TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED DENIAL-OF-SERVICE ATTACK DETECTION

Transcription

1 International Journal of Computer Engineering and Applications, Volume IX, Issue VI, June ISSN TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED Sumaiya Samreen 1 and Dr. Shubhangi D C 2 1 Student, 2 Professor Department of Computer Science and Engineering, VTU RO, Kalaburagi, India ABSTRACT: The world of information has become immensely open with the widespread growth in IT industry. This growth, while it has opened the doors for infinite developments, has also paved the path for welcoming a variety of threats that attack the data and the systems worldwide. Among many such attacks one of the most menacing and aggressive attacks is the Denial of Service attack. In this paper, a proposal is made for DoS attack detection using Anomaly based technique. We also propose the use of Multivariate Correlation Analysis (MCA) that extracts the geometrical correlations between multiple network traffic features to determine the anomalous patterns that can signal a potential attack. Furthermore, to power up the MCA process we make use of Triangle Area Map technique. Evaluation of the overall process is performed using the KDD Cup 99 Data set. The proposed MCA system is examined for both non-normalized and normalized data sets. With our proposed system the detection rates and the false positive rates are much better than the other state-of-the-art detection systems. Keywords: Denial-of-Service attacks, Multivariate Correlation Analysis, Triangle Area Maps, Anomaly Based Intrusion Detection System, and False Positive Rates. [1] INTRODUCTION Ease of access and sharable nature of the internet has widely opened the doors for many threats that can have drastic effects on the computer Systems. Among multiple threats that abuse, corrupt and deteriorate the computer systems, Denial of Service attacks are the most menacing and aggressive attacks. DoS attacks are a class of attacks initiated by an individual or a group of individuals exploiting the aspects of the Internet Protocol to deny other users from legitimate access to systems and information. These attacks tend to temporarily paralyze the victim, which can be a user, a host, a router or an entire network. Online Servers, Database Servers, Cloud Servers etc, are the most common victims of DoS attacks. Most of the existing systems have security flaws that render them susceptible to penetrations, intrusions and other forms of abuse; Denial of Service attacks is one of the most difficult attacks to defend against. Damages can be significant for e-commerce and eservices where huge monetary values are at stake all the time and Server and system unavailability can result in loss of millions of dollars. Previously, DoS attacks targeting specific hosts did not present risks of penetrations or data tampering thus were often not rated high in priority. However, DoS attacks can generate huge audit logs or use up Sumaiya Samreen and Dr. Shubhangi D C 31

2 TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED computing resources, which can become a nuisance or loss to businesses. DoS attacks have become a serious threat for applications that require high availability and thus needs to be mitigated effectively. There are many state-of-the-art DoS attack detection techniques that can fairly detect the ongoing attacks, but they suffer from low accuracy and low detection rates with high false alarm rates. [2] RELATED WORK Research done until time now has shown that Denial of Service attack cannot be merely resolved with single product solution, but rather a holistic approach is required to look into all elements of the computing, networking and system, including the design, implementation and maintenance, to ensure all measures are applied to reduce the single point of failure and to ensure resistance to attacks.. [1] Presents a detailed analysis of DoS attack detection based on computer vision techniques, [2], [3], [4] Shows the studies related to Misuse based detection systems and Anomaly-Based detection systems. The most important advantage of anomaly-based detection is the ability to detect novel attacks for which signatures have not yet been defined. Nevertheless, these algorithms require a set of purely normal data from which they train their model; if the training data is already impure and contains traces of intrusions, the algorithm may not detect future instances of these attacks as it assumes them to be normal. Legitimate profile generation for Anomaly-Based systems involve data mining techniques [5], [6], machine learning methodologies [7], [8] and statistical analysis [9], [10]. A more enhanced version of the anomaly based technique is proposed in [11] which inspire using Principle Component Analysis to provide better detection results. [12] Presents a payload-based anomaly detector (PAYL), for intrusion detection. PAYL models the normal application payload of network traffic in an unsupervised and fully automatic fashion. But PAYL is a very complex process as it involves extraction of IP payload and its characterization. [13] Shows that the anomaly detectors suffer from high false positive alarm rates because the correlation between the attributes or features is neglected or are not exploited significantly. Current studies are booming with a focus on leveraging the concept of extraction of discriminate features and feature correlation analysis [14]. [15] Proposes feature selection techniques that select effective features or attributes which discriminate the normal traffic from that of attack traffic. In [16], flow correlation coefficient, a theoretic parameter, is used to differentiate DoS attack from flash Crowd and trace the sources of the DoS attack. Further developments led to the addition of data mining principles to enhance the detection accuracy. Naïve Bayes classifiers were used in [17] to classify the training data and the test data with the help of K-means clustering approach. Multivariate Correlation Analysis (MCA) in [18], [19] extracts features from the network traffic and gauges the correlative information hiding among the features. To enhance the detection rates in our proposed system we use Anomaly-Based scheme combined with MCA that mines crucial correlations hidden among the features, and which is capable of characterizing both known and unknown network traffic attacks. We propose the use of triangle area generation method that builds triangle area maps to boost up the entire MCA process. KDD Cup 99 Dataset [20] is then used to evaluate the MCA process for both normalized and non- 32

