Two-Tier GCT Based Approach for Attack Detection

The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing new techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks and to take action to weaken those attacks appropriately before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, which is based on two-tier GCT by analyzing causal relationship between attacking variable at the attacker and abnormal variable at the target. According to the abnormal behavior at the target, GCT is executed initially to determine preliminary attacking variable, which has whole causality with abnormal variable in network behavior. Depending on behavior feature extracted from abnormal behavior, we can recognize attacking variable by using GCT again, which has local causality with abnormal variable in local behavior. Proactive detecting rules can be constructed with the causality between attacking variable and abnormal variable, which can be used to give alarms in network management system. The results of experiment showed that the approach with two-tier GCT was proved to detect attacks early, with which attack propagation could be slowed through early detection.

[1]  A.L. Narasimha Reddy,et al.  Mitigation of DoS attacks through QoS regulation , 2002, IEEE 2002 Tenth IEEE International Workshop on Quality of Service (Cat. No.02EX564).

[2]  In-Koo Kim Analyzing network traces to identify long-term high rate flows , 2001 .

[3]  A. L. Narasimha Reddy,et al.  Identifying Long-Term High-Bandwidth Flows at a Router , 2001, HiPC.

[4]  Jelena Mirkovic,et al.  Attacking DDoS at the source , 2002, 10th IEEE International Conference on Network Protocols, 2002. Proceedings..

[5]  Deying Tong,et al.  QoS enhancement with partial state , 1999, 1999 Seventh International Workshop on Quality of Service. IWQoS'99. (Cat. No.98EX354).

[6]  John S. Heidemann,et al.  A framework for classifying denial of service attacks , 2003, SIGCOMM '03.

[7]  A. L. Narasimha Reddy,et al.  Statistical techniques for detecting traffic anomalies through packet header data , 2008, TNET.

[8]  Wang Sheng Application research based on Granger causality test for attack detection , 2005 .

[9]  Yao Zhi-qiang A method to stabilize network traffic , 2004 .

[10]  Fan Zhang,et al.  An approach to on-line predictive detection , 2000, Proceedings 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (Cat. No.PR00728).

[11]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[12]  Paul J Criscuolo,et al.  Distributed Denial of Service: Trin00, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht CIAC-2319 , 2000 .

[13]  Wenke Lee,et al.  Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study , 2001, 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings. Integrated Network Management VII. Integrated Management Strategies for the New Millennium (Cat. No.01EX470).

[14]  H. T. Kung,et al.  Use of spectral analysis in defense against DoS attacks , 2002, Global Telecommunications Conference, 2002. GLOBECOM '02. IEEE.

[15]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[16]  David Plonka,et al.  FlowScan: A Network Traffic Flow Reporting and Visualization Tool , 2000, LISA.

[17]  Christophe Diot,et al.  Diagnosing network-wide traffic anomalies , 2004, SIGCOMM.

[18]  Cristian Estan,et al.  New directions in traffic measurement and accounting , 2001, IMW '01.

[19]  Anja Feldmann,et al.  Dynamics of IP traffic: a study of the role of variability and the impact of control , 1999, SIGCOMM '99.

[20]  Paul Barford,et al.  A signal analysis of network traffic anomalies , 2002, IMW '02.

[21]  Christophe Diot,et al.  Traffic matrix estimation: existing techniques and new directions , 2002, SIGCOMM 2002.

[22]  Marina Thottan,et al.  Anomaly detection in IP networks , 2003, IEEE Trans. Signal Process..

[23]  Ratul Mahajan,et al.  Controlling high bandwidth aggregates in the network , 2002, CCRV.

[24]  Aleksandar Kuzmanovic,et al.  Low-rate TCP-targeted denial of service attacks and counter strategies , 2003, IEEE/ACM Transactions on Networking.

[25]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[26]  Scott Shenker,et al.  On the characteristics and origins of internet flow rates , 2002, SIGCOMM.

[27]  Sally Floyd,et al.  Pushback Messages for Controlling Aggregates in the Network , 2001 .

[28]  Jonathan D. Cryer,et al.  Time Series Analysis , 1986 .

[29]  P. J. Criscuolo Distributed Denial of Service Tools, Trin00, Tribe Flood Network, Tribe Flood Network 2000 and Stacheldraht. , 2000 .