DISCOVERING SERVICE REQUEST ATTACKS USING

ANOMALY BASED PROFILE LEARNING APPROACH

PRESENTED BY:
C.DHIVYA

GUIDED BY:
Mrs.D.Ponniselvi, M.Sc.,M.Phil.,

M.Phil(CS)
Assistant Professor
Vivekanandha College of Arts & Sciences for Women(Autonomous)
Tiruchengode

ABSTRACT

Web servers, database servers, cloud computing servers and so on,

are now under threads from network attackers.
Aggressive means, denial-of-service (DoS) attacks cause serious
impact on these computing systems.
DoS attack detection system that uses Multivariate Correlation
Analysis(MCA) for accurate network.
It use detecting known and unknown DoS attacks effectively by
legitimate network traffic only.

Cont..

Triangle-area-based technique is proposed to enhance and to

speed up the process of MCA.

Distributed Denial-of Service attack(DDoS) is a group of

attack it used Enhanced Multivariate Correlation
Analysis(EMCA).

Denial- of-Service attack(DoS)

Denial- of-Service attack(DoS)

Denial Of Service(DoS) attacks is a one type of aggressive

intrusion behavior to online servers.
Effective detection of DoS attacks is essential to the protection of
online services.
Dos attack is a one computer to one internet connection that is one
attacker attack the one internet connection.
DoS attack approach using Multivariate Correlation
Analysis(MCA) it used to findout the legitimate network traffic.

Distributed Denial of Service(DDoS)

attacks

Distributed Denial of Service(DDoS)

attacks

Distributed Denial of Service(DDoS) attack is a uses multiple

computers and Internet connections.
DDoS called Botnet attack and it have bot master (Head)and
bots(Group Members).
DDoS attacks using Enhanced Multivariate Correlation
Analysis(EMCA) for enhanced speed of DDoS.

LITERATURE SURVEY
Discriminating DDoS Attacks from Flash Crowds
Flow similarity-based approach is applied to DDoS attacks from
flash crowds, which remains an open problem to date.
Distributed Denial of Service (DDoS) attacks pose a critical threat
to the Internet.
Botnets for attacks or collecting sensitive information for
malicious purposes, hackers to commit these crimes.

Cont..
DNS for Massive Scale Command and Control
Botnet command-and-control (C&C) channel refers to the
protocol used by bots and botmaster to communicate to each
other.
Example for bots to receive new attack commands and updates
from botmaster, or to submit stolen data.
Botnet needs to be reliable, redundant, and easily as legitimate
traffic.
HTTP-based command and control is difficult to distinguish from
legitimate web traffic

Cont..
Scalable Random Early Detection Scheme against DoS Attacks
The routers queue management strategies are divided into two
categories,
Passive Queue Management (PQM)
Active Queue Management (AQM).
PQM drops the new arriving packets or packets in the head of the
queue when the queue is completely filled.
AQM active queue management is the intelligent drop of network
packets inside a buffer.

EXISTING SYSTEM

Denial-Of-Service(DoS) attacks are one type of aggressive and

menacing intrusive behavior to online servers.
DoS attacks severely degrade the availability of a victim, which
can be a host, a router, or an entire network.
System vulnerability or flooding it with huge amount of useless
packets.
DoS attacks is essential to the protection of online services.

Cont..

DoS attack detection system employs the principles of MCA

and anomaly based detection.
They equip the detection system with capabilities of accurate
characterization for traffic behaviors and detection of known
and unknown attacks, respectively.
A triangle area technique is developed to enhance and to speed
up the process of MCA.
A statistical normalization technique is used to eliminate the
bias from the raw data.

Drawbacks of the Existing System

Multivariate Correlation Analysis (MCA) is used for accurate

network traffic characterization.
MCA-based DoS attack detection system employs the
principle of anomaly based detection in attack recognition.
MCA extracts the geometrical correlations between network
traffic features.
MCA scheme is enhanced with triangle area based technique.
Triangle area map generation module is applied to extract the
correlations between two distinct features within each traffic
record.

PROPOSED SYSTEM

The Denial of Service (DoS) attacks are raised with the

continuous request submission mechanism.
The service provider verifies the request count and request
flow information to detect the DoS attacks.
Distributed Denial of Service (DDoS) attacks are initiated by a
group of users.
The DoS attack detection schemes are not able to discover the
DDoS attacks.
The attack detection system is constructed with the Enhanced
Multivariate Correlation Analysis (EMCA) scheme.

Advantages Of Proposed System

The system detects known and unknown DoS attacks.

Attack detection accuracy is improved.
The system detects attacks on non-normalized data and
normalized data.
The system includes variety of DoS attacks in the
detection process.

SYSTEM METHODOLOGY

The network intrusion detection system is constructed to protect

the service providers from the Denial of Service (DoS) and
Distributed Denial of Service (DDoS) attacks.
Multivariate Correlation Analysis (MCA) is employed to
discover the Denial of Serviced (DoS) attacks
The Enhanced Multivariate Correlation Analysis(EMCA)
model is also applied to detect the DDoS attacks.
Mahalanobis Distance measure is applied to estimate the
similarity between the user requests.

1.System Framework

In Step 1, basic features are generated from ingress network

traffic to the internal network where protected servers reside in
and are used to form traffic records for a well-defined time
interval.
Step 2, multivariate correlation analysis, in which the triangle
area map generation module is applied to extract the
correlations between two distinct features within each traffic
record coming from the first step or the traffic record.
Step 3, the anomaly based detection mechanism is adopted in
decision making. It facilitates the detection of any DoS attacks
without requiring any attack relevant knowledge.

2. Multivariate Correlation Analysis

DoS attack traffic behaves differently from the legitimate network traffic, and the
behavior of network traffic is reflected by its statistical properties.

This MCA approach employs triangle area for extracting the correlative information
between the features within an observed data object

Given an arbitrary data set X =

Represents,
ith m - dimensional traffic record.
Triangle area concept is applied to extract the geometrical correlation between the j and
k features in the vector xi .
To obtain the triangle formed by the two features, data transformation is involved.

where x

Cont..

The vector x is first projected on the (j, k)th 2D Euclidean

subspace as.

The vectors
and
have
elements with values of zero, except the (j,j)th and (k,k)th
elements whose values are ones in "j and "k, respectively.
The y
can be interpreted as a 2D column vector, which
can also be defined as a point on the Cartesian coordinate
system in the (j,k)th 2D euclidean subspace with coordinate

Cont..
Then, on the Cartesian coordinate system, a triangle
formed by the origin and the projected points of the coordinate
on the j-axis and k-axis is found. Its area Tr is defined

Tr

where 1 i n, 1 j m, 1 k m, and j = k.
To make a complete analysis, all possible permutations of any two
distinct features in the vector x are extracted and the corresponding
triangle areas are computed.
A TAM is constructed and all the triangle areas are arranged on the map
with respect to their indexes.

Cont..

For example, the Tr

is positioned on the j th row and the k th
column of the map TAM which has a size of m * m.
The values of the elements on the diagonal of the map are set to
zeros
because the system only cares about the
correlation between each pair of distinct features.
For the non diagonal elements Tr
and Tr
where
j =k, they indeed represent the areas of the same triangle.
This infers that the values of Tr
and Tr
are actually equal.
Hence, the TAM is a symmetric matrix having elements of zero
on the main diagonal.

3. Enhanced Multivariate Correlation Analysis

The attack detection systems are built with traffic analysis

mechanism.
Traffic patterns are identified and applied to discover the attack
levels.
Service requests are initiated by the legitimate users and attackers.
The Denial of Service (DoS) attacks are generated by a single user
by sending continuous service requests to the service providers.
The Mahalanobis distance measure is also tuned to compare
request patterns from different users.
The anomaly detection model is also adapted to discover attacks
that are generated from botnet members.

Comparison of Detection Latency between Multivariate Correlation Analysis (MCA) and Enhanced Multivariate Correlation Analysis
(EMCA)

Comparison of Detection Latency between Multivariate

Correlation Analysis (MCA) and Enhanced Multivariate
Correlation Analysis (EMCA)

Request MCA EMCA

s
200

25

13

400

27

16

600

30

18

800

32

20

1000

34

22

Comparison of False Positive Rate between Multivariate Correlation

Analysis (MCA) and Enhanced Multivariate Correlation Analysis
(EMCA)

Comparison of False Positive Rate between Multivariate Correlation Analysis (MCA) and Enhanced Multivariate Correlation
Analysis (EMCA) Schemes

Requests

MCA

EMCA

200

4.52

3.63

400

4.21

3.42

600

4.17

3.25

800

4.23

3.49

1000

4.39

3.58

Comparison of False Negative Rate between Multivariate Correlation

Analysis (MCA) and Enhanced Multivariate Correlation Analysis
(EMCA)

Comparison of False Negative Rate between Multivariate Correlation

Analysis (MCA) and Enhanced Multivariate Correlation Analysis
(EMCA)

Requests

MCA

EMCA

200

4.24

3.46

400

4.53

3.62

600

4.31

3.48

800

4.68

3.77

1000

4.57

3.86

3.Attack Detection Process

A threshold-based anomaly detector with normal profiles are

generated using purely legitimate network traffic records and
utilized for future comparisons with new incoming
investigated traffic records.
The dissimilarity between a new incoming traffic record and
the respective normal profile is examined by the proposed
detector.
If the dissimilarity is greater than a predetermined threshold,
the traffic record is flagged as an attack. Otherwise, it is
labeled as a legitimate traffic record.

3.1 Normal Profile Generation

Mahalanobis distance is adopted to measure the dissimilarity

between traffic records.
This is because MD has been successfully and widely used in
cluster analysis, classification and multivariate outlier
detection techniques.
Unlike euclidean distance and Manhattan distance, it evaluates
distance between two multivariate data objects by taking the
correlations between variables into account and removing the
dependence on the scale of measurement during the
calculation.

3.2 Threshold Selection

The threshold given is used to differentiate attack traffic from

the legitimate one.
For a normal distribution, is usually ranged from 1 to 3.
This means that detection decision can be made with a certain
level of confidence varying from 68 to 99.7 percent in
association with the selection of different values of .

Screen Shots

QUERIES?

THANK YOU