Model Based Prediction Technique for Denial of Service Attack Detection

Transcription

1 Model Based Prediction Technique for Denial of Service Attack Detection Tinju Grace Varghese, 4 th Semester Mtech Student, Caarmel Engineering College, Perunad Salitha M.K, Assistant Professor, Caarmel Engineering College, Perunad Abstract All the interconnected systems since the early days of commercially used internet, its system and network infrastructure have always been target of malicious parties. A denial of service attack is regarded as a major threat because of its ability to form a huge volume of unwanted traffic. It is hard to detect and respond to DoS attacks due to large and complex network environments. A prediction method is then proposed, in which the attacker behaviour can be predicted using a linear predictive coding. It uses a multivariate correlation analysis for accurate network traffic characterization by extracting the geometrical correlation between extracted and normalized network features.finally, the proposed prediction method is investigated to predict DoS attacks through simulation studies. Index terms Denial of service attack, multivariate correlations, linear predictive coding. I.INTRODUCTION As internet use is growing at an astounding rate, so also is the cyber-attacks by the hackers. These hackers exploit the flaws in the internet protocols, operating system and application software. So the Network security consists of policies to prevent and monitor unauthorized access, misuse and denial of service. Normally a packet contains IP address of the computer that originally sent it. But a sender IP address can be faked characterizing a spoofing attack which hides the source of the packets; for example in the case of denial of service attack. A potential solution involves intermediate internet gateways filtering or denying any packet deemed to be illegitimate. Denial-of-service (DoS) attacks are often annoying to the online users. DoS attacks severely degrade the performance of the victim and deny the service for a specific period of time from a few minutes to a long period of time. This causes serious damages to the services running on the victim.therefore, effective detection of Denial of service attacks are essential for easy access of services. Internet based denial of service attack can be classified into 2 ways namely direct denial of service attack and indirect denial of service attack. Direct denial of service attack model is focused to 34 take down a specific network or computer. Indirect denial of service attack model is more spreading and affects a large number of computers. So, efforts must be taken for the development of network based detection systems. These detection system monitor traffic transmitted over the protected network and ensure that the servers can dedicate themselves to provide good quality of service to the users with minimum delay in response. The different ways by which the network attack can be detected are mainly classified into two namely, misuse-based detection systems [1] and anomaly based detection systems [2]. Misuse based detection system detect network activities and look for matches in the existing attack signatures. Even though the misuse based detection systems can detect the existing attacks faster and low false positives, they are easily evaded by new attacks and variants of existing attacks. Another disadvantage of the system is that the signature database needs to be updated regularly and the updating process is manual and labour intensive. The disadvantages of the misuse based detection system led to the discovery of anomaly based detection system. It monitors and flags any network activities presenting significant deviation from the legitimate traffic as suspicious. II.RELATED WORKS The system based on techniques such as data mining [3], machine learning [4] and statistical analysis [5], [6] generally suffers from high false positives. This is due to the fact that it neglects the correlation between the features so the recent studies have focused on feature correlation analysis [7]. Yu et al. [8] proposed an algorithm to discriminate DDoS attacks from flash crowds by analysing the flow correlation coefficient among suspicious flows.it is found that DDoS attack flows possess higher similarity compared with that of flash crowd flows under the current conditions of botnet size and organization so a flow correlation coefficient is used as a metric to measure the similarity among suspicious flows to differentiate DDoS attacks from

