Wednesday, March 10, 2010

Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

Hi Folks, today I wanna point out this interesting paper: "Network Attack Detection Based on peer-to-peer clustering" . Finally I can post the result of our research in a blog post :D, since has already been published. Here the abstract of the paper:
Network intrusion detection is a key security issue that can be tackled by means of diff erent approaches. This paper describes a novel methodology for network attack detection based on the use of data mining techniques to process tra c information collected by a monitoring station from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, adopting unsupervised clustering techniques, allows to e ectively distinguish normal tra c behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected according to any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented, which reproduces the case of a real web server under several attack techniques. Results of the experiments show the ef ectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).

The accuracy of the results:

The False positive rate:

This paper described a novel methodology for network attack detection based on data mining of tra c information collected via SNMP by multiple monitoring stations, which are organized in a peer-to-peer network with the purpose of sharing the gained knowledge. In particular, the use of unsupervised clustering techniques on network-speci c MIB objects allows to e ectively detect malicious network behaviors, such as the ones due to DoS, DDoS and port scanning attacks, while still distinguishing between normal and harmful tra c pro les with very high accuracy. Experimental results, obtained by emulating the real tra c of ten web servers under several kinds of attack, demonstrated the e ectiveness of the proposed solution, reaching high accuracy levels with no detection failures and a false positive rate as low as 1.21% on average. The accuracy levels of discerning normal and harmful tra c is on average greater than 99.58%. Moreover the detection accuracy can be increased by increasing the number of collaborative neighbours per peer, particularly the accuracy of identifying also the kind of attack. Finally, the experiments highlighted that the loss of detection accuracy of not updated clustering models, over new incoming observations, is on average only 0.39%, after that the amount of the new SNMP tra c is an order of magnitude greater than the one used to learn the corresponding model. Such promising results will be the basis to extend the current work to more complex network scenarios, where experiments will be conducted on SNMP traffi c collected from a larger set of heterogeneous hosts and servers as well as from interconnecting equipment such as routers and switches.

Enjoy your reading.

No comments: