"Detection of DoS and DDoS Attacks in Information Communication Networks with Discrete Wavelet Analysis"
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012 Detection of DoS and DDoS Attacks in Information Communication Networks with Discrete Wavelet Analysis Oleg I. Sheluhin Aderemi A. Atayero Department of Information Security Department of Electrical and Information Engineering Moscow Tech. Univ. of Communication and Informatics Covenant University Moscow, Russia Ota, Nigeria Abstract—A method based on discrete wavelet decomposition of Datasets provided by the Lincoln Laboratory Massachusetts traffic data and statistical processing algorithms based on Fisher Institute of Technology (1999 DARPA Intrusion Detection and Cochran criteria are proposed for detection of traffic Evaluation) were obtained and used in the analysis, anomaly in computer and telecommunication networks. Two representing the network traffic collected at the border router of sliding windows with two different threshold values are employed the university network . Each sequence spanning to reduce the level of false alerts. A high efficiency level of approximately 24 hours with discretization step of 1s is detection of abnormal traffic spikes is thus guaranteed. The presented as pure 'unadulterated' network traffic without attack, paper likewise presents an algorithm developed for detecting DoS as well as in the form of adulterated traffic with different types and DDoS attacks based on these statistical criteria. Software is of anomalies relating to attacks such as denial of service (DoS) developed in Matlab based on the proposed algorithm. Data sets made available by the Lincoln Laboratory of MIT (1999 DARPA and different types of unauthorized network sniffing. DoS Intrusion Detection Evaluation) were analyzed as the test attacks also incorporate distributed DoS attacks (DDoS), which sequence. Analysis of experimental results revealed that the entail the 'owning' of a number of unsuspecting host computers ultimate test for detecting an attack is to check if any one of the for the purpose of stealthy attacking a targeted single victim statistical criteria exceeds the upper threshold at the stage of computer . coefficients reconstruction. II. DISCRETE WAVELET TRANSFORM: MALLAT Keywords-Anomaly, Denial of Service, DDoS, Wavelet ALGORITHM transform, DWT, FWT Huge costs in computational power will be incurred for calculating the wavelet spectrum with continuous change of the I. INTRODUCTION s and u parameters. The set of ����!" (����) function has a high level Statistical methods for detecting network attacks are based of redundancy. Discretization of these parameters becomes on a comparison of the statistical characteristics of packet flow, necessary with the possibility of restoring a signal from its averaged over a relatively short period of time (local transformation. Discretization is usually carried out in powers characteristics), with appropriate characteristics for an extended of two as given in (1): period of time (global data) [1 - 4]. If the local characteristics differ significantly from the corresponding 1 ���� − ���� 1 ���� !,! ���� = ���� = ���� 2!! ���� − ���� (1) global characteristics, it is indicative of an anomalous behavior ���� ���� 2! of packet flow, and an attempt to scan the network or network attack is highly probable. The problem thus arises of ! where ���� = 2 , ���� = ����2 ! , j and k – whole numbers. constructing effective methods for calculating the local statistical characteristics for a limited period of time and In this case, the u, s plane is into the corresponding j,k grid. determination of local characteristics of the anomalous The parameter j is the scale parameter or the level deviation from the global statistical characteristics of the packet of decomposition; the wavelet transform performed with such flow. scale parameter is called dyadic. The fastest and most We propose in this paper a method for solving the problems of commonly used discrete wavelet transform is the so-called fast traffic anomaly detection in computer and telecommunication wavelet transform (FWT) or Mallat algorithm . In networks based on discrete wavelet decomposition of traffic accordance with the Mallat algorithm, a signal can be data and statistical detection algorithm using Fisher's and represented as a set of successive rough approximations Cochran criteria . The article also examines the harbingers A j (t) and exact (detailed) D j (t) components with their of abnormal packet flow in the network and the relationship subsequent refinement using the iterative method (2). between these harbingers using different statistical criteria. 