International Conference on Computing and Intelligence Systems
International Journal of Computing Algorithm (IJCOA)
Volume: 04, Special Issue: March 2015, Pages: 1262-1266
ISSN: 2278-2397

A Detection System for Denial of Service Attacks Using Triangle Area Map Based Multivariate Correlation Analysis

V. Balaji (1), V. Jeyabalaraja (2)
(1) M.E. Computer Science and Engineering, Velammal Engineering College, Surapet, Chennai
(2) Professor, Dept. of CSE, Velammal Engineering College, Surapet, Chennai
Email: balaji.venkat90@gmail.com, jeyabalaraja@gmail.com

Abstract: Modern computing systems such as web servers, databases and cloud environments are exposed to attackers over the Internet. One of the most common threats is the Denial-of-Service (DoS) attack, which causes heavy losses and damage to these systems. In this paper we present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) to characterise network traffic by analysing the correlations between pairs of network traffic features. Our MCA-based approach employs anomaly-based detection, the most widely used detection principle, to identify attacks; because it learns only the patterns of legitimate network traffic, it can detect both known and unknown attacks. A triangle-area-based technique is used to speed up and sharpen the MCA process. The proposed system is evaluated on the KDD Cup 99 dataset.

Keywords: Denial-of-Service attack, multivariate correlations, triangle area maps.

I. INTRODUCTION

Denial-of-Service (DoS) attacks are one type of aggressive and menacing intrusive behaviour against online servers. A DoS attack denies the availability of a victim, which can be a host, a router or an entire network. Such attacks cause a lot of damage to online servers and leave them exposed to further threats; the victim can be denied a particular service for several days. An efficient detection mechanism is therefore essential to counter such attacks. In recent years, security has also become a priority for data transmission in wireless networks, whether ad hoc, Wi-Fi or wireless sensor networks (WSN). The presence of malicious behaviour has driven the steady hardening of security protocols. A major drawback is that an attacker can bypass each new security measure by attacking the server systems directly, so some means of disrupting such attacks is required. Since wireless networks have become the dominant means of Internet access, they are more exposed to attack than wired networks.

Generally, network-based detection systems are classified into two types, namely misuse-based detection systems [1] and anomaly-based detection systems [2]. A misuse-based detection system operates by matching every observed event against a store of signatures of known attacks. Although such systems achieve high detection rates and low false positive rates for the attacks whose signatures they hold, they cannot recognise attacks that are not yet in the signature database. Furthermore, manual work is needed to keep the signature database updated, because signature generation requires considerable network security expertise. Looking at the principle of anomaly-based detection, which monitors network activity and flags any activity showing significant deviation from the legitimate traffic profile as suspicious, anomaly-based techniques are more promising at detecting intrusions that exploit previously unknown system vulnerabilities. Moreover, they are not constrained by network security expertise, because the profiles of legitimate behaviour are built with techniques such as data mining [3], fuzzy logic rules [4], machine learning [5] and statistical analysis [6]. However, these proposed systems commonly suffer from high false positive rates, because the correlations between features/attributes are either neglected or not fully exploited by the techniques.

The DoS attack detection system proposed in this paper uses MCA, which is based on the characterisation of network features. The detection mechanism relies on an accurate characterisation of network traffic and detects both known and unknown attacks by comparing the patterns of the incoming traffic against the learnt legitimate profile. A triangle area map generation process is used to enhance the MCA approach, and a normalisation step is employed to remove bias from the collected raw data. Our proposed DoS detection system is evaluated using the KDD Cup 99 dataset.
II. FRAMEWORK

An overview of our proposed DoS attack detection framework is given in this section. The system framework and the whole detection process consist of three major steps, as shown in Fig. 1.

Fig 1. System Flow
Step 1: The DoS attacks are detected on a web page built as a real-time example of how well an administrator can monitor a particular site. In this case the web page is an online ticketing site, which functions entirely on the data collected and on raw data analysis. The ticketing process is further protected by a one-time password (OTP) mechanism, so that only authorised users can access the data. This is one of the security measures in the system.

Step 2: In the second step the admin monitor is implemented. The admin monitors the entire activity of the web page through a separate admin login, from which the complete history of the web page can be viewed. The admin can analyse the traffic details, view the IP addresses of the logged-in users, and inspect the data sent and received within each transaction, including the ticket transaction details.

Step 3: A hacker module is created to simulate the activities of an attacker in real time, i.e. sending unwanted packets and requests to the main server of the web page. The requests in the hacker module are predefined, and the number of attacks launched against the web page can be configured. Once they are sent, the admin can monitor the attacks, which are filtered by the MCA approach by matching them against the learnt network patterns.
A. Traffic Monitoring at the Destination

Our system monitors the ingress traffic entering the destination, extracts its features and characterises its network patterns and behaviours. As with any anomaly detector, it is possible for the system to raise false alarms on legitimate traffic that enters the detection system. The destination in this case is the web page, which is monitored by a designated admin. A separate column helps the admin to monitor the type of network behaviour, track the history of the attacker and match the records against the database. Further, a triangle area map [7] is used to speed up the detection process.
B. General Mechanism of the Detectors

The anomaly-based detection approach uses detectors that can recognise both known and unknown attacks. Because a detector is built from the legitimate traffic profile alone, any new kind of attack that deviates from that profile is detected and raises an alarm. The MCA approach uses anomaly-based detection as its underlying technique, since it is the simplest and most effective for this purpose. The mechanism also improves detection accuracy and sharply reduces false positive rates by employing detectors at each level; detection for traffic analysis can also be performed using parametric methods [8].

It has been systematically proved that a group-based detection mechanism maintains a higher probability of correctly classifying a group of sequential network traffic samples than a sample-by-sample detection mechanism. The proof was based on network samples from the KDD Cup datasets, matching the network traffic against the pre-built samples of traffic data. Since network traffic is unpredictable in the modern world, such a detector sometimes flags legitimate traffic as a DoS attack. This can be avoided using triangle area maps, where every feature of the traffic is analysed.

To remove this restriction, our system investigates traffic samples individually in the process of detection. The triangle map approach offers a precision that cannot be obtained from group-based detection. For example, intrusive traffic samples can be labelled individually, and the probability of correctly classifying a sample into its population is higher than that achieved by a group-based detection mechanism in a general network scenario. To better understand the merits, we illustrate them through the mathematical example given in [9], where traffic samples are assumed to be i.i.d., and legitimate traffic and illegitimate traffic follow the distributions $X_1 \sim N(\mu_1, \sigma_1^2)$ and $X_2 \sim N(\mu_2, \sigma_2^2)$ respectively. From raw network traffic features, such as the ones in the KDD Cup 99 dataset [10], the hidden correlation features of the incoming traffic are calculated.
III. MULTIVARIATE CORRELATION

DoS attacks behave entirely differently from normal traffic, and this behaviour is represented by its statistical properties. To describe these, we present the Multivariate Correlation Analysis (MCA) approach in this section. MCA uses the triangle area map technique to extract the hidden correlation information between features within an observed data object (i.e. a traffic record). The triangle area map approach projects and collects the hidden correlation between each pair of distinct features within each traffic record coming from the first step. All extracted correlations, i.e. the triangle areas, then replace the basic features of the observed traffic record. This provides a distinctive representation for separating legitimate records from illegitimate ones.

A. Triangle Area Maps

A Triangle Area Map (TAM) is built by arranging the triangle areas on the map according to their unique index values: the area for the feature pair (i, j) is placed at position (i, j). The elements on the main diagonal of the map are set to zero, because only the correlation between each pair of distinct features is of interest; the map is symmetric, so only its lower triangle needs to be kept. The entire map is of size m × m, where m is the number of features.
IV. DETECTION SYSTEM

A mechanism that is effective in detecting both known and unknown attacks is placed in the system. To meet this expectation, we propose a threshold-based anomaly detector whose normal profiles (i.e. legitimate traffic profiles) are generated entirely from legitimate network traffic records and used for comparison with incoming traffic records. The dissimilarity between a new incoming traffic record and the respective normal profile is examined by the proposed detection mechanism. If the dissimilarity exceeds the predetermined threshold, the traffic record is flagged as an attack; otherwise it is determined to be a legitimate traffic record.

Normal profiles and thresholds have a great effect on the effectiveness of a threshold-based detector. We first apply the proposed triangle-area-based MCA approach to the legitimate network traffic, and the generated TAMs are then used as quality features for normal profile generation.

A. Normal Profile Generation

Assume there is a set of n legitimate training traffic records $X^{normal} = \{x^{normal}_1, x^{normal}_2, \dots, x^{normal}_n\}$. The triangle-area-based MCA approach is applied to analyse the records. The generated lower triangles of the TAMs of the n legitimate training traffic records are denoted by $X^{normal}_{TAM^{lower}} = \{TAM^{lower}_{normal,1}, TAM^{lower}_{normal,2}, \dots, TAM^{lower}_{normal,n}\}$. Mahalanobis Distance (MD) is adopted to measure the dissimilarity between traffic records, because MD is widely used in cluster analysis, classification and multivariate anomaly detection techniques. It is more suitable than Euclidean distance and Manhattan distance because it evaluates the distance between two multivariate data objects taking the correlations between variables into account, and it is independent of the scale of measurement of the data.
B. Threshold Selection

The threshold is used to identify and differentiate attacks from legitimate network traffic:

$$\text{Threshold} = \mu + \sigma \cdot \alpha$$

where $\mu$ and $\sigma$ are the mean and standard deviation of the MDs between the legitimate training records and the normal profile. For a normal distribution, $\alpha$ usually ranges from 1 to 3. The threshold value differs between servers, since it depends entirely on the amount of load a web page can hold; the values vary for different web pages and are defined by their capacity.

Fig 2. ROC Curve for Original Data

This means that detection can be made with a certain level of confidence, varying from 68% to 99.7%, depending on the selected value of $\alpha$ (the proportion of a normal distribution lying within $\mu \pm \alpha\sigma$ for $\alpha = 1, 2, 3$). Thus, if the MD between an observed traffic record and the normal profile is greater than the threshold, the record is flagged as an attack.
C. Attack Detection

To detect DoS attacks, the lower triangle $TAM^{lower}_{observed}$ of the TAM of an observed record $T_{observed}$ is generated using the proposed triangle-area-based MCA technique. Then, the MD between $TAM^{lower}_{observed}$ and the $TAM^{lower}_{normal}$ stored in the respective pre-generated normal profile is evaluated. The detailed detection algorithm is shown below.

Algorithm: attack detection based on Mahalanobis distance
Require: observed traffic record $T_{observed}$, normal profile parameters $(N(\mu, \sigma^2), TAM^{lower}_{normal}, Cov)$ and parameter $\alpha$
1: Generate $TAM^{lower}_{observed}$ for the observed traffic record $T_{observed}$
2: $MD_{observed} \leftarrow MD(TAM^{lower}_{observed}, TAM^{lower}_{normal})$
3: if $(\mu - \sigma \cdot \alpha) \le MD_{observed} \le (\mu + \sigma \cdot \alpha)$ then
4:   return Normal
5: else
6:   return Attack
7: end if
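The following is an added worked example, not code from the paper, that implements Sections III.A, IV.A, IV.B and IV.C end to end: the triangle area map of a record, the normal profile (mean lower-triangle TAM, covariance, and the mean and standard deviation of the training MDs), and the threshold rule of the algorithm above. The traffic records are constructed here for illustration (three KDD-style features per record: src_bytes, dst_bytes, count) and are not taken from KDD Cup 99; the optional z-score normalisation step is an assumption about the "statistical normalisation" the paper mentions in its conclusions.

```python
"""Triangle-area-map (TAM) based MCA with a Mahalanobis-distance threshold
detector, following Sections III and IV.  numpy is the only dependency."""
import numpy as np


def triangle_area_map(record):
    """m x m TAM of one traffic record.  Entry (i, j) is the area of the
    triangle formed by the origin and the projections of the record onto
    feature axes i and j, i.e. |x_i| * |x_j| / 2.  The diagonal is zeroed
    because only pairs of distinct features carry correlation information."""
    x = np.asarray(record, dtype=float)
    tam = np.abs(np.outer(x, x)) / 2.0
    np.fill_diagonal(tam, 0.0)
    return tam


def lower_triangle(tam):
    """The TAM is symmetric, so the strictly lower triangle (flattened
    row by row) is a complete, non-redundant representation."""
    return tam[np.tril_indices(tam.shape[0], k=-1)]


def mahalanobis(u, v, cov_inv):
    d = u - v
    return float(np.sqrt(d @ cov_inv @ d))


class NormalProfile:
    """Normal profile (N(mu, sigma^2), TAM_normal_lower, Cov) learnt from
    legitimate records only; see Section IV-A."""

    def __init__(self, normal_records, normalize=True):
        X = np.asarray(normal_records, dtype=float)
        # Assumed z-score normalisation, fitted on legitimate traffic only,
        # to remove the scale bias between features (e.g. bytes vs. counts).
        self.normalize = normalize
        self.feat_mean = X.mean(axis=0)
        self.feat_std = np.where(X.std(axis=0) == 0, 1.0, X.std(axis=0))
        tams = np.array([self._tam_lower(r) for r in X])
        self.tam_normal = tams.mean(axis=0)                        # TAM_normal_lower
        self.cov_inv = np.linalg.pinv(np.cov(tams, rowvar=False))  # Cov^-1
        mds = np.array([mahalanobis(t, self.tam_normal, self.cov_inv) for t in tams])
        self.mu, self.sigma = float(mds.mean()), float(mds.std())  # N(mu, sigma^2)

    def _tam_lower(self, record):
        r = np.asarray(record, dtype=float)
        if self.normalize:
            r = (r - self.feat_mean) / self.feat_std
        return lower_triangle(triangle_area_map(r))

    def distance(self, record):
        """MD between the observed record's TAM and the normal profile."""
        return mahalanobis(self._tam_lower(record), self.tam_normal, self.cov_inv)

    def classify(self, record, alpha=3.0):
        """Section IV-C rule: Normal iff mu - sigma*alpha <= MD <= mu + sigma*alpha."""
        md = self.distance(record)
        if self.mu - self.sigma * alpha <= md <= self.mu + self.sigma * alpha:
            return "Normal"
        return "Attack"


# Constructed sample records (NOT taken from KDD Cup 99): three KDD-style
# features per record, (src_bytes, dst_bytes, count).  The attack record
# mimics a Neptune/SYN-flood connection: no payload, saturated count.
NORMAL_RECORDS = [
    (215, 4507, 1), (162, 4528, 2), (236, 1228, 3), (233, 2032, 4),
    (239, 486, 5), (238, 1282, 2), (235, 1337, 3), (234, 1364, 1),
    (239, 1295, 2),
]
ATTACK_RECORD = (0, 0, 511)


def demo(alpha=3.0):
    """Train on the constructed legitimate records and classify the attack."""
    profile = NormalProfile(NORMAL_RECORDS)
    return {
        "threshold": profile.mu + profile.sigma * alpha,
        "attack_md": profile.distance(ATTACK_RECORD),
        "attack": profile.classify(ATTACK_RECORD, alpha),
        "training": [profile.classify(r, alpha) for r in NORMAL_RECORDS],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical points are visible in this example. First, the threshold is learnt from the training MDs themselves, so any training record lies within $\mu \pm \sqrt{n-1}\,\sigma$ of the profile and is never flagged at $\alpha = 3$ when $n \le 9$; a held-out legitimate record carries no such guarantee, which is where false positives come from. Second, the attack record's MD is orders of magnitude above the threshold only because the saturated count feature dominates after normalisation; on raw features the byte-count products dwarf the count products, which is the bias the paper's normalisation step removes.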
V. SYSTEM EVALUATION

The evaluation of the system is conducted on the KDD Cup 99 dataset [11]. The 10 percent labelled portion of the KDD Cup 99 dataset is employed, in which three different types of legitimate traffic (TCP, UDP, ICMP) and different types of attacks from earlier history are stored in the databases for further classification. The DoS attacks available in the dataset (Teardrop, Smurf, Pod, Neptune, Land and Back) are matched against the observed traffic to determine the attack type. They are the target records of this evaluation; they are filtered out and then grouped into several types based on their labels.

A 10-fold cross-validation is used to analyse and evaluate the system, with the filtered data used for the validation process. Evaluation results are presented as graphs. Moreover, we came across a weakness in the initial system (its performance on non-normalised data) that needed a solution. The results of the enhanced system and its performance comparison with two state-of-the-art approaches are then presented to demonstrate the effectiveness of the solution.
A. Evaluation Metrics

True Negative Rate (TNR), Detection Rate (DR), False Positive Rate (FPR) and Accuracy (i.e. the proportion of all samples that are classified correctly) are the four important parameters for evaluating a DoS attack detection system. Systems that give a high detection rate together with a low false positive rate (namely a high detection accuracy) are rated highly among detection mechanisms. To reveal the performance of the proposed DoS attack detection system, the Receiver Operating Characteristic (ROC) curve shown in Fig. 2 is employed to show the relationship between DR and FPR.
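As an added example (not part of the paper's evaluation), the code below computes the four metrics from labelled predictions and traces the ROC relationship between DR and FPR by sweeping the detector's $\alpha$ parameter over precomputed Mahalanobis distances. The MD scores, labels and the profile statistics $\mu = 2.0$, $\sigma = 1.0$ are constructed for illustration and are not KDD Cup 99 results.

```python
"""Evaluation metrics of Section V-A (TNR, DR, FPR, Accuracy) and the ROC
points obtained by sweeping the threshold parameter alpha."""


def confusion_counts(y_true, y_pred):
    """Counts with 'Attack' as the positive class."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == "Attack" and p == "Attack" for t, p in pairs)
    fn = sum(t == "Attack" and p == "Normal" for t, p in pairs)
    tn = sum(t == "Normal" and p == "Normal" for t, p in pairs)
    fp = sum(t == "Normal" and p == "Attack" for t, p in pairs)
    return tp, fn, tn, fp


def metrics(y_true, y_pred):
    tp, fn, tn, fp = confusion_counts(y_true, y_pred)
    return {
        "DR": tp / (tp + fn),           # detection rate (true positive rate)
        "FPR": fp / (fp + tn),          # legitimate records flagged as attacks
        "TNR": tn / (fp + tn),
        "Accuracy": (tp + tn) / (tp + fn + tn + fp),
    }


def threshold_predict(md_scores, mu, sigma, alpha):
    """Section IV-C rule applied to precomputed Mahalanobis distances."""
    lo, hi = mu - sigma * alpha, mu + sigma * alpha
    return ["Normal" if lo <= md <= hi else "Attack" for md in md_scores]


def roc_points(md_scores, y_true, mu, sigma, alphas):
    """One (alpha, FPR, DR) point per alpha; plotting FPR against DR gives
    the ROC curve of the detector."""
    points = []
    for a in alphas:
        m = metrics(y_true, threshold_predict(md_scores, mu, sigma, a))
        points.append((a, m["FPR"], m["DR"]))
    return points


# Constructed MD scores and labels for 14 records (not KDD Cup 99 results),
# with constructed normal-profile statistics mu = 2.0, sigma = 1.0.
MU, SIGMA = 2.0, 1.0
SAMPLES = [
    (1.2, "Normal"), (1.9, "Normal"), (2.4, "Normal"), (3.1, "Normal"),
    (4.6, "Normal"), (2.0, "Normal"), (1.5, "Normal"), (2.8, "Normal"),
    (6.5, "Attack"), (12.0, "Attack"), (3.3, "Attack"), (40.0, "Attack"),
    (5.1, "Attack"), (2.2, "Attack"),
]
SCORES = [s for s, _ in SAMPLES]
LABELS = [l for _, l in SAMPLES]


def evaluate(alpha):
    """All four metrics of Section V-A for one value of alpha."""
    return metrics(LABELS, threshold_predict(SCORES, MU, SIGMA, alpha))


if __name__ == "__main__":
    for a, fpr, dr in roc_points(SCORES, LABELS, MU, SIGMA, [1.0, 2.0, 3.0]):
        print(f"alpha={a}: FPR={fpr:.3f} DR={dr:.3f}")
```

On these constructed scores, raising $\alpha$ from 1 to 3 drives the FPR from 0.25 to 0 while the DR falls from 5/6 to 2/3: attack records whose MD sits inside the legitimate band (the 2.2 and 3.3 scores) are the ones a threshold detector cannot separate, whatever $\alpha$ is chosen, which is why the paper treats the choice of $\alpha$ as a confidence trade-off rather than a fixed constant.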
B. KDD CUP Datasets

During the last decade, anomaly detection has attracted the attention of many researchers seeking to overcome the weakness of signature-based IDSs in detecting novel attacks, and KDD Cup 99 is the most widely used dataset for the evaluation of these systems. Since 1999, KDD99 has been the most widely used dataset for the evaluation of anomaly detection methods. It is built from the data captured in the DARPA98 IDS evaluation program. DARPA98 consists of about 4 gigabytes of compressed raw (binary) tcpdump data from 7 weeks of network traffic, which can be processed into about 5 million connection records, each of about 100 bytes.

VI. CONCLUSIONS

This paper has proposed a threshold-based DoS attack detection mechanism that combines the triangle-area-based multivariate correlation analysis technique with anomaly-based detection. The former extracts the geometrical correlations hidden between each pair of distinct features in the network traffic records, and offers a more precise differentiation of network traffic changes. The latter enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic records. Evaluation is conducted using the KDD Cup 99 dataset to test the efficiency and accuracy of the proposed system. The results show that when working with non-normalised data our system achieves a maximum detection accuracy of 95.20%, although its performance drops in detecting certain types of DoS attacks. This problem, however, can be solved by applying a statistical normalisation technique to remove the bias from the dataset. The results of evaluating with the normalised data show a more satisfactory detection accuracy of 99.95% and nearly 100.00% detection rates for a wide range of DoS attacks. However, the false positive rate of our system still has to be reduced further, in order to free network administrators from frequent false alarms. Thus, in future work we will employ more advanced classification techniques to reduce the false positive rate, and further test our DoS attack detection mechanism against real-world traffic and newly arriving attacks.


REFERENCES

[1] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, pp. 2435-2463, 1999.
[2] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-Based Network Intrusion Detection: Techniques, Systems and Challenges," Computers and Security, vol. 28, pp. 18-28, 2009.
[3] K. Lee, J. Kim, K.H. Kwon, Y. Han, and S. Kim, "DDoS Attack Detection Method Using Cluster Analysis," Expert Systems with Applications, vol. 34, no. 3, pp. 1659-1665, 2008.
[4] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, "Intrusion Detection Using Fuzzy Association Rules," Applied Soft Computing, vol. 9, no. 2, pp. 462-469, 2009.
[5] C. Yu, H. Kai, and K. Wei-Shinn, "Collaborative Detection of DDoS Attacks over Multiple Network Domains," IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 12, pp. 1649-1662, Dec. 2007.
[6] J. Yu, H. Lee, M.-S. Kim, and D. Park, "Traffic Flooding Attack Detection with SNMP MIB Using SVM," Computer Comm., vol. 31, no. 17, pp. 4212-4219, 2008.
[7] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R.P. Liu, "Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection," Proc. IEEE 11th Int'l Conf. Trust, Security and Privacy in Computing and Comm., pp. 33-40, 2012.
[8] G. Thatte, U. Mitra, and J. Heidemann, "Parametric Methods for Anomaly Detection in Aggregate Traffic," IEEE/ACM Trans. Networking, vol. 19, no. 2, pp. 512-525, Apr. 2011.
[9] S. Jin et al., "Network Intrusion Detection in Covariance Feature Space," Pattern Recognition, vol. 40, pp. 2185-2197, 2007.
[10] J. Cheng et al., "KDD Cup 2001 Report," ACM SIGKDD Explorations Newsletter, vol. 3, pp. 47-64, 2002.
[11] M. Tavallaee, E. Bagheri, W. Lu, and A.A. Ghorbani, "A Detailed Analysis of the KDD Cup 99 Data Set," Proc. IEEE Second Int'l Conf. Computational Intelligence for Security and Defense Applications, pp. 1-6, 2009.
