• Title/Summary/Keyword: DoS detection


Traffic Seasonality aware Threshold Adjustment for Effective Source-side DoS Attack Detection

  • Nguyen, Giang-Truong; Nguyen, Van-Quyet; Nguyen, Sinh-Ngoc; Kim, Kyungbaek
    • KSII Transactions on Internet and Information Systems (TIIS) / v.13 no.5 / pp.2651-2673 / 2019
  • In order to detect Denial of Service (DoS) attacks, victim-side detection methods such as the static threshold-based method and the machine learning-based method are popularly used. However, as DoS attacking methods become more sophisticated, these methods reveal some natural disadvantages such as late detection and the difficulty of tracing back attackers. Recently, in order to mitigate these drawbacks, source-side DoS detection methods have been researched. However, the source-side DoS detection methods have limitations if the volume of attack traffic is relatively very small and it is blended into legitimate traffic. Especially with subtle attack traffic, DoS detection methods may suffer from high false positives, considering legitimate traffic as attack traffic. In this paper, we propose an effective source-side DoS detection method with a traffic seasonality aware adaptive threshold. The threshold for detecting a DoS attack is adjusted adaptively to the fluctuating legitimate traffic in order to detect subtle attack traffic. Moreover, by understanding the seasonality of legitimate traffic, the threshold can be updated more carefully even when a subtle attack happens, which helps to achieve a low false positive rate. The extensive evaluation with real traffic logs shows that the proposed method achieves a very high detection rate of over 90% with a low false positive rate down to 5%.

A DoS Detection Method Based on Composition Self-Similarity

  • Jian-Qi, Zhu; Feng, Fu; Kim, Chong-Kwon; Ke-Xin, Yin; Yan-Heng, Liu
    • KSII Transactions on Internet and Information Systems (TIIS) / v.6 no.5 / pp.1463-1478 / 2012
  • Based on the theory of local-world networks, the composition self-similarity (CSS) of network traffic is presented for the first time in this paper for the study of DoS detection. We propose the concept of the composition distribution graph and design the related operations. The $(R/S)^d$ algorithm is designed for calculating the Hurst parameter. Based on the composition distribution graph and Kullback-Leibler (KL) divergence, we propose the composition self-similarity anomaly detection (CSSD) method for the detection of DoS attacks. We evaluate the effectiveness of the proposed method. Compared to other entropy-based anomaly detection methods, our method is more accurate and has higher sensitivity in the detection of DoS attacks.

Distributed Denial of Service Defense on Cloud Computing Based on Network Intrusion Detection System: Survey

  • Samkari, Esraa; Alsuwat, Hatim
    • International Journal of Computer Science & Network Security / v.22 no.6 / pp.67-74 / 2022
  • One type of network security breach is the availability breach, which deprives legitimate users of their right to access services. The Denial of Service (DoS) attack is one way to cause this breach, whereas using an Intrusion Detection System (IDS) is the trending way to detect a DoS attack. However, building an IDS has two challenges: reducing false alerts and picking the right dataset to train the IDS model. The survey concluded, in the end, that using a real dataset such as MAWILab or tools like ID2T, which give the researcher the ability to create a custom dataset, may enhance the IDS model's ability to handle network threats, including DoS attacks, in addition to minimizing the false alert rate.

An Adaptive Probe Detection Model using Fuzzy Cognitive Maps

  • Lee, Se-Yul; Kim, Yong-Soo
    • Proceedings of the Korean Institute of Intelligent Systems Conference / 2003.09a / pp.660-663 / 2003
  • Advanced computer network technology enables connectivity of computers through an open network environment. There have been growing numbers of security threats to networks. Therefore, intrusion detection and prevention technologies are required. In this paper, we propose a network-based intrusion detection model using Fuzzy Cognitive Maps (FCM) that can detect intrusion by a Denial of Service (DoS) attack detection method adopting packet analysis. A DoS attack appears in the form of the Probe and Syn Flooding attack, which is a typical example. The Syn flooding Preventer using Fuzzy cognitive maps (SPuF) model captures and analyzes packet information to detect Syn flooding attacks. Using the result of the analysis of the decision module, which utilized FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. The result of simulating the "KDD ′99 Competition Data Set" in the SPuF model shows that the Probe detection rates were over 97 percent.

Performance Analysis of DoS/DDoS Attack Detection Algorithms using Different False Alarm Rates (False Alarm Rate 변화에 따른 DoS/DDoS 탐지 알고리즘의 성능 분석)

  • Jang, Beom-Soo; Lee, Joo-Young; Jung, Jae-Il
    • Journal of the Korea Society for Simulation / v.19 no.4 / pp.139-149 / 2010
  • The Internet was designed for network scalability and best-effort service, which makes all hosts connected to the Internet vulnerable to attack. Many papers have proposed attack detection algorithms against attacks using IP spoofing and DoS/DDoS attacks. The purpose of a DoS/DDoS attack is achieved in a short period after the attack begins. Therefore, DoS/DDoS attacks should be detected as soon as possible. The false alarm rates used by attack detection algorithms consist of the false negative rate and the false positive rate. Moreover, they are important metrics to evaluate attack detection. In this paper, we analyze the performance of attack detection algorithms using the impact of false negative rate and false positive rate variation on normal traffic and attack traffic by simulation. As a result, we find that the number of passed attack packets is proportional to the false negative rate and the number of passed normal packets is inversely proportional to the false positive rate. We also analyze the limits of attack detection due to the relation between the false negative rate and the false positive rate. Finally, we propose a solution to minimize the limits of attack detection algorithms by defining the network state using the ratio between the number of packets classified as attack packets and the number of packets classified as normal packets. We find that the performance of the attack detection algorithm is improved by passing the packets classified as attacks.

