Decentralized detection of network attacks through P2P data clustering of SNMP data

Abstract

The goal of Network Intrusion Detection Systems (NIDSs) is to protect against attacks by inspecting network traffic packets, for instance by looking for anomalies and for signatures of known attacks. This paper illustrates an approach to attack detection that analyzes only the standard statistics automatically generated by the Simple Network Management Protocol (SNMP), using unsupervised distributed data mining algorithms. We describe the design of a decentralized system composed of a peer-to-peer network of monitoring stations: each station continuously gathers SNMP statistical observations about the network traffic and runs a distributed data clustering algorithm in cooperation with the other stations. This progressively leads to the construction of a traffic model capable of detecting ongoing attacks in later observations, including potentially previously unknown attacks. To estimate the accuracy of the described system, we performed a large number of distributed data clustering runs on data sets of SNMP observations generated from real traffic.
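The abstract describes stations that each keep their own SNMP observations, build a shared traffic model through distributed clustering, and then score later observations against that model. The Python below is an added illustration, not the paper's algorithm or code: it assumes a simplified distributed k-means in which stations exchange only per-cluster sums, counts and radii, and uses constructed observation vectors over four MIB-II counters chosen for the example.

```python
import random
from math import dist
# One observation = counter deltas over one SNMP polling interval, ordered
# (ifInOctets, ifInUcastPkts, tcpInSegs, udpInDatagrams). Data is constructed.
random.seed(7)
def normal_sample():            # benign interval: ~150 packets, mostly TCP
    pkts = random.gauss(150, 15)
    return (pkts * random.gauss(130, 10), pkts, pkts * 0.8, pkts * 0.2)
def flood_sample():             # UDP flood interval: many tiny datagrams
    pkts = random.gauss(9000, 400)
    return (pkts * 64.0, pkts, 40.0, pkts - 40.0)
# Three hypothetical monitoring stations; each holds only what it gathered.
PEERS = [[normal_sample() for _ in range(60)] for _ in range(3)]
PEERS[2] += [flood_sample() for _ in range(5)]      # station 2 saw a flood

def local_stats(points, cents):
    """Per-station step: per-cluster (sum, count, max distance) of its own
    points. Only these summaries are shared; raw observations stay local."""
    k, d = len(cents), len(cents[0])
    sums, counts, radii = [[0.0] * d for _ in range(k)], [0] * k, [0.0] * k
    for p in points:
        i = min(range(k), key=lambda j: dist(p, cents[j]))
        sums[i] = [s + x for s, x in zip(sums[i], p)]
        counts[i] += 1
        radii[i] = max(radii[i], dist(p, cents[i]))
    return sums, counts, radii

def p2p_kmeans(peers, k=2, rounds=10):
    """Decentralized k-means over the stations' summaries (features unscaled)."""
    cents = [peers[i % len(peers)][0] for i in range(k)]    # seed points
    for _ in range(rounds):
        stats = [local_stats(pts, cents) for pts in peers]
        counts = [sum(s[1][i] for s in stats) for i in range(k)]
        radii = [max(s[2][i] for s in stats) for i in range(k)]
        cents = [tuple(v / counts[i] for v in map(sum, zip(*(s[0][i] for s in stats))))
                 if counts[i] else cents[i] for i in range(k)]
    return {"centroids": cents, "counts": counts, "radii": radii}

def classify(obs, model, minority=0.1, slack=1.5):
    """Far from every centroid = previously unseen anomaly; inside a small
    cluster = a pattern that was already rare during training; else normal."""
    cents = model["centroids"]
    i = min(range(len(cents)), key=lambda j: dist(obs, cents[j]))
    if dist(obs, cents[i]) > slack * model["radii"][i]:
        return "unknown-anomaly"
    if model["counts"][i] < minority * sum(model["counts"]):
        return "known-attack"
    return "normal"

MODEL = p2p_kmeans(PEERS)
```

Because the octet counter dominates the Euclidean distance, real MIB counters should be scaled before clustering; the thresholds `minority` and `slack` are illustrative choices, not values from the paper.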
