Embed Size (px)
Citation preview
© 2016, IJCERT All Rights Reserved Page | 149
International Journal of Computer Engineering In Research Trends
Volume 3, Issue 3, March-2016, pp. 149-151 ISSN (O): 2349-7084
A System for Denial of Service Attack Detection Based On Multivariate Corelation
Analysis 1Sonam Deshmukh,2Shoaib Inamdar, 3Sachin Waghmode
Abstract: - in computing world, a denial-of-service (DoS) or is an process to make a machine or network resource
unavailable to its regular users.DoS attack minimizes the efficiency of the server, inorder to increase the efficiency of the server it is necessary to identify the dos attacks hence MULTIVARIATE CORRELATION ANALYSIS(MCA)is used, this approach employs triangle area for obtaining the correlation information between the ip address. Based on extracted data the denial of service-attack is discovered and the response to the particular user is blocked, this maximizes the efficiency. Our proposed system is examined using KDD Cup 99 data set, and the influence of data on the performance of the
proposed system is examined.
Keywords – denial-of-service attack, Network traffic characterization, multivariate correlations, triangle area, maximum number of hopes; network lifetime
—————————— ——————————
1. INTRODUCTION
Denial of service attack severely reduces the acceptance of the online benefits. Therefore effective finding of dos attack is important to the protection of the online services. The DOS attack detection, focuses on the growth of the network based detection criteria [3]. The detection system carries two approaches namely misuse detection [1] and anomaly detection [2]. Misuse detection is used to identify the known attacks, using the signatures of already defined rules.[2]Anomaly detection is used to build the usage profile of the system. During the working phase, the profiles for the legitimate traffic data are produced and the produced data are stored in the database. The trusted profile production is build and handed over to the “attack detection” module, which compares the individual tested profile without his normal profile. Online servers from monitoring attacks and ensure that the servers can allot themselves to provide quality services with minimum delay in response
2. RELETED WORK
In this section, we gives a threshold-based anomaly
detector, whose normal profiles are generated using
purely legitimate network traffic records and make use
for future comparisons with new incoming
investigated traffic records. The separation between a
new traffic record and the various normal profiles is
identified by the proposed detector [5]. If the
dissimilarity is higher than a predetermined threshold,
the traffic record is flagged as an attack. Otherwise, it is
named as a legitimate traffic record. Specially, normal
profiles and thresholds have direct impact on the
performance of a threshold-based detector.[1] A low
quality normal profile made an inaccurate
characterization to legitimate network traffic. Thus, we
first put the proposed triangle area- based MCA
approach to analyze legitimate network traffic, and the
obtained TAMs are then used to give quality features
for normal profile generation
2.1. Normal Profile Generation
Predict there is a set of g legitimate training traffic
records; the triangle-area based MCA approach is
applied to understand the records. [1]Mahalanobis
Distance (MD) is applied to calculate the dissimilarity
between traffic records. This is because MD has been
Available online at: www.ijcert.org
Sonam Deshmukh et al.,International Journal of Computer Engineering In Research Trends Volume 3, Issue 3, March-2016, pp. 149-151
© 2016, IJCERT All Rights Reserved Page | 150
successfully and extensively used in cluster analysis,
classification and multivariate outlier detection
techniques. Unlike Euclidean distance and Manhattan
distance, it finds distance between two multivariate
data.
2.2. Threshold Selection
The threshold given is used to difference the attack
traffic from the legitimate one
2.3. ATTACK DETECTION
To find DoS attacks, the lower triangle (TAM observed
lower) of the TAM of an detect record needs to be
generated using the advanced triangle-area-based
MCA technique [6]. Then, the MD between the TAM
observed lower and the TAM normal lower saved in
the respective pregenerated normal profile Pro is
obtained using the detailed detection algorithm.
Privacy defense and quality of service is important to
studying.
2. Spatio-Temporal Obfuscation: Spatio-temporal
obfuscation minimizes the precision of not only place
but the time-related data so as to fulfill the predefined
k-anonymity standard.
3. FRAMEWORK
The whole detection process consists of three major
steps
The sample-by-sample detection mechanism is
implicate in the whole detection phase (i.e., Steps 1, 2 )
and is given in Section 2.2. In Step 1, basic advantages
are obtained from ingress network to the internal
network where protected servers reside in and are used
to instruct traffic data for a well-defined time
difference. Monitoring and analyzing at the destination
network reduce the above of finding malicious
activities by analyzing only on related inbound traffic.