3 International Journal of Computer Engineering and Applications, Volume IX, Issue VI, June ISSN normalized profiles. Our proposed systems shows great detection rates and has significantly low or zero false alarm rates and proves to be much efficient than the existing state-of-the-art systems. [3] SYSTEM ARCHITECTURE System architecture of DoS detection is essentially divided into three steps as shown in fig 1. Step 1: Basic feature generation from ingress network traffic. Step 2: Multivariate Correlation Analysis and Triangle area map generation for individual records. Step 3: Decision Making and Attack detection To achieve high level of attack detection, the framework should be based on a feature space that provides a good characterization of anomalous activity. In Step1 the incoming or the ingress network traffic is used to extract the basic features that define the network traffic flow in a well defined manner. These features are carefully selected so that we obtain non redundant and non biased features. The quality of the feature has a significant impact on the performance of detection techniques. The features that fail to provide accurate characterization for network traffic records make the techniques suffer from low accuracy. In step 2 the MCA process takes the raw/original features or the normalized features and applies Triangle area map generation method for each individual record. The Triangle Area Maps (TAMs) generated in this step form the traffic records that are fed to the Decision Making step. Step 3, has three phases, Training phase, Test phase and Attack Detection phase. The TAMs generated in step 2 are used to build a normal profile during the training phase. This normal profile represents the normal behaviour of the traffic flow, or it represents a model network traffic that is considered to be legitimate. These normal profiles are preserved in a database. During the test phase, the Test generation profile takes in the incoming TAMs to build a test profile. In the Attack Detection phase, the test profiles are compared with the normal profiles stored in the database. A threshold based classifier is used in this phase. If the deviation between the normal profile and the test profile is significantly greater than the threshold then the system is considered to be under DoS attack. Figure:1 Framework of DoS attack Detection Sumaiya Samreen and Dr. Shubhangi D C 33

