Computer Networks 48 (2005) 235–245 www.elsevier.com/locate/comnet

Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features

Dimitris Gavrilis, Evangelos Dermatas *

Department of Electrical Engineering and Computer Technology, University of Patras, Kato Kastritsi, 26500 Patras, Greece

Received 17 July 2003; received in revised form 12 April 2004; accepted 6 August 2004. Available online 21 December 2004. Responsible Editor: Z.-L. Zhang

Abstract

In this paper we present and evaluate a Radial-basis-function neural network detector for Distributed-Denial-of-Service (DDoS) attacks in public networks, based on statistical features estimated in a short-time window analysis of the incoming data packets. A small number of statistical descriptors is used to describe the behaviour of DDoS attacks, and an accurate classification is achieved using Radial-basis-function neural networks (RBF-NN). The proposed method is evaluated in a simulated public network and showed a detection rate better than 98% of DDoS attacks using only three statistical features estimated from one window of data packets of 6 s length. The same type of experiments was carried out on a real network, giving significantly better results: a 100% DDoS detection rate is achieved together with a 0% false alarm rate, using different statistical descriptors and training conditions for the RBF-NN. © 2004 Elsevier B.V. All rights reserved.

Keywords: Intrusion detection; Denial-of-service attacks; RBF networks; Neural networks; Computer security

1. Introduction

In recent years there has been a sudden increase of network-based intrusion and Distributed Denial of Service (DDoS) attacks. Especially after the year 2000 the problem has grown enormously, increasing the costs of losses to billions of US dollars. Major commercial web sites have been disabled for several hours due to such attacks. DDoS attacks usually do not take advantage of some security flaw; instead they make legitimate use of a service until all the resources that this service uses are exhausted [14]. The attacker increases the number of network processes requiring significant computer resources: CPU load, memory, disk space, and network bandwidth. This characteristic of those attacks makes them difficult to detect, especially in large commercial networks such as yahoo.com or amazon.com, which serve hundreds or maybe thousands of users per minute. When the flow of packets on a network suddenly increases we cannot be certain whether it is because a DDoS attack is in progress or because too many users happen to use that service at that time [16]. Commercial DDoS detection systems [13,16–19] have high false-alarm rates, producing hundreds of false alarms per day, because it is often difficult to select manually the identification conditions for a great number of attacks and their variants [17–19,2].

* Corresponding author. Tel.: +30 261 099 6476. E-mail addresses: [email protected] (D. Gavrilis), [email protected] (E. Dermatas).

1389-1286/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2004.08.014

1.1. Network-based intrusion and DDoS attacks

A great number of methods for recognizing intrusion and DDoS attacks have already been presented [4–25]. In [4], the Articon-Integralis group discusses the specification and test process of Intrusion Detection Systems and proposes a detailed topology, machines and attack scenarios that were used to make the assessment. The Network Intrusion Detection System technology is described in [5], comparing the two most popular methods: pattern searching and protocol analysis. Protocol analysis can usually detect the true signature of the intrusion when it is hidden in the protocol; in this case most of the pattern-search methods fail to detect the intrusion. A common protocol analysis is based on a decision tree. The computational effort of the tree search increases significantly in case of intrusion or DDoS attacks, so the Network Intrusion Detection System would overload and eventually shut down. An intrusion detection approach has been proposed by Me [6] based on predefined attack scenarios and using a genetic algorithm. Taking into account that pattern-searching methods are NP-complete problems, a genetic algorithm is used to reduce the computations in 'the security audit trail analysis problem'. The experimental evaluation showed successful detection of the attacks after 20 generations, giving a detection rate of 99% after 100 generations. If the number of attacks coded in the Attacks–Events matrix grows, the final generation number has to increase to keep the detection quality at the same level.

In [1], Mell et al. describe an intrusion detection system (IDS) made resistant to flooding DoS attacks using a combination of techniques: the critical IDS components are made invisible to the attacker, and the critical IDS components are made adaptive to flooding DoS attacks. The authors do not prevent an attacker from launching attacks but instead make the significant targets invisible, which forces the attacker to fire blindly.

Recently, neural network architectures for intrusion detection have been proposed [12,20,22,21]. A backpropagation neural network (multilayer perceptron) has been presented by Ryan et al. [3]. The neural network is trained to identify users based on what commands they use during a day. In a system of 10 users and a dataset collected for 12 days, the neural network was 96% accurate in detecting anomalous behaviour, with a false alarm rate of 7%. In [7] an adaptive intrusion detection system for TCP/IP networks based on neural networks is described. The training process is based on previous well-known intrusion profiles, and the adaptation capability is realized by re-training the neural network using new profiles. The system is based on the fact that an intrusion can be detected from an analysis of predetermined models for both normal and intrusion actions. The best performance of approximately 95% has been achieved using a two-hidden-layer perceptron neural network (20-5-1 neurons per layer) trained by the error backpropagation algorithm.

The well-known K-nearest neighbor classifier (KNNC) has been evaluated in [8] to categorize a process into the normal or the intrusive class using the system calls over each program execution. The computational load of the KNNC is partially faced by processing the restricted set of system calls (less than 100 in DARPA BSM data), while a typical pattern-searching intrusion detection system at shell level could have over 15,000 unique words. The KNNC calculates the similarity between the new process and each training process instance using the assumption that the processes belonging to the same class will cluster together in the vector space. The KNNC is applied to the 1998 DARPA data. The audit data were collected on a traffic simulator of an Air Force Local Area Network. The system is extensively evaluated, giving an excellent detection rate. When the number of simultaneous processes increases, the detector is computationally expensive for real-time implementation on some computers.

On the same dataset (1998 DARPA) a statistical traffic model for detecting novel attacks has been presented in [15]. The model's effectiveness in discriminating normal connections from DoS attacks is quantified by plotting the Receiver Operating Characteristic curves. The Kolmogorov–Smirnov test is used as a classifier between the normal and the attack conditions by processing the statistical differences of the number of bytes from the responder and the byte ratio responder–originator. Recently, Streilein et al. [21] presented neural network classifiers based on the multilayer perceptron for accurate detection of several classes of attacks, including stealthy probes and novel DDoS attacks. The neural-based detection system achieves a recognition rate of 100% with a false alarm rate of 0.1% when tested against stealthy attacks in the DARPA 1999 IDS Evaluation data. From the original extended set of features, the authors eliminate the least effective ones, proposing a minimal set of only five features.

1.2. The DDoS attacks

As reported in [23], where a structural approach to DDoS attacks and the defense mechanisms can be found, DDoS attacks can be classified into five categories. The most important are the TCP flooding, UDP flooding, ICMP flooding and Smurf attacks. The first three attempt to flood a network with TCP [10,11], UDP and ICMP traffic respectively, so as to exhaust the network's or the server's resources. The latter works in a different manner and does not pose a threat when certain modifications are made in the network's devices. The DoS attacks performed using ICMP messages usually succeed because the victim host does not maintain enough information on the message communication [9]. However, with the appropriate modifications, they can be prevented.
The most important work is concentrated on the first type of attack, because TCP is the most widely used protocol and WWW is the most widely used service on the Internet. The same mechanism can be applied successfully to both the UDP and the ICMP protocols. In a great number of Internet sites, DDoS attack tools are available. After an analysis of the available tools that perform DDoS attacks, it is found that a DDoS attack has the following characteristics:

(a) The source IP of the packets is set randomly.
(b) The source and the destination port of the packets are set randomly.
(c) Some of the flags (URG, ACK), fragmentation, TCP options, TTL and the client's SEQ number are assigned by a pseudorandom generator.

In most tools, multiple instances of the application (usually residing on multiple machines) communicate with each other and coordinate during the attack. The packets can be sent to the target(s) in bursts or in a continuous flow.

2. System innovations

Every robust DDoS detection system must satisfy some important specifications:

(a) very high detection rates with minimal false alarm rates,
(b) real-time detection with low memory and CPU-time requirements,
(c) invariance to evolutionary trends in DDoS attacks, network topology and the variations of the normal data-exchange rates,
(d) minimum interference of the DDoS detector with the traffic.

In the direction of building efficient DDoS detectors, we present a system providing a number of important innovations:

(a) A small and robust set of normalized statistical features is used for monitoring the statistical properties of the data exchange packets in the network. The computationally efficient feature set is used to distinguish in real time, over very short time intervals, the normal network traffic from the suddenly increased packet flow of a DDoS attack.
(b) The feature space presents reduced variance across different DDoS attacks, giving very high detection rates which are almost independent of the DDoS implementation details.
(c) Even in the case of very fast networks, an accurate estimation of the statistical features can be obtained by processing a subset of the packets transferred on the network.
(d) Even in the case of a complex distribution of the feature vector, the effective Radial-Basis-Function neural network (RBF-NN) is used to recognize DDoS attacks from the normal traffic. The well-developed theoretical analysis of the RBF-NN [24] introduces a number of significant advantages over multilayer perceptrons. The RBF-NN detector is a two-layer neural network. In the first (hidden) layer the neurons implement a radial function, while the output neurons implement a weighted sum of the hidden neuron outputs. The excellent approximation properties of the RBF-NN allow for complex non-linear mappings by modifying only the number of hidden neurons, which simplifies the computational complexity in both the activation and the training process. Moreover, much faster learning rates and smaller approximation errors, with an extremely low probability of converging to local minima, have been measured in a great number of applications.

3. System description

The system consists of three sequentially connected modules.

Data collector. A sniffer captures the following data fields for each packet: Source Port, SEQ number of the client, Window size, and the Syn, Ack, Fin, Psh, Urg, Rst flags. The timestamp for each packet is also recorded in order to group the packets into overlapping timeframes. The numbers of distinct Source Ports and Window size values are estimated for each timeframe. The SEQ number is a 32-bit random number produced by the client as an identification for a certain TCP connection. The estimation of the distinct SEQ numbers requires significant memory space and computing power. Experimental results showed that, although the SEQ number varies across clients, the upper 16 bits are adequate for estimating the SEQ number feature. The upper 16 bits can store the necessary information in an array 65,535 bytes long. The statistics gathered for each timeframe are the frequencies of occurrence of each of the following six flags being set: Syn, Ack, Fin, Psh, Urg, Rst. In extended experiments it has been found that these flags contain significant information related to the presence of a DDoS attack. The Source IP Address is not used in the recognition process, even though it provides significant information, because it requires a substantial amount of computing power to store the individual addresses. Additionally, it was decided not to use the packet length information because it would make the DDoS detector system service specific (e.g. only for www). In the same experiments it is shown that other data transferred by the TCP/IP packets, such as the Time-to-Live field, do not contain information related to the presence of a DDoS attack.

Features estimator. The frequency of the flags and the number of distinct values for the Source Port, SEQ number and Window size are estimated for each timeframe. The statistical features of each timeframe for the six flags are the probabilities of each flag being set. For the SEQ number, the Window Size and the Source Port, the number of distinct values is divided by the total number of packets in the timeframe.

DDoS detector. The nine-feature vector is used to activate a two-output RBF network at each timeframe. The most active output neuron detects the presence of a DDoS attack or characterizes the timeframe as normal traffic. In the experiments it is shown that a small number of hidden neurons can be used to achieve high detection rates of DDoS attacks. Moreover, the RBF-NN classification capabilities are studied using an extremely small input vector containing only three features.
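As an added illustration of the data collector and features estimator (not code from the paper), the following Python groups constructed packet records into overlapping timeframes and computes the nine normalized features described above; the packet layout, the function names, the constructed normal and flood traffic, and the reading of the paper's overlap as the window advance `step` are all assumptions.

```python
from collections import Counter
import random

FLAGS = ("syn", "ack", "fin", "psh", "urg", "rst")

def packet(ts, sport, seq, win, *flags):
    """One captured-packet record with the fields the data collector keeps."""
    return {"ts": ts, "sport": sport, "seq": seq, "win": win, "flags": frozenset(flags)}

def timeframes(packets, size, step):
    """Group time-sorted packets into overlapping windows `size` seconds long,
    advancing the window start by `step` seconds (assumed to be the overlap step)."""
    if not packets:
        return []
    frames, start, last = [], packets[0]["ts"], packets[-1]["ts"]
    while start <= last:
        frame = [p for p in packets if start <= p["ts"] < start + size]
        if frame:                      # an empty window carries no statistics
            frames.append(frame)
        start += step
    return frames

def features(frame):
    """Nine normalised features of one timeframe, in the order of Section 3:
    P(flag set) for Syn, Ack, Fin, Psh, Urg, Rst, then the number of distinct
    source ports, distinct SEQ upper-16-bit values and distinct window sizes,
    each divided by the number of packets in the frame."""
    n = len(frame)
    counts = Counter(f for p in frame for f in p["flags"])
    vec = [counts[f] / n for f in FLAGS]
    vec.append(len({p["sport"] for p in frame}) / n)
    vec.append(len({p["seq"] >> 16 for p in frame}) / n)   # upper 16 bits only
    vec.append(len({p["win"] for p in frame}) / n)
    return vec

def normal_traffic(t0, clients, pkts_per_client, seed):
    """Constructed normal www traffic: every client keeps one source port and one
    SEQ for its connection, sends a SYN once and then ACK/PSH data packets."""
    rng, pkts = random.Random(seed), []
    for c in range(clients):
        sport, seq, t = 40000 + c, rng.getrandbits(32), t0 + rng.random()
        pkts.append(packet(t, sport, seq, 65535, "syn"))
        for i in range(1, pkts_per_client):
            flags = ("ack", "psh") if i % 2 else ("ack",)
            pkts.append(packet(t + 0.1 * i, sport, (seq + 100 * i) & 0xFFFFFFFF,
                               65535, *flags))
    return pkts

def flood_traffic(t0, count, seed):
    """Constructed SYN flood with the tool behaviour listed in Section 1.2: random
    source port, random SEQ number and window size, SYN flag only."""
    rng = random.Random(seed)
    return [packet(t0 + rng.random(), rng.randrange(1024, 65536), rng.getrandbits(32),
                   rng.choice((1024, 4096, 65535)), "syn") for _ in range(count)]

def demo(size=6, step=1):
    """Feature vectors of every frame of a capture in which the flood starts 10 s in."""
    packets = sorted(normal_traffic(0.0, 20, 10, seed=7) + flood_traffic(10.0, 500, seed=8),
                     key=lambda p: p["ts"])
    return [features(f) for f in timeframes(packets, size, step)]

if __name__ == "__main__":
    for vec in demo():
        print(["%.2f" % v for v in vec])
```

In the printed frames the SYN probability and the distinct-port and distinct-SEQ ratios jump from a few percent in the normal frames to about 1.0 once the flood dominates a window.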

4. The RBF-NN training process

The gathered data were used to create two different training scenarios. In the first scenario the DDoS detector is trained using normal www and pure DDoS traffic. In the second scenario the pure DDoS traffic was replaced by the data collected when the DDoS hits the server which serves the normal traffic. In both training scenarios different normal and combined traffic is used to estimate the RBF-NN efficiency, as shown in Fig. 1. The network's efficiency was measured for different numbers of hidden neurons, ranging from 1 to 20. A mixture of Gaussian functions was used as the RBF's non-linear function. The mean and variance of each Gaussian function were estimated using the K-means clustering algorithm [24]. It is well known that the initial centers of K-means significantly influence the quality of the training process. A good selection of the initial centers led to significantly better classification rates for different network topologies. Therefore, the K-means centers which minimize the quantization error on the training data are selected from a set of multiple local-minimum sets of centers. Multiple local-minimum solutions are created by applying the K-means algorithm with different initializations. During the center re-estimation process of the K-means algorithm the variance of some flags was zero (e.g. RST, URG flags) or very close to zero. In this case, the algorithm fails to continue or converges to an extremely bad local minimum, decreasing significantly the classification efficiency of the RBF-NN. To overcome this problem, a minimum value for the estimated variance was experimentally derived, giving significantly better classification rates.

Fig. 1. Time frames and a DDoS attack in the bold line: normal traffic (0), DDoS and normal traffic (1).
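The following added example (not the authors' implementation) trains a two-output RBF-NN the way this section describes: K-means centres chosen from several initialisations by minimum quantisation error, Gaussian widths clipped to a minimum variance, and least-squares output weights; the constructed nine-feature timeframes, the floor value 0.05, the ridge term and all function names are assumptions, and `floor_needed` reproduces the zero-variance failure the text mentions.

```python
import math
import random

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def assign(points, centres):
    """Index of the nearest centre for every point."""
    return [min(range(len(centres)), key=lambda j: sqdist(p, centres[j])) for p in points]

def kmeans(points, k, rng, iters=25):
    """Lloyd's K-means from one random initialisation -> (centres, quantisation error)."""
    centres = rng.sample(points, k)
    for _ in range(iters):
        labels = assign(points, centres)
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:
                centres[j] = [sum(p[d] for p in members) / len(members)
                              for d in range(len(members[0]))]
    labels = assign(points, centres)
    return centres, sum(sqdist(p, centres[l]) for p, l in zip(points, labels))

def best_centres(points, k, rng, restarts=8):
    """Section 4: run K-means from several initialisations, keep the lowest-error set."""
    return min((kmeans(points, k, rng) for _ in range(restarts)), key=lambda r: r[1])[0]

def diag_variances(points, centres, floor):
    """Per-centre, per-feature variance of the assigned points, clipped below by `floor`.
    Flags never set inside a cluster (URG, RST here) have exactly zero variance."""
    labels = assign(points, centres)
    var = []
    for j, c in enumerate(centres):
        members = [p for p, l in zip(points, labels) if l == j] or [c]
        var.append([max(floor, sum((p[d] - c[d]) ** 2 for p in members) / len(members))
                    for d in range(len(c))])
    return var

def hidden(x, centres, var):
    """Gaussian RBF activations of the hidden layer plus a constant bias unit."""
    return [math.exp(-0.5 * sum((x[d] - c[d]) ** 2 / v[d] for d in range(len(x))))
            for c, v in zip(centres, var)] + [1.0]

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting; solves a X = b for small systems."""
    n = len(a)
    m = [row + rhs for row, rhs in zip(a, b)]
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(m[r][i]))
        m[i], m[piv] = m[piv], m[i]
        m[i] = [x / m[i][i] for x in m[i]]
        for r in range(n):
            if r != i:
                m[r] = [x - m[r][i] * y for x, y in zip(m[r], m[i])]
    return [row[n:] for row in m]

def train_output(H, T, ridge=1e-3):
    """Output weights by regularised least squares: (H'H + ridge I) W = H'T."""
    n, k = len(H[0]), len(T[0])
    hth = [[sum(h[i] * h[j] for h in H) + (ridge if i == j else 0.0) for j in range(n)]
           for i in range(n)]
    htt = [[sum(h[i] * t[o] for h, t in zip(H, T)) for o in range(k)] for i in range(n)]
    return solve(hth, htt)

def train_rbf(X, y, k, seed=0, var_floor=0.05):
    """Two-output RBF-NN; the variance floor 0.05 is a constructed choice, not the paper's."""
    centres = best_centres(X, k, random.Random(seed))
    var = diag_variances(X, centres, var_floor)
    H = [hidden(x, centres, var) for x in X]
    T = [[1.0, 0.0] if label == 0 else [0.0, 1.0] for label in y]
    return centres, var, train_output(H, T)

def classify(model, x):
    """The most active output neuron decides: 0 = normal traffic, 1 = DDoS attack."""
    centres, var, W = model
    h = hidden(x, centres, var)
    out = [sum(h[i] * W[i][o] for i in range(len(h))) for o in range(2)]
    return 0 if out[0] >= out[1] else 1

# Constructed nine-feature timeframes in the order of Section 3 (six flag probabilities,
# then distinct ports, SEQ upper-16 and windows over N); not measured data. URG and RST
# are never set, so their variance inside every cluster is exactly zero.
NORMAL = [0.10, 0.90, 0.05, 0.40, 0.0, 0.0, 0.10, 0.12, 0.01]
ATTACK = [1.00, 0.00, 0.00, 0.00, 0.0, 0.0, 0.98, 0.97, 0.01]

def constructed_frames(seed, n_each=30):
    rng, X, y = random.Random(seed), [], []
    for base, label in ((NORMAL, 0), (ATTACK, 1)):
        for _ in range(n_each):
            X.append([0.0 if b == 0.0 else min(1.0, max(0.0, b + rng.gauss(0, 0.02)))
                      for b in base])
            y.append(label)
    return X, y

def floor_needed(seed=3):
    """Failure mode: with no floor the zero-variance features give 0/0 in the Gaussian."""
    try:
        train_rbf(*constructed_frames(seed), 4, seed, var_floor=0.0)
    except ZeroDivisionError:
        return True
    return False
```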

5. Experimental evaluation

The evaluation process is divided into three steps. In the first step the packets are captured from the network using a Linux-based sniffer placed on a monitoring host, which is based on the popular libpcap library; while in capture mode a filter was used to monitor traffic for the www service only. In the second step, the captured packets for some scenario are grouped into timeframes and the statistical features for each timeframe and overlap-time size are produced. The data were grouped into 18 different timeframes ranging from 5 to 18 s, with an overlap time from 1 to 6 s. In the final step, the feature data were used to train and evaluate the RBF-NN. The DDoS attack was carried out using the program Tribe Flood Network (TFN2k). The sniffer recorded an actual attack, normal www requests only, and traffic generated only by the TFN2k program. It is possible that the sniffer could "miss" some packets, especially when the packet rate is very high. The missing data do not influence the system's performance due to the statistical nature of the features.

5.1. The features set

Two different feature sets were used to evaluate the RBF-NN detection efficiency, depending on the number of features used to build the input vector. In many cases the original set of 9 statistical features surpassed 98% correct classification. During the experiments it was also noticed that many of the fields of the input vector, such as the Time-to-Live, the Window Size and some of the Flags, did not contain sufficient information to contribute to the DDoS detection process. This, along with the excellent system performance, led to an evaluation using the reduced input vector of 3 features (Source Port, SEQ number, Syn flag). This set of features can be estimated in real time using conventional low-cost computing systems. We considered those three features to be the most important, except for the Source IP Address, which we did not use in order to keep the computing resources of the RBF-NN-based DDoS detection system at a minimum in both computational complexity and memory requirements. The correct classification rate was in most cases almost as high as the 9-feature rate. This figure verified the initial assumptions about the nature of the input fields.


5.2. The experiments

The proposed RBF-NN detector was trained and evaluated in two experiments. In the first experiment, a 100 Mbps network was set up and the Web Application Stress Tool from Microsoft Corp. was used to simulate the clients. An entire web site was mirrored on the test server and actual users surfed the site. The users' responses, the pages they surfed, the delay time between hits etc. are recorded and saved as user profiles using the Web Application Stress Tool (a tool that sends HTTP requests to a web server using actual profiles). The SEQ numbers and the Source Ports for a recorded session did not correspond to the real ones because they were produced by the same client machine (which simulated thousands of different clients). In order to overcome this problem, the distinct TCP sessions are recognised and the SEQ and Source Port numbers are modified according to the protocol rules. While parsing the file containing the captured packets, each distinct connection is recognised using the information provided by the source port and the client's SEQ number. After a connection has been found, a random number is generated which replaces the client's SEQ number. The new SEQ number is modified in the same way as the old one during the data exchange between the client and the server, thus following the TCP/IP protocol rules. Several experiments were conducted, producing normal www traffic of 1 min total length, DDoS traffic of 1 min total length and combined traffic of 3 min total length.

In the second experiment, a DDoS attack was launched on the main web server of the University of Patras central library. This is probably the web server with the most hits in the university, as it serves over 25,000 users. The recorded packets for the normal traffic were 78,361 (60 min duration), for the DDoS attack 73,677 (1 min duration) and for the combined traffic 822,655 (6 min duration). During the combined traffic experiment, in the first 3 min there was normal traffic and after the 3rd minute the attack started.

6. Experimental results on the simulated network

The RBF-NN has a better classification rate in the first experiment when the second training scenario (Sen2) is used to estimate the NN synaptic weights than with the first training scenario (Sen1), as shown in Figs. 2 and 3, where the correct classification rate for both feature sets (9in: original feature vector; 3in: reduced feature vector) is plotted for different timeframe sizes. These results are typical in pattern recognition experiments, where the second training scenario describes the pattern distribution in the feature space better than the training data of the first scenario. In the second scenario simultaneous normal traffic and a DDoS attack are recorded: the training and the evaluation data describe the same type of traffic. In the case where the overlap time was 2 s (Fig. 2) and the RBF-NN is trained with the second dataset, an almost 20% better classification rate is obtained with respect to the rate obtained by the RBF-NN trained on the first dataset. In addition, a comparison between the two figures showed better classification rates when the overlap step is set to 1 s, giving the best results when the RBF-NN is trained on the second dataset.

In both training datasets, the 3-feature RBF-NN is expected to behave worse than the RBF-NN processing the 9-feature vector. However, the experimental results (Figs. 2 and 3) showed a better classification rate for the 3-feature vector. This unexpected behaviour is caused by the insufficient number of training examples. In regression problems where a great number of unknown parameters are met, the size of the training data must be increased enormously to obtain sufficient generalization capabilities. In the case of the 9-feature input vector, the number of training examples is insufficient to embody generalization capabilities in the synaptic weights.

As the timeframe increases, the correct classification rate is expected to improve. In general, that is the case in most of the experiments using the training data derived from the first scenario (Fig. 4). Classification rates better than 94% were achieved using the complete set of features and timeframe sizes greater than 10 s. A totally different figure is met in the case where the RBF-NN is trained using the second scenario training data (Fig. 5). Generally, the correct classification rate decreases when the timeframe size increases. The best classification rate of 99% was achieved using a 6 s timeframe and the original 9-feature vector. A small timeframe is preferable in applications because the features estimation module is faster. Generally, it is easier to obtain the first scenario dataset because the only required information is normal and pure DDoS traffic data, while in the case of the second scenario a combined traffic signature is needed. The best correct classification rate of 94.5% was achieved using the first scenario data, the original feature vector consisting of 9 components, a 12 s timeframe and a 1 s overlap step. Under the same conditions, the DDoS detection rate was 91.8% when the 3-feature vector is used. In the second scenario the best correct identification rate was 98.97% (6 s timeframe and 1 s step) for both feature vectors. In any case, the correct classification rate did not fall under 92% (16 s timeframe and 2 s step). In Fig. 6 the correct classification rate versus the number of RBF weights is shown. The numbers of RBF weights that are capable of producing correct classification rates of more than 99% vary from 70 to 90 and refer to an RBF-NN trained with the second scenario data. The DDoS detection errors occurred only at the timeframes where the attack begins or at the timeframes where the attack ends (Fig. 1, timeframes no. 5, 43, 75). In these timeframes transition phenomena distort the statistical features. In timeframes 5 and 75 the DDoS starts to hit the network, while in those timeframes some DDoS packets remain in the traffic.

Fig. 2. Correct classification rate for the simulated network and 2 s overlapping step.

Fig. 3. Correct classification rate for the simulated network and 1 s overlapping step.

Fig. 4. Correct classification rate for the simulated network using the first training scenario.

7. Experimental results on the real network

In the case of the real network (second experiment), the results are surprisingly better. The identification rate of the RBF-NN was 100% when the number of hidden neurons is greater than 3, as shown in Fig. 6 (D1: simulated and D2: real network). The results show that in the worst case, when the RBF-NN is trained using the first scenario data, the correct identification was better than 98%. If the RBF-NN is trained using the second scenario data, the correct identification rate was 100% for all timeframes and overlapping steps.

Fig. 5. Correct classification rate for the simulated network using the second training scenario.

8. DDoS detection on the UDP protocol

While all our experiments so far are concerned with the TCP/IP protocol, the same recognition mechanism should also detect DDoS attacks on the UDP protocol. To evaluate the DDoS detector, preliminary experiments were carried out using the RBF-NN and only two features: the Source Port and the Time-to-Live, which are both used in the UDP protocol. An RBF-NN with 3 to 20 hidden neurons was trained using 186 examples, and the detector was evaluated using a different set of 195 examples, established on the simulated network. The correct classification rate in all experiments was better than 83.59%, reaching its maximum (87.69%) when 8 hidden neurons were used. The experimental results were almost as good as with the TCP protocol, but with a slightly smaller efficiency.

9. Conclusions

DDoS attacks are becoming one of the Internet's most critical problems. With the Internet's speeds increasing, lighter and more efficient detection systems become necessary. It is shown that the proposed method can successfully identify known DDoS attacks with very high detection rates. It can be easily implemented and integrated into any network because it is a passive monitoring system requiring very few computing resources, since it uses statistical features. Today, the most widely used method for preventing Denial of Service attacks is to block all

packets that don't belong to an established connection when a DDoS attack has been recognized. This procedure takes place within a time frame where the DDoS detector monitors the network by allowing all packets to pass. If a DDoS is detected, all packets that don't belong to an established connection are blocked. Thus, the proposed method can be easily integrated with existing technologies to prevent such attacks. A most challenging task is to effectively block a DDoS attack without interfering with normal traffic. The task of selectively blocking packets that are presumed to belong to an attack session is extremely difficult and has never been attempted. Also, the use of more advanced DDoS tools than those that exist today must be considered. Another method of preventing an attack is to search for patterns in the network packets when a DDoS attack has been recognized and then to block the packets that follow a specific statistical pattern. This can be successfully implemented if we assume known DDoS attacks. Each of those tools has a specific signature that allows it to be detected. However, someone could write a new tool that follows a different pattern. In such a case, if a DDoS detector isolates the DDoS packets, the development of automatic blocking methods for the DDoS packets can be used to eliminate the influence of the DDoS attacks, especially in large networks.

Fig. 6. Correct classification rate versus the number of weights for the best timeframe configuration, the simulated (D1) and the real (D2) network.

References

[1] P. Mell, D. Marks, M. McLarnon, A denial-of-service, Computer Networks 34 (2000) 641–658.
[2] T. Ptacek, T. Newsham, Insertion, Evasion, and Denial-of-Service: Eluding Network Intrusion Detection, Secure Networks Inc., 1998.
[3] J. Ryan, M. Lin, R. Miikkulainen, Intrusion detection with neural networks, in: Advances in Neural Information Processing Systems, vol. 10, MIT Press, Cambridge, MA, 1998.
[4] R. Barder, The evolution of intrusion detection systems—the next step, Computers & Security 20 (1) (2001) 132–145.

[5] R. Graham, NIDS-pattern search vs. protocol decode, Computers & Security 20 (1) (2001) 37–41.
[6] L. Me, GASSATA, a genetic algorithm as an alternative tool for security audit trails analysis, in: First International Workshop on the Recent Advances in Intrusion Detection, Belgium, 1998.
[7] J. Bonifacio, A. Casian, CPLF de A. Carvalho, E. Moreira, Neural networks applied in intrusion detection systems, in: Proceedings of the World Congress on Computational Intelligence—WCCI, Anchorage, USA, 1998, pp. 205–210.
[8] Y. Liao, R. Vemuri, Use of K-nearest neighbor classifier for intrusion detection, Computers & Security 21 (5) (2001) 439–448.
[9] M. Baltatu, A. Lioy, F. Maino, D. Mazzocchi, Security issues in control, management and routing protocols, Computer Networks 34 (2000) 881–894.
[10] Y.W. Chen, Study on the prevention of SYN flooding by using traffic policing, in: IEEE Symposium on Network Operations and Management, 2000, pp. 593–604.
[11] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, Analysis of a denial-of-service attack on TCP, in: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, USA, 1997, pp. 208–223.
[12] R. Lippmann, R. Cunningham, Improving intrusion detection performance using keyword selection and neural networks, Computer Networks 34 (2000) 596–603.
[13] W. Schwartau, Surviving denial-of-service, Computers & Security 18 (2) (1999) 124–133.
[14] F. Lau, S. Rubin, M. Smith, L. Trajkovic, Distributed denial-of-service attacks, in: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, vol. 3, 2000, pp. 2275–2280.
[15] J. Cabrera, B. Ravichandran, R. Mehra, Statistical traffic modeling for network intrusion detection, in: IEEE International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, 2000, pp. 466–473.
[16] D. Cox, K. McClanahan, Method for blocking denial of service and address spoofing attacks on a private network, Patent WO9948303, Cisco Tech Ind (US), 1999.
[17] K. Narayanaswamy, T. Ross, B. Spinney, M. Paquette, C. Wright, System and process for defending against denial of service attacks on network nodes, Patent WO0219661, Top Layer Networks Inc. (US), 2002.
[18] R. Maher, V. Bennett, Method for preventing denial of service attacks, Patent WO0203084, Netrake Corp (US), 2002.
[19] J. Belissent, Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests, Patent WO0201834, Sun Microsystems Inc. (US), 2002.
[20] A. Bivens, C. Palagiri, R. Smith, B. Szymanski, M. Embrechts, Network-based intrusion detection using neural networks, in: Artificial Neural Networks in Engineering, St. Louis, Missouri, November 10–13, 2002.
[21] W. Streilein, R.K. Cunningham, S.E. Webster, Improved detection of low-profile probe and novel denial-of-service attacks, in: Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Baltimore, Maryland, June 2002, pp. 11–13.
[22] H. Debar, M. Baker, D. Siboni, A neural network component for an intrusion detection system, in: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1992.
[23] C. Douligeris, A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks 44 (5) (2004) 643–666.
[24] S. Haykin, Neural Networks: A Comprehensive Foundation, Prentice Hall, Upper Saddle River, NJ, 1994.

Dimitris Gavrilis received the Diploma in Electrical Engineering from the University of Patras in 2002. He is currently a Ph.D. candidate in the Department of Electrical and Computer Engineering of the University of Patras. His research interest areas include computer security, intrusion detection, pattern recognition and information extraction.

Evangelos Dermatas is Assistant Professor at the Department of Electrical and Computer Engineering of the University of Patras, Patras, Hellas. He received his Diploma and Ph.D. degrees from the Department of Electrical Engineering of the University of Patras, Patras, Hellas in 1985 and 1991 respectively. His research interest areas include: statistical signal processing, pattern recognition, computer security and information extraction.
