
Proceedings International Conference On Advances In Engineering And Technology

www.iaetsd.in

A Survey on Detecting Denial-of-Service Attacks


Balaji V
M.E Computer Science and Engineering
Velammal Engineering College
Surapet, Chennai
balaji.venkat90@gmail.com

Dr. V Jeyabalaraja
Professor, Dept of CSE
Velammal Engineering College
Surapet, Chennai
jeyabalaraja@gmail.com

Abstract: Modern systems such as web servers, database servers and cloud computing environments are now under threat from network attackers. Denial-of-Service (DoS) attacks are among the most serious of these threats and cause serious impact on these computing systems. In this paper, we present a detection mechanism for DoS attacks that uses Multivariate Correlation Analysis (MCA) to characterize network traffic by studying the geometrical correlations between network traffic features. Our MCA-based DoS attack detection mechanism employs the principle of anomaly-based detection in attack recognition, which makes it easier to detect both known and unknown attacks by learning the patterns of legitimate network traffic. Further, a triangle-area-based approach is employed to speed up the process of MCA. The proposed system is evaluated using the KDD Cup 99 dataset.
Keywords: Denial-of-Service attack, multivariate correlations, triangle area.

I. INTRODUCTION
Denial-of-Service (DoS) attacks are one type of aggressive and menacing intrusive behavior against online servers. DoS attacks deny the availability of a victim, which can be a host, a router, or an entire network. They impose intensive tasks on the victim by exploiting a system vulnerability or flooding it with a huge amount of useless packets. The victim can be forced out of service for anywhere from a few minutes to several days. Effective detection of DoS attacks is essential to the protection of online services.
DoS attack detection focuses on the development of network-based detection mechanisms. Systems based on these mechanisms reside on a network to monitor the traffic passing through it. This relieves the online servers from monitoring for attacks and ensures that they can dedicate themselves to providing quality services with optimum response delay. Moreover, network-based detection systems are loosely coupled with the operating systems running on the host machines they protect, so that configuring this type of detection system is less complicated than configuring host-based detection systems.

Generally, network-based detection systems are classified into two types, namely misuse-based detection systems [1] and anomaly-based detection systems [2]. A misuse-based detection system detects attacks by monitoring network activities and looking for matches with existing attack signatures. In spite of having high detection rates for known attacks and low false positive rates, misuse-based detection systems can be easily evaded by new types of attacks and by variants of existing attacks. Furthermore, manual work is needed to keep the signature database updated, because signature generation heavily involves network security expertise.
Looking at the principle of detection, which monitors and flags any network activity showing significant deviation from legitimate traffic profiles as suspicious, anomaly-based detection techniques are more promising in detecting intrusions that exploit previously unknown system vulnerabilities. Moreover, anomaly-based detection is not constrained by expertise in network security, because the profiles of legitimate behavior are developed using techniques such as data mining [3], [4], machine learning, and statistical analysis. However, these proposed systems commonly suffer from high false-positive rates because the correlations between features/attributes are intrinsically neglected, or the techniques do not manage to fully exploit these correlations.
The DoS attack detection system presented in this paper is built on the principles of MCA and anomaly-based detection. The former provides accurate characterization of traffic behaviors and the latter the detection of known and unknown attacks, respectively. A triangle area map is developed to enhance and speed up the process of MCA. A statistical normalization method is used to eliminate the bias from the raw data. Our proposed DoS detection system is evaluated using the KDD Cup 99 data set.
II. SYSTEM ARCHITECTURE
An overview of our proposed DoS attack detection system architecture is given in this section, where the system framework and the sample-by-sample detection mechanism are discussed.

ISBN NO: 978 - 1503304048

International Association of Engineering & Technology for Skill Development


58


Fig 1. System Architecture


The whole detection process consists of three major steps, as shown in Fig. 1.
Step 1: The basic features generated from the observed network traffic are used to form traffic records for a well-defined time period. Observing and analyzing at the destination network reduces the overhead of detecting abnormal traffic by concentrating only on relevant inbound traffic. This also enables us to provide protection that is the best fit for the targeted internal network, because the legitimate traffic profiles used are developed for a smaller number of network services.
Step 2: Multivariate Correlation Analysis, in which the Triangle Area Map Generation method [5] is applied to determine the correlations between two distinct features within each traffic record coming from the first step, or within the traffic record normalized by the Feature Normalization module in this step. The occurrence of intrusions causes changes to these correlations, so that the changes can be used as indicators to identify the malicious activities. All the extracted correlations, namely the triangle areas stored in Triangle Area Maps (TAMs), are then used to replace the original basic features or the normalized features to represent the traffic records. This provides better discriminative information to differentiate between legitimate and illegitimate traffic records.
Step 3: The anomaly-based detection mechanism is widely used in Decision Making. It performs the detection of any DoS attack without requiring any attack-relevant knowledge. Furthermore, the labor-intensive analysis of data and the frequent updates of attack signatures needed in misuse-based detection are avoided. Meanwhile, the mechanism enhances the robustness of the proposed detectors and makes them harder to evade, because attackers need to generate attacks that match the normal traffic profiles built by a specific detection algorithm. This, however, is a labor-intensive task and requires expertise in the targeted detection algorithm.
Two phases (i.e., the Training Phase and the Test Phase) are involved in Decision Making. The Normal Profile Generation module is operated in the Training Phase to generate profiles for various types of legitimate traffic records, and the generated normal profiles are stored in a database. The Tested Profile Generation module is used in the Test Phase to build profiles for individual observed traffic records. Then, the tested profiles are handed over to the Attack Detection module, which compares the individual tested profiles with the respective stored normal profiles. A threshold-based classifier is employed in the Attack Detection module to distinguish DoS attacks from legitimate traffic.
The group-based detection mechanism has a higher rate of correctly classifying a group of sequential network traffic samples than the sample-by-sample detection mechanism. However, that proof was based on the assumption that the samples in a tested group were all from the same distribution (class). This restricts the applications of group-based detection to limited scenarios, because attacks occur unpredictably in general and it is difficult to obtain a group of sequential samples only from the same distribution. To remove this type of restriction, the system in this paper investigates traffic samples individually. This offers benefits that are not found in the group-based detection mechanism. For example, 1) attacks can be detected promptly compared with the group-based detection mechanism, 2) intrusive traffic samples can be labeled individually, and 3) the probability of classifying a sample accurately into its population is higher than the one achieved using the group-based detection mechanism in a general network scenario.
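Step 1 above (basic features formed into traffic records for a fixed time period, restricted to relevant inbound traffic) is illustrated by the following added example. It is not the paper's code: the feature set (packets, bytes, distinct sources, per-protocol packet counts), the 2-second period, the protected prefix 192.0.2.0/24 and the packet summary lines are all constructed for this illustration, and no KDD Cup 99 records are used.

```python
"""Step 1 of the pipeline: turn observed inbound traffic into per-interval
traffic records. Added example, not the paper's code. The feature set, the
2-second interval, the protected prefix and the packet lines are constructed.
"""
import ipaddress
from collections import defaultdict

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected network
INTERVAL = 2.0                                        # assumed record period (s)

# Constructed packet summaries: "<epoch> <src_ip> <dst_ip> <proto> <bytes>"
SAMPLE_LINES = """
1700000000.10 198.51.100.7 192.0.2.10 tcp 60
1700000000.40 198.51.100.8 192.0.2.10 tcp 1500
1700000000.90 192.0.2.10 198.51.100.7 tcp 52
1700000001.20 198.51.100.9 192.0.2.11 udp 512
1700000002.05 203.0.113.5 192.0.2.10 icmp 84
1700000002.30 203.0.113.5 192.0.2.10 icmp 84
1700000003.10 198.51.100.7 192.0.2.12 tcp 60
1700000003.70 192.0.2.12 198.51.100.7 tcp 60
""".strip().splitlines()


def parse_line(line):
    ts, src, dst, proto, nbytes = line.split()
    return (float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto, int(nbytes))


def is_relevant_inbound(src, dst):
    """Keep only traffic entering the protected network from outside,
    the 'relevant inbound traffic' of Step 1."""
    return dst in PROTECTED_NET and src not in PROTECTED_NET


def build_traffic_records(lines, interval=INTERVAL):
    """Aggregate inbound packets into one basic-feature vector per interval.
    Feature order: [packets, bytes, distinct_sources, tcp, udp, icmp]."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(),
                                   "tcp": 0, "udp": 0, "icmp": 0})
    for line in lines:
        ts, src, dst, proto, nbytes = parse_line(line)
        if not is_relevant_inbound(src, dst):
            continue
        b = buckets[int(ts // interval)]   # window index for this period
        b["packets"] += 1
        b["bytes"] += nbytes
        b["sources"].add(src)
        if proto in ("tcp", "udp", "icmp"):
            b[proto] += 1
    return {
        window: [b["packets"], b["bytes"], len(b["sources"]),
                 b["tcp"], b["udp"], b["icmp"]]
        for window, b in sorted(buckets.items())
    }


if __name__ == "__main__":
    for window, record in build_traffic_records(SAMPLE_LINES).items():
        print(window, record)
```

Each record is one feature vector per period; the outbound replies in the sample are dropped before aggregation, which is what keeps the later profiles specific to the protected services.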

III. MULTIVARIATE CORRELATION ANALYSIS


DoS attack traffic behaves differently from legitimate network traffic, and the behavior of network traffic is represented by its statistical properties. To describe these statistical properties well, we present the Multivariate Correlation Analysis (MCA) approach in this section. This MCA approach employs a triangle area map for extracting the correlative information between the features within an observed data object (i.e., a traffic record). The triangle area map approach is used to extract the hidden correlations between two distinct features within each traffic record coming from the first step. All extracted correlations, i.e., triangle areas, are then used to replace the existing basic features to represent the traffic records. This provides a unique way to differentiate between legitimate and illegitimate traffic records. In order to make a complete analysis, all possible permutations of any two distinct features are extracted and the corresponding triangle areas are computed.

A Triangle Area Map (TAM) is constructed and all the triangle areas are arranged on the map according to their index values. The values of the elements on the diagonal of the map are set to zero because we only care about the correlation between each pair of distinct features. The entire map has a size of m × m.

Our MCA approach introduces some unique benefits to data analysis. The hidden correlations between the distinct features in each pair are analysed through geometrical structure analysis. Changes to these may occur when anomalous behaviors appear in the traffic, and lead to significant changes between the hidden correlations and the historical models. This plays a vital role in triggering an alert in our detection system. Moreover, the triangle-area-map-based approach enables our MCA method to withstand the issue of linear change of all features.

IV. DETECTION MECHANISM

A mechanism efficient in detecting any known and unknown DoS attacks will be well served. To meet this expectation, we propose a threshold-based anomaly detector whose normal profiles (i.e., legitimate traffic profiles) are extracted using purely legitimate network traffic records and used for future comparisons with new incoming traffic records under investigation. The dissimilarity between a new incoming traffic record and the respective normal profile is examined by the proposed detection mechanism. If the dissimilarity is greater than a pre-determined threshold, the traffic record is viewed as an attack. Otherwise, it is categorized as a legitimate traffic record.
Normal profiles and thresholds have a direct effect on the performance of a threshold-based detector. A low-quality normal profile causes an inaccurate characterization of legitimate network traffic. Thus, we first apply the proposed triangle-area-based MCA approach to analyze legitimate network traffic, and the generated TAMs are then employed to supply quality features for normal profile generation.
4.1 Normal Profile Generation
Assume there is a set of n legitimate training traffic records X_normal = {x_normal,1, x_normal,2, ..., x_normal,n}. The triangle-area-based MCA approach is applied to analyze the records. The generated lower triangles of the TAMs of the set of n legitimate training traffic records are denoted by X_normal^TAMlower = {TAM_normal,1^lower, TAM_normal,2^lower, ..., TAM_normal,g^lower}. Mahalanobis Distance (MD) is adopted to measure the dissimilarity between traffic records. This is because MD has been successfully and widely used in cluster-based analysis, classification and multivariate detection techniques. Unlike Euclidean distance and Manhattan distance, it evaluates the distance between two multivariate data objects by taking the correlations between variables into account and eliminating the dependency on the scale of measurement during the calculation.
4.2 Threshold Selection
The threshold is used to identify and differentiate attack traffic from legitimate traffic. Threshold = + .
For a normal distribution, the parameter in the threshold is usually in the range 1 to 3. This means that decisions based on detection can be made with a certain level of confidence, varying from 68% to 99.7%, in association with the selection of different values of this parameter. Thus, if the MD between an observed traffic record and the respective normal profile is higher than the threshold, it will be flagged as an attack.
4.3 Attack Detection
To detect DoS attacks, the lower triangle (TAM_observed^lower) of the TAM of an observed record (T_observed) is generated using the proposed triangle-area-based MCA approach. Then, the MD between TAM_observed^lower and the TAM_normal^lower stored in the respective pre-generated normal profile is evaluated. The detailed detection algorithm is given below.
Algorithm for attack detection based on Mahalanobis distance.
Require: Observed traffic record T_observed, normal profile parameters: (N( , 2), TAM_normal^lower, Cov) and parameter
1: Generate TAM_observed^lower for the observed traffic record T_observed
2: MD_observed <- MD(TAM_observed^lower, TAM_normal^lower)
3: if ( ) MD_observed ( + ) then
4: return Normal
5: else
6: return Attack
7: end if
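The following added example carries Section III (triangle area map generation) and Section IV (normal profile generation, threshold selection and the attack detection algorithm) through in working code. It is not the paper's own code. Several points are assumptions rather than statements of this page: the triangle area for feature pair (j, k) of a record y is taken as |y_j| · |y_k| / 2, following the cited triangle-area map of Tan et al. [5]; the Feature Normalization module is read as z-score normalization with the training mean and standard deviation; the threshold is read as the mean of the training MDs plus alpha times their standard deviation, with step 3 of the algorithm as the two-sided check mean − alpha·sigma ≤ MD ≤ mean + alpha·sigma; and the traffic records (three features: src_bytes, dst_bytes, count) are constructed, not KDD Cup 99 data.

```python
"""Triangle-area-based MCA with a Mahalanobis-distance (MD) threshold detector.
Added worked example, not the paper's code. Assumptions (not stated on the page):
triangle area of pair (j, k) = |y_j| * |y_k| / 2 (after Tan et al. [5]);
z-score feature normalization; threshold = mean + alpha * std of training MDs;
the sample records are constructed, not KDD Cup 99 data."""
import math
from statistics import mean, pstdev

# Constructed legitimate training records: [src_bytes, dst_bytes, count]
TRAINING = [[215, 45076, 1], [162, 4528, 2], [236, 1228, 1], [233, 2032, 2],
            [239, 486, 3], [238, 1282, 1], [235, 1337, 2], [234, 1364, 1],
            [239, 1295, 3], [181, 5450, 2]]
# Constructed flood-like record: no payload, very many connections in the period
FLOOD = [0, 0, 511]


def zscore_params(records):
    """Per-feature (mean, std) from training data; a std of 0 is replaced by 1."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*records)]


def normalize(record, params):
    return [(x - mu) / sd for x, (mu, sd) in zip(record, params)]


def triangle_area_map(record):
    """Lower triangle of the m x m TAM: one area per distinct pair, j > k.
    The diagonal (j == k) is left out, as the paper sets it to zero."""
    m = len(record)
    return [abs(record[j]) * abs(record[k]) / 2.0 for j in range(m) for k in range(j)]


def covariance(vectors):
    """Sample mean vector and covariance matrix of the training TAMs."""
    n, d = len(vectors), len(vectors[0])
    mu = [sum(v[i] for v in vectors) / n for i in range(d)]
    cov = [[sum((v[i] - mu[i]) * (v[j] - mu[j]) for v in vectors) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov


def invert(matrix, ridge=1e-9):
    """Gauss-Jordan inverse; the tiny ridge on the diagonal keeps a
    near-singular covariance (few training records) invertible."""
    n = len(matrix)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(matrix)]
    for i in range(n):
        a[i][i] += ridge
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))   # partial pivoting
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [v / piv for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]


def mahalanobis(x, mu, cov_inv):
    """MD between a TAM and the profile mean; max() guards against -0.0 noise."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    n = len(d)
    q = sum(d[i] * cov_inv[i][j] * d[j] for i in range(n) for j in range(n))
    return math.sqrt(max(0.0, q))


def build_normal_profile(training, alpha=2.0):
    """Training phase (Section 4.1/4.2): TAM mean, inverse covariance and the
    mean/std of the training MDs, plus alpha (1..3 per Section 4.2)."""
    params = zscore_params(training)
    tams = [triangle_area_map(normalize(r, params)) for r in training]
    tam_mu, cov = covariance(tams)
    cov_inv = invert(cov)
    mds = [mahalanobis(t, tam_mu, cov_inv) for t in tams]
    return {"norm": params, "tam_mean": tam_mu, "cov_inv": cov_inv,
            "md_mean": mean(mds), "md_sigma": pstdev(mds), "alpha": alpha}


def detect(profile, observed):
    """Test phase: the Section 4.3 algorithm on one observed record."""
    tam = triangle_area_map(normalize(observed, profile["norm"]))
    md = mahalanobis(tam, profile["tam_mean"], profile["cov_inv"])
    lo = profile["md_mean"] - profile["alpha"] * profile["md_sigma"]
    hi = profile["md_mean"] + profile["alpha"] * profile["md_sigma"]
    return ("Normal" if lo <= md <= hi else "Attack"), md


if __name__ == "__main__":
    prof = build_normal_profile(TRAINING)
    for rec in (TRAINING[3], FLOOD):
        print(rec, "->", detect(prof, rec))
```

The flood record produces a triangle area between the normalized byte counts and the connection count that is orders of magnitude outside the training spread, so its MD exceeds the threshold for any alpha in the 1 to 3 range; a training record, by construction, stays inside it. The ridge in `invert` matters in practice: with only a handful of training records the TAM covariance can be singular, and a plain inverse would fail before any detection takes place.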

V. SYSTEM EVALUATION
The evaluation of the system is conducted on the KDD CUP 99 dataset [6]. The 10 percent labeled data of the KDD CUP 99 dataset is employed, in which three different types of legitimate traffic (TCP, UDP and ICMP traffic) and six different types of DoS attacks (Teardrop, Smurf, Pod, Neptune, Land and Back attacks) are available. They are the targeted records in this evaluation and are first filtered out. Then, they are further grouped into several clusters according to their labels. A 10-fold cross-validation is conducted to analyse and evaluate the system, and the entire filtered data subset is used for validation. Evaluation results are shown as graphs. Moreover, we identify some weaknesses in the current system and suggest a solution. In addition, the results of the enhanced system and performance comparisons with two state-of-the-art approaches are presented to prove the effectiveness of the solution.
5.1 Evaluation Metrics
True Negative Rate (TNR), Detection Rate (DR), False Positive Rate (FPR) and Accuracy (i.e., the proportion of the overall samples which are classified correctly) are four important metrics for evaluating a DoS attack detection system. Systems which give a high detection rate together with a low false positive rate (namely a high detection accuracy rate) are highly rated among detection mechanisms. To reveal the performance of the proposed DoS attack detection system in technical terms, a Receiver Operating Characteristic (ROC) curve is employed to show the relationship between DR and FPR.
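The four metrics above, and the ROC relationship between DR and FPR obtained by sweeping the detector threshold, are computed by the following added example. It is not the paper's code; the (score, label) pairs are constructed Mahalanobis distances, whereas in the paper these values would come from the 10-fold cross-validation on the KDD Cup 99 subset. Label 1 denotes a DoS attack and 0 legitimate traffic; a record is flagged as an attack when its score exceeds the threshold.

```python
"""Evaluation metrics of Section 5.1 (TNR, DR, FPR, Accuracy) and an ROC sweep
over detector thresholds. Added example, not the paper's code; the scores and
labels below are constructed."""

# Constructed (MD score, label) pairs; label 1 = DoS attack, 0 = legitimate
SCORED = [(0.8, 0), (1.2, 0), (1.9, 0), (2.6, 0), (3.4, 0),
          (2.9, 1), (4.5, 1), (7.0, 1), (12.0, 1), (40.0, 1)]


def classify(scored, threshold):
    """Threshold-based classifier: (predicted, actual) per record."""
    return [(1 if score > threshold else 0, label) for score, label in scored]


def confusion(predictions):
    """Counts of (TP, TN, FP, FN) from (predicted, actual) pairs."""
    tp = sum(1 for p, a in predictions if p == 1 and a == 1)
    tn = sum(1 for p, a in predictions if p == 0 and a == 0)
    fp = sum(1 for p, a in predictions if p == 1 and a == 0)
    fn = sum(1 for p, a in predictions if p == 0 and a == 1)
    return tp, tn, fp, fn


def metrics(predictions):
    tp, tn, fp, fn = confusion(predictions)
    return {
        "DR": tp / (tp + fn) if tp + fn else 0.0,     # detection rate
        "FPR": fp / (fp + tn) if fp + tn else 0.0,    # false positive rate
        "TNR": tn / (tn + fp) if tn + fp else 0.0,    # true negative rate
        "Accuracy": (tp + tn) / len(predictions),     # overall correct share
    }


def roc_points(scored, thresholds):
    """One (FPR, DR) point per threshold, deduplicated and sorted for plotting."""
    pts = []
    for t in thresholds:
        m = metrics(classify(scored, t))
        pts.append((m["FPR"], m["DR"]))
    return sorted(set(pts))


def auc(points):
    """Area under the ROC polyline by the trapezoid rule."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


if __name__ == "__main__":
    print(metrics(classify(SCORED, 3.0)))
    pts = roc_points(SCORED, [0.0, 2.0, 3.0, 5.0, 100.0])
    print(pts, "AUC =", auc(pts))
```

Sweeping the threshold makes the trade-off the section describes visible: lowering it raises DR at the cost of FPR, and the curve (or its area) summarizes the detector independently of any single threshold choice.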

VI. COMPUTATIONAL COMPLEXITY AND TIME COST ANALYSIS
We conduct an analysis of the computational complexity and the time cost of our proposed MCA-based detection system. On one hand, as discussed above, the triangle areas of all possible combinations of any two distinct features in a traffic record have to be calculated when processing our proposed MCA. The triangle-area-based MCA analyses the geometrical correlations hidden in individual pairs of two distinct features within each network traffic record, and offers more accurate characterization of network traffic behaviors. The anomaly-based detection technique enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic.
Moreover, the time cost is evaluated to show the contribution of our proposed MCA to the detection mechanism for DoS attacks. Our proposed MCA can process approximately 23,092 traffic records per second. In contrast, the MCA based on a Euclidean distance map achieves roughly 12,044 traffic records per second, which is almost half of what is achieved by our proposed MCA.

VII. CONCLUSION
This paper has proposed a threshold-based DoS attack detection system which is built on the triangle-area-based multivariate correlation analysis technique and the anomaly-based detection technique. The former technique extracts the geometrical correlations hidden in individual pairs of two distinct features within each network traffic record, and offers more accurate differentiation of network traffic behaviors. The latter technique enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic.
Evaluation has been conducted on the KDD CUP 99 dataset to verify the effectiveness and accuracy rate of the proposed system. The results prove that when working with non-normalized data, our detection system achieves a maximum of 95.20% detection accuracy, though its performance degrades in detecting certain types of DoS attacks. The problem, however, can be solved by employing a statistical normalization technique to eliminate the bias from the dataset. The results of evaluating with the normalized data show a more satisfying detection accuracy of 99.95% and nearly 100.00% detection rates for a wide range of DoS attacks. Besides, the comparison result proves that our detection system outperforms two state-of-the-art approaches in terms of detection accuracy.
However, the false positive rate of our detection system needs to be further reduced in order to release network administrators from being disrupted by frequently shown false alarms. Thus, as part of our future work, we will further test our DoS attack detection mechanism using real-world data and employ more sophisticated classification techniques to further reduce the false positive rate.
VIII. REFERENCES
[1] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges," Computers and Security, vol. 28, pp. 18-28, 2009.
[3] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, "DDoS Attack Detection Method Using Cluster Analysis," Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, 2008.
[4] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, "Intrusion Detection Using Fuzzy Association Rules," Applied Soft Computing, vol. 9, no. 2, pp. 462-469, 2009.
[5] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, "Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection," Proc. IEEE 11th Int'l Conf. Trust, Security and Privacy in Computing and Comm., pp. 33-40, 2012.
[6] M. Tavallaee, E. Bagheri, L. Wei, and A.A. Ghorbani, "A Detailed Analysis of the KDD Cup 99 Data Set," Proc. IEEE Second Int'l Conf. Computational Intelligence for Security and Defense Applications, pp. 1-6, 2009.
