Supervised learning‐based DDoS attacks detection: Tuning hyperparameters

Two supervised learning algorithms, a basic neural network and a long short‐term memory recurrent neural network, are applied to traffic including DDoS attacks. The joint effects of preprocessing methods and hyperparameters for machine learning on performance are investigated. Values representing attack characteristics are extracted from datasets and preprocessed by two methods. Binary classification and two optimizers are used. Some hyperparameters are obtained exhaustively for fast and accurate detection, while others are fixed with constants to account for performance and data characteristics. An experiment is performed via TensorFlow on three traffic datasets. Three scenarios are considered to investigate the effects of learning former traffic on sequential traffic analysis and the effects of learning one dataset on application to another dataset, and determine whether the algorithms can be used for recent attack traffic. Experimental results show that the used preprocessing methods, neural network architectures and hyperparameters, and the optimizers are appropriate for DDoS attack detection. The obtained results provide a criterion for the detection accuracy of attacks.     

基于K—means聚类的网络流量异常检测

针对网络异常检测领域存在的漏报率和误报率较高的问题,提出一种基于K—means聚类的网络流量异常检测方法。选择了多个不同维度上的特征;计算各维特征在滑动窗口中的局部均值偏差,以保证在实时动态变化的网络中的检测准确度;利用由K—means聚类算法产生的检测模型对各维特征进行综合评判,有效地降低了漏报率和误报率。在网络流量数据集上对所提方法进行了验证并和已有方法进行了对比,所提方法在精度和效率方面取得了较好的实验效果。     

基于深度特征学习的网络流量异常检测方法

针对网络流量异常检测过程中提取的流量特征准确性低、鲁棒性差导致流量攻击检测率低、误报率高等问题,该文结合堆叠降噪自编码器(SDA)和softmax,提出一种基于深度特征学习的网络流量异常检测方法。首先基于粒子群优化算法设计SDA结构两阶段寻优算法:根据流量检测准确率依次对隐藏层层数及每层节点数进行寻优,确定搜索空间中的最优SDA结构,从而提高SDA提取特征的准确性。然后采用小批量梯度下降算法对优化的SDA进行训练,通过最小化含噪数据重构向量与原始输入向量间的差异,提取具有较强鲁棒性的流量特征。最后基于提取的流量特征对softmax进行训练构建异常检测分类器,从而实现对流量攻击的高性能检测。实验结果表明:该文所提方法可根据实验数据及其分类任务动态调整SDA结构,提取的流量特征具有更高的准确性和鲁棒性,流量攻击检测率高、误报率低。     

An adaptive network traffic prediction approach for LDoS attacks detection

Low‐rate denial of service (LDoS) attacks reduce throughput and degrade quality of service (QoS) of network services by sending out attack packets with relatively low average rate. LDoS attack flows are difficult to detect from normal traffic since it has the property of low average rate. The research on network traffic analysis and modeling shows that network traffic measurement data are irregular nonlinear time series. To characterize and analyze network traffic between attack and non‐attack situations, the adaptive normal and abnormal ν‐support vector regression (ν‐SVR) prediction models are constructed on the basis of the reconstructed phase space. In this paper, the dimension of reconstructed phase space for ν‐SVR is optimized by Bayesian information criteria method, and the parameter in the radial basis function is adaptively adjusted by minimizing the within‐class distance and maximizing the between‐class distance in the feature space. The nonthreshold decision function is obtained through calculating the prediction error of adaptive normal and abnormal ν‐SVR prediction models, which is adopted to detect LDoS attacks. Experiments in NS‐2 environment show that the adaptive ν‐SVR prediction model can effectively predict the network traffic measurement time series, and the probability distribution of time series generated by the adaptive ν‐SVR prediction model is quite similar to that of the network traffic measurement data. Experiments also clearly demonstrate the superiority of the proposed approach in LDoS attacks detection.     

The detection method of low-rate DoS attack based on multi-feature fusion

As a new type of Denial of Service (DoS) attacks, the Low-rate Denial of Service (LDoS) attacks make the traditional method of detecting Distributed Denial of Service Attack (DDoS) attacks useless due to the characteristics of a low average rate and concealment. With features extracted from the network traffic, a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper. An attack feature set containing the Acknowledge character(ACK) sequence number, the packet size, and the queue length is used to classify normal and LDoS attack traffics. Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor (KNN) classifier separately, and to obtain the decision contour matrix. Then a posteriori probability in the matrix is fused, and the fusion decision index D is used as the basis of detecting the LDoS attacks. Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.     

基于PROBE的DDOS攻击检测分析

分布式拒绝服务(DDOS)攻击是目前严重威胁网络安全和影响网站服务质量的一种攻击手段DDOS攻击就是利用多个分布式攻击源向攻击对象发送超出攻击目标处理能力的海量数据包,来消耗可用系统和带宽资源,从而导致网络服务瘫痪的一种攻击.目前有很多方法检测和防御DDOS攻击,传统的检测和防范措施是基于特征匹配的检测往往要求有一定的先验知识难以区分突发正常流量与DDOS攻击.本文通过介绍PROBE技术来检测应对DDOS攻击,并探究了PROBE在DDOS攻击检测中的应用策略.     

