Download - Academy Publisher

More documents

Recommendations

Info

In this model the network traffic is captured in fixed time window for a period of time. All of the data captured is used to calculate the mean value of every time window via cluster algorithm. The particular algorithm procedure is as follows: Step1 Select at random K initial cluster center K 1, K 2,..., K in m time window k Step2 Calculate the distance between each network traffic data xi and initial cluster center through Dj = min{|| xi − Kv ||} , the sample point that is the nearest to cluster center would be assigned to the cluster whose center is K v Step3 Move every K w to its cluster center and recalculate the cluster center according to new data added in cluster. Then calculate the deviation including sample value in each cluster domain through formula: n 2 [min r= 1,..., k d( xi, Kr) ] i= 1 D = ∑ . Step4 The repetitive execution of step3 and step4 until the convergence of D value and all the cluster center will not move. After that the cluster center is the traffic mean value in different time window. • F.The establishment of packet protocol status detection module Time windows are used as the unit to deal with packet protocol status in this model. For the accurate description of DDoS attacks, Dst-ip, Dst-port, flag, src-byte and dst-byte are used as detection parameters of the packet protocol status: Dst-ip represents destination IP, Dst-port represents destination port, flag represents the status of connection end whose values includes SF(normal connection end ) and REJ( connection requests refusal) etc, src-byte represents source byte, dst-byte represents destination byte. 1.The feature extraction of packet protocol status Apriori association algorithm is used in mining of packet protocol status. The packet protocol status appearing frequently in the network could be combined into one association record, which has massive packet protocol status compressed and reduces the data numbers. The following is an association record extracted from frequent items of the packet protocol status records: (Dst-ip:192.168.9.8 and Dst-port:8081--->flag:sf) [support=2.5% confidence=98.5%] This association record shows the destination IP is 192.168.9.8 and the destination port is 8081,the support of normal service is 2.5% and the confidence is 98.5%. (Dst-ip:192.168.96.9andDst-port:8000 and dst-byte=0--->flag:s0)[support=8.01% confidence=96.7%] This association record shows the destination IP is 192.168.96.9 and the destination port is 8000, the support of packets in which the number of bytes received is zero is 8.01% , the confidence is 96.7%, and this is the abnormal connection. 2.Establishing the threshold value Several protocol status characteristics generated through the use of association algorithm are used to calculate the distance between packet protocol status feature vector and each normal cluster in detection model. If the packet protocol status feature vector are beyond all the normal cluster, this feature vector is viewed as abnormal. If some feature vector in several consecutive time windows is marked abnormal, the attack alarm module will send alarm. Fuzzy C-means algorithm[7] is used to build the network protocol status model. Fuzzy C-means clustering algorithm is described as follows: Suppose a data set X = { x1, x2,..., x n } , fuzzy matrix U = [ u ij ] stands for its fuzzy C division, u should meet the following condition: ij c ∀ j, ∑ uij = 1 ; ∀ i, j u ij ∈ [0,1] ; i = 1 n ∑ ∀ i, u > 0 .At j = 1 present the widely used cluster rule is to use the minimal value of weighted sum squared error in cluster. That is n c m 2 (min) J ( U, V) = ∑ ∑ u d ( x , v ) , in which U is m ij ij j i j= 1 i= 1 sample space, V is clustering prototype and d 2 ( , ) ij xj vi is the euclidean distance between the No.i data and the No.j cluster center. In order to get the minimum value of cluster rule function Jm( UV , ) , Lagrange multiplier method could be used to reach the necessary condition to get the minimum value of J ( , ) m UV that is: k 2/( m 1) uij = 1/ ∑ ( dij / drl ) − , ∀i (1) l= 1 m m m m ij ij j ij i= 1 r= 1 ∑ ∑ (2) c = ( u x )/( u ), ∀j In this model the packet is captured in fixed time window. The data collected continuously for a period is used to calculate the packet protocol status threshold through the FCM cluster algorithm. The specific algorithm procedure is as follows: Step1 select all association record of the packet protocol status in every time window Step2 Use number at random in [0,1] to initialize the subordinate-matrix U ,and it should meet the constraint n conditionå uij = 1, " j= 1,..., n. i= 1 Step3 calculate the cluster center through the formula m m m m ij ∑ ij j ∑ ij i= 1 r= 1 c = ( u x )/( u ), ∀j ij 64
