A statistical class center based triangle area vector method for detection of denial of service attacks

Abstract

Denial of service (DoS) attack is the menace to private cloud computing environment that denies services provided by cloud servers leading to huge business losses. Efficient DoS attack detection mechanisms are demanded which necessitates the extraction of features for its best performance. The lacuna in the existing feature extraction based detection systems is the sensitiveness of initial cluster center which leads to high false alarm rate and low accuracy. In this paper, this issue is addressed by proposing a class center based triangle area vector (CCTAV) method which computes the mean of target classes individually and extracts the correlation between features. Mahalanobis distance measure is used for profile construction and DoS attacks detection. The proposed CCTAV method is tested with five publicly available datasets and compared with existing methods. It is noticed that the proposed statistical method reduces the complexity of feature extraction and enhances the attack detection process. The proposed approach is evaluated by conducting tenfold cross validation to compute 95% confidence interval. It is evident that the accuracy obtained for all the datasets are within the confidence interval. Further, the proposed CCTAV method provides significant results compared to the state-of-the-art attack detection methods.

Appendices

Appendix

Illustration of proposed method

Table 7 Features used for Illustration

Table 8 Sample data

This section illustrates the proposed method. For illustrative purpose, only six features as tabulated in Table 7 [44] have been used. The sample data used for illustration is tabulated in Table 8. \(R1\) to \(R13\) represent the records, \(F1\) to \(F6\) represent the features, and Class denotes the target classes. The first step is to compute the CCs for the five classes of the sample data. The CCs for the five classes are computed and tabulated in Table 9. \({C}_{1}\), \({C}_{2}\), \({C}_{3}\), \({C}_{4}\), and \({C}_{5}\) are the CCs for the target classes such as Normal, Back, Neptune, Smurf, and Teardrop respectively. Once the CCs are known, then the TAV for each record is computed. The TAV is a vector that consists of 10 triangle areas. The TAV of record, \({R}_{1}\) is shown as follows:\(\left[{R}_{1}{C}_{1}{C}_{2}, {R}_{1}{C}_{1}{C}_{3},{R}_{1}{C}_{1}{C}_{4}, {R}_{1}{C}_{1}{C}_{5}, {R}_{1}{C}_{2}{C}_{3},{R}_{1}{C}_{2}{C}_{4}, {R}_{1}{C}_{2}{C}_{5},{R}_{1}{C}_{3}{C}_{4}, {R}_{1}{C}_{3}{C}_{5},{R}_{1}{C}_{4}{C}_{5}\right].\)

Table 9 Class centers

Table 10 Triangle points of \({R}_{1}{C}_{1}{C}_{2}\)

Table 11 Threshold computation

Table 12 Test cases

Table 13 Normalized values of test cases

Fig. 8

Triangle \({R}_{1}{C}_{1}{C}_{2}\)

Fig. 9

TAV of record, \({R}_{1}\)

Fig. 10

Mean TAV of normal records

Fig. 11

TAV of test case 1

Fig. 12

TAV of test case 2

The first triangle area of record, \({R}_{1}\) as depicted in Fig. 8, i.e., \({R}_{1}{C}_{1}{C}_{2}\) is computed. The triangle points of \({R}_{1}{C}_{1}{C}_{2}\), i.e., \({R}_{1}\), \({C}_{1}\), and \({C}_{2}\) are tabulated in Table 10. The points \(\left({C}_{1}, {C}_{2}\right)\), \(\left({C}_{2}, {R}_{1}\right)\), and \(\left({C}_{1}, {R}_{1}\right)\) are for the sides of the triangle \({S}_{1}\), \({S}_{2}\), and \({S}_{3}\) respectively. The values obtained for three sides of the triangle \({S}_{1}\), \({S}_{2}\), and \({S}_{3}\) are 1.3173, 1.4119, and 0.1374 respectively. The perimeter of the triangle is 2.8666, the semi-perimeter of the triangle is 1.4333, and the triangle area obtained for \({R}_{1}{C}_{1}{C}_{2}\) is 0.0679. Similarly, the three sides of the triangle, perimeter of the triangle, semi-perimeter of the triangle, and the triangle area are obtained for the other 9 triangles. Then, the obtained TAV of \({R}_{1}\) is as follows: [0.0679 0.1025 1.1674 0.0952 1.1473 1.3352 0.0825 0.8647 0.3782 1.0170], which is shown in Fig. 9.

The mean of TAVs of normal traffic is computed and shown in Fig. 10. The profile is generated for detection using the mean TAV of normal records. The generated profile comprises of computed mean, -4.0175 × 10⁸ and the standard deviation, 8.9723 × 10⁸. The threshold, \(Thresh\) for the sample data is computed using the generated profile and tabulated in Table 11 for both the positive range and negative range. The computed profile is tested with two test cases and the test cases are tabulated in Table 12. The values of the test cases are normalized using min–max normalization and the normalized values of the test cases are shown in Table 13. The TAV of test case1 and test case2 are shown in Figs. 11 and 12 respectively. The MahD between TAV of test case1 and mean TAV of normal records is 1.1291 × 10⁴ which lies within the \(Thresh\) and hence it is detected as \(Normal\). The MahD between TAV of test case2 and mean TAV of normal records is -3.9192 × 10⁹–1.9073 × 10⁻⁶i which lies beyond the \(Thresh\) and hence it is detected as \(Attack\).