Network intrusion and fault detection: a statistical anomaly approach

With the advent and explosive growth of the global Internet and electronic commerce environments, adaptive/automatic network/service intrusion and anomaly detection in wide area data networks and e-commerce infrastructures is fast gaining critical research and practical importance. We present and demonstrate the use of a general-purpose hierarchical multitier multiwindow statistical anomaly detection technology and system that operates automatically, adaptively, and proactively, and can be applied to various networking technologies, including both wired and wireless ad hoc networks. Our method uses statistical models and multivariate classifiers to detect anomalous network conditions. Some numerical results are also presented that demonstrate that our proposed methodology can reliably detect attacks with traffic anomaly intensity as low as 3-5 percent of the typical background traffic intensity, thus promising to generate an effective early warning.     

一种基于暗网的蠕虫早期检测方法

为了对网络蠕虫等网络攻击行为进行早期检测,论文设计实现了一个基于暗网的可视化的早期检测系统,并采用实际网络实验的方法,在某专用网络中进行实验,结果表明该系统在专用网络中比传统入侵检测系统更早发现蠕虫,且时间提前量十分可观。     

基于深度学习的僵尸网络检测技术研究

入侵检测系统通过分析网络流量来学习正常和异常行为,并能够检测到未知的攻击。一个入侵检测系统的性能高度依赖于特征的设计,而针对不同入侵的特征设计则是一个很复杂的问题。因此,提出了一种基于深度学习检测僵尸网络的系统。该系统利用卷积神经网络(Convolutional Neural Network,CNN)和长短期记忆网络(Long Short-Term Memory,LSTM)分别学习网络流量的空间特征和时序特征,而特征学习的整个过程由深度神经网络自动完成,不依赖于人工设计特征。实验结果表明,该系统在僵尸网络检测方面具有良好的表现。     

Denial of service detection using dynamic time warping

With the rapid growth of security threats in computer networks, the need for developing efficient security-warning systems is substantially increasing. Distributed denial-of-service (DDoS) and DoS attacks are still among the most effective and dreadful attacks that require robust detection. In this work, we propose a new method to detect TCP DoS/DDoS attacks. Since analyzing network traffic is a promising approach, our proposed method utilizes network traffic by decomposing the TCP traffic into control and data planes and exploiting the dynamic time warping (DTW) algorithm for aligning these two planes with respect to the minimum Euclidean distance. By demonstrating that the distance between the control and data planes is considerably small for benign traffic, we exploit this characteristic for detecting attacks as outliers. An adaptive thresholding scheme is implemented by adjusting the value of the threshold in accordance with the local statistics of the median absolute deviation (MAD) of the distances between the two planes. We demonstrate the efficacy of the proposed method for detecting DoS/DDoS attacks by analyzing traffic data obtained from publicly available datasets.     

低层网络攻击及检测方法

常规的探作系统因缺乏充足的审计教据使基于主机的入侵检测系统无法检测到低层网络攻击。基于网络的入侵检测系统因只依靠网上教据流而不能检测到所有攻击。本文分析了几种低层IP攻击，在分析的基础上，提出在探作系统的审计记录中添加部分审计教据，使基于主机的入侵检测系统能检测到低层网络攻击。     

Statistical Techniques for Detecting Traffic Anomalies Through Packet Header Data

This paper proposes a traffic anomaly detector, operated in postmortem and in real-time, by passively monitoring packet headers of traffic. The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks, anomalies and to take action to contain the attacks appropriately before they have had time to propagate across the network. In this paper, we suggest a technique for traffic anomaly detection based on analyzing correlation of destination IP addresses in outgoing traffic at an egress router. This address correlation data are transformed using discrete wavelet transform for effective detection of anomalies through statistical analysis. Results from trace-driven evaluation suggest that proposed approach could provide an effective means of detecting anomalies close to the source. We also present a multidimensional indicator using the correlation of port numbers and the number of flows as a means of detecting anomalies.     

Counting bloom filters for pattern matching and anti-evasion at the wire speed

Standard pattern-matching methods used for deep packet inspection and network security can be evaded by means of TCP and IP fragmentation. To detect such attacks, intrusion detection systems must reassemble packets before applying matching algorithms, thus requiring a large amount of memory and time to respond to the threat. In the literature, only a few efforts proposed a method to detect evasion attacks at high speed without reassembly. The aim of this article is to introduce an efficient system for anti-evasion that can be implemented in real devices. It is based on counting Bloom filters and exploits their capabilities to quickly update the string set and deal with partial signatures. In this way, the detection of attacks and almost all of the traffic processing is performed in the fast data path, thus improving the scalability of intrusion detection systems.     

