Accurately Identifying New QoS Violation Driven by High-Distributed Low-Rate Denial of Service Attacks Based on Multiple Observed Features

2015 ◽  
Vol 2015 ◽  
pp. 1-11 ◽  
Author(s):  
Jian Kang ◽  
Mei Yang ◽  
Junyao Zhang

We propose using multiple observed features of network traffic to identify new high-distributed low-rate quality of service (QoS) violations so that detection accuracy may be further improved. For the multiple observed features, we choose the F feature in the TCP packet header as a microscopic feature and the P feature and D feature of network traffic as macroscopic features. Based on these features, we establish a multistream fused hidden Markov model (MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted by using the Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM results in a significant 23.39% and 44.64% improvement over the typical power spectrum density (PSD) algorithm and the nonparametric cumulative sum (CUSUM) algorithm.

2014 ◽  
Vol 519-520 ◽  
pp. 245-249
Author(s):  
Mei Yang ◽  
Jian Kang

In order to maintain high network QoS (quality of service) against new high-distributed low-rate QoS violations, this paper proposes a novel recognition scheme that considers multiple network features on both the macro and micro sides. This scheme uses a Multi-stream Fused Hidden Markov Model (MF-HMM) for automatic low-rate QoS violation recognition, integrating multiple features simultaneously. The multi-features include the I-I-P triple and the TCP header control Flag in a data packet at the micro level, and the R feature of network flow at the macro level. In addition, based on the successful experience of Load-Shedding, the Kaufman algorithm is used to adjust and upgrade the threshold value dynamically. Our experiments show that our approach effectively reduces the false-positive rate and the false-negative rate. Moreover, it has a high recognition rate specifically for new QoS violations by High-Distributed Low-rate Denial of Service attacks.


Electronics ◽  
2021 ◽  
Vol 10 (17) ◽  
pp. 2105
Author(s):  
Vasudha Vedula ◽  
Palden Lama ◽  
Rajendra V. Boppana ◽  
Luis A. Trejo

Distributed denial of service (DDoS) attacks aim to deplete the network bandwidth and computing resources of targeted victims. Low-rate DDoS attacks exploit protocol features such as the transmission control protocol (TCP) three-way handshake mechanism for connection establishment and the TCP congestion-control induced backoffs to attack at a much lower rate and still effectively bring down the targeted network and computer systems. Most of the statistical and machine/deep learning-based detection methods proposed in the literature require keeping track of packets by flows and have high processing overheads for feature extraction. This paper presents a novel two-stage model that uses Long Short-Term Memory (LSTM) and Random Forest (RF) to detect the presence of attack flows in a group of flows. This model has a very low data processing overhead; it uses only two features and does not require keeping track of packets by flows, making it suitable for continuous monitoring of network traffic and on-the-fly detection. The paper also presents an LSTM Autoencoder to detect individual attack flows with high detection accuracy using only two features. Additionally, the paper presents an analysis of a support vector machine (SVM) model that detects attack flows in slices of network traffic collected for short durations. The low-rate attack dataset used in this study is made available to the research community through GitHub.


2015 ◽  
Vol 9 (3) ◽  
pp. 21-40 ◽  
Author(s):  
Rui Wang ◽  
Zhiyong Zhang ◽  
Lei Ju ◽  
Zhiping Jia

Software-Defined Networking (SDN) and OpenFlow have brought a promising architecture for future networks. However, there are still many security challenges to SDN. To protect SDN from Distributed Denial-of-Service (DDoS) flooding attacks, this paper extends the flow entry counters and adds a mark action to OpenFlow, then proposes an entropy-based distributed attack detection model and a novel IP traceback and source filtering response mechanism in SDN with OpenFlow-based Deterministic Packet Marking. It detects the attack at the destination and filters the malicious traffic at the source, and it can be easily implemented in an SDN controller program or in a software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results show that this scheme can detect the attack quickly, achieve high detection accuracy with a low false positive rate, shield the victim from attack traffic and also avoid the attacker consuming resources and bandwidth on the intermediate links.


2018 ◽  
Vol 15 (1) ◽  
pp. 139-162 ◽  
Author(s):  
Miodrag Petkovic ◽  
Ilija Basicevic ◽  
Dragan Kukolj ◽  
Miroslav Popovic

The detection of distributed denial of service (DDoS) attacks based on internet traffic anomalies is a method which is general in nature and can detect unknown or zero-day attacks. One of the statistical characteristics used for this purpose is network traffic entropy: a sudden change in entropy may indicate a DDoS attack. However, this approach often gives false positives, and this is the main obstacle to its wider deployment within network security equipment. In this paper, we propose a new, two-step method for detection of DDoS attacks. This method combines the approaches of network traffic entropy and the Takagi-Sugeno-Kang fuzzy system. In the first step, the detection process calculates the entropy distribution of the network packets. In the second step, the Takagi-Sugeno-Kang fuzzy system (TSK-FS) method is applied to these entropy values. The performance of the TSK-FS method is compared with that of the typically used approach, in which cumulative sum (CUSUM) change point detection is applied directly to entropy time series. The results show that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process, achieving a high true-positive detection rate and a very low false-positive rate. As it is based on entropy, this combined method retains its generality and is capable of detecting various types of attack.


