Download - Academy Publisher

More documents

Recommendations

Info

ISBN 978-952-5726-09-1 (Print) Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10) Jinggangshan, P. R. China, 2-4, April. 2010, pp. 062-065 DDoS Detection System Based on Data Mining Rui Zhong 1,3 , and Guangxue Yue 1,2,4 1 Faculty of Science, Jiangxi University of Science and Technology, Ganzhou,China. 2 Jiaxing University, College of Computer and Mathematics, Jiaxing, China 3 Modern Education Technology Center, Gannan Normal University, Ganzhou,China Email:zhongrui_cn@126.com 4 Guangdong University of Business Studies ,GuangZhou, China Email: guangxueyue@163.com Abstract—Distributed denial of service attack(DDoS) brings a very serious threat to send to the stability of the Internet.This paper analyzes the characteristic of the DDoS attack and recently DDoS attack detection method. Presents a DDoS attack detection model based on data mining algorithm. FCM cluster algorithm and Apriori association algorithm used to extracts network traffic model and network packet protocol status model. The threshold is set for detection model. Experimental result shows that DDoS attacks can be detected efficiently and swiftly. Index Terms—DDoS, cluster algorithm, association algorithm, FCM, Apriori I. INTRODUCTION Distributed denial of service(DDoS)[1] attacks make the resources of host occupied largely via sending many malicious packets, which results in the failure of normal network services. DDoS attack the target host through construting a lot of illegal packets, this kind of attacks changed traditional peer to peer attack mode and used distributed attack mode instead that causes the extent of hosts participating in attack wider, data flow generated by attack present irregular status. All of this make DDoS attacks launched easily, prevented and tracked difficultly and so forth. So far DDoS attacks have become one of the essential threats to network security. In this paper cluster algorithm and association algorithm are used to build the traffic threshold model and packet protocol status model, so as to automatic, real-time, effective detection of DDoS attacks. II. ESTABLISHMENT OF DDOS DETECTION MODEL • A.DDoS attack procedure A DDoS attack launched by the attacker includes mainly three steps, that is, searching the attack target, attacking and occupying the zombie and actual attacks. The specific process is as follows: 1. Before attacking, the attacker firstly searches the hosts in the network with security vulnerabilities from which the hosts with good link state and performance are picked out, and then intrudes these hosts so that corresponding administration authority is achieved to install control programs. 2. The attacker through network gives the handlers of the attack control instructions that cause the handlers © 2010 ACADEMY PUBLISHER AP-PROC-CS-10CN006 62 give orders to the agents. Generally the attack agents are controlled by more than one handlers. 3. The agents send the victims a large quantity of packets. It is difficult to distinguish between malicious requests and normal connection requests because these packets are masqueraded and could not be recognized where they are from as well as the protocols used by attackers are very common. • B.The characteristics of DDoS Attack The characteristics of DDoS Attack are as follows after the analysis of it: 1. Abnormal traffic. A lot of useless packets transmitted by the attacker in order to occupy the resources of the victims(bandwidth or host resources). Such a large number of packets would cause the victims system-halted and fail to provide external services. 2. Most DDoS attacks take the three times handshake mechanism and use “SYN” status flag to send the victim connection requests . However, this does not mean to build a real connection, which makes the victim maintain a great deal of half-opened connection and consume the resources of the victims. 3. The attacker makes use of one of the characters of TCP/IP protocol that some non-compliant packets could be used so as to launch DDoS attacks. Among the characteristics above, the data of the first character could be received from network device via SNMP protocol, the data of the second and third characters would be received after the analysis of the captured network packets. These characters are used as DDoS detection parameter in this paper when the detection model is intended to be built. • C.Relative researches Recently there are three detection methods in DDoS attacks: DDoS attacks detection based on protocol analysis[2], DDoS attacks detection based on cluster[3], DDoS detection based on the model of network traffic statistics[4,5]. However, these methods present some problems. For example, DDoS attacks detection based on protocol analysis is effective relatively only for the attacks with obvious abnormal protocol characters, whereas it does no significant effects to DDoS attacks without obvious protocol characters. DDoS attacks detection based on cluster often make the high error rate, and there is large data needed to be conducted. In addition, it is unable to tell whether the abnormal network traffic is caused by the visit of normal users or by DDoS attacks. Therefore, based on the research on the