4 TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED [4] MULTIVARIATE CORRELATION ANALYSIS The network traffic tends to possess statistical properties that reflect its behaviour. When a victim is under DoS attack, its traffic behaviour tends to deviate significantly from that of the normal traffic behaviour. Thus, using statistical properties we can reveal many differences in multivariate correlations that can be monitored to predict any potential attacks. In [19], Given an arbitrary dataset X = [x 1, x 2 x n] where x i= [f 1 i, f 2 i,, f n i ] (1 i n) represents the i th m- dimensional traffic record. Where is the value of the l th feature in the i th traffic record, l and i are varying from 1 to m and from 1 to n respectively. For determining the inner correlations of the i th traffic record on a multi-dimensional space, the record x i is first transformed into a new m-bym feature matrix x i by projecting it on a (i, j) th two-dimensional Euclidean Subspace as S i,j,k = [c j c k]x i. The vectors c j=[e j,1 e j,2 e j,3 e j,m] and c k=[e k,1 e k,2 e k,3 e k,m] have all zeros apart from (j, j) th and (k, k) th elements. S i,j,k is a two-dimensional column vector. On the Cartesian coordinate system, a triangle Δf i i j Οf k is formed by taking the origin and the projected points of the coordinates (f i j, f i k ) on the j-axis and k-axis. Its area TArea i j,k is defined as: TArea i j,k=( (f j i,0)-(0,0) (0, f k j )-(0,0) )/2 (1) Where 1 i n, 1 j m, 1 k n and j k. A Triangle Area Map is constructed by arranging the triangle areas on the map with respect to their indexes. For example, For example, the Tmap i j,k is positioned on the j th row and the k th column of the map Tmap i, which has a size of m m. The Tmap i is a symmetric matrix having elements of zero on the main diagonal. Therefore, to perform a quick comparison of the two TAMs, we can choose to investigate either the upper triangles or the lower triangles of the Tmaps only. Therefore, the correlations residing in a traffic record (vector xi) can be represented effectively and correctly by the upper triangle or the lower triangle of the respective Tmap i. For consistency, we consider the lower triangles of Tmaps in the following sections. The lower triangle of the Tmap i is converted into a new correlation vector Tmap i lower denoted as: Tmap i = [TArea i 2, 1 TArea i 3,1 TArea i m, 1 TArea i 3, 2 TArea i 4, 2 TArea i m,2 TArea i m,m 1]. These Tmaps can be represented geometrically as: Xmap = {Map 1, Map 2, Map 3,, Map l }. Using this MCA approach along with triangle-area-based technique reveals the correlations between distinct pairs of features. Changes to these correlations as a result of network traffic anomaly, can be seen as the best indicators to a possible attack. [5] ATTACK DETECTION MECHANISM [5.1] NORMAL PROFILE GENERATION The generation of the normal profile proceeds as follows. Given a set of l legitimate training traffic records Xnorm= {x1, x2,, xl} we apply the Triangle-Area-Based MCA to each record. The lower triangle of l legitimate training traffic records are denoted by Xmap = {NMap 1, NMap 2, NMap 3,, NMap l }.The dissimilarity between the traffic records is measured using the Mahalanobis Distance (MD) which is a good multivariate outlier detection technique. MD tends evaluate the distance between two records by taking into account the correlations between the variables. The input to the algorithm is the lower triangle of the legitimate traffic, Xmap. The 34

5 International Journal of Computer Engineering and Applications, Volume IX, Issue VI, June ISSN output of the algorithm is the normal profile Norm. Step 1 calculates the Expectation E of l legitimate training traffic records. Algorithm: Normal Profile Generation Input: NMap with l elements Output: Normal Profile Norm NMap i l i=1 1. E(NMap) 1 l 2. Generate the Covariance matrix Cov using (2) 3. for i=1 to l do 4. MDNorm i MD(NMap i, E(NMap)) 5. end for 6. µ 7. σ 1 l 1 l 1 MDNorm i l i=1 l i=1 (MDNorm i μ)² 8. Norm (N(μ, σ2),e(nmap), Cov) 9. return Norm The second step calculates the covariance matrix Cov that is required for the Mahalonobis Distance (MD) calculation. Steps 3-5 have a for loop that calculates Xmap and the expectation E(Xmap) of the l legitimate training traffic records. Cov = (2) (3) MDNorm i = (4) MDObserved= (5) [5.2] SELECTION OF THRESHOLD Threshold is a quantitative point above or below which a certain action is triggered. The proposed scheme uses threshold based techniques to differentiate normal profiles from the attack profiles. The Threshold values are selected such that they form a better classifier of records. The equation to set the threshold is: Threshold= μ + σ *α. (6) [5.3] ATTACK DETECTION Sumaiya Samreen and Dr. Shubhangi D C 35

6 TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED In order to detect DoS attacks, MCA and triangle-area-based methods are applied to the incoming traffic records to from the TAM Omap for the observed traffic record X O. The Mahalanobis distance between the Omap and Expectation (NMap) stored in the normal profile Norm is computed using (4) Algorithm: Attack Detection Input: Observed traffic record X O, normal profile Pro: ( N(μ, σ2),e(nmap), Cov ) and parameter α Output: Returns the flag Attack if there is an illegitimate record, else returns Normal flag for normal records 1. Generate Omap for the observed traffic record X O 2. MDObserved MD(Omap, NMap) 3. if (μ σ * α) MDObserved (μ + σ * α) then 4. return Normal 5. else 6. return Attack 7. end if [6] RESULTS AND ANALYSIS The proposed scheme is evaluated using the KDD Cup 99 Data Set [20]. It consists of millions of records obtained by monitoring the network traffic over a certain period of time. Since the data set is too huge to be used, we only use the 10percent data of labeled KDD Cup Set which is available publicly, for the purpose of evaluating our proposed system. It consists of three types of legitimate traffic records for UDP, TCP and ICMP traffic and six different types of DoS attacks like Teardrop, Smurf, Pod, Neptune, Land and Back attacks. The evaluation proceeds by first determining the capability of MCA in distinguishing the network traffic efficiently. Later, four matrices namely, True Negative Rate (TNR), Detection Rate (DR), False Positive Rate (FPR) and Accuracy are considered to evaluate the detection accuracy. Figure: 2. Images of TAMs of Normal TCP traffic, Back, Land and Neptune attacks generated using original data. The greater the value of the element, the greater the brightness is. The overall FPR and DR are highlighted in Table 1. Regardless the types of attacks, the overall FPR and DR are computed 36

