Intrusion detection in network flows based on an optimized clustering criterion

Graph-based intrusion detection approaches model the network as a graph and detect anomalies from graph metrics. However, most of these approaches are defeated by the cluster-based behavior of the anomalies. To address this problem, our study first uses flow and graph-clustering concepts to create a data set. A new criterion based on the average weight of clusters is then defined, and a model is proposed that detects attacks using this criterion. Finally, the model is evaluated on a DARPA data set. Results show that the proposed approach detects the attacks with high accuracy compared with the methods described in previous studies.
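As an added illustration of the idea in the abstract (not the paper's code, and not its exact criterion), the example below builds a weighted host graph from constructed flow records, uses connected components as a stand-in for the paper's graph clustering, and flags clusters whose average edge weight falls far below the graph-wide average; the byte-weight edges, the component clustering and the 0.2 ratio are all assumptions.

```python
from collections import defaultdict

# Constructed sample flows (src, dst, bytes); not taken from the DARPA data set.
# Two ordinary clusters exchange kilobytes; one host touches many others with tiny flows.
FLOWS = [
    ("10.0.0.1", "10.0.0.2", 5000), ("10.0.0.2", "10.0.0.3", 4200), ("10.0.0.1", "10.0.0.3", 6100),
    ("10.0.1.1", "10.0.1.2", 4800), ("10.0.1.2", "10.0.1.3", 5100),
    ("192.0.2.9", "10.0.2.10", 60), ("192.0.2.9", "10.0.2.11", 60),
    ("192.0.2.9", "10.0.2.12", 60), ("192.0.2.9", "10.0.2.13", 60),
]


def build_graph(flows):
    """Undirected weighted graph; edge weight = total bytes between a host pair (assumption)."""
    g = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        g[src][dst] += nbytes
        g[dst][src] += nbytes
    return g


def clusters(g):
    """Connected components, used here as a simple stand-in for graph clustering."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(g[node])
        seen |= comp
        comps.append(comp)
    return comps


def average_weight(g, nodes):
    """Mean edge weight among the given nodes; a < b counts each undirected edge once."""
    edges = [(a, b) for a in nodes for b in g[a] if a < b]
    return sum(g[a][b] for a, b in edges) / len(edges) if edges else 0.0


def flag_clusters(flows, ratio=0.2):
    """Return clusters (as sorted host tuples) whose average weight < ratio * global average."""
    g = build_graph(flows)
    if not g:
        return []
    global_avg = average_weight(g, set(g))
    return [tuple(sorted(c)) for c in clusters(g) if average_weight(g, c) < ratio * global_avg]
```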
