(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012. ISSN 1947-5500

Detection of DoS and DDoS Attacks in Information Communication Networks with Discrete Wavelet Analysis

Oleg I. Sheluhin
Department of Information Security
Moscow Tech. Univ. of Communication and Informatics
Moscow, Russia

Aderemi A. Atayero
Department of Electrical and Information Engineering
Covenant University
Ota, Nigeria

Abstract—A method based on discrete wavelet decomposition of traffic data and statistical processing algorithms based on Fisher and Cochran criteria are proposed for detection of traffic anomaly in computer and telecommunication networks. Two sliding windows with two different threshold values are employed to reduce the level of false alerts. A high efficiency level of detection of abnormal traffic spikes is thus guaranteed. The paper likewise presents an algorithm developed for detecting DoS and DDoS attacks based on these statistical criteria. Software is developed in Matlab based on the proposed algorithm. Data sets made available by the Lincoln Laboratory of MIT (1999 DARPA Intrusion Detection Evaluation) were analyzed as the test sequence. Analysis of experimental results revealed that the ultimate test for detecting an attack is to check if any one of the statistical criteria exceeds the upper threshold at the stage of coefficients reconstruction.

Keywords-Anomaly, Denial of Service, DDoS, Wavelet transform, DWT, FWT

I. INTRODUCTION

Statistical methods for detecting network attacks are based on a comparison of the statistical characteristics of packet flow, averaged over a relatively short period of time (local characteristics), with appropriate characteristics for an extended period of time (global data) [1 - 4]. If the local characteristics differ significantly from the corresponding global characteristics, it is indicative of an anomalous behavior of packet flow, and an attempt to scan the network or network attack is highly probable. The problem thus arises of constructing effective methods for calculating the local statistical characteristics for a limited period of time and determination of local characteristics of the anomalous deviation from the global statistical characteristics of the packet flow.

We propose in this paper a method for solving the problems of traffic anomaly detection in computer and telecommunication networks based on discrete wavelet decomposition of traffic data and statistical detection algorithm using Fisher's and Cochran criteria [5]. The article also examines the harbingers of abnormal packet flow in the network and the relationship between these harbingers using different statistical criteria.

Datasets provided by the Lincoln Laboratory Massachusetts Institute of Technology (1999 DARPA Intrusion Detection Evaluation) were obtained and used in the analysis, representing the network traffic collected at the border router of the university network [6]. Each sequence spanning approximately 24 hours with discretization step of 1s is presented as pure 'unadulterated' network traffic without attack, as well as in the form of adulterated traffic with different types of anomalies relating to attacks such as denial of service (DoS) and different types of unauthorized network sniffing. DoS attacks also incorporate distributed DoS attacks (DDoS), which entail the 'owning' of a number of unsuspecting host computers for the purpose of stealthily attacking a targeted single victim computer [7].

II. DISCRETE WAVELET TRANSFORM: MALLAT ALGORITHM

Huge costs in computational power will be incurred for calculating the wavelet spectrum with continuous change of the s and u parameters. The set of $\psi_{s,u}(t)$ functions has a high level of redundancy. Discretization of these parameters becomes necessary with the possibility of restoring a signal from its transformation. Discretization is usually carried out in powers of two as given in (1):

$$\psi_{j,k}(t) = \frac{1}{\sqrt{s}}\,\psi\!\left(\frac{t-u}{s}\right) = \frac{1}{\sqrt{2^{j}}}\,\psi\!\left(2^{-j}t - k\right) \qquad (1)$$

where $s = 2^{j}$, $u = k2^{j}$, j and k – whole numbers.

In this case, the u, s plane is mapped into the corresponding j,k grid. The parameter j is the scale parameter or the level of decomposition; the wavelet transform performed with such scale parameter is called dyadic. The fastest and most commonly used discrete wavelet transform is the so-called fast wavelet transform (FWT) or Mallat algorithm [8]. In accordance with the Mallat algorithm, a signal can be represented as a set of successive rough approximations $A_j(t)$ and exact (detailed) $D_j(t)$ components with their subsequent refinement using the iterative method (2).

���� ���� = ����! ���� + ����! ����     (2)

Each refinement step corresponds to a given scale $2^{j}$ (i.e. index j) of analysis (decomposition) and synthesis (reconstruction) of the signal. Such wavelet representation of each component of the signal can be viewed both in the time and frequency domains. For example, in the first step of the algorithm, the input signal S(t) decomposes into two components (3):

$$S(t) = A_1(t) + D_1(t) = \sum_{k} a_{1k}\,\varphi_{1k}(t) + \sum_{k} d_{1k}\,\psi_{1k}(t) \qquad (3)$$

where $\psi_{1k}(t)$ is the wavelet, $\varphi_{1k}(t)$ is the wavelet generating function, and $a_1$, $d_1$ are the coefficients of the approximate and detailed components at level 1, respectively.

One of the advantages of wavelet transform is that it provides an opportunity to analyze the signal in the frequency-time domain, thus allowing for the investigation of the anomalous process vis-a-vis other components. The essence of the wavelet decomposition algorithm is that splitting of signal components is done not only in the low frequency domain, but also in the high frequency region. With this algorithm, the operation of splitting or decomposition is applied to any of the resulting high-frequency components, and so on down the frequency scale. Further, through the adaptive reconstruction of wavelet coefficients of the different wavelet domains containing elements of traffic anomalies, it is possible to confirm the parameters of anomalies and increase the reliability of detection. Employing wavelet packet transform method with a sliding window makes it possible to reduce computational complexity by eliminating computation redundancy. The use of windows and remembering parts of the coefficients in memory effectively eliminates the need for redundant re-computations, hence speeding up the computation algorithm increasing memory usage.

The number of $a_{1k}$ and $d_{1k}$ coefficients is reduced by half compared to the original signal. The next iteration step for level two is executed with the approximations obtained at level 1 in a similar way. In practice, the highest level of decomposition is determined by the number $n_0 - 1$ discrete values of the signal $N = 2^{n_0}$. As a result, at each level of j decomposition we have a sequence of coefficients of the approximation $a_j$ and detailed $d_j$ of length $N/2^{j}$ each, and the original signal can be regenerated from equation (4):

���� ���� = ����! ���� ���� ���� + ����! ���� ����! ����     (4)

The number of multiplications in the direct FWT will be 2LN, where L = 2n. The same number of operations is necessary for the reconstruction of the signal. Thus, for the signal analysis–synthesis in the wavelet basis, 4LN operations must be executed, which is less than the number of operations for the fast Fourier transform ($N \log_2 N$).

A. Method

We consider the detection of network traffic anomalies based on discrete wavelet transform using statistical criteria. To adapt this method to the analysis of real-time traffic the technique of two sliding windows W1 and W2, moving in time with a given step is employed, while noting the value of traffic located at the time boundaries of each

The use of "sliding window" allows for the increase in reliability of the detection of even minor abnormalities. It is known that the spectral power density of the time series of "traffic–time", in the presence of anomalies, has peaks at certain frequencies. Wavelet analysis allows for the detection of traffic anomalies on the basis of differences in the spectra of normal and abnormal traffic. We will consider window W1 as 'comparison window' and the window W2 as a 'detection window'. Let the size of each window W1 and W2 be selected time units respectively, such that W1 > W2. Then at an arbitrary time t the beginning of the window W2 will be at the point t, and it would contain w2 traffic values for the time interval spanning from t–w2 to t. The W1 window will contain W1 values from t–w2–w1 to t–w2.

Performing FWT for samples within each of the windows at each time $t_i$, we get at a certain scale level j, a set of coefficients ����!! , ����!! , ����!! , ⋯ , ����!" !,! for the W1 (approximation) window and another set ����!! , ����!! , ����!! , ⋯ , ����!" !,! for the W2 (detail) window; ����!! , ����!! , ����!! , ⋯ , ����!" for the W1 (approximation) window and ����!! , ����!! , ����!! , ⋯ , ����!" !,! for the W2 (detail) window. The quantity of n and m coefficients at level j is gotten from expressions (5) for windows W1 and W2 respectively:

$$n = \frac{W_1}{2^{j}}; \qquad m = \frac{W_2}{2^{j}} \qquad (5)$$

These coefficients are tested using statistical criteria, and decisions on the cardinal differences of the analyzed parameters between windows W1 and W2 will be based on the acceptance or rejection of statistical hypotheses and hence the presence of anomalies or the absence thereof will be determined. Analysis of both approximate and detailed coefficients shows that anomaly can be seen at the first level of wavelet decomposition. Therefore, FWT will be carried out on the first decomposition level, until the special statistical thresholds conditions as described below are exceeded.

III. ANOMALY DETECTION ALGORITHM

We describe an algorithm for detecting abnormal spikes based on statistical criteria used to determine changes in the variance and the mean of the coefficients of the wavelet transform. Fisher's criterion is proposed for detecting anomalies expressed as change in variance, while the Cochran criterion is used to detect changes in the mean value [5].

The use of Fisher's criterion is proposed for detecting changes in the variances of samples of windows W1 and W2. The sample distribution is considered Gaussian. At any given time t two statistical hypotheses are proposed at scale level j about the equality of the variances of two samples ����!! , ����!! , ����!! , ⋯ , ����!" !,! and ����!! , ����!! , ����!! , ⋯ , ����!" :

    a) the null hypothesis – ����! : ����!,!,! = ����!,!,! and
    b) the alternative hypothesis – ����! : ����!,!,! ≠ ����!,!,! .

The algorithm for detection of spikes in Gaussian process based on the analysis of anomalous variation of variances can be written as:

����!,! = ! / ����!,!,!     (6)

where:
����!,!,! = ���� − ����! – sample variance of sample sequence of details on a scale level j in window W1;
����!,!,! = ���� − ����! – sample variance of sample sequence of details on a scale level j in window W1;
����! = ���� – sample mean of a sequence of details on a scale level j in window W1;
����! = ���� – sample mean of a sequence of details on a scale level j in window W2;

The use of Cochran criterion is proposed for detecting changes in the mean sample of approximations ����!! , ����!! , ����!! , ⋯ , ����!" !,! and ����!! , ����!! , ����!! , ⋯ , ����!" !,! . The algorithm for detecting spikes in traffic data based on analysis of anomalous change in sample mean values is expressed as:

����!,! = 1 /     (7)

where:
����!,!,! = ���� − ����! ! – sample variance of sample sequence of approximations on a scale level j in window W1;
����!,!,! = ���� − ����! – sample variance of sample sequence of approximations on a scale level j in window W1;
����!,! = + – normalized sum of sample variance of details in windows W1 and W2;
����! = ���� – sample mean of a sequence of details on a scale level j in window W1;
����! = ���� – sample mean of a sequence of details on a scale level j in window W2;
����! = ���� and ����! = ���� – sample mean of sample sequence of details on a scale level j in window W1 and W2 respectively.

Summarizing the procedure above, an algorithm for implementing the detection of anomalies based on discrete wavelet transform is hereby presented. The following actions are taken for each current window position at time t:

STEP 1. Perform Fast Wavelet Transform for 1st decomposition level on each sample from windows W1 and W2 according to equation (4);
STEP 2. Compute Fisher statistics based on the details coefficients $d_j$ according to equation (6).
STEP 3. Compute Cochran statistics based on the approximation coefficients $a_j$ according to equation (7).
STEP 4. Compute two thresholds for each statistic based on the accepted values of the confidence intervals with the lower threshold of p1 = 0.95, the upper threshold p2 = 0.999.
STEP 5. Compare the current values of Fisher's and Cochran criteria with their thresholds: if either is lower than the lower threshold – go to step 6, if on the other hand, either is higher than the upper threshold – go to step 7.
STEP 6. Perform further FWT on the next decomposition level j. This step is only executed if the current decomposition level j is not greater than the maximum for the particular sequence. Repeat step 2 to step 5 for the current j level.
STEP 7. Reconstruct coefficients for the level at which the upper threshold was exceeded. To which end the approximations coefficients ����! = ����! ���� ���� ���� and the details coefficients ����! = ����! ���� ���� ���� are restored. The existence of an anomaly is documented only in the event of any of the statistical criteria exceeding the upper threshold, otherwise, there is no anomaly and the window moves on.

Thus, the ultimate test for detecting an attack is exceeding the upper threshold by one of the statistical criteria at the stage of coefficients reconstruction.

IV. DISCUSSIONS: THE DEVELOPED SOFTWARE

Software was developed in accordance with this proposed algorithm with a graphical user interface in MATLAB. The main window in the process of analyzing the sequence is shown in Figure 1. The top graph in Figure 1 shows an implementation of network traffic with attacks and the sliding
moving window process. The middle and bottom graphs show the Fisher and Cochran parameters calculated in real-time respectively. The red and yellow lines represent the upper and lower thresholds respectively. These graphs depict only the first decomposition level of the fast wavelet transform. If the conditions described in step 7 of the algorithm above hold, the occurrence of an attack as well as its moment of first occurrence are documented. The attacks are shown as red vertical lines in the trace (top) graph, and the number of attacks recorded in the whole sequence is displayed at the base of the GUI, in this case five attacks have been documented (shown as '5'). It can be clearly seen that the anomaly in the region of 6×10! is a typical DoS attack. It was well detected by both criteria (exceeds the red upper threshold) at each FWT level of decomposition. Moreover, Fisher's criterion detects this attack much more clearly; this is seen by the size of the spike and how much it exceeds the threshold of its graph.

Figure 1. Sequence Analysis Program Graphical User Interface

It is observed that the majority of the anomalies occur at the initial level of decomposition 1, while some of the anomalies could have been missed if decomposition was started at higher levels. We also observe that the number of false alarms is greater at higher decomposition levels. This is most likely due to the low resolution of the DWT in time and consequently, small coefficients of confidence at higher levels.

A comparison of the inter-dependence of the crucial statistics shows that the determinant statistic for detecting abnormal spikes of mean value of the approximation coefficients is more efficient for Fisher's criteria than it is for Cochran. This is explained by taking into account the non-Gaussian nature of the critical statistics in the case of Fisher's criterion.

V. CONCLUSION

We have presented in this paper a proposed algorithm for detecting denial of service (DoS) and distributed denial of service (DDoS) attacks in information communication networks using discrete wavelet analysis. The proposed algorithm was tested by developing software based on it in the Matlab environment. Analysis of experimental results obtained using the proposed algorithm and developed software corroborates our submission on the accuracy of the proposed algorithm in detecting DoS and DDoS attacks.
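
The per-window test of Section III (steps 1 to 5), restricted to the first decomposition level, as an added Python example rather than the authors' Matlab software. The Haar wavelet, the W2/W1 direction of the variance ratio, the unequal-variance form of the mean statistic with normal-quantile thresholds, the window sizes and the constructed traffic series are all assumptions, because equations (6) and (7) do not survive on this page.

```python
import math
from statistics import NormalDist, mean, variance

P_LOWER, P_UPPER = 0.95, 0.999  # p1 and p2 from step 4


def haar_level1(x):
    """One FWT step (Haar wavelet, an assumption): (approximations, details)."""
    r = math.sqrt(2.0)
    pairs = list(zip(x[0::2], x[1::2]))
    return [(p + q) / r for p, q in pairs], [(p - q) / r for p, q in pairs]


def _betacf(a, b, x):
    """Continued fraction of the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    c, d = 1.0, 1.0 - (a + b) * x / (a + 1.0)
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, 500):
        terms = (m * (b - m) * x / ((a + 2 * m - 1) * (a + 2 * m)),
                 -(a + m) * (a + b + m) * x / ((a + 2 * m) * (a + 2 * m + 1)))
        for num in terms:
            d = 1.0 + num * d
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = 1.0 + num / c
            c = c if abs(c) > tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < 1e-12:
            break
    return h


def f_cdf(f, d1, d2):
    """CDF of the F distribution via the regularized incomplete beta function."""
    if f <= 0:
        return 0.0
    a, b, x = d1 / 2.0, d2 / 2.0, d1 * f / (d1 * f + d2)
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def f_quantile(p, d1, d2):
    """Smallest f with f_cdf(f) >= p, found by bisection."""
    lo, hi = 0.0, 1.0
    while f_cdf(hi, d1, d2) < p:
        hi *= 2.0
    for _ in range(80):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if f_cdf(mid, d1, d2) < p else (lo, mid)
    return hi


def detect(traffic, w1=120, w2=40, step=1):
    """Yield (t, state, fisher, cochran) for every window position t."""
    n, m = w1 // 2, w2 // 2  # coefficients per window at level 1
    f_lo, f_hi = (f_quantile(p, m - 1, n - 1) for p in (P_LOWER, P_UPPER))
    z_lo, z_hi = (NormalDist().inv_cdf((1 + p) / 2) for p in (P_LOWER, P_UPPER))
    for t in range(w1 + w2, len(traffic) + 1, step):
        a1, d1 = haar_level1(traffic[t - w2 - w1:t - w2])  # comparison window W1
        a2, d2 = haar_level1(traffic[t - w2:t])            # detection window W2
        v1, v2 = variance(d1), variance(d2)
        # Fisher: variance ratio of the details (direction W2/W1 is assumed)
        fisher = v2 / v1 if v1 > 0 else (math.inf if v2 > 0 else 1.0)
        # Mean shift of the approximations over the normalized sum of variances
        spread = math.sqrt(variance(a1) / n + variance(a2) / m)
        shift = abs(mean(a2) - mean(a1))
        cochran = shift / spread if spread > 0 else (math.inf if shift else 0.0)
        if fisher > f_hi or cochran > z_hi:
            state = "anomaly"   # upper threshold exceeded
        elif fisher > f_lo or cochran > z_lo:
            state = "suspect"   # between the lower and upper thresholds
        else:
            state = "normal"
        yield t, state, fisher, cochran


def constructed_traffic(length=600, attack=None):
    """Constructed packets-per-second series; attack=(start, end) adds a flood."""
    series = [100 + (2 * i) % 5 for i in range(length)]
    if attack:
        for i in range(*attack):
            series[i] += 400 + 150 * (i % 2)
    return series


def first_anomaly(results):
    """Time of the first window position that passes an upper threshold."""
    return next((t for t, state, _, _ in results if state == "anomaly"), None)


if __name__ == "__main__":
    for label, attack in (("clean", None), ("flood at 300..359", (300, 360))):
        res = detect(constructed_traffic(attack=attack))
        print(label, "-> first anomaly at t =", first_anomaly(res))
```

On the constructed series the clean trace stays below the lower threshold at every position, and the flood is flagged at the first window position whose detection window contains an attack sample.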


                           ACKNOWLEDGEMENT                                             Oleg I. Sheluhin was born in Moscow, Russia in 1952. He obtained an M.Sc.
                                                                                       Degree in Radio Engineering in 1974 from the Moscow Institute of Transport
The authors appreciate the Lincoln Laboratory of                                       Engineers (MITE). He later enrolled at Lomonosov State University
Massachusetts Institute of Technology for making the (1999                             (Moscow) and graduated in 1979 with a Second M.Sc. in Mathematics. He
DARPA Intrusion Detection Evaluation) data sets used in this                           received a PhD at MITE in 1979 in Radio Engineering and earned a D.Sc.
                                                                                       Degree in Telecommunication Systems and Devices from Kharkov Aviation
study freely available on the Internet.                                                Institute in 1990. The title of his PhD thesis was ‘Investigation of interfering
                                                                                       factors influence on the structure and activity of noise short-range radar’.
                                 REFERENCES                                            He is currently Head, Department of Information Security, Moscow Technical
[1]   Roland Kwitt. A Statistical Anomaly Detection Approach for Detecting             University of Communication and Informatics, Russia. He was the Head,
      Network Attacks. 14th December 2004/ 6QM Workshop, Salzburg.                     Radio Engineering and Radio Systems Department of Moscow State
                                                                                       Technical University of Service (MSTUS).
[2]   L.Feinstein and D.Schnackenberg. Statistical Approaches to DDoS
      Attack Detection and Response. Proceedings of the DARPA Information                 Prof. Sheluhin is a member of the International Academy of Sciences of
      Survivability Conference and Expostion (DISCEX’03), April 2003.                  Higher Educational Institutions. He has published over 15 scientific books and
                                                                                       textbooks for universities and has more than 250 scientific papers. He is the
[3]   Vinay A.Mahadik, Xiaoyong Wu and Douglas S. Reeves, “Detection of                Chief Editor of the scientific journal Electrical and Informational Complexes
      Denial of QoS Attacks Based On χ 2 Statistic And EWMA Control                    and Systems and a member of Editorial Boards of various scientific journals.
      Charts”             In 2004 the Russian President awarded him the honorary title ‘Honored
      diffservattack.pdf, NC State University, Raleigh.                                Scientific Worker of the Russian Federation’.
[4]   Nong Ye and Qiang Chen. An Anomaly Detection Technique Based on
      a Chi-Square Statistic for Detecting Intrusions into Information Systems.        Aderemi A. Atayero graduated from the Moscow Institute of Technology
      Quality and Reliability Eng. Int'l, Vol 17, No. 2, P. 105-112, 2001.             (MIT) with a B.Sc. Degree in Radio Engineering and M.Sc. Degree in
[5]   E.L. Miller , "Efficient computational methods for wavelet domain                Satellite Communication Systems in 1992 and 1994 respectively. He earned a
      signal restoration problems," Signal Processing, IEEE Transactions on ,          Ph.D in Telecommunication Engineering/Signal Processing from Moscow
      vol.47, no.4, pp.1184-1188, Apr 1999.                                            State Technical University of Civil Aviation, Russia in 2000.
[6]   DARPA Intrusion Detection Data Sets, Accessed: 11.01.2012, available             He is a member of a number of professional associations including: the
      at:                                                         Institute of Electrical and Electronic Engineers, IEEE, the International
                                                                                       Association of Engineers, IAENG, and a professional member of the
[7]   O.I. Sheluhin, A.A. Atayero, A.B. Garmashev, "Detection of Teletraffic
                                                                                       International Who’s Who Historical Society (IWWHS) among others. He is a
      Anomalies Using Multifractal Analysis", Proceedings of the IEEE 11th
                                                                                       registered engineer with the Council for the Regulation of Engineering in
      International Conference on ITS Telecommunications (ITST-2011),
      ISBN: 978-1-61284-670-5, DOI: 10.1109/ITST.2011.6060160, 23rd –                  Nigeria, COREN. He is a two-time Head, Department of electrical and
      25th Aug. 2011, St. Petersburg, Russia.                                          Information Engineering, Covenant University, Nigeria. He was the
                                                                                       coordinator of the School of Engineering of the same University.
[8]   S. Mallat, “A Wavelet Tour of Signal Processing”, 3rd Edition, The               Dr.	
      Sparse Way, Academic Press, USA, 2009.                                           proceedings,	
                            AUTHORS PROFILE                                            ‘2009/10	