2 genuine flashcrowds. But it has the following issues such as the trade-off between detection accuracy and cost and also once the detection strategy is known to attackers, it may develop new strategies to disable the detection. A covariance matrix-based approach was designed in [9] to mine the multivariate correlation for sequential samples. Although the approach improves the detection accuracy, it is vulnerable to attacks that linearly change all monitored features. To deal with the above problems; an approach based on triangle area was presented in [10] to generate better discriminative features. However, this approach has dependence on prior knowledge of malicious behaviors. More recently, Jamdagni et al. [11] developed a refined geometrical structure based analysis technique, where Mahalanobis distance (MD) was used to extract the correlations between the selected packet payloads. In the paper, a 3-Tier Iterative Feature Selection Engine (IFSEng) for feature subspace selection is used. Principal Component Analysis (PCA) technique is used for the pre-processing of data. Mahalanobis Distance Map (MDM) is used to discover hidden correlations between the features and between the packets. Mahalanobis Distance (MD) dissimilarity criterion is used to classify each packet as either a normal or an attack packet. But the disadvantage of the system is that it has high false positives and less accuracy. In [12], Tan et al. proposed a more sophiscated non payload based DoS detection approach using multivariate correlation analysis. Most existing IDS are optimized to detect attacks with high accuracy. However, it still has various disadvantages that have been outlined in a number of publications and a lot of work has been done to analyse IDS in order to direct future research. Besides others, major drawback is the large amount of alerts produced. Network intrusion detection systems and network prevention systems are placed at the ingress and egress points of the network in order to detect and prevent the anomalous traffic. As the resources of the interconnected system such as the web servers, database servers, cloud computing severs, etc. are located in the service providers local area networks that are commonly constructed using the same or alike network underlying infrastructure and are compliant with the underlying network model, the model based detection system can provide effective protection to all of these systems by considering their commonality. 35 III.SYSTEM ARCHITECTURE The Fig 1 depicts the system architecture of the proposed work. The whole detection process consists of three steps. The sample by sample detection mechanism is involved in the whole detection process. Fig 1: System Architecture In the first step, the basic features are extracted from the network traffic and form a traffic record for a specified period of time. The features extracted include the number of requests from each id, download size, protocol etc. Once the features are extracted, it needs to be normalized to avoid the abnormalities from the raw data. The second step is multivariate correlation analysis [13] which is applied to extract the correlations between two distinct features within each traffic record coming from the first step. The occurrence of network intrusions causes changes to this correlation so that the changes can be used as indicators to identify intrusive activities. In the third step, a model based prediction technique is used from which the attacker behaviour can be found based on historical data. It relies on the dynamic models of the process. It has the ability to anticipate the future events and can control actions accordingly. This helps in the early detection of attacks. IV.SAMPLE BY SAMPLE DETECTION Jin et al. [9] proved that the group based detection mechanism maintained a higher probability in classifying a group of sequential network traffic samples than the sample by sample mechanism. It was proved based on the assumption that the samples in a group were all from the same class. This restricts the application of group based detection to limited scenarios, because attacks can occur unpredictably and it is difficult to obtain a