53 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012 ! necessary for the reconstruction of the signal. Thus, for the ���� ���� = ����! ���� + ����! ���� (2) signal analysis–synthesis in the wavelet basis, 4LN operations !!! must be executed, which is less than the number of operations for the fast Fourier transform (���� log ! ����). Each refinement step corresponds to a given scale 2 j (i.e. index j) of analysis (decomposition) and synthesis A. Method (reconstruction) of the signal. Such wavelet representation of We consider the detection of network traffic anomalies each component of the signal can be viewed both in the time based on discrete wavelet transform using statistical and frequency domains. For example in the first step of the criteria. To adapt this method to the analysis of real-time algorithm, the input signal S(t) decomposes into two traffic the technique of two sliding windows W1 and W2, components (3): moving in time with a given step is employed, while noting the value of traffic located at the time boundaries of each window. ���� ���� = ����! ���� + ����! ���� = ����! ����! ���� + ����! ����! ���� (3) ! ! The use of "sliding window" allows for the increase in where ψ 1k (t ) - wavelet, φ1k (t ) - wavelet generating function, reliability of the detection of even minor abnormalities. It is a1, d1 – Coefficients of the approximate and detailed known that the spectral power density of the time series of components at level 1, respectively. "traffic–time", in the presence of anomalies, has peaks at a certain frequencies. Wavelet analysis allows for the detection One of the advantages of wavelet transform is that it provides of traffic anormalies on the basis of differences in the spectra an opportunity to analyze the signal in the frequency-time of normal and abnormal traffic. We will consider window domain, thus allowing for the investigation of the anomalous W1 as 'comparison window' and the window W2 as a 'detection process vis-a-vis other components. The essence of the window'. Let the size of each window W1 and W2 be selected time units respectively, such that W1 > W2. Then at an wavelet decomposition algorithm is that splitting of signal arbitrary time t the beginning of the window W2 will be at the components is done not only low frequency domain, but also point t, and it would contain w2 traffic values for the time in the high frequency region. With this algorithm, the interval spanning from t–w2 to t. The W1 window will contain operation of splitting or decomposition is applied to any of the W1 values from t–w2–w1 to t–w2. resulting high-frequency component, and so on down the frequency scale. Further, through the adaptive reconstruction Performing FWT for samples within each of the windows at of wavelet coefficients of the different wavelet domains each time ti, we get at a certain scale level j, a set of containing elements of traffic anomalies, it is possible to coefficients ����!! , ����!! , ����!! , ⋯ , ����!" !,! for the W1 confirm the parameters of anomalies and increase the (approximation) window and another set reliability of detection. Employing wavelet packet transform ����!! , ����!! , ����!! , ⋯ , ����!" !,! for the W2 (detail) window; method with a sliding window makes it possible to reduce computational complexity by eliminating computation ����!! , ����!! , ����!! , ⋯ , ����!" for the W1 (approximation) !,! redundancy The use of windows and remembering parts of the window and ����!! , ����!! , ����!! , ⋯ , ����!" for the W2 (detail) coefficients in memory effectively eliminates the need for !,! redundant re-computations, hence speeding up the window. The quality of n and m coefficients at level j is gotten computation algorithm increasing memory usage. from expressions (5) for windows W1 and W2 respectively: The number of ����!! and d1k coefficients is reduced by half ����1 ����2 ���� = ! ; ���� = ! 5 compared to the original signal. The next iteration step for 2 2 level two is executed with the approximations obtained at level 1 in a similar way. In practice, the highest level of These coefficients are tested using statistical criteria, and decomposition is determined by the number n0–1 discrete decisions on the cardinal differences of the analyzed values of the signal ���� = 2!! . As a result, at each level of j parameters between windows W1 and W2 will be based on the decomposition we have a sequence of coefficients of the acceptance or rejection of statistical hypotheses and hence the approximation ����! and detailed ����! of length ����/2 ! each, and the presence of anomalies or the absence thereof will be determined. Analysis of both approximate and detailed original signal can be regenerated from equation (4): coefficients shows that anomaly can be seen at the first level ! of wavelet decomposition. Therefore, FWT will be carried out ���� ���� = ����! ���� ���� ���� + ����! ���� ����! ���� 4 on the first decomposition level, until the special statistical thresholds conditions as described below are exceeded. !!! The number of multiplications in the direct FWT will be 2LN, where L = 2n. The same number of operations is 54 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012 III. ANOMALY DETECTION ALGORITHM ! ! ����! = ���� – sample mean of a sequence of details on a ! !!! !" We describe an algorithm for detecting abnormal spikes scale level j in window W2; based on statistical criteria used to determine changes in the ! ! ! ! ����! = ���� and ����! = ���� – sample mean of sample variance and the mean of the coefficients of the wavelet ! !!! !" ! !!! !" sequence of details on a scale level j in window W1 and W2 transform. Fisher's criterion is proposed for detecting respectively. anomalies expressed as change invariance, while the Cochran criteria is used to detect changes in the mean value . Summarizing the procedure above, an algorithm for The use of Fisher's criterion is proposed for detecting changes implementing the detection of anomalies based on discrete in the variances of samples of