Proactive Detection of DDoS Attacks Utilizing k-nn Classifier in an Anti-DDos Framework




World Academy of Science, Engineering and Technology
International Journal of Computer, Electrical, Automation, Control and Information Engineering Vol:4, No:3, 2010

Proactive Detection of DDoS Attacks Utilizing k-NN Classifier in an Anti-DDoS Framework

Hoai-Vu Nguyen and Yongsun Choi

International Science Index, Computer and Information Engineering Vol:4, No:3, 2010 waset.org/publication/9510

Abstract

Distributed denial-of-service (DDoS) attacks pose a serious threat to network security. Many methodologies and tools have been devised to detect DDoS attacks and reduce the damage they cause. Still, most of the methods cannot simultaneously achieve (1) efficient detection with a small number of false alarms and (2) real-time transfer of packets. Here, we introduce a method for proactive detection of DDoS attacks, by classifying the network status, to be utilized in the detection stage of the proposed anti-DDoS framework. Initially, we analyse the DDoS architecture and obtain details of its phases. Then, we investigate the procedures of DDoS attacks and select variables based on these features. Finally, we apply the k-nearest neighbour (k-NN) method to classify the network status into each phase of a DDoS attack. The simulation result showed that each phase of the attack scenario is classified well and that we could detect a DDoS attack in its early stage.

Keywords: distributed denial-of-service (DDoS), k-nearest neighbor classifier (k-NN), anti-DDoS framework, DDoS detection.

I. INTRODUCTION

Security technologies have to keep pace with the rapid development in information technology and network systems in order to protect the systems from attacks. Network security is one of the most important sections of the security domain. Distributed denial-of-service (DDoS) attacks first appeared in June 1998 and rapidly spread, causing extensive damage. For instance, during the week of 7-11 February 2000, they emerged as the major attacks in the new category of attacks on the Internet. They attacked many well-known sites, including Yahoo, Buy, eBay, Amazon, Datek, E*Trade, and CNN (Todd, 2000).
Since DDoS attacks are very powerful and pose a serious threat to network security, it is important to understand how they work. A DDoS attack involves the combined effort of several machines attacking a target system. In many cases, the attacker first selects some machines having security vulnerabilities as handlers and gains access to them. Then, the attacker continues to include more machines as zombies through the handlers. The zombies carry out the actual DDoS attack by significantly increasing the malicious traffic to the target system. As a result, the victim machine loses all its computing and communication resources. Although the technique of DDoS attacks is relatively simple, it can attack both Internet and system resources. Since the extent of damage by DDoS attacks has increased, many studies on detection mechanisms have been carried out. However, the existing security mechanisms have failed to provide effective defence against these attacks, or can only provide defence against specific types of DDoS attacks. Some DDoS attack detection methods are based on traceback, while others are based on feature monitoring of a router or a server. However, existing methods have had limited success because they cannot simultaneously achieve the objectives of (1) efficient detection with a small number of false alarms and (2) real-time transfer of all packets. For instance, some methods, which apply data mining techniques, can obtain a high rate of correct detection of the attacks. However, these methods usually cannot be employed in real-time computing. Other methods, exploiting the abnormal increase in some types of packets, mitigate only some types of DDoS attacks. Furthermore, at present there exist few effective and detailed model frameworks for the detection and prevention of DDoS attacks.

Hoai-Vu Nguyen is with the Department of Systems Management Engineering, Inje University, 621-749, South Korea (e-mail: guyehoavu_t@yahoo.com). Yongsun Choi is with the Department of Systems Management Engineering, Inje University, 621-749, South Korea (phone: +82-55-320-3117; fax: +82-55-320-3632; e-mail: yschoi@inje.ac.kr).
In this paper, we first present a general anti-DDoS framework that contains two sequential stages: detection and prevention. Then, we present a method for proactive detection of DDoS attacks by classifying the network status, to be utilized in the detection stage of the general anti-DDoS framework. More specifically, we describe the two-stage view of the DDoS architecture: the control stage and the attack stage. Then, we investigate the procedures of DDoS attacks to select feature variables that are important in recognizing DDoS attacks, since they change abnormally whenever an attack happens. Finally, we apply the k-nearest neighbor (k-NN) method to classify the status of the network for each phase of the DDoS attack. The simulation result has shown that the phases of the attack are classified well and that DDoS attacks could be detected efficiently in the early stage. In sum, we propose a general anti-DDoS framework and an automated method for the early detection of DDoS attacks. We apply the k-NN method for DDoS attack detection with flexible adjustment of feature variables. In addition, we provide a suitable method for mapping a document to an element that describes the period of packet transfer in a network. The rest of the paper is organized as follows. Section II summarizes previous studies in the area of DDoS attack detection. In section III, we analyze the DDoS architecture and introduce a general anti-DDoS framework. Next, in section IV, we describe the proposed method for the early detection of DDoS attacks in detail. Section V presents the data collected and the simulation results. Finally, in section VI, we conclude our work with directions for further studies.

International Scholarly and Scientific Research & Innovation 4(3) 2010

II. RELATED STUDIES

Thus far, many results related to DDoS attack defence have been reported. We can classify DDoS attack defence methods into congestion-based, anomaly-based, source-based methods, and others. Existing methods either belong to one of these categories or are a combination of them [1]-[9]. Mahajan et al. (2001) [11] and Ioannidis and Bellovin (2002) [6] have proposed an aggregate-based congestion control (ACC) that decreases DDoS attack traffic on the basis of the congestion level. The detection algorithm in ACC determines the destination addresses of the victim machines on the basis of the destination network prefix of packets dropped at the observed router during a very short period. ACC adds a destination address to the list if the number of dropped packets with that destination address is greater than the average number. If the arrival rate of a network prefix exceeds the threshold, ACC marks all traffic to this network prefix as DDoS attack traffic and responds to all incoming traffic sent to this network prefix. Cabrera et al. (2001) [1] and May et al. (2001) [12] have proposed a method based on network management information to detect DDoS attacks. The local Simple Network Management Protocol (SNMP) agents update the variables in a management information base (MIB) periodically. Hence, the network management system analyses the MIB variable correlations during the attack preparation, attack, and normal states to detect DDoS attacks. This method is efficient only if the victim host and attacker are on the same network. It is unable to solve the problem when the victim and attacker are on different networks.
Yaar et al. (2003) [20] have presented a method based on IP traceback and packet filtering to mitigate DDoS attack traffic. Packet marking identifies the paths followed by the attack traffic by inserting marks in packets. They introduced an intelligent packet filtering method to filter out the ongoing attack traffic. However, the length of the IP identification field is limited to only 16 bits in this method, which is not sufficient for storing the entire path. In addition, certain coding schemes have to be applied to shorten the length of the marks. Gavrilis and Dermatas (2005) [3] have presented a DDoS attack detector for public networks utilizing the radial basis function neural network (RBFNN), which was originally introduced by Haykin (1994) [5]. Their method is based on statistical features estimated in a short-time-window analysis of the incoming data packets. This method is supported by three modules: a data collector, a feature estimator, and a DDoS detector. The DDoS detector is a two-layer neural network with nine feature vectors that are used to activate a two-output RBF network at each time frame. The most active output neuron detects the presence of a DDoS attack or characterizes the time frame as normal traffic. This approach is highly efficient, but has some weak points such as long computing time. Lee (2006) [9] has presented an improved marking technique that identifies DDoS traffic with time-to-live (TTL) information at the routers by applying a support vector machine (SVM) module to control malicious traffic and manage DDoS attack packets efficiently. This method can filter malicious traffic with the SVM congestion signature and improves the bandwidth of the entire network. Hence, it is possible to reconstruct the path to the source of DDoS attacks with a small number of marking packets. A disadvantage of this method is the requirement of additional memory at the routers for the DDoS-related identification performed by the SVM-based filtering module. Xu et al. (2007) [19] have proposed a novel DDoS detection method based on hidden Markov models (HMMs) and cooperative reinforcement learning, in which a distributed cooperative detection scheme using source IP address monitoring is employed.
To realize earlier detection of DDoS attacks, the detectors are distributed at intermediate network nodes or near the sources of DDoS attacks, and HMMs are used to establish a profile for the normal traffic on the basis of the frequencies of new IP addresses. A cooperative reinforcement learning algorithm computes the optimized strategies for information exchange among the distributed detectors so that the detection accuracy can be improved without a high load of information communication among the detectors. However, the evaluation of the HMM-based approach in real-time DDoS detection cases is not included in that paper, and additional algorithms would need to be applied to realize a better balance between detection accuracy and communication load. The abovementioned methods and others focus largely on the change in traffic flow. Methods based on data mining are suitable for detection, but they still cannot ensure frequent transfer of packets. As with the methods based on neural networks, it is not easy to apply HMMs in the real world due to long computation time. On the other hand, some methods can be applied only to specific types of DDoS attacks, that is, they are of limited usefulness and efficiency. To overcome these limitations of existing methods, we apply the k-NN classifier, which has proved to be useful and very efficient when used to classify documents [4]. The way of applying the k-NN method for the early detection of DDoS attacks is described in detail in section IV.

III. DDOS ATTACK ARCHITECTURE AND ANTI-DDOS FRAMEWORK

In this section, we describe the characteristics of DDoS attacks with the two-stage view of the DDoS architecture: the control stage and the attack stage. Then, we introduce a simple anti-DDoS framework that comprises the stages of detection and prevention of DDoS attacks.

A. DDoS Attack Architecture

DDoS attacks first appeared in June 1998. The attacks start by breaking into hundreds or thousands of machines (handlers) over the Internet. Then, the attacker installs DDoS software on the machines, allowing them to control all the attacked machines (zombies or agents) to launch coordinated attacks on target sites. These attacks typically exhaust the network bandwidth, router processing capacity, or network stack resources, and disrupt the network connectivity of the victims. Different types of DDoS attacks have been developed, which can be classified as TCP flood, UDP flood, ICMP flood, and smurf [18]. The general architecture of DDoS attacks determined by Lin and Tseng (2004) [10] is shown in Fig. 1.

B. Anti-DDoS Framework

In the security domain, the intrusion detection system (IDS) and intrusion prevention system (IPS) are well known [2]-[17]. In a similar way, we construct our anti-DDoS framework containing two sequential stages: DDoS attack detection and DDoS attack prevention. However, we need to differentiate DDoS attacks from intrusive activities. The definitions of detection and prevention in the context of DDoS attacks are different from those in the context of intrusive activities. Fig. 2 shows all the components in each stage of the anti-DDoS framework in detail.

Fig. 1 General architecture of DDoS attacks

The general architecture of the DDoS attack shown in Fig. 1 can be divided into two stages:
- Control stage
- Attack stage

In the control stage, a large-scale scan is performed on the network to find a list of vulnerable hosts. Generally, the vulnerable hosts consist of handlers and agents, where the handlers (the first-level vulnerable hosts) are controlled by the attackers and the agents (the second-level vulnerable hosts) are controlled by the attackers through the handlers. The communication traffic in the control stage takes place through signal transmission from an attacker to a handler; however, the communication between the handlers and agents is bidirectional. In the two levels of topology, the locations of the attackers can be hidden. At the end of the control stage, the vulnerable hosts are used to launch distributed attacking traffic in the attack stage.
The attacking traffic, including UDP flood, ICMP flood, Smurf, TCP SYN, TCP ACK, TCP RST, and TCP SYN/ACK, can overwhelm the victim [18]. There are two different types of attack techniques followed by DDoS attacks: bandwidth consumption and resource consumption. In bandwidth consumption, the attacking traffic launched by the compromised hosts, which are controlled by the attackers, is aggregated into a single large flood that overwhelms the victim. In resource consumption, the attackers exploit flaws in the network protocol or the system security, such as in the techniques of SYN flood, land, and Teardrop. This results in the starvation of system resources (CERT/CC, 2003). As DDoS attack tools have become more complicated in recent years, it is becoming more difficult to keep up with the current characteristics of DDoS attacks.

Fig. 2 A simple anti-DDoS framework

In the case of DDoS attacks, it is difficult to protect a system some time after the attacker has initiated the attack, as shown in Fig. 1. Hence, we should detect DDoS attacks in the early stage. The first stage of the anti-DDoS framework carries out the early detection of DDoS attacks, which will be described in detail in section IV. In case a pre-attack or real-attack network status is detected, detailed network status information is transferred to the prevention stage to mitigate DDoS attacks. In this paper, we focus only on the early detection of DDoS attacks without digging into the detailed mechanism of preventing DDoS attacks. That is, our anti-DDoS framework only mitigates the DDoS attack without determining the exact attacker host. There already exist many methods of preventing DDoS attacks [15].

IV. K-NN METHOD FOR EARLY DETECTION OF DDOS ATTACKS

Lee (2007) [8] has proposed an efficient method for proactive detection of DDoS attacks using cluster analysis. In his study, he analysed in detail the characteristics of the selected variables, which are used for clustering, by using the cubic clustering criterion (CCC). We will use these features in our method. Lee divided DDoS attacks into three phases, so the status of the network will be of four types.
However, as mentioned before, we have decided to classify the status of the network into three classes:

- Pre-attack: includes the first two phases.
  o Phase 1 of DDoS attack: selection of handlers and agents
  o Phase 2 of DDoS attack: communication and compromise
- Attack: includes phase 3 of DDoS attack: the attack itself
- Normal status of the network

Moreover, since these classes are well divided, we decide to apply a classifying method for the early detection of DDoS attacks. By employing the classifying method, the detection becomes more accurate and takes a shorter computing time than when the clustering method is applied. In the classifying module, we choose the k-NN method because it achieves the two objectives: an accurate detection rate and short computing time. The k-NN method was devised a long time ago and is still useful. For instance, the k-NN method is used to classify documents by Reuters News, which is one of the most famous news agencies across the world [4].

A. Selection of Features for Detecting DDoS

We studied the procedures of DDoS attacks to primarily select the packet and traffic parameters that change unusually in each phase of the attack. Lee (2007) [8] has mentioned some parameters such as source/destination IP addresses, port numbers, and packet types (ICMP, TCP SYN, UDP) that will be used as features to detect DDoS attacks. In the pre-attack phase, the attacker spreads packets to find the machines that have security vulnerabilities, intrude them and gain access to them. During this period, the destination IP address will be distributed randomly. However, in the last phase of the attack (launching the DDoS attack) the destination IP address will remain fixed or rarely change. To measure this change, Lee (2007) [8] suggested using the concept of entropy. If the information source has n independent symbols, each with a probability of choice P_i, the entropy H is defined as follows:

H = \sum_{i=1}^{n} P_i \log_2 \frac{1}{P_i}    (1)

The other characteristic is the occurrence rate of a type of packet.
These characteristics have been exploited and various methods have been developed to detect DDoS attacks. During the launch of DDoS attacks, there are some types of packets (for DDoS attacks using a specific packet type) whose occurrence changes abnormally. Finally, we use the following features of packet transfer, which Lee (2007) [8] had presented:

- Entropy of source IP address and port number
- Entropy of destination IP address and port number
- Entropy of packet type
- Occurrence rate of packet type (ICMP, UDP, and TCP SYN)
- Number of packets

We use these features as the components of the vector describing a period of network status. Next, we discuss the method that is used for classification.

B. K-NN Classifier

First, we select the features for detecting DDoS attacks and classify the network status into three classes. Next, we consider the classification of the current network status into one of the classes. There are many well-known methods for classifying documents such as SVM, NN, fuzzy logic, and rough sets [14]. We choose the k-NN method because this method has features that are suitable for our goals. These features are: easy implementation, short computation time, and high accuracy. The k-NN algorithm is a similarity-based learning algorithm and is known to be highly effective in various problem domains, including classification problems. Given a test element d_t, the k-NN algorithm finds its k nearest neighbors among the training elements, which form the neighborhood of d_t. Majority voting among the elements in the neighborhood is used to decide the class for d_t. For the example shown in Fig. 3, we first find the k elements that are nearest to the element to be classified. From the k nearest elements, we determine the most suitable class for the test element [4]-[16].

Fig. 3 Finding the k elements that are nearest to the test element, k = 5

The term "near" can be defined as the degree of similarity between two elements. There are several techniques to compute the similarity degree between two elements. However, the algorithm based on the cosine formula is the most popular method used for estimating the similarity degree. In this study, we use this algorithm to compute the similarity degree.
Besides, we also use the vector space model (VSM) to describe each element. Hence, each element is expressed as a vector that has n components. An example is given below. For the two elements X = {x_1, x_2, ..., x_n} and Y = {y_1, y_2, ..., y_n}, W = {w_1, w_2, ..., w_n} is the weight vector and w_i is the weight of the i-th component in the general vector. Then, we compute the similarity between the two elements X and Y as follows:

Similarity(X, Y) = Cosine(X, Y, W) = \frac{\sum_{i=1}^{n} (x_i w_i)(y_i w_i)}{\sqrt{\sum_{i=1}^{n} (x_i w_i)^2 \sum_{i=1}^{n} (y_i w_i)^2}}    (2)

Using the abovementioned cosine formula, we can find the k nearest elements. Next, we have to determine the most suitable class for these elements. We count the rate of each class type to determine the class that has the highest rate. This is the class in which the test element can be placed.

C. Early Detection of DDoS Attacks Using k-NN Classifier

We use the nine features that have been discussed in part A to classify the network status. Each variable is normalized to eliminate the effect of the difference between the scales of the variables, as proposed by Lee et al. (2007) [8]. With normalization, variables become

z = \frac{x - \bar{x}}{\sigma}    (3)

where x, \bar{x} and \sigma denote the value of each feature, the mean of the sample dataset, and the standard deviation, respectively. To classify the current network status, we use the k-NN classifier, which has been explained previously. Firstly, we train on three datasets: the normal, pre-attack, and attack datasets. Each element in each dataset has nine components that are computed from the data log for the period. We compute the current network status as an element with nine components in a period. Finally, we apply the distance formula (3) to find the k nearest neighbors of the current network status. We set a label for the current network status based on the class to which the majority of the k elements belong. Hence, this aids the recognition of the current network status and the early detection of DDoS attacks. The details of the detection of DDoS attacks are shown in Fig. 4.

Fig. 4 General model for detecting precursors of DDoS attacks
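The detection pipeline of section IV end to end, as an added example that is not the authors' code: the nine features of part A computed over a window of packets (entropy per eq. (1)), the z-normalisation of eq. (3), the weighted cosine of eq. (2) and the majority vote of part C. The packet schema, the constructed normal/sweep/flood windows and the training-set size are assumptions made for illustration.

```python
import math
import random
from collections import Counter, namedtuple

# One packet record in an observation window (constructed schema, not the paper's log format).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port ptype")

def entropy(symbols):
    """Eq. (1): H = sum_i P_i log2(1/P_i), with P_i the empirical frequency of symbol i."""
    n = len(symbols)
    counts = Counter(symbols)
    return sum((c / n) * math.log2(n / c) for c in counts.values()) if n else 0.0

def window_features(pkts):
    """The nine features of section IV.A for one window, in this order:
    H(src ip), H(src port), H(dst ip), H(dst port), H(type),
    rate(ICMP), rate(UDP), rate(TCP SYN), packet count."""
    n = len(pkts)
    rate = lambda kind: sum(p.ptype == kind for p in pkts) / n if n else 0.0
    return [entropy([p.src_ip for p in pkts]), entropy([p.src_port for p in pkts]),
            entropy([p.dst_ip for p in pkts]), entropy([p.dst_port for p in pkts]),
            entropy([p.ptype for p in pkts]),
            rate("ICMP"), rate("UDP"), rate("TCP_SYN"), float(n)]

def fit_scaler(rows):
    """Mean and standard deviation of each feature over the training set, for eq. (3)."""
    n = len(rows)
    means = [sum(col) / n for col in zip(*rows)]
    # A feature with sigma = 0 gets sigma = 1 so it normalises to 0 instead of dividing by zero.
    stds = [math.sqrt(sum((v - m) ** 2 for v in col) / n) or 1.0
            for col, m in zip(zip(*rows), means)]
    return means, stds

def z_normalize(row, means, stds):
    """Eq. (3): z = (x - mean) / sigma, component-wise."""
    return [(x - m) / s for x, m, s in zip(row, means, stds)]

def cosine(x, y, w):
    """Eq. (2): weighted cosine similarity; w_i scales component i of both vectors."""
    xw = [a * c for a, c in zip(x, w)]
    yw = [b * c for b, c in zip(y, w)]
    den = math.sqrt(sum(a * a for a in xw)) * math.sqrt(sum(b * b for b in yw))
    return sum(a * b for a, b in zip(xw, yw)) / den if den else 0.0

class KnnDetector:
    """Normalised nine-feature vectors, weighted cosine similarity, majority vote (IV.B, IV.C)."""

    def __init__(self, k=5, weights=None):
        self.k, self.weights, self.train = k, weights, []

    def fit(self, windows, labels):
        rows = [window_features(w) for w in windows]
        self.means, self.stds = fit_scaler(rows)
        self.weights = self.weights or [1.0] * len(rows[0])   # default: every component weighted 1
        self.train = [(z_normalize(r, self.means, self.stds), lab) for r, lab in zip(rows, labels)]
        return self

    def classify(self, window):
        """Return (class label, vote counts) for the current window."""
        q = z_normalize(window_features(window), self.means, self.stds)
        ranked = sorted(self.train, key=lambda t: cosine(q, t[0], self.weights), reverse=True)
        votes = Counter(lab for _, lab in ranked[:self.k])
        return votes.most_common(1)[0][0], votes

# Constructed traffic windows (documentation address ranges, not real captures).
def make_window(kind, rng):
    if kind == "normal":      # a few clients talking to a few servers, mixed packet types
        return [Packet(f"192.0.2.{rng.randint(1, 6)}", rng.randint(49152, 65535),
                       f"198.51.100.{rng.randint(1, 3)}", rng.choice([53, 80, 443]),
                       rng.choice(["TCP_ACK", "TCP_ACK", "UDP", "TCP_SYN"]))
                for _ in range(rng.randint(150, 250))]
    if kind == "pre-attack":  # one host sweeping many destinations: H(dst ip) is high
        return [Packet("203.0.113.9", rng.randint(40000, 60000),
                       f"192.0.2.{rng.randint(1, 254)}", 0, "ICMP")
                for _ in range(rng.randint(150, 250))]
    # "attack": many spoofed sources flooding one victim: H(dst ip) = 0, rate(TCP SYN) = 1
    return [Packet(f"203.0.113.{rng.randint(1, 254)}", rng.randint(1024, 65535),
                   "192.0.2.10", 80, "TCP_SYN") for _ in range(rng.randint(1500, 2500))]

def build_detector(per_class=20, seed=1, k=5):
    """Train on per_class constructed windows of each status (the set size is an assumption)."""
    rng = random.Random(seed)
    labels = [c for c in ("normal", "pre-attack", "attack") for _ in range(per_class)]
    return KnnDetector(k).fit([make_window(c, rng) for c in labels], labels)

def evaluate(det, seed=7):
    """Classify one fresh window per status; returns {true status: predicted class}."""
    rng = random.Random(seed)
    return {kind: det.classify(make_window(kind, rng))[0]
            for kind in ("normal", "pre-attack", "attack")}

if __name__ == "__main__":
    print(evaluate(build_detector()))
```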
V. SIMULATION RESULTS

Using the 2000 DARPA intrusion detection scenario-specific data set (MIT Lincoln Lab, 2000) [13], we employ the proposed method for early detection of DDoS attacks. This dataset includes a DDoS attack launched by a novice attacker. The attack is carried out over multiple networks and audit sessions. These sessions have been grouped into 5 attack phases, over the course of which the adversary probes, breaks in, installs Trojan mstream DDoS software, and launches a DDoS attack on an off-site server. The five phases of the attack scenario are:

1- IPsweep of the AFB from a remote site
2- Probe of live IPs to look for the sadmind daemon running on Solaris hosts
3- Break-ins via the sadmind vulnerability, both successful and unsuccessful, on those hosts
4- Installation of the Trojan mstream DDoS software on three hosts at the AFB
5- Launch of DDoS attacks

Fig. 5 Architecture of the network used to obtain the dataset

An attack has five phases. However, in this study, we slightly regroup these phases into two groups:

- Pre-attack phase: includes the first four abovementioned phases
- Attack phase: includes the last phase

We also have the dataset for the normal network status. Hence, we have three groups of datasets for training and testing. All elements in a group are trained as mentioned in section IV, part C. The following elements are obtained:

Normal class: N_1, N_2, ..., N_L
Pre-attack class: P_1, P_2, ..., P_L
Attack class: R_1, R_2, ..., R_L

where N_i = (x_1, x_2, ..., x_9), P_i = (y_1, y_2, ..., y_9), and R_i = (z_1, z_2, ..., z_9). The testing dataset is obtained independently from the training dataset to ensure the accuracy of the process. The steps involved in the experiment are illustrated in detail in Fig. 6.

Fig. 6 Scheme of the experiment

The result obtained from the experiment is presented in TABLE I.

TABLE I
CLASSIFICATION RESULT

Network status class | Number of test elements | Correct classification | Incorrect classification
Normal               | 3000                    | 2790                   | 210
Pre-attack           | 2500                    | 2174                   | 326
Attack               | 1500                    | 1468                   | 32
Sum                  | 7000                    | 6432 (91.886%)         | 568 (8.114%)

The result of the experiment shows that our method is efficient enough for early detection of DDoS attacks. It can classify all elements well in a suitable computing time.

VI. CONCLUSIONS

In this study, we have introduced a general anti-DDoS framework, which can be applied and developed in the real world. We have also presented a suitable method for the early detection of DDoS attacks using the k-NN classifier. This method can also be applied in the first stage of our anti-DDoS framework. Many studies on DDoS attack detection have been carried out; however, they focus only on the change in network traffic. The methods based on data mining are suitable for the detection; however, they do not ensure real-time transfer of packets. Our method first selects nine features of packets/traffic that are widely found in the various phases of the attack. Then, the current network status is classified to determine the class to which it belongs. Hence, our method can classify the current network status well to detect DDoS attacks early. To evaluate this detection method, we analyzed the MIT Lincoln Lab dataset (2000 DARPA: Scenario DDoS 1.0) [13] and the dataset for the normal network status. The result shows that our method can classify the DDoS phases correctly and efficiently detect DDoS attacks early. Besides, the method, being simple, can be easily implemented. Short computing time and real-time transfer of packets can be achieved. In the future, we will carry out a detailed analysis of the features of DDoS attacks using a more advanced k-NN method or other methods and obtain a better result.
Finally, we will apply the method in practical situations and study the behavior of DDoS attacks and make modifications if possible. Moreover, we will develop a suitable and efficient method for the second stage of the anti-DDoS framework.

ACKNOWLEDGMENT

This work was supported by the Korea Science and Engineering Foundation (KOSEF) grant funded by the Korea government (MOST) (No. R01-2007-000-21070-0).

REFERENCES

[1] J. B. D. Cabrera et al., "Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study," Proceedings of the Seventh IFIP/IEEE International Symposium on Integrated Network Management, Seattle, May 2001, pp. 1-14.
[2] S. Chebrolu, A. Abraham, and P. J. Thomas, "Feature deduction and ensemble design of intrusion detection systems," Computers & Security, Vol. 24, issue 4, pp. 295-307, 2005.
[3] D. Gavrilis and E. Dermatas, "Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features," Computer Networks, Vol. 48, issue 2, pp. 235-245, 2005.
[4] G. Guo, H. Wang, D. Bell, Y. Bi, and K. Greer, "Using kNN model for automatic text categorization," Soft Computing - A Fusion of Foundations, Methodologies and Applications, Vol. 10, No. 5, pp. 423-430, 2006.
[5] S. Haykin, Neural Networks: A Comprehensive Foundation, Prentice Hall, Upper Saddle River, New Jersey, 1994.
[6] J. Ioannidis and S. M. Bellovin, "Implementing pushback: router-based defense against DDoS attacks," presented at the Network and Distributed System Security Symposium, 2002.
[7] M. Kim, H. Na, K. Chae, H. Bang, and J. Na, "A Combined Data Mining Approach for DDoS Attack Detection," ICOIN 2004, LNCS 3090, Springer-Verlag, Berlin Heidelberg, pp. 943-950.
[8] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, "DDoS attack detection method using cluster analysis," Expert Systems with Applications, Vol. 34, pp. 1659-1665, 2007.
[9] H. W. Lee, "SVM Based Packet Marking Technique for Traceback on Malicious DDoS Traffic," ICOIN 2006, LNCS 3961, Springer-Verlag, Berlin Heidelberg, pp. 754-763.
[10] S. C. Lin and S. S. Tseng, "Constructing detection knowledge for DDoS intrusion tolerance," Expert Systems with Applications, Vol. 27, pp. 379-390, 2004.
[11] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling high bandwidth aggregates in the network," ACM SIGCOMM Computer Communication Review, Vol. 32, No. 3, pp. 62-73, 2002.
[12] J. May, J. Peterson, and J. Bauman, "Attack detection in large networks," Proceedings of the DARPA Information Survivability Conference & Exposition II (DISCEX 01), Vol. 1, pp. 15-21, 2001.
[13] MIT Lincoln Lab, 2000 DARPA intrusion detection scenario specific datasets, http://www.ll.mit.edu/ist/ideval/data/2000/2000_data_index.html.
[14] T. M. Mitchell, Machine Learning, McGraw Hill, New York, 1996.
[15] K. Park and H. Lee, "A proactive approach to distributed DoS attack prevention using route-based packet filtering," Tech. Rep. CSD-00-017, Department of Computer Sciences, Purdue University, 2000.
[16] F. Sebastiani, "Machine learning in automated text categorization," ACM Computing Surveys, Vol. 34, issue 1, Consiglio Nazionale delle Ricerche, Italy, pp. 1-47, 2002.
[17] A. Sharma, A. K. Pujari, and K. K. Paliwal, "Intrusion detection using text processing techniques with a kernel based similarity measure," Computers & Security, Vol. 26, issue 7-8, pp. 488-495, 2007.
[18] B. Todd, Distributed Denial of Service Attacks, 2000, http://www.linuxsecurity.com/resource_files/intrusion_detection/ddosfaq.html.
[19] X. Xu, Y. Sun, and Z. Huang, "Defending DDoS Attacks Using Hidden Markov Models and Cooperative Reinforcement Learning," in Yang C.C. et al. (Eds.): PAISI 2007, LNCS 4430, Springer-Verlag, Berlin Heidelberg, pp. 196-207.
[20] A. Yaar, A. Perrig, and D. Song, "Pi: a path identification mechanism to defend against DDoS attack," Proceedings of the IEEE Symposium on Security and Privacy, 2003, pp. 93-107.

Hoai-Vu Nguyen is a graduate student in the Department of Systems Management & Engineering, Inje University, South Korea. He received his B.S. degree from the Department of Information Technology, Hanoi University of Technology, Vietnam. His research interests are network security, software engineering, natural language processing, and business process management.

Yongsun Choi is the Director of the BPM Laboratory and a Professor in the Department of Systems Management & Engineering at Inje University, South Korea.
He received his B.S. degree in Industrial Engineering from Seoul National University and his M.S. and Ph.D. degrees in Industrial Engineering from Korea Advanced Institute of Science and Technology. His research interests include workflow & business process management, service oriented architecture, and multiple-criteria decision making.