Step4 calculate the new subordinate-matrixU in each time window through formula k u = 1/ ∑ ( d / d ) ij ij rl l= 1 2/( m−1) Step5 Loop computations step3 and step4 until the cluster rule function is less than a threshold value. The value is the cluster result. Cluster rule m 2 function is J ( U, V) u d ( x , v ) n m ij ij j i j= 1 i= 1 c = ∑∑ . Through the above calculation step the deviation of membership of every sample point could be determined in its time window. According to the rule of the maximum deviation of membership in fuzzy date set, it should be determined that which cluster center every sample point belongs to so as to make sure whether there are DDoS attacks in current network. Table 1 DDoS attack detection result in different duration 1 min 5 min Attack tools Detection rate Error rate Residual rate Detection rate Error rate Residual rate SYN Flood 100% 0% 0% 100% 0% 0% Stacheldraht 96.53% 1.05% 2.42% 99.33% 0.54% 0.13% Trinoo 98.92% 0.41% 0.67% 99.69% 0.13% 0.18% TFN2K 97.20% 2.45% 0.35% 98.65% 1.12% 0.23% Ⅲ. EXPERIMENT Attack detection experiment platform is built in some campus network, the target host is in the network computer center, the operating system is Windows 2000 server, and WWW and FTP service are also used, attack hosts are distributed in this campus network. When the attack detection experiment is under way, the network traffic and packets of the target host would be collected and lasted for two weeks, then the collected network traffic value and packets would used as training samples to generate the threshold model of network traffic and detection model of packet connection status. DDoS attack tools include TFN2K, Stacheldraht, SYN Flood, Trinoo. DDoS attacks in this experiment will be detected in different duration. From the analysis of DDoS attacks in this experiment, it is found that this system has a high detection efficiency, the detection rate of it could reach more than 97%. moreover, with the increase in the duration of DDoS attacks, higher is the attack detection rate of this system. The function test result of this system shows that it could meet the daily detection needs well. Ⅳ. CONCLUSIONS This paper, aiming at the characteristics of difficult detection and prevention as to DDoS attacks, proposes a detection model based on data mining. This model could receive the currently normal network traffic model with data mining algorithm. Once network traffic appears abnormal, this model could detect the packets maintaining in abnormal traffic duration. In this way the system load will be greatly reduced and its real-time can be improved. Through the test in LAN, this system is able to effectively detect DDoS attacks in real time. ACKNOWLEDGMENT This work is supported by Economic Commence Market Application Technology Foundation Grant by 2007gdecof004. REFERENCES [1] Meyer L, and Penzhorn WT. “Denial of service and distributed denial of service-today and tomorrow,”In: Proc. of the IEEE 7th AFRICON Conf. Vol.2,pp.959-964,2004. [2] Wang HN, Zhang DL, and Shin KG. “Detecting SYN floodingattacks,”In:Proc.of the 21st Annual Joint Conf. of the IEEE Computer and Communications Societies,Vol.3,pp.1530-1539,2002. [3] Gao Neng, Feng Deng-Guo, and Xiang Ji. “A Data-Mining Based DoS Dectection Technique,” Chinese Journal of Computers,Vol.29, pp.944-951,2005. [4] Li J, and Manikopoulos C. “Early statistical anomaly intrusion detection of DOS attacks using MIB traffic parameters,”In:Proc.of the IEEE Systems,Man and Cybernetics Society,Information Assurance Workshop,pp.53-59,2003. [5] Kim YW, Lau WC, Chuah MC, and Chao HJ. “Packetscore:Statistical-Based overload control against distributed denial-of-service a ttacks,”In:Proc.of the 23rd Annual Joint Conf.of the IEEE Computer and Communications Societies,Vol.4,pp.2594-2604,2004. [6] SUN Ji-Gui, and LIU Jie. “Clustering Algorithms Research,” Journal of Software,Vol.19,pp.48-61,2008. [7] YANG De-Gang. “Research of the Network Intrusion Detection Based on Fuzzy Clustering,” Computer Science, Vol.32, pp.86-91,2005. 65