windows W1 and W2. The wavelet transform is hereby presented. The following actions sample distribution is considered Gaussian. At any given time are taken for each current window position at time t: t two statistical hypothesis are proposed at scale level j about STEP 1. Perform Fast Wavelet Transform for 1st the equality of the variances of two samples decomposition level on each sample from windows ����!! , ����!! , ����!! , ⋯ , ����!" !,! and ����!! , ����!! , ����!! , ⋯ , ����!" : W1 and W2 according to equation (4); !,! ! ! Compute Fisher statistics based on the details a) the null hypothesis – ����! : ����!,!,! = ����!,!,! and STEP 2. ! b) the alternative hypothesis – ����! : ����!,!,! ≠ ����!,!,! . ! coefficients dj according to equation (6). The algorithm for detection of spikes in Gaussian process STEP 3. Compute Cochran statistics based on the based on the analysis of anomalous variation of variances can approximation coefficients aj according to be written as: equation (7). ! ����!,!,! ����!,! = ! (6) ����!,!,! STEP 4. Compute two thresholds for each statistic based on the accepted values of the confidence intervals with where: the lower threshold of p1 = 0.95, the upper ! !! ! ����!,!,! = ���� − ����! – sample variance of sample threshold p2 = 0.999. !!! !!! !" sequence of details on a scale level j in window W1; ! !! ! STEP 5. Compare the current values of Fisher's and Cochran ����!,!,! = ���� − ����! – sample variance of sample criteria with their thresholds: if either is lower than !!! !!! !" sequence of details on a scale level j in window W1; the lower threshold – go to step 6, if on the other ! ! ����! = ���� – sample mean of a sequence of details on a hand, either is higher than the upper threshold – go to ! !!! !" scale level j in window W1; step 7. ! ! ����! = ���� – sample mean of a sequence of details on a Perform further FWT on the next decomposition level ! !!! !" STEP 6. scale level j in window W2; j. This step is only executed if the current decomposition level j is not greater than the The use of Cochran criterion is proposed for detecting changes maximum for the particular sequence. Repeat step 2 in the mean sample of approximations to step 5 for the current j level. ����!! , ����!! , ����!! , ⋯ , ����!" !,! and ����!! , ����!! , ����!! , ⋯ , ����!" !,! STEP 7. Reconstruct coefficients for the level at which the . The algorithm for detecting spikes in traffic data based on upper threshold was exceeded. To which end the analysis of anomalous change in sample mean values is approximations coefficients ����! = ����! ���� ���� ���� and the expressed as: 1 details coefficients ����! = ����! ���� ���� ���� are restored. The ����!,! = (7) existence of an anomaly is documented only in the ����!,! event of any of the statistical criteria exceeding the where: upper threshold, otherwise, there is no anomaly and ! ����!,!,! = ! ! ���� − ����! ! – sample variance of sample the window moves on. !!! !!! !" sequence of approximations on a scale level j in window W1; Thus, the ultimate test for detecting an attack is exceeding ! ! ! ! ����!,!,! = ���� − ����! – sample variance of sample the upper threshold by one of the statistical criteria at the stage !!! !!! !" sequence of approximations on a scale level j in window W1; of coefficients reconstruction. ! ! !!,!,! !!,!,! ! ����!,! = + – normalized sum of sample variance of IV. DISCUSSIONS: THE DEVELOPED SOFTWARE ! ! details in windows W1 and W2; A software was developed in accordance with this proposed ����! = ! ! ���� – sample mean of a sequence of details on a algorithm with a graphical user interface in MATLAB. The ! !!! !" main window in the process of analyzing the sequence is scale level j in window W1; shown in Figure 1. The top graph in Figure 1 shows an implementation of network traffic with attacks and the sliding 55 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012 moving window process. The middle and bottom graphs show resolution of the DWT in time and consequently, small the Fisher and Cochran parameters calculated in real-time coefficients of confidence at higher levels. respectively. The red and yellow lines represent the upper and lower thresholds respectively. These graphs depict only the A comparison of the inter-dependence of the crucial statistics first decomposition level of the fast wavelet transform. shows that the determinant statistic for detecting abnormal If the conditions described in step 7 of the algorithm above spikes of mean value of the approximation coefficients is more hold, the occurence of an attack as well as its moment of first efficient for Fisher's criteria than it is for Cochran. This is occurrence are documented. The attacks are shown as red explained by taking into account the non-Gaussian nature of vertical lines in the trace (top) graph, and the number of the critical statistics in the case of Fisher's criterion. attacks recorded in the whole sequence is displayed at the base of the GUI, in this case five attacks has been documented V. CONCLUSION (shown as '5'). It can be clearly seen that the anomaly in the We have presented in this paper a proposed algorithm for region of 6×10! is a typical DoS attack. It was well detected detecting denial of service (DoS) and distributed denial of by both criteria (exceeds the red upper threshold) at each FWT service (DDoS) attacks in