
Detecting Flood Attacks through New Density-Pattern Based Approach

Jinson Zhang, Member IEEE
School of Software, Faculty of Engineering & IT, University of Technology, Sydney, Sydney, Australia
[email protected]

Mao Lin Huang
School of Software, Faculty of Engineering & IT, University of Technology, Sydney, Sydney, Australia
[email protected]

Abstract - Flood attacks are common threats to the Internet, which has necessitated visual analysis within an intrusion detection system to identify these attack patterns. The challenges are how to increase the accuracy of detection and how to visualize and present the patterns of flood attacks for early detection. In this paper, we introduce a Two-Density model that contains two coefficients, sending-density and receiving-density, for network traffic analysis during flood attacks. The attack pattern is established based on these two coefficients, which are also displayed in our clustering visualization graph. The experimental results are presented to demonstrate that the proposed model significantly improves the detection of flood attacks and provides a better understanding of the nature of flood attacks on networks.

Keywords - Network security; flood attack pattern; sending density; receiving density; information visualization

I. INTRODUCTION

Flood attacks are serious security problems for all computers connected to the Internet because they can come from anywhere and are hard to predict. A large-scale flood attack exhausts the victim’s memory, network bandwidth and CPU time; this means that a Distributed Denial of Service (DDoS) attack has occurred. Fig. 1 shows some examples of flood attacks targeting our systems.

Figure 1. Example of flood attacks recorded in our systems

The network traffic patterns under a flood attack combine legitimate traffic patterns with the flood attack traffic. During flood attacks, the local routers at the hacker’s end are the first network devices to record these traffic patterns before the traffic goes through the Internet. At the other end, the victim’s routers are the last network devices that record these traffic pattern logs.

Our study investigates the attack patterns when the flood traffic flows through an Internet router. The router logs record the attack traffic, which contains information on both senders and receivers. After classifying and grouping the characteristics of the attack traffic, the attack pattern is established. Furthermore, a visualization technique is also used in our approach to provide the best understanding of the attack patterns and to help detect flood attacks at an early stage.

A. Motivation

Despite its importance, there is no previous work addressing the flood attack pattern, to the best of our knowledge.

The most common visual approaches for an Intrusion Detection System (IDS) draw security events as links between sources and destinations, and the raw data is used to display the network links. Network Eye [9] and VisFlowConnect [12] both illustrate the links between local network/ports and external network/ports across the network. Tree-Map [10] [7] classifies the network traffic and security events in order to view the linked hosts. PortVis [19] visualizes port usage for network traffic analysis. The main issue with these visual approaches is that they display too many crossing lines, which makes the visualization very complicated; this is what we try to resolve.

The most common traffic types of flood attack are TCP traffic, UDP traffic and ICMP traffic. The current study of these traffics had three main foci: network traffic measurements such as traffic rate changes, IP traceback and packet classification; attack identification, such as Smurf, IP spoof or reflector; defense mechanisms such as router-based filters and proxy systems [8] [16] [17] [20].

Our research includes two areas: to investigate the flood attack traffics through the router in order to establish the attack patterns and behaviors for both the senders and receivers, and to study the visualization technique in order to create an algorithmic method that visualizes the attack pattern easily and quickly.

B. Our contributions

In this paper, we further develop our visual analytics model in [5] and [22] for analyzing flood attacks. Firstly, we analyze the characteristics of flood attacks and their behaviors, and then establish the pattern of flood attacks, which contains the eight attributes representing the flood traffic. Secondly, we introduce a Two-Density model with two coefficients, sending-density and receiving-density, to measure the traffic patterns of flood attacks through Internet routers. Thirdly, we use our visual clustering method to classify and display the pattern of flood attacks, which helps improve the detection of flood attacks at an early stage. The main contributions of this work are therefore:

• Introducing a Two-density model that contains the sending-density and the receiving-density in order to measure the sender and receiver patterns of the flood attacks at the Internet level.

[Figure 1 content: two router log entries. 4/20/2010 18:15:21 User attempting to access FTP interface from 58.251.201.113 (China). 12/08/2011 18:51:02 ICMP … “GET /scgi-bin/…/XXX.pl ?configdir=|echo…|…/…” from 219.240.36.108 (Korea).]

2013 IEEE International Conference on High Performance Computing and Communications & 2013 IEEE International Conference

on Embedded and Ubiquitous Computing

978-0-7695-5088-6/13 $26.00 © 2013 IEEE

DOI 10.1109/HPCC.and.EUC.2013.44

246


• Using the visual circle graph to display the attack pattern in our clustered visualization method, which avoids the massive cross-linking lines between the source and destination.

The experiment shows that the Two-density model with clustering visualization can be effectively used for network security analysis. A clear clustered structure of flood attacks could help analysts identify unusual network security events.

The paper is organized as follows. Section II describes our Two-density model, including the flood attacks pattern, sending-density, receiving-density and the visual clustered method. Section III illustrates the implementation. Section IV shows the related works. Section V summarizes our approach and outlines future works.

II. TWO-DENSITY MODEL

A. Flood attack traffics

Each flood attack is represented as an attributed node, with attributes such as receive-time, target port or source-IP. We selected the eight most relevant attributes for flood attack analysis: receive-time, traffic-type, connecting-method, attack-type, destination-ip, destination-port, source-ip and source-port.

The traffic-type (tr) is the network traffic which travelled between the sender’s and the receiver’s system, not established by the sender or the receiver servers. It can be TCP-IPv4, IPv6, IPX, ARP, etc. tr ≠ null

The connecting-method (co) is the network connection and is managed by the receiver system’s services, such as http, https, ftp, smtp, imap, pop3, ssh, dns, irc, eco, telnet, etc. co ≠ null

The attack-type (at) is the method that the hacker used to attack the victim’s system, such as Smurf, rootkit, buffer overflow, password cracking or PortScan.

The destination-ip (dip) is the receiver’s IP address. dip ≠ 0

The destination-port (dpo) is the port that the hacker targets. dpo ≠ 0

The source-IP (sip) is the hacker’s IP address. sip ≠ 0

The source-port (spo) is the port the hacker used to send the attacks. spo ≠ 0

A flood attack can therefore be defined as

$$f(t,\ tr,\ co,\ at,\ dip,\ dpo,\ sip,\ spo)$$

where t is the time stamp for the attack arrival time, t > 0.

Assume that in a time slot of period p, all n flood traffic records are in a set F, defined as

$$F = \{ f_1, f_2, f_3, \ldots, f_n \} \qquad (1)$$

Suppose a set TR contains all mx traffic-types, so that it can be defined as $TR = \{tr_1, tr_2, tr_3, \ldots, tr_{mx}\}$ in the flood attacks. Thus, a subset for a particular traffic-type x, tr=x, is defined as

$$F_x = \{\, f \in F \mid tr = x \,\} \qquad (2)$$

Suppose a set CO contains all my connecting-methods, so that it can be defined as $CO = \{co_1, co_2, co_3, \ldots, co_{my}\}$ in the flood attacks. Thus, a subset for a particular connecting-method y, co=y, is defined as

$$F_y = \{\, f \in F \mid co = y \,\} \qquad (3)$$

Suppose a set AT contains all mz attack-types, so that it can be defined as $AT = \{at_1, at_2, at_3, \ldots, at_{mz}\}$ in the flood attacks. Thus, a subset for a particular attack-type z, at=z, is defined as

$$F_z = \{\, f \in F \mid at = z \,\} \qquad (4)$$

Assume a set DIP contains all mk destination-ips, so that it can be defined as $DIP = \{dip_1, dip_2, dip_3, \ldots, dip_{mk}\}$ in the flood attacks. Thus, a subset for a particular destination-ip k, dip=k, is defined as

$$F_k = \{\, f \in F \mid dip = k \,\} \qquad (5)$$

Suppose a set SIP contains all mj source-ips, so that it can be defined as $SIP = \{sip_1, sip_2, sip_3, \ldots, sip_{mj}\}$ in the flood attacks. Thus, a subset for a particular source-ip j, sip=j, is defined as

$$F_j = \{\, f \in F \mid sip = j \,\} \qquad (6)$$

The traffic pattern of flood attacks is considered as two different traffic flows: the flood attack’s flow to the victim’s particular destination IP address, and the flood attack’s flow from the hacker’s source IP address. Accordingly, combining (2), (3), (4) and (5) creates a subset of flood attacks that contains a specific tr=x, co=y, at=z and is targeted at a particular destination-ip dip=k. This is defined as

$$F(x, y, z, k) = \{\, f \in F \mid tr = x,\ co = y,\ at = z,\ dip = k \,\} \qquad (7)$$

Combining (2), (3), (4) and (6), a subset of flood attacks that contains a specific tr=x, co=y, at=z from a particular source-ip sip=j is defined as

$$F(x, y, z, j) = \{\, f \in F \mid tr = x,\ co = y,\ at = z,\ sip = j \,\} \qquad (8)$$

The subset (7) demonstrates the receiving pattern of the flood attacks, where the victim (dip=k) received attacks of type at=z within traffic type tr=x and by connecting method co=y. The subset (8) represents the sending pattern of the flood attacks, where the hacker (sip=j) sent attacks of type at=z within traffic type tr=x and by connecting method co=y. These two patterns show the flood traffic through the Internet router that forms the two densities: sending density and receiving density.

The potential risk is that IDS can’t detect the large number of unknown attacks, which are hidden inside network traffics and pass through the routers to damage the victim’s system. In our model, the sending pattern and receiving pattern can also identify tr = “unknown traffic-type”, co = “unknown connecting-method”, and at = “unknown attack-type”.


B. Sending Density and Receiving Density

Here, we introduce the first density. The Receiving-Density (rd) measures the flood attack’s flow to a destination site through the Internet. Based on formula (7), the Receiving-Density for tr=x, co=y, at=z and dip=k is defined as

$$rd(x, y, z, k) = \frac{|F(x, y, z, k)|}{|F_x|} = \frac{\sum_{i=1}^{n} f_i(t,\ tr{=}x,\ co{=}y,\ at{=}z,\ sip,\ spo,\ dip{=}k,\ dpo)}{|F_x|} \qquad (9)$$

where 0 < rd(x, y, z, k) < 1.

Fig. 2 shows an example of rd(x, y, z, k). The red ovals represent incoming attacks from different sip and spo that flow to dip=k, where tr=TCP and co=HTTP, FTP or ssh.

Figure 2. Example of Receiving-Density (to dip=k)

A high value of rd(x, y, z, k) means the victim suffered harmful flood attacks from multiple sources. rd(x, y, z, k) → 1 indicates that a DDoS attack occurred, because no legitimate traffic can flow to the victim’s site dip=k.

We also introduce another density. The Sending-Density (sd) measures the flood attack’s flow from a source site through the Internet. Based on formula (8), the Sending-Density for tr=x, co=y, at=z and sip=j is defined as

$$sd(x, y, z, j) = \frac{|F(x, y, z, j)|}{|F_x|} = \frac{\sum_{i=1}^{n} f_i(t,\ tr{=}x,\ co{=}y,\ at{=}z,\ sip{=}j,\ spo,\ dip,\ dpo)}{|F_x|} \qquad (10)$$

where 0 < sd(x, y, z, j) < 1.

Figure 3. Example of Sending-Density (from sip=j)

Fig. 3 shows an example of sd(x, y, z, j). The blue ovals represent outgoing-attacks from sip=j that flow to different dip and dpo through the Internet, where tr=TCP, co=HTTP, FTP or ssh. The high value of sd(x, y, z, j) means that the hacker sent widespread attack traffics to the victim’s system across the network.

The value of sd(x, y, z, j) and rd(x, y, z, k) demonstrates the behaviors of attack traffic flows through the Internet for the hacker and the victim. If sd(x, y, z, j) > rd(x, y, z, k), the hacker (sip=j) sent widespread attacks to multiple victims across the network and the victim (dip=k) was only one of them. Fig. 4 shows such an example, where sd(x, y, z, j) > rd(x, y, z, k). The connecting-method between the hacker and the victim is Virtual Network Computing (VNC).

Figure 4. Example of attack pattern where sd( ) > rd( )

When sd(x, y, z, j) < rd(x, y, z, k), it indicates that the centralized attacks that the victim (dip=k) suffered came from multiple sources and the hacker (sip=j) was only one of them. Fig. 5 shows such an example, where sd(x, y, z, j) < rd(x, y, z, k). The connecting-method between the hacker and victim is HTTP.

Figure 5. Example of attack pattern where sd( ) < rd( )

The different attributes in sd(x, y, z, j) or rd(x, y, z, k) are used to identify the attack behaviors, which makes defending against flood attacks much easier and quicker. For example, a high value of rd(x, y, z, k), where tr=x, co=y and at=z, indicates that the victim (dip=k) received huge amounts of flood attacks. However, this can be controlled by editing dip=k and co=y in the router’s access list to prevent the hacker from damaging the victim’s system.


A high value of sd(x, y, z, j) represents the hacker (sip=j) sending huge amounts of attacks to the network. This can be managed by adding the hacker’s source-ip into the block list.

C. Attack pattern

The attack pattern varies depending on the attributes tr, co and at. We use the coefficient λ to classify the attack patterns. λ is defined as

$$\lambda = \frac{rd(x, y, z, k)}{sd(x, y, z, j)} \qquad (11)$$

When a victim is targeted by flood attacks from multiple sources, as shown in Fig. 5, where sd(x, y, z, j) < rd(x, y, z, k) and λ > 1, this indicates that the centralized attack pattern occurred. When sd(x, y, z, j) > rd(x, y, z, k) and λ < 1, as shown in Fig. 4, this illustrates that widespread attacks occurred. When sd(x, y, z, j) = rd(x, y, z, k) and λ = 1, this means that single attacks occurred. This classification is shown in Table I.

TABLE I. Attack pattern classification

Pattern               Value of λ
Centralized attacks   λ > 1
Single attacks        λ = 1
Widespread attacks    λ < 1

Figure 6. Attack patterns with value of λ

Fig. 6 shows the relationship between λ and the attack patterns. The three curves (green, red and orange) are examples of the three different values of λ and their attack patterns. The three intersections illustrate three different attack patterns where sd(green) > sd(red) > sd(orange). The yellow colour represents the centralized attack area where λ > 1, and the grey colour area illustrates the widespread attacks occurring where λ < 1. When λ → ∞, the DDoS attack occurred on the most affected victim site. When λ → 0, the hacker sent huge amounts of attacks across the whole Internet.

D. Clustered Visualization

Each flood attack can be represented as a node containing the eight attributes in our definition. We use five clustered levels to illustrate this.

• First clustered level: tr=x is used for the top value of rd(x, y, z, k) and sd(x, y, z, j), which represents the most affected victim (dip=k) and the most active hacker (sip=j).

• Second clustered level: Uses the higher value for at=z, which separates flood traffic from legitimate connections.

• Third clustered level: Uses the higher set of values for co=y, which indicates the most active connecting-method for the system administrator to monitor or control.

• Fourth clustered level: Uses the higher set of values for dip and sip, which represents the most affected victim and the most active hacker.

• Fifth clustered level: Uses the spo and dpo to illustrate the port used by the hacker and the port targeted.

Visually, a circle is used to represent each different attribute of sd(x, y, z, j) and rd(x, y, z, k), using points in a graph without any linking lines. When the top values of sd(x, y, z, j) and rd(x, y, z, k) are set, five levels of the cluster structure will be illustrated.

Accordingly, the radius of a circle for a particular attribute, related to its density from (1), (2), (3) and (4), is defined as

$$R(x) = \frac{|F_x|}{|F|} = \frac{\sum_{i=1}^{n} f_i(t,\ tr{=}x,\ co,\ at,\ sip,\ spo,\ dip,\ dpo)}{n} \qquad (12)$$

where R(x) is the radius for tr=x.

$$R(y) = \frac{|F_y|}{|F|} = \frac{\sum_{i=1}^{n} f_i(t,\ tr,\ co{=}y,\ at,\ sip,\ spo,\ dip,\ dpo)}{n} \qquad (13)$$

where R(y) is the radius for co=y.

$$R(z) = \frac{|F_z|}{|F|} = \frac{\sum_{i=1}^{n} f_i(t,\ tr,\ co,\ at{=}z,\ sip,\ spo,\ dip,\ dpo)}{n} \qquad (14)$$

where R(z) is the radius for at=z.

Circle nodes for sip and dip are not calculated for radius because they take too much space in the graph. They are displayed separately from the graph after the clustered visualization has been finalized.
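To make the two densities concrete, here is an added Python example (not code from the paper) that computes rd and sd, the classification coefficient of (11) (written λ here) and the Table I class for three constructed time slots, plus the circle radius of (12)-(14) and the first-level cluster selection at preset thresholds. It takes the density denominator as the traffic-type subset F_x, and all IP addresses and records are constructed placeholders, not data from the ISCX2012 capture.

```python
"""Two-Density flood-attack classification on constructed router records."""
from collections import namedtuple

# One router log record f(t, tr, co, at, dip, dpo, sip, spo), in the paper's attribute order.
Flow = namedtuple("Flow", "t tr co at dip dpo sip spo")


def subset_tr(flows, x):
    """F_x: the records whose traffic-type is x (eq. 2)."""
    return [f for f in flows if f.tr == x]


def receiving_density(flows, x, y, z, k):
    """rd(x, y, z, k): share of the tr=x records that are at=z attacks over co=y
    aimed at destination-ip k, i.e. |F(x, y, z, k)| / |F_x| (this example's reading of eq. 9)."""
    fx = subset_tr(flows, x)
    if not fx:
        return 0.0
    hit = [f for f in fx if f.co == y and f.at == z and f.dip == k]
    return len(hit) / len(fx)


def sending_density(flows, x, y, z, j):
    """sd(x, y, z, j): the same ratio for records sent from source-ip j (eq. 10)."""
    fx = subset_tr(flows, x)
    if not fx:
        return 0.0
    hit = [f for f in fx if f.co == y and f.at == z and f.sip == j]
    return len(hit) / len(fx)


def coefficient(rd, sd):
    """lambda = rd / sd (eq. 11); lambda -> infinity when the hacker's share vanishes."""
    if sd == 0.0:
        return float("inf")
    return rd / sd


def classify(lam):
    """Table I: centralized (lambda > 1), single (lambda = 1), widespread (lambda < 1)."""
    if lam > 1.0:
        return "centralized"
    if lam < 1.0:
        return "widespread"
    return "single"


def radius(flows, attr, value):
    """Circle radius for one attribute value: |F_attr=value| / |F| (eqs. 12-14)."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if getattr(f, attr) == value) / len(flows)


def analyze_slot(flows, x, y, z, k, j):
    """Return (rd, sd, lambda, pattern) for victim k and hacker j in one time slot."""
    rd = receiving_density(flows, x, y, z, k)
    sd = sending_density(flows, x, y, z, j)
    lam = coefficient(rd, sd)
    return rd, sd, lam, classify(lam)


def top_nodes(flows, x, y, z, rd_min, sd_min):
    """First clustered level: dip values whose rd reaches rd_min and sip values whose sd
    reaches sd_min (the paper's final preset values are rd = 0.50 and sd = 0.10)."""
    victims = sorted({f.dip for f in flows if receiving_density(flows, x, y, z, f.dip) >= rd_min})
    hackers = sorted({f.sip for f in flows if sending_density(flows, x, y, z, f.sip) >= sd_min})
    return victims, hackers


# Constructed records with placeholder addresses (not from any real capture).
VICTIM, HACKER = "10.0.5.22", "10.0.2.112"
OTHERS = ["10.0.5.%d" % i for i in range(30, 35)]   # five other hosts
SOURCES = ["10.0.2.%d" % i for i in range(50, 55)]  # five other sources


def legit(t):
    """Four legitimate TCP/HTTP connections per slot, mixed in with the attacks."""
    return [Flow(t + i, "TCP", "HTTP", "normal", OTHERS[i], 80, SOURCES[i], 40000 + i)
            for i in range(4)]


# Slot 1 (widespread): HACKER hits VICTIM and the five other hosts.
SLOT_WIDESPREAD = legit(0) + [Flow(10 + i, "TCP", "HTTP", "attack", d, 80, HACKER, 6000 + i)
                              for i, d in enumerate([VICTIM] + OTHERS)]
# Slot 2 (centralized): VICTIM is hit by HACKER and five other sources.
SLOT_CENTRALIZED = legit(100) + [Flow(110 + i, "TCP", "HTTP", "attack", VICTIM, 80, s, 6000 + i)
                                 for i, s in enumerate([HACKER] + SOURCES)]
# Slot 3 (single): only HACKER -> VICTIM.
SLOT_SINGLE = legit(200) + [Flow(210, "TCP", "HTTP", "attack", VICTIM, 80, HACKER, 6000)]


def run_demo():
    """Classify each slot for dip=VICTIM, sip=HACKER, tr=TCP, co=HTTP, at=attack."""
    return {name: analyze_slot(fl, "TCP", "HTTP", "attack", VICTIM, HACKER)
            for name, fl in [("widespread", SLOT_WIDESPREAD),
                             ("centralized", SLOT_CENTRALIZED),
                             ("single", SLOT_SINGLE)]}


if __name__ == "__main__":
    for name, (rd, sd, lam, pattern) in run_demo().items():
        print("%-11s rd=%.2f sd=%.2f lambda=%s -> %s" % (name, rd, sd, lam, pattern))
```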


III. IMPLEMENTATION

A. Simulation for two-density

Our Two-density model has been tested using the ISCX2012 dataset [6]. The details of the ISCX2012 dataset are shown in Table II. Unlike the KDDCUP99 dataset [14], which labels all the different attack-types such as Smurf, rootkit and guess_passwd, the ISCX2012 dataset only labels them as “attack”.

TABLE II. TestbedTueJun15c – ISCX2012 dataset

Name                  Amount
Network traffics      130288
Source IPs            36
Destination IPs       1656
ICMP traffics         31
TCP traffics          119242
Unknown TCP traffics  3
UDP traffics          11015
Unknown UDP traffics  36
Connecting methods    19
Source ports          23653
Destination ports     222
Attacks               37375

In the simulation, the dip = 192.168.5.122 is targeted. The victim suffered malicious attacks by TCP traffic with the HTTP connection targeted on port 80. There are seven different sip that sent the flood attacks, with the IRC or HTTP connections shown in Fig. 7 (at the end of this paper).

Around 15:55 in our testing, sd(x, y, z, j) increases its value on the IRC connection from sip = 192.168.2.112 by spo = 6667. The attack pattern is widespread, as λ < 1. At 16:05, rd(x, y, z, k) increased its value on dip = 192.168.5.122 by the HTTP connection targeting dpo = 80. At the same time, the value of sd(x, y, z, j) from six different sip increased. The attack pattern changed to centralized, as λ > 1. During the threat, both values of rd(x, y, z, k) and sd(x, y, z, j) stayed at the higher level and the attack pattern remained unchanged until 17:20, as shown in Fig. 7.

The values of λ, sd(x, y, z, j) and rd(x, y, z, k) clearly illustrate the attack patterns in our simulation, which no previous work demonstrates, to the best of our knowledge. The Two-Density model significantly improved the accuracy of network intrusion detection.

B. Error analysis for unknown traffics

The potential risk for unknown traffics is mainly when there are large numbers of attacks hidden inside unknown network traffics, which pass through the gateway router and damage the victim’s system. In the simulation, there are 39 unknown traffics, including 3 unknown_TCP traffics and 36 unknown_UDP traffics, as shown in Table III. 2 unknown_TCP traffics have been identified as “attack”.

The densities for the unknown traffics are rd(Unknown_TCP) = 0.00003 and rd(Unknown_UDP) = 0.003. The density of the unknown_UDP traffic is therefore a hundred times greater than the density of the unknown_TCP traffics. This may be because unknown files or applications were not yet categorized or classified in the ISCX dataset traffic capture process.

TABLE III. Unknown traffics – ISCX2012 dataset

Name              Amount
TCP traffics      119242
Unknown_TCP       3
rd(Unknown TCP)   0.00003
UDP traffics      11015
Unknown_UDP       36
rd(Unknown UDP)   0.003

Suppose that 36 unknown attacks are hidden inside the unknown_UDP traffics. We consider this still low risk because, for rd(Unknown_UDP) = 0.003 and rd( ) ≈ 0.6 (shown in Fig 7), only a 0.5% error might occur. There is no major risk in this simulation.

C. Visualization

A visual circle is used to represent the flood traffic and its attributes tr, co, at, sip, spo, dip and dpo using points. The clustered structure relies on the values of rd(x, y, z, k) and sd(x, y, z, j). Fig. 8 (at the end of this paper) shows all the nodes as points. The yellow nodes represent rd(k) and sd(j) for clustering visualization. The different rd(x, y, z, k) and sd(x, y, z, j) are represented in the graph for their different attributes. For example, rd(4) represents the value of the FTP connection, and sd(6) indicates the value of the ICMP traffic. Before visualization processing, there are no links connected to any node for tr, co and at. The sip, spo, dip and dpo are not shown in this graph to save space, but will be illustrated separately after the cluster structure is finalized.

We preset sd(x, y, z, j) = 0.80 and rd(x, y, z, k) = 0.80 to start the visualization process. Unfortunately, no clustered structure appeared because the value of either sd(x, y, z, j) or rd(x, y, z, k) was not reached at those points. The values were lowered until sd(x, y, z, j) = 0.10 and rd(x, y, z, k) = 0.50. The final clustered visualization that appeared is shown in Fig. 9 (at the end of this paper). There are two top-value sd(x, y, z, j) nodes and one top-value rd(x, y, z, k) node. The classification value λ = 5 suggests that the centralized attack pattern hit the victim’s system, which may have suffered DDoS attacks.

The preset values of sd(x, y, z, j) and rd(x, y, z, k) remove the mass of linking lines across the nodes, which shows the clustered structure clearly for detection. A higher value of sd(x, y, z, j) indicates that the hacker sent widespread attack traffic to victim systems across the network. A high value of rd(x, y, z, k) means that the victim suffered harmful flood attacks from multiple sources.

When rd(x, y, z, k) and sd(x, y, z, j) reach the preset values, the attribute tr=x is the first clustered link for visualization, at=z is the second and co=y is the third. The sip and dip are the last attributes for clustering. The final clustered structure is generated when rd(k) = 0.500 and sd(j) = 0.100, as shown in Fig. 9. All nodes that have the same classifications for rd(k) and sd(j) are gathered into groups, linked by their different clustered levels and the destination-IPs and source-IPs after the final clustered visualization.

The top value of rd(k) occurred when dip = 192.168.5.122, tr = TCP, co = HTTP, dpo = 80 and at = “attack”. The two top values of sd(j) appeared when co=HTTP and co=IRC on TCP traffic using different source ports. The red lines represent source-IPs and destination-IPs that reached the values of rd(k) and sd(j). The nodes that do not belong to the rd(k) and sd(j) clusters are still points in the graph. The clustering visualization scaled down the patterns of the flood traffic into their particular characteristics, which made the detection of the flood attacks easier and more efficient due to the clear view.

The clustered visualization using the Two-density model gives clear outlines of the pattern of flood attacks in their different attack-types, target ports and connecting-methods, which makes the detection of flood attacks during the early stage much clearer and easier. The model has significantly improved the accuracy of IDS detection of flood attacks and accurately scaled down the flood attacks while illustrating the scope of the flood attack pattern.

IV. RELATED WORKS The most common traffics of flood attacks flowing through

routers are TCP, UDP and ICMP. Jelena Mirkovic et al [18] analyzed the data flow at the source-router for these three types of traffic, and flagged each connection as good, bad or transient. The sending rate and the rate limit are used in their model to detect the DDoS attacks. Li et al [11] studied both UDP-type and TCP-type flood attacks by using the same attack intensity simulation environment, and found that UDP-type attack consumes more network bandwidth than TCP-type attack.

Ratul Mahajan et al [15] set a rate limit at adjacent upstream routers to protect the traffic within the aggregate from the attack traffic. David K. Y. Yau et al [21] analyzed the forwarding rate of traffic between routers, and measured how the router throttling rate affected the server load.

Entropy (a statistical measure of the uncertainty of random variables) has been used to measure abnormal network traffic. Legitimate network traffic has regular packet sizes from regular IP addresses at regular flow rates, so its entropy values are concentrated. A burst in the entropy value represents an abnormal change in the network traffic, which leads to the detection of a flood attack when it occurs [1] [13].

Villafuerte et al [3] used network density to estimate the distance between two adjacent nodes based on local neighborhood information. Habiba et al [2] used an effective density, classified into three levels (low, medium and high), to find the trend of spreading patterns within a spread network. The relationship between the densities and the extent of spread is analyzed in their proposal, and the effective density is defined by the degree of the spread network nodes. Dean Pemberton et al [20] studied the arrival density of Internet Background Radiation (IBR), which represents the packet arrival rate in the local subnets aaa.bbb.p.q, and used a 2D viewer, dimensioned by p×q, to display the arrival density. A network telescope is used to explore the arrival rate.

The study closest to our model is Lee et al [4], who used nine attributes of flood attacks (source-ip, source-port, destination-ip, destination-port, packet-type, number-packets, occurrence rate-TCP, occurrence rate-UDP and occurrence rate-ICMP) to analyze abnormal changes in network traffic and classify the groups into different phases (attack, post-attack and normal-traffic). Unfortunately, it did not analyze the details of the connecting method and did not include the different attack-types or the pattern of the flood attacks.

V. CONCLUSIONS & FUTURE WORK

In this paper, we propose a new Two-density model to analyze and detect flood attacks. The model has two unique features not found in existing proposals: the sending-density and receiving-density, which demonstrate the pattern of flood attacks, and the visual nodes used in the clustered visualization, which do not draw any lines between source and destination.

Our implementation shows that the Two-density model not only detects the flood attack and its patterns, but also clusters the flood traffic clearly for early detection. The model measures different types of flood attacks and their behaviors with high accuracy. The clustering visualization is used to classify and display these flood attacks, and to interactively select and scale down the scope of the visualization for a better understanding of the connecting-methods, attack-types and traffic-types. The experiment shows that the model, together with the clustering visualization, significantly improves the accuracy of flood attack detection and network security analysis.

For future work, we plan to extend our Two-density model to cover botnet attacks and flash crowd attacks, which have different network traffic patterns and classifications. Cloud networks and BigData are also areas of interest to us for clustering visualization.

REFERENCES

[1] Y. Xiang, K. Li, and W. Zhou, "Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics," IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, pp. 426-437, June 2011.

[2] Habiba and T. Berger-Wolf, "Working for Influence: Effect of Network Density and Modularity on Diffusion in Networks," In Proc. 2011 IEEE 11th International Conference on Data Mining Workshops (ICDMW), pp. 933-940, 11 Dec. 2011.

[3] F.L. Villafuerte, K. Terfloth and J. Schiller, "Using Network Density as a New Parameter to Estimate Distance," In Proc. ICN 2008, Seventh International Conference on Networking, pp. 30-35, 13-18 April 2008.

[4] K. Lee, J. Kim, K.H. Kwon, Y. Han and S. Kim, "DDoS attack detection method using cluster analysis," Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, April 2008, ISSN 0957-4174.

[5] J. Zhang and M.L. Huang, "Visual Analytics Model for Intrusion Detection in Flood Attack," In Proc. TrustCom 2013, 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 277-284, July 2013.

[6] A. Shiravi, H. Shiravi, M. Tavallaee, and A.A. Ghorbani, "Toward developing a systematic approach to generate benchmark datasets for intrusion detection," Computers & Security, vol. 31, no. 3, pp. 357-374, May 2012, ISSN 0167-4048.

[7] Q.V. Nguyen and M.L. Huang, "A space-optimized tree visualization," In Proc. INFOVIS '02, IEEE Symposium on Information Visualization, pp. 85-92, 2002.

[8] Y. Kim, J.Y. Jo, H.J. Chao and F. Merat, "High-speed router filter for blocking TCP flooding under DDoS attack," In Proc. 2003 IEEE International Performance, Computing, and Communications Conference, pp. 183-190, 9-11 April 2003.

[9] R. Ball, G.A. Fink and C. North, "Home-centric visualization of network traffic for security administration," In Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 55-64, 2004.

[10] F. Mansmann, F. Fischer, D.A. Keim and S.C. North, "Visual support for analyzing network traffic and intrusion detection events using TreeMap and graph representations," In Proc. Symposium on Computer Human Interaction for the Management of Information Technology, Baltimore, Maryland, pp. 19-28, 2009.

[11] M. Li, J. Li, and W. Zhao, "Experimental study of DDOS attacking of flood type based on NS2," International Journal of Electronics and Computers, vol. 1, no. 2, p. 143, 2009.

[12] X. Yin, W. Yurcik, M. Treaster, Y. Li, and K. Lakkaraju, "VisFlowConnect: netflow visualizations of link relationships for security situational awareness," In Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26-34, 2004.

[13] Y. Gu, A. McCallum, and D. Towsley, "Detecting Anomalies in Network Traffic using Maximum Entropy Estimation," In Proc. 5th ACM SIGCOMM Conference on Internet Measurement, pp. 32-32, 2005.

[14] KDD Cup 1999. Available at http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, August 2010.

[15] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling high bandwidth aggregates in the network," SIGCOMM Comput. Commun. Rev., vol. 32, no. 3, pp. 62-73, July 2002.

[16] V. Paxson, "An analysis of using reflectors for distributed denial-of-service attacks," SIGCOMM Computer Communication Review, vol. 31, no. 3, pp. 38-47, July 2001.

[17] K. Park and H. Lee, "On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack," In Proc. INFOCOM 2001, Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 1, pp. 338-347, Apr. 2001.

[18] J. Mirkovic, G. Prier and P. Reiher, "Attacking DDoS at the source," In Proc. 10th IEEE International Conference on Network Protocols, pp. 312-321, 12-15 Nov. 2002.

[19] J. McPherson, K-L Ma, P. Krystosk, T. Bartoletti, and M. Christensen, "PortVis: a tool for port-based detection of security events," In Proc. VizSEC/DMSEC '04, 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 73-81, 2004.

[20] D. Pemberton, P. Komisarczuk and I. Welch, "Internet background radiation arrival density and network telescope sampling strategies," Australasian Telecommunication Networks and Applications Conference (ATNAC 2007), pp. 246-252, 2-5 Dec. 2007.

[21] D.K.Y. Yau, J.C.S. Lui, F. Liang and Y. Yam, "Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles," IEEE/ACM Transactions on Networking, vol. 13, no. 1, pp. 29-42, Feb. 2005.

[22] J. Zhang, M.L. Huang and D. Hoang, "Visual analytics for intrusion detection in spam emails," International Journal of Grid and Utility Computing, vol. 4, no. 2/3, pp. 178-186, 2013.

Figure 7. Values of rd( ) and sd( ) [figure: two time-series panels, "rd on HTTP" (y-axis 0.000 to 0.700) and "sd on IRC" (y-axis 0.000 to 0.070), over 15:55 to 17:20; series rd (dip=192.168.5.122:80), sd (sip=192.168.2.113), sd (sip=192.168.1.103), sd (sip=192.168.1.105), sd (sip=192.168.4.118), sd (sip=192.168.4.120), sd (sip=192.168.2.110) and sd-IRC (sip=192.168.2.112:6667)]

Figure 8. The nodes before clustering visualization

Figure 9. The higher values of rd( ) and sd( ) after clustering visualization