09 Paper 31121150 IJCSIS Camera Ready Paper Pp. 53-57

Published by: ijcsis on Feb 19, 2012
Copyright:Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, 2012

Detection of DoS and DDoS Attacks in Information Communication Networks with Discrete Wavelet Analysis

Oleg I. Sheluhin
Department of Information Security, Moscow Tech. Univ. of Communication and Informatics, Moscow, Russia

Aderemi A. Atayero
Department of Electrical and Information Engineering, Covenant University, Ota, Nigeria

Abstract—A method based on discrete wavelet decomposition of traffic data and statistical processing algorithms based on Fisher and Cochran criteria are proposed for detection of traffic anomaly in computer and telecommunication networks. Two sliding windows with two different threshold values are employed to reduce the level of false alerts. A high efficiency level of detection of abnormal traffic spikes is thus guaranteed. The paper likewise presents an algorithm developed for detecting DoS and DDoS attacks based on these statistical criteria. Software is developed in Matlab based on the proposed algorithm. Data sets made available by the Lincoln Laboratory of MIT (1999 DARPA Intrusion Detection Evaluation) were analyzed as the test sequence. Analysis of experimental results revealed that the ultimate test for detecting an attack is to check if any one of the statistical criteria exceeds the upper threshold at the stage of coefficients reconstruction.

Keywords-Anomaly, Denial of Service, DDoS, Wavelet transform, DWT, FWT
I. INTRODUCTION

Statistical methods for detecting network attacks are based on a comparison of the statistical characteristics of packet flow, averaged over a relatively short period of time (local characteristics), with appropriate characteristics for an extended period of time (global data) [1 - 4]. If the local characteristics differ significantly from the corresponding global characteristics, it is indicative of an anomalous behavior of packet flow, and an attempt to scan the network or a network attack is highly probable. The problem thus arises of constructing effective methods for calculating the local statistical characteristics for a limited period of time and determination of local characteristics of the anomalous deviation from the global statistical characteristics of the packet flow.

We propose in this paper a method for solving the problems of traffic anomaly detection in computer and telecommunication networks based on discrete wavelet decomposition of traffic data and a statistical detection algorithm using Fisher's and Cochran criteria [5]. The article also examines the harbingers of abnormal packet flow in the network and the relationship between these harbingers using different statistical criteria.

Datasets provided by the Lincoln Laboratory Massachusetts Institute of Technology (1999 DARPA Intrusion Detection Evaluation) were obtained and used in the analysis, representing the network traffic collected at the border router of the university network [6]. Each sequence spanning approximately 24 hours with discretization step of 1s is presented as pure 'unadulterated' network traffic without attack, as well as in the form of adulterated traffic with different types of anomalies relating to attacks such as denial of service (DoS) and different types of unauthorized network sniffing. DoS attacks also incorporate distributed DoS attacks (DDoS), which entail the 'owning' of a number of unsuspecting host computers for the purpose of stealthily attacking a targeted single victim computer [7].

II. DISCRETE WAVELET TRANSFORM: MALLAT ALGORITHM
Huge costs in computational power will be incurred for calculating the wavelet spectrum with continuous change of the s and u parameters. The set of function has a high level of redundancy. Discretization of these parameters becomes necessary with the possibility of restoring a signal from its transformation. Discretization is usually carried out in powers of two as given in (1):
,
1√ 1√ 2
2

1
 where
2
,   2
,
j and k – whole numbers. In this case, the u, s plane is mapped into the corresponding j, k grid. The parameter j is the scale parameter or the level of decomposition; the wavelet transform performed with such a scale parameter is called dyadic. The fastest and most commonly used discrete wavelet transform is the so-called fast wavelet transform (FWT) or Mallat algorithm [8]. In accordance with the Mallat algorithm, a signal can be represented as a set of successive rough approximations A_j(t) and exact (detailed) D_j(t) components with their subsequent refinement using the iterative method (2).
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

2
Each refinement step corresponds to a given scale 2^j (i.e. index j) of analysis (decomposition) and synthesis (reconstruction) of the signal. Such wavelet representation of each component of the signal can be viewed both in the time and frequency domains. For example in the first step of the algorithm, the input signal S(t) decomposes into two components (3):
3
 where - wavelet, - wavelet generating function,
a
1
,
1
 – Coefficients of the
approximate
and
detailed 
components at level 1, respectively.

One of the advantages of wavelet transform is that it provides an opportunity to analyze the signal in the frequency-time domain, thus allowing for the investigation of the anomalous process vis-a-vis other components. The essence of the wavelet decomposition algorithm is that splitting of signal components is done not only in the low frequency domain, but also in the high frequency region. With this algorithm, the operation of splitting or decomposition is applied to any of the resulting high-frequency components, and so on down the frequency scale. Further, through the adaptive reconstruction of wavelet coefficients of the different wavelet domains containing elements of traffic anomalies, it is possible to confirm the parameters of anomalies and increase the reliability of detection. Employing the wavelet packet transform method with a sliding window makes it possible to reduce computational complexity by eliminating computation redundancy. The use of windows and remembering parts of the coefficients in memory effectively eliminates the need for redundant re-computations, hence speeding up the computation algorithm while increasing memory usage.

The number of

and
1k 
coefficients is reduced by half compared to the original signal. The next iteration step for level two is executed with the approximations obtained at level 1 in a similar way. In practice, the highest level of decomposition is determined by the number n0 – 1 discrete values of the signal 2 . As a result, at each level j of decomposition we have a sequence of coefficients of the approximation and detailed of length /2 each, and the original signal can be regenerated from equation (4):

 4
The number of multiplications in the direct FWT will be 2LN, where L = 2n. The same number of operations is necessary for the reconstruction of the signal. Thus, for the signal analysis–synthesis in the wavelet basis, 4LN operations must be executed, which is less than the number of operations for the fast Fourier transform
log

.
 
A. Method

We consider the detection of network traffic anomalies based on discrete wavelet transform using statistical criteria. To adapt this method to the analysis of real-time traffic, the technique of two sliding windows W1 and W2, moving in time with a given step, is employed, while noting the value of traffic located at the time boundaries of each window.

The use of a "sliding window" allows for the increase in reliability of the detection of even minor abnormalities. It is known that the spectral power density of the time series of "traffic–time", in the presence of anomalies, has peaks at certain frequencies. Wavelet analysis allows for the detection of traffic anomalies on the basis of differences in the spectra of normal and abnormal traffic. We will consider window W1 as the 'comparison window' and the window W2 as the 'detection window'. Let the size of each window W1 and W2 be selected as w1 and w2 time units respectively, such that W1 > W2. Then at an arbitrary time the beginning of the window W2 will be at the point t, and it would contain w2 traffic values for the time interval spanning from t–w2 to t. The W1 window will contain W1 values from t–w2–w1 to t–w2.

Performing FWT for samples within each of the windows at each time i, we get at a certain scale level j, a set of coefficients


, 

, 

,, 

,
for the W
1
 (approximation) window and another set


, 

, 

,, 

,
for the W
2
(detail) window;


, 

, 

,, 

,
for the W
1
(approximation)window and


, 

, 

,, 

,
for the W
2
(detail)window. The quality of 
n
and
m
coefficients at level
 j
is gotten from expressions (5) for windows W1 and W2 respectively:
12
; 22
 5
These coefficients are tested using statistical criteria, and decisions on the cardinal differences of the analyzed parameters between windows W1 and W2 will be based on the acceptance or rejection of statistical hypotheses and hence the presence of anomalies or the absence thereof will be determined. Analysis of both approximate and detailed coefficients shows that anomaly can be seen at the first level of wavelet decomposition. Therefore, FWT will be carried out on the first decomposition level, until the special statistical thresholds conditions as described below are exceeded.
1
()
ψ 
1
()
φ 
III. ANOMALY DETECTION ALGORITHM

We describe an algorithm for detecting abnormal spikes based on statistical criteria used to determine changes in the variance and the mean of the coefficients of the wavelet transform. Fisher's criterion is proposed for detecting anomalies expressed as change in variance, while the Cochran criterion is used to detect changes in the mean value [5].

The use of Fisher's criterion is proposed for detecting changes in the variances of samples of windows W1 and W2. The sample distribution is considered Gaussian. At any given time two statistical hypotheses are proposed at scale level j about the equality of the variances of two samples


, 

, 

,, 

,
and


, 

, 

,, 

,
:a)
 
the null hypothesis – 
: 
,,
,,
and b)
 
the alternative hypothesis – 
: 
,,
,,
. The algorithm for detection of spikes in a Gaussian process based on the analysis of anomalous variation of variances can be written as:
,
,,
,,
6
where:
– sample variance of sample sequence of details on a scale level j in window W1;
– sample variance of sample sequence of details on a scale level j in window W1;
– sample mean of a sequence of details on a scale level j in window W1;
– sample mean of a sequence of details on a scale level j in window W2;

The use of Cochran criterion is proposed for detecting changes in the mean sample of approximations


, 

, 

,, 

,
and


, 

, 

,, 

,
. The algorithm for detecting spikes in traffic data based on analysis of anomalous change in sample mean values is expressed as:
,
1
,
7
where:
– sample variance of sample sequence of approximations on a scale level j in window W1;
– sample variance of sample sequence of approximations on a scale level j in window W1;
– normalized sum of sample variance of details in windows W1 and W2;
– sample mean of a sequence of details on a scale level j in window W1;
– sample mean of a sequence of details on a scale level j in window W2;
and – sample mean of sample sequence of details on a scale level j in window W1 and W2 respectively.

Summarizing the procedure above, an algorithm for implementing the detection of anomalies based on discrete wavelet transform is hereby presented. The following actions are taken for each current window position at time t:
STEP 1. Perform Fast Wavelet Transform for 1st decomposition level on each sample from windows W1 and W2 according to equation (4);

STEP 2. Compute Fisher statistics based on the details coefficients d_j according to equation (6).

STEP 3. Compute Cochran statistics based on the approximation coefficients a_j according to equation (7).

STEP 4. Compute two thresholds for each statistic based on the accepted values of the confidence intervals with the lower threshold of p1 = 0.95, the upper threshold p2 = 0.999.

STEP 5. Compare the current values of Fisher's and Cochran criteria with their thresholds: if either is lower than the lower threshold – go to step 6, if on the other hand, either is higher than the upper threshold – go to step 7.

STEP 6. Perform further FWT on the next decomposition level j. This step is only executed if the current decomposition level j is not greater than the maximum for the particular sequence. Repeat step 2 to step 5 for the current j level.

STEP 7. Reconstruct coefficients for the level at which the upper threshold was exceeded. To which end the approximations coefficients and the details coefficients are restored. The existence of an anomaly is documented only in the event of any of the statistical criteria exceeding the upper threshold, otherwise, there is no anomaly and the window moves on.

Thus, the ultimate test for detecting an attack is exceeding the upper threshold by one of the statistical criteria at the stage of coefficients reconstruction.
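The following Python example is added here and is not the authors' MATLAB software; it walks Steps 1 to 6 for one window position and reports the level at which an upper threshold is exceeded (the reconstruction of Step 7 is left out). The Haar wavelet, the variance-ratio and Cochran-Cox forms standing in for equations (6) and (7), the threshold values and the traffic series are all assumptions constructed for illustration.

```python
import math
from statistics import mean, variance

def haar_step(x):
    """One FWT (Mallat) step, Haar wavelet assumed: (approximations, details)."""
    pairs = [(x[i], x[i + 1]) for i in range(0, len(x) - 1, 2)]
    r = math.sqrt(2.0)
    return [(p + q) / r for p, q in pairs], [(p - q) / r for p, q in pairs]

def fisher_stat(d1, d2):
    """Variance ratio of detail coefficients, W2 over W1 (assumed form of eq. 6)."""
    return variance(d2) / variance(d1)

def cochran_stat(a1, a2):
    """Difference of approximation means over the normalised sum of variances
    (Cochran-Cox form, assumed for eq. 7)."""
    se = math.sqrt(variance(a1) / len(a1) + variance(a2) / len(a2))
    return abs(mean(a2) - mean(a1)) / se

def detect(traffic, t, w1, w2, lower, upper, max_level=2):
    """Steps 1-6 for the window position ending at sample t.
    Returns (anomaly, level, stats)."""
    x1 = traffic[t - w2 - w1 : t - w2]      # comparison window W1
    x2 = traffic[t - w2 : t]                # detection window W2
    for level in range(1, max_level + 1):
        a1, d1 = haar_step(x1)
        a2, d2 = haar_step(x2)
        stats = {"fisher": fisher_stat(d1, d2), "cochran": cochran_stat(a1, a2)}
        if any(stats[k] > upper[k] for k in stats):       # Step 5 -> Step 7
            return True, level, stats
        if not any(stats[k] < lower[k] for k in stats):   # case the steps leave open
            break
        x1, x2 = a1, a2                                   # Step 6: next level
    return False, level, stats

# Constructed thresholds standing in for the p1 = 0.95 / p2 = 0.999 quantiles.
LOWER = {"fisher": 2.0, "cochran": 1.7}
UPPER = {"fisher": 4.0, "cochran": 3.5}

# Constructed 1 s traffic counts: periodic baseline, flood on samples 168-199.
clean = [100 + (7 * i) % 11 for i in range(200)]
attacked = [v + (200 * ((3 * i) % 5) if i >= 168 else 0) for i, v in enumerate(clean)]

if __name__ == "__main__":
    print(detect(clean, 128, 64, 32, LOWER, UPPER))     # no anomaly, stops at level 2
    print(detect(attacked, 200, 64, 32, LOWER, UPPER))  # anomaly at level 1
```
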
IV. DISCUSSIONS: THE DEVELOPED SOFTWARE

Software was developed in accordance with this proposed algorithm with a graphical user interface in MATLAB. The main window in the process of analyzing the sequence is shown in Figure 1. The top graph in Figure 1 shows an implementation of network traffic with attacks and the sliding