A System for Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis

Interconnected systems such as Web servers, database servers and cloud computing servers are now under threat from network attackers. As one of the most common and aggressive means of attack, Denial-of-Service (DoS) attacks have a serious impact on these computing systems. A DoS attack detection system is proposed that uses Multivariate Correlation Analysis (MCA) for accurate network traffic characterization by extracting the geometrical correlations between network traffic features. The MCA-based DoS attack detection system employs the principle of anomaly-based detection in attack recognition. This makes the proposed solution capable of detecting both known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. Furthermore, a triangle-area-based technique is proposed to enhance and to speed up the process of MCA. The results show that the proposed system outperforms two other previously developed state-of-the-art approaches in terms of detection accuracy.
Network-based detection systems
Network-based detection systems are loosely coupled with the operating systems running on the host machines they protect. Network-based detection systems can be classified into two main categories:
Misuse based detection systems and
Anomaly-based detection systems
Misuse-based detection systems
A misuse-based system detects attacks by monitoring network activities and looking for matches with existing attack signatures. In spite of having high detection rates for known attacks and low false positive rates, misuse-based detection systems are easily evaded by new attacks and even by variants of existing attacks.
Anomaly based detection
An anomaly-based system monitors network activities and flags any that show a significant deviation from legitimate traffic profiles as suspicious. Because they do not depend on signatures, anomaly-based detection techniques are more promising for detecting zero-day intrusions that exploit previously unknown system vulnerabilities.
Feature correlation analysis
One previous approach is an algorithm that discriminates DDoS attacks from flash crowds by analyzing the flow correlation coefficient among suspicious flows.
Another is a covariance-matrix-based approach designed to mine the multivariate correlation of sequential samples.
Keeping the signature database of a misuse-based detection system up to date is a complicated and labour-intensive task, because signature generation is a manual process that depends heavily on network security expertise.
Anomaly-based detection systems commonly suffer from high false positive rates, because the correlations between features/attributes are neglected or the techniques do not manage to fully exploit these correlations.
Feature correlation analysis can only label an entire group of observed samples as legitimate or attack traffic, not the individual samples in the group.
The proposed system is a Multivariate Correlation Analysis (MCA)-based detection system that protects online services against DoS attacks. Its objectives are:
To develop a complete framework for our proposed DoS attack detection system
To propose an algorithm for normal profile generation and an algorithm for attack detection
Because the resources of interconnected systems are located in service providers' Local Area Networks, which are commonly built on the same or similar underlying network infrastructure and are compliant with the underlying network model, the proposed detection system can provide effective protection to all of these systems by considering their commonality.
MCA and the anomaly-based detection principle equip the detection system with accurate characterization of traffic behaviour and with detection of known and unknown attacks, respectively.
A triangle-area technique is developed to enhance and to speed up the process of MCA.
By considering the commonality of the protected systems, the proposed detection system can provide effective protection to all of them.
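As an added example (not code from this page or from the authors' system), the following Python shows how the normal-profile generation and attack-detection steps described above fit together on top of a triangle-area map. The page does not give the formulas, so everything concrete here is this example's assumption: the triangle area for a feature pair (j, k) is taken as the area of the triangle formed by the origin and the record's projections onto the j and k axes, |x_j * x_k| / 2; the profile is the mean and per-entry standard deviation of the triangle-area maps of legitimate records; the distance is a standardized Euclidean distance (a diagonal-covariance simplification of a Mahalanobis distance); and the threshold is the mean plus alpha times the standard deviation of the training distances. The traffic features and all sample records are constructed, and features are used raw; a deployment would normalize them first.

```python
"""Triangle-area-based MCA anomaly detector for DoS traffic (added example).

Assumptions of this example, not statements from the page:
  * triangle area for feature pair (j, k) = |x_j * x_k| / 2, collected over
    all unordered pairs into a triangle area map (TAM);
  * the normal profile = mean TAM, per-entry std of the TAM, and a threshold;
  * distance = standardized Euclidean distance between a record's TAM and the
    mean TAM (diagonal-covariance simplification of a Mahalanobis distance);
  * threshold = mean + alpha * std of the distances of the training records.
"""
import math
from dataclasses import dataclass

EPS = 1e-9  # guards against a zero-variance TAM entry in the profile


def triangle_area_map(record):
    """Upper-triangle TAM: one area per unordered feature pair (j < k)."""
    m = len(record)
    return [abs(record[j] * record[k]) / 2.0
            for j in range(m) for k in range(j + 1, m)]


def standardized_distance(tam, mean, std):
    """Euclidean distance after scaling each TAM entry by its training std."""
    return math.sqrt(sum(((t - mu) / s) ** 2
                         for t, mu, s in zip(tam, mean, std)))


@dataclass
class NormalProfile:
    mean: list
    std: list
    threshold: float


def build_normal_profile(legit_records, alpha=3.0):
    """Learn the profile from legitimate traffic only; no attack samples needed."""
    tams = [triangle_area_map(r) for r in legit_records]
    n, d = len(tams), len(tams[0])
    mean = [sum(t[i] for t in tams) / n for i in range(d)]
    std = [max(math.sqrt(sum((t[i] - mean[i]) ** 2 for t in tams) / n), EPS)
           for i in range(d)]
    dists = [standardized_distance(t, mean, std) for t in tams]
    mu = sum(dists) / n
    sigma = math.sqrt(sum((x - mu) ** 2 for x in dists) / n)
    return NormalProfile(mean, std, mu + alpha * sigma)


def score(record, profile):
    """Distance of one incoming record's TAM from the learned profile."""
    return standardized_distance(triangle_area_map(record),
                                 profile.mean, profile.std)


def is_attack(record, profile):
    """Anomaly rule: flag the record when its distance exceeds the threshold."""
    return score(record, profile) > profile.threshold


# Constructed sample data (not from the page): one record per one-second
# window, features = [packets, SYN packets, ACK packets, distinct source IPs].
LEGIT_TRAFFIC = [
    [52, 10, 48, 8], [48, 9, 45, 7], [55, 11, 50, 9], [50, 10, 47, 8],
    [47, 9, 44, 7], [53, 11, 49, 8], [49, 10, 46, 8], [51, 10, 48, 9],
    [54, 11, 50, 8], [50, 9, 46, 7],
]
NEW_LEGIT = [51, 10, 47, 8]
SYN_FLOOD = [500, 480, 20, 300]   # volume and SYN/ACK ratio both abnormal
LOW_RATE_SYN = [55, 40, 15, 30]   # packet count looks normal; correlation does not

PROFILE = build_normal_profile(LEGIT_TRAFFIC)

if __name__ == "__main__":
    for name, rec in [("legit", NEW_LEGIT), ("syn_flood", SYN_FLOOD),
                      ("low_rate", LOW_RATE_SYN)]:
        print(f"{name:10s} distance={score(rec, PROFILE):10.2f} "
              f"threshold={PROFILE.threshold:.2f} "
              f"attack={is_attack(rec, PROFILE)}")
```

The second attack record is the instructive one: its packet count sits inside the legitimate range, so a per-feature threshold would pass it, but the packets-to-SYN area is far from the profile, which is exactly the feature-correlation argument made above. Two caveats for a practitioner: the profile is learned from whatever is labelled legitimate, so attack traffic in the training window is absorbed into "normal"; and the diagonal distance used here ignores covariance between TAM entries, which a full Mahalanobis distance would capture.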