3 group of sequential samples only from the same class. To overcome this limitation, the proposed work investigates the samples individually. As a result of sample by sample detection, attacks can be detected in a prompt manner, intrusive samples can be labelled individually and the probability of correctly classifying a sample into its population is higher than the one achieved using the group based detection mechanism. The sample by sample detection mechanism is illustrated through mathematical example in [9]. The dataset is first selected and read the features from it. The dataset includes the following features such as network id, time of access, data accessed, client supported type, status and the number of bytes of data accessed. From the dataset, 100 rows of data are selected and the corresponding network id, status of request, data size and client supported type are analysed. In addition to this, total bytes of data downloaded are also calculated. Basic features generated from the network traffic are used to form traffic records for a well-defined time interval. Features like message size, protocol usage and number of request are extracted. The number of requests coming from unique network id and total data access by unique network id is also calculated. V.MULTIVARIATE CORRELATION ANALYSIS The coefficient of multiple correlations is a measure of how well a given variable can be predicted using a linear function of a set of other variables. It is measured by the square root of determination, but under the particular assumptions the best possible linear predictors are used and the intercept is included, whereas the coefficient of determination is defined for more general cases, including nonlinear prediction in which the predicted values have not been derived from a model-fitting procedure. The multiple correlation takes values between zero and one; a higher value indicates a better predictability of the dependent variable from the independent variables, with a value indicating that the predictions are exactly correct and a value of zero indicating that no linear combination of the independent variables is a better predictor than is the fixed mean of the dependent variable. Multivariate correlation analysis is done in which triangle area map generation is applied to extract the correlations between two distinct features within each traffic record coming from the previous step. 36 The occurrence of network intrusions cause changes to these correlations so that the changes can be used as indicators to identify the intrusive activities. Algorithm for normal profile generation: Step 1: Begin for loop. Step 2: Divide sample into 9 slices. Step 3: Calculate each slice correlation. Step 4: End for loop. Step 5: Estimate mean and standard deviation. Step 6: Profile generated by storing mean and standard deviation in a variable. VI.PREDICTION TECHNIQUE Once a prediction model is trained, it can then be used for predicting the unknown values of the target output. Modelling techniques consist of two main phases: training and testing. In the training phase, prediction models are derived from a training data set that contains previously executed queries(i.e., training workload) and the observed performance values(i.e., execution times). In this phase, queries are represented as a set of features with corresponding performance values. The goal in training is to create an accurate and concise operational summary of the mapping between the feature values and the observed performance data points. The prediction models are then used to predict the performance of unforeseen queries in the test phase. In the fourth step, LPC technique is used to compute the mean, standard deviation and it can be used to predict the model. Prediction error is the difference between actual and expected results. The abnormal traffic can be analysed using the prediction error. To improve the detection efficiency, trained neural networks are used. Four metrics namely, true negative rate (TNR), detection rate (DR), false positive rate (FPR) and accuracy is used to evaluate the overall performance of the proposed system. Algorithm for prediction technique: Step 1: Collect network traffic packets and flow information in real-time. Step 2: Pre-process network traffic by estimating the mean and standard deviation. Step 3: By using the prediction model, predict the network traffic. Step 4: Find out the prediction error by: Err (n) = X (n) X p (n) X p (n) = -A (2)*X (n-1) A (3)*X (n-2) -... A (N+1)*X (n-n) A= [1 A (2)... A (N+1)], of an Nth order forward linear predictor.

4 Step 5: Detect the abnormal traffic by analysing prediction error. Step 6: Detect DoS by using trained neural network. IF Current value > adaptive weight value, then abnormal ELSE normal. VII.EXPERIMENTAL RESULTS AND DISCUSSION The evaluation of the model based prediction technique for denial of service attack detection system is conducted using KDD cup 99 dataset [17]. The dataset is publicly available and is mainly used in the intrusion detection studies. The overall evaluation process is as follows. First, the MCA approach is assessed for its traffic characterisation. In the training phase, the normal profile generated is used to find the correlation between the features. Changes to the geometrical structure may occur when anomaly behaviour appears. This provides a way to detect attacks. In order to accurately detect attack, in the testing phase linear predictive technique is used. Using this technique, the mean and standard deviation is computed and it can be used to predict the model. As a result, the attack can be detected based on the ground truth value. The performance of the LPC technique can be represented using the confusion matrix as shown in Fig 2. Confusion matrix is a specific table layout that allows visualization of an algorithm. Each column of matrix represents instances in a predicted class and each row represents instances in actual class. Consider 23 samples to determine the performance. Confusion matrix is generated using the following data. Targets = [ ] Outputs = [ ] Ground Predicted Metric Truth Value Value 0 0 True Negative 1 1 True Positive 1 0 False Positive 0 1 False Negative Table 1: Metric Table The TPR, FPR, TPR, FNR calculated with the help of the metric table as shown in Table 1. True Positive Rate = TP / TP + FN = 11 / 11 = 100% False Negative Rate = FN/ TP + FN = 0 / 11= 0 False Positive Rate = FP/ TN + FP = 1 / 12 = 8.3% True Negative Rate = TN/ TN + FP = 11 / 12 = 91.7% Accuracy = TP+TN / TP+FN+FP+TN = 22 / 23 = 95.7% Thus from the confusion matrix, it can be concluded that the accuracy of detection is 95.7%. The below Fig 3 depicts the ROC curve using a threshold classifier. It can be found from the graph that using threshold based attack detection accuracy of only 80% is obtained and there are chances that the actual attacks below the threshold value cannot be detected. In order to overcome this linear predictive technique is used in which by varying the threshold values the actual attacks can be detected with an increase in detection accuracy. 37 Fig 2: Confusion Matrix Fig 3: ROC curve for threshold classifier.