DDoS attack detection in IEEE 802.16 based networks

Achieving high data rate transmission, WiMAX has acquired noticeable attention by communication industry. One of the vulnerabilities of the WiMAX network which leads to DDoS attack is sending a high volume of ranging request messages to base station (BS) in the initial network entry process. In the initial network entry process, BS and subscriber station (SS) exchange management messages. Since some of these messages are not authenticated, malicious SSs can attack the network by exploiting this vulnerability which may increase the traffic load of the BS and prevent it from serving the SSs. So, detecting such attacks is one of the most important issues in such networks. In this research, an artificial neural network (ANN) based approach is proposed in order to detect DDoS attacks in IEEE 802.16 networks. Although lots of studies have been devoted to the detection of DDoS attack, some of them focus just on some statistical features of the traffic and some other focus on packets’ headers. The proposed approach exploits both qualitative and quantitative methods. It detects the attack by feeding some features of the network traffic under attack to an appropriate ANN structure. To evaluate the method, first a typical attacked network is implemented in OPNet simulator, and then by using the proposed system, the efficiency of the method is evaluated. The results show that by choosing suitable time series we can classify 93 % of normal traffic and 91 % of attack traffic.     

基于弱分类器集成的车联网虚假交通信息检测

车联网中车辆以自组织的方式相互报告交通信息,开放的网络环境需要甄别消息,然而,要快速移动的车辆在短时间内检测出大量的交通警报信息是非常困难的。针对这一问题,提出一种基于弱分类器集成的虚假交通信息检测方法。首先,扩充交通警报信息的有效特征,并设计分割规则,将信息的特征集划分为多个特征子集;然后,根据子集特征的不同特性,使用对应的弱分类器分别进行处理。仿真实验和性能分析表明,选用弱分类器集成方法检测车联网中的虚假交通信息减少了检测时间,且由于综合特征的应用,检测率优于仅使用部分特征的检测结果。     

Impact of Packet Sampling on Portscan Detection

Packet sampling is commonly deployed in high-speed backbone routers to minimize resources used for network monitoring. It is known that packet sampling distorts traffic statistics and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of nonvolume-based anomalies, portscans, which are associated with worm/virus propagation. Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely: 1) TRWSYN that performs stateful traffic analysis; 2) TAPS that tracks connection pattern of scanners; and 3) entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider's backbone network. Our results demonstrate that sampling introduces fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives. Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling     

Biologically inspired artificial intrusion detection system for detecting wormhole attack in MANET

A mobile ad hoc network (MANET) does not have traffic concentration points such as gateway or access points which perform behaviour monitoring of individual nodes. Therefore, maintaining the network function for the normal nodes when other nodes do not forward and route properly is a big challenge. One of the significant attacks in ad hoc network is wormhole attack. In this wormhole attack, the adversary disrupts ad hoc routing protocols using higher bandwidth and lower-latency links. Wormhole attack is more hidden in character and tougher to detect. So, it is necessary to use mechanisms to avoid attacking nodes which can disclose communication among unauthorized nodes in ad hoc networks. Mechanisms to detect and punish such attacking nodes are the only solution to solve this problem. Those mechanisms are known as intrusion detection systems (IDS). In this paper, the suggested biological based artificial intrusion detection system (BAIDS) include hybrid negative selection algorithm (HNSA) detectors in the local and broad detection subsection to detect anomalies in ad hoc network. In addition to that, response will be issued to take action over the misbehaving nodes. These detectors employed in BAIDS are capable of discriminating well behaving nodes from attacking nodes with a good level of accuracy in a MANET environment. The performance of BAIDS in detecting wormhole attacks in the background of DSR, AODV and DSDV routing protocols is also evaluated using Qualnet v 5.2 network simulator. Detection rate, false alarm rate, packet delivery ratio, routing overhead are used as metrics to compare the performance of HNSA and the BAIDS technique.     

抵御SYN洪水攻击早期阶段的检测方法

Existing detection methods against SYN flooding attacks are effective only at the later stages when attacking signatures are obvious. In this paper an early stage detecting method （ESDM） is proposed. The ESDM is a simple but effective method to detect SYN flooding attacks at the early stage. In the ESDM the SYN traffic is forecasted by autoregressive integrated moving average model, and non-parametric cumulative sum algorithm is used to find the SYN flooding attacks according to the forecasted traffic. Trace-driven simulations show that ESDM is accurate and efficient to detect the SYN flooding attacks.     

Effective discovery of attacks using entropy of packet dynamics

Network-based attacks are so devastating that they have become major threats to network security. Early yet accurate warning of these attacks is critical for both operators and end users. However, neither speed nor accuracy is easy to achieve because both require effective extraction and interpretation of anomalous patterns from overwhelmingly massive, noisy network traffic. The intrusion detection system presented here is designed to assist in diagnosing and identifying network attacks. This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, to extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner.