DoS Detection based on Mobile Agent and Naïve Bayes Filter

Yousra BERGUIG, Jalal LAASSIRI, Sanae HANAOUI
Informatics Systems and Optimization Laboratory
Faculty of Science, Ibn Tofail University
Kenitra, Morocco
yousra.berguig@gmail.com, LAASSIRI@uit.ac.ma, sanae.hanaoui@uit.ac.ma

Abstract— Presently, the most wondrous and powerful cyber-attacks are DoS flooding and its DDoS variant. This type of attack aims to reduce the availability of a service to its legitimate customers. One of the most effective methods for detecting this type of intrusion in a distributed environment is the mobile agent. In this paper, we present the mobile agent-based techniques most commonly used to resist DoS flooding attacks; we also propose a new distributed denial of service filter system based on mobile agents and a Naive Bayesian filter. Finally, we implement our solution in the Python language, using the Anaconda, Jupyter and JADE tools, and present our experimental results.

Keywords— Mobile Agents, Filter System, Naïve Bayesian Filter, DDoS attack, machine learning, distributed system, Intrusion detection.

I. INTRODUCTION

The protection of data against unauthorized access is the main objective of security. It can be guaranteed by security mechanisms [1,2,3]. Among the powerful attacks that threaten the security of a system, we find the Distributed Denial of Service attack [4]. Recently, this type of attack has become an active research field. In fact, with the development of cloud computing and e-commerce applications, this threat is becoming more and more serious. The availability of several free online tools makes the attack an easy task for attackers, which increases its rate. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is defined as an attempt to make a machine or network resource unavailable to its users [5]. The general way to perform this type of attack is to flood the network by sending many requests to the server, to keep it busy for a long time and prevent legitimate users from getting the service. The goal is to suspend the services of a system temporarily or indefinitely and paralyze it. The system can detect a DoS attack by capturing the packets flowing in the network [6]. In the literature there are several techniques of prevention, detection, tracing and identification to protect the system against DoS attacks. In this work, we are interested in the filtering method based on the Naive Bayes classifier [7], a probabilistic classifier that can make a prediction given a sample input. It requires a small amount of training data to estimate the parameters of a classification model. The Naïve Bayes classifier outputs a probability value over the class labels, and clearly depicts the percent safety as well as the percent risk involved.

Agent use is currently being encouraged in Intrusion Detection Systems (IDS) for its fast detection, easy transportation, minimal complexity, etc. Our study will also be based on mobile agents, an emerging technology that makes it much easier to design, implement and maintain distributed systems. We note that mobile agents reduce network traffic and provide effective means of overcoming network latency. Through their ability to operate asynchronously and autonomously of the process that created them, they help to build more robust and fault-tolerant systems and allow information to be gathered and tasks to be accomplished in an optimal way [8,9,10,11,12].

DoS, as cited before, is one of the most destructive attacks; it paralyzes Internet systems by overwhelming servers. We found many solutions proposed in the literature to detect this kind of traffic. Nevertheless, there is no hybrid solution that combines parallelism, distribution, intelligence, security and detection. For this reason, we propose a distributed and intelligent solution for intrusion detection where large data streams arrive.

Our aim in this paper is to propose a distributed solution for DoS attack intrusion detection using both Mobile Agents [13] and machine learning algorithms, as shown below in Figure 1. We chose to use a distributed system to parallelize the different parts of our intrusion detection system.

One of the advantages of distribution is the ability to detect attack patterns across an entire corporate network, with geographic locations separating segments by time zones or even continents. The second major advantage is that a single analysis team can now do what previously required several incident analysis teams due to physical distance. This obviates the need to pay for distinct incident analysis teams for each separate geographic location of the organization's offices. The use of the Internet and of different computing devices, from computers to smartphones, has raised many security and privacy problems. While traditional intrusion detection methods may be able to detect previously known attacks, machine learning gives us the possibility to deal with new, unknown attacks.

978-1-5386-7328-7/18/$31.00 ©2018 IEEE


Figure 1. The installation scenario of the proposed solution

In this work, we investigate the security problematic in distributed systems. In the first section, we present the availability problem by introducing the DoS attack. In the second section, we enumerate the different counter-measures and related work that have been proposed and considered by researchers. In the third section, we propose and discuss our approach for detecting the denial of service attack. In the fourth, we present our simulation results. Finally, a conclusion and perspectives are given.

II. RELATED WORK

A detector is intended to detect and distinguish malicious packet traffic from legitimate packet traffic. In the case where many clients want a service and a DoS attack maliciously floods many web session requests, the server will not be able to discriminate between the requests, because the legitimate activity of the user can be easily confused with a flood attack. Currently, there is much research on detecting DoS attacks.

F. Lau et al. [14] describe distributed denial of service attacks in the Internet, especially the Yahoo attack; they also discuss methods of distributed denial of service attacks and describe some defense mechanisms. They present a comparison between different queuing algorithms using different topologies, and conclude that class-based queuing had the best performance. G. Carl et al. [4] give an overview of DDoS attacks by presenting the general attack types and some attack detection; they also present several techniques and detection methods like activity profiling and sequential change-point detection. G. Preetha et al. [15] propose a mathematical model to analyze the vulnerability to DDoS attacks, combining it with mobile agent technology; they also present 2 detection techniques, HFC and a hybrid model (SVM-MLP), and validate them in an experimental test-bed with geographically distributed nodes. V. Hema et al. [16] propose an approach for DDoS detection with the Naïve Bayes classification machine learning algorithm. B. B. Gupta et al. [17] give a history and background of the DDoS attack; they discuss this attack in cloud computing and discuss the problems of cloud computing and security issues; the authors also present the statistics and security issues, and finally they expose a taxonomy of some principal detection methods. P. Xiao et al. [18] propose an attack detection system that can deal with the link flooding attack; it is based on the Bloom filter and software-defined networking (SDN). A. Saidi et al. [19] introduced a mobile agent system to detect the first signs of DoS/DDoS flooding attacks on cloud computers by analyzing virt machines by groups and priority; they use a thresholding mechanism to assure the detection. A. Odesile et al. [20] present a distributed mobile agent-based intrusion detection system to secure healthcare networks. Specifically, they compare 5 machine learning algorithms by offering autonomous mobile agents that use machine learning algorithms to perform local and network level anomaly detection, to detect various security attacks targeted at healthcare systems, like DDoS attacks, which threaten the availability of those systems. J. Tajer et al. [21] propose an approach for anomaly detection in mobile agent networks based on sketch and divergence measures. A. Saidi et al. [22] underline the most used techniques to stand up against DoS flooding attacks in cloud technology. C.Y. Tseung et al. [23] propose new techniques to mitigate different types of DDoS, combining and taking advantage of both machine learning algorithms and the Bloom filter. They use machine learning to extract features of attacks, then use a customized Bloom filter to defend against attacks based on the selected features. The authors also implemented and tested the performance of the proposed technique in a lab environment.

III. NAÏVE BAYES CLASSIFICATION FOR DDOS DETECTION

The Naïve Bayes classifier [7] is a machine learning classifier based on Bayes' rule; it uses the probabilities of all the attributes, which are assumed independent of one another, to make an accurate and fast prediction. The fact that the naïve Bayes classifier can receive a large number of attributes and can also work with small amounts of training data makes it a good choice for modeling network DoS attacks.

The Naive Bayesian filter [24] is described as follows. Firstly, the filter learns from the DoS set and the non-DoS set to establish the feature vectors of DoS and non-DoS. When a packet is received, the filter extracts the features of the packet contents and establishes the vector space of the packet contents. Then the filter computes the probability that the packet belongs to DoS and the probability that it belongs to non-DoS. If the former is greater than the latter, then the packet is a DoS, otherwise the packet is a non-DoS. Suppose the packet content L has n features, and the sample space has two classes, DoS and non-DoS. Let the number of packets belonging to the DoS class and the number of packets belonging to the non-DoS class be given. The probabilities of the two classes are

(1)
where the quantities in (1) are given by

(2)

The probabilities compared in the decision are

(3)

The probability of a feature belonging to DoS, and the probability of a feature belonging to non-DoS, can be computed as follows

(4)

where |V| is the number of features, and the remaining count is the sum of the times the feature appears in the class. The weight is applied to increase the precision of the classification.

Our goal is to apply the Naïve Bayes filter to classify and detect the DoS intrusion. The use of this classifier seems to be an adequate solution in a network security scenario because of its predictive capability, which is very helpful in an uncertain world.

IV. PROPOSED APPROACH FOR DOS DETECTION

Figure 2. DoS Attack Detection Based on Naive Bayes Classifier Model

The model that we opted for in our solution is based on Figure 2 [25], which is a centralized model. The added value is the mobile agent technology, which makes it distributed, autonomous and intelligent, which goes perfectly with the intelligent distributed systems of today. This mobile agent system will allow us to parallelize the tasks in order to reduce the execution time as well as the memory consumption.

In the proposed system DIDMANB (Distributed Intrusion Detection by Mobile Agent and Naive Bayes) the main objective is to detect intrusion packets or data and to increase the performance of the processing model. The proposed scheme can integrate flow information into the classification process and determine the correlation between them. We use the Mobile Agent technology for its various benefits like the reduced network load and load balancing, asynchronous and autonomous execution, dynamic adaptation, heterogeneous execution, and fault tolerance. On the other hand, we use the Naive Bayes classifier, which is one of the earliest classification methods applied in intrusion detection systems; in fact it is an effective probabilistic classifier employing Bayes' theorem with naive feature independence assumptions. It also requires a small amount of training data to estimate the parameters of a classification model.

Figure 3 presents the system architecture of our proposed approach; it is a multi-agent system which contains three major entities. It begins with the Monitoring Agent server, which guarantees the packet capturing and the transfer of those packets to the DoS filter system server by a mobile agent. In this server the black list agent compares its list of malicious IP addresses with the IP address received. Then, if the IP address is not found in the black list, features are extracted by the feature extraction mobile agent. Finally, the classification agent uses the feature data set and applies Naïve Bayes classification to the test data set to classify the packets.

Figure 3. Model of Proposed Approach

While using mobile agents we should not neglect the agents' security [26,27,28,29]. For this we consider a model that helps our system to be more secure, by adopting both detection and prevention mechanisms to improve the security of agent communication during its migration; as a result we grant security at the agent and system levels. In our communication tunnel for the secure agent migration process, we opt for different cryptographic mechanisms. Before the secure transfer of a mobile agent between the two platforms, they must authenticate each other; for this we encrypt and format the header using the RSA algorithm. We choose to communicate a public key with the visited platform via the secure communication protocol SSL. For confidentiality we use binary serialization and AES encryption to encrypt the mobile agent. To grant the integrity of our mobile agent, our proposed tunnel is based on applying the Schnorr signature to our code. Finally, to avoid a denial of service attack (DoS) on our mobile agent and subsequently ensure its availability, we propose a time max authentication (authentication timeout), which is the maximum time allowed to establish the authentication with the visited platform.
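The tunnel described above combines several mechanisms. The following Python code is an added example, not the paper's implementation, of two of them: the Schnorr signature that protects the integrity of the serialized agent, and the authentication timeout (time max) that frees the visited platform from sessions which do not complete in time. The Schnorr group is generated at run time with a Miller-Rabin test; the RSA-protected header, the SSL exchange of the public key and the AES encryption of the serialized agent are assumed to have taken place before begin_authentication is called and are not modelled. VisitedPlatform, run_demo, the agent record and the scripted clock readings are constructions of this example.

```python
"""Added example (not the paper's code): integrity and availability checks of the
secure migration tunnel. A Schnorr signature over the serialized agent is verified
before deserialization, and a session exceeding the authentication time max is dropped.
The group is generated at run time; RSA header, SSL key exchange and AES are not modeled."""
import hashlib
import json
import secrets
import time

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (callers pass odd n > 3)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1):
            for _ in range(s - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                return False
    return True

def generate_group(q_bits=160, p_bits=512):
    """Schnorr group: prime q, prime p = k*q + 1, generator g of the order-q subgroup."""
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    k_bits = p_bits - q_bits
    while True:
        k = (secrets.randbits(k_bits) | (1 << (k_bits - 1))) & ~1  # even k keeps p odd
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, k, p)  # h^((p-1)/q) has order q unless it is 1
        if g != 1:
            return p, q, g

def challenge(group, r, message):
    """e = H(r || m) mod q binds the commitment r to the exact bytes that travel."""
    p, q, _ = group
    digest = hashlib.sha256(r.to_bytes((p.bit_length() + 7) // 8, "big") + message).digest()
    return int.from_bytes(digest, "big") % q

def sign(group, x, message):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1  # fresh nonce for every signature
    e = challenge(group, pow(g, k, p), message)
    return e, (k - x * e) % q

def verify(group, y, message, signature):
    p, q, g = group
    e, s = signature
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, e, p) % p  # g^(k - x*e) * g^(x*e) = g^k
    return challenge(group, r, message) == e

class VisitedPlatform:
    """Destination platform: enforces the time max, then the integrity check."""
    def __init__(self, group, auth_timeout, clock=time.monotonic):
        self.group, self.auth_timeout, self.clock = group, auth_timeout, clock
        self.pending = {}  # session id -> (start time, peer public key)

    def begin_authentication(self, session_id, peer_pubkey):
        # The paper's RSA/SSL exchange would establish peer_pubkey; here it is handed in.
        self.pending[session_id] = (self.clock(), peer_pubkey)

    def receive(self, session_id, envelope):
        """Returns (status, agent); the agent is deserialized only after verification."""
        session = self.pending.pop(session_id, None)
        if session is None:
            return "rejected", None  # no authentication in progress
        start, y = session
        if self.clock() - start > self.auth_timeout:
            return "timeout", None  # time max exceeded: session discarded
        if not verify(self.group, y, envelope["body"], envelope["sig"]):
            return "tampered", None  # agent code or data changed in transit
        return "accepted", json.loads(envelope["body"])

def run_demo(auth_timeout=5.0):
    """Three constructed migrations of one agent, driven by scripted clock readings."""
    p, q, g = group = generate_group()
    x = secrets.randbelow(q - 1) + 1  # home platform signing key
    y = pow(g, x, p)  # public key the visited platform trusts
    body = json.dumps({"name": "monitor-agent", "task": "deliver headers"}).encode()
    envelope = {"body": body, "sig": sign(group, x, body)}  # what the home platform sends
    readings = iter([0.0, 1.0, 10.0, 11.0, 20.0, 27.0])  # constructed clock values
    visited = VisitedPlatform(group, auth_timeout, clock=lambda: next(readings))

    def migrate(session, env):
        visited.begin_authentication(session, y)
        return visited.receive(session, env)[0]
    return {"honest": migrate("s1", envelope),
            "tampered": migrate("s2", dict(envelope, body=body + b" ")),
            "slow": migrate("s3", envelope)}
```

The order of the checks is the point: the time max is evaluated before any signature arithmetic, so an agent that arrives late costs the platform no more than a dictionary lookup, and the body is deserialized only after the signature verifies, so altered code never runs.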

Figure 4. Secure communication tunnel
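Before the simulation, the classification path of Figure 3 (black list agent, feature extraction agent, classification agent) and the Naive Bayes filter of Section III are brought together in one runnable Python example. It is added for this page and is not the paper's code: the multinomial form with Laplace smoothing is the standard one from the spam-filter literature the paper cites, since equations (1) to (4) are not legible on this page; the feature tokens, bucket limits, KDD-style records and IP addresses are constructed for the example, and the whole filter server is collapsed into one DosFilterSystem class.

```python
"""Added example (not the paper's code): the DoS filter system of Figure 3 in
miniature. The black list agent drops known addresses, the feature extraction
agent turns a captured record into feature tokens, and the classification agent
applies multinomial Naive Bayes with Laplace smoothing and files the packet into
the DoS set or the non-DoS set. Records, addresses and bucket limits are
constructed for the example; field names follow KDD CUP 99."""
import math
from collections import Counter, namedtuple

DOS, NON_DOS = "DOS", "non-DOS"
Packet = namedtuple("Packet", "src_ip proto dst_port flag src_bytes dst_bytes count")


def bucket(n, small=1000):
    """Coarse size bucket so a byte count becomes a categorical token."""
    return "0" if n == 0 else "small" if n < small else "large"


def extract_features(pkt):
    """Feature extraction agent: the tokens w_1..w_n the filter reasons about.
    The source address is left out on purpose; it belongs to the black list agent."""
    rate = "low" if pkt.count < 10 else "mid" if pkt.count < 100 else "high"
    return [f"proto={pkt.proto}", f"dst_port={pkt.dst_port}", f"flag={pkt.flag}",
            f"src_bytes={bucket(pkt.src_bytes)}", f"dst_bytes={bucket(pkt.dst_bytes)}",
            f"count={rate}"]


class NaiveBayesFilter:
    """Multinomial Naive Bayes with Laplace smoothing, evaluated in log space."""

    def __init__(self):
        self.packets = Counter()  # N_c: training packets per class
        self.tokens = {DOS: Counter(), NON_DOS: Counter()}  # feature counts per class
        self.vocab = set()  # V: every distinct feature token seen in training

    def train(self, dos_set, non_dos_set):
        for label, packets in ((DOS, dos_set), (NON_DOS, non_dos_set)):
            for pkt in packets:
                self.packets[label] += 1
                for tok in extract_features(pkt):
                    self.tokens[label][tok] += 1
                    self.vocab.add(tok)

    def log_posterior(self, label, tokens):
        """log P(c) + sum_i log P(w_i|c), with P(w_i|c) = (n_ic + 1) / (n_c + |V|)."""
        prior = self.packets[label] / sum(self.packets.values())
        denom = sum(self.tokens[label].values()) + len(self.vocab)  # n_c + |V|
        return math.log(prior) + sum(
            math.log((self.tokens[label][tok] + 1) / denom) for tok in tokens)

    def classify(self, pkt):
        tokens = extract_features(pkt)
        p_dos, p_non = (self.log_posterior(c, tokens) for c in (DOS, NON_DOS))
        return DOS if p_dos > p_non else NON_DOS


class DosFilterSystem:
    """Filter server: black list agent first, then feature extraction and classification."""

    def __init__(self, blacklist, dos_set, non_dos_set):
        self.blacklist = set(blacklist)
        self.dos_set, self.non_dos_set = list(dos_set), list(non_dos_set)
        self.filter = NaiveBayesFilter()
        self.filter.train(self.dos_set, self.non_dos_set)

    def process(self, pkt):
        """Decision for one packet delivered by the mobile agent."""
        if pkt.src_ip in self.blacklist:
            return "blacklisted"  # connection cut; nothing to classify
        label = self.filter.classify(pkt)
        (self.dos_set if label == DOS else self.non_dos_set).append(pkt)  # grows the learning sets
        return label


# Constructed training data: half-open or rejected connections at high rate versus completed sessions.
DOS_SET = [Packet("203.0.113.5", "tcp", 80, "S0", 0, 0, 511),
           Packet("203.0.113.6", "tcp", 80, "S0", 0, 0, 480),
           Packet("203.0.113.7", "tcp", 443, "S0", 0, 0, 502),
           Packet("203.0.113.8", "tcp", 80, "REJ", 0, 0, 450),
           Packet("203.0.113.9", "udp", 53, "SF", 28, 0, 300),
           Packet("203.0.113.10", "tcp", 80, "S0", 0, 0, 511)]
NON_DOS_SET = [Packet("192.0.2.10", "tcp", 80, "SF", 215, 45076, 1),
               Packet("192.0.2.11", "tcp", 443, "SF", 1032, 8192, 3),
               Packet("192.0.2.12", "tcp", 22, "SF", 1450, 2100, 1),
               Packet("192.0.2.13", "udp", 53, "SF", 45, 120, 2),
               Packet("192.0.2.14", "tcp", 80, "SF", 300, 12000, 8),
               Packet("192.0.2.15", "tcp", 25, "SF", 2400, 500, 1)]


def run_demo():
    """Run three constructed packets through the system; returns decisions and set sizes."""
    system = DosFilterSystem({"198.51.100.99"}, DOS_SET, NON_DOS_SET)
    decisions = {
        "syn_flood": system.process(Packet("203.0.113.77", "tcp", 80, "S0", 0, 0, 495)),
        "web_session": system.process(Packet("192.0.2.40", "tcp", 80, "SF", 540, 30000, 2)),
        "known_bad": system.process(Packet("198.51.100.99", "tcp", 80, "SF", 540, 30000, 2)),
    }
    return decisions, len(system.dos_set), len(system.non_dos_set)
```

Because the classifier works on smoothed counts, a token never seen in the normal set (here flag=S0 or count=high) does not zero out the posterior but only lowers it, which is the role Section III gives to the |V| term, and the log-space sum avoids underflow when a record carries many features. Classified packets are appended to the learning sets, but the model is refreshed only by an explicit train() call, so a flood cannot silently retrain the filter while it is being classified.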

V. SIMULATION AND TEST

A. Algorithm scenario

The mobile agent monitors the network and captures the packets. Then it migrates to the DoS filter system. During migration the mobile agent must authenticate to the destination platform; if the authentication is successful we go on to test the integrity, otherwise the agent returns to the initial platform. After granting the integrity, the confidentiality and the availability, the mobile agent arrives at the hosting platform. The black list agent receives the IP address from the mobile agent and compares it with the malicious IP list (black list). If the IP address is found in this list we cut the connection; if not, features are extracted by the feature extraction agent. Finally the classification agent uses this feature data and applies Naive Bayes classification to classify and filter the packets. If it is a DoS attack we add it to the DoS set, if not we put it in the non-DoS set.

Figure 5. Proposed DDoS Intrusion detection Algorithm

The entire system begins with the packet capturing operation by the mobile agent. In order to do this, WinPcap and Jpcap are used for capturing packets. WinPcap also helps to analyze packets, transmit network packets, bypass the protocol stack, monitor the network, and perform network intrusion detection. The Jpcap distribution includes a tool for real-time network traffic capture and analysis, and an API; the Jpcap network capture tool performs real-time decomposition and visualization of network traffic. For the creation, management, mobility and execution of agents we adopt JADE [30,31,32]. The next step is to perform a pre-processing, that is, to retrieve header data from the packets, which needs to be stored and displayed. Then the classification agent takes the necessary data for our classification from the feature data set server. In our case we chose the KDD CUP 99 data set [33]. For lack of material resources, we opted for the 10 % version; we divided the database into 80% learning and 20% test. Before using the Naïve Bayes classifier, we did data pre-processing, which is an important step in the data mining process. We kept two classes, DOS and Normal. For the feature selection we applied two different methods, RFECV and Select-k-Best; we also used cross-validation to evaluate our machine learning model. After applying the Naïve Bayes classification by using mobile agents, we had 98.28 % detection precision and 1.72 % as the error rate.

VI. CONCLUSION

In this paper, we introduced the design and implementation of a distributed DoS filter system based on machine learning and mobile agent technology. We presented our detection algorithm for DoS attacks, based on the naïve Bayes classifier, and we combined it with mobile agents to obtain improved results. Since the agents work cooperatively, the system has many advantages, such as intelligence, distribution, mobility and scalability. The testing result of the experiment indicates that the system can detect and prevent the DoS attack with 98.28% precision. As perspectives, we are investigating other scenarios and working on the optimization of our solution.

ACKNOWLEDGMENT

The authors are grateful to the anonymous referees and to the editors for their helpful comments and suggestions to improve the manuscript.

REFERENCES

[1] M. H. Shao and J. Zhou, "Protecting mobile-agent data collection against blocking attacks", Computer Standards & Interfaces, 28(5), 2006.
[2] M. Li, W. Lou, and K. Ren, "Data security and privacy in wireless body area networks", IEEE Wireless Communications, vol. 17, no. 1, pp. 51–58, February 2010.
[3] S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, A. Jamalipour, "Wireless body area networks: A survey", IEEE Communications Surveys and Tutorials, vol. 16, pp. 1658–1686, 2014.
[4] G. Carl, G. Kesidis, R. R. Brooks, S. Rai, "Denial-of-Service Attack-Detection Techniques", IEEE Computer Society, February 2006.
[5] F. Lau, S. H. Rubin, M. H. Smith, L. Trajkovic, "Distributed Denial of Service Attacks", IEEE, 2000.
[6] B. B. Gupta, O. P. Badve, "Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment", Neural Comput & Applic, 2017.
[7] I. Androutsopoulos, J. Koutsias, K. V. Chandrinos, G. Paliouras, C. D. Spyropoulos, "An Evaluation of Naive Bayesian Anti-Spam Filtering", Proceedings of the Workshop on Machine Learning in the New Information Age, 11th European Conference on Machine Learning, Barcelona, Spain, pp. 9-17, 2000.
[8] J. Ferber, Les systèmes multi-agents. Vers une intelligence collective. InterEditions, Paris, 1995.
[9] D. B. Lange and M. Oshima, "Seven good reasons for mobile agents", Commun. ACM, vol. 42, 1999.
[10] J. Cao and S. K. Das, "Mobile agents in networking and distributed computing", Vol. 3, John Wiley & Sons, 2012.
[11] P. Braun and W. Rossak, "Mobile agent security: Basic concepts, mobility models and the Tracy toolkit", Morgan Kaufmann/Elsevier and dpunkt.verlag, USA, 2005.
[12] W. Jansen and T. Karygiannis, "Mobile Agent Security", NIST Special Publication 800-19, 1999.
[13] J. J. Adri Jovin and M. Marikkannan, "A Review on Attacks and Security Approaches in Mobile Agent Technology", Australian Journal of Basic and Applied Sciences, 2016.
[14] G. Preetha, B. S. Kiruthika Devi, and S. Mercy Shalinie, "Autonomous Agent for DDoS Attack Detection and Defense in an Experimental Testbed", International Journal of Fuzzy Systems, Vol. 16, No. 4, December 2014.
[15] V. Hema and C. Emilin Shyni, "DoS Attack Detection Based on Naive Bayes Classifier", IDOSI Publications, 2015.
[16] B. B. Gupta and Omkar P. Badve, "Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment", The Natural Computing Applications Forum, 2016.
[17] P. Xiao, Z. Li, H. Qi, W. Qu, H. Yu, "An Efficient DDoS Detection with Bloom Filter in SDN", IEEE TrustCom-BigDataSE-ISPA, 2016.
[18] A. Saidi, E. Bendriss, A. Kartit, M. El Marraki, "The functional of A Mobile Agent System to Enhance DoS and DDoS Detection in Cloud", International Journal of Applied Engineering Research, ISSN 0973-4562, Volume 11, Number 6, 2016.
[19] A. Odesile, G. Thamilarasu, "Distributed Intrusion Detection Using Mobile Agents in Wireless Body Area Networks", Seventh International Conference on Emerging Security Technologies, 2017.
[20] J. Tajer, M. Adda, B. Aziz, "Flooding Attacks Detection of Mobile Agents in IP Networks", 2017.
[21] A. Saidi, E. Bendriss, "Techniques to Detect DoS and DDoS Attacks and an Introduction of a Mobile Agent System to Enhance it in Cloud Computing", International Journal of Interactive Multimedia and Artificial Intelligence, January 2017.
[22] C. Y. Tseung, K. P. Chow, X. Zhang, "Extended Abstract: Anti-DDoS Technique Using Self-learning Bloom Filter", IEEE, 2017.
[23] X. Cheng, X. Ma, L. Wang, and S. Zhong, "A Mobile Agent Based Spam Filter System", Springer, CIS 2005, Part I, LNAI 3801, pp. 422–427, 2005.
[24] V. Hema and C. E. Shyni, "DoS Attack Detection Based on Naive Bayes Classifier", Middle-East Journal of Scientific Research 23 (Sensing, Signal Processing and Security): 398-405, 2015.
[25] G. Vigna, "Cryptographic traces for mobile agents", in Mobile agents and security, Springer Berlin Heidelberg, 1998.
[26] H. Idrissi, "Contribution à la sécurité des systèmes d'agents mobiles", PhD thesis, Université Mohammed-V, Université de La Rochelle, 2016.