMapfor Network Traffic Characterization Multivariate Correlation Analysis Technique BasedonEuclideanDistanceMapfor Network Traffic Characterization Zhiyuan Tan 1,2, Aruna Jamdagni 1,2,XiangjianHe 1, Priyadarsi Nanda 1, and Ren Ping Liu 2 1 Research

More information

Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis

Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis Zhiyuan Tan 1,2, Aruna Jamdagni 1,2, Xiangjian He 1, Priyadarsi Nanda 1, and Ren Ping Liu 2 1 Centre for Innovation in IT Services

More information

Bandwidth based Distributed Denial of Service Attack Detection using Artificial Immune System

Bandwidth based Distributed Denial of Service Attack Detection using Artificial Immune System Bandwidth based Distributed Denial of Service Attack Detection using Artificial Immune System 1 M.Yasodha, 2 S. Umarani 1 PG Scholar, Department of Information Technology, Maharaja Engineering College,

More information

A Survey on Denial-of-Service Attack Detection Using Multivariate Correlation Analysis

A Survey on Denial-of-Service Attack Detection Using Multivariate Correlation Analysis A Survey on Denial-of-Service Attack Detection Using Multivariate Correlation Analysis Deepashree Mulay 1, Ankita Dungarwal 2, Chetna Palve 3, Ravindra Tambe 4 1,2,3 B.E. Students, Dept. of CSE, SCSMCOE,Ahmednagar,

More information

Multivariate Correlation Analysis for Denial-of-Service Attack Detection.

Multivariate Correlation Analysis for Denial-of-Service Attack Detection. ISSN: 2278 1323 All Rights Reserved 2015 IJARCET 2918 International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Multivariate Correlation Analysis for Denial-of-Service Attack

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Denial-of-service Attack Detection System Based On Multivariate Correlation Analysis using Triangle Area Maps

Denial-of-service Attack Detection System Based On Multivariate Correlation Analysis using Triangle Area Maps Denial-of-service Attack Detection System Based On Multivariate Correlation Analysis using Triangle Area Maps Ankush Bhat, Pooja Ingole,Rahul Ingole, Pooja Garje Abstract We are aware about phenomenal

More information

Design and Implementation of a System for Denial of Service Attack Detection Based on Multivariate Correlation Analysis

Design and Implementation of a System for Denial of Service Attack Detection Based on Multivariate Correlation Analysis Design and Implementation of a System for Denial of Service Attack Detection Based on Multivariate Correlation Analysis Priti G. Harne 1, Prof.V.M.Deshmukh 2 Student of M.E., Department of Information

More information

Resistance of Denial-of-Service Attack in Network Coding using Node Authenticity

Resistance of Denial-of-Service Attack in Network Coding using Node Authenticity Resistance of Denial-of-Service Attack in Network Coding using Node Authenticity P. ANITHA PG Scholar Dept. of Computer Science Velalar College of Engineering and Technology ANNA UNIVERSITY, CHENNAI anita4890@gmail.com

More information

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

International Journal of Computer Trends and Technology (IJCTT) volume 25 Number 2 July 2015

International Journal of Computer Trends and Technology (IJCTT) volume 25 Number 2 July 2015 Triangle Range Map Based Attack Detection (Dos) in Multivariate Correlation Analysis and Track Back Prevention Mechanism Y.Satyavathi 1 P.Jayaprakash 2 1. M.Tech Scholar, Department of Computer Science

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

More information

Mahalanobis Distance Map Approach for Anomaly Detection

Mahalanobis Distance Map Approach for Anomaly Detection Edith Cowan University Research Online Australian Information Security Management Conference Security Research Institute Conferences 2010 Mahalanobis Distance Map Approach for Anomaly Detection Aruna Jamdagnil

More information

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow Correlation Coeff icient with Collective Feedback N.V.Poorrnima 1, K.ChandraPrabha 2, B.G.Geetha 3 Department of Computer

More information

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. prashil.waghmare14@gmail.com

More information

Keywords - Intrusion Detection System, Intrusion Prevention System, Artificial Neural Network, Multi Layer Perceptron, SYN_FLOOD, PING_FLOOD, JPCap

Keywords - Intrusion Detection System, Intrusion Prevention System, Artificial Neural Network, Multi Layer Perceptron, SYN_FLOOD, PING_FLOOD, JPCap Intelligent Monitoring System A network based IDS SONALI M. TIDKE, Dept. of Computer Science and Engineering, Shreeyash College of Engineering and Technology, Aurangabad (MS), India Abstract Network security

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

An Evaluation of Machine Learning Method for Intrusion Detection System Using LOF on Jubatus

An Evaluation of Machine Learning Method for Intrusion Detection System Using LOF on Jubatus An Evaluation of Machine Learning Method for Intrusion Detection System Using LOF on Jubatus Tadashi Ogino* Okinawa National College of Technology, Okinawa, Japan. * Corresponding author. Email: ogino@okinawa-ct.ac.jp

