
Prediction-based outlier detection for wireless sensor networks

5.4 Application of the outlier detection

5.4.6 Numerical analysis on detecting online attacks

To detect network violations online, I set up a small private network of 15 PCs interconnected through a switch and an Internet router: one PC acts as the server, one as the network analysis host, 10 belong to normal users, and 3 are attackers. The diagram of this setup is shown in Figure 5.10.

Table 5.7: The network violations in the DARPA dataset

Date      Time      Duration  Attacker IP       Victim IP        Labeled  ODPOE
03/29/99  16:13:08  0:00:05   172.16.118.70     172.16.112.100   Yes      No
03/29/99  21:34:16  0:00:11   6.238.105.108     172.16.112.50    Yes      Yes
03/30/99  14:54:10  0:00:01   172.16.113.50     172.16.113.50    Yes      Yes
03/30/99  15:51:16  0:11:24   194.27.251.21     172.16.114.50    Yes      Yes
03/30/99  17:49:15  0:03:01   208.240.124.83    172.16.114.50    Yes      Yes
03/30/99  21:04:10  0:00:07   209.1.12.46       172.16.112.100   Yes      Yes
03/31/99  10:13:18  0:28:02   172.16.118.60     172.16.113.50    Yes      No
03/31/99  11:30:13  0:11:21   172.16.118.20     172.16.113.50    Yes      No
03/31/99  16:54:17  0:03:01   194.7.248.153     172.16.112.50    Yes      Yes
03/31/99  18:29:12  0:00:03   1.12.120.6        172.16.112.100   No       Yes
03/31/99  18:29:25  0:00:01   1.12.120.6        172.16.112.100   Yes      No
04/01/99  08:26:16  0:00:02   172.16.118.60     172.16.114.50    No       Yes
04/01/99  08:26:20  0:00:02   172.16.118.60     172.16.114.50    Yes      No
04/01/99  11:00:07  0:01:33   172.16.115.234    172.16.112.100   Yes      No
04/01/99  16:49:15  0:08:21   172.16.118.20     172.16.112.50    Yes      Yes
04/01/99  18:32:17  0:10:07   194.27.251.21     172.16.114.50    Yes      Yes
04/02/99  08:45:18  0:00:02   1.12.120.6        172.16.112.50    Yes      No
04/02/99  09:00:10  0:12:51   206.47.98.151     172.16.114.50    Yes      No
04/02/99  12:32:17  0:12:59   202.72.1.77       172.16.113.50    Yes      Yes
04/05/99  08:39:52  0:00:10   202.77.162.213    172.16.112.50    Yes      Yes
04/05/99  08:59:17  0:00:41   207.75.239.115    172.16.112.50    Yes      Yes
04/05/99  10:29:22  0:17:37   202.77.162.213    172.16.114.50    Yes      Yes
04/05/99  11:45:27  0:01:33   172.16.115.234    172.16.112.100   Yes      Yes
04/05/99  13:18:12  0:00:01   23.234.78.52      172.16.114.50    Yes      Yes
04/05/99  13:30:14  0:14:37   152.169.215.104   172.16.112.100   Yes      No
04/05/99  14:05:43  0:11:09   152.169.215.104   172.16.114.50    Yes      Yes
04/05/99  14:22:30  0:00:01   10.11.22.33       172.16.113.50    Yes      Yes
04/05/99  17:19:10  0:00:01   172.5.3.5         172.16.112.50    Yes      Yes
04/05/99  18:04:04  0:06:51   10.20.30.40       172.16.112.50    Yes      Yes
04/05/99  18:36:11  0:00:07   202.72.1.77       172.16.112.100   Yes      Yes
04/05/99  19:48:01  0:01:41   206.48.44.18      172.16.115.234   Yes      Yes
04/05/99  20:00:27  0:15:00   172.16.112.50     172.16.113.50    Yes      Yes
04/05/99  20:17:12  0:00:03   135.13.216.191    172.16.112.50    Yes      Yes
04/06/99  08:11:15  0:10:50   135.8.60.182      172.16.112.50    Yes      No
04/06/99  08:32:14  0:00:01   207.230.54.203    172.16.114.50    Yes      Yes
04/06/99  09:45:13  0:00:03   192.182.91.233    172.16.112.50    Yes      Yes
04/06/99  11:31:21  0:20:38   206.48.44.50      172.16.114.50    Yes      Yes
04/06/99  11:38:04  0:13:41   10.20.30.40       172.16.114.50    Yes      Yes
04/06/99  13:06:10  0:00:30   166.102.114.43    172.16.113.50    Yes      Yes
04/06/99  13:50:03  0:00:05   194.7.248.153     172.16.112.100   Yes      Yes
04/06/99  14:13:56  0:00:01   172.3.45.1        172.16.112.50    Yes      No
04/06/99  18:16:05  0:03:26   10.20.30.40       192.168.1.1      Yes      Yes
04/06/99  20:57:03  0:01:33   172.16.115.234    172.16.112.100   Yes      No
04/07/99  10:26:12  0:00:04   152.204.242.193   172.16.114.50    Yes      Yes
04/07/99  15:01:16  0:31:05   172.16.117.52     172.16.113.50    Yes      No
04/07/99  15:26:15  0:01:49   194.27.251.21     172.16.114.50    Yes      Yes
04/07/99  17:13:17  0:08:39   172.16.117.52     172.16.114.50    Yes      Yes
04/08/99  11:57:01  0:00:03   194.7.248.153     172.16.112.100   Yes      Yes
04/08/99  15:53:18  0:00:01   199.227.99.125    172.16.114.50    Yes      Yes

Table 5.8: The network violations in the fourth and fifth week of the 1999 DARPA dataset

Date         Labeled       Detected by ODPOE
             DoS attacks   FP    MP    CP    IR
03/29/1999   2             1     0     1     0.50
03/30/1999   4             0     0     4     1.00
03/31/1999   5             1     3     2     0.40
04/01/1999   5             1     2     3     0.60
04/02/1999   3             0     2     1     0.33
04/05/1999   14            0     1     13    0.93
04/06/1999   10            0     3     7     0.70
04/07/1999   4             0     1     3     0.75
04/08/1999   3             0     0     3     1.00
04/09/1999   9             0     0     9     1.00
Average                                      0.72

Table 5.9: Outlier detection in the Italian industrial production index 1981–1996

Year  Mar    Apr    May    Jun    Jul    Aug     Sep    Oct    Nov    Dec
1981  96.3   90.4   90.4   94.4   95.2   36.6    96.1   95.6   92.8   77.3
1982  96.9   90.5   88.5   87.9   90.2   36.9    92.3   88     86.8   77.1
1983  92.6   79.5   87     86.7   84.8   38.4    90.8   87.7   89.5   74.6
1984  92.6   78.9   93.3   90     88.6   43      89.3   97.5   89.7   73.7
1985  92.7   84.5   93.9   88.4   93.9   39.1    91.4   96.5   89.7   77
1986  92.6   93.6   92.4   91.8   99     37.5⋆•  97.9   101    91.3   83.3
1987  102.2  95.3   96     100.5  100.5  39.3    100.3  103    99.1   86.5
1988  109.5  94.2   104.2  106.1  100.8  46.9    107.2  104.3  106.3  93.3
1989  109    97.5   107.5  110.3  104.2  50.3⋆•  108.1  112.2  109.5  89.8
1990  112.6  98.1   110.3  105.8  109    51.1    103.6  113.8  104.6  88.2
1991  105.9  97.6   108.6  103.1  110.9  46.3    106.9  112.8  105.3  89.1
1992  111.5  102.4  103.1  109.7  111.1  43.4    104.1  107.1  105.4  87.8
1993  111.3  98.5   102.4  105.7  103.9  45      104.5  101.9  104.1  92.9
1994  113.3  97.9   110.6  112.4  108.8  52.6    112.9  109.2  111.7  99.3
1995  123.6  98.9   117.5  117.7  113.4  58.5    114.1  117.8  115.5  96.6
1996  115.6  103.5  115.3  110.1  118.1  52      110.7  118.2  108.1  93.6

⋆ Outlier point detected by HI    • Outlier point detected by ODPOE

The server is connected to the switch through a mirror port, so it observes all traffic passing through the switch. The flow data between each source IP address and destination IP address is captured, stored in the switch cache, and then exported to the collector. A separate computer is connected to the server to analyze the traffic activities (network flows and network packets) of all PCs in the network. We assume that the hardware and software of the analysis server are secure and robust enough to resist any virus, worm, Trojan horse, other malware, or active botnet, which could otherwise skew the simulation results.

Figure 5.10: The experimental setup of the network (Internet, router and work-group switch; the Server, the Analysis host, User1 to User10 and Attacker1 to Attacker3 are all attached to the switch).

Normal users are asked to use a list of safe applications and websites, where they download and upload media files (over TCP) or simply browse the Internet (HTTP). Under normal behaviour the average network flow of a user remains roughly constant, and these PCs are not always active. The attacks are designed to stress the network both in frequency and in traffic load. They may be User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) attacks. Most of them overload the victim system so that it stops serving new clients. Therefore, my proposed algorithm detects the traffic anomaly in order to send an early warning to the network operators. The input data for traffic anomaly detection is captured by Tshark [30] as the flow traffic of each sampled IP. The time series for each IP consists of four features: number of bytes received, number of bytes sent, number of packets received, and number of packets sent. To reduce the data volume, the data is aggregated at 1-minute intervals, and the proposed ODPOE algorithm is applied to every 10 minutes of flow records, both per user and across users in the network. The simulation results are given and described in Figures 5.11 and 5.12.
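The capture, aggregate and detect pipeline described above, as an added example in Python (not code from the thesis): it parses rows in the format a `tshark -T fields` run emits, aggregates them into the four per-IP features at 1-minute intervals, and then flags outliers over 10-minute windows, both within each user's own history and across users in the same minute. The tshark command in the comment, the 192.168.1.x / 203.0.113.x / 198.51.100.x addresses, the traffic built by `constructed_capture`, and the parameters `K` and `MIN_SCALE` are all assumptions. The outlier rule itself is a simple median/MAD residual test standing in for ODPOE, whose definition belongs to another part of the thesis and is not reproduced here.

```python
"""Per-IP flow aggregation and windowed outlier detection on tshark field output.

Added example, not the thesis's own code. The detector is a plain robust-residual
stand-in (predict a minute from the median of the previous WINDOW minutes, flag a
residual beyond K median absolute deviations). It is NOT the ODPOE algorithm.
"""
from collections import defaultdict
from statistics import median

AGG_SECONDS = 60        # 1-minute aggregation interval, as in the text
WINDOW = 10             # 10-minute detection window, as in the text
K = 5.0                 # assumed threshold multiplier
MIN_SCALE = 1.0         # assumed floor so an all-constant window is not zero-scaled
FEATURES = ("bytes_rx", "bytes_tx", "pkts_rx", "pkts_tx")

# Assumed capture command (standard tshark flags, not quoted from the thesis):
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
#          -e frame.len -E separator=, -E header=y


def parse_tshark_fields(lines):
    """Yield (epoch, src, dst, length) from comma-separated tshark field rows."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("frame.time_epoch"):  # blank or header row
            continue
        t, src, dst, length = line.split(",")
        yield float(t), src, dst, int(length)


def aggregate(records, monitored, bucket_seconds=AGG_SECONDS):
    """series[ip][bucket] = [bytes_rx, bytes_tx, pkts_rx, pkts_tx] for each monitored IP."""
    series = defaultdict(lambda: defaultdict(lambda: [0, 0, 0, 0]))
    for t, src, dst, length in records:
        b = int(t // bucket_seconds)
        if dst in monitored:                 # received by a monitored host
            f = series[dst][b]
            f[0] += length
            f[2] += 1
        if src in monitored:                 # sent by a monitored host
            f = series[src][b]
            f[1] += length
            f[3] += 1
    return series


def _dense(series_ip, n_buckets):
    """Minute-ordered feature rows, idle minutes filled with zeros."""
    return [series_ip.get(b, [0, 0, 0, 0]) for b in range(n_buckets)]


def _is_outlier(x, window):
    """Residual of x against the window median, scaled by the window MAD."""
    pred = median(window)
    scale = max(median(abs(w - pred) for w in window), MIN_SCALE)
    return abs(x - pred) > K * scale


def per_user_outliers(series):
    """Outliers in each user's own history: (ip, feature, bucket, value)."""
    n_buckets = 1 + max(b for s in series.values() for b in s)
    found = []
    for ip in sorted(series):
        rows = _dense(series[ip], n_buckets)
        for j, name in enumerate(FEATURES):
            vals = [r[j] for r in rows]
            for b in range(WINDOW, n_buckets):          # previous WINDOW minutes predict minute b
                if _is_outlier(vals[b], vals[b - WINDOW:b]):
                    found.append((ip, name, b, vals[b]))
    return found


def cross_user_outliers(series, feature="bytes_rx"):
    """Users whose feature in a minute stands out from all users in that minute: (bucket, ip)."""
    j = FEATURES.index(feature)
    n_buckets = 1 + max(b for s in series.values() for b in s)
    dense = {ip: _dense(series[ip], n_buckets) for ip in series}
    found = []
    for b in range(n_buckets):
        column = {ip: dense[ip][b][j] for ip in dense}
        vals = list(column.values())
        found.extend((b, ip) for ip in sorted(column) if _is_outlier(column[ip], vals))
    return found


def constructed_capture(n_minutes=30):
    """Constructed rows, not real traffic: four users pull ~20 x 1 KB segments per minute
    from 203.0.113.10; 198.51.100.7 floods User 1 with 3000 x 1400-byte packets per minute
    in minutes 12-14. Addresses are RFC 1918 / RFC 5737 examples."""
    users = ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]
    server = "203.0.113.10"
    rows = ["frame.time_epoch,ip.src,ip.dst,frame.len"]
    for m in range(n_minutes):
        for i, user in enumerate(users):
            for p in range(20 + (i + m) % 3):                # mild deterministic jitter
                t = m * 60 + p * 2.5
                rows.append(f"{t:.3f},{server},{user},1000")     # download segment
                rows.append(f"{t + 1:.3f},{user},{server},80")   # small reply
        if 12 <= m <= 14:
            rows.extend(f"{m * 60 + p * 0.02:.3f},198.51.100.7,{users[0]},1400"
                        for p in range(3000))
    return rows, set(users)


if __name__ == "__main__":
    rows, users = constructed_capture()
    series = aggregate(parse_tshark_fields(rows), users)
    for hit in per_user_outliers(series):
        print("per-user  ", hit)
    for hit in cross_user_outliers(series):
        print("cross-user", hit)
```

Running the module reports minutes 12 to 14 for User 1 on both `bytes_rx` and `pkts_rx`, and the same three minutes in the cross-user check, while the sent-direction features stay quiet, which is the asymmetry an inbound flood leaves behind. `MIN_SCALE` is not cosmetic: a host whose per-minute counts are exactly constant has a MAD of zero, and without the floor any change at all would be flagged.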

In Figure 5.11, the ODPOE algorithm detected outliers in the set of four parameters (number of bytes received/sent and number of packets received/sent) that describe the data flow at User 1. There are clearly two periods (from t1 = 96 to t2 = 300, and from t3 = 386 to t4 = 486) in which the KB received per second by User 1 increases dramatically; very likely User 1 was under a DoS attack during these periods. A user's unusually high bandwidth consumption helps to pinpoint when an attacker strikes and takes control of the user's account. This in turn helps to identify the type of attack and how it operates, so that the network defences can guard against the attackers effectively.

Figure 5.11: Detection of data-flow anomaly. Four panels of outgoing and incoming traffic from/to User 1 over time 0 to 600: Received KB/sec (0 to 5000), Received packets/sec (0 to 10000), Sent KB/sec (0 to 2 x 10^4) and Sent packets/sec (0 to 10000); raw data with the outlier points detected by the ODPOE algorithm marked.

In Figure 5.12, the flow data sampled from every user in each 10-minute period is also collected for outlier detection, in order to find attackers among the users of the network. Several attackers tried to attack User 1 and User 3. These security threats increased the KB received by these users for a short or a long time during their data transmission. The bandwidth used by these users, as recorded in Figure 5.13, is 26.3% and 21.6%, respectively, much higher than that of the other users in the network. By increasing the data flow rapidly and overloading the network connection, the attackers reach their goal of disrupting the network service and then take control of the victim systems. To counter these risks, my proposed ODPOE algorithm detects the anomalous data flow early, so that administrators can choose the best measures to protect the systems from DoS or DDoS attackers.

Figure 5.12: Outlier detection in traffic flow within the network. Received KB/sec over time 0 to 600 for the data flow at User 1 (0 to 5000), User 2 (0 to 4000), User 3 (0 to 4000) and User 4 (0 to 10000); raw data with the outlier points detected by the ODPOE algorithm marked.

Figure 5.13: Bandwidth used by each user IP (labels IP1 to IP12).