Smart Wireless Intrusion Detection System Implementation for SOHO Environment (SOHO환경을 위한 스마트 무선 침입 탐지 시스템 구현)

  • Kim, Cheol-Hong; Jung, Im Y.
    • The Journal of the Korea Contents Association / v.16 no.10 / pp.467-476 / 2016
  • With the development of information technology, the Small Office/Home Office (SOHO) is picking up. SOHO generally uses Wi-Fi. The wireless LAN environment using the 802.11 protocol is easily affected by DoS attacks. To deal with these threats, there is the Wireless Intrusion Detection System (WIDS). However, legacy WIDS products cannot be easily used by SOHO because they are expensive and impose a management burden. In this paper, Smart WIDS for SOHO is proposed and implemented on a Raspberry Pi 2. It also provides an interface for attack detection notices to an Android smartphone. Smart WIDS detects Masquerading DoS and Resource Depletion DoS based on IEEE 802.11, so that we notice attempts at cracking the Pre-shared Key (PSK), Man-In-The-Middle (MITM) attacks, and service failure.

Design of Hybrid Network Probe Intrusion Detector using FCM

  • Kim, Chang-Su; Lee, Se-Yul
    • Journal of Information and Communication Convergence Engineering / v.7 no.1 / pp.7-12 / 2009
  • Advanced computer network and Internet technology enables connectivity of computers through an open network environment. Despite the growing number of security threats to networks, most intrusion detection identifies security attacks mainly by detecting misuse using a set of rules based on past hacking patterns. This pattern matching has a high rate of false positives and cannot detect new hacking patterns, making it vulnerable to previously unidentified attack patterns and variations in attacks and increasing false negatives. Intrusion detection and prevention technologies are thus required. We propose a network-based hybrid Probe Intrusion Detection model using Fuzzy cognitive maps (PIDuF) that detects intrusion by DoS (DDoS and PDoS) attack detection using packet analysis. A DoS attack typically appears as a probe and SYN flooding attack. The SYN flooding detection using the FCM model captures and analyzes packet information to detect SYN flooding attacks. Using the result of the decision module analysis, which used FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance evaluation, the "IDS Evaluation Data Set" created by MIT was used. From the simulation we obtained a max-average true positive rate of 97.064% and a max-average false negative rate of 2.936%. The true positive error rate of PIDuF is similar to Bernhard's true positive error rate.

Design and Implementation of an SNMP-Based Traffic Flooding Attack Detection System (SNMP 기반의 실시간 트래픽 폭주 공격 탐지 시스템 설계 및 구현)

  • Park, Jun-Sang; Kim, Sung-Yun; Park, Dai-Hee; Choi, Mi-Jung; Kim, Myung-Sup
    • The KIPS Transactions: Part C / v.16C no.1 / pp.13-20 / 2009
  • Recently, as traffic flooding attacks such as DoS/DDoS and Internet worms have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most current Intrusion Detection Systems (IDSs) focus on detailed analysis of packet data, which results in late detection and a high system burden when coping with high-speed network traffic. In this paper we propose an SNMP-based lightweight and fast detection algorithm for traffic flooding attacks, which minimizes the processing and network overhead of the detection system, minimizes the detection time, and provides a high detection rate. The attack detection algorithm consists of three consecutive stages. The first stage determines the detection timing using the update interval of the SNMP MIB. The second stage analyzes attack symptoms based on correlations of MIB data. The third stage determines whether an attack occurs or not and figures out the attack type in the case of an attack.

SYN Flood DoS Detection System Using Time Dependent Finite Automata

  • Noura AlDossary; Sarah AlQahtani; Reem Alzaher; Atta-ur-Rahman
    • International Journal of Computer Science & Network Security / v.23 no.6 / pp.147-154 / 2023
  • Network intrusion refers to any unauthorized penetration or activity on a computer network. This upsets the confidentiality, integrity, and availability of the network system. One of the major threats to any system's availability is a Denial-of-Service (DoS) attack, which is intended to deny a legitimate user access to resources. Therefore, due to the complexity of DoS attacks, it is increasingly important to abstract and describe these attacks in a way that allows them to be effectively detected. Automaton theory is used in this paper to implement a SYN Flood detection system based on Time-Dependent Finite Automata (TDFA).

A Probe Prevention Model for Detection of Denial of Service Attack on TCP Protocol (TCP 프로토콜을 사용하는 서비스거부공격 탐지를 위한 침입시도 방지 모델)

  • Lee, Se-Yul; Kim, Yong-Soo
    • Journal of the Korean Institute of Intelligent Systems / v.13 no.4 / pp.491-498 / 2003
  • Advanced computer network technology enables connectivity of computers through an open network environment. There have been growing numbers of security threats to networks. Therefore, intrusion detection and prevention technologies are required. In this paper, we propose a network-based intrusion detection model using FCM (Fuzzy Cognitive Maps) that can detect intrusion by a DoS attack detection method adopting packet analysis. A DoS attack appears in the form of the Probe and Syn Flooding attack, which is a typical example. The SPuF (Syn flooding Preventer using Fuzzy cognitive maps) model captures and analyzes packet information to detect Syn flooding attacks. Using the result of the analysis of the decision module, which utilized FCM, the decision module measures the degree of danger of the DoS and trains the response module to deal with attacks. For the performance comparison, the "KDD′99 Competition Data Set" made by MIT Lincoln Labs was used. The result of simulating the "KDD′99 Competition Data Set" in the SPuF model shows that the probe detection rates were over 97 percent.