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

Intrusion Detection System using Log Files and Reinforcement Learning

Intrusion Detection System using Log Files and Reinforcement Learning Intrusion Detection System using Log Files and Reinforcement Learning Bhagyashree Deokar, Ambarish Hazarnis Department of Computer Engineering K. J. Somaiya College of Engineering, Mumbai, India ABSTRACT

More information

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA Professor Yang Xiang Network Security and Computing Laboratory (NSCLab) School of Information Technology Deakin University, Melbourne, Australia http://anss.org.au/nsclab

More information

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup Network Anomaly Detection A Machine Learning Perspective Dhruba Kumar Bhattacharyya Jugal Kumar KaKta»C) CRC Press J Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor

More information

Hybrid Intrusion Detection System Using K-Means Algorithm

Hybrid Intrusion Detection System Using K-Means Algorithm International Journal of Computer Sciences and Engineering Open Access Review Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Hybrid Intrusion Detection System Using K-Means Algorithm Darshan K. Dagly 1*, Rohan

More information

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics.

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics. Volume 3, Issue 6, June 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Techniques to Differentiate

More information

NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL

NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL Prof. Santosh T. Waghmode 1, Prof. Vinod S. Wadne 2 Department of Computer Engineering, 1, 2 JSPM s Imperial College of Engineering

More information

Moderate Denial-of-Service attack detection based on Distance flow and Traceback Routing

Moderate Denial-of-Service attack detection based on Distance flow and Traceback Routing International Journal On Engineering Technology and Sciences IJETS Moderate Denial-of-Service attack detection based on Distance flow and Traceback Routing Vinish Alikkal Student alikkalvinish@gmail.com

More information

Review on Hybrid Intrusion Detection System

Review on Hybrid Intrusion Detection System Review on Hybrid Intrusion Detection System Abstract This document gives formatting instructions for authors preparing papers for publication in the Proceedings of an International Journal of Advance Research

More information

An analysis of suitable parameters for efficiently applying K-means clustering to large TCPdump data set using Hadoop framework

An analysis of suitable parameters for efficiently applying K-means clustering to large TCPdump data set using Hadoop framework An analysis of suitable parameters for efficiently applying K-means clustering to large TCPdump data set using Hadoop framework Jakrarin Therdphapiyanak Dept. of Computer Engineering Chulalongkorn University

More information

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS SACHIN MALVIYA Student, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.)

More information

A survey on Data Mining based Intrusion Detection Systems

A survey on Data Mining based Intrusion Detection Systems International Journal of Computer Networks and Communications Security VOL. 2, NO. 12, DECEMBER 2014, 485 490 Available online at: www.ijcncs.org ISSN 2308-9830 A survey on Data Mining based Intrusion

More information

Network Intrusion Detection Systems

Network Intrusion Detection Systems Network Intrusion Detection Systems False Positive Reduction Through Anomaly Detection Joint research by Emmanuele Zambon & Damiano Bolzoni 7/1/06 NIDS - False Positive reduction through Anomaly Detection

More information

INTRUSION PREVENTION AND EXPERT SYSTEMS

INTRUSION PREVENTION AND EXPERT SYSTEMS INTRUSION PREVENTION AND EXPERT SYSTEMS By Avi Chesla avic@v-secure.com Introduction Over the past few years, the market has developed new expectations from the security industry, especially from the intrusion

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

Chapter 6. The stacking ensemble approach

Chapter 6. The stacking ensemble approach 82 This chapter proposes the stacking ensemble approach for combining different data mining classifiers to get better performance. Other combination techniques like voting, bagging etc are also described

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

DATA MINING TECHNIQUES AND APPLICATIONS

DATA MINING TECHNIQUES AND APPLICATIONS DATA MINING TECHNIQUES AND APPLICATIONS Mrs. Bharati M. Ramageri, Lecturer Modern Institute of Information Technology and Research, Department of Computer Application, Yamunanagar, Nigdi Pune, Maharashtra,

More information

Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks

Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks Layered Approach of Intrusion Detection System with Efficient Alert Aggregation for Heterogeneous Networks Lohith Raj S N, Shanthi M B, Jitendranath Mungara Abstract Protecting data from the intruders

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015 RESEARCH ARTICLE OPEN ACCESS Data Mining Technology for Efficient Network Security Management Ankit Naik [1], S.W. Ahmad [2] Student [1], Assistant Professor [2] Department of Computer Science and Engineering

More information

Intrusion Detection via Machine Learning for SCADA System Protection

Intrusion Detection via Machine Learning for SCADA System Protection Intrusion Detection via Machine Learning for SCADA System Protection S.L.P. Yasakethu Department of Computing, University of Surrey, Guildford, GU2 7XH, UK. s.l.yasakethu@surrey.ac.uk J. Jiang Department

