A Combined Data Mining Approach for DDoS Attack Detection
Mihui Kim (1), Hyunjung Na (1), Kijoon Chae (1), Hyochan Bang (2), and Jungchan Na (2)
(1) Dept. of Computer Science and Engineering, Ewha Womans University, Korea
{mihui,hjna,kjchae}@ewha.ac.kr
(2) Electronics and Telecommunications Research Institute, Korea
{bangs,njc}@etri.re.kr
Abstract. Recently, as the serious damage caused by DDoS attacks increases, rapid detection and proper response mechanisms are urgently needed. However, existing security mechanisms do not provide an effective defense against these attacks, or their defense capability is limited to specific DDoS attacks. It is necessary to analyze the fundamental features of DDoS attacks, because these attacks can easily vary the port/protocol used or the operation method. In this paper, we propose a combined data mining approach for modeling the traffic patterns of normal traffic and of diverse attacks. The approach uses an automatic feature selection mechanism to select the important attributes, and the classifier is then built by a neural network from the theoretically selected attributes. Our experimental results show that our approach provides the best performance on a real network, in comparison with heuristic feature selection and with any single data mining approach.
1 Introduction
Distributed Denial of Service (DDoS) is a relatively simple, yet very powerful technique for attacking Internet resources as well as system resources. Distributed multiple agents consume some critical resource at the target within a short time and deny service to legitimate clients. As a side effect, they frequently create network congestion on the path from source to target, disrupting normal Internet operation and causing many users' connections to be lost. Recently, this side effect has seriously threatened real networks, together with worm viruses. Considering the serious damage caused by DDoS attacks, rapid detection and a proper response are urgent.
As the damage by DDoS attacks increases, much research on detection mechanisms has been performed, but the existing security mechanisms do not provide an effective defense against these attacks, or their defense capability is limited to specific DDoS attacks, as we showed in a comparative study [1]. The large number of attacking machines and the use of source IP address spoofing make traceback impossible. Although a router may perform ingress filtering, many spoofed packets can pass it, because some DDoS tools provide several spoofing levels in order to pass an ingress filtering router. The use of legitimate packets for the attack and the variation of packet fields defeat characterization and filtering of the attack streams. The distributed nature of the attacks calls for a distributed response, but cooperation between administrative domains is hard to achieve, and security and authentication of participants incur a high cost. There are automated DDoS tools of various types, so even a beginner can easily operate them.
H.-K. Kahng and S. Goto (Eds.): ICOIN 2004, LNCS 3090, pp. 943–950, 2004.
© Springer-Verlag Berlin Heidelberg 2004
In order to detect these attacks, we can monitor some features of each server or router, merge the results, and output a synthetic judgment. Many existing proposals have used network monitoring data such as tcpdump and SNMP MIB [2]. Tcpdump output needs to go through multiple iterations of data pre-processing to extract meaningful features and measures, since tcpdump is not intended specifically for security purposes. This process also requires a lot of domain knowledge and may not be easily automated. SNMP MIB is meaningless if few systems adopt SNMP, and it supplies features of the system itself, such as in/out packet counts, octets, error packet counts, and so on. It is then necessary to integrate the MIB entries of each system and analyze the combined outputs. We could also use the RMON MIB, which provides features of the network traffic generated in a segment. It is more useful for detecting these attacks, but the operation of RMON considerably decreases system performance, so many operators usually turn the RMON feature off.
So we used NetFlow, which was developed by Cisco Systems. It was originally developed as a network accounting technology, and it answers questions about IP traffic such as who, what, where, when, and how. This framework defines a flow with seven unique keys: source IP address, destination IP address, source port, destination port, layer 3 protocol type, TOS byte (DSCP), and input logical interface (ifIndex). Although NetFlow is only provided on Cisco systems, sFlow can be used instead of NetFlow. sFlow (RFC 3176) was standardized at the IETF and provides features similar to NetFlow. Flow-based traffic analysis is valuable for detecting DDoS attacks, because most DDoS attacks suddenly increase the number of flows, exhaust the maximum number of flows on the ingress switch, and make the network's Internet connections close up.
