Classification of DOS Attacks Using Visualization Technique


Mohamed Cheikh (Computer Science Department, Constantine 2 University, Constantine, Algeria), Salima Hacini (TLSI department, Constantine 2 University, Constantine, Algeria) and Zizette Boufaida (Computer Science Department, Constantine 2 University, Constantine, Algeria)
Copyright: © 2014 |Pages: 14
DOI: 10.4018/IJISP.2014040102


A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. In this paper, a new technique for detecting DoS attacks is proposed; it detects DoS attacks using a set of classifiers and visualizes them in real time. The technique is based on collecting network parameter values (data packets), which are automatically represented as simple geometric graphs in order to highlight the relevant elements. The effectiveness of the proposed technique has been proven through a MATLAB simulation of network traffic drawn from the 10% KDD, and through a comparison with other classification techniques for intrusion detection.


IDSs are tools for monitoring and controlling performance, used for auditing information systems and detecting possible intrusions (Anderson J., 1980; Denning D., 1987).

Intrusion detection is based on two basic approaches: the behavioral approach and the scenario approach. The scenario approach, often called the misuse detection approach, defines the user actions that constitute abuse. It uses predefined rules to encode and detect known intrusions. The behavioral approach, for its part, can detect unknown intrusions and does not require any prior knowledge of intrusions (Boudaoud K., 2000). This approach is based on the fact that an intruder does not behave the same way as a regular user. Unlike the user, whose behavior is normal, the intruder behaves abnormally. Thus, all intrusive activities are necessarily abnormal (Sundaram A., 2000).

Classification techniques in IDS aim to classify network traffic into two classes: “normal” and “intrusion”. Classification requires learning. The more accurate this learning is, the lower the false positive rate and the false negative rate (Maxime Dumas, 2011).

Among the techniques commonly used for classification in IDS are ANN (Artificial Neural Networks), SVM (Support Vector Machines), often K-means, and others (see Section 2).

This paper presents a new technique for classifying DoS attacks relying on a visual representation of the network traffic. This representation is based on simple geometric forms and has two objectives:

  1. Find models of DoS attacks and in particular be able to distinguish between them and the normal traffic. Seven models were identified to recognize six types of DoS attacks (Neptune, Smurf, Teardrop, Land, Pack, Pod) to which is added the normal case.

  2. Improve the detection rate, which presents a great challenge for IDS.

The effectiveness of this technique has been proved through MATLAB simulation of network traffic drawn from the 10% KDD. The proposed technique treats DoS attacks. However, it can also be applied to other types of attacks with the integration of their geometric forms in the detection system.

The remainder of this paper is organized as follows: Section 2 presents some works dealing with classification in IDS, and Section 3 describes the proposed detection technique. Section 4 presents experiments and a discussion of this work. Finally, Section 5 concludes the paper and suggests some perspectives.


Several techniques are used for classification in IDS; the most frequently used are ANN, SVM and K-means, among others.

The k-means classifier, originally a pattern recognition algorithm that has proven its effectiveness in text processing (Yang Y., 1997), is a simple and popular classification technique that uses statistical properties (Kaplantzis S. & Mani M., 2006). It partitions a collection of objects into K classes (K is a number set by the user). In the context of intrusion detection, there are generally two groups (classes), one for attacks and another for normal cases. The classification is then performed by taking each individual point in a test set and associating it with the nearest class. At the end, each point is assigned to the class “attack” or “normal”. The distance measures most often used in this category of classification algorithms are the Euclidean and Manhattan distances.
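The two-class k-means procedure described above, as an added example (not code from the paper): the feature vectors, the scaling, the seeding strategy and the majority-label step used to name the clusters are assumptions made for illustration, and all sample values are constructed.

```python
# Added example: k-means with K=2 on constructed, KDD-style feature vectors
# (connection count scaled to [0, 1], SYN error rate). All values are made up.
from collections import Counter

def euclidean(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def nearest(centroids, p, dist):
    return min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))

def kmeans(points, k, dist, iters=100):
    # Deterministic farthest-point seeding, then Lloyd iterations.
    # The mean is used as centroid for both metrics (a simplification).
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest(centroids, p, dist)].append(p)
        updated = [tuple(sum(col) / len(g) for col in zip(*g)) if g else centroids[i]
                   for i, g in enumerate(groups)]
        if updated == centroids:
            break
        centroids = updated
    return centroids

def train(samples, dist, k=2):
    # k-means is unsupervised: name each cluster after its majority training label.
    centroids = kmeans([f for f, _ in samples], k, dist)
    votes = [Counter() for _ in centroids]
    for f, label in samples:
        votes[nearest(centroids, f, dist)][label] += 1
    return [(c, v.most_common(1)[0][0] if v else "unknown") for c, v in zip(centroids, votes)]

def classify(model, x, dist):
    # Assign a test point to the class of its nearest centroid.
    return model[nearest([c for c, _ in model], x, dist)][1]

TRAIN = [((0.01, 0.00), "normal"), ((0.02, 0.00), "normal"), ((0.03, 0.05), "normal"),
         ((0.05, 0.00), "normal"), ((0.02, 0.02), "normal"),
         ((0.90, 1.00), "attack"), ((0.95, 1.00), "attack"), ((1.00, 0.98), "attack"),
         ((0.85, 0.99), "attack"), ((0.97, 1.00), "attack")]

if __name__ == "__main__":
    for dist in (euclidean, manhattan):
        model = train(TRAIN, dist)
        print(dist.__name__, [classify(model, x, dist) for x in [(0.04, 0.01), (0.92, 0.97)]])
```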

Artificial neural networks (ANN) are also used for classification in IDS (Kevin L. et al., 1990; Debar H. et al., 1992; Ryan J. et al., 1998; Cannady J., 1998). In the work of Fox et al. (Kevin L. et al., 1990), the authors proposed the use of artificial neural networks to detect intrusions. The network input is a collection of URL elements that often appear together, in order to refine the recognition of simultaneous occurrences of different elements. Debar H. et al. (1992) proposed learning to predict the user's next command from the history of previous commands. In this case, a sliding window of the w most recent commands is used. The predicted command is compared with the user's actual command, and each deviation is reported as an intrusion. The size of the window w plays an important role, because if w is too small, there will be many false positives and some attacks will not be detected (Hamoui, F., 2007).
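The effect of the window size w on false positives, as an added example that is not from the paper or from Debar et al.: it swaps their neural network for a simple frequency table over the last w commands, and the command histories are constructed.

```python
# Added example: next-command prediction over a sliding window of w commands.
# A frequency table stands in for the neural network; all sessions are made up.
from collections import Counter, defaultdict

def build_table(history, w):
    """Count which command followed each window of w commands in the history."""
    table = defaultdict(Counter)
    for i in range(w, len(history)):
        table[tuple(history[i - w:i])][history[i]] += 1
    return table

def deviations(table, session, w):
    """Return (index, observed, predicted) wherever the prediction was wrong."""
    flagged = []
    for i in range(w, len(session)):
        ctx = tuple(session[i - w:i])
        # An unseen context yields no prediction and is always a deviation.
        predicted = table[ctx].most_common(1)[0][0] if ctx in table else None
        if predicted != session[i]:
            flagged.append((i, session[i], predicted))
    return flagged

# Constructed user profile: two habitual command sequences that share "ls".
HISTORY = ["cd", "ls", "vi", "make"] * 3 + ["git", "ls", "cat"] * 2
# Constructed legitimate session and a session with unfamiliar commands.
BENIGN = ["git", "ls", "cat", "git", "ls", "cat"]
UNUSUAL = ["git", "ls", "cat", "wget", "chmod"]

def false_positives(w):
    """Deviations raised on the legitimate session for window size w."""
    return deviations(build_table(HISTORY, w), BENIGN, w)

if __name__ == "__main__":
    for w in (1, 2):
        table = build_table(HISTORY, w)
        print("w =", w, "benign:", deviations(table, BENIGN, w))
        print("w =", w, "unusual:", deviations(table, UNUSUAL, w))
```

With w = 1 the context "ls" is ambiguous, so the legitimate "git ls cat" habit is flagged twice; with w = 2 the same session produces no deviations while the unfamiliar commands are still reported.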
