Detection of DOS Flooding Attacks with an Improved Growing Hierarchical SOM

In this paper, an improved growing hierarchical self-organizing map (IGHSOM) approach based on growing self-organizing mapping (GSOM) is proposed to detect the DOS flooding attacks. The IGHSOM is a layered architecture, which can be extended from both horizontal and vertical, and utilized to represent the topological relation of data space and the hierarchical relation of data. Compared with the traditional growing hierarchical self-organizing mapping (GHSOM) approach, which has the potential disadvantage of inaccurate mapping of data topological relationships on DOS flooding attack detection, the proposed scheme can accurately represent the topological relationship of data space, increase the DOS detection rate and then reduce the false alarm rate. Through the numerical experiments on KDD data, the results show that the proposed IGHSOM approach can achieve better performance than traditional GHSOM in terms of DOS flooding attack detection, and can further improve the detection rate and reduce the false positive rate. Introduction A denial of service attack is an attack that a user occupies a large number of shared resources, leaving the system with no remaining resources for other users. In recent years, DOS flooding attacks are on the rise, and solving DOS flooding attacks becomes a top priority for network security. Many scholars and research institutions have focused on SOM-based DOS flooding attacks detection [1]-[2]. The growing hierarchical self-organizing map (GHSOM) is a typical SOM model, which is used to detect DOS flooding attacks [3]. The GHSOM is a dynamic architecture, which is proposed for the SOM static architecture. The architecture of the GHSOM model is composed of several SOMs arranged in layers, where the whole architecture (number of layers, maps, and neurons) is established during the training process depending on the input data and mirroring their inherent structure [4]. But the GHSOM expands the rules of neurons in the horizontal direction, which generates redundant neurons, bring computational burden, and in return affect the accuracy for data clustering. This paper describes a modified version of the GHSOM algorithm, which is an improved growth hierarchical self-organizing map (IGHSOM). The IGHSOM is hierarchical architecture, which expands neurons horizontally and vertically. Implementing neuron expansion in the horizontal direction using a special GSOM principle [5]. The main contributions of this paper are worth emphasizing as follows: • Firstly, we proposed an improved growing hierarchical SOM(IGHSOM) based on a special GSOM to implement DOS flooding attacks detection. The IGHSOM can fully express the topological relationship between data to reduce the false positives rate and reduces the computational burden; • Secondly, we use the open source datasets to evaluate the performance of the proposed method to show its high accuracy and adaptability. 2019 5th International Conference on Education, Management and Information Technology (ICEMIT 2019) Copyright © (2019) Francis Academic Press, UK DOI: 10.25236/icemit.2019.049 310 The remaining parts of the paper are organized as follow: Section II briefly reviews the related work. The details of the special GSOM and IGHSOM algorithms are described in Section III. Section IV reviews the evaluation methodology. Section V presents the experimental results of IGHSOM and traditional GHSOM in network DOS flooding attack detection. Section VI will present the conclusions and possible future aspects of this work.