Shuyuan Jin
Chinese Academy of Sciences
Publications
Featured research published by Shuyuan Jin.
international conference on communications | 2004
Shuyuan Jin; Daniel S. Yeung
This paper discusses the effects of multivariate correlation analysis on DDoS detection and proposes, as an example, a covariance analysis model for detecting SYN flooding attacks. The simulation results show that this method is highly accurate in detecting malicious network traffic in DDoS attacks of different intensities. This method can effectively differentiate between normal and attack traffic. Indeed, this method can detect even very subtle attacks that differ only slightly from normal behavior. The linear complexity of the method makes real-time detection practical. The covariance model in this paper to some extent verifies the effectiveness of multivariate correlation analysis for DDoS detection. Some open issues still exist in this model for further research.
Pattern Recognition | 2007
Shuyuan Jin; D.S. Yeung; Xi-Zhao Wang
Detecting multiple and various network intrusions is essential to maintaining the reliability of network services. The problem of network intrusion detection can be regarded as a pattern recognition problem. Traditional detection approaches neglect the correlation information contained in groups of network traffic samples, which leads to their failure to improve detection effectiveness. This paper directly utilizes the covariance matrices of sequential samples to detect multiple network attacks. It constructs a covariance feature space in which the correlation differences among sequential samples are evaluated. Two statistical supervised learning approaches are compared: a proposed threshold-based detection approach and a traditional decision tree approach. Experimental results show that both achieve high performance in distinguishing multiple known attacks, while the threshold-based detection approach offers the advantage of identifying unknown attacks. It is also pointed out that utilizing statistical information in groups of samples, especially covariance information, will benefit detection effectiveness.
systems man and cybernetics | 2007
Daniel S. Yeung; Shuyuan Jin; Xi-Zhao Wang
This paper presents a covariance-matrix modeling and detection approach to detecting various flooding attacks. Based on the investigation of correlativity changes of monitored network features during flooding attacks, this paper employs statistical covariance matrices to build a norm profile of normal activities in information systems and directly utilizes the changes of covariance matrices to detect various flooding attacks. The classification boundary is constrained by a threshold matrix, where each element evaluates the degree to which an observed covariance matrix differs from the norm profile in terms of the change of correlation between the two monitored network features represented by that element. Based on Chebyshev's inequality, we give a practical (heuristic) approach to determining the threshold matrix. Furthermore, the result matrix obtained in the detection serves as second-order features to characterize the detected flooding attack. The performance of the approach is examined by detecting Neptune and Smurf attacks, two common distributed Denial-of-Service flooding attacks. The evaluation results show that the detection approach can accurately differentiate the flooding attacks from normal traffic. Moreover, we demonstrate that the system extracts a stable set of second-order features for these two flooding attacks.
international conference on machine learning and cybernetics | 2004
Shuyuan Jin; Daniel S. Yeung
This work uses a feature space modeling methodology to identify DDoS attacks. Compared with existing approaches, the proposed feature space presents a more general model for DDoS detection. It changes non-separable attacks into separable cases and, more importantly, it also allows unknown attacks to potentially be identified by their own features. To validate these claims, a classification algorithm is defined under this feature space. We use a subset of the KDD Cup 1999 data in the experiments. The KDD Cup 1999 training dataset contains 6 different types of DDoS attacks and the testing dataset contains a further 4 novel DDoS attacks. In detecting these 6 already known DDoS attacks and 4 novel DDoS attacks against normal traffic, we obtain a high detection rate under this feature space using the proposed classification algorithm, which shows the discriminative ability of the feature space.
systems, man and cybernetics | 2009
Shuyuan Jin; Yong Wang; Xiang Cui; Xiaochun Yun
Classification of network vulnerabilities is critical to the detection and risk analysis of network vulnerabilities. A broad range of classification methods has been proposed in the literature. This paper reviews a total of 25 selected approaches and identifies the differences and relations among them. It also points out some open issues for research in this field.
computer and information technology | 2012
Yong Wang; Xiaochun Yun; Yongzheng Zhang; Shuyuan Jin; Yanchen Qiao
Network vulnerability analysis is one of the important techniques for protecting network security. Modeling and classification of network vulnerabilities are introduced first; then the concept of attack capability transfer and the algorithm to produce it are presented, which can aggregate vulnerabilities that share the same exploitation attributes and satisfy certain constraints, simplifying further analysis. Based on attack capability transfer, a new method for constructing attack graphs is presented, with complexity O(N^2), where N is the number of hosts in the network. Through analysis of the attack graph, a quantitative network vulnerability analysis is carried out and a security hardening method based on an approximate greedy algorithm is presented, with complexity O(V), where V is the number of vulnerabilities in the network. Experiments show the effectiveness of the method.
parallel and distributed computing: applications and technologies | 2011
Rongrong Xi; Xiaochun Yun; Shuyuan Jin; Yongzheng Zhang
In the face of the overwhelming alerts produced by firewalls or intrusion detection devices, it is difficult to assess the network threats we face. In this paper, we propose a threat assessment approach to estimate the impact of attacks on a network. The approach employs the Common Vulnerability Scoring System to quantitatively assess network threats and further correlates alerts with contextual information to improve the accuracy of the assessment. In the case studies, we demonstrate how the approach is applied in real networks. The experimental results show that the approach can make an accurate assessment of network threats.
systems, man and cybernetics | 2005
Shuyuan Jin; Daniel S. Yeung; Xi-Zhao Wang; Eric C. C. Tsang
Intrusion detection is an important part of assuring the reliability of computer systems. From the viewpoint of feature space partitioning by detectors, this paper investigates one of the limitations of two traditional anomaly detection technologies, NN-based anomaly detection and statistical detection approaches, in detecting novel attacks. A high-dimensional covariance matrix feature space and an on-line detection algorithm are proposed to detect various known and unknown attacks. An illustrative example of detecting various known and unknown probing attacks is provided.
International Conference on Trustworthy Computing and Services | 2012
Yaxing Zhang; Shuyuan Jin; Xiang Cui; Xi Yin; Yi Pang
With tremendously complex attacks on the network, network analysts need not only to understand but also to predict the network security situation. In the field of network security, research on predicting the network security situation has become a hot spot. Prediction of the network security situation can dynamically reflect the security situation of the entire network and provide a reliable reference for ensuring network safety. This paper predicts the network security situation using BP and RBF neural networks, and then compares the two methods. The results show that the model based on the BP neural network performs better than the model based on the RBF neural network at predicting the network security situation.
international conference on machine learning and cybernetics | 2005
Shuyuan Jin; Yeung; Xi-Zhao Wang
Detecting multiple network attacks is essential to intrusion detection, network prevention, security defense and network traffic management. But in today's distributed computer networks, the variety and frequency of attacks make effective detection difficult. This paper presents a covariance matrix based second-order statistical method to detect multiple known and unknown network anomalies. The detection method is initially based on observations of the correlativity changes in typical flooding DoS attacks. It utilizes the difference of covariance matrices among observed samples in the detection. As case studies, extensive experiments are conducted to detect multiple DoS attacks, the prevalent Internet anomalies. The experimental results indicate that the proposed approach achieves high detection rates in detecting multiple known and unknown anomalies.