Minimal Triangle Area Mahalanobis Distance for Stream Homogeneous Group-based DDoS Classification

An Intrusion Detection System (IDS) that implements a group-based classification algorithm theoretically has the benefit of higher accuracy. Unfortunately, the higher accuracy is only achieved if the observed group is homogeneous, i.e. drawn from a single distribution. A recent distributed denial of service (DDoS) attack typically consists of multiple botnets that produce several types of traffic within one attack session. As a result, the accuracy of the IDS decreases as the heterogeneity within the observed group increases. To address this problem, we propose a homogeneous grouping algorithm based on the triangle area Mahalanobis distance to support an IDS that implements group-based data analysis. First, the Mahalanobis distance measurement is used to construct homogeneous groups. Then, the covariance matrix of each homogeneous group is classified using a decision tree classifier. Classification performance was evaluated using the well-known KDDCup 99 dataset. The results show that the use of the homogeneous grouping algorithm improves classification performance for both natural and mixed random DDoS traffic.
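The abstract describes a two-stage pipeline: Mahalanobis-distance grouping of streamed traffic samples into homogeneous groups, followed by classification of each group's covariance matrix. The following Python example, added here and not taken from the paper's own implementation, shows the grouping stage and the covariance-feature extraction on a constructed traffic stream. It assumes a pooled covariance estimated from a baseline window of benign samples for the Mahalanobis metric, a fixed distance threshold for opening a new group, and two hypothetical flow features (packets per second and mean bytes per packet); the triangle-area refinement and the decision tree classifier, which the abstract does not detail, are left out.

```python
import math
from typing import List, Sequence

Vector = Sequence[float]
Matrix = List[List[float]]

# Constructed baseline window of benign flow samples: (packets/s, mean bytes/packet).
# Assumption: this window is homogeneous and is used to estimate the pooled covariance.
BASELINE = [(8, 520), (12, 480), (10, 500), (9, 490), (11, 510)]

# Constructed stream that interleaves benign samples with a tight flood of small packets,
# mimicking the mixed traffic of a multi-botnet DDoS session.
STREAM = [(10, 500), (11, 490), (1000, 60), (9, 510), (1001, 58), (999, 62), (12, 505)]

GROUP_THRESHOLD = 3.0  # assumed cut-off in Mahalanobis units for joining an existing group


def mean_vector(rows: Sequence[Vector]) -> List[float]:
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def covariance_matrix(rows: Sequence[Vector]) -> Matrix:
    """Unbiased sample covariance (divides by n-1); needs at least two rows."""
    n = len(rows)
    mu = mean_vector(rows)
    dim = len(mu)
    cov = [[0.0] * dim for _ in range(dim)]
    for r in rows:
        for i in range(dim):
            for j in range(dim):
                cov[i][j] += (r[i] - mu[i]) * (r[j] - mu[j])
    return [[c / (n - 1) for c in row] for row in cov]


def invert_matrix(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; rejects singular (collinear-feature) matrices."""
    n = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular; features are collinear")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def mahalanobis(x: Vector, mu: Vector, inv_cov: Matrix) -> float:
    """sqrt((x-mu)^T S^-1 (x-mu)) with a precomputed inverse covariance S^-1."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    quad = 0.0
    for i in range(len(diff)):
        for j in range(len(diff)):
            quad += diff[i] * inv_cov[i][j] * diff[j]
    return math.sqrt(max(quad, 0.0))


def group_stream(stream: Sequence[Vector], inv_cov: Matrix, threshold: float) -> List[List[List[float]]]:
    """Single-pass homogeneous grouping: a sample joins the nearest group whose mean lies
    within `threshold` Mahalanobis units, otherwise it opens a new group."""
    groups: List[List[List[float]]] = []
    for x in stream:
        best = None
        for g in groups:
            d = mahalanobis(x, mean_vector(g), inv_cov)
            if d <= threshold and (best is None or d < best[0]):
                best = (d, g)
        if best is None:
            groups.append([list(x)])
        else:
            best[1].append(list(x))
    return groups


def group_features(groups: Sequence[Sequence[Vector]]) -> List[List[float]]:
    """Flatten each group's covariance matrix into the feature vector a classifier would consume.
    Singleton groups have no covariance and are skipped."""
    return [[v for row in covariance_matrix(g) for v in row] for g in groups if len(g) > 1]


def run_demo(stream: Sequence[Vector] = STREAM) -> List[List[List[float]]]:
    inv_cov = invert_matrix(covariance_matrix(BASELINE))
    return group_stream(stream, inv_cov, GROUP_THRESHOLD)


if __name__ == "__main__":
    for idx, g in enumerate(run_demo()):
        print(f"group {idx}: {len(g)} samples, covariance features {group_features([g])[0]}")
```

With the constructed stream the benign and flood samples end up in two separate groups even though they arrive interleaved, so the covariance matrix handed to the classifier describes one traffic type at a time; with a single mixed group the covariance would blend both and blur the signal the paper's classifier relies on.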
