An Online Response System for Anomaly Traffic by Incremental Mining with Genetic Optimization

  • Su, Ming-Yang (Department of Computer Science and Information Engineering, Ming Chuan University)
  • Yeh, Sheng-Cheng (Department of Computer and Communication Engineering, Ming Chuan University)
  • Received : 2008.10.15
  • Accepted : 2010.05.11
  • Published : 2010.08.31

Abstract

A flooding attack, such as a DoS attack or a worm, can be easily created or even downloaded from the Internet, and is thus one of the main threats to servers on the Internet. This paper presents an online, real-time network response system that can determine within a very short time interval whether a LAN is suffering from a flooding attack. The detection engine of the system is based on the incremental mining of fuzzy association rules from network packets, in which the membership functions of the fuzzy variables are optimized by a genetic algorithm. The incremental mining approach makes the system suitable for detecting, and thus responding to, an attack in real time. The system is evaluated on 47 flooding attacks; only one is missed, and no false positives occur. The proposed online system performs anomaly detection, not misuse detection. Moreover, a dynamic firewall-updating mechanism is embedded in the proposed system to drop suspicious connections when necessary.
