Abstract

The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for new techniques for analyzing network traffic. If efficient analysis tools were available, it would become possible to detect attacks and to take action to weaken them before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, based on a two-tier Granger causality test (GCT) that analyzes the causal relationship between an attacking variable at the attacker and an abnormal variable at the target. Starting from the abnormal behavior observed at the target, GCT is first executed to determine preliminary attacking variables, which have whole causality with the abnormal variable in the network behavior. Using the behavior features extracted from the abnormal behavior, the attacking variable is then recognized by applying GCT again to find the variable that has local causality with the abnormal variable in the local behavior. Proactive detection rules can be constructed from the causality between the attacking variable and the abnormal variable, and used to raise alarms in the network management system. Experimental results show that the two-tier GCT approach detects attacks early, so that their propagation can be slowed through early detection.

Highlights

  • The frequent attacks on network infrastructure, using various forms of denial of service (DoS) attacks and worms, have led to an increased need for developing techniques for analyzing and monitoring network traffic

  • 1) Obtain the abnormal behavior b_abnorm from the target's network behavior base; 2) obtain all network behaviors h_attack(j) from the attacker's network behavior base that coincide with b_abnorm in the detecting period; 3) calculate the GCT detection statistic g_whole for every input/output pair (h_attack(j), b_abnorm); 4) if the g_whole for any h_attack(j) exceeds the critical value F_α of the F distribution at significance level α, then h_attack(j) has whole causality with b_abnorm, and the detecting variables used to construct h_attack(j) are recognized as preliminary attacking variables

  • Since the conventional method of network attack detection focuses on stage T3 of the attacking procedure, it is difficult to detect the attack before the security of the target is damaged
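
The four-step whole-causality test in the highlights, written out as an added Python example; this is not code from the paper. It builds a constructed attacker-side MIB counter series that drives a target-side series with a one-interval lag, a second constructed series from an uninvolved host, and runs the F-test form of the Granger causality test (the page's comparison of g_whole against an F-distribution critical value identifies GCT as the Granger test) to decide which candidate is a preliminary attacking variable. The series, the variable names, the lag order p = 2 and the critical value are all assumptions made here; the paper's second tier (local causality on features extracted from the abnormal behavior) is not shown because the page gives no detail of it.

```python
# Added example: first-tier ("whole causality") Granger causality test over
# SNMP MIB time series, following the four steps in the highlights.
# Not code from the paper; every series below is constructed.

def lcg(seed, n):
    """Deterministic pseudo-random numbers in [0, 1) so the example reproduces exactly."""
    state = seed
    out = []
    for _ in range(n):
        state = (1103515245 * state + 12345) % 2 ** 31
        out.append(state / 2 ** 31)
    return out


def make_series(T=240):
    """Constructed MIB counter deltas per polling interval (hypothetical values).

    attacker : e.g. udpOutDatagrams deltas at the attacking host
    unrelated: the same counter on a host not involved in the attack
    target   : e.g. udpInDatagrams deltas at the victim, driven by the attacker
               with a one-interval lag plus small noise (b_abnorm in the paper's terms)
    """
    u, v, w = lcg(12345, T), lcg(67890, T), lcg(24680, T)
    attacker = [100.0 + 50.0 * a for a in u]
    unrelated = [100.0 + 50.0 * a for a in w]
    target = [200.0]
    for t in range(1, T):
        target.append(0.5 * target[t - 1] + 0.8 * attacker[t - 1] + (v[t] - 0.5))
    return attacker, unrelated, target


def _solve(A, b):
    """Gaussian elimination with partial pivoting for the small normal equations."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def _rss(rows, y):
    """Residual sum of squares of the least-squares fit of y on the regressor rows."""
    k = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    b = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = _solve(A, b)
    return sum((yi - sum(bj * rj for bj, rj in zip(beta, r))) ** 2 for r, yi in zip(rows, y))


def granger_f_stat(x, y, p):
    """GCT statistic g_whole: F-test of whether p lags of x improve the prediction of y.

    restricted:   y_t = a0 + a1*y_{t-1} + ... + ap*y_{t-p}
    unrestricted: restricted model + b1*x_{t-1} + ... + bp*x_{t-p}
    """
    T = len(y)
    obs = [y[t] for t in range(p, T)]
    restricted = [[1.0] + [y[t - i] for i in range(1, p + 1)] for t in range(p, T)]
    unrestricted = [row + [x[t - i] for i in range(1, p + 1)]
                    for row, t in zip(restricted, range(p, T))]
    rss_r, rss_u = _rss(restricted, obs), _rss(unrestricted, obs)
    df_den = (T - p) - (2 * p + 1)          # observations minus unrestricted parameters
    return ((rss_r - rss_u) / p) / (rss_u / df_den)


def recognize_preliminary_attacking_variables(candidates, b_abnorm, p, f_crit):
    """Steps 2-4: every attacker-side behavior h_attack(j) whose g_whole exceeds
    F_alpha has whole causality with b_abnorm and is kept as a preliminary
    attacking variable (returned in the order the candidates were given)."""
    return [name for name, h in candidates.items()
            if granger_f_stat(h, b_abnorm, p) > f_crit]


if __name__ == "__main__":
    attacker, unrelated, target = make_series()
    # Critical value of F(2, 233) at alpha = 0.05 is about 3.03 (standard F tables).
    F_CRIT = 3.03
    candidates = {"attacker.udpOutDatagrams": attacker,
                  "otherhost.udpOutDatagrams": unrelated}
    for name, h in candidates.items():
        print(f"{name}: g_whole = {granger_f_stat(h, target, 2):.1f}")
    print("preliminary attacking variables:",
          recognize_preliminary_attacking_variables(candidates, target, 2, F_CRIT))
```

With the constructed data the attacker's counter yields a g_whole in the hundreds of thousands while the unrelated host's counter stays near 1, so only the attacker's variable passes the F_α threshold. In a deployment the candidate series would come from SNMP polling of the suspected attacker, and the critical value would be taken from the F table for the chosen lag order, sample count and α rather than hard-coded.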


Summary

Introduction

The frequent attacks on network infrastructure, using various forms of denial of service (DoS) attacks and worms, have led to an increased need for techniques for analyzing and monitoring network traffic. The attack detection approaches mentioned above all depend on individual network behavior at the target, and usually ignore the causality among different network behaviors and the impact of time series. Those impacts are in most cases caused by attacking behaviors at the attacker, so such approaches are prone to a high rate of missed and false alarms [1]. This paper makes the following contributions: 1) it considers time series analysis of network behaviors; 2) it presents a novel approach based on two-tier GCT for detecting attacks; 3) it uses the prevalent SNMP MIB traffic variables as input to the detection model; and 4) it shows that the approach with two-tier GCT is more accurate than that with a single GCT in an experiment with a Trin00 UDP flood.

Related Work
Time Sequence of Attack
Definition
Correlation Method
Network Behavior Correlation
Constructing Network Behavior
Detecting Anomaly
Recognizing Attacking Variables
Preventing Attack
Experiment Simulation
Certainty of Attacking Variable
Effect on Attack Detection
Conclusions