detection methods of DDoS attacks mentioned above, the only way to improve the detection efficiency of DDoS attacks is to combine various detection methods so as to make up for the deficiency of these detection methods above. Ref. [2] studied TCP connection status, which is used to identify TCP SYN FLOOD attack. This method is only for TCP SYN FLOOD attack and can not detect or protect UDP FLOOD and ICMP FLOOD. Ref. [3] proposed a DDoS attack detection model based on protocol analysis and cluster. This model uses data mining algorithm to analyze the protocol information in packets, the advantages of it are that the attack detection method need not any manual-construction data, and it keeps a comparatively high detection rate. However, the number of network connections in unit time will range from ten thousand to one million for a large scale network, so the number of network connections can not be reduced to an optimal level with association algorithm. Because of the large calculation data the situation of detection delay will appear which results in the failure to achieve the real-time detection of DDoS attacks. Ref. [4,5] detects and prevents DDoS attacks through building detection model of abnormal traffic statistics, this model could not conduct abnormal traffic well and make sure whether the abnormal traffic is caused by legal high traffic or DDoS attacks. • D.The DDoS attacks detection model packets protocol status detection. Step4 All of the captured packet are used to build the packet protocol status model based on Apriori and FCM algorithm. Step5 Import the current traffic to abnormal traffic detection module. Once the current network traffic is beyond the threshold value, the network packet protocol status module will be started immediately. Step6 Detect the packet protocol status via the network packet protocol status detection module. If there are abnormal packets, this module will give an alarm, whereas no abnormal packets the current network traffic will be clustered again by way of k-means data mining module to build a new threshold value model. • E.The establishment of abnormal traffic detection module In this module used the most obvious characters of network traffic are used to build the detection model. Once the network traffic detection module detect the traffic value is abnormal, the packet protocol status detection module will be started immediately to detect these packets in order to make sure if the current abnormal network traffic value results from DDoS attacks, at the same time the traffic threshold model could dynamically update according to the result of the Training data acquisition Network interface Packet Capture Module Training data acquisition Based on k-means algorithm module Network packet protocol status module Normal Detection of anomaly network traffic Network traffic threshold model Abnormal Network packet protocol status model Detection of packet protocol status Normal network packet protocol status Abnormal network packet protocol status Attack alarm module Fig.1. is the working trafficchart of this model that combines the abnormal traffic detection and the packet protocol status detection to detect DDoS attacks. The specific detection procedures are as below: Step1 Network packets Capture module achieve current network traffic value and packets. Step2 Build each detection module through Step 3 and Step 4. Step3 Capture the network traffic value based on k-means data mining module to build initiating the threshold value module of network traffic in which the threshold value would adjust automatically to the result of Figure1. DDoS attack detection model 63 packet protocol status detection module. It could adapt to the traffic variety caused by the increase of users or the change in application. The achievement of this module will greatly reduce the data which needs to be detected and detect DDoS attack in real-time. k-means[6] is one of cluster algorithm in data mining that preset a data set which contain n data object and k cluster that needs to create. The main idea of k-means algorithm is to split the data object set into k cluster( k ≤ n ) that could make a standard measure function optimization and make high similarity of data object in the same cluster.