information communication level of decomposition. Moreover, Fisher's criterion detects networks using discrete wavelet analysis. The proposed this attack much more clearly, this is seen by the size of the algorithm was tested by developing a software based on it in spike and how much it exceeds the threshold of its graph. Matlab environment. Analysis of experimental results obtained using the proposed algorithm and developed software Figure 1. Sequence Analysis Program Graphical User Interface It is observed that majority of the anomalies occur at the initial corroborates our submission on the accuracy of the proposed level of decomposition 1, while some of the anomalies could algorithm in detecting DoS and DDoS attacks. have been missed if decomposition was started higher levels. We also observe that the number of false alarms are more at higher decomposition levels. This is most likely due to the low 56 http://sites.google.com/site/ijcsis/ ISSN 1947-5500 (IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012 ACKNOWLEDGEMENT Oleg I. Sheluhin was born in Moscow, Russia in 1952. He obtained an M.Sc. Degree in Radio Engineering1974 from the Moscow Institute of Transport The authors appreciate the Lincoln laboratory of Engineers (MITE). He later enrolled at Lomonosov State University Massachusetts Institute Technology for making the (1999 (Moscow) and graduated in 1979 with a Second M.Sc. in Mathematics. He DARPA Intrusion Detection Evaluation) data sets used in this received a PhD at MITE in 1979 in Radio Engineering and earned a D.Sc. Degree in Telecommunication Systems and Devices from Kharkov Aviation study freely available on the Internet. Institute in 1990. The title of his PhD thesis was ‘Investigation of interfering factors influence on the structure and activity of noise short-range radar’. REFERENCES He is currently Head, Department of Information Security, Moscow Technical  Roland Kwitt. A Statistical Anomaly Detection Approach for Detecting University of Communication and Informatics, Russia. He was the Head, Network Attacks. 14th December 2004/ 6QM Workshop, Salzburg. Radio Engineering and Radio Systems Department of Moscow State Technical University of Service (MSTUS).  L.Feinstein and D.Schnackenberg. Statistical Approaches to DDoS Attack Detection and Response. Proceedings of the DARPA Information Prof. Sheluhin is a member of the International Academy of Sciences of Survivability Conference and Expostion (DISCEX’03), April 2003. Higher Educational Institutions. He has published over 15 scientific books and textbooks for universities and has more than 250 scientific papers. He is the  Vinay A.Mahadik, Xiaoyong Wu and Douglas S. Reeves, “Detection of Chief Editor of the scientific journal Electrical and Informational Complexes Denial of QoS Attacks Based On χ 2 Statistic And EWMA Control and Systems and a member of Editorial Boards of various scientific journals. Charts” http://arqos.csc.ncsu.edu/papers/2002-02-usenixsec- In 2004 the Russian President awarded him the honorary title ‘Honored diffservattack.pdf, NC State University, Raleigh. Scientific Worker of the Russian Federation’.  Nong Ye and Qiang Chen. An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems. Aderemi A. Atayero graduated from the Moscow Institute of Technology Quality and Reliability Eng. Int'l, Vol 17, No. 2, P. 105-112, 2001. (MIT) with a B.Sc. Degree in Radio Engineering and M.Sc. Degree in  E.L. Miller , "Efficient computational methods for wavelet domain Satellite Communication Systems in 1992 and 1994 respectively. He earned a signal restoration problems," Signal Processing, IEEE Transactions on , Ph.D in Telecommunication Engineering/Signal Processing from Moscow vol.47, no.4, pp.1184-1188, Apr 1999. State Technical University of Civil Aviation, Russia in 2000.  DARPA Intrusion Detection Data Sets, Accessed: 11.01.2012, available He is a member of a number of professional associations including: the at: http://bit.ly/xuCDby Institute of Electrical and Electronic Engineers, IEEE, the International Association of Engineers, IAENG, and a professional member of the  O.I. Sheluhin, A.A. Atayero, A.B. Garmashev, "Detection of Teletraffic International Who’s Who Historical Society (IWWHS) among others. He is a Anomalies Using Multifractal Analysis", Proceedings of the IEEE 11th registered engineer with the Council for the Regulation of Engineering in International Conference on ITS Telecommunications (ITST-2011), ISBN: 978-1-61284-670-5, DOI: 10.1109/ITST.2011.6060160, 23rd – Nigeria, COREN. He is a two-time Head, Department of electrical and 25th Aug. 2011, St. Petersburg, Russia. Information Engineering, Covenant University, Nigeria. He was the coordinator of the School of Engineering of the same University.  S. Mallat, “A Wavelet Tour of Signal Processing”, 3rd Edition, The Dr. Atayero is widely published in International peer-‐reviewed journals, Sparse Way, Academic Press, USA, 2009. proceedings, and edited books. He is on the editorial board of a number of highly reputed International journals. Atayero is a recipient of the AUTHORS PROFILE ‘2009/10 Ford Foundation Teaching Innovation Award’. His current research interests are in Radio and Telecommunication Systems and Devices; Signal Processing and Converged Multi-‐service Networks. 57 http://sites.google.com/site/ijcsis/ ISSN 1947-5500