M2KMIX: Identifying the Type of High Rate Flooding Attacks using a Mixture of Expert Systems


Author(s)

Arun Raj Kumar P. 1,* S. Selvakumar 1

1. Department of Computer Science and Engineering, National Institute of Technology (NIT), Tiruchirappalli – 620015. Tamil Nadu State, INDIA

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2012.01.01

Received: 12 May 2011 / Revised: 17 Sep. 2011 / Accepted: 8 Nov. 2011 / Published: 8 Feb. 2012

Index Terms

High Rate Flooding, Neural Networks, Machine Learning, Ensemble of Classifiers

Abstract

High rate flooding attacks such as SYN flood, UDP flood, and HTTP flood pose a perilous threat to Web servers, DNS servers, Mail servers, VoIP servers, etc. These high rate flooding attacks deplete the limited capacity of the server resources. Hence, these critical resources need protection from high rate flooding attacks. Existing detection techniques used in Firewalls, IPS, IDS, etc., fail to identify the illegitimate traffic because it is self-similar to legitimate traffic, and they suffer from low detection accuracy and high false alarms. Also, very few works in the literature have focused on identifying the type of attack. This paper focuses on identifying the type of high rate flooding attack with high detection accuracy and fewer false alarms. Attack type identification is achieved by training the classifiers with different feature subsets, so that each trained classifier is an expert in a different feature space. High detection accuracy is achieved by creating a mixture of expert classifiers, and the ensemble output decision is identified by our proposed Preferential Agreement (PA) rule. Our proposed classification algorithm, M2KMix (a mixture of two Multi Layer Perceptron and one K-Nearest Neighbor models), differs from the existing solutions in feature selection, error cost reduction, and attack type identification. M2KMix was trained and tested with our own SSE Lab 2011 dataset and the CAIDA dataset. Detection accuracy and false alarms are the two metrics used to compare the performance of the proposed M2KMix algorithm with the existing output combination methods such as mean, maximum, minimum, and product. From the simulation results, it is evident that the M2KMix algorithm achieves high detection accuracy (97.8%) with fewer false alarms than the existing output combination methods.
M2KMix identifies three types of flooding attacks, viz., SYN flood, UDP flood, and HTTP flood, with detection accuracies of 100%, 93.75%, and 97.5%, respectively.
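The abstract compares its PA rule against the standard output combination methods (mean, maximum, minimum, product) using detection accuracy and false alarms. The following is an added example, not code from the paper or its authors: it implements those four standard fusion rules over the posterior vectors of three hypothetical experts, and scores each rule with the two metrics the abstract names on a small constructed sample set. The class layout (one legitimate class plus the three attack types), the expert outputs and the metric definitions are assumptions made for the example; the paper's Preferential Agreement rule is not described on this page and is not implemented.

```python
# Added example (not code from the paper or its authors): the standard
# mean / maximum / minimum / product output-combination rules for a mixture
# of expert classifiers, scored with the two metrics the abstract names,
# detection accuracy and false alarm rate. The paper's Preferential
# Agreement (PA) rule is not described on this page and is not implemented.
from math import prod

# Class layout assumed for the example: one legitimate class plus the
# three attack types the paper identifies.
CLASSES = ("legitimate", "syn_flood", "udp_flood", "http_flood")
LEGIT = 0


def combine(posteriors, rule):
    """Fuse per-expert posterior vectors (one list per expert, indexed like
    CLASSES) with a fixed rule and return the winning class name.
    Ties resolve to the lowest class index, i.e. 'legitimate' first."""
    n = len(CLASSES)
    # Per-class score lists gathered across the experts.
    cols = [[p[i] for p in posteriors] for i in range(n)]
    rules = {
        "mean": lambda c: sum(c) / len(c),
        "max": max,
        "min": min,
        "product": prod,
    }
    if rule not in rules:
        raise ValueError(f"unknown combination rule: {rule}")
    scores = [rules[rule](c) for c in cols]
    return CLASSES[max(range(n), key=scores.__getitem__)]


def evaluate(samples, rule):
    """samples: list of (true_class, [expert posteriors]).
    detection_accuracy = fraction of samples whose predicted class equals
    the true class (the attack type must match, not just attack/legitimate);
    false_alarm_rate = legitimate samples classified as some attack,
    divided by the number of legitimate samples (assumed definitions)."""
    correct = legit_total = false_alarms = 0
    for true_class, posteriors in samples:
        pred = combine(posteriors, rule)
        correct += pred == true_class
        if true_class == CLASSES[LEGIT]:
            legit_total += 1
            false_alarms += pred != true_class
    return {
        "detection_accuracy": correct / len(samples),
        "false_alarm_rate": false_alarms / legit_total if legit_total else 0.0,
    }


# Constructed evaluation set: three experts (two MLPs and one kNN in the
# paper's design) each emit a posterior over CLASSES for every sample.
SAMPLES = [
    ("syn_flood",  [[0.1, 0.7, 0.1, 0.1], [0.2, 0.5, 0.2, 0.1], [0.3, 0.4, 0.2, 0.1]]),
    ("udp_flood",  [[0.1, 0.2, 0.6, 0.1], [0.1, 0.1, 0.7, 0.1], [0.5, 0.1, 0.3, 0.1]]),
    ("legitimate", [[0.8, 0.1, 0.05, 0.05], [0.6, 0.2, 0.1, 0.1], [0.4, 0.3, 0.2, 0.1]]),
    # One over-confident expert votes HTTP flood on legitimate traffic.
    ("legitimate", [[0.1, 0.1, 0.1, 0.7], [0.65, 0.15, 0.1, 0.1], [0.5, 0.1, 0.1, 0.3]]),
    ("http_flood", [[0.3, 0.1, 0.1, 0.5], [0.2, 0.1, 0.1, 0.6], [0.4, 0.1, 0.1, 0.4]]),
    # Experts agree it is an attack but split on SYN versus UDP.
    ("syn_flood",  [[0.1, 0.6, 0.2, 0.1], [0.1, 0.3, 0.5, 0.1], [0.1, 0.5, 0.3, 0.1]]),
]


def compare_rules(samples=SAMPLES):
    """Score every combination rule on the same samples."""
    return {rule: evaluate(samples, rule) for rule in ("mean", "max", "min", "product")}


if __name__ == "__main__":
    for rule, metrics in compare_rules().items():
        print(f"{rule:8s} accuracy={metrics['detection_accuracy']:.3f} "
              f"false_alarm_rate={metrics['false_alarm_rate']:.3f}")
```

On this constructed set the mean, minimum and product rules classify every sample correctly, while the maximum rule lets the single over-confident expert in the fourth sample turn legitimate traffic into an HTTP flood verdict, which is exactly the kind of false alarm a fusion rule has to control when experts are trained on different feature subsets.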

Cite This Paper

Arun Raj Kumar P., S. Selvakumar, "M2KMIX: Identifying the Type of High Rate Flooding Attacks using a Mixture of Expert Systems", International Journal of Computer Network and Information Security (IJCNIS), vol.4, no.1, pp.1-16, 2012. DOI:10.5815/ijcnis.2012.01.01