Page 1 and 2:
Proceedings The Second Internationa
Page 3 and 4:
Table of Contents Message from the
Page 5 and 6:
Zuming Xiao, Zhan Guo, Bin Tan, and
Page 7 and 8:
Message from the Symposium Chairs T
Page 9 and 10:
Second International Symposium on N
Page 11 and 12:
ISBN 978-952-5726-09-1 (Print) Proc
Page 13 and 14:
model that can deal with time serie
Page 15 and 16:
ISBN 978-952-5726-09-1 (Print) Proc
Page 17 and 18:
training for the Wushu competition
Page 19 and 20:
ISBN 978-952-5726-09-1 (Print) Proc
Page 21 and 22: information, called weak uncertain
Page 23 and 24: Student side Student side Student s
Page 25 and 26: ISBN 978-952-5726-09-1 (Print) Proc
Page 27 and 28: If we define element of student as
Page 31 and 32: QoS, each frame data is divided int
Page 35 and 36: for Imaging Two and Three Phase Flo
Page 39 and 40: A. Profiling&following control algo
Page 41 and 42: Research and Realization about Conv
Page 43 and 44: PDF document structure is a tree st
Page 47 and 48: support 10 Mb / s. But ENC28J60 onl
Page 51 and 52: condition the first byte output of
Page 55 and 56: According to maximum membership deg
Page 59 and 60: ubber according to the mass ratio o
Page 61 and 62: Ⅲ. AN IMPROVED DNA ALGORITHM FOR
Page 63 and 64: Ⅴ.CONCLUSION REMARKS DNA computer
Page 65 and 66: its first child q 1 on the left, th
Page 67 and 68: chains can greatly improve efficien
Page 69 and 70: II. RELATED WORK A. Mobile Service
Page 71: special services. SOAP is used to b
Page 75 and 76: Step4 calculate the new subordinate
Page 77 and 78: Figure 1. An analysis of the partit
Page 81 and 82: The preceding three formulas can be
Page 85 and 86: And the decay speed of buffer seque
Page 89 and 90: distance of view point. Given that
Page 93 and 94: Ⅳ. EVALUATION OF BLENDED LEARNING
Page 97 and 98: symmetric with respect to the origi
Page 101 and 102: each sample belongs to each categor
Page 105 and 106: A. Data Preparing To generate our t
Page 109 and 110: oth α and β . determination of Qu
Page 113 and 114: Strong earthquake 0.1< M L
Page 117 and 118: indirect causes, and the logical re
Page 119 and 120: egression. Granger causality test i
Page 121 and 122: B. Evaluation We have evaluated thi
Page 123 and 124:
used as a source and neighboring ce
Page 125 and 126:
Figure 3. Drainage networks generat
Page 127 and 128:
Combinational logic unit failures i
Page 129 and 130:
Tabal.1 Combinational fault logic t
Page 131 and 132:
under the endorsement of both the m
Page 133 and 134:
TABLE I. DESCRIPTION OF PROPOSITION
Page 135 and 136:
Figure 2. The process of the invers
Page 137 and 138:
Figure 9. (a)the original image.(b)
Page 139 and 140:
ISBN 978-952-5726-09-1 (Print) Proc
Page 141 and 142:
In order to reduce to the number of
Page 143 and 144:
ISBN 978-952-5726-09-1 (Print) Proc
Page 145 and 146:
that studying being going to be to
Page 147 and 148:
Reference[10] analyzed the evolutio
Page 149 and 150:
module, communication module, apper
Page 151 and 152:
After the comprehensive performance
Page 153 and 154:
system testing can be seen that the
Page 155 and 156:
III. AUTONOMIC RESOURCE ALLOCATION
Page 157 and 158:
The QoE i (T i ) is the ith user’
Page 159 and 160:
ISBN 978-952-5726-09-1 (Print) Proc
Page 161 and 162:
nodes will be formed one cluster, t
Page 163 and 164:
ISBN 978-952-5726-09-1 (Print) Proc
Page 165 and 166:
Where n is the number of data point
Page 167 and 168:
ISBN 978-952-5726-09-1 (Print) Proc
Page 169 and 170:
Keyboard event Application User mod
Page 171 and 172:
ISBN 978-952-5726-09-1 (Print) Proc
Page 173 and 174:
SQL Azure will eventually include a
Page 175 and 176:
ISBN 978-952-5726-09-1 (Print) Proc
Page 177 and 178:
The nodes in the suffix tree are dr
Page 179 and 180:
[3] Y. Li, S. M. Chung, and J. D. H
Page 181 and 182:
some drilling fluid produces hydrog
Page 183 and 184:
"normalization", whose membership b
Page 185 and 186:
and minimum structural elements in
Page 187 and 188:
esults of the spatial transform par
Page 189 and 190:
B. Research on protocol actions Com
Page 191 and 192:
ACKNOWLEDGMENT This work is funded
Page 193 and 194:
A. Problem Description In a small b
Page 195 and 196:
[4] Huang, Hung, and J. Y. jen Hsu.
