Anda di halaman 1dari 3

Volume 3, Issue 3, March-2016, pp.

149-151 ISSN (O): 2349-7084

International Journal of Computer Engineering In Research Trends

Available online at:

A System for Denial of Service Attack

Detection Based On Multivariate Corelation
Sonam Deshmukh,2Shoaib Inamdar, 3Sachin Waghmode

Abstract: - in computing world, a denial-of-service (DoS) or is an process to make a machine or network resource
unavailable to its regular users.DoS attack minimizes the efficiency of the server, inorder to increase the efficiency of the
server it is necessary to identify the dos attacks hence MULTIVARIATE CORRELATION ANALYSIS(MCA)is used, this
approach employs triangle area for obtaining the correlation information between the ip address. Based on extracted data
the denial of service-attack is discovered and the response to the particular user is blocked, this maximizes the efficiency.
Our proposed system is examined using KDD Cup 99 data set, and the influence of data on the performance of the
proposed system is examined.

Keywords denial-of-service attack, Network traffic characterization, multivariate correlations, triangle area, maximum
number of hopes; network lifetime

1. INTRODUCTION purely legitimate network traffic records and make use

for future comparisons with new incoming
Denial of service attack severely reduces the investigated traffic records. The separation between a
acceptance of the online benefits. Therefore effective new traffic record and the various normal profiles is
finding of dos attack is important to the protection of
identified by the proposed detector [5]. If the
the online services. The DOS attack detection, focuses
on the growth of the network based detection criteria dissimilarity is higher than a predetermined threshold,
[3]. The detection system carries two approaches the traffic record is flagged as an attack. Otherwise, it is
namely misuse detection [1] and anomaly detection [2]. named as a legitimate traffic record. Specially, normal
Misuse detection is used to identify the known attacks, profiles and thresholds have direct impact on the
using the signatures of already defined performance of a threshold-based detector.[1] A low
rules.[2]Anomaly detection is used to build the usage quality normal profile made an inaccurate
profile of the system. During the working phase, the characterization to legitimate network traffic. Thus, we
profiles for the legitimate traffic data are produced and
first put the proposed triangle area- based MCA
the produced data are stored in the database. The
approach to analyze legitimate network traffic, and the
trusted profile production is build and handed over to
the attack detection module, which compares the obtained TAMs are then used to give quality features
individual tested profile without his normal profile. for normal profile generation
Online servers from monitoring attacks and ensure that
the servers can allot themselves to provide quality 2.1. Normal Profile Generation
services with minimum delay in response
Predict there is a set of g legitimate training traffic
2. RELETED WORK records; the triangle-area based MCA approach is
applied to understand the records. [1]Mahalanobis
In this section, we gives a threshold-based anomaly Distance (MD) is applied to calculate the dissimilarity
detector, whose normal profiles are generated using between traffic records. This is because MD has been

2016, IJCERT All Rights Reserved Page | 149

Sonam Deshmukh et al.,International Journal of Computer Engineering In Research Trends
Volume 3, Issue 3, March-2016, pp. 149-151

successfully and extensively used in cluster analysis, The events of network attacks made changes to these
classification and multivariate outlier detection correlations so that the differences can be used as
techniques. Unlike Euclidean distance and Manhattan instructors to find the dangers activities. All the action
distance, it finds distance between two multivariate correlations, namely triangle area saved in Triangle
data. Area Maps (TAMs), are then use to change the initial
basic feature or the normalized feature to show the
2.2. Threshold Selection traffic records. This gives higher selective information
to distinct between legitimate and illegitimate traffic
The threshold given is used to difference the attack
traffic from the legitimate one
Network Traffic


Sampling of IP Address
To find DoS attacks, the lower triangle (TAM observed
lower) of the TAM of an detect record needs to be
generated using the advanced triangle-area-based
Triangle Area Feature
MCA technique [6]. Then, the MD between the TAM
observed lower and the TAM normal lower saved in Generation Normalization
the respective pregenerated normal profile Pro is
obtained using the detailed detection algorithm.
Privacy defense and quality of service is important to Multivariate
studying. Correlations Analysis
2. Spatio-Temporal Obfuscation: Spatio-temporal
obfuscation minimizes the precision of not only place
but the time-related data so as to fulfill the predefined
k-anonymity standard. Testing Phase Training Phase

Decision Making
The whole detection process consists of three major
In Step 3, the anomaly-based detection mechanism [3]
The sample-by-sample detection mechanism is
is taken in Decision Making. It promotes the finding of
implicate in the whole detection phase (i.e., Steps 1, 2 )
any DoS attacks without need of any attack related
and is given in Section 2.2. In Step 1, basic advantages
data. Moreover, the labor-intensive attack analysis and
are obtained from ingress network to the internal
the frequent update of the attack signature data in the
network where protected servers reside in and are used
case of misuse-based detection are deflect. Meanwhile,
to instruct traffic data for a well-defined time
the mechanism enhances the robustness of the advance
difference. Monitoring and analyzing at the destination
detectors and makes them toughest to be evaded
network reduce the above of finding malicious
because attackers need to attack
activities by analyzing only on related inbound traffic.

This also enables our detector to enable security which 4. PRAPOSED WORK
is the best suit for the targeted internal network
because legitimate traffic records use by the detectors We present a DoS attack detection system that uses
are created for a small number of network services Multivariate Correlation Analysis (MCA) for correct
network traffic characterization by obtaining the
Step 2 is Multivariate Correlation Analysis, in which geometrical correlations between network traffic
the Triangle Area Map Generation module is given advantages. Our MCA-based DoS attack detection
to obtain the correlations between two distinct system adopted the rules of anomaly-based detection in
advantages within each traffic data coming from the attack. This makes our solution capable of detecting
first part or the traffic record distributed by the known and unknown DoS attacks efficiently by taking
Feature Normalization section in this part (Step 2).

2016, IJCERT All Rights Reserved Page | 150

Sonam Deshmukh et al.,International Journal of Computer Engineering In Research Trends
Volume 3, Issue 3, March-2016, pp. 149-151

the patterns of legitimate network traffic. Moreover, a advanced DoS attack detection system. The impact of
triangle-area-based system is used to improve and to original (non-normalized) and normalized data has
speed up the technique of MCA. The efficiency of our been considered in the paper. The results have revealed
proposed detection system is finding using KDD Cup 99 that when process with non-normalized data, our
dataset and the impact of both non-normalized record detection system obtains highest (94.20%) detection
and normalized record on the work of the advanced accuracy although it does not work well in identifying
detection system are analyzed. The results give that our Land
system performs two other previously constructed state- .REFERENCES
of-the-art techniques in terms of detection accuracy

ALGORITHMS: *1+ V. Paxson, Bro: A System for Detecting Network

Intruders in Realtime,
Computer Networks, vol. 31, pp. 2435-2463, 1999.

[2] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci-

Fernndez, and E. Vzquez, Anomaly-based Network
Intrusion Detection: Techniques, Systems and
Challenges, Computers & Security, vol. 28, pp. 18-28,

*3+ D. E. Denning, An Intrusion-detection Model,

IEEE Transactions on Software Engineering, pp. 222-
232, 1987.

[4] J. Yu, H. Lee, M.-S. Kim, and D. Park, Traffic

flooding attack detection
with SNMP MIB using SVM, Computer
Communications, vol. 31, no. 17, pp. 4212-4219, 2008.

*5+ G. Thatte, U. Mitra, and J. Heidemann, Parametric

Methods for Anomaly Detection in Aggregate Traffic,
Networking, IEEE/ACM Transactions on, vol. 19, no. 2,
pp. 512-525, 2011.

*6+ S. Jin, D. S. Yeung, and X. Wang, Network

Intrusion Detection in Covariance Feature Space,
Pattern Recognition, vol. 40, pp. 2185- 2197, 2007.
[11] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P.
This paper has given a MCA-based DoS attack Liu, Denial of- Service Attack Detection Based on
detection system which is powered by the triangle-area Multivariate Correlation Analysis, Neural Information
based MCA technique and the anomaly detection Processing, 2011, pp. 756-765.
system. The former technique extracts the geometrical
correlations hidden in individual couple of two
different features within each network traffic record,
and offers more accurate characterization for network
traffic behaviors. The next technique helps our system
to be able to distinguish both known and unknown
DoS attacks from legitimate network traffic.

Calculation has been finding using KDD Cup 99

dataset to verify the efficiency and work of the

2016, IJCERT All Rights Reserved Page | 151