Two-Tier GCT Based Approach for Attack Detection
ABSTRACT
The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing new techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks and to take action to weaken those attacks appropriately before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, which is based on two-tier GCT by analyzing causal relationship between attacking variable at the attacker and abnormal variable at the target. According to the abnormal behavior at the target, GCT is executed initially to determine preliminary attacking variable, which has whole causality with abnormal variable in network behavior. Depending on behavior feature extracted from abnormal behavior, we can recognize attacking variable by using GCT again, which has local causality with abnormal variable in local behavior. Proactive detecting rules can be constructed with the causality between attacking variable and abnormal variable, which can be used to give alarms in network management system. The results of experiment showed that the approach with two-tier GCT was proved to detect attacks early, with which attack propagation could be slowed through early detection.
The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing new techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks and to take action to weaken those attacks appropriately before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, which is based on two-tier GCT by analyzing causal relationship between attacking variable at the attacker and abnormal variable at the target. According to the abnormal behavior at the target, GCT is executed initially to determine preliminary attacking variable, which has whole causality with abnormal variable in network behavior. Depending on behavior feature extracted from abnormal behavior, we can recognize attacking variable by using GCT again, which has local causality with abnormal variable in local behavior. Proactive detecting rules can be constructed with the causality between attacking variable and abnormal variable, which can be used to give alarms in network management system. The results of experiment showed that the approach with two-tier GCT was proved to detect attacks early, with which attack propagation could be slowed through early detection.
Cite this paper
nullZ. Wang, Q. Xia and K. Lu, "Two-Tier GCT Based Approach for Attack Detection," Journal of Software Engineering and Applications, Vol. 1 No. 1, 2008, pp. 60-67. doi: 10.4236/jsea.2008.11009.
nullZ. Wang, Q. Xia and K. Lu, "Two-Tier GCT Based Approach for Attack Detection," Journal of Software Engineering and Applications, Vol. 1 No. 1, 2008, pp. 60-67. doi: 10.4236/jsea.2008.11009.
References
[1] M. Thottan and C. Y. Ji, “Anomaly detection in IP networks,” IEEE Transactions on Signal Processing, 51(8): pp. 2191–2204, 2003. [2] M. Roesch, “Snort-lightweight intusion detection for networks,” in USENIX LISA 1999, Seattle, WA, November 1999. [3] P. Barford et al., “A signal analysis of network traffic anomalies,” in ACM SIGCOMM Internet Measurement Workshop, November 2002. [4] A. Hussein, J. Heidemann, and C. Papadopoulus, “A framework for classifying denial of service attacks,” in ACM SIGCOMM, August 2003. [5] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing network-wide traffic anomalies,” in ACM SIGCOMM, September 2004. [6] D. Plonka, “FlowScan: A network traffic flow reporting and visualization tool,” in USENIX LISA 2000, New Orleans, LA, December 2000. [7] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the source,” in IEEE International Conference on Network Protocols, November 2002. [8] A. Garg and A. L. N. Reddy, “Mitigation of DoS attacks through QoS regulation,” in Proceedings of IWQOS, May 2002. [9] J. Ioannidis and S. M. Bellovin, “Implementing pushback: Router-based defense against DDoS attacks,” in Proceedings of Network and Distributed System Security Symposium, February 2002. [10] Y. Zhang, L. Breslau, V. Paxson, and S. Shenker, “On the characteristics and origins of internet flow rates,” in ACMSIGCOMM, August 2002. [11] Smitha, I. Kim, and A. L. N. Reddy, “Identifying long term high rate flows at a router,” in Proceedings of High Performance Computing, December 2001. [12] I. Kim, “Analyzing network traces to identify long-term high rate flows,” M. S. thesis, TAMU-ECE-2001-02, May 2001. [13] R. Mahajan, et al., “Controlling high bandwidth aggregates in the network,” ACM Computer Communication Review, Vol. 32, No. 3, July 2002. [14] C. Estan and G. Varghese, “New directions in traffic measurement and accounting,” in ACM SIGCOMM, August 2002. [15] A. Medina et al., “Traffic matrix estimation: Existing techniques and new directions,” in ACM SIGCOMM, August 2002. [16] D. Tong and A. L. N. Reddy, “QOS enhancement with partial state,” in Proceedings of IWQOS, June 1999. [17] Packeteer, “PacketShaper Express,” white paper, 2003, http://www. packeteer. Com / resources / prod-sol/Xpress_ Whitepaper.pdf. [18] S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan, and V. Paxson, “Pushback messages for controlling aggregates in the network,” IETF Internet draft, work in progress, July 2001. [19] S. Savage, D. Whetherall, A. Karlin, and T. Anderson, “Practical network support for IP traceback,” in ACM SIGCOMM, 2000. [20] S. S. Kim and A. L. N. Reddy, “Statistical techniques for detecting traffic anomalies through packet header data,” IEEE/ACM Transaction on Networking, Vol. 16, No. 3, pp. 562–575, June 2008. [21] A. Kuzmanovic and E. Knightly, “Low-rate TCP-targeted denial of service attacks,” in ACM SIGCOMM, Karlsruhe, Germany, August 2003. [22] A. Feldmann, A. Gilbert, P. Huang, and W. Willinger, “Dynamics of IP traffic: A study of the role of variability and the impact of control,” ACM Computer Communication Review, Vol. 29, No. 4, pp. 301–313, 1999. [23] C. M. Cheng, H. T. Kung, and K. S. Tan, “Use of spectral analysis in defense against DoS attacks,” in IEEE Globecom, 2002. [24] J. B. D. Cabrera, L. Lewis, and X. Z. Qin, “Proactive detection of distributed denial of service attacks using MIB traffic variables–a feasibility study,” IEEE Transactions on Signal Processing, 49(6): pp. 609–622, 2001. [25] S. Wang, L. C. Sun, and G. Z. Gan, “Application research based on Granger causality test for attack detection,” Computer Applications, 25 (6): pp. 1282–1285, 2005. [26] F. Zhang and J. Hellerstein, “An approach to on-line predictive detection,” in proceedings of the Eighth International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems, San Francisco, CA, IEEE Computer Society, pp. 549–556 August 2000. [27] J. Hamilton, “Time series analysis,” Princeton University Press, 1994. [28] B. X. Zou and Z. Q. Yao, “A method to stabilize network traffic,” Journal of China Institute of Communications, 25(8): pp. 14–23, 2004. [29] P. J. Criscuolo, “Distribution denial of service — trin00, tribe flood network, tribe flood network 2000, and stacheldraht,” CIAC–2319, Department of Energy — CIAC (Computer Incident Advisory Capacity), 2000.
[1] M. Thottan and C. Y. Ji, “Anomaly detection in IP networks,” IEEE Transactions on Signal Processing, 51(8): pp. 2191–2204, 2003. [2] M. Roesch, “Snort-lightweight intusion detection for networks,” in USENIX LISA 1999, Seattle, WA, November 1999. [3] P. Barford et al., “A signal analysis of network traffic anomalies,” in ACM SIGCOMM Internet Measurement Workshop, November 2002. [4] A. Hussein, J. Heidemann, and C. Papadopoulus, “A framework for classifying denial of service attacks,” in ACM SIGCOMM, August 2003. [5] A. Lakhina, M. Crovella, and C. Diot, “Diagnosing network-wide traffic anomalies,” in ACM SIGCOMM, September 2004. [6] D. Plonka, “FlowScan: A network traffic flow reporting and visualization tool,” in USENIX LISA 2000, New Orleans, LA, December 2000. [7] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the source,” in IEEE International Conference on Network Protocols, November 2002. [8] A. Garg and A. L. N. Reddy, “Mitigation of DoS attacks through QoS regulation,” in Proceedings of IWQOS, May 2002. [9] J. Ioannidis and S. M. Bellovin, “Implementing pushback: Router-based defense against DDoS attacks,” in Proceedings of Network and Distributed System Security Symposium, February 2002. [10] Y. Zhang, L. Breslau, V. Paxson, and S. Shenker, “On the characteristics and origins of internet flow rates,” in ACMSIGCOMM, August 2002. [11] Smitha, I. Kim, and A. L. N. Reddy, “Identifying long term high rate flows at a router,” in Proceedings of High Performance Computing, December 2001. [12] I. Kim, “Analyzing network traces to identify long-term high rate flows,” M. S. thesis, TAMU-ECE-2001-02, May 2001. [13] R. Mahajan, et al., “Controlling high bandwidth aggregates in the network,” ACM Computer Communication Review, Vol. 32, No. 3, July 2002. [14] C. Estan and G. Varghese, “New directions in traffic measurement and accounting,” in ACM SIGCOMM, August 2002. [15] A. Medina et al., “Traffic matrix estimation: Existing techniques and new directions,” in ACM SIGCOMM, August 2002. [16] D. Tong and A. L. N. Reddy, “QOS enhancement with partial state,” in Proceedings of IWQOS, June 1999. [17] Packeteer, “PacketShaper Express,” white paper, 2003, http://www. packeteer. Com / resources / prod-sol/Xpress_ Whitepaper.pdf. [18] S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan, and V. Paxson, “Pushback messages for controlling aggregates in the network,” IETF Internet draft, work in progress, July 2001. [19] S. Savage, D. Whetherall, A. Karlin, and T. Anderson, “Practical network support for IP traceback,” in ACM SIGCOMM, 2000. [20] S. S. Kim and A. L. N. Reddy, “Statistical techniques for detecting traffic anomalies through packet header data,” IEEE/ACM Transaction on Networking, Vol. 16, No. 3, pp. 562–575, June 2008. [21] A. Kuzmanovic and E. Knightly, “Low-rate TCP-targeted denial of service attacks,” in ACM SIGCOMM, Karlsruhe, Germany, August 2003. [22] A. Feldmann, A. Gilbert, P. Huang, and W. Willinger, “Dynamics of IP traffic: A study of the role of variability and the impact of control,” ACM Computer Communication Review, Vol. 29, No. 4, pp. 301–313, 1999. [23] C. M. Cheng, H. T. Kung, and K. S. Tan, “Use of spectral analysis in defense against DoS attacks,” in IEEE Globecom, 2002. [24] J. B. D. Cabrera, L. Lewis, and X. Z. Qin, “Proactive detection of distributed denial of service attacks using MIB traffic variables–a feasibility study,” IEEE Transactions on Signal Processing, 49(6): pp. 609–622, 2001. [25] S. Wang, L. C. Sun, and G. Z. Gan, “Application research based on Granger causality test for attack detection,” Computer Applications, 25 (6): pp. 1282–1285, 2005. [26] F. Zhang and J. Hellerstein, “An approach to on-line predictive detection,” in proceedings of the Eighth International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems, San Francisco, CA, IEEE Computer Society, pp. 549–556 August 2000. [27] J. Hamilton, “Time series analysis,” Princeton University Press, 1994. [28] B. X. Zou and Z. Q. Yao, “A method to stabilize network traffic,” Journal of China Institute of Communications, 25(8): pp. 14–23, 2004. [29] P. J. Criscuolo, “Distribution denial of service — trin00, tribe flood network, tribe flood network 2000, and stacheldraht,” CIAC–2319, Department of Energy — CIAC (Computer Incident Advisory Capacity), 2000.