Page 197 and 198:
Further by calculating, the followi
Page 199 and 200:
TABLE II. THE CONCENTRATION BETWEEN
Page 201 and 202:
private key that obtained by using
Page 203 and 204:
ISBN 978-952-5726-09-1 (Print) Proc
Page 205 and 206:
ontology, and the domain dictionary
Page 207 and 208:
ISBN 978-952-5726-09-1 (Print) Proc
Page 209 and 210:
Eq.4 is NP-hard and can be solved b
Page 211 and 212:
ISBN 978-952-5726-09-1 (Print) Proc
Page 213 and 214:
Where: G i is the selection field o
Page 215 and 216:
If there is X j in a generation, wh
Page 217 and 218:
Theorem 2.4([10]). Let L 1 and L 2
Page 219 and 220:
The relation between the lattice im
Page 221 and 222:
Figure 2. Example of single-step de
Page 223 and 224:
evocation and the fourth group stor
Page 225 and 226:
focused mainly on rule-based forms
Page 227 and 228:
Ⅵ. CONCLUSION Figure 6. The Flask
Page 229 and 230:
EDCF in comparison with DCF, has so
Page 231 and 232:
B. Simulation results and analysis
Page 233 and 234:
ISBN 978-952-5726-09-1 (Print) Proc
Page 235 and 236:
in routing table. When search resou
Page 237 and 238:
ISBN 978-952-5726-09-1 (Print) Proc
Page 239 and 240:
others through the selective emotio
Page 241 and 242:
such as weather information, techno
Page 243 and 244:
the opening window, a related page
Page 245 and 246:
1) Process context storage areas. I
Page 247 and 248:
V. CONCLUSION In this thesis, sCPU-
Page 249 and 250:
main types of horizontal search env
Page 251 and 252:
Enterprise Portal security provides
Page 253 and 254:
() t = [ S () t S () t ] T N S ,...
Page 255 and 256:
[2] Kumaravel, N., and Kavitha, V.,
Page 257 and 258:
output, so BP network has been wide
Page 259 and 260:
input to the artificial neural netw
Page 261 and 262:
(2) In a process (tokens from outsi
Page 263 and 264:
The reduction process consists of t
Page 265 and 266:
all eight normal vectors are identi
Page 267 and 268:
is B object , and the number of emp
Page 269 and 270:
xi, j y' = εα ( (1 + tanh( )) −
Page 271 and 272:
Error 8000 7000 6000 5000 4000 3000
Page 273 and 274:
Architecture (AMBA) a new bus archi
Page 275 and 276:
In order to ensure the smooth proce
Page 277 and 278:
ISBN 978-952-5726-09-1 (Print) Proc
Page 279 and 280:
In this paper, we adopt two Sobel o
Page 281 and 282:
ISBN 978-952-5726-09-1 (Print) Proc
Page 283 and 284:
four layers.The far right of the gr
Page 285 and 286:
ISBN 978-952-5726-09-1 (Print) Proc
Page 287 and 288:
TABLE II. OPERATIONAL EMPLOYEE TABL
Page 289 and 290:
A. Object-relational Type To audit
Page 291 and 292:
to execution time. Also, DBA would
Page 293 and 294:
Liping Chen .......................
show all

Download - Academy Publisher

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?