
    Detection of denial-of-service attacks based on computer vision techniques

    University of Technology, Sydney. Faculty of Engineering and Information Technology.
    A Denial-of-Service (DoS) attack is an intrusive attempt which aims to make a designated resource (e.g., network bandwidth, processor time or memory) unavailable to its intended users. This attack is launched either by deliberately exploiting system vulnerabilities of a victim (e.g., a host, a router, or an entire network) or by flooding a victim with a large volume of useless network traffic. Since the 1990s, DoS attacks have emerged as one of the most severe types of network intrusive behaviour and have posed serious threats to the infrastructures of computer networks and various network-based services. This thesis aims to provide an intelligent and effective solution for DoS attack detection. Unlike related works based on machine learning and statistical analysis, this thesis suggests treating network traffic records as images and redefining the DoS attack detection problem as a computer vision task. To achieve these objectives, this thesis first conducts a detailed literature review of the state of the art in DoS attack detection. Then, it analyses and chooses the most appropriate mechanisms for DoS attack detection. Afterwards, it designs a general system framework for DoS attack detection with respect to the chosen mechanisms. Furthermore, two Multivariate Correlation Analysis (MCA) approaches are proposed based on two techniques, namely Euclidean distance and triangle area. These two proposed MCA approaches provide an accurate description of network traffic records and facilitate the conversion of network traffic into the respective images. In addition, this thesis proposes a DoS attack detection system in which the images of network traffic serve as the observed objects and the task of DoS attack detection is reformulated as a computer vision problem, namely image retrieval. This proposed DoS attack detection system applies a widely used dissimilarity measure, namely the Earth Mover's Distance (EMD), to object classification. The EMD takes cross-bin matching into account and provides a more accurate evaluation of the dissimilarity between distributions than some other well-known dissimilarity measures, such as the Minkowski-form distance Lp and the χ² statistic. The merits of the EMD give the proposed system its capability for effective detection. Last but not least, the proposed solutions, including the two MCA approaches and the EMD-based DoS attack detection system, are evaluated using the KDD Cup 99 dataset. The evaluation results illustrate that the proposed MCA approaches provide an accurate characterisation of network traffic, and that the proposed detection system can detect unknown DoS attacks and outperforms two state-of-the-art approaches.

    DoS Attack Detection using Flow Data from i-Path Routers


    Improved MCA-Based DoS Attack Detection

    A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Interconnected systems, such as Web servers, database servers, cloud computing servers, etc., are now under threat from network attackers. As one of the most common and aggressive means, Denial-of-Service (DoS) attacks have a serious impact on these computing systems. In this paper, we present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) for accurate network traffic characterization by extracting the geometrical correlations between network traffic features. Our MCA-based DoS attack detection system employs the principle of anomaly-based detection in attack recognition. This makes our solution capable of detecting known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. Furthermore, a triangle-area-based technique is proposed to enhance and to speed up the process of MCA. The effectiveness of our proposed detection system is evaluated using the KDD Cup 99 dataset, and the influences of both non-normalized data and normalized data on the performance of the proposed detection system are examined. The results show that our system outperforms two other previously developed state-of-the-art approaches in terms of detection accuracy.

    Network Intrusion Detection and Mitigation Against Denial of Service Attack

    The growing use of Internet services in the past few years has facilitated an increase in denial of service (DoS) attacks. Despite the best preventative measures, DoS attacks have been successfully carried out against high-profile organizations and enterprises, including those that took down Chase, BOA, PNC and other major US banks in September 2009, which reveals the vulnerability of even well-equipped networks. These widespread attacks have resulted in significant loss of service, money, and reputation for organizations, calling for a practical and efficient solution to DoS attack detection and mitigation. DoS attack detection and mitigation strengthens the robustness and security of a network or computer system by monitoring system activities for suspicious behaviors or policy violations, providing forensic information about the attack, and taking defensive measures to reduce the impact on the system. In general, attacks can be detected by (1) matching observed network traffic with patterns of known attacks; (2) looking for deviation of traffic behavior from the established profile; and (3) training a classifier from a labeled dataset of attacks to classify incoming traffic. Once an attack is identified, the suspicious traffic can be blocked or rate limited. In this presentation, we present a taxonomy of DoS attack detection and mitigation techniques, followed by a description of four representative systems (Snort, PHAD, MADAM, and MULTOPS). We conclude with a discussion of their pros and cons as well as challenges for future work.

    An Improved Packet Size Entropy Based DoS Attack Detection Scheme

    A denial-of-service attack is an attempt by a single person or a group of people to disrupt an online service. The cost of the attack depends on the importance of the online service in the Internet world, whether it is online banking or online shopping. Shutting down some services for a few hours can cost millions of dollars for companies like Amazon, eBay, HSBC, etc. So a denial-of-service attack is a very serious problem in the online world. Recognizing such an attack at its beginning can reduce the damage it causes. Even so, such an attempt is extremely difficult on networks where the traffic is very high. Furthermore, people who are determined to take down a particular network service will do a lot of homework and can cause much more damage than a general denial-of-service attack can. There are, however, many mechanisms available today to identify denial-of-service attacks. One such method is the entropy-based detection scheme. Among entropy-based detection schemes, the packet size entropy based scheme is much faster and easier to implement. Even so, this method has some shortcomings. This thesis introduces a new parameter to the packet size entropy based DoS attack detection scheme so that it can improve the detection accuracy. The new parameter is the entropy of the source and destination IP address combination, i.e., a concatenation of both addresses gives a hash-like value which can uniquely identify a particular path. With this parameter, even if the attacker changes the packet size using simple application programs for packets such as ICMP, the attack can be detected.

    An effective Denial of Service Attack Detection Method in Wireless Mesh Networks

    Abstract: This paper addresses the detection of DoS attacks (Denial-of-Service attacks) when wireless mesh networks adopt the AODV routing protocol of Ad Hoc networks. Technologies such as end-to-end authentication, the utilization rate of cache memory, two pre-assumed threshold values and distributed voting are used in this paper to detect the DoS attacker, on the basis of the hierarchical topology structure in wireless mesh networks. Through theoretical performance analysis and simulation experiments, the scheme is shown to improve the flexibility and accuracy of DoS attack detection, and to clearly improve security in wireless mesh networks.

    MODIFICATION OF THE DETECTION ALGORITHM FOR MASS TCP SYN FLOOD (DoS) ATTACKS

    This work focuses on the proposal and implementation of a modification of a SYN flood (DoS) attack detection algorithm. Based on a Counting Bloom filter, the attack detection algorithm is proposed and implemented in the KaTaLyzer network traffic monitoring tool. TCP attacks can be detected and the network administrator can be notified in real time about an ongoing attack using different notification methods.