Introduction
IDSs are monitoring and control tools used for auditing information systems and detecting possible intrusions (Anderson.J,1980; Denning.D,1987).
Intrusion detection is based on two basic approaches: the behavioral approach and the scenario approach. The scenario approach, often called the misuse detection approach, defines the user actions that constitute abuse. It uses predefined rules to encode and detect known intrusions. The behavioral approach, for its part, can detect unknown intrusions and does not require any prior knowledge of intrusions (Boudaoud.K,2000). This approach is based on the fact that an intruder does not behave the same way as a regular user. Contrary to the user, who has a normal behavior, the intruder has an abnormal behavior. Thus, all intrusive activities are necessarily abnormal (Sundaram.A,2000).
Classification techniques in IDS intend to classify network traffic into two classes: “normal” and “intrusion”. Classification requires learning; the more accurate this learning, the lower the false positive and false negative rates (Maxime DUMAS, 2011).
Among the techniques commonly used for classification in IDS are ANN (Artificial Neural Network), SVM (Support Vector Machines) and often K-means, among others (see section 2).
This paper presents a new technique for classifying DoS attacks that relies on a visual representation of the network traffic. This representation is based on simple geometric forms and has two objectives:
1. Find models of DoS attacks and, in particular, be able to distinguish them from normal traffic. Seven models were identified to recognize six types of DoS attacks (Neptune, Smurf, Teardrop, Land, Pack, Pod), to which the normal case is added.
2. Improve the detection rate, which is a major challenge for IDS.
The effectiveness of this technique has been demonstrated through MATLAB simulation of network traffic drawn from the 10% KDD dataset. The proposed technique addresses DoS attacks; however, it can also be applied to other types of attacks by integrating their geometric forms into the detection system.
The remainder of this paper is organized as follows: Section 2 presents some works dealing with classification in IDS, and Section 3 describes the proposed detection technique. Section 4 adds an experimentation and discussion to this work. Finally, Section 5 concludes the paper and suggests some perspectives.
There are several techniques used for classification in IDS, the most frequent being ANN, SVM and K-means, among others.
The k-means classifier, originally a pattern recognition algorithm that has proven its effectiveness in text processing (Yang Y,1997), is a simple and popular classifier that uses statistical properties (Kaplantzis.S & Mani M.,2006). It partitions a collection of objects into K classes (K is a number set by the user). In the context of intrusion detection, there are generally two groups (classes), one for attacks and another for normal cases. Classification is then performed by taking each individual point in a test set and associating it with the nearest class. At the end, each point is assigned to the class “attack” or “normal.” Most distance measures used in this category of classification algorithms are Euclidean or Manhattan distances.
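As an added illustration of the two-class k-means classification just described (example code written for this page, not from the paper): connection records are partitioned into K=2 clusters, each cluster is named by the majority label of the training points it attracts, and test points are assigned to the nearest centroid. The three-feature vectors (count, srv_count, serror_rate) are constructed to resemble KDD-style connection features and are an assumption; both Euclidean and Manhattan distances are supported.

```python
import random

def euclidean(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def kmeans(points, k, dist, iters=50, seed=0):
    """Partition points into k clusters (Lloyd's algorithm); returns the centroids."""
    centroids = random.Random(seed).sample(points, k)
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        new = [tuple(sum(col) / len(cl) for col in zip(*cl)) if cl else centroids[i]
               for i, cl in enumerate(clusters)]
        if new == centroids:      # assignments stable: converged
            break
        centroids = new
    return centroids

def label_centroids(centroids, labelled, dist):
    """Name each cluster "attack" or "normal" by majority vote of the training labels."""
    votes = [{} for _ in centroids]
    for p, lab in labelled:
        idx = min(range(len(centroids)), key=lambda i: dist(p, centroids[i]))
        votes[idx][lab] = votes[idx].get(lab, 0) + 1
    return [max(v, key=v.get) if v else "unknown" for v in votes]

def classify(point, centroids, names, dist):
    """Assign a test point to the class of its nearest centroid."""
    return names[min(range(len(centroids)), key=lambda i: dist(point, centroids[i]))]

# Constructed training records: (count, srv_count, serror_rate) per connection.
TRAIN = [((3, 3, 0.0), "normal"), ((5, 4, 0.0), "normal"), ((2, 2, 0.1), "normal"),
         ((250, 250, 1.0), "attack"), ((300, 290, 0.9), "attack"), ((220, 210, 1.0), "attack")]

def detect(point, dist=euclidean):
    """Train on TRAIN with the chosen distance and classify one test record."""
    centroids = kmeans([p for p, _ in TRAIN], 2, dist)
    return classify(point, centroids, label_centroids(centroids, TRAIN, dist), dist)

if __name__ == "__main__":
    print(detect((280, 270, 1.0)))             # attack
    print(detect((4, 3, 0.0), manhattan))      # normal
```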
Artificial neural networks (ANN) are also used for classification in IDS (Kevin L et al,1990; Debar H. et al,1992; Ryan J. et al,1998; Cannady J.,1998). In the work of Fox et al. (Kevin L et al,1990), the authors proposed the use of artificial neural networks to detect intrusions. The network input is a collection of URL elements that often appear together, used to refine the recognition of simultaneous occurrences of different elements. Debar H. et al. (1992) proposed to predict the user's next command from the history of their previous commands. In this case, a sliding window of the w most recent commands is used. The predicted command is compared with the user's current command, and each deviation is reported as an intrusion. The size of the window w plays an important role: if w is too small, there will be many false positives and some attacks will not be detected (Hamoui, F., 2007).