Detection of DDoS Attack on the Client Side Using Support Vector Machine

Similar documents
CHAPTER V KDD CUP 99 DATASET. With the widespread use of computer networks, the number of attacks has grown

Analysis of Feature Selection Techniques: A Data Mining Approach

Analysis of FRAUD network ACTIONS; rules and models for detecting fraud activities. Eren Golge

Big Data Analytics: Feature Selection and Machine Learning for Intrusion Detection On Microsoft Azure Platform

A Technique by using Neuro-Fuzzy Inference System for Intrusion Detection and Forensics

Classification Trees with Logistic Regression Functions for Network Based Intrusion Detection System

CHAPTER 2 DARPA KDDCUP99 DATASET

CHAPTER 5 CONTRIBUTORY ANALYSIS OF NSL-KDD CUP DATA SET

CHAPTER 4 DATA PREPROCESSING AND FEATURE SELECTION

Network attack analysis via k-means clustering

Intrusion Detection System Based on K-Star Classifier and Feature Set Reduction

INTRUSION DETECTION SYSTEM

FUZZY KERNEL C-MEANS ALGORITHM FOR INTRUSION DETECTION SYSTEMS

International Journal of Scientific & Engineering Research, Volume 6, Issue 6, June ISSN

Why Machine Learning Algorithms Fail in Misuse Detection on KDD Intrusion Detection Data Set

A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classification Algorithms

Machine Learning for Network Intrusion Detection

Classification of Attacks in Data Mining

Anomaly based Network Intrusion Detection using Machine Learning Techniques.

Feature Reduction for Intrusion Detection Using Linear Discriminant Analysis

Journal of Asian Scientific Research EFFICIENCY OF SVM AND PCA TO ENHANCE INTRUSION DETECTION SYSTEM. Soukaena Hassan Hashem

PAYLOAD BASED INTERNET WORM DETECTION USING NEURAL NETWORK CLASSIFIER

A COMPARATIVE STUDY OF DATA MINING ALGORITHMS FOR NETWORK INTRUSION DETECTION IN THE PRESENCE OF POOR QUALITY DATA (complete-paper)

A Hybrid Anomaly Detection Model using G-LDA

An Efficient Decision Tree Model for Classification of Attacks with Feature Selection

Basic Concepts in Intrusion Detection

Anomaly detection using machine learning techniques. A comparison of classification algorithms

Contribution of Four Class Labeled Attributes of KDD Dataset on Detection and False Alarm Rate for Intrusion Detection System

Data Reduction and Ensemble Classifiers in Intrusion Detection

A COMPARATIVE STUDY OF CLASSIFICATION MODELS FOR DETECTION IN IP NETWORKS INTRUSIONS

Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets

Association Rule Mining in Big Data using MapReduce Approach in Hadoop

A Back Propagation Neural Network Intrusion Detection System Based on KVM

Classifying Network Intrusions: A Comparison of Data Mining Methods

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

Experiments with Applying Artificial Immune System in Network Attack Detection

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes

NAVAL POSTGRADUATE SCHOOL THESIS

Analysis of TCP Segment Header Based Attack Using Proposed Model

Developing the Sensor Capability in Cyber Security

Hybrid Feature Selection for Modeling Intrusion Detection Systems

An Intelligent CRF Based Feature Selection for Effective Intrusion Detection

System Health Monitoring and Reactive Measures Activation

ATwo Stage Intrusion Detection Intelligent System

Feature Selection in UNSW-NB15 and KDDCUP 99 datasets

ANOMALY DETECTION IN COMMUNICTION NETWORKS

An advanced data leakage detection system analyzing relations between data leak activity

Cloud Computing Intrusion Detection Using Artificial Bee Colony-BP Network Algorithm

DATA REDUCTION TECHNIQUES TO ANALYZE NSL-KDD DATASET

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

Analysis of network traffic features for anomaly detection

Independent degree project - first cycle Bachelor s thesis 15 ECTS credits

A study on fuzzy intrusion detection

Intrusion Detection System with FGA and MLP Algorithm

Novel Technique of Extraction of Principal Situational Factors for NSSA

DDoS Detection in SDN Switches using Support Vector Machine Classifier

Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

DDoS Attacks Detection Using GA based Optimized Traffic Matrix

An Ensemble Data Mining Approach for Intrusion Detection in a Computer Network

DDOS Attack Prevention Technique in Cloud

Computer Security: Principles and Practice

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set

A Survey And Comparative Analysis Of Data

Intrusion Detection Using Data Mining Technique (Classification)

Review of Detection DDOS Attack Detection Using Naive Bayes Classifier for Network Forensics

