Identifying DOS attacks using data pattern analysis

During a denial of service attack, it is difficult for a firewall to differentiate legitimate packets from rogue packets, particularly in large networks carrying substantial levels of traffic. Large networks commonly use network intrusion detection systems to identify such attacks; however, new viruses and worms can escape detection until their signatures are known and classified as an attack. Commonly used IDSs are rule-based and static, and produce a high number of false positive alerts. The aim of this research was to determine if it is possible for a firewall to self-learn by analysing its own traffic patterns. Statistical analyses of firewall logs for a large network were carried out and a baseline determined. Estimated traffic levels were projected using linear regression and Holt-Winters methods for comparison with the baseline. Rejected traffic falling outside the projected level for the network under study could indicate an attack. The results of the research were positive, with variance from the projected rejected packet levels successfully indicating an attack in the test network.
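The following is an added worked example of the approach the abstract describes, not code from the paper or its authors. It builds a baseline from constructed hourly rejected-packet counts (a diurnal cycle with slow drift and deterministic jitter), projects the next day with both a linear regression on daily means and an additive Holt-Winters model, and flags hours whose observed rejected count lies outside a tolerance band around the projection. The smoothing parameters, the 25 % minimum band and the 3-sigma rule are assumptions chosen for illustration, not values from the paper.

```python
"""Added example: baseline a firewall's hourly rejected-packet counts, project
the next day with linear regression and additive Holt-Winters, and flag hours
whose observed rejections exceed the projection by more than a tolerance band.
All traffic numbers are constructed; the thresholds are assumptions."""
import math

PERIOD = 24           # hourly counts, one day of seasonality
BAND_FRACTION = 0.25  # assumed minimum tolerance: 25 % above the projection
K_SIGMA = 3.0         # assumed: or 3 standard deviations of held-out residuals


def constructed_series(days, amplitude=8.0):
    """Constructed rejected-packet counts: diurnal cycle, slow upward drift and
    deterministic jitter (no randomness, so results are reproducible)."""
    series = []
    for t in range(days * PERIOD):
        diurnal = 200 + 150 * math.sin(2 * math.pi * (t % PERIOD) / PERIOD)
        drift = 0.5 * t
        jitter = amplitude * math.sin(0.37 * t)
        series.append(diurnal + drift + jitter)
    return series


def linear_projection(values, horizon):
    """Ordinary least squares fit v = a + b*t, projected `horizon` steps ahead."""
    n = len(values)
    t_mean = (n - 1) / 2
    v_mean = sum(values) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    b = sum((t - t_mean) * (values[t] - v_mean) for t in range(n)) / sxx
    a = v_mean - b * t_mean
    return [a + b * (n + h) for h in range(horizon)]


def holt_winters_forecast(y, horizon, period=PERIOD, alpha=0.3, beta=0.05, gamma=0.3):
    """Additive Holt-Winters (level + trend + seasonal) forecast `horizon` steps
    past the end of y. Needs at least two full periods for initialisation."""
    first = sum(y[:period]) / period
    second = sum(y[period:2 * period]) / period
    level, trend = first, (second - first) / period
    seasonal = [y[i] - first for i in range(period)]
    for t, obs in enumerate(y):
        s = seasonal[t % period]
        new_level = alpha * (obs - s) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[t % period] = gamma * (obs - new_level) + (1 - gamma) * s
        level = new_level
    n = len(y)
    return [level + (h + 1) * trend + seasonal[(n + h) % period] for h in range(horizon)]


def residual_sigma(baseline, period=PERIOD):
    """Calibrate the band on the baseline itself: hold out its last day,
    forecast that day from the earlier days and take the residual std-dev."""
    held = baseline[-period:]
    forecast = holt_winters_forecast(baseline[:-period], period, period)
    resid = [o - f for o, f in zip(held, forecast)]
    mean = sum(resid) / len(resid)
    return math.sqrt(sum((r - mean) ** 2 for r in resid) / len(resid))


def flag_hours(baseline, observed):
    """Hours of `observed` whose rejected count exceeds the Holt-Winters
    projection by more than max(K_SIGMA * sigma, BAND_FRACTION * projection)."""
    sigma = residual_sigma(baseline)
    projected = holt_winters_forecast(baseline, len(observed))
    return [h for h, (o, p) in enumerate(zip(observed, projected))
            if o > p + max(K_SIGMA * sigma, BAND_FRACTION * p)]


def daily_mean_check(baseline, observed, period=PERIOD):
    """Coarser check with linear regression on daily means: project the next
    day's mean rejected count and compare it with the observed day's mean."""
    means = [sum(baseline[i:i + period]) / period
             for i in range(0, len(baseline) - len(baseline) % period, period)]
    projected = linear_projection(means, 1)[0]
    observed_mean = sum(observed) / len(observed)
    return projected, observed_mean, observed_mean > projected * (1 + BAND_FRACTION)


def run_demo():
    """Seven baseline days, then an eighth day with a constructed burst of
    rejected packets at hours 10-12 (four times the expected count)."""
    series = constructed_series(8)
    baseline, observed = series[:7 * PERIOD], series[7 * PERIOD:]
    for h in (10, 11, 12):
        observed[h] *= 4
    return {"hourly_flags": flag_hours(baseline, observed),
            "daily": daily_mean_check(baseline, observed)}


if __name__ == "__main__":
    result = run_demo()
    print("hours outside the projected band:", result["hourly_flags"])
    proj, obs, flagged = result["daily"]
    print(f"daily mean projected {proj:.1f}, observed {obs:.1f}, alert={flagged}")
```

The regression is run on daily means rather than raw hourly counts on purpose: fitting a straight line to a strongly seasonal hourly series biases the slope, whereas daily means remove the diurnal cycle and leave only the drift. The Holt-Winters model carries the seasonality itself, so it is the one used for the hourly comparison; the tolerance band is calibrated on a held-out baseline day so that the firewall's own normal variability, not a fixed rule, sets the alert threshold.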