Page 1 and 2:
Proceedings The Second Internationa
Page 3 and 4:
Table of Contents Message from the
Page 5 and 6:
Zuming Xiao, Zhan Guo, Bin Tan, and
Page 7 and 8:
Message from the Symposium Chairs T
Page 9 and 10:
Second International Symposium on N
Page 11 and 12:
ISBN 978-952-5726-09-1 (Print) Proc
Page 13 and 14:
model that can deal with time serie
Page 15 and 16:
ISBN 978-952-5726-09-1 (Print) Proc
Page 17 and 18:
training for the Wushu competition
Page 19 and 20:
ISBN 978-952-5726-09-1 (Print) Proc
Page 21 and 22:
information, called weak uncertain
Page 23 and 24: Student side Student side Student s
Page 25 and 26: ISBN 978-952-5726-09-1 (Print) Proc
Page 27 and 28: If we define element of student as
Page 31 and 32: QoS, each frame data is divided int
Page 35 and 36: for Imaging Two and Three Phase Flo
Page 39 and 40: A. Profiling&following control algo
Page 41 and 42: Research and Realization about Conv
Page 43 and 44: PDF document structure is a tree st
Page 47 and 48: support 10 Mb / s. But ENC28J60 onl
Page 51 and 52: condition the first byte output of
Page 55 and 56: According to maximum membership deg
Page 59 and 60: ubber according to the mass ratio o
Page 61 and 62: Ⅲ. AN IMPROVED DNA ALGORITHM FOR
Page 63 and 64: Ⅴ.CONCLUSION REMARKS DNA computer
Page 65 and 66: its first child q 1 on the left, th
Page 67 and 68: chains can greatly improve efficien
Page 69 and 70: II. RELATED WORK A. Mobile Service
Page 71 and 72: special services. SOAP is used to b
Page 73: detection methods of DDoS attacks m
Page 77 and 78: Figure 1. An analysis of the partit
Page 81 and 82: The preceding three formulas can be
Page 85 and 86: And the decay speed of buffer seque
Page 89 and 90: distance of view point. Given that
Page 93 and 94: Ⅳ. EVALUATION OF BLENDED LEARNING
Page 97 and 98: symmetric with respect to the origi
Page 101 and 102: each sample belongs to each categor
Page 105 and 106: A. Data Preparing To generate our t
Page 109 and 110: oth α and β . determination of Qu
Page 113 and 114: Strong earthquake 0.1< M L
Page 117 and 118: indirect causes, and the logical re
Page 119 and 120: egression. Granger causality test i
Page 121 and 122: B. Evaluation We have evaluated thi
Page 123 and 124: used as a source and neighboring ce
Page 125 and 126:
Figure 3. Drainage networks generat
Page 127 and 128:
Combinational logic unit failures i
Page 129 and 130:
Tabal.1 Combinational fault logic t
Page 131 and 132:
under the endorsement of both the m
Page 133 and 134:
TABLE I. DESCRIPTION OF PROPOSITION
Page 135 and 136:
Figure 2. The process of the invers
Page 137 and 138:
Figure 9. (a)the original image.(b)
Page 139 and 140:
ISBN 978-952-5726-09-1 (Print) Proc
Page 141 and 142:
In order to reduce to the number of
Page 143 and 144:
ISBN 978-952-5726-09-1 (Print) Proc
Page 145 and 146:
that studying being going to be to
Page 147 and 148:
Reference[10] analyzed the evolutio
Page 149 and 150:
module, communication module, apper
Page 151 and 152:
After the comprehensive performance
Page 153 and 154:
system testing can be seen that the
Page 155 and 156:
III. AUTONOMIC RESOURCE ALLOCATION
Page 157 and 158:
The QoE i (T i ) is the ith user’
Page 159 and 160:
ISBN 978-952-5726-09-1 (Print) Proc
Page 161 and 162:
nodes will be formed one cluster, t
Page 163 and 164:
ISBN 978-952-5726-09-1 (Print) Proc
Page 165 and 166:
Where n is the number of data point
Page 167 and 168:
ISBN 978-952-5726-09-1 (Print) Proc
Page 169 and 170:
Keyboard event Application User mod
Page 171 and 172:
ISBN 978-952-5726-09-1 (Print) Proc
Page 173 and 174:
SQL Azure will eventually include a
Page 175 and 176:
ISBN 978-952-5726-09-1 (Print) Proc
Page 177 and 178:
The nodes in the suffix tree are dr
Page 179 and 180:
[3] Y. Li, S. M. Chung, and J. D. H
Page 181 and 182:
some drilling fluid produces hydrog
Page 183 and 184:
"normalization", whose membership b
Page 185 and 186:
and minimum structural elements in
Page 187 and 188:
esults of the spatial transform par
Page 189 and 190:
B. Research on protocol actions Com
Page 191 and 192:
ACKNOWLEDGMENT This work is funded
Page 193 and 194:
A. Problem Description In a small b
Page 195 and 196:
[4] Huang, Hung, and J. Y. jen Hsu.
