An Effective Network Intrusion Detection Using Hellinger Distance-Based Monitoring Mechanism

This paper proposes an intrusion detection scheme for detecting Denial of Service (DOS) and Distributed DOS (DDOS) attacks. We use the Hellinger distance (HD), an effective measure of the similarity between two probability distributions, to detect the presence of potential malicious attackers. Specifically, we apply an HD-based anomaly detection mechanism to detect SYN and ICMPv6-based DOS/DDOS attacks, where a Shewhart control chart is applied to the HD statistic to set the detection threshold. The proposed mechanism is evaluated on the DARPA99 and ICMPv6 traffic datasets. Results indicate that it achieves reliable detection of DOS/DDOS flooding attacks.
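The following is an added illustration of the monitoring mechanism the abstract describes, written for this page and not taken from the paper or its authors. It builds a reference distribution of packet categories from attack-free windows, scores each new window by its Hellinger distance to that reference, and raises an alarm when the score exceeds a Shewhart upper control limit (mean plus three sample standard deviations of the training scores). The category names, window sizes and counts are constructed sample data, not DARPA99 or ICMPv6 traces; the same functions apply unchanged to ICMPv6 message-type histograms, since categories are arbitrary labels.

```python
import math
from typing import Dict, List, Sequence, Tuple

Counts = Dict[str, int]          # packet category -> count in one time window
Distribution = Dict[str, float]  # packet category -> probability


def to_distribution(counts: Counts) -> Distribution:
    """Normalise a window's per-category packet counts into probabilities."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {k: v / total for k, v in counts.items()}


def hellinger_distance(p: Distribution, q: Distribution) -> float:
    """H(p, q) = sqrt( 1/2 * sum_k (sqrt(p_k) - sqrt(q_k))^2 ).
    0 for identical distributions, 1 for disjoint support."""
    keys = set(p) | set(q)
    acc = sum((math.sqrt(p.get(k, 0.0)) - math.sqrt(q.get(k, 0.0))) ** 2 for k in keys)
    return math.sqrt(acc / 2.0)


def aggregate_counts(windows: Sequence[Counts]) -> Counts:
    """Pool several attack-free windows into one reference histogram."""
    pooled: Counts = {}
    for w in windows:
        for k, v in w.items():
            pooled[k] = pooled.get(k, 0) + v
    return pooled


def shewhart_upper_limit(scores: Sequence[float], k: float = 3.0) -> float:
    """Shewhart chart upper control limit: mean + k * sample std dev."""
    n = len(scores)
    mean = sum(scores) / n
    var = sum((s - mean) ** 2 for s in scores) / (n - 1) if n > 1 else 0.0
    return mean + k * math.sqrt(var)


def build_detector(training_windows: Sequence[Counts], k: float = 3.0) -> Tuple[Distribution, float]:
    """Return (reference distribution, UCL) learned from attack-free windows."""
    reference = to_distribution(aggregate_counts(training_windows))
    training_scores = [hellinger_distance(to_distribution(w), reference) for w in training_windows]
    return reference, shewhart_upper_limit(training_scores, k)


def monitor(windows: Sequence[Counts], reference: Distribution, ucl: float) -> List[Tuple[float, bool]]:
    """Score each window against the reference; True marks an alarm (HD > UCL)."""
    results: List[Tuple[float, bool]] = []
    for w in windows:
        hd = hellinger_distance(to_distribution(w), reference)
        results.append((hd, hd > ucl))
    return results


# Constructed sample data (not real traffic): per-window TCP flag histograms.
TRAINING_WINDOWS: List[Counts] = [
    {"SYN": 100, "SYN-ACK": 98, "ACK": 102, "OTHER": 300},
    {"SYN": 105, "SYN-ACK": 100, "ACK": 95, "OTHER": 310},
    {"SYN": 95, "SYN-ACK": 97, "ACK": 101, "OTHER": 290},
    {"SYN": 102, "SYN-ACK": 99, "ACK": 100, "OTHER": 305},
    {"SYN": 98, "SYN-ACK": 101, "ACK": 99, "OTHER": 295},
]
TEST_WINDOWS: List[Counts] = [
    {"SYN": 99, "SYN-ACK": 100, "ACK": 98, "OTHER": 303},    # benign window
    {"SYN": 2000, "SYN-ACK": 100, "ACK": 100, "OTHER": 300},  # SYN flood: SYNs without handshakes
]

if __name__ == "__main__":
    ref, ucl = build_detector(TRAINING_WINDOWS)
    print(f"UCL = {ucl:.4f}")
    for (hd, alarm), w in zip(monitor(TEST_WINDOWS, ref, ucl), TEST_WINDOWS):
        print(f"HD = {hd:.4f}  alarm = {alarm}  window = {w}")
```

With only five training windows the control limit is a rough estimate; in practice the reference profile and limit should be learned from a much longer attack-free period and re-estimated as the baseline traffic mix drifts, otherwise ordinary diurnal changes will trip the chart.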