This also enables our detector to enable security which
is the best suit for the targeted internal network
because legitimate traffic records use by the detectors
are created for a small number of network services
Step 2 is Multivariate Correlation Analysis, in which
the “Triangle Area Map Generation” module is given
to obtain the correlations between two distinct
advantages within each traffic data coming from the
first part or the traffic record distributed by the
“Feature Normalization” section in this part (Step 2).
The events of network attacks made changes to these
correlations so that the differences can be used as
instructors to find the dangers activities. All the action
correlations, namely triangle area saved in Triangle
Area Maps (TAMs), are then use to change the initial
basic feature or the normalized feature to show the
traffic records. This gives higher selective information
to distinct between legitimate and illegitimate traffic
records.
Network Traffic
Sampling of IP Address
In Step 3, the anomaly-based detection mechanism [3]
is taken in Decision Making. It promotes the finding of
any DoS attacks without need of any attack related
data. Moreover, the labor-intensive attack analysis and
the frequent update of the attack signature data in the
case of misuse-based detection are deflect. Meanwhile,
the mechanism enhances the robustness of the advance
detectors and makes them toughest to be evaded
because attackers need to attack
4. PRAPOSED WORK
We present a DoS attack detection system that uses
Multivariate Correlation Analysis (MCA) for correct
network traffic characterization by obtaining the
geometrical correlations between network traffic
advantages. Our MCA-based DoS attack detection
system adopted the rules of anomaly-based detection in
attack. This makes our solution capable of detecting
known and unknown DoS attacks efficiently by taking
Triangle Area
Generation
Feature
Normalization
Multivariate
Correlations Analysis
Testing Phase Training Phase
Decision Making
Sonam Deshmukh et al.,International Journal of Computer Engineering In Research Trends Volume 3, Issue 3, March-2016, pp. 149-151
© 2016, IJCERT All Rights Reserved Page | 151
the patterns of legitimate network traffic. Moreover, a
triangle-area-based system is used to improve and to
speed up the technique of MCA. The efficiency of our
proposed detection system is finding using KDD Cup 99
dataset and the impact of both non-normalized record
and normalized record on the work of the advanced
detection system are analyzed. The results give that our
system performs two other previously constructed state-
of-the-art techniques in terms of detection accuracy
ALGORITHMS:
5. CONCLUSION
This paper has given a MCA-based DoS attack
detection system which is powered by the triangle-area
based MCA technique and the anomaly detection
system. The former technique extracts the geometrical
correlations hidden in individual couple of two
different features within each network traffic record,
and offers more accurate characterization for network
traffic behaviors. The next technique helps our system
to be able to distinguish both known and unknown
DoS attacks from legitimate network traffic.
Calculation has been finding using KDD Cup 99
dataset to verify the efficiency and work of the
advanced DoS attack detection system. The impact of
original (non-normalized) and normalized data has
been considered in the paper. The results have revealed
that when process with non-normalized data, our
detection system obtains highest (94.20%) detection
accuracy although it does not work well in identifying
Land
.REFERENCES
*1+ V. Paxson, “Bro: A System for Detecting Network
Intruders in Realtime,”
Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci-
Fernndez, and E. Vzquez, “Anomaly-based Network
Intrusion Detection: Techniques, Systems and
Challenges,” Computers & Security, vol. 28, pp. 18-28,
2009.
*3+ D. E. Denning, “An Intrusion-detection Model,”
IEEE Transactions on Software Engineering, pp. 222-
232, 1987.
[4] J. Yu, H. Lee, M.-S. Kim, and D. Park, “Traffic
flooding attack detection
with SNMP MIB using SVM,” Computer
Communications, vol. 31, no. 17, pp. 4212-4219, 2008.
*5+ G. Thatte, U. Mitra, and J. Heidemann, “Parametric
Methods for Anomaly Detection in Aggregate Traffic,”
Networking, IEEE/ACM Transactions on, vol. 19, no. 2,
pp. 512-525, 2011.
*6+ S. Jin, D. S. Yeung, and X. Wang, “Network
Intrusion Detection in Covariance Feature Space,”
Pattern Recognition, vol. 40, pp. 2185- 2197, 2007.
[11] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P.
Liu, “Denial of- Service Attack Detection Based on
Multivariate Correlation Analysis,” Neural Information
Processing, 2011, pp. 756-765.