7 International Journal of Computer Engineering and Applications, Volume IX, Issue VI, June ISSN over all traffic records. With the values of thresholds varying from 1 σ to 3 σ, the FPR tends to decrease from 1.26% to 0.53%, while DR and accuracy tends to deteriorate from 95.11% to 86.98% and 95.20% to 87.28%. The major drawback of raw or original data here is the fact that different features have values with different scales varying from large values to small values. With such data the correlation coefficients tend to be inappropriate to be taken into account. This is the reason for the serious degradation of the detection rates for teardrop and back attacks. TABLE 1 Detection Rate and False Positive Rates Achieved by the Proposed System on Original Data Threshold 1 σ 1.5 σ 2 σ 2.5 σ 3 σ FPR 1.36% 0.97% 0.87% 0.75% 0.54% DR 95.50% 89.56% 88.11% 87.61% 86.99% Accuracy 95.20% 89.67% 88.38% 87.79% 87.28% [6.2]RESULTS AND ANALYSIS ON NORMALIZED DATA Table 2 shows the Average Detection Performance of the Proposed MCA Scheme on Normalized data. The benefits of normalizing the raw data are clearly visible in Table 2 where the detection rate and accuracy has increased dramatically. The overall FPR has also become much better as a result of normalizing the data. TABLE 2 Detection Rate and False Positive Rate Achieved by the Proposed System on Normalized Data Threshold 1 σ 1.5 σ 2 σ 2.5 σ 3 σ FPR 2.64% 2.03% 1.68% 1.44% 1.25% DR % 99.99% 99.97% 99.97% 99.96% Accuracy 99.98% 99.95% 99.93% 99.93% 99.93% [6.3]PERFORMANCE COMPARISONS The performance of the two evaluations on original data and normalized data with respect to the bar charts is shown in Fig. 3 and Fig. 4 respectively. The relationship between DR FPR and Accuracy is clearly revealed in these figures. The DR increases when false positives are tolerable. Sumaiya Samreen and Dr. Shubhangi D C 37

8 TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED Figure: 3. DR v/s FPR for original data Figure: 4. DR v/s FPR for original data [7] CONCLUSION Anomaly-Based NIDS powered by MCA and triangle area based technique is proposed in this paper, to bring up an efficient DoS attack detection System. The Anomaly-based systems are capable of detecting both known and unknown attacks unlike the Signature based systems. The MCA approach is used in this process to find the correlations between the multiple network traffic features that define a particular connection. The normal traffic is monitored to build a normal profile that is stored in the database. The observed profile of the incoming network traffic is then compared with the normal profile to find any deviations. If there are any such deviations and if the deviations cross the predetermined threshold value, the system would be considered to be under DoS attack. To power up the MCA process and to increase its efficiency, we propose Triangle Area based attack detection technique that enhances the MCA s efficiency by a great level. After evaluating our proposed scheme by using KDD Cup 99 dataset and analyzing its detection accuracy over original data and normalized data, we can conclude that this technique is the most efficient DoS attack detection technique among the many state-of-the-art attack detection techniques available today. For future enhancements we would like to work on the real world data rather than the publicly available KDD Cup 99 Dataset which is considered to have redundant records. Additionally speeding up the generation of Triangle area maps will be an important issue along with the focus on reducing FPR to a certain more degree. REFERENCES [1] Zhiyuan Tan, Aruna Jamdagni, Priyadarsi Nanda, Ren Ping Liu and Jiankun Hu Detection of Denial-of-Service Attacks Based on Computer Vision Techniques, IEEE TRANSACTIONS ON COMPUTERS. [2] V. Paxson, Bro: A System for Detecting Network Intruders in Realtime, Computer Networks, vol. 31, pp , 1999 [3] D. E. Denning, An Intrusion-detection Model, IEEE Transactions on Software Engineering, pp ,

9 International Journal of Computer Engineering and Applications, Volume IX, Issue VI, June ISSN [4] ] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci-Fernndez, and E.Vzquez, Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges, Computers & Security, vol. 28, pp , [5] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, DDoS attack detection method using cluster analysis, Expert Systems with Applications, vol. 34, no. 3, pp , [6] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, Intrusion detection using fuzzy association rules, Applied Soft Computing, vol. 9, no. 2, pp , [7] J. Yu, H. Lee, M.-S. Kim, and D. Park, Traffic flooding attack detectionwith SNMP MIB using SVM, Computer Communications, vol. 31, no. 17, pp , [8] W. Hu, W. Hu, and S. Maybank, AdaBoost-Based Algorithm for Network Intrusion Detection, Trans. Sys. Man Cyber. Part B, vol.38, no. 2, pp , [9] C. Yu, H. Kai, and K. Wei-Shinn, Collaborative Detection of DDoS Attacks over Multiple Network Domains, Parallel and Distributed Systems, IEEE Transactions on, vol. 18, pp , [10] G. Thatte, U. Mitra, and J. Heidemann, Parametric Methods for Anomaly Detection in Aggregate Traffic, Networking, IEEE/ACM Transactions on, vol. 19, no. 2, pp , [11] Yuh-Jye Lee, Yi-Ren Yeh, and Yu-Chiang Frank Wang, Anomaly Detection via Online Oversampling Principal Component Analysis, IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 25, NO. 7, 2012 [12] Ke Wang, Salvatore J. Stolfo, Anomalous Payload-based Network Intrusion Detection, [13] S. T. Sarasamma, Q. A. Zhu, and J. Huff, Hierarchical Kohonenen Net for Anomaly Detection in Network Security, Systems, Man, and Cybernetics, Part B: Cybernetics, IEEE Transactions on, vol. 35, pp , [14] Eunhye Kim, Seungmin Lee, Kihoon Kwon and Sehun Kim, Feature Construction Scheme for Efficient Intrusion Detection System, JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 26, (2010) [15] S. Jin, D. S. Yeung, and X. Wang, Network Intrusion Detection in Covariance Feature Space, Pattern Recognition, vol. 40, pp , [16] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, Parallel and Distributed Systems, IEEE Transactions on, vol. 23, pp , [17] Uma Subramanian and Hang See Ong, Analysis of the Effect of Clustering the Training Data in Naive Bayes Classifier for Anomaly Network Intrusion Detection, Journal of Advances in Computer Networks, Vol. 2, No. 1, March [18] C. F. Tsai and C. Y. Lin, A Triangle Area Based Nearest Neighbors approach to Intrusion Detection, Pattern Recognition, vol. 43, pp , [19] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, Denialof-Service Attack Detection Based on Multivariate CorrelationAnalysis, Neural Information Processing, 2011, pp [20] M. Tavallaee, E. Bagheri, L. Wei, and A. A. Ghorbani, A Detailed Analysis of the KDD Cup 99 Data Set, The The Second IEEE International Conference on Computational Intelligence for Security and Defense Applications, 2009, pp Sumaiya Samreen and Dr. Shubhangi D C 39

10 TRIANGLE AREA MAP POWERED MULTIVARIATE CORRELATION ANALYSIS FOR ANOMALY BASED Author[s] brief Introduction SUMAIYA SAMREEN Received Bachelor of Engineering Degree in Computer Science & Engineering in Currently a student of M.Tech Degree program of Computer Science & Engineering at VTU PG Center Regional Office, Kalaburagi. Address: DR. SHUBHANGI D. C. Received engineering degree B.E. in Electronics & communication in 1995, M.Tech in Computer Science & Engg. In 2001, and completed the Ph.D. in Computer Science and Engineering in July She had worked as Asst. Professor and professor in the various engineering colleges. She is currently working as professor and HOD of M.Tech. CSE PG Course in Visvesvaraya Technological University, Centre of PG Studies, Regional Office, Gulbarga. Her current Research includes pattern recognition, pattern classification, machine learning techniques and Image processing. She had published twenty eight papers in International Journals and six papers in International Conferences. 40