Detection of DoS and DDoS Attacks in Information Communication Networks with Discrete Wavelet Analysis

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, January 2012. Copyright © IJCSIS. This is an open access journal distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Oleg I. Sheluhin
Department of Information Security
Moscow Technical University of Communication and Informatics
Moscow, Russia

Aderemi A. Atayero
Department of Electrical and Information Engineering
Covenant University
Ota, Nigeria
Abstract—A method based on discrete wavelet decomposition of traffic data and statistical processing algorithms based on the Fisher and Cochran criteria is proposed for the detection of traffic anomalies in computer and telecommunication networks. Two sliding windows with two different threshold values are employed to reduce the level of false alerts, giving a high level of efficiency in detecting abnormal traffic spikes. The paper likewise presents an algorithm developed for detecting DoS and DDoS attacks based on these statistical criteria. Software implementing the proposed algorithm was developed in Matlab. Data sets made available by the Lincoln Laboratory of MIT (1999 DARPA Intrusion Detection Evaluation) were analyzed as the test sequence. Analysis of the experimental results showed that the decisive test for detecting an attack is whether any one of the statistical criteria exceeds the upper threshold at the stage of coefficient reconstruction.

Keywords—Anomaly, Denial of Service, DDoS, Wavelet transform, DWT, FWT

I. INTRODUCTION

Statistical methods for detecting network attacks are based on a comparison of the statistical characteristics of the packet flow averaged over a relatively short period of time (local characteristics) with the corresponding characteristics over an extended period of time (global data) [1-4]. If the local characteristics differ significantly from the corresponding global characteristics, this indicates anomalous behavior of the packet flow, and a network scan or network attack is highly probable. The problem thus arises of constructing effective methods for calculating the local statistical characteristics over a limited period of time and for determining when the local characteristics deviate anomalously from the global statistical characteristics of the packet flow.

We propose in this paper a method for solving the problem of traffic anomaly detection in computer and telecommunication networks based on discrete wavelet decomposition of the traffic data and a statistical detection algorithm using the Fisher and Cochran criteria [5]. The article also examines the harbingers of abnormal packet flow in the network and the relationship between these harbingers under the different statistical criteria.

Data sets provided by the Lincoln Laboratory of the Massachusetts Institute of Technology (1999 DARPA Intrusion Detection Evaluation) were obtained and used in the analysis; they represent the network traffic collected at the border router of the university network [6]. Each sequence spans approximately 24 hours with a discretization step of 1 s and is presented both as pure ('unadulterated') network traffic without attacks and as adulterated traffic containing different types of anomalies relating to attacks such as denial of service (DoS) and different types of unauthorized network sniffing. The DoS attacks also include distributed DoS attacks (DDoS), which entail the 'owning' of a number of unsuspecting hosts for the purpose of stealthily attacking a single targeted victim computer [7].

II. DISCRETE WAVELET TRANSFORM: MALLAT ALGORITHM

Calculating the wavelet spectrum with continuous variation of the scale parameter $s$ and the shift parameter $u$ is computationally very expensive, and the set of functions $\psi_{s,u}(t)$ is highly redundant. Discretizing these parameters therefore becomes necessary, provided that the signal can still be restored from its transform. Discretization is usually carried out in powers of two, as given in (1):

$$\psi_{j,k}(t) = \frac{1}{\sqrt{s}}\,\psi\!\left(\frac{t-u}{s}\right) = \frac{1}{\sqrt{2^{j}}}\,\psi\!\left(2^{-j}t - k\right) \qquad (1)$$

where $s = 2^{j}$, $u = k\,2^{j}$, and $j$ and $k$ are integers.

In this case the $(u, s)$ plane is mapped onto the corresponding $(j, k)$ grid. The parameter $j$ is the scale parameter, or level of decomposition; a wavelet transform performed with such a scale parameter is called dyadic. The fastest and most commonly used discrete wavelet transform is the so-called fast wavelet transform (FWT), or Mallat algorithm [8]. According to the Mallat algorithm, a signal can be represented as a set of successive rough approximations $A_j(t)$ and exact (detail) components $D_j(t)$, with subsequent refinement by the iterative method (2).
53 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
$$S(t) = A_J(t) + \sum_{j=1}^{J} D_j(t) \qquad (2)$$

Each refinement step corresponds to a given scale $2^{j}$ (i.e. index $j$) of analysis (decomposition) and synthesis (reconstruction) of the signal. Such a wavelet representation of each component of the signal can be viewed both in the time and in the frequency domain. For example, in the first step of the algorithm the input signal $S(t)$ decomposes into two components (3):

$$S(t) = A_1(t) + D_1(t) = \sum_{k} a_{1k}\,\varphi_{1k}(t) + \sum_{k} d_{1k}\,\psi_{1k}(t) \qquad (3)$$

where $\psi_{1k}(t)$ is the wavelet, $\varphi_{1k}(t)$ is the wavelet generating (scaling) function, and $a_1$, $d_1$ are the coefficients of the approximation and detail components at level 1, respectively.

One of the advantages of the wavelet transform is that it makes it possible to analyze the signal in the time-frequency domain, and hence to investigate the anomalous process separately from the other components. The essence of the wavelet decomposition algorithm is that the splitting of the signal components is done not only in the low-frequency domain but also in the high-frequency region: the splitting (decomposition) operation is applied to any of the resulting high-frequency components, and so on down the frequency scale. Further, through adaptive reconstruction of the wavelet coefficients of the wavelet domains that contain elements of the traffic anomaly, it is possible to confirm the parameters of the anomaly and increase the reliability of detection. Employing the wavelet packet transform with a sliding window makes it possible to reduce computational complexity by eliminating redundant computation: keeping the windows and the already computed parts of the coefficients in memory avoids redundant re-computation and speeds up the algorithm, at the cost of increased memory usage.

The number of $a_{1k}$ and $d_{1k}$ coefficients is half that of the original signal. The next iteration step, for level two, is executed in the same way on the approximations obtained at level 1. In practice, the highest level of decomposition is determined by the number $n_0 - 1$, where the number of discrete values of the signal is $N = 2^{n_0}$. As a result, at each decomposition level $j$ we have a sequence of approximation coefficients $a_j$ and detail coefficients $d_j$ of length $N/2^{j}$ each, and the original signal can be regenerated from equation (4):

$$S(t) = \sum_{k} a_{Jk}\,\varphi_{Jk}(t) + \sum_{j=1}^{J}\sum_{k} d_{jk}\,\psi_{jk}(t) \qquad (4)$$

The number of multiplications in the direct FWT is $2LN$, where $L = 2n$. The same number of operations is necessary for the reconstruction of the signal; thus, for the signal analysis and synthesis in the wavelet basis, $4LN$ operations must be executed, which is fewer than the $N\log_2 N$ operations of the fast Fourier transform.

A. Method

We consider the detection of network traffic anomalies based on the discrete wavelet transform using statistical criteria. To adapt this method to the analysis of real-time traffic, the technique of two sliding windows W1 and W2 moving in time with a given step is employed, noting the value of the traffic at the time boundaries of each window. The use of sliding windows increases the reliability of detection of even minor abnormalities. It is known that the spectral power density of the "traffic-time" series has peaks at certain frequencies in the presence of anomalies; wavelet analysis allows traffic anomalies to be detected on the basis of the differences between the spectra of normal and abnormal traffic.

We will call window W1 the 'comparison window' and window W2 the 'detection window'. Let the sizes of windows W1 and W2 be $w_1$ and $w_2$ time units respectively, such that $w_1 > w_2$. Then at an arbitrary time $t$ the window W2 is anchored at the point $t$ and contains the $w_2$ traffic values of the interval from $t - w_2$ to $t$. Window W1 contains the $w_1$ values from $t - w_2 - w_1$ to $t - w_2$.

Performing the FWT on the samples within each window at each time $t_i$, we obtain at a given scale level $j$ the approximation coefficients $a^{1}_{j1}, a^{1}_{j2}, \ldots, a^{1}_{jn}$ and detail coefficients $d^{1}_{j1}, d^{1}_{j2}, \ldots, d^{1}_{jn}$ for window W1, and the approximation coefficients $a^{2}_{j1}, a^{2}_{j2}, \ldots, a^{2}_{jm}$ and detail coefficients $d^{2}_{j1}, d^{2}_{j2}, \ldots, d^{2}_{jm}$ for window W2. The numbers $n$ and $m$ of coefficients at level $j$ are given by expressions (5) for windows W1 and W2 respectively:

$$n = \frac{w_1}{2^{j}}, \qquad m = \frac{w_2}{2^{j}} \qquad (5)$$

These coefficients are tested using statistical criteria, and decisions about cardinal differences in the analyzed parameters between windows W1 and W2 are based on the acceptance or rejection of statistical hypotheses; hence the presence or absence of anomalies is determined. Analysis of both the approximation and the detail coefficients shows that an anomaly can already be seen at the first level of wavelet decomposition. Therefore, the FWT is carried out at the first decomposition level until the special statistical threshold conditions described below are exceeded.
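As an added worked example (not code from the paper or from its MATLAB software), the following pure-Python implementation of the Mallat scheme shows equations (2) to (5) in action: `fwt` splits a signal into the approximation $a_J$ and the details $d_1 \ldots d_J$, each of length $N/2^{j}$; `ifwt` reassembles it by equation (4); `window_coefficient_counts` is expression (5); and `spike_location` maps the largest detail coefficient at level $j$ back to sample time, which illustrates why a traffic spike is already visible at level 1 and why the time resolution degrades at higher levels. The page does not name the mother wavelet, so the Haar filters are the example's choice, and the 32-sample trace with one burst is constructed for illustration.

```python
"""Mallat fast wavelet transform (FWT) with the Haar wavelet, in pure Python.
Added example; the Haar filters and the constructed trace are the example's own."""
import math

SQRT2 = math.sqrt(2.0)

def haar_step(signal):
    """One refinement step (eq. 3): returns (a, d), each half the length of the input."""
    if len(signal) % 2:
        raise ValueError("a dyadic step needs an even number of samples")
    approx = [(signal[i] + signal[i + 1]) / SQRT2 for i in range(0, len(signal), 2)]
    detail = [(signal[i] - signal[i + 1]) / SQRT2 for i in range(0, len(signal), 2)]
    return approx, detail

def fwt(signal, levels):
    """Decompose to level J (eq. 2): returns a_J and [d_1, ..., d_J];
    a_j and d_j hold N / 2**j coefficients each."""
    approx, details = list(signal), []
    for _ in range(levels):
        approx, detail = haar_step(approx)
        details.append(detail)
    return approx, details

def ifwt(approx, details):
    """Inverse Mallat step (eq. 4): rebuild the signal from a_J and d_J, ..., d_1."""
    signal = list(approx)
    for detail in reversed(details):
        rebuilt = []
        for a_k, d_k in zip(signal, detail):
            rebuilt.append((a_k + d_k) / SQRT2)  # even sample of the pair
            rebuilt.append((a_k - d_k) / SQRT2)  # odd sample of the pair
        signal = rebuilt
    return signal

def max_level(n_samples):
    """Highest decomposition level n0 - 1 for N = 2**n0 samples, as stated in Section II."""
    n0 = int(math.log2(n_samples))
    if 2 ** n0 != n_samples:
        raise ValueError("N must be a power of two")
    return n0 - 1

def window_coefficient_counts(w1, w2, level):
    """Eq. (5): n = w1 / 2**j coefficients for W1 and m = w2 / 2**j for W2."""
    return w1 // 2 ** level, w2 // 2 ** level

def spike_location(detail, level):
    """Sample index of the largest |d_{j,k}|: coefficient k at level j covers the
    samples [k * 2**j, (k + 1) * 2**j), so a burst is localised to 2**j samples."""
    k = max(range(len(detail)), key=lambda i: abs(detail[i]))
    return k * 2 ** level

def demo():
    """Constructed 32-sample trace: steady 100 pps with one burst of 900 pps at t = 20."""
    trace = [100.0] * 32
    trace[20] = 900.0
    a3, (d1, d2, d3) = fwt(trace, 3)
    reconstructed = ifwt(a3, [d1, d2, d3])
    error = max(abs(x - y) for x, y in zip(trace, reconstructed))
    return {
        "lengths": (len(a3), len(d1), len(d2), len(d3)),  # (4, 16, 8, 4)
        "burst_at_level1": spike_location(d1, 1),         # 20
        "burst_at_level3": spike_location(d3, 3),         # 16: only localised to [16, 24)
        "reconstruction_error": error,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At level 1 the burst is pinned to its exact second; at level 3 the same burst can only be placed within an 8-second bin, which is the loss of time resolution at higher levels that the discussion in Section IV attributes the extra false alarms to.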
III. ANOMALY DETECTION ALGORITHM

We describe an algorithm for detecting abnormal spikes based on statistical criteria that determine changes in the variance and in the mean of the wavelet transform coefficients. Fisher's criterion is proposed for detecting anomalies expressed as a change in variance, while the Cochran criterion is used to detect changes in the mean value [5].

Fisher's criterion is used to detect changes in the variances of the samples in windows W1 and W2. The sample distribution is assumed Gaussian. At any given time $t$, two statistical hypotheses are proposed at scale level $j$ about the equality of the variances of the two samples $d^{1}_{j1}, d^{1}_{j2}, \ldots, d^{1}_{jn}$ and $d^{2}_{j1}, d^{2}_{j2}, \ldots, d^{2}_{jm}$:

a) the null hypothesis $H_0\!: \sigma^{2}_{1,j,t} = \sigma^{2}_{2,j,t}$, and
b) the alternative hypothesis $H_1\!: \sigma^{2}_{1,j,t} \neq \sigma^{2}_{2,j,t}$.

The algorithm for detecting spikes in a Gaussian process based on the analysis of anomalous variation of the variances can be written as:

$$F_{j,t} = \frac{\sigma^{2}_{1,j,t}}{\sigma^{2}_{2,j,t}} \qquad (6)$$

where:

$\sigma^{2}_{1,j,t} = \frac{1}{n-1}\sum_{k=1}^{n}\left(d^{1}_{jk} - \bar d^{\,1}_{j}\right)^{2}$ is the sample variance of the sequence of details at scale level $j$ in window W1;

$\sigma^{2}_{2,j,t} = \frac{1}{m-1}\sum_{k=1}^{m}\left(d^{2}_{jk} - \bar d^{\,2}_{j}\right)^{2}$ is the sample variance of the sequence of details at scale level $j$ in window W2;

$\bar d^{\,1}_{j} = \frac{1}{n}\sum_{k=1}^{n} d^{1}_{jk}$ and $\bar d^{\,2}_{j} = \frac{1}{m}\sum_{k=1}^{m} d^{2}_{jk}$ are the sample means of the sequences of details at scale level $j$ in windows W1 and W2 respectively.

The Cochran criterion is used to detect changes in the sample mean of the approximations $a^{1}_{j1}, a^{1}_{j2}, \ldots, a^{1}_{jn}$ and $a^{2}_{j1}, a^{2}_{j2}, \ldots, a^{2}_{jm}$. The algorithm for detecting spikes in the traffic data based on the analysis of anomalous changes in the sample mean values is expressed as:

$$G_{j,t} = \frac{\bar a^{\,1}_{j} - \bar a^{\,2}_{j}}{\sigma_{j,t}} \qquad (7)$$

where (the numerator of (7) is not legible in the source and is taken here as the difference of the two sample means, which is the form implied by the definitions that follow):

$\sigma^{2}_{1,j,t} = \frac{1}{n-1}\sum_{k=1}^{n}\left(a^{1}_{jk} - \bar a^{\,1}_{j}\right)^{2}$ is the sample variance of the sequence of approximations at scale level $j$ in window W1;

$\sigma^{2}_{2,j,t} = \frac{1}{m-1}\sum_{k=1}^{m}\left(a^{2}_{jk} - \bar a^{\,2}_{j}\right)^{2}$ is the sample variance of the sequence of approximations at scale level $j$ in window W2;

$\sigma^{2}_{j,t} = \frac{\sigma^{2}_{1,j,t}}{n} + \frac{\sigma^{2}_{2,j,t}}{m}$ is the normalized sum of the sample variances of the approximations in windows W1 and W2;

$\bar a^{\,1}_{j} = \frac{1}{n}\sum_{k=1}^{n} a^{1}_{jk}$ and $\bar a^{\,2}_{j} = \frac{1}{m}\sum_{k=1}^{m} a^{2}_{jk}$ are the sample means of the sequences of approximations at scale level $j$ in windows W1 and W2 respectively.

Summarizing the procedure above, the algorithm for detecting anomalies based on the discrete wavelet transform is as follows. The following actions are taken for each current window position at time $t$:

STEP 1. Perform the fast wavelet transform for the 1st decomposition level on the samples of windows W1 and W2 according to equation (4).

STEP 2. Compute the Fisher statistic from the detail coefficients $d_j$ according to equation (6).

STEP 3. Compute the Cochran statistic from the approximation coefficients $a_j$ according to equation (7).

STEP 4. Compute two thresholds for each statistic from the accepted confidence levels: the lower threshold at $p_1 = 0.95$ and the upper threshold at $p_2 = 0.999$.

STEP 5. Compare the current values of the Fisher and Cochran statistics with their thresholds: if either is lower than its lower threshold, go to step 6; if, on the other hand, either is higher than its upper threshold, go to step 7.

STEP 6. Perform a further FWT at the next decomposition level $j$. This step is executed only if the current decomposition level $j$ is not greater than the maximum for the particular sequence. Repeat steps 2 to 5 for the current level $j$.

STEP 7. Reconstruct the coefficients for the level at which the upper threshold was exceeded, i.e. restore the approximation component $A_j = \sum_{k} a_{jk}\,\varphi_{jk}(t)$ and the detail component $D_j = \sum_{k} d_{jk}\,\psi_{jk}(t)$. The existence of an anomaly is documented only if any of the statistical criteria exceeds its upper threshold; otherwise there is no anomaly and the window moves on.

Thus, the decisive test for detecting an attack is that one of the statistical criteria exceeds its upper threshold at the stage of coefficient reconstruction.

IV. DISCUSSION: THE DEVELOPED SOFTWARE

Software with a graphical user interface was developed in MATLAB in accordance with the proposed algorithm. The main window during analysis of a sequence is shown in Figure 1. The top graph in Figure 1 shows a realization of network traffic with attacks and the sliding window process. The middle and bottom graphs show the Fisher and Cochran statistics, respectively, calculated in real time. The red and yellow lines represent the upper and lower thresholds respectively. These graphs depict only the first decomposition level of the fast wavelet transform.

If the conditions described in step 7 of the algorithm hold, the occurrence of an attack and the moment of its first occurrence are documented. The attacks are shown as red vertical lines in the trace (top) graph, and the number of attacks recorded in the whole sequence is displayed at the bottom of the GUI; in this case five attacks have been documented (shown as '5'). It can clearly be seen that the anomaly in the region of 6×10^4 s (the exponent is illegible in the source; 10^4 is consistent with the roughly 86 400 one-second samples of a 24-hour trace) is a typical DoS attack. It was well detected by both criteria (exceeding the red upper threshold) at each FWT decomposition level. Moreover, Fisher's criterion detects this attack much more clearly, as can be seen from the size of the spike and by how much it exceeds the threshold on its graph.

Figure 1. Sequence Analysis Program Graphical User Interface

It is observed that the majority of the anomalies occur at the initial decomposition level 1, and some of the anomalies would have been missed if the decomposition had been started at higher levels. We also observe that the number of false alarms is higher at higher decomposition levels. This is most likely due to the low time resolution of the DWT at higher levels and, consequently, the small confidence coefficients there.

A comparison of the interdependence of the crucial statistics shows that, as the determinant statistic for detecting abnormal spikes in the mean value of the approximation coefficients, Fisher's criterion is more efficient than Cochran's. This is explained by taking into account the non-Gaussian nature of the critical statistic in the case of Fisher's criterion.

V. CONCLUSION

We have presented in this paper an algorithm for detecting denial of service (DoS) and distributed denial of service (DDoS) attacks in information communication networks using discrete wavelet analysis. The proposed algorithm was tested by developing software based on it in the Matlab environment. Analysis of the experimental results obtained using the proposed algorithm and the developed software corroborates our submission on the accuracy of the proposed algorithm in detecting DoS and DDoS attacks.
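The procedure of Section III, written out as an added example (not the authors' MATLAB program) in pure Python, with the packets-per-second traces constructed inline. It follows steps 1 to 5 and 7 at decomposition level 1, as in Figure 1: a level-1 Haar FWT of each window, the Fisher statistic on the details and the Cochran statistic on the approximations, two thresholds per statistic, and an alarm when either statistic exceeds its upper threshold; the level escalation of step 6 is left out. Three choices are the example's own, not the paper's: the Fisher ratio is taken with the larger sample variance on top (the two-sided F-test convention), so that a burst in the detection window W2 drives it upward, whereas equation (6) literally divides the W1 variance by the W2 variance; the Cochran statistic uses the absolute mean difference; and the thresholds are the empirical 0.95 and 0.999 quantiles of each statistic measured on an attack-free calibration trace, in place of confidence-interval quantiles of the F and t distributions. The window sizes (256 s and 32 s), the background rate and the flood parameters are assumptions.

```python
"""Sliding-window Fisher/Cochran detector on level-1 Haar wavelet coefficients.
Added example in pure Python; the traffic traces are constructed inline."""
import math
import random
from statistics import quantiles

SQRT2 = math.sqrt(2.0)
W1, W2 = 256, 32                     # assumed window sizes in 1 s samples, w1 > w2
FLOOD_START, FLOOD_LEN = 2000, 200   # constructed flood inside the test trace

def _mean(xs):
    return sum(xs) / len(xs)

def _var(xs):
    """Unbiased sample variance 1/(n-1) * sum (x - mean)^2, as defined under (6)."""
    mu = _mean(xs)
    return sum((x - mu) ** 2 for x in xs) / (len(xs) - 1)

def haar_level1(x):
    """One Mallat step (eq. 3) with the Haar wavelet: (a_1, d_1) of one window."""
    pairs = range(0, len(x) - 1, 2)
    return ([(x[i] + x[i + 1]) / SQRT2 for i in pairs],
            [(x[i] - x[i + 1]) / SQRT2 for i in pairs])

def fisher_stat(d_w1, d_w2):
    """Eq. (6) in two-sided form: larger detail variance over the smaller one,
    so a variance jump in either window moves the statistic upward."""
    v1, v2 = _var(d_w1), _var(d_w2)
    if min(v1, v2) == 0.0:
        return float("inf") if max(v1, v2) > 0.0 else 1.0
    return max(v1, v2) / min(v1, v2)

def cochran_stat(a_w1, a_w2):
    """Eq. (7): |mean difference| of the approximations over the normalized
    variance sum sqrt(var1/n + var2/m)."""
    n, m = len(a_w1), len(a_w2)
    sigma = math.sqrt(_var(a_w1) / n + _var(a_w2) / m)
    return abs(_mean(a_w1) - _mean(a_w2)) / sigma if sigma > 0.0 else 0.0

def window_stats(trace, w1=W1, w2=W2):
    """(t, F, G) at every position: W2 = trace[t-w2:t], W1 = trace[t-w2-w1:t-w2]."""
    out = []
    for t in range(w1 + w2, len(trace) + 1):
        a1, d1 = haar_level1(trace[t - w2 - w1:t - w2])
        a2, d2 = haar_level1(trace[t - w2:t])
        out.append((t, fisher_stat(d1, d2), cochran_stat(a1, a2)))
    return out

def calibrate(clean_trace, p_low=0.95, p_high=0.999):
    """Step 4: (lower, upper) threshold per statistic, taken here as the empirical
    p_low and p_high quantiles of the statistic on attack-free traffic."""
    stats = window_stats(clean_trace)
    thresholds = {}
    for name, col in (("fisher", 1), ("cochran", 2)):
        cuts = quantiles([s[col] for s in stats], n=1000, method="inclusive")
        thresholds[name] = (cuts[round(p_low * 1000) - 1], cuts[round(p_high * 1000) - 1])
    return thresholds

def detect(trace, thresholds):
    """Steps 1-5 and 7 at level 1: alarm when either statistic exceeds its upper
    threshold; windows that only pass a lower threshold are listed as suspects."""
    alarms, suspects = [], []
    for t, f, g in window_stats(trace):
        if f > thresholds["fisher"][1] or g > thresholds["cochran"][1]:
            alarms.append(t)
        elif f > thresholds["fisher"][0] or g > thresholds["cochran"][0]:
            suspects.append(t)
    return alarms, suspects

def synthetic_trace(n, flood_start=None, flood_len=0, seed=1):
    """Constructed packets-per-second series: Gaussian background around 100 pps,
    optionally overwritten by a noisier flood around 2000 pps (volumetric DoS)."""
    rng = random.Random(seed)
    trace = [rng.gauss(100.0, 10.0) for _ in range(n)]
    if flood_start is not None:
        for i in range(flood_start, min(n, flood_start + flood_len)):
            trace[i] = rng.gauss(2000.0, 300.0)
    return trace

def run_demo():
    """Calibrate on one clean trace, then scan a second trace that carries the flood."""
    thresholds = calibrate(synthetic_trace(4096, seed=7))
    alarms, suspects = detect(synthetic_trace(4096, FLOOD_START, FLOOD_LEN, seed=11), thresholds)
    return thresholds, alarms, suspects

if __name__ == "__main__":
    thr, alarms, suspects = run_demo()
    print("thresholds (lower, upper):", thr)
    print("first alarm after flood start: t =", min(t for t in alarms if t >= FLOOD_START))
    print("alarm windows:", len(alarms), "suspect windows:", len(suspects))
```

Running the block prints the calibrated thresholds and the first alarm, which falls on the first window that contains a flood sample: the pair straddling the onset produces one huge level-1 detail coefficient, so the Fisher ratio jumps by two to three orders of magnitude before the Cochran statistic has moved. Because W1 slides as well, a sustained flood eventually fills both windows and both statistics fall back into their nominal range, so this detector marks the onset (and, symmetrically, the end) of an attack rather than its whole duration; a deployment that needs the duration should freeze the comparison window once an alarm fires.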
ACKNOWLEDGEMENT

The authors appreciate the Lincoln Laboratory of the Massachusetts Institute of Technology for making the 1999 DARPA Intrusion Detection Evaluation data sets used in this study freely available on the Internet.

REFERENCES

[1] R. Kwitt, "A Statistical Anomaly Detection Approach for Detecting Network Attacks," 6QM Workshop, Salzburg, 14 December 2004.
[2] L. Feinstein and D. Schnackenberg, "Statistical Approaches to DDoS Attack Detection and Response," Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'03), April 2003.
[3] V. A. Mahadik, X. Wu and D. S. Reeves, "Detection of Denial of QoS Attacks Based On χ² Statistic And EWMA Control Charts," NC State University, Raleigh, http://arqos.csc.ncsu.edu/papers/2002-02-usenixsec-diffservattack.pdf
[4] N. Ye and Q. Chen, "An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems," Quality and Reliability Engineering International, Vol. 17, No. 2, pp. 105-112, 2001.
[5] E. L. Miller, "Efficient computational methods for wavelet domain signal restoration problems," IEEE Transactions on Signal Processing, vol. 47, no. 4, pp. 1184-1188, Apr. 1999.
[6] DARPA Intrusion Detection Data Sets, accessed 11.01.2012, available at: http://bit.ly/xuCDby
[7] O. I. Sheluhin, A. A. Atayero and A. B. Garmashev, "Detection of Teletraffic Anomalies Using Multifractal Analysis," Proceedings of the IEEE 11th International Conference on ITS Telecommunications (ITST-2011), ISBN 978-1-61284-670-5, DOI: 10.1109/ITST.2011.6060160, 23-25 Aug. 2011, St. Petersburg, Russia.
[8] S. Mallat, A Wavelet Tour of Signal Processing: The Sparse Way, 3rd Edition, Academic Press, USA, 2009.

AUTHORS PROFILE

Oleg I. Sheluhin was born in Moscow, Russia in 1952. He obtained an M.Sc. degree in Radio Engineering in 1974 from the Moscow Institute of Transport Engineers (MITE). He later enrolled at Lomonosov State University (Moscow) and graduated in 1979 with a second M.Sc. in Mathematics. He received a PhD at MITE in 1979 in Radio Engineering and earned a D.Sc. degree in Telecommunication Systems and Devices from Kharkov Aviation Institute in 1990. The title of his PhD thesis was 'Investigation of interfering factors influence on the structure and activity of noise short-range radar'. He is currently Head of the Department of Information Security, Moscow Technical University of Communication and Informatics, Russia. He was Head of the Radio Engineering and Radio Systems Department of Moscow State Technical University of Service (MSTUS).

Prof. Sheluhin is a member of the International Academy of Sciences of Higher Educational Institutions. He has published over 15 scientific books and textbooks for universities and more than 250 scientific papers. He is the Chief Editor of the scientific journal Electrical and Informational Complexes and Systems and a member of the editorial boards of various scientific journals. In 2004 the Russian President awarded him the honorary title 'Honored Scientific Worker of the Russian Federation'.

Aderemi A. Atayero graduated from the Moscow Institute of Technology (MIT) with a B.Sc. degree in Radio Engineering and an M.Sc. degree in Satellite Communication Systems in 1992 and 1994 respectively. He earned a Ph.D. in Telecommunication Engineering/Signal Processing from Moscow State Technical University of Civil Aviation, Russia in 2000.

He is a member of a number of professional associations, including the Institute of Electrical and Electronics Engineers (IEEE) and the International Association of Engineers (IAENG), and is a professional member of the International Who's Who Historical Society (IWWHS), among others. He is a registered engineer with the Council for the Regulation of Engineering in Nigeria (COREN). He is a two-time Head of the Department of Electrical and Information Engineering, Covenant University, Nigeria, and was the coordinator of the School of Engineering of the same University.

Dr. Atayero is widely published in international peer-reviewed journals, proceedings, and edited books. He is on the editorial board of a number of highly reputed international journals. Atayero is a recipient of the '2009/10 Ford Foundation Teaching Innovation Award'. His current research interests are in Radio and Telecommunication Systems and Devices; Signal Processing and Converged Multi-service Networks.