International Journal of Research in Computer and Communication Technology, Vol 4, Issue 10, October- 2015

Transcription

1 An algorithm for normal profile generation and for attack detection in terms of detection accuracy Ch S V V S N Murty 1 Bonda Mownika 2 1 Associate Professor, 2 M.Tech Student, 1 chsatyamurty@gmail.com, 2 mounicab3@gmail.com 1,2 Dept. of CSE, Sri Sai Aditya Institute of ScienceAnd Technology, Surampalem, East Godavari, AP India ABSTRACT: We present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) for precise network traffic description by take out the geometrical correlations between network traffic features. Our MCA-based DoS attack detection system uses the principle of anomaly-based detection in attack recognition. This makes our key competent of detecting known and unknown DoS attacks effectively by education the model of legitimate network traffic only. Furthermore, a triangle-area-based system is proposed to improve and to speed up the process of MCA. Networkbased detection systems can be classified into two main categories, namely misuse based detection systems and anomaly-based detection systems. Misuse-based detection systems detect attacks by monitoring network activities and come across for matches with the existing attack signatures. In malice of having high detection rates to known attacks and low false positive rates, misuse-based detection systems are without difficulty avoided by any new attacks and even alternative of the existing attacks. Keywords: Denial-of-Service attack, network traffic characterization, multivariate correlations, triangle area. the host machines which they are protecting. As a result, the configurations of network based detection systems are less intricate than that of host-based detection systems. In the red to the belief of detection which monitors and flags any network performance presenting momentous departure from legitimate traffic profiles as apprehensive objects, anomaly-based detection techniques explain more gifted in detecting zeroday intrusions that utilize previous unknown system vulnerabilities. II. RELATED WORK: Yuet algorithm.proposed an algorithm to distinguish DDoS attacks as of flash crowds by analyzing the flow correlation coefficient in the middle of doubtful flows. A covariance matrix based approach was designed to pit the multivariate correlation for chronological samples. Thought he approaches perk up detection correctness,it is weak to harass that linearly modify all monitored features. In addition, this approach can only sticker an whole group of observed samples as legitimate or attack traffic but not the individuals in the group. To deal with the above problems, an approach based on triangle area was presented to create superior discriminative kind. I. INTRODUCTION: III. LITERATURE SURVEY: Effective detection of DoS attacks is vital to the guard of online services. Work on DoS attack detection largely focuses on the expansion of network-based detection mechanisms. Detection systems based on these mechanisms observe traffic send out over the protected networks. These mechanisms liberate the protected online servers on or after monitoring attacks and make sure that the servers can contribute themselves to present quality services with least delay in response. Moreover, network-based detection systems are limply coupled with operating systems consecutively on THE AUTHOR, Vern Paxson (ET.AL), AIM IN [1], we describe a stand-alone scheme for detecting network intruders in real-time by inertly monitoring a network link over which the intruder's traffic transits. We give an impression of the system s design, which highlights high-speed (FDDI -rate) monitoring, real-time notification, clear separation flanked by device and policy, and extensibility. To attain these ends, Bro is divided into an event engine that decrease a kernel filtered network traffic stream into a series of higher-level events, and a policy script interpreter that understand Page 890

2 event handlers written in a particular language used to articulate a site's security policy. Event handlers can fill in state information, manufacture new events, record information to disk, and generate real-time notifications via syslog. of the proposed detection system are observed. The results show that our system outperforms two other up to that timedeveloped state-of-the-art approaches in terms of detection precisionvarious attacks from the user to avoid Network Intrusion. THE AUTHOR, Keunsoo Lee(ET.AL) AIM IN [2],Distributed Denial of Service (DDoS) attacks create vast packets by a large number of causes and can without difficulty tire out the calculate and communication resources of a victim within a short period of time. In this paper, we recommend a process for proactive detection of DDoS attack by make use of its structural design which consists of the selection of handlers and agents, the communication and compromise, and attack. We seem into the actions of DDoS attack and then plump for variables based on these features. After that, we achieve cluster breakdown for proactive detection of the attack. We experimentation with 2000 DARPA Intrusion Detection Scenario Specific Data Set in order to weigh up our method. The results show that each phase of the attack scenario is divider well and we can become aware of precursors of DDoS attack as well as the attack itself. VI. SYSTEM ARCHITECTURE: IV. PROBLEM DEFINITION: Interconnected systems, such as Web servers, database servers, cloud computing servers etc, are at the present beneath threads from network attackers. As one of mainly ordinary and violent means, Denial-of-Service (DoS) attacks cause grave impact on these computing systems. This makes our answer competent of sense known and unknown DoS attacks efficiently by knowledge the prototype of legal network traffic only. V. PROPOSED APPROACH: We present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) for precise network traffic description by take out the geometrical correlations flanked by network traffic features. Our MCA-based DoS attack detection system use the standard of anomaly-based detection in attack gratitude. This makes our answerable of detecting known and unknown DoS attacks successfully by knowledge the outline of rightful network traffic only. Also, a triangle-area-based technique is future to augment and to swiftness up the development of MCA. The success of our proposed detection system is appraise using KDD Cup 99 dataset, and the sway of both nonnormalized data and normalized data on the concert The basic description is produced from entrance network traffic to the internal network where protected servers live in and are used to shape traffic records for a well-defined time interval. Monitoring and analyzing at the end network decrease the overhead of notice malicious activities by intent only on pertinent in bound traffic. Multivariate Correlation Analysis, in which the Triangle Area Map Generation module is practical to remove the correlations between two distinct features within each traffic record approaching from the first step or the traffic record normalized by the Feature Normalization module in this step. The happening of network interruptions source changes to these correlations so that the changes can be used as indicators to see the intrusive activities. The anomaly-based detection mechanism is approved in Decision Making. It helps the discovery of any DoS attacks without necessitate any attack appropriate knowledge. Furthermore, the labour- intensive attack analysis and the frequent update of the attack signature database in the case of misuse-based detection are evaded. VII. PROPOSED METHODOLOGY: SENDER Page 891

3 In this module, the Sender browses the required file, initializes nodes and uploads to the end user (node a, node b, node c, node d, node e, node f) via Router. NETWORK The Router is responsible for forwarding the data file in shortest distance to the destination; the Router consists of Group of nodes, the each and every node (n1, n2, n3,n4,n5,n6,n7,n8,n8,n10,n11,n12,n13) consist of Bandwidth. If router had found any malicious or traffic node in the router then it forwards to the IDS Manager. In Router we can assign the bandwidth for the nodes and can view the node details with their tags Node Name, Sender IP, Injected data, bandwidth and status.. IDS MANGER The IDS manager is nothing but Intrusion Detection System manager which is responsible to filter the malicious data and traffic data. The IDS manager decides the phases based on Router status and then decides on two phases i.e., the Training Phase and the Test Phase. TRAINING PHASE The Normal Profile Generation module is operated in the Training Phase to generate profiles for various types of legitimate traffic records, and the generated normal profiles are stored in a database. Test Phase: The Tested Profile Generation module is used in the Test Phase to build profiles for individual observed traffic records. Then, the tested profiles are handed over to the Attack Detection module, which compares the individual tested profiles with the respective stored normal profiles END USER TheEnd user can be given the data file from the Service Provider which is sent via Router, if malevolent or traffic node is establish in the router then it onwards to the IDS Manager to sift the content and adds to the attacker profile. ATTACKER Themalicious node or the traffic node particulars can be recognized by a threshold-based classifier is in use in the Attack Detection module to distinguish DoS attacks from genuinetraffic.the Attacker can introduce the fake message and produce the signature to a meticulous node in the router with the help of threshold-based classifier in difficultstage and then adds to the attacker profile. NORMAL PROFILE GENERATION ALGORITHM Step 1:normal profile Pro is built throughthe density estimation of the MDs between individual legitimate training traffic records (TAMnormal, I lower ) and the expectation ( TAMnormal lower ) of the g legitimate training traffic records. Step2:The MD is computed and the covariance matrix is computed. Step3: The distribution of the MDs is described by two parameters, namely the mean μ and the standard deviation σ of the MDs. Step4: Finally, the obtained distribution N(μ,σ2) of the normal training traffic records, TAMnormallower and Cov are stored in the normal profile Pro for attack detection. The normal profile Pro is built through the density estimation of the MDs between individual legitimate training traffic records ( TAM normal lower) and the expectation (TAM normal lower) of the g legitimate training traffic records. Finally, the obtained distribution N (μ, σ2) of the normal training traffic records, TAM normal lower and Covare stored in the normal profile Pro for attack detection. ATTACK DETECTION BASED ON EUCLIDEANDISTANCE: Observed traffic record x observed, normal profile Pro: (N(μ,σ 2 ), TAM lower normal, Cov) and parameter α STEP1: Generate TAMobserved lower for the observed traffic record xobserved for the observed traffic STEP2: ED observed ED (TAM observed lower, TAM normal lower) STEP3: if(μobserved σ α ) EDobserved (μ + σ α)then STEP4: returnnormal STEP5: else STEP6: returnattack STEP7: end if If the ED between an observed traffic recordand the respective normal profile is greater than the threshold, it will be considered as an attack otherwise it is considered as normal. Page 892

