An Empirical Comparison Study on Attack Detection Mechanisms Using Data Mining  

Kim, Mi-Hui (Department of Computer Science, Ewha Womans University)
Oh, Ha-Young (Department of Computer Science, Ewha Womans University)
Chae, Ki-Joon (Department of Computer Science, Ewha Womans University)
Abstract
In this paper, we introduce methods for building attack detection models with data mining technologies that can classify the latest attack types and can detect both modifications of existing attacks and novel attacks. We also comparatively evaluate these attack detection models in terms of detection accuracy and detection time. The important factors in building a detection model are the data, the attributes, and the detection algorithm. For data, we used NetFlow data gathered on a real network and, for the large-scale experiment, the KDD Cup 1999 data. For attribute selection, we used a heuristic method and a theoretical method based on a decision tree algorithm. We comparatively evaluate detection models built with a single supervised or unsupervised data mining approach and with a combined supervised data mining approach. As a result, although the combined supervised data mining approach required more modeling time, it achieved a better detection rate. All models built with data mining techniques could detect the attacks within 1 second, so these approaches demonstrate that real-time detection is feasible. Also, our experimental results for anomaly detection showed that our approaches can detect novel attacks, and the SOM model in particular provided additional information about existing attacks that are similar to a novel attack.
Keywords
Attack Detection Mechanism; Data Mining; Empirical Comparison; Detection Rate/Time;
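The abstract names two of the building blocks it compares: decision-tree-based attribute selection over NetFlow data, and the detection rate of the resulting model. The following added example (not code from the paper) ranks flow attributes by the information gain an ID3-style decision tree would use, then scores the detection rate and false-positive rate of a rule on the top attribute. The flow records, the binning of packet rate and packet size, and the attribute names are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed NetFlow-style records for illustration (not the paper's data).
# Numeric fields are already binned into categories, as a decision-tree
# attribute-selection step would discretise them.
# Fields: (proto, dst_port, pkt_rate, pkt_size, label)
FLOWS = [
    ("tcp", 80, "high", "small", "attack"),
    ("tcp", 80, "high", "small", "attack"),
    ("udp", 53, "high", "small", "attack"),
    ("tcp", 443, "high", "small", "attack"),
    ("tcp", 80, "low", "large", "normal"),
    ("tcp", 443, "low", "large", "normal"),
    ("udp", 53, "low", "small", "normal"),
    ("tcp", 22, "high", "small", "normal"),
]
ATTRIBUTES = ("proto", "dst_port", "pkt_rate", "pkt_size")

def entropy(labels):
    """Shannon entropy (bits) of a sequence of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(records, idx):
    """Gain from splitting on attribute column idx, as ID3 scores a split."""
    labels = [r[-1] for r in records]
    groups = {}
    for r in records:
        groups.setdefault(r[idx], []).append(r[-1])
    remainder = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy(labels) - remainder

def rank_attributes(records=FLOWS, names=ATTRIBUTES):
    """Attributes ordered from most to least informative about the attack label."""
    gains = {name: information_gain(records, i) for i, name in enumerate(names)}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

def evaluate_stump(records, idx, attack_value):
    """(detection rate, false-positive rate) of the rule 'attr == attack_value'."""
    tp = sum(1 for r in records if r[-1] == "attack" and r[idx] == attack_value)
    fp = sum(1 for r in records if r[-1] == "normal" and r[idx] == attack_value)
    attacks = sum(1 for r in records if r[-1] == "attack")
    return tp / attacks, fp / (len(records) - attacks)

if __name__ == "__main__":
    for name, gain in rank_attributes():
        print(f"{name:9s} gain={gain:.3f}")
    print("pkt_rate == high rule (detection, false positive):",
          evaluate_stump(FLOWS, ATTRIBUTES.index("pkt_rate"), "high"))
```

On this constructed data the packet-rate bin carries the most information, and a rule on it alone catches every attack flow while flagging one normal flow, which is the accuracy trade-off the paper measures when comparing single and combined models.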