Bayesian Learning Networks Approach to Cybercrime Detection

CSE 565 Computer Security Fall 2018

Combining Cross-Correlation and Fuzzy Classification to Detect Distributed Denial-of-Service Attacks*

The Caspian Sea Journal ISSN: A Study on Improvement of Intrusion Detection Systems in Computer Networks via GNMF Method

Collaborative Security Attack Detection in Software-Defined Vehicular Networks

Configuring attack detection and prevention 1

Fuzzy Grids-Based Intrusion Detection in Neural Networks

Two Level Anomaly Detection Classifier

Anomaly Detection in Communication Networks

Enhanced Multivariate Correlation Analysis (MCA) Based Denialof-Service

ScienceDirect. Analysis of KDD Dataset Attributes - Class wise For Intrusion Detection

9. Security. Safeguard Engine. Safeguard Engine Settings

Extracting salient features for network intrusion detection using machine learning methods

Network Anomaly Detection using Co-clustering

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN

Attack Prevention Technology White Paper

DDOS DETECTION SYSTEM USING C4.5 DECISION TREE ALGORITHM

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Detect Covert Channels in TCP/IP Header using Naive Bayes

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

Rough Set Discretization: Equal Frequency Binning, Entropy/MDL and Semi Naives algorithms of Intrusion Detection System

Deep Tensor: Eliciting New Insights from Graph Data that Express Relationships between People and Things

Configuring attack detection and prevention 1

DDoS Attacks Classification using Numeric Attribute-based Gaussian Naive Bayes

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Adaptive Framework for Network Intrusion Detection by Using Genetic-Based Machine Learning Algorithm

Anatomy and Mechanism of DOS attack

Feature Selection in the Corrected KDD -dataset

A hybrid network intrusion detection framework based on random forests and weighted k-means

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

LAWRA: a layered wrapper feature selection approach for network attack detection

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows

Applying Packet Score Technique in SDN for DDoS Attack Detection

Transcription:

Detection of DDoS Attack on the Client Side Using Support Vector Machine Donghoon Kim * and Ki Young Lee** *Department of Information and Telecommunication Engineering, Incheon National University, Incheon, 22012, Korea. ** Department of Information and Telecommunication Engineering, Incheon National University, Incheon, 22012, Korea. Corresponding author: Ki Young Lee, Professor. Abstract Nowadays, cyber-attack attempts have been increasing and DDoS (Denial of Service) attacks are one of the major threat in computer networks. It attempts server s resources unavailable and generates massive traffic on the network. These attacks are evolving very quickly in scope and complexity. Also, it is not possible to prevent the network congestion even if these attacks are detected on the server side, unless client as act a zombie blocks their attack packets. To detect DDoS attack early and invalidate the attack itself, this paper proposes a method to detect DDoS attack on the client side using machine learning algorithm Keywords: DDoS Attack, s Selection, SVM, Cyber Security, Machine Learning INTRODUCTION Nowadays, cyber-attack attempts have been increasing and DDoS (Denial of Service) attacks are one of the major threat in computer networks. In the past, DDoS attacks have forced server s resources to be used or making the network itself congested. However, recent scope of the attack has been extended to make zombie PC s hard drive unavailable for removing their cyber foot prints. And there are many side effects because of the attack. It generates huge traffic on the network, so many of the general users could suffer from low latency. Furthermore, the users who do not know that their PC is performed an attack may suffer financially by the billing. Therefore, not only servers need to detect the attack, but also clients should recognize whether the attack is performing by their own. It is possible to reduce network traffic and mitigate success of the attack to server. Many research studies continue to figure out the solution for DDoS attack. The traditional method for detecting DDoS attacks has been used the pattern matching. However, the methods of DDoS attacks are getting complicated and variant to avoid the pattern matching algorithms. In recent years, various types of machine learning methods have been introduced into detection systems to detect such complex, disordered, and changing attacks. However, machine learning algorithm can flexibly adapt to various variants of attacks. The remainder of this paper is organized as follows. In Section 2, we review publications in this research. In Section 3, we propose attributes for classification and propose a method for detecting DDoS attacks on the client side using SVM (support vector machine). Then we evaluate performance of our method and we make a conclusion and suggest future works. RELATED WORKS Many of detection method for DDoS attack using machine learning such as Bayesian network, SVM and other algorithms. The machine learning algorithms use predefined attributes for classification and generate a model using a large amount of data set composed of this information. Then apply the new data to this model for classification. Most of studies on DDoS detection using machine learning have studied the improvement of performance by decreasing the false positive rate, increasing the detection rate and/or decreasing computational complexity using 41 attributes and data set defined in KDD99 [1, 2]. Table 1. Basic features of individual TCP connections. duration protocol_type service src_bytes dst_bytes flag land wrong_fragment urgent length (number of seconds) of the connection type of the protocol. network service on the destination number of data bytes from source to destination number of data bytes from destination to source normal or error status of the connection 1 if connection is from/to the same host/port; 0 number of wrong fragments number of urgent packets 9909

Table 2. Content features within a connection suggested by domain knowledge. hot num_failed_logins logged_in num_compromised root_shell su_attempted num_root num_file_creations num_shells number of hot indicators number of failed login attempts 1 if successfully logged in; 0 number of compromised conditions 1 if root shell is obtained; 0 1 if su root command attempted; 0 number of root accesses number of file creation operations number of shell prompts num_access_files number of operations on access control files number of outbound commands in an num_outbound_cmds ftp session is_hot_login 1 if the login belongs to the hot list; 0 is_guest_login 1 if the login is a guest login; 0 Table 3. Traffic features computed using a two-second time window. count serror_rate rerror_rate same_srv_rate diff_srv_rate srv_count srv_serror_rate number of connections to the same host as the current connection in the past two seconds % of connections that have SYN errors % of connections that have REJ errors % of connections to the same service % of connections to different services number of connections to the same service as the current connection in the past two seconds % of connections that have SYN errors However, W. Wang et al. pointed out that some of the attributes may be redundant or even act like noise which decrease detection performance [3]. They ranked for 41 attributes through information gain and chi-square test. Then they showed that the best performance was obtained by using only 9 attributes through their experiment. S. Umarani et al. used PCA (principle component analysis) to reduce dimension to remove redundant and noise form attributes [4]. However, many of the attributes defined in KDD99 are composed of information that can be obtained from the server side and it contains information about various cyber-attacks such as unauthorized access from a remote machine, port scanning or buffer overflow, as well as information about DDoS as shown in the table 1-3, so it is not appropriate to use on the client side for detecting DDoS attacks. Therefore, it is one of the main issue to select appropriate attributes for detecting attacks from huge massive traffic. Other studies are focused on increasing performance with various machine learning algorithms used in detection of DDoS attacks including decision tree, Naïve Bayes, artificial neural networks and SVM [5-10]. Nowadays, SVM has become an extremely popular algorithm for classification and future estimate problems because Naïve Bayes and artificial neural networks depends on the number of data set and attributes. These algorithms require huge amount of data set to minimize empirical error. Therefore, in the absence of enough training set, a significant drop in performance may occurs. On the other hand, SVM requires relatively less data set than above techniques, so it performs very well without enough training set especially in binary classification. However, complex data transformations and resulting boundary plane are very difficult to interpret. PROPOSED ALGORITHM In this section, we propose attributes and a method for detecting DDoS attack on the client side. Detection performance in machine learning is dependent on the number and definition of valid attributes, and the number of training sets for learning. Since each machine learning has advantages and disadvantages, it is important to select the appropriate technique depending on the application. For binary classification, we defined attributes given in Table 4 and choose SVM as machine learning algorithm srv_rerror_rate % of connections that have REJ errors srv_diff_host_rate % of connections to different hosts 9910

Table 4. s for detecting DDoS attack on the client side. connection_duration header_size cumulative_size connected_port service flags protocol elapsed time time since connection ip packet header size Cumulative size of transmitted packets the number of connected port to the same host Network service on the destination normal or error status of the connection type of the protocol Connection_duration and cumulative_size can provide information to detect DDoS attack since most DDoS attacks continuously transmit massive packets to a victim server, the client side must keep an eye on the size of the accumulated packets over the time of the connection. Also, DDoS attacks such as SYN flood can be suspected when many ports are assigned to the same server. In addition, IP header information including header_size, service, flags and protocol are used for classifying normal and abnormal status. We use SVM method to create a model for normal and abnormal binary classification with a limited amount of training set for detecting DDoS attack on the client. The experiment was carried out in the following manner. All outgoing packets including normal and attack packets from a client were captured over three days for data collection. We installed a Tomcat web server on another PC, and the client performed DDoS attack to the server using DDoS attack tools, stacheldraht and tfn (tribe flood network) at some specific times. Figure 1 shows our DDoS attack scenario. Figure1. A DDoS attack scenario for collecting data. 9911

Afterwards, the captured packet information is converted into the values for the attribute defined above and marked with normal and attack packets. We randomly selected 100,000 datasets from the total data, used 70,000 and 30,000 of them training set and test set respectively. Of the 100,000 data sets, only about 15% of the data was marked as attack. The method used for DDoS attack is shown in Table 5 Table 5. Attack name and the number of data used for the attack Attack Name The number of data for training set The number of data for test set stacheldraht_icmp 1774 713 stacheldraht_udp 1962 802 stacheldraht_tcp_syn 1483 689 tfn_tcp 1502 643 tfn_udp 1621 832 tfn_tcp_syn 2054 894 RESULTS AND DISCUSSION We generate a model to detect DDoS attack using SVM and Bayesian networks with 10,396 training sets and then performed performance analysis using test sets. The results are shown in Table 6 and Table 7. Table 6. Accuracy of SVM and Bayesian networks with proposed attributes Method Detection Rate (%) False Positive Rate (%) SVM 99.94 0.143 Bayesian Networks 98.57 0.106 Table 7. Computational time evaluation for SVM and Bayesian networks with proposed attributes Method Training (s) Test (s) SVM 0.54 0.15 Bayesian Networks 1.43 0.32 From the results in the above two tables, SVM performs better than the Bayesian network in accuracy and computational time because the total number of data sets and the number of attributes are not large. Thus, SVM provides good performance even with a small number of data sets. However, the attack methods used in this experiment are not sophisticated or complicated enough as they are applied in practice, and the number of attributes is small and these attributes may not key attributes in detecting DDoS attacks as arbitrarily selected. Therefore, the reliability of this experiment may be lacked and it is necessary to design the experiment to increase the reliability in the future. Also, it may be reasonable to obtain the raw data packets of the various clients used in the actual DDoS attack and to use it for the performance evaluation. Furthermore, the key attributes extraction, such as client s network usage pattern or other network-related attributes, applicable to the client to increase the DDoS attack detection performance through the various studies will be additionally needed CONCLUSION In this paper, we have proposed some attributes and a method for detecting variant of DDoS attack on the client side using SVM. However, the attack methods used in this experiment are not sophisticated or complicated enough as they are applied in practice, and the number of attributes is small and these attributes are arbitrarily selected. Since the number of attributes and effectiveness for detection are very important for machine learning, it is necessary to use user s network usage pattern or other network-related attributes for practical applications. Also, obtaining the raw data packets of the various clients used in the actual DDoS attack is needed to reliable performance evaluation. Furthermore, future research will be needed to optimize performance using dimension reduction such as Information Gain, Chi-square statistics and PCA (principal component analysis). ACKNOWLEDGMENTS This work was supported by the Incheon National University Research Grant in 2014. REFERENCES [1] W. Lee, S. Stolfo, K. Mok, A Data Mining Framework for Building Intrusion Detection Models, Proceedings of the 1999 IEEE Symposium on Security and Privacy, (1999), 120-132. [2] KDD Cup 1999 data: http://kdd.ics.uci.edu/databases/kdd99/kddcup99.html 9912

[3] Wei Wang, Sylvain Gombault, Efficient Detection of DDoS attacks with Important Attributs, Third International Conference on Risks and Security of Internet and Systems: CriSIS 2008, (2008), 61-67. [4] S. Umarani, D. Sharmila, Predicting Application Layer DDoS Attacks Using Machine Learning Algorithms, International Journal of Computer, Electrical, Automation, Control and Information Engineering, Vol 8, No 10, (2014), 1907-1912. [5] Taeshik Shon, Yongdae Kim, Cheolwon Lee, Jongsub Moon, A machine learning framework for network anomaly detection using SVM an GA, Information Assurance Workshop, (2005), 176-183. [6] S. Seufert, D. O Brein, Machine Learning for Automatic Defence Against Distributed Denial of Service Attacks, Communications, (2007), 1217-1222. [7] T. Subbulakshmi, K. BalaKrishnan, S. Mercy Shalinie, D. AnandKumar, V. GanapathiSubramanian, K. Kannathal, Detection of DDoS attacks using Enhanced Support Vector Machines with real time generated dataset, Advanced Computing (ICoAC), (2011), 17-22. [8] A. Ramamoorthi, T. Subbulakshmi, S. Mercy Shalinie, Real time detection and classification of DDoS attacks using enhanced SVM with string kernels, Recent Trends in Information Technology (ICRTIT), (2011), 91-96. [9] Sujay Apale, Rupesh Kamble, Manoj Ghodekar, Hitesh Nemade, Rina Waghmode, Defense Mechanism for DDoS Attack Through Machine Learning, International Journal of Research in Engineering and Technology, Vol. 03, Issue 10, (2014), 291-294. [10] Niharika Sharma, Amit Mahajan, Vibhakar Mansotra, Machine Learning Techniques Used in Detection of DOS Attacks: A Literature Review, International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 6, Issue 3, (2016), 100-105. 9913

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback