
[IEEE 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) - Melbourne, Australia (2013.07.16-2013.07.18)] 2013 12th IEEE


Visual Analytics Model for Intrusion Detection in Flood Attack

Jinson Zhang, Member IEEE

School of Software, Faculty of Engineering & IT
University of Technology, Sydney

Sydney, Australia
[email protected]

Mao Lin Huang

School of Software, Faculty of Engineering & IT
University of Technology, Sydney

Sydney, Australia
[email protected]

Abstract - Flood attacks are common forms of Distributed Denial-of-Service (DDoS) attack threats on the Internet. This has necessitated the need for visual analysis within an intrusion detection system to identify these attacks. The challenges are how to increase the accuracy of detection and how to visualize and present flood attacks in networks for early detection. In this paper, we introduce three coefficients which not only classify the behaviors of flood attacks but also measure the system performance under those flood attacks: a) attack-density, which patterns the characteristics of a flood attack; b) system workload, which represents the system's capability in handling a flood attack; and c) scalability, which classifies the impact level of the flood attack at the victim site. A visual clustered method is used to display the DDoS flood attacks. The experimental results are presented to demonstrate that our new model significantly improves the accuracy of the detection of DDoS attacks and provides a better understanding of the nature of flood attacks on networks.

Keywords - Network security; DDoS flood attack; attack density; workload; attack scale; information visualization

I. INTRODUCTION

A flood attack, which bursts the network traffic at a victim site, is a serious security problem for system administrators because it is hard to prevent. Examples of flood attacks targeted at our systems are shown in Fig. 1.

Figure 1. Example of flood attacks from our systems

The flood DDoS attack, first reported in February 2000 [25], is one in which a hacker controls multiple systems as agents that send huge numbers of requests, demanding more resources than the victim system or network can supply. The attack targets are not only Web services, but also Telnet, FTP, Mail, and any other service connected to the Internet. The flood traffic can be TCP, SYN, UDP, or ICMP, and the attack methods vary, for example Smurf or PortScan [24] [26].

Despite its importance, there are only a few visual approaches for an Intrusion Detection System (IDS) of flood attacks. The common visualization for an IDS draws the links between the sources and the destinations. Ewerton M. Salvador et al. [34] used three visualization techniques to analyze and trace Simple Network Management Protocol (SNMP) traffic: a) visualization of management network topologies; b) the management information base (MIB) tree; and c) visualization of SNMP messages per hour interval. Network Eye [36] and VisFlowConnect [35] both illustrated the links between local network/ports and external network/ports across the network. Tree-Map [14] classified the network traffic and security events for a view of linked hosts. PortVis [27] visualized port usage for network traffic analysis.

NVisionIP [33] visualized the network traffic on a class-B network, including IPs and ports. IP Matrix [20] divided the 32-bit IP address into two groups, the global-level IP matrix and the local-level IP matrix, for network security visualization. Zhang et al. [23] further developed a 3D IP Matrix visualization called NetViewer that uses the highest 8 bits of the IP address as the location; the remaining 24 bits are mapped onto the x-axis, y-axis and z-axis of a 3D space for the visualization. InetVis [30] used the source IP address as the Z-axis, the destination ports as the Y-axis and the destination IP address as the X-axis, forming 3D patterns to analyze network traffic and security events. ClockView [29] used a network overview to display the links to the external network and a subnet view for internal traffic. The host-matrix and parallel-coordinates views in ClockView illustrated the external network patterns.

In this paper, we have further developed our visual analytics model [8] [9] to meet the scenario of flood attacks, combining the behaviors of the flood attacks with the system's capability in handling the threat. First, we analyze the characteristics of flood attacks and their behaviors, and then introduce the attack-density to measure flood attacks, including DDoS attacks. Second, we analyze the local system's capabilities in handling flood attacks and introduce a matrix to value the workload of the local system where the flood attacks occurred. Third, the scalability of the flood attack is established to relate the attacks to the local system's capability in handling them. The scalability is the key parameter for our flood attack visualization. Fourth, we use our visual clustered method to classify and display the flood

Figure 1 (log excerpts):

8/19/2009 21:28:16 TCP …“GET /admin/db/XXX.php HTTP …/…/… “ from 217.195.206.226 (Turkey)
4/20/2010 18:15:21 User attempting to access FTP interface from 58.251.201.113 (China)
12/08/2011 18:51:02 ICMP … “GET /scgi-bin/…/XXX.pl ?configdir=|echo…|…/…” from 219.240.36.108 (Korea)
12/04/2012 03:46:07 TCP… “GET /cgi-bin/XXX?/bin/cat …/etc/passwd HTTP…/…” from 208.118.237.47 (USA)

2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications

978-0-7695-5022-0/13 $26.00 © 2013 IEEE

DOI 10.1109/TrustCom.2013.38

277


attacks, aiming to detect DDoS attacks at an early stage.

The experiments show that the Density-Workload model with the clustered visualization can be used effectively for network security analysis. A clear clustered structure of the flood attacks can significantly help analysts identify unusual network security events, including DDoS attacks.

The paper is organized as follows. Section 2 describes the related works on detecting the DDoS flood attacks. Section 3 illustrates our Density-Workload model. Section 4 shows the implementation. Section 5 summarizes our approach and future works.

II. RELATED WORKS

The network traffic under DDoS flood attacks combines the legitimate traffic and the flood attacks. The traffic pattern of DDoS attacks is that an attacker sends huge numbers of requests and packets through agents, exhausting the victim's resources and jamming its network bandwidth, as shown in Fig. 2: (a) is a direct attack and (b) is a reflector attack.

Figure 2. DDoS attack architectures [1]

Routers and switches are located between the hacker "A" and the victim system "V", transferring the data as requested. Studies of those transactions have three focuses: a) network traffic measurements such as traffic rate change, IP traceback and packet classification; b) attack methods such as Smurf, IP spoofing and reflectors; c) defense patterns such as router-based filters and proxy systems [12] [15] [31].

The max-min fairness model [32] analyzed the forwarding rate of traffic between routers and measured the router throttling rate that affects server load. The CAT model (Change-Aggregation Tree) [7] analyzed the historical traffic average and compared it with the current traffic volume on the routers; a volume far exceeding the average is treated as an early alert of a DDoS attack. The propagation and aggregation patterns are also analyzed in the CAT model.

Ying Huang et al. [10] used two basic characteristics of DDoS attacks to propose their algorithmic model. The first characteristic is that a DDoS attack has only one target, and all attacking packets are destined for this target. The second is that a DDoS attack has to aggregate and send a huge amount of traffic to the victim system to congest the link and host. The model uses PIR (Positive Increment Ratio) and AIS (Accumulative Increment Sum) as two vectors to draw the distribution. A DDoS attack is considered to be under way when the attacking rate is low and begins to increase.

Entropy, the statistical measure of uncertainty in random variables, has been used to measure abnormal network traffic. Legitimate network traffic has regular packet sizes from regular IP addresses at regular flow rates, so the entropy values are concentrated. A burst in the entropy value represents an abnormal change in network traffic, which leads to the detection of a DDoS attack whenever it occurs [3] [4].

There are three common types of flood traffic: TCP, UDP and ICMP [26]. The D-WARD defense approach [28] analyzed the data flow at the source router for those three types of traffic and flagged each connection as good, bad or transient; the sending rate and the rate limit are used in their model to detect DDoS attacks. Li et al. [21] studied both UDP-type and TCP-type flood attacks using the same attack-intensity simulation environment, and found that a UDP-type attack reduces the TCP traffic of legitimate clients more than a TCP-type attack does, which means a UDP-type attack consumes more network bandwidth than a TCP-type attack.

The network density for flood traffic proposed by Villafuerte et al. [6] used WDNI (Weight Density Node Intersection) as the network density to estimate the distances between two adjacent nodes based on local neighborhood information. Habiba et al. [5] used an effective density classified into three levels (low, medium and high) to find the trend of the spreading pattern within the spread network. The relation between the densities and the extent of spread is analyzed in their proposal, and the effective density is defined by the degree of the spread network nodes.

The study closest to our model is that of Lee et al. [22], who proposed an early DDoS detection method using nine attributes of flood attacks (source-ip; source-port; destination-ip; destination-port; packet-type; number-packets; occurrence rate-TCP; occurrence rate-UDP and occurrence rate-ICMP) as the DDoS features to analyze abnormal changes in the network traffic. Unfortunately, it is concerned only with the occurrence rate of TCP/UDP/ICMP: it does not analyze the details of traffic types, does not measure the capabilities of the victim system in handling different DDoS attacks, does not classify the different attack types, and does not give the scalability of the DDoS attacks.

To our knowledge, there is no previous work addressing the impact level of DDoS attacks at the victim's site combined with the victim system's workload. The impact level is the important factor in measuring the scale of flood attacks. For instance, the same DDoS attack might crash a local government system or a small company's website, but it would have little effect on the Google system or the Facebook website. Our Density-Workload model not only analyzes the details of the flood attacks, including traffic type, target ports and attack method, but also values the capabilities of the victim system in handling the flood attack, and scales the impact levels in a visual clustered graph that gives a clear view for early detection of flood DDoS attacks.



III. THE DENSITY-WORKLOAD MODEL

A. Density

Each flood attack is represented as an attributed node in the visualization [13], which contains its specific attributes, such as receive-time, target port, traffic type and source-IP. Our model selects the seven most relevant attributes for flood attack analysis: receive-time; traffic-type; connecting-method; packet-size; attack-type; target-port and source-IP.

The traffic-type (tr) is the network traffic flowing to the victim's system, not established by the victim's server. It can be IPv4, IPv6, IPX, ARP, etc.

The connecting-method (co) is the network connection, managed by the victim system's services such as http, https, ftp, smtp, imap, pop3, ssh, dns, irc, echo, telnet, etc.

The packet-size (pa) is the size of the request the victim system received, measured in bytes.

The attack-type (at) is the method the hacker used to attack the victim system, such as Smurf, rootkit, buffer overflow, password cracking or PortScan.

The target-port (po) is the port the hacker targets. The source-IP (ip) is the address the hacker sends attacks from.

A flood attack can then be defined as an attributed node:

f (t, tr, co, pa, at, po, ip)

where
t – Time-stamp for attack arrival time, t > 0.
tr – Traffic-Type such as TCP, SYN, UDP, ICMP; tr ∈ the set of traffic-types.
co – Connecting-Method such as http, https, ftp, pop3, imap, smtp, ssh, echo, irc, dns, ntp, telnet; co ∈ the set of connecting-methods.
pa – Packet-size, pa > 0.
at – Attack-Type such as Smurf, rootkit, buffer overflow, IP_spoof, PortScan, guess_passwd, mailbomb, ipsweep; at ∈ the set of attack-types (at = "normal" means not an attack).
po – Target-Port; po ∈ the set of ports.
ip – Source-IP address that sent an attack; ip ∈ the set of IP addresses.

Assume that in a time slot of period p, the victim system has received a set of n flood attacks, defined as

F = { f1, f2, f3, . . . fn } (1)

The flood attacks can be patterned by using a subset selected on four attributes of the flood traffic, where tr=x; co=y; at=z and po=k. The subset is defined as

$$F_{xyzk} = \{\, f \in F \mid f(t, tr, co, pa, at, po, ip),\ tr = x,\ co = y,\ at = z,\ po = k \,\} \quad (2)$$

Here, we introduce an Attack-Density (ad) to measure the flood attacks on the victim system, defined as

$$ad(x,y,z,k) = \frac{|F_{xyzk}|}{|F|} = \frac{\sum_{i=1}^{n} f_i\big(t,\ tr(x),\ co(y),\ pa,\ at(z),\ po(k),\ ip\big)}{n} \quad (3)$$

where 0 < ad( ) ≤ 1 and at ≠ "normal"; each term of the sum counts 1 when f_i matches tr=x, co=y, at=z, po=k and 0 otherwise.

The attack-density ad( ) contains the four main attributes of flood attacks and measures the flood attack pattern for a particular tr=x; co=y; at=z; po=k, where the attributes co and po can be managed by the victim's system. A high value of ad( ) means the attacks are very harmful to the victim system. Different values of those four attributes will affect performance in different areas of the victim's system. For example, a high value of attack-density on the connecting-method, when co=SMTP, shows that the mail service is under attack; a high attack-density on target port 80 (po=80) demonstrates that the web service is under threat.

Fig. 3 shows an example of attack-density at the victim end (IPv4-based network). The red oval represents the victim server receiving "back" attacks from different source IPs in TCP traffic over HTTP connections; the blue oval represents the victim system receiving "rootkit" attacks. The "back" attack-density of the red oval is much higher than that of the other attacks, which makes it a serious threat at the victim site.

Figure 3. Example of Attack-Density at victim end (IP4 base network)

When the attack-type is at = "normal", we re-define (3) as the Flood-Density, for tr=x; co=y; at="normal"; po=k, as follows.

$$fd(x,y,z,k) = \frac{|F_{xyzk}|}{|F|} = \frac{\sum_{i=1}^{n} f_i\big(t,\ tr(x),\ co(y),\ pa,\ at(z),\ po(k),\ ip\big)}{n} \quad (4)$$

where 0 < fd( ) ≤ 1 and at(z) = "normal".

The flood-density fd( ) indicates the network pattern of normal traffic on a particular tr=x; co=y; po=k. For example,



fd(TCP,HTTP,normal,80) represents the flood-density of TCP traffic over HTTP connections targeting port 80.

Different systems behave differently when flood attacks with the same attack densities occur. For instance, if the same set of floods F( ), with the same attack densities ad( ), attacked Google and a university site at the same time, the university system might crash while Google would not be affected at all. This leads us to find patterns to measure the victim's system workload when flood attacks occur.
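The following Python is an added example, not code from the paper or its authors, that computes the subset F_xyzk of (2), the attack-density of (3) and the flood-density of (4) over a constructed time slot of records. The `Flood` record type, the `SAMPLE` records (documentation-range addresses) and all function names are assumptions of this example; the paper only defines the quantities.

```python
# Added example (not from the paper): attack-density / flood-density of
# equations (2)-(4) over a constructed set of flood records.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flood:
    """One attributed node f(t, tr, co, pa, at, po, ip) from Section III.A."""
    t: float      # arrival time in seconds (t > 0)
    tr: str       # traffic-type, e.g. TCP, UDP, ICMP
    co: str       # connecting-method, e.g. HTTP, SMTP, DNS
    pa: int       # packet size in bytes (pa > 0)
    at: str       # attack-type; "normal" means not an attack
    po: int       # target port
    ip: str       # source IP address


# Constructed sample for one time slot: ten records, dominated by "back"
# attacks on TCP/HTTP port 80 (the "red oval" situation of Fig. 3).
SAMPLE = [
    Flood(1.0, "TCP", "HTTP", 512, "back", 80, "203.0.113.5"),
    Flood(1.2, "TCP", "HTTP", 512, "back", 80, "203.0.113.9"),
    Flood(1.4, "TCP", "HTTP", 520, "back", 80, "198.51.100.7"),
    Flood(1.5, "TCP", "HTTP", 512, "back", 80, "203.0.113.5"),
    Flood(1.9, "TCP", "HTTP", 530, "back", 80, "198.51.100.2"),
    Flood(2.1, "TCP", "HTTP", 512, "back", 80, "203.0.113.9"),
    Flood(2.2, "TCP", "HTTP", 300, "normal", 80, "192.0.2.10"),
    Flood(2.6, "TCP", "HTTP", 310, "normal", 80, "192.0.2.11"),
    Flood(2.8, "UDP", "DNS", 64, "normal", 53, "192.0.2.12"),
    Flood(3.0, "TCP", "SSH", 900, "rootkit", 22, "198.51.100.7"),
]


def subset(F, tr, co, at, po):
    """F_xyzk of eq. (2): the records with tr=x, co=y, at=z, po=k."""
    return [f for f in F if (f.tr, f.co, f.at, f.po) == (tr, co, at, po)]


def attack_density(F, tr, co, at, po):
    """ad(x,y,z,k) = |F_xyzk| / |F| of eq. (3); only for at != "normal"."""
    if at == "normal":
        raise ValueError('attack_density needs at != "normal"; use flood_density')
    if not F:
        raise ValueError("empty time slot: the density is undefined")
    return len(subset(F, tr, co, at, po)) / len(F)


def flood_density(F, tr, co, po):
    """fd(x,y,normal,k) of eq. (4): the same ratio for non-attack traffic."""
    if not F:
        raise ValueError("empty time slot: the density is undefined")
    return len(subset(F, tr, co, "normal", po)) / len(F)


def density_table(F):
    """Every (tr, co, at, po) pattern in the slot with its density, highest
    first. The densities over all patterns sum to 1, so the top rows are the
    'ovals' an analyst would look at."""
    counts = Counter((f.tr, f.co, f.at, f.po) for f in F)
    return [(key, n / len(F)) for key, n in counts.most_common()]


def slot(F, start, end):
    """Restrict F to the time slot [start, end), the period p of eq. (1)."""
    return [f for f in F if start <= f.t < end]


if __name__ == "__main__":
    print("ad(TCP,HTTP,back,80) =", attack_density(SAMPLE, "TCP", "HTTP", "back", 80))
    print("fd(TCP,HTTP,80)      =", flood_density(SAMPLE, "TCP", "HTTP", 80))
    for key, d in density_table(SAMPLE):
        print(f"{d:.2f}  {key}")
```

Evaluating the densities per time slot, as `slot` does, is what turns the ratio into the time series of Section IV.A: the same pattern can have a density of 0 before an attack starts and climb sharply once it does.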

B. Workload

DDoS flood attacks normally target the application, network and resource protocols on the victim's system [2]. When an attack occurs, the system will consume a considerable amount of resources, such as CPU, memory, disk space and network bandwidth, to provide appropriate responses.

Abdulgafer's server workload model [18] used average file size, number of requests per hour from the network and server processing speed as the elements of its formulation. Nijim's analytical model [17] used the arrival rates of CPU- and I/O-intensive jobs as the functions to measure system performance and workload. Bennani's workload model [19] analyzed the inter-arrival time and service time of requests. The main components for measuring system workload are CPU processor speed, system memory, file storage and network bandwidth [16].

We define the system workload SW as a 5×6 matrix that combines the local system's CPU, memory, storage, network bandwidth and system configuration with six attributes of the flood attacks, tr, co, pa, at, po and ip, to measure the victim's capability in handling the flood attacks.

$$SW = \begin{bmatrix} \alpha_1 & \alpha_2 & \alpha_3 & \alpha_4 & \alpha_5 & \alpha_6 \\ \beta_1 & \beta_2 & \beta_3 & \beta_4 & \beta_5 & \beta_6 \\ \gamma_1 & \gamma_2 & \gamma_3 & \gamma_4 & \gamma_5 & \gamma_6 \\ \delta_1 & \delta_2 & \delta_3 & \delta_4 & \delta_5 & \delta_6 \\ \varepsilon_1 & \varepsilon_2 & \varepsilon_3 & \varepsilon_4 & \varepsilon_5 & \varepsilon_6 \end{bmatrix} \quad (5)$$

where the columns correspond, in order, to tr, co, pa, at, po and ip, and
SW – System Workload, 0 ≤ SW ≤ 1.
α – the minimum CPU usage for handling attacks, valued as a percentage. α1 is the usage for traffic-types; α2 for connecting-methods; α3 for packet-sizes; α4 for attack-types; α5 for target-ports; α6 for source-IPs. 0 ≤ α ≤ 1.
β – the minimum memory usage for handling attacks, valued as a percentage. β1 is the usage for traffic-types; β2 for connecting-methods; β3 for packet-sizes; β4 for attack-types; β5 for target-ports; β6 for source-IPs. 0 ≤ β ≤ 1.
γ – the disk I/O (read and write) usage for handling attacks, valued as a percentage. γ1 is the usage for traffic-types; γ2 for connecting-methods; γ3 for packet-sizes; γ4 for attack-types; γ5 for target-ports; γ6 for source-IPs. 0 ≤ γ ≤ 1.
δ – the network I/O (send and receive) usage for handling attacks, valued as a percentage. δ1 is the usage for traffic-types; δ2 for connecting-methods; δ3 for packet-sizes; δ4 for attack-types; δ5 for target-ports; δ6 for source-IPs. 0 ≤ δ ≤ 1.
ε – the parameter for the system configuration in handling attacks, valued as a percentage. ε1 is the configuration parameter for traffic-types; ε2 for connecting-methods; ε3 for packet-sizes; ε4 for attack-types; ε5 for target-ports; ε6 for source-IPs. 0 ≤ ε ≤ 1.

The α, β, γ and δ are easy to understand because the usages can be measured from the system performance, as shown in Fig. 4.

Figure 4. System performance

The ε is the parameter for the system configuration in handling flood attacks. It depends on the firewall setting, the network protocol setting and the local service setting. For example, ε1 = 0 for the ICMP traffic-type if the firewall blocks it; ε2 = 1 for ftp connections if the ftp service is fully open; ε3 = 1 for a file server accepting packets of all sizes; ε4 = 1 if the authentication service and proxy server are not set up; ε5 = 1 if the port is fully open; ε6 = 0 if the IP address is in the firewall block list.

The system workload SW measures the performance of the victim system in terms of its capability to handle flood attacks. SW → 0 indicates that the victim system has strong capabilities (needs less workload) to handle the flood attacks, and SW → 1 indicates that the victim system has weak capabilities (needs more workload) to handle them. The same server hardware running different operating systems yields



different values of SW, because the resources are consumed at different percentages. For example, an Apache web service on UNIX, on Windows or on Linux will consume different percentages of CPU, RAM, disk space and network bandwidth, which results in different values of SW.

If the same set of flood attacks with the same attack density targets two different systems at the same time, the results will be different. The system with the low value of SW (high capability to handle attacks) will be less affected than the system with the high value of SW.

C. Attacking Scales

We have further defined the scalability AttackScale for the measurement of flood attacks. It combines two vectors, the attack densities ad( ) and the system workload SW. We have

AttackScale( ) = ad( ) × SW (6)

AttackScale( ) represents the scale of the flood attacks at the victim's system. If ad( ) → 1 and SW → 1 are both at the high-value end, the scalability AttackScale( ) → 1, which means the DDoS flood attack is at the critical level, because the attacks come with a high flood attack-density and the victim's system has nearly reached its limit (high system workload).

Here, we classify AttackScale as Table I.

TABLE I. AttackScale Classification

AttackScale < 0.1 – Light-scale attacks
0.1 ≤ AttackScale < [upper bound illegible in source] – Low level DDoS attack
[lower bound illegible in source] ≤ AttackScale < 0.5 – Medium level DDoS attack
0.5 ≤ AttackScale < [upper bound illegible in source] – High level DDoS attack
AttackScale ≥ [lower bound illegible in source] – Critical level DDoS attack

If ad( ) → 0 is at the low-value end and SW → 1 is at the high-value end, this does not indicate a critical-level DDoS attack, because the attack-density is not high. A high system workload shows that the system has a problem of its own: it may be a hardware problem, a system update problem or a system configuration problem.

If ad( ) → 1 is at the high-value end and SW → 0 is at the low-value end, this does not show a high-level DDoS attack, because the victim's system can still handle it well and does not deny service to its legitimate users.

AttackScale( ) alerts on a flood attack at a particular tr=x; co=y; at=z; po=k, which gives more detail for intrusion detection and leads to defending against DDoS flood attacks at an early stage. For example, a high value of AttackScale( ) when tr="TCP"; co="SMTP"; at="mailbomb"; po="25" represents an attacker sending a "mailbomb" over an SMTP connection targeting port 25. To defend against this DDoS attack, the system administrator needs to set up proxy service rules to block the mailbomb on port 25 for SMTP connections; the value of the system workload SW drops after the system re-configuration, and the value of AttackScale( ) moves to the low end, so the DDoS flood attack is prevented because the system has increased its capability and reduced the impact level of this DDoS attack.
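As an added example (not the paper's code), the following Python evaluates AttackScale = ad × SW of (6) and the three readings of the two coefficients described in this section. Only the bounds of Table I that are legible in the source are used (light below 0.1, alert above 0.5 as in Section IV.B); the cut-offs `HIGH_END` and `LOW_END` for "high-value end" and "low-value end", the `relief` amount in `reconfigure`, and the function names are assumptions of this example.

```python
# Added example (not from the paper): AttackScale = ad × SW (eq. 6) with the
# legible thresholds of Table I and the alert level of Section IV.B.
ALERT_LEVEL = 0.5     # Section IV.B: AttackScale > 0.5 triggers clustering
LIGHT_BOUND = 0.1     # Table I: AttackScale < 0.1 is a light-scale attack
# Assumed cut-offs for the "high-value end" / "low-value end" of ad and SW;
# the paper only states the limits ad -> 1, SW -> 1, ad -> 0, SW -> 0.
HIGH_END = 0.7
LOW_END = 0.3


def attack_scale(ad, sw):
    """eq. (6): both inputs lie in [0, 1], so the product does too."""
    for name, v in (("ad", ad), ("SW", sw)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name}={v} is outside [0, 1]")
    return ad * sw


def classify(scale):
    """Table I as far as it is legible: light below 0.1, alert above 0.5; the
    band in between holds the table's low and medium levels."""
    if scale < LIGHT_BOUND:
        return "light-scale attack"
    if scale <= ALERT_LEVEL:
        return "DDoS attack below alert level (Table I low/medium)"
    return "DDoS attack at alert level (Table I high/critical)"


def diagnose(ad, sw):
    """The three readings of Section III.C for the pair (ad, SW)."""
    if ad >= HIGH_END and sw >= HIGH_END:
        return "critical: high attack-density and system near its limit"
    if ad <= LOW_END and sw >= HIGH_END:
        return ("not a DDoS alert: density is low; the high workload points "
                "to a local hardware, update or configuration problem")
    if ad >= HIGH_END and sw <= LOW_END:
        return "attack present but handled: legitimate users are still served"
    return "no special reading"


def reconfigure(sw, relief):
    """The SMTP/mailbomb example: blocking the attacked port lowers SW. The
    size of the drop (`relief`) is assumed; the paper only says SW drops."""
    if not 0.0 <= relief <= 1.0:
        raise ValueError("relief must lie in [0, 1]")
    return max(0.0, sw - relief)


if __name__ == "__main__":
    ad = 0.6
    for sw in (0.2, 0.5, 0.8):   # the three workloads used in Section IV.A
        s = attack_scale(ad, sw)
        print(f"ad={ad} SW={sw}: AttackScale={s:.2f} -> {classify(s)}")
    before = attack_scale(0.9, 0.8)
    after = attack_scale(0.9, reconfigure(0.8, 0.6))
    print(f"mailbomb on port 25: {classify(before)} -> {classify(after)}")
```

Note that the same density (ad = 0.6) crosses the alert level only at the largest workload, which is exactly the point of the Google-versus-university comparison in Section III.A.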

IV. IMPLEMENTATION

A. Density-workload

The Density-Workload model has been tested using the ISCX2012 dataset [11], the details of which are shown in Table II. Unlike the KDDCUP99 dataset [24], which labels all the different attack-types such as Smurf, rootkit and guess_passwd, the ISCX2012 dataset does not show details of attack-types; it only labels them as "attack".

TABLE II. Testbed TueJun15c – ISCX2012 dataset

Name – Amount
Network traffics – 130288
Source IPs – 36
Destination IPs – 1656
ICMP traffics – 31
TCP traffics – 119242
UDP traffics – 11015
Connecting methods – 19
Source ports – 23653
Destination ports – 222
Attacks – 37375

In the simulation, the destination IP address 192.168.5.122 is targeted as the victim, suffering DDoS attacks by TCP traffic with HTTP connections on port 80. The attack-density and the other flood-densities are shown in Fig. 6.

Before 16:00, the attack-density is ad=0, and the flood-densities fd on TCP and UDP traffic over DNS, FTP, HTTP, IMAP and POP connections are at the normal level. At 16:05, the attack-density on TCP traffic over HTTP connections targeting port 80 starts and increases sharply. During the threat, the attack-density stays at a high level and the other flood-densities drop to a low level until 17:20, as demonstrated in Fig. 6. This gives an early alert at 16:05 for the detection of the flood DDoS attack.

The value of the system workload SW cannot be calculated from the ISCX2012 dataset. We use SW=0.2 (20% workload), SW=0.5 (50% workload) and SW=0.8 (80% workload) to measure the impact level of the DDoS attacks. The values of AttackScale are shown in Fig. 5.

Figure 5. AttackScale where ip=192.168.5.122

[Figure 5 plot: y-axis from 0.000 to 0.800; series ad (TCP_HTTP_attack_80) × (sw=0.2), ad (TCP_HTTP_attack_80) × (sw=0.5), ad (TCP_HTTP_attack_80) × (sw=0.8)]



The victim (192.168.5.122) suffered a low-level DDoS attack when SW=0.2, a medium-level DDoS attack when SW=0.5 and a high-level DDoS attack when SW=0.8. This demonstrates that the system workload SW is the important factor that values the scale of the flood DDoS attack at the victim site.

B. Visualization

The graph model used to represent the flood traffic and its attributes is a classical undirected graph consisting of nodes and edges. The nodes are attributed by the flood traffic on t, tr, co, pa, at, po and ip. The edges are measured by the AttackScale classification. The graph is dynamic, that is, the node and edge sets may change; these changes result from user interaction through the visualization, depending on the attributes of the node or the AttackScale, or asynchronously under user control. The cluster view representing the groups of IPs that sent flood attacks is also based on AttackScale.

A visual object represents the flood attacks for display and analysis. The node is based on (2) to represent a flood attack and its attributes in the clustered visualization:

[r] f (tr, co, at, po)

where [r] represents the number of repeated attacks that have the same node f(tr, co, at, po) during the flood attacks. When a flood attack appears with the same f(tr, co, at, po) as in the existing recorded log or database, [r] is incremented by 1 (r=r+1). If the flood attack has a new f(tr, co, at, po), the node f(tr, co, at, po) is displayed as a new node at a random spot in the graph. To save graph space, the nodes are displayed in the graph only as [r]f(tr_co_at) at random spots, as shown in Fig. 7 and Fig. 8.

All traffic nodes without clustering are shown in Fig. 7. During visualization, when the AttackScale reaches the alert level (AttackScale>0.5), the final clustered structure is generated with the details of the nodes, including the source-IP, and displayed in Fig. 8. The nodes that do not reach the alert level remain at random spots without a target-port label.
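The node aggregation described above, as an added example that is not the authors' visualization code: a store keyed by (tr, co, at, po) that increments [r] for repeated nodes, places new nodes at a random spot, and builds the clustered view (nodes with source IPs and a target-port label) only for nodes whose AttackScale exceeds 0.5. The `NodeStore` class, the `RECORDS` sample (documentation-range addresses), the label format `[r]f(tr_co_at):port` and the treatment of SW as a given scalar are assumptions of this example; the per-node density is taken as r divided by the total record count, following (3).

```python
# Added example (not from the paper): the [r] f(tr, co, at, po) node store of
# Section IV.B and the clustered view built when AttackScale > 0.5.
import random
from collections import defaultdict

ALERT_LEVEL = 0.5   # Section IV.B: clustering starts above this AttackScale


class NodeStore:
    """Aggregates flood records into nodes keyed by (tr, co, at, po); r counts
    repeats, and the source IPs are kept for the clustered view."""

    def __init__(self, sw, seed=0):
        self.sw = sw                     # system workload SW, assumed given (0..1)
        self.r = defaultdict(int)        # [r] per node
        self.ips = defaultdict(set)      # source IPs per node
        self.spot = {}                   # random (x, y) placement per node
        self.total = 0
        self._rng = random.Random(seed)  # fixed seed so placements are reproducible

    def add(self, tr, co, at, po, ip):
        """r = r + 1 for a known node; a new node gets a random spot."""
        key = (tr, co, at, po)
        if key not in self.r:
            self.spot[key] = (self._rng.random(), self._rng.random())
        self.r[key] += 1
        self.ips[key].add(ip)
        self.total += 1
        return self.r[key]

    def attack_scale(self, key):
        """Density of the node (r / total, eq. 3) times SW (eq. 6)."""
        return self.r[key] / self.total * self.sw

    def label(self, key):
        """Compact label [r]f(tr_co_at); the port is shown only at alert level."""
        tr, co, at, po = key
        base = f"[{self.r[key]}]f({tr}_{co}_{at})"
        return f"{base}:{po}" if self.attack_scale(key) > ALERT_LEVEL else base

    def clusters(self):
        """Nodes at alert level, each with its sorted source IPs; the rest stay
        unclustered at their random spots (Fig. 7 versus Fig. 8)."""
        clustered = {k: sorted(self.ips[k]) for k in self.r
                     if self.attack_scale(k) > ALERT_LEVEL}
        loose = [k for k in self.r if k not in clustered]
        return clustered, loose


# Constructed records: one pattern repeated from three sources, plus two others.
RECORDS = [
    ("TCP", "HTTP", "back", 80, "203.0.113.5"),
    ("TCP", "HTTP", "back", 80, "203.0.113.9"),
    ("TCP", "HTTP", "back", 80, "198.51.100.7"),
    ("TCP", "HTTP", "back", 80, "203.0.113.5"),
    ("TCP", "HTTP", "back", 80, "198.51.100.7"),
    ("TCP", "HTTP", "back", 80, "203.0.113.9"),
    ("TCP", "HTTP", "back", 80, "203.0.113.5"),
    ("UDP", "DNS", "normal", 53, "192.0.2.12"),
    ("TCP", "SSH", "rootkit", 22, "198.51.100.7"),
    ("TCP", "SSH", "rootkit", 22, "198.51.100.7"),
]


def build(sw):
    """Feed the constructed records into a store with workload sw."""
    store = NodeStore(sw)
    for rec in RECORDS:
        store.add(*rec)
    return store


if __name__ == "__main__":
    for sw in (0.5, 0.8):
        s = build(sw)
        clustered, loose = s.clusters()
        print(f"SW={sw}: clustered={[s.label(k) for k in clustered]} "
              f"loose={[s.label(k) for k in loose]}")
```

With the same records, the "back" node (r = 7, density 0.7) is clustered at SW = 0.8 (AttackScale 0.56) but not at SW = 0.5 (0.35), so the view changes with the victim's workload rather than with the traffic alone.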

The clustered visualization using the value of AttackScale gives clear outlines of the flood attacks across the different attack types, target ports and connecting methods, which makes early detection of the DDoS attack much clearer and easier. The visual analysis process shows that our Density-Workload Model can accurately scale the impact level of the flood attacks and detect the DDoS attacks.
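As an added example (not the paper's code) of the node aggregation and alert-level clustering described above, in Python: each flood record is folded into a node keyed by f(tr, co, at, po) with a repeat counter [r], and nodes whose AttackScale exceeds the alert level of 0.5 are grouped by attack type, target port and connecting method together with their source IPs. The records and their per-record AttackScale values are constructed assumptions; the AttackScale formula itself is not reproduced here.

```python
from collections import defaultdict

# Constructed sample records (not the paper's data), one per flood event:
# (tr, co, at, po, ip, AttackScale). How AttackScale is computed from density
# and workload is defined earlier in the paper; here it is a given input.
SAMPLE_RECORDS = [
    ("TCP", "HTTP", "attack", 80, "10.0.0.7", 0.8),
    ("TCP", "HTTP", "attack", 80, "10.0.0.9", 0.8),
    ("TCP", "HTTP", "attack", 80, "10.0.0.7", 0.8),
    ("UDP", "DNS", "normal", 53, "10.0.1.3", 0.1),
    ("TCP", "FTP", "normal", 21, "10.0.1.4", 0.2),
    ("TCP", "FTP", "normal", 21, "10.0.1.4", 0.2),
]
ALERT_LEVEL = 0.5  # clustering starts when AttackScale > 0.5

def build_nodes(records):
    """Aggregate records into nodes keyed by f(tr, co, at, po): a repeated
    tuple increments r (r = r + 1), a new tuple becomes a new node. Each node
    keeps its source IPs and the highest AttackScale seen."""
    nodes = {}
    for tr, co, at, po, ip, scale in records:
        node = nodes.setdefault((tr, co, at, po),
                                {"r": 0, "ips": set(), "scale": 0.0})
        node["r"] += 1
        node["ips"].add(ip)
        node["scale"] = max(node["scale"], scale)
    return nodes

def node_label(key, node):
    """Space-saving label [r]f(tr_co_at), i.e. without the port (Fig. 7)."""
    tr, co, at, _po = key
    return f"[{node['r']}]f({tr}_{co}_{at})"

def cluster_alerts(nodes, alert_level=ALERT_LEVEL):
    """Group nodes above the alert level by attack type, target port and
    connecting method, attaching their source IPs (Fig. 8). Nodes at or
    below the alert level stay unclustered with the port-less label."""
    clusters, unclustered = defaultdict(list), []
    for key, node in nodes.items():
        _tr, co, at, po = key
        if node["scale"] > alert_level:
            clusters[(at, po, co)].append((node_label(key, node),
                                           sorted(node["ips"])))
        else:
            unclustered.append(node_label(key, node))
    return dict(clusters), unclustered
```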

V. CONCLUSIONS & FUTURE WORK

In this paper, we have proposed the Density-Workload Model to analyze and detect flood attacks. The model focuses on two coefficients, ‘density’ and ‘workload’, which represent the attack densities on attack types, target ports and connecting methods, and the system workload capabilities, respectively. The attack level and the impact level of the flood attacks on the victim side have also been examined. The model measures the different types of flood attacks with high accuracy. The clustered visualization has been used to classify and display those flood attacks. The visualization allows users to interactively select and scale down the scope of views for a better understanding of the connecting methods, attack types and target ports. The experiment shows that this model with the clustered visualization can be used effectively for flood attack detection and security analysis.

The system workload SW for handling flood attacks remains an open question, but it is an important element in measuring the impact level of DDoS attacks. The system workload is determined by the hardware performance and the system configuration.

For future work, we plan to extend our visual model to cover botnet attacks and flash crowd attacks, which have different network traffic patterns and classifications. Security on cloud networks is another area we are interested in for cluster visualization.

REFERENCES

[1] R.K.C. Chang, "Defending against flooding-based distributed denial-of-service attacks: a tutorial," IEEE Communications Magazine, vol. 40, no. 10, pp. 42-51, Oct. 2002.

[2] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 39-53, 2004.

[3] Y. Yu, M. Fry, A. Schaeffer-Filho, P. Smith and D. Hutchison, "An adaptive approach to network resilience: Evolving challenge detection and mitigation," in Proc. 2011 8th International Workshop on the Design of Reliable Communication Networks (DRCN), pp. 172-179, 10-12 Oct. 2011.

[4] Y. Xiang, K. Li and W. Zhou, "Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics," IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, pp. 426-437, June 2011.

[5] Habiba and T. Berger-Wolf, "Working for Influence: Effect of Network Density and Modularity on Diffusion in Networks," in Proc. 2011 IEEE 11th International Conference on Data Mining Workshops (ICDMW), pp. 933-940, 11 Dec. 2011.

[6] F.L. Villafuerte, K. Terfloth and J. Schiller, "Using Network Density as a New Parameter to Estimate Distance," in Proc. ICN 2008, Seventh International Conference on Networking, pp. 30-35, 13-18 April 2008.

[7] Y. Chen and K. Hwang, "Collaborative Change Detection of DDoS Attacks on Community and ISP Networks," in Collaborative Technologies and Systems, 2006 (CTS 2006), pp. 401-410, 14-17 May 2006.

[8] M.L. Huang, J. Zhang, Q.V. Nguyen and J. Wang, "Visual Clustering of Spam Emails for DDoS Analysis," in Proc. IV 2011, 15th International Conference on Information Visualization, pp. 65-72, 13-15 July 2011.

[9] J. Zhang, M.L. Huang and D. Hoang, "Detecting DDoS Attack in Spam Emails using Density-Weight Model," in Proc. ICITIS 2011, 2nd IEEE International Conference on Information Theory and Information Security, Hangzhou, China, pp. 344-352, 4-6 Nov. 2011.

[10] Y. Huang, X. Fu, Q. Hou and Z. Yu, "The Early Detection of DDoS Based on the Persistent Increment Feature of the Traffic Volume," in Proc. AINAW 2008, 22nd International Conference on Advanced Information Networking and Applications - Workshops, pp. 365-370, 25-28 March 2008.

[11] A. Shiravi, H. Shiravi, M. Tavallaee and A.A. Ghorbani, "Toward developing a systematic approach to generate benchmark datasets for intrusion detection," Computers & Security, vol. 31, no. 3, pp. 357-374, May 2012, ISSN 0167-4048.

[12] S. Savage, D. Wetherall, A. Karlin and T. Anderson, "Network support for IP traceback," IEEE/ACM Transactions on Networking, vol. 9, no. 3, pp. 226-237, June 2001.

282


[13] P. Eades and M.L. Huang, "Navigating Clustered Graphs using Force-Directed Methods," Journal of Graph Algorithms and Applications, vol. 4, no. 3, pp. 157-181, July 2000.

[14] Q.V. Nguyen and M.L. Huang, "A space-optimized tree visualization," in Proc. INFOVIS '02, IEEE Symposium on Information Visualization, pp. 85-92, 2002.

[15] Y. Kim, J.Y. Jo, H.J. Chao and F. Merat, "High-speed router filter for blocking TCP flooding under DDoS attack," in Proc. 2003 IEEE International Performance, Computing, and Communications Conference, pp. 183-190, 9-11 April 2003.

[16] S. Elnaffar and P. Martin, "Techniques and a Framework for Characterizing Computer Systems' Workloads," in Innovations in Information Technology, 2006, pp. 1-5, Nov. 2006.

[17] M. Nijim, T. Xie and X. Qin, "Integrating a performance model in self-managing computer systems under mixed workload conditions," in Proc. IRI 2005, IEEE International Conference on Information Reuse and Integration, pp. 132-137, 15-17 Aug. 2005.

[18] A.R. Abdulgafer, P.N. Marimuthu and S.J. Habib, "Redesign of grid-based enterprise information network through servers consolidation," in Proc. ICCIT 2010, 5th International Conference on Computer Sciences and Convergence Information Technology, pp. 445-450, Nov. 30 - Dec. 2, 2010.

[19] M.N. Bennani and D.A. Menasce, "Assessing the robustness of self-managing computer systems under highly variable workloads," in Proc. International Conference on Autonomic Computing, 2004, pp. 62-69, 17-18 May 2004.

[20] H. Koike, K. Ohno and K. Koizumi, "Visualizing cyber attacks using IP matrix," in Proc. VizSEC 05, IEEE Workshop on Visualization for Computer Security, pp. 91-98, 2005.

[21] M. Li, J. Li and W. Zhao, "Experimental study of DDOS attacking of flood type based on NS2," International Journal of Electronics and Computers, vol. 1, no. 2, p. 143, 2009.

[22] K. Lee, J. Kim, K.H. Kwon, Y. Han and S. Kim, "DDoS attack detection method using cluster analysis," Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, April 2008, ISSN 0957-4174.

[23] J. Zhang, P. Yang, L. Lu and L. Chen, "NetViewer: A Visualization Tool for Network Security Events," in Proc. NSWCTC '09, International Conference on Networks Security, Wireless Communications and Trusted Computing, pp. 434-437, 2009.

[24] KDD Cup 1999. Available at http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, August 2010.

[25] L. Garber, "Denial-of-service attacks rip the Internet," IEEE Computer, vol. 33, pp. 12-17, 2000.

[26] V. Paxson, "An analysis of using reflectors for distributed denial-of-service attacks," SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38-47, July 2001.

[27] J. McPherson, K.-L. Ma, P. Krystosk, T. Bartoletti and M. Christensen, "PortVis: a tool for port-based detection of security events," in Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 73-81, 2004.

[28] J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the source," in Proc. 10th IEEE International Conference on Network Protocols, pp. 312-321, 12-15 Nov. 2002.

[29] C. Kintzel, J. Fuchs and F. Mansmann, "Monitoring large IP spaces with ClockView," in Proc. VizSec '11, 8th International Symposium on Visualization for Cyber Security, pp. 1-10, 2011.

[30] J.-P. van Riel and B. Irwin, "InetVis, a visual tool for network telescope traffic analysis," in Proc. AFRIGRAPH '06, 4th International Conference on Computer Graphics, Virtual Reality, Visualisation and Interaction in Africa, pp. 85-89, 2006.

[31] A. Yaar, A. Perrig and D. Song, "StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense," IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, Oct. 2006.

[32] D.K.Y. Yau, J.C.S. Lui, F. Liang and Y. Yam, "Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles," IEEE/ACM Transactions on Networking, vol. 13, no. 1, pp. 29-42, Feb. 2005.

[33] K. Lakkaraju, W. Yurcik and A.J. Lee, "NVisionIP: netflow visualizations of system state for security situational awareness," in Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 65-72, 2004.

[34] E.M. Salvador and L.Z. Granville, "Using visualization techniques for SNMP traffic analyses," in Proc. ISCC 2008, IEEE Symposium on Computers and Communications, pp. 806-811, 6-9 July 2008.

[35] X. Yin, W. Yurcik, M. Treaster, Y. Li and K. Lakkaraju, "VisFlowConnect: netflow visualizations of link relationships for security situational awareness," in Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26-34, 2004.

[36] R. Ball, G.A. Fink and C. North, "Home-centric visualization of network traffic for security administration," in Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 55-64, 2004.

Figure 6. Attack-density and flood-densities where ip=192.168.5.122 (y-axis from 0.000 to 1.000; series: ad (TCP_HTTP_attack_80), fd (TCP_HTTP_normal_80), fd (UDP_DNS_normal_53), fd (TCP_FTP_normal_21…60291), fd (TCP_IMAP_normal_143), fd (TCP_POP_normal_110))



Figure 7. Traffic nodes without clustering where ip=192.168.5.122

Figure 8. Clustered visualization of AttackScale where ip=192.168.5.122
