Denial of Service Attack Detection using Multivariate Correlation Analysis

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are a common and severe problem for network security researchers and practitioners. Attackers often use sophisticated attack tools to generate attack traffic that behaves similarly to normal network traffic, and many intrusion detection systems fail to detect such anomalous packets in real time. In this paper, we use a Multivariate Correlation Analysis (MCA) approach to distinguish attack traffic from normal traffic. This statistical measure is used to analyze the behavior of network traffic for attack detection. Since DDoS attack traffic behaves differently from legitimate network traffic, the statistical properties of various traffic parameters reflect that changed behavior. We extract three basic parameters of network traffic, viz., entropy of source IPs, variation of source IPs and packet rate, and use them to analyze the behavior of network traffic during attack detection. The method is validated using several benchmark datasets.
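The following is an added illustration, not code from the paper: it computes the three features named in the abstract per traffic window and scores each window against a profile of normal windows using a Mahalanobis distance over the features' covariance, one simple way to make the comparison correlation-aware. "Variation of source IPs" is assumed here to mean the number of distinct sources, the 3.0 cut-off is an assumed value, and the traffic windows are constructed samples.

```python
import math
from collections import Counter

# Constructed one-second windows of packet source IPs (not real captures):
# five normal windows with a spread of clients, then a flood from three sources.
NORMAL = [["10.0.0.%d" % i for i in ids] for ids in (
    (1, 2, 3, 4, 5, 6, 7, 1, 2), (1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2),
    (1, 2, 3, 4, 5, 6, 1, 2, 3, 4), (1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4),
    (1, 2, 3, 4, 5, 1, 2, 3))]
FLOOD = ["192.0.2.%d" % (i % 3 + 1) for i in range(60)]

def window_features(src_ips, seconds):
    """Per-window features: entropy of source IPs (bits), variation of source
    IPs (assumed here to mean distinct sources) and packet rate (pkt/s)."""
    counts = Counter(src_ips)
    total = len(src_ips)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return [entropy, len(counts), total / seconds]

def solve(a, b):
    """Solve a.x = b for square a by Gauss-Jordan elimination with pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(n):
            if r != c:
                m[r] = [rv - m[r][c] * cv for rv, cv in zip(m[r], m[c])]
    return [m[i][n] for i in range(n)]
def normal_profile(windows, seconds):
    """Mean vector and sample covariance of the features over normal windows."""
    rows = [window_features(w, seconds) for w in windows]
    n, p = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(p)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            + (1e-9 if i == j else 0.0)  # tiny ridge keeps it invertible
            for j in range(p)] for i in range(p)]
    return mu, cov

def mahalanobis(x, mu, cov):
    d = [xi - mi for xi, mi in zip(x, mu)]
    return math.sqrt(sum(di * yi for di, yi in zip(d, solve(cov, d))))
def detect(baseline, windows, seconds=1.0, threshold=3.0):
    """Flag windows far from the normal profile; 3.0 is an assumed cut-off."""
    mu, cov = normal_profile(baseline, seconds)
    return [mahalanobis(window_features(w, seconds), mu, cov) > threshold
            for w in windows]
```

Because the distance accounts for how the three features co-vary in normal traffic, a window whose low source entropy and high packet rate occur together is separated from the profile far more strongly than either feature would indicate on its own.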
