Detecting cyber-attacks using a CRPS-based monitoring approach

Cyber-attacks can seriously compromise the security of computers and network systems, so an efficient anomaly detection mechanism is crucial for information protection and cyber security. To detect TCP SYN flood attacks accurately, this paper designs two statistical monitoring schemes based on the continuous ranked probability score (CRPS), a metric that measures the discrepancy between a reference probability distribution (here, that of attack-free traffic) and an observed value. Specifically, by combining the CRPS measure with two conventional control charts, the Shewhart chart and the exponentially weighted moving average (EWMA) chart, two anomaly detection strategies are developed: CRPS-Shewhart and CRPS-EWMA. The efficiency of the proposed methods is verified using the 1999 DARPA intrusion detection evaluation datasets.
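The following is an added, self-contained illustration of the CRPS-Shewhart and CRPS-EWMA idea described in the abstract; it is not the paper's own code, and its specific choices are assumptions: a Gaussian reference distribution fitted to attack-free SYN-per-second counts, the closed-form CRPS for a Gaussian, a three-sigma Shewhart limit on the CRPS, an EWMA with weight 0.3 and the exact time-varying EWMA limit, and a constructed traffic series (not DARPA data) with a flood injected at a known point.

```python
import math
import statistics

# --- CRPS for a Gaussian reference distribution ------------------------------

def norm_pdf(z):
    """Standard normal density."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)

def norm_cdf(z):
    """Standard normal distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def crps_gaussian(x, mu, sigma):
    """CRPS between the reference N(mu, sigma^2) and the single observation x.

    Closed form: sigma * [z(2*Phi(z) - 1) + 2*phi(z) - 1/sqrt(pi)], z = (x - mu)/sigma.
    It is non-negative and grows roughly like |x - mu| once the observation
    leaves the bulk of the reference distribution.
    """
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    z = (x - mu) / sigma
    return sigma * (z * (2.0 * norm_cdf(z) - 1.0) + 2.0 * norm_pdf(z) - 1.0 / math.sqrt(math.pi))

# --- constructed traffic: SYN segments per second (not real capture data) ----

def syn_counts(n, base=40, attack=None):
    """Attack-free traffic is `base` plus a deterministic jitter in [-5, 5].

    attack=(start, length, extra) adds `extra` SYNs/s over that window,
    standing in for a flood of half-open connection attempts.
    """
    series = []
    for i in range(n):
        v = base + ((7 * i) % 11) - 5          # 7 is coprime to 11: jitter cycles over -5..5
        if attack is not None and attack[0] <= i < attack[0] + attack[1]:
            v += attack[2]
        series.append(v)
    return series

# --- phase I: fit the reference traffic and the in-control CRPS statistics ---

def train_monitor(train, lam=0.3, L=3.0):
    """Fit N(mu, sigma^2) to attack-free counts; summarise the resulting CRPS values."""
    mu = statistics.fmean(train)
    sigma = statistics.pstdev(train)
    scores = [crps_gaussian(x, mu, sigma) for x in train]
    return {
        "mu": mu, "sigma": sigma,
        "crps_mean": statistics.fmean(scores),
        "crps_std": statistics.pstdev(scores),
        "lam": lam,   # EWMA smoothing weight (assumed value)
        "L": L,       # control-limit width in standard deviations (assumed value)
    }

# --- phase II: CRPS-Shewhart and CRPS-EWMA charts ----------------------------

def monitor(model, observed):
    """Return one record per sample: (t, x, crps, shewhart_alarm, ewma_alarm).

    Only upper control limits are used: CRPS is non-negative and a flood can
    only push it upward, so a lower limit would add nothing here.
    """
    m, s, lam, L = model["crps_mean"], model["crps_std"], model["lam"], model["L"]
    ucl_shewhart = m + L * s
    z = m                                   # EWMA state starts at the in-control mean
    records = []
    for t, x in enumerate(observed, start=1):
        c = crps_gaussian(x, model["mu"], model["sigma"])
        z = lam * c + (1.0 - lam) * z
        # exact (time-varying) EWMA limit; converges to m + L*s*sqrt(lam/(2-lam))
        width = math.sqrt(lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * t)))
        ucl_ewma = m + L * s * width
        records.append((t, x, c, c > ucl_shewhart, z > ucl_ewma))
    return records

if __name__ == "__main__":
    model = train_monitor(syn_counts(110))                 # 110 attack-free seconds
    recs = monitor(model, syn_counts(60, attack=(30, 20, 400)))  # flood in seconds 30..49
    for t, x, c, shew, ewma in recs:
        if shew or ewma:
            print(f"t={t:3d} syn/s={x:4d} crps={c:7.2f} shewhart={shew} ewma={ewma}")
```

Two behaviours are worth noticing when this runs. Both charts raise on the first flood second, because a 400 SYN/s jump yields a CRPS two orders of magnitude above the in-control limit. After the flood stops, the Shewhart chart clears on the next sample while the EWMA chart keeps alarming for a dozen or so seconds as its smoothed statistic decays; that memory is what lets an EWMA accumulate evidence of small sustained shifts, and it is also why its alarms should be read together with the raw count. The Gaussian reference is a modelling assumption: real SYN rates are bursty and diurnal, so in practice the phase I window must cover representative attack-free traffic and be refreshed as the baseline drifts.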