Page 197 and 198:
Further by calculating, the followi
Page 199 and 200:
TABLE II. THE CONCENTRATION BETWEEN
Page 201 and 202:
private key that obtained by using
Page 203 and 204:
ISBN 978-952-5726-09-1 (Print) Proc
Page 205 and 206:
ontology, and the domain dictionary
Page 207 and 208:
ISBN 978-952-5726-09-1 (Print) Proc
Page 209 and 210:
Eq.4 is NP-hard and can be solved b
Page 211 and 212:
ISBN 978-952-5726-09-1 (Print) Proc
Page 213 and 214:
Where: G i is the selection field o
Page 215 and 216:
If there is X j in a generation, wh
Page 217 and 218:
Theorem 2.4([10]). Let L 1 and L 2
Page 219 and 220:
The relation between the lattice im
Page 221 and 222:
Figure 2. Example of single-step de
Page 223 and 224:
evocation and the fourth group stor
Page 225 and 226:
focused mainly on rule-based forms
Page 227 and 228:
Ⅵ. CONCLUSION Figure 6. The Flask
Page 229 and 230:
EDCF in comparison with DCF, has so
Page 231 and 232:
B. Simulation results and analysis
Page 233 and 234:
ISBN 978-952-5726-09-1 (Print) Proc
Page 235 and 236:
in routing table. When search resou
Page 237 and 238:
ISBN 978-952-5726-09-1 (Print) Proc
Page 239 and 240:
others through the selective emotio
Page 241 and 242:
such as weather information, techno
Page 243 and 244:
the opening window, a related page
Page 245 and 246:
1) Process context storage areas. I
Page 247 and 248:
V. CONCLUSION In this thesis, sCPU-
Page 249 and 250:
main types of horizontal search env
Page 251 and 252:
Enterprise Portal security provides
Page 253 and 254:
() t = [ S () t S () t ] T N S ,...
Page 255 and 256:
[2] Kumaravel, N., and Kavitha, V.,
Page 257 and 258:
output, so BP network has been wide
Page 259 and 260:
input to the artificial neural netw
Page 261 and 262:
(2) In a process (tokens from outsi
Page 263 and 264:
The reduction process consists of t
Page 265 and 266:
all eight normal vectors are identi
Page 267 and 268:
is B object , and the number of emp
Page 269 and 270:
xi, j y' = εα ( (1 + tanh( )) −
Page 271 and 272:
Error 8000 7000 6000 5000 4000 3000
Page 273 and 274:
Architecture (AMBA) a new bus archi
Page 275 and 276:
In order to ensure the smooth proce
Page 277 and 278:
ISBN 978-952-5726-09-1 (Print) Proc
Page 279 and 280:
In this paper, we adopt two Sobel o
Page 281 and 282:
ISBN 978-952-5726-09-1 (Print) Proc
Page 283 and 284:
four layers.The far right of the gr
Page 285 and 286:
ISBN 978-952-5726-09-1 (Print) Proc
Page 287 and 288:
TABLE II. OPERATIONAL EMPLOYEE TABL
Page 289 and 290:
A. Object-relational Type To audit
Page 291 and 292:
to execution time. Also, DBA would
Page 293 and 294:
Liping Chen .......................
show all

Download - Academy Publisher

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?