4 VIII. RESULTS: true information and utilize more complex order systems to further lighten the false positive rate. XII. REFERENCES: Detection system for all time enjoys elevated detection rates while operational with the normalized data than with the original data. Last but not least, two state-of-the-art detection approaches, that is triangle area based nearest neighbors approach and Euclidean distance map based approach are certain to evaluate with our proposed detection system. IX. ENHANCEMENT: To improve detection accuracy of dos attack Euclidean distance with normal profile generation and introducing intrusion detection manager which filters malicious traffic. X. CONCLUSION: The authority of original non-normalized and normalized data has been considered in the paper. The results have exposed that when working with non-normalized data, our exposure scheme attains maximum 95.20% detection correctness though it does not work well in identifying Land, Neptune and Teardrop attack records. The difficulty, though, can be answered by make use of statistical normalization practice to get rid of the prejudice from the data. The results of appraise with the normalized data have shown a more encouraging detection accuracy of 99.95% and nearly100.00% DRs for the various DoS attacks. In addition, the computational complication and the time cost of the anticipated detection system have been analyzed. XI. FUTURE WORK: To be a piece without bounds work, we will further test our DoSAttack recognition framework utilizing [1] V. Paxson, Bro: A System for Detecting Network Intruders in Real-time, Computer Networks, vol. 31, pp , 1999 [2] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci- Fernndez, and E.Vzquez, Anomaly-based Network Intrusion Detection: Techniques,Systems and Challenges, Computers & Security, vol. 28,pp , [3] D. E. Denning, An Intrusion-detection Model, IEEE Transactionson Software Engineering, pp , [4] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, DDoSattackdetection method using cluster analysis, Expert Systems withapplications, vol. 34, no. 3, pp , [5] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, Intrusion detectionusing fuzzy association rules, Applied Soft Computing, vol. 9,no. 2, pp , [6] J. Yu, H. Lee, M.-S. Kim, and D. Park, Traffic flooding attack detectionwith SNMP MIB using SVM, Computer Communications, vol. 31, no. 17, pp , [7] W. Hu, W. Hu, and S. Maybank, AdaBoost- Based Algorithm fornetwork Intrusion Detection, Trans. Sys. Man Cyber. Part B, vol.38, no. 2, pp , [8] C. Yu, H. Kai, and K. Wei-Shinn, Collaborative Detection of DDoSAttacks over Multiple Network Domains, Parallel and DistributedSystems, IEEE Transactions on, vol. 18, pp , [9] G. Thatte, U. Mitra, and J. Heidemann, Parametric Methods foranomaly Detection in Aggregate Traffic, Networking, IEEE/ACMTransactions on, vol. 19, no. 2, pp , [10] S. T. Sarasamma, Q. A. Zhu, and J. Huff, Hierarchical KohonenenNet for Anomaly Detection in Network Security, Systems, Man, and Cybernetics, Part B: Cybernetics, IEEE Transactions on, vol. 35,pp , [11] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, DiscriminatingDDoS Attacks from Flash Crowds Using Flow CorrelationCoefficient, Parallel and Distributed Systems, IEEE Transactionson, vol. 23, pp , [12] S. Jin, D. S. Yeung, and X. Wang, Network Intrusion Detection incovariance Feature Space, Pattern Recognition, vol. 40, pp , [13] C. F. Tsai and C. Y. Lin, A Triangle Area Based Nearest NeighborsApproach to Intrusion Page 893

5 Detection, Pattern Recognition, vol. 43, pp , [14] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R. P. Liu, RePIDS: A multi-tier Real-time Payload-based Intrusion Detection System, Computer Networks, vol. 57, pp , [15] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, Denialof-Service Attack Detection Based on Multivariate CorrelationAnalysis, Neural Information Processing, 2011, pp Bonda Mownika is currently Persuing M.Tech from Sri Sai Aditya Institute of Science & Technology Surampalem, AP. She received her B.Tech Degree from the same institute. Her area of interest includes s networks, database and current trends in Computer Science. Ch.S V V S N Murty.He received hism.tech Degree in Information Technology from SRKR Engineering College, he is currently working as Associate Professor in CSE Department, Sri Sai Aditya Institute of Science & Technology Surampalem, AP, India. He is currently a Research Scholar. His research interests include Data Mining. Page 894