5 Fig 4: ROC curve of the existing and proposed system. The above Fig 4 depicts the comparison of the ROC curve using the threshold based detection and linear prediction technique. It is clear from the figure that the proposed system increases the detection accuracy and reduces the misclassification. VIII.CONCLUSION AND FUTURE ENHANCEMENT No matter whether there are attacks undergoing, if a server is overloaded even by normal service requests, the effect imposed to a service system is equivalent to that of attacks. The proposed prediction method to predict DoS attacks is investigated through simulation studies. Evaluation has been conducted using KDD Cup 99 data set [15] to verify the effectiveness and performance of the proposed DoS attack detection system. The influence of original (non-normalized) and normalized data has been studied. In the future, the model can be tested using real world data and employ more sophiscated classification techniques to further alleviate the false positive rate. REFERENCES [1] V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Computer Networks, vol. 31, pp , [2] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci- Fernndez, and E. Vzquez, Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges, Computers and Security, vol. 28,pp , [3] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, DDoS Attack Detection Method Using Cluster Analysis, Expert Systems with Applications, vol. 34, no. 3, pp , [4] J. Yu, H. Lee, M.-S. Kim, and D. Park, Traffic Flooding Attack Detection with SNMP MIB Using SVM, Computer Comm., vol. 31, no. 17, pp , [5] C. Yu, H. Kai, and K. Wei-Shinn, Collaborative Detection of DDoS Attacks over Multiple Network Domains, IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 12, pp , Dec [6] G. Thatte, U. Mitra, and J. Heidemann, Parametric Methods for Anomaly Detection in Aggregate Traffic, IEEE/ACM Trans. Networking, vol. 19, no. 2, pp , Apr [7] S.T. Sarasamma, Q.A. Zhu, and J. Huff, Hierarchical Kohonenen Net for Anomaly Detection in Network Security, IEEE Trans. Systems, Man, and Cybernetics, Part B: Cybernetics, vol. 35, no. 2, pp , Apr [8] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE Trans. Parallel and Distributed Systems, vol. 23, no. 6, pp , June [9] S. Jin, D.S. Yeung, and X. Wang, Network Intrusion Detection in Covariance Feature Space, Pattern Recognition, vol. 40, pp , [10] C.F. Tsai and C.Y. Lin, A Triangle Area Based Nearest NeighborsApproach to Intrusion Detection, Pattern Recognition, vol. 43, pp , [11] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R.P. Liu, RePIDS: A Multi Tier Real-Time Payload- Based Intrusion Detection System, Computer Networks, vol. 57, pp , [12] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, Denial-of- Service Attack Detection Based on Multivariate Correlation Analysis, Proc. Conf. Neural Information Processing, pp , [13] Zhiyuan Tan, ArunaJamdagni, Xiangjian He, Senior Member, IEEE, Priyadarsi Nanda, Member, IEEE, and Ren Ping Liu, A System for Denial-of- Service Attack Detection Based on Multivariate Correlation Analysis VOL. 25, NO. 2, Feb [14] Learning-based Query Performance Modeling and Prediction ;data engineering 2012 IEEE 28th international conference on. [15] M. Tavallaee, E. Bagheri, L. Wei, and A.A. Ghorbani, A Detailed Analysis of the KDD Cup 99 Data Set, Proc. IEEE Second Int l Conf.

6 Computational Intelligence for Security and Defense Applications, pp. 1-6, [16] S.J. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P.K. Chan, Cost- BasedModeling for Fraud and IntrusionDetection: Results from the JAM Project, Proc. DARPA Information Survivability Conf. and Exposition (DISCEX 00), vol. 2, pp , [17] A.A. Cardenas, J.S. Baras, and V. Ramezani, Distributed ChangeDetection for Worms, DDoS and Other Network Attacks, Proc.The Am. Control Conf., vol. 2, pp , [18] W. Wang, X. Zhang, S. Gombault, and S.J. Knapskog, Attribute Normalization in Network Intrusion Detection, Proc. 10th Int l Symp. Pervasive Systems, Algorithms, and Networks (ISPAN), pp ,