IJRIT International Journal of Research in Information Technology, Volume 3, Issue 5, May 2015, Pg.109-114

International Journal of Research in Information Technology (IJRIT) www.ijrit.com

ISSN 2001-5569

MCA Used For Efficient Attack Detection for DoS of System

Manjula G, M.Tech 4th Sem, Dept. of CSE, RYMEC, Bellary, Karnataka (India)
Nagveni B. Biradar, Associate Professor, Dept. of CSE, RYMEC, Bellary, Karnataka (India)
[email protected], [email protected]

ABSTRACT

Network systems such as cloud computing servers, database servers and Web servers are now under threat from network attackers. Denial-of-Service (DoS) attacks are among the most aggressive of these threats and have a critical impact on such computing systems. In this paper, we present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) for precise network traffic characterization, extracting the geometrical correlations between network traffic features. Our MCA-based DoS attack detection system employs the principle of anomaly-based detection in attack recognition. This makes our solution capable of detecting both known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. In addition, a triangle-area-based technique is proposed to enhance and speed up the MCA process. The effectiveness of the proposed detection system is evaluated using the KDD Cup 99 dataset, and the influence of both non-normalized and normalized data on the performance of the proposed detection system is examined. The results show that our system outperforms two other previously developed state-of-the-art approaches in terms of detection accuracy.

Keywords: Denial-of-Service attack, correlation, network traffic characterization, multivariate correlation analysis, triangle area.

INTRODUCTION

A denial-of-service attack is a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. A distributed denial-of-service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. These attacks target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information. Victims can be without service for anywhere from a few minutes to several days, which impacts and damages the running services; detecting denial-of-service attacks is therefore essential to protect online services. Work on DoS detection has focused on developing network-based detection mechanisms. Detection software based on such mechanisms monitors the network traffic transmitted over the protected networks. These mechanisms relieve the protected online services from monitoring for attacks and ensure that the servers can dedicate themselves to providing quality of service with minimum response delay. Furthermore, it is a complicated and labor-intensive task to keep a signature database updated, because signature generation is a manual process and heavily involves network security expertise.

The simulated attacks fall into one of the following four categories:

Denial of Service Attack (DoS): an attack in which the attacker makes some computing or memory resource too busy or too full to handle legitimate requests, or denies legitimate users access to a machine.


User to Root Attack (U2R): a class of exploit in which the attacker starts out with access to a normal user account on the system (perhaps gained by sniffing passwords, a dictionary attack, or social engineering) and is able to exploit some vulnerability to gain root access to the system.

Remote to Local Attack (R2L): occurs when an attacker who has the ability to send packets to a machine over a network, but who does not have an account on that machine, exploits some vulnerability to gain local access as a user of that machine.

Probing Attack: an attempt to gather information about a network of computers for the apparent purpose of circumventing its security controls.

It is important to note that the test data is not from the same probability distribution as the training data, and it includes specific attack types not in the training data, which makes the task more realistic. Some intrusion experts believe that most novel attacks are variants of known attacks and that the signatures of known attacks can be sufficient to catch novel variants. The datasets contain a total of 24 training attack types, with an additional 14 types in the test data only. The names and detailed descriptions of the training attack types are listed in [7].

KDD'99 features can be classified into three groups:

1) Basic features: this category encapsulates all the attributes that can be extracted from a TCP/IP connection. Most of these features lead to an implicit delay in detection.

2) Traffic features: this category includes features that are computed with respect to a window interval and is divided into two groups:
a) "Same host" features: examine only the connections in the past 2 seconds that have the same destination host as the current connection, and calculate statistics related to protocol behavior, service, etc.
b) "Same service" features: examine only the connections in the past 2 seconds that have the same service as the current connection.
The two aforementioned types of traffic features are called time-based. However, there are several slow probing attacks that scan the hosts (or ports) using a much larger time interval than 2 seconds, for example one every minute. As a result, these attacks do not produce intrusion patterns within a time window of 2 seconds. To solve this problem, the "same host" and "same service" features are re-calculated over a connection window of the last 100 connections rather than a time window of 2 seconds. These features are called connection-based traffic features.

3) Content features: unlike most of the DoS and Probing attacks, the R2L and U2R attacks do not have any frequent sequential intrusion patterns. This is because DoS and Probing attacks involve many connections to some host(s) in a very short period of time, whereas R2L and U2R attacks are embedded in the data portions of the packets and normally involve only a single connection. To detect these kinds of attacks, we need features that are able to look for suspicious behavior in the data portion, e.g. the number of failed login attempts. These features are called content features.
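As an added illustration (not code from the paper or the KDD'99 tooling), the following Python snippet computes the time-based (2-second) and connection-based (last 100 connections) "same host" and "same service" counts over a constructed trace, showing how a one-probe-per-minute scan leaves nothing in the 2-second window but still shows up in the connection window; the host addresses, port names and background traffic rate are assumptions.

```python
# Constructed connection records: (timestamp_sec, dst_host, service).
# Time-based traffic features look back 2 seconds; connection-based
# ones look back over the last 100 connections, whatever time they span.

def time_window(conns, current, window_sec=2.0):
    """Connections (including current) within window_sec before current."""
    t_now = current[0]
    return [c for c in conns if 0.0 <= t_now - c[0] <= window_sec]

def connection_window(conns, current, window_conns=100):
    """The last window_conns connections up to and including current."""
    idx = conns.index(current)
    return conns[max(0, idx + 1 - window_conns):idx + 1]

def same_host_count(window, current):
    """KDD 'count': connections to the same destination host as current."""
    return sum(1 for c in window if c[1] == current[1])

def same_service_count(window, current):
    """KDD 'srv_count': connections to the same service as current."""
    return sum(1 for c in window if c[2] == current[2])

def features_for(conns, current):
    """(time count, time srv_count, connection count, connection srv_count)."""
    tw = time_window(conns, current)
    cw = connection_window(conns, current)
    return (same_host_count(tw, current), same_service_count(tw, current),
            same_host_count(cw, current), same_service_count(cw, current))

def build_trace(probe_interval_sec, probe_count, background_per_sec=0.5):
    """Constructed trace: a port scan hits 10.0.0.5 every probe_interval_sec on
    a new port, while background clients keep talking HTTP to 10.0.0.9."""
    probes = [(i * probe_interval_sec, "10.0.0.5", f"port{i}")
              for i in range(probe_count)]
    duration = probe_interval_sec * (probe_count - 1)
    background = [(t / background_per_sec, "10.0.0.9", "http")
                  for t in range(int(duration * background_per_sec) + 1)]
    return sorted(probes + background, key=lambda c: c[0])  # stable sort

def last_probe_features(probe_interval_sec, probe_count):
    """Feature tuple for the final probe of a scan with the given pacing."""
    trace = build_trace(probe_interval_sec, probe_count)
    last_probe = max((c for c in trace if c[1] == "10.0.0.5"), key=lambda c: c[0])
    return features_for(trace, last_probe)
```

A fast scan (one probe every 0.5 s) is visible in both windows, while the slow scan (one per minute) has a time-based count of 1 but still accumulates in the 100-connection window.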

SYSTEM ARCHITECTURE

The overview of our proposed DoS attack detection system architecture is given in this section, where the system framework and the sample-by-sample detection mechanism are discussed.



FRAMEWORK

In Step 1, basic features are generated from ingress network traffic to the internal network where the protected servers reside, and are used to form traffic records for a well-defined time interval. Monitoring and analyzing at the destination network reduces the overhead of detecting malicious activities by concentrating only on relevant inbound traffic. Step 2 is Multivariate Correlation Analysis, in which the "Triangle Area Map Generation" module is applied to extract the correlations between each pair of distinct features within each traffic record coming from the first step, or within the traffic record normalized by the "Feature Normalization" module in this step (Step 2). The occurrence of network intrusions causes changes to these correlations, so the changes can be used as indicators to identify the intrusive activities. In Step 3, the anomaly-based detection mechanism is adopted in Decision Making. It facilitates the detection of any DoS attack without requiring any attack-relevant knowledge. Furthermore, the labor-intensive attack analysis and the frequent updates of the attack signature database required by misuse-based detection are avoided.

MULTIVARIATE CORRELATION ANALYSIS

This approach is similar to the mean and standard deviation model, except that it is based on correlations among two or more metrics. Such a model is useful if experimental data show that better discriminating power can be obtained from combinations of related measures rather than from each measure individually, e.g. CPU time and I/O units used by a program, or login frequency and session elapsed time (which may be inversely related). The behavior of network traffic is reflected in its statistical properties, and DoS attack traffic behaves differently from legitimate network traffic. To describe these statistical properties, we present a novel Multivariate Correlation Analysis approach. The MCA approach employs triangle areas to extract the correlative information between the features within an observed data object such as a traffic record. The complete analysis is presented in the following.

Given an arbitrary dataset X of n traffic records, where the i-th record (1 ≤ i ≤ n) is an m-dimensional vector of features, the triangle area is extracted from the geometrical correlation between the j-th and k-th features of a record. Data transformation is involved in obtaining the triangle formed by the two features: the record vector is first projected onto the (j, k)-th two-dimensional Euclidean subspace, where 1 ≤ i ≤ n, 1 ≤ j ≤ m, 1 ≤ k ≤ m and j ≠ k. The projection uses two m-dimensional vectors whose elements are all zeroes except for the j-th element of the first and the k-th element of the second, which are ones.

In the Cartesian coordinate system of the (j, k)-th two-dimensional Euclidean subspace, the triangle formed by the origin and the projected points on the j-axis and the k-axis has area T, defined as follows, with the two non-zero coordinates being the projected points on the j-axis and the k-axis:

T = ( || ( , 0) − (0, 0) || × || (0, ) − (0, 0) || ) / 2


where 1 ≤ i ≤ n, 1 ≤ j ≤ m, 1 ≤ k ≤ m and j ≠ k. The triangle areas of all feature pairs of a record form its Triangle Area Map (TAM). When comparing two TAMs, we can recognize that the two images are symmetric: changes in the upper triangle are also found in the lower triangle. Therefore, to compare two TAMs, we choose to investigate only the lower triangles (or only the upper triangles) of the TAMs; this produces the same results as comparing the entire TAMs. For consistency, the lower triangle of the TAM is converted into a new correlation vector whose elements are the lower-triangle areas.

The advantages of the above data analysis are, firstly, that it does not require knowledge of historic traffic to perform the analysis. Secondly, the previously proposed covariance-matrix approach is vulnerable to a linear change of all features, whereas our triangle-area-based MCA withstands this problem. Third, it provides a characterization of individual network traffic records. Fourth, the correlations between distinct pairs of features are revealed through the geometrical correlation analysis.

DETECTION MECHANISM

In this section, a threshold-based anomaly detector is described. Normal profiles are generated from purely legitimate network traffic records and are then used for comparison with newly incoming traffic records under investigation. The dissimilarity between a new incoming traffic record and the respective normal profile is examined by the proposed detector. If the dissimilarity is lower than a predetermined threshold, the record is labelled as legitimate traffic; otherwise it is labelled as an attack. The normal profiles and the thresholds have a direct impact on the performance of a threshold-based detector: a low-quality normal profile causes inaccurate characterization of legitimate network traffic. Therefore, we first apply the triangle-area-based MCA approach proposed in this paper to analyse legitimate network traffic, and the generated TAMs are used to supply quality features for the normal profiles.

NORMAL PROFILE GENERATION

Compared with the Euclidean distance, the Mahalanobis distance (MD) evaluates the distance between two multivariate data objects by taking the correlations between the variables into account and removing the dependency on the scale of measurement in the calculation.

Algorithm for normal profile generation based on triangle-area-based MCA

THRESHOLD SELECTION

The threshold is used to differentiate attack traffic from legitimate traffic:

Threshold = μ + σ · α

ATTACK DETECTION

The algorithm for attack detection, based on the Mahalanobis distance, is as follows.
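As an added example (not code from the paper), this Python script implements the pipeline described in the MCA, normal profile generation, threshold selection and attack detection sections above: TAM generation, the lower-triangle correlation vector, a normal profile built from legitimate records only, and Mahalanobis-distance classification against Threshold = μ + σ·α. It assumes μ and σ are the mean and standard deviation of the legitimate records' distances to the profile, and uses constructed records with KDD-style feature names.

```python
import math

def triangle_area_map(record):
    """TAM of one m-dimensional traffic record: entry (j, k) is the area of the
    triangle formed by the origin and the projections on the j- and k-axes."""
    m = len(record)
    return [[0.0 if j == k else abs(record[j]) * abs(record[k]) / 2.0
             for k in range(m)] for j in range(m)]

def lower_triangle_vector(tam):
    """The TAM is symmetric, so only the lower triangle (j > k) is kept."""
    return [tam[j][k] for j in range(1, len(tam)) for k in range(j)]

def covariance_matrix(vectors, mu):
    n, d = len(vectors), len(mu)
    return [[sum((v[a] - mu[a]) * (v[b] - mu[b]) for v in vectors) / (n - 1)
             for b in range(d)] for a in range(d)]

def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting; fine for small matrices."""
    d = len(matrix)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(d)]
           for i, row in enumerate(matrix)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [x / aug[c][c] for x in aug[c]]
        for r in range(d):
            if r != c:
                f = aug[r][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [row[d:] for row in aug]

def mahalanobis(vec, mu, inv_cov):
    """MD takes feature correlations and scale into account, unlike Euclidean."""
    diff = [x - y for x, y in zip(vec, mu)]
    return math.sqrt(sum(diff[a] * inv_cov[a][b] * diff[b]
                         for a in range(len(diff)) for b in range(len(diff))))

def build_normal_profile(legit_records, alpha=3.0):
    """Profile from legitimate traffic only: mean correlation vector, inverse
    covariance and Threshold = mu + sigma * alpha over the training MDs (assumed)."""
    vecs = [lower_triangle_vector(triangle_area_map(r)) for r in legit_records]
    mu = [sum(v[i] for v in vecs) / len(vecs) for i in range(len(vecs[0]))]
    inv_cov = invert(covariance_matrix(vecs, mu))
    dists = [mahalanobis(v, mu, inv_cov) for v in vecs]
    d_mu = sum(dists) / len(dists)
    d_sigma = math.sqrt(sum((x - d_mu) ** 2 for x in dists) / len(dists))
    return mu, inv_cov, d_mu + d_sigma * alpha

def classify(record, profile):
    """Label a new record by comparing its MD to the profile's threshold."""
    mu, inv_cov, threshold = profile
    md = mahalanobis(lower_triangle_vector(triangle_area_map(record)), mu, inv_cov)
    return ("attack" if md > threshold else "normal"), md

# Constructed records [duration, src_bytes, count] (KDD-style feature names).
LEGIT = [[1.0, 210.0, 8.0], [2.0, 240.0, 11.0], [1.5, 260.0, 9.0], [3.0, 200.0, 12.0],
         [2.5, 230.0, 7.0], [1.2, 250.0, 10.0], [2.8, 215.0, 13.0], [1.8, 245.0, 6.0]]
FLOOD = [0.1, 300.0, 500.0]  # constructed flood-like record: huge 'count'
```

With α = 3 every training record falls under the threshold, while the flood-like record, whose src_bytes × count triangle area is far outside the legitimate correlations, is flagged; `classify(FLOOD, build_normal_profile(LEGIT))` returns the label together with its distance.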

CONCLUSION

Several threshold values were compared. The results reveal that at a certain threshold the server goes into sleep mode for a long period and crashes, so this particular threshold is set as the limit for detecting intrusive traffic. Evaluation has been conducted using the KDD Cup 99 dataset to verify the effectiveness and performance of the proposed DoS attack detection system. The influence of original (non-normalized) and normalized data has been studied in the paper. The results reveal that when working with non-normalized data, our detection system achieves a maximum of 95.20% detection accuracy, although it does not work well in identifying Land, Neptune and Teardrop attack records. This problem, however, can be solved by utilizing a statistical normalization technique to eliminate the bias from the data. The results of the evaluation with normalized data show a more encouraging detection accuracy of 99.95% and nearly 100.00% detection rates (DRs) for the various DoS attacks. Besides, the comparison results show that our detection system outperforms two state-of-the-art approaches in terms of detection accuracy. Moreover, the computational complexity and the time cost of the proposed detection system have been analyzed and shown in Section 6. The proposed system achieves equal or better performance in comparison with the two state-of-the-art approaches. As future work, we will further test our DoS attack detection system using real-world data and employ more sophisticated classification techniques to further reduce the false positive rate.

REFERENCES

[1] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-time," Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. García-Teodoro, Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges," Computers & Security, vol. 28, pp. 18-28, 2009.
[3] D. E. Denning, "An Intrusion-detection Model," IEEE Transactions on Software Engineering, pp. 222-232, 1987.
[4] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, "DDoS attack detection method using cluster analysis," Expert Systems with Applications, vol., no. 3, pp. 1659-1665, 2008.
[5] A. Tajbakhsh, Rahmati, and A. Mirzaei, "Intrusion detection using fuzzy association rules," Applied Soft Computing, vol. 9, no. 2, pp. 462-469, 2009.
[6] J. Yu, Lee, M.-S. Kim, and D. Park, "Traffic flooding attack detection with SNMP MIB using SVM," Computer Communications, vol. 31, pp. 4212-4219, 2008.
[7] W. Hu and S. Maybank, "AdaBoost-Based Algorithm for Network Intrusion Detection," IEEE Transactions on Systems, Man, and Cybernetics, Part B, vol. 38, no. 2, pp. 577-583, 2008.
[8] C. Yu, H. Kai, and K. Wei-Shinn, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE Transactions on Parallel and Distributed Systems, vol. 18, pp. 1649-1662, 2007.
[9] G. Thatte, U. Mitra, and J. Heidemann, "Parametric Methods for Anomaly Detection in Aggregate Traffic," IEEE/ACM Transactions on Networking, no. 2, pp. 512-525, 2011.
[10] S. T. Sarasamma, Q. A. Zhu, and J. Huff, "Hierarchical Kohonen Net for Anomaly Detection in Network Security," IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, vol. 35, pp. 302-312, 2005.
[11] S. Yu, W. Zhou, W. Jian, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient," IEEE Transactions on Parallel and Distributed Systems, vol. 23, pp. 1073-1080, 2012.
[12] S. Jin, D. Yeung, and X. Wang, "Network Intrusion Detection in Covariance Feature Space," Pattern Recognition, vol. 40, pp. 2185-2197, 2007.
[13] C. F. Tsai and Y. Lin, "A Triangle Area Based Nearest Neighbors Approach to Intrusion Detection," Pattern Recognition, vol. 43, pp. 222-229, 2010.
[14] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R. P. Liu, "RePIDS: A multi-tier Real-time Payload-based Intrusion Detection System," Computer Networks, vol. 57, pp. 811-824, 2013.
[15] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis," Neural Information Processing, 2011, pp. 756-765.
[16] Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection," The 2012 IEEE 11th International Conference on Trust, Security and
[17] S. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P. K. Chan, "Cost-based modeling for fraud and intrusion detection: results from the JAM project," The DARPA Information Survivability Conference and Exposition 2000 (DISCEX '00), vol. 2, pp. 130-144, 2000.
[18] V. Moustakides, "Quickest detection of abrupt changes for a class of random processes," IEEE Transactions on Information Theory, vol. 44, pp. 1965-1968, 1998.
[19] A. Cardenas, S. Baras, and V. Ramezani, "Distributed change detection for worms, DDoS and other network attacks," The American Control Conference, vol. 2, pp. 1008-1013, 2004.
[20] W. Wang, X. Zhang, S. Gombault, and S. J. Knapskog, "Attribute Normalization in Network Intrusion Detection," The 10th International Symposium on Pervasive Systems, Algorithms, and Networks (ISPAN), 2009, pp. 448-453.
[21] M. Tavallaee, Bagheri, L. Wei, and A. A. Ghorbani, "A Detailed Analysis of the KDD Cup 99 Data Set," The Second IEEE International Conference on Computational Intelligence for Security and Defense Applications, 2009, pp. 1-6.
[22] D. E. Knuth, The Art of Computer Programming, vol. I: Fundamental Algorithms, Addison-Wesley, 1973.