More information

An Overview of Knowledge Discovery Database and Data mining Techniques

An Overview of Knowledge Discovery Database and Data mining Techniques An Overview of Knowledge Discovery Database and Data mining Techniques Priyadharsini.C 1, Dr. Antony Selvadoss Thanamani 2 M.Phil, Department of Computer Science, NGM College, Pollachi, Coimbatore, Tamilnadu,

More information

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

More information

Bisecting K-Means for Clustering Web Log data

Bisecting K-Means for Clustering Web Log data Bisecting K-Means for Clustering Web Log data Ruchika R. Patil Department of Computer Technology YCCE Nagpur, India Amreen Khan Department of Computer Technology YCCE Nagpur, India ABSTRACT Web usage mining

More information

Active Internet Traffic Filtering to Denial of Service Attacks from Flash Crowds

Active Internet Traffic Filtering to Denial of Service Attacks from Flash Crowds Active Internet Traffic Filtering to Denial of Service Attacks from Flash Crowds S.Saranya Devi 1, K.Kanimozhi 2 1 Assistant professor, Department of Computer Science and Engineering, Vivekanandha Institute

More information

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

More information

Two State Intrusion Detection System Against DDos Attack in Wireless Network

Two State Intrusion Detection System Against DDos Attack in Wireless Network Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.

More information

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Ensuring Security in Cloud with Multi-Level IDS and Log Management System Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,

More information

A Review on Network Intrusion Detection System Using Open Source Snort

A Review on Network Intrusion Detection System Using Open Source Snort , pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,

More information

A Survey on Intrusion Detection System with Data Mining Techniques

A Survey on Intrusion Detection System with Data Mining Techniques A Survey on Intrusion Detection System with Data Mining Techniques Ms. Ruth D 1, Mrs. Lovelin Ponn Felciah M 2 1 M.Phil Scholar, Department of Computer Science, Bishop Heber College (Autonomous), Trichirappalli,

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme

Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Chunyong Yin 1,2, Yang Lei 1, Jin Wang 1 1 School of Computer & Software, Nanjing University of Information Science &Technology,

More information

Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic

Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic Amit Khajuria 1, Roshan Srivastava 2 1 M. Tech Scholar, Computer Science Engineering, Lovely Professional University,

More information

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila Data Mining For Intrusion Detection Systems Monique Wooten Professor Robila December 15, 2008 Wooten 2 ABSTRACT The paper discusses the use of data mining techniques applied to intrusion detection systems.

More information

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING AZRUDDIN AHMAD, GOBITHASAN RUDRUSAMY, RAHMAT BUDIARTO, AZMAN SAMSUDIN, SURESRAWAN RAMADASS. Network Research Group School of

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems

Impact of Feature Selection on the Performance of Wireless Intrusion Detection Systems 2009 International Conference on Computer Engineering and Applications IPCSIT vol.2 (2011) (2011) IACSIT Press, Singapore Impact of Feature Selection on the Performance of ireless Intrusion Detection Systems

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Application of Data Mining Techniques in Intrusion Detection

Application of Data Mining Techniques in Intrusion Detection Application of Data Mining Techniques in Intrusion Detection LI Min An Yang Institute of Technology leiminxuan@sohu.com Abstract: The article introduced the importance of intrusion detection, as well as

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM MS. DIMPI K PATEL Department of Computer Science and Engineering, Hasmukh Goswami college of Engineering, Ahmedabad, Gujarat ABSTRACT The Internet

More information

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

More information

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b Advanced Engineering Forum Online: 2012-09-26 ISSN: 2234-991X, Vols. 6-7, pp 991-994 doi:10.4028/www.scientific.net/aef.6-7.991 2012 Trans Tech Publications, Switzerland HIDS and NIDS Hybrid Intrusion

More information

Development of a Network Intrusion Detection System

Development of a Network Intrusion Detection System Development of a Network Intrusion Detection System (I): Agent-based Design (FLC1) (ii): Detection Algorithm (FLC2) Supervisor: Dr. Korris Chung Please visit my personal homepage www.comp.polyu.edu.hk/~cskchung/fyp04-05/

More information

Behavior Analysis of TCP Traffic in Mobile Ad Hoc Network using Reactive Routing Protocols

Behavior Analysis of TCP Traffic in Mobile Ad Hoc Network using Reactive Routing Protocols Behavior Analysis of TCP Traffic in Mobile Ad Hoc Network using Reactive Routing Protocols Purvi N. Ramanuj Department of Computer Engineering L.D. College of Engineering Ahmedabad Hiteishi M. Diwanji

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

Why a Network-based Security Solution is Better than Using Point Solutions Architectures Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone

More information

Role of Anomaly IDS in Network

Role of Anomaly IDS in Network Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

A Survey on Outlier Detection Techniques for Credit Card Fraud Detection

A Survey on Outlier Detection Techniques for Credit Card Fraud Detection IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. VI (Mar-Apr. 2014), PP 44-48 A Survey on Outlier Detection Techniques for Credit Card Fraud

More information

RSA Adaptive Authentication For ecommerce