2021 ◽  
Vol 2021 ◽  
pp. 1-7
Author(s):  
Jie Zhao

With the continuous development of multimedia social networks, online public opinion information is becoming more and more popular. The rule extraction matrix algorithm can effectively improve the probability of the information data to be tested. Network information data abnormality detection is realized through probability calculation, and the prior probability is calculated to realize the detection of abnormally high network data. Practical results show that the rule-extracting matrix algorithm can effectively control the false positive rate of sample data, improves detection accuracy, and has efficient detection performance.


2021 ◽  
Vol 2021 ◽  
pp. 1-14
Author(s):  
Bo Liu ◽  
Jinfu Chen ◽  
Songling Qin ◽  
Zufa Zhang ◽  
Yisong Liu ◽  
...  

Due to the growth and popularity of the internet, cyber security remains, and will continue to be, an important issue. Many network traffic classification methods and malware identification approaches have been proposed to solve this problem. However, the existing methods are not well suited to help security experts effectively solve this challenge due to their low accuracy and high false positive rate. To this end, we employ a machine learning-based classification approach to identify malware. The approach extracts features from network traffic and reduces the dimensionality of the features, which can effectively improve the accuracy of identification. Furthermore, we propose an improved SVM algorithm for classifying the network traffic, dubbed Optimized Facile Support Vector Machine (OFSVM). The OFSVM algorithm addresses the unsatisfactory classification performance of the original SVM algorithm from two aspects, i.e., parameter optimization and kernel function selection. Therefore, in this paper, we present an approach for identifying malware in network traffic, called Network Traffic Malware Identification (NTMI). To evaluate the effectiveness of the NTMI approach proposed in this paper, we collect four real network traffic datasets and use the publicly available CAIDA dataset for our experiments. Evaluation results suggest that the NTMI approach can lead to higher accuracy while achieving a lower false positive rate compared with other identification methods. On average, the NTMI approach achieves an accuracy of 92.5% and a false positive rate of 5.527%.


Author(s):  
Velliangiri S

Multimedia digital data include medical records and financial documents, whose security is not guaranteed. Concern for the security of multimedia digital data has been a widespread issue in the field of cybernetics. With increasing malware in video payloads, the proposed study aims to reduce the embedding of malware in video payloads using a Pseudo Arbitrary Permutation based Cellular Automata Encryption (PAP-CAE) system. This method reduces malware attacks and the distortion rate by permuting the secret keys with pseudo arbitrary permutation. Before the application of PAP-CAE, a 2D wavelet transform is applied to the multimedia files, which compresses the complex files into different scales and positions to be transmitted via a network with reduced size. Simultaneously, it performs the process of decryption and decompression to retrieve the original files. The proposed method is evaluated against existing methods to test its efficacy in terms of detection accuracy, malware detection time and false positive rate. The results show that the proposed method is effective at detecting malware in multimedia video files.


2020 ◽  
Vol 10 (21) ◽  
pp. 7673
Author(s):  
Eslam Amer ◽  
Shaker El-Sappagh ◽  
Jong Wan Hu

The proper interpretation of a malware API call sequence plays a crucial role in identifying its malicious intent. Moreover, there is a need to characterize smart malware mimicry activities that resemble goodware programs. Those types of malware imply further challenges in recognizing their malicious activities. In this paper, we propose standard and straightforward contextual behavioral models that characterize Windows malware and goodware. We relied on word embedding to realize the contextual association that may occur between API functions in malware sequences. Our empirical results proved that there is a considerable distinction between malware and goodware call sequences. Based on that distinction, we propose a new method to detect malware that relies on the Markov chain. We also propose a heuristic method that identifies malware’s mimicry activities by tracking the likelihood behavior of a given API call sequence. Experimental results showed that our proposed model outperforms other peer models that rely on API call sequences. Our model returns an average malware detection accuracy of 0.990, with a false positive rate of 0.010. Regarding malware mimicry, our model shows a noteworthy average accuracy of 0.993 in detecting false positives.


Energies ◽  
2020 ◽  
Vol 13 (19) ◽  
pp. 5176
Author(s):  
Ghada Elbez ◽  
Hubert B. Keller ◽  
Atul Bohara ◽  
Klara Nahrstedt ◽  
Veit Hagenmeyer

Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages, including the use of renewables and an effective way to protect, control and monitor energy transmission and distribution. To reach optimal operation of future energy systems, the availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations; then we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations of the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe the GOOSE communication in the substation process network well. Based on this ARFIMA model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD, considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM), are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. The detection delay is provided for each detector; it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches, whereas our AD approach based on the CUSUM test has the lowest false negative rate and thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics.


Electronics ◽  
2019 ◽  
Vol 8 (11) ◽  
pp. 1210 ◽  
Author(s):  
Khraisat ◽  
Gondal ◽  
Vamplew ◽  
Kamruzzaman ◽  
Alazab

The Internet of Things (IoT) has been rapidly evolving, making a greater impact on everything from everyday life to large industrial systems. Unfortunately, this has attracted the attention of cybercriminals, who have made IoT a target of malicious activities, opening the door to possible attacks on the end nodes. Due to the large number and diverse types of IoT devices, it is a challenging task to protect the IoT infrastructure using a traditional intrusion detection system. To protect IoT devices, a novel ensemble Hybrid Intrusion Detection System (HIDS) is proposed by combining a C5 classifier and a One Class Support Vector Machine classifier. HIDS combines the advantages of a Signature Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS). The aim of this framework is to detect both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the Bot-IoT dataset, which includes legitimate IoT network traffic and several types of attacks. Experiments show that the proposed hybrid IDS provides a higher detection rate and a lower false positive rate compared to the SIDS and AIDS techniques.