We used data mining techniques for modeling the traffic pattern based on the NetFlow data. This model can be used for both misuse detection and anomaly detection, according to the modeling data and method. At first, we manually selected the meaningful features (attributes) for DDoS attacks, and used the data mining technique only for creating the classifier for attack detection [7]. However, because deciding upon the right set of features is difficult and time consuming, an automated tool is necessary. For example, many trials were attempted before we came up with the current set of features, and we could not corroborate that our manually selected set is really the right set. So we also used another data mining technique, the decision tree algorithm, for selecting the important features for each DDoS attack. This technique eliminated the useless features and reported the priority of the features. Therefore we could build an efficient model for detecting the various DDoS attacks.

Table 1. Features of DDoS Tools

Tool         | Attack Type                | Source IP                                  | Source Port                                      | Target Port                  | Etc.
Trinoo       | UDP flood                  | Not spoofing                               | Not allowed to specify                           | Not allowed to specify       |
Synk4        | SYN flood                  | Spoofing                                   | Automatic selection                              | Specify                      |
TFN2k        | UDP/SYN/ICMP flood, Smurf  | Capable of controlling the spoofing level  | Automatic selection (at random or sequentially)  | Allowed to specify the range | Uni-directional control; encrypted communication
Stacheldraht | UDP/SYN/ICMP flood, Smurf  | Automated spoofing                         | Automatic selection (at random or sequentially)  | Specify the range            | Automated agent update; encrypted communication
This paper is divided into five sections. In Section 2, we briefly explain DDoS attacks and attack tools, and then we introduce the proposed combined data mining approach. Next we explain our experimental environment and results. Finally, a brief conclusion and future work are presented.
2 DDoS Attack & Attack Tool
An intrusion can be defined as "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource" [2]. Among these compromises, DoS/DDoS attacks compromise the availability of network resources as well as of the system resource itself, and the damage caused by DDoS attacks is increasing as time goes on. Because DDoS attacks usually use normal protocol packets, like legitimate users do, intrusion prevention techniques alone, such as user authentication and encryption, are not enough against these attacks. Therefore detection mechanisms are indispensable as a first line of DDoS attack defense.
One of the reasons why DDoS attacks are so threatening is the automated tool. Because the attack process is automated, once the attacker finds systems with weak security, it does not take more than 5 seconds to install the tool and attack the victim, and thousands of hosts can be invaded in only one minute. Representative DDoS attack tools are Trinoo, Synk4, TFN, TFN2k, and Stacheldraht; we mainly used TFN2k and Stacheldraht, the most powerful tools, for the experiments. We comparatively summarize the features of these tools in Table 1. These tools use specific port numbers and protocols, but these can be easily changed. So it is difficult to detect a DDoS attack proactively by monitoring the control commands between the attacker and the master, and between the master and the agents.
3 Proposed Combined Data Mining Approach
As the first experimental step, we proposed a classifier built by neural network technology for DDoS attack detection [3]. In that experiment, we gathered NetFlow data not only in the normal case but also in the attack case. However, because NetFlow on the access router only had the gathering feature turned on for input traffic, that is, traffic on its way from the Internet to our network, NetFlow mainly gathered TCP SYN flood attack traffic although we mounted several attacks. We heuristically selected the input attributes of the neural network by plotting comparative graphs for the normal and attack cases. The selected attributes were the number of flows, the number of octets per flow, and the number of packets per flow, because most DDoS attack tools generate many flows using few octets and few packets. The built classifier was designed to output normal or abnormal. In conclusion, we obtained a 90.9% detection rate in that experiment.
As the enhanced approach, we propose the combined data mining approach. It uses an automatic feature selection mechanism and builds the classifier by neural network technology with the automatically selected attributes. For the selection of the important attributes, a heuristic method cannot prove that its choice is the best, and many trials and much processing time are required [2]. So we propose the decision tree algorithm, one of the data mining technologies, as the automatic feature selection mechanism. It can output the best attribute set among the candidate attributes, together with their priority, using entropy or chi-square theory. This algorithm theoretically provides insight into the patterns that may be exhibited in the data. The output of this decision tree is then used as the input for building the neural network classifier, as in Figure 1. Such a mapping approach between decision tree and neural network was proposed with the goal of accurately specifying the number of units, layers, connections and the initial parameter settings of the neural network [4]. This combined approach incurs more overhead, but classifier generation can be performed as an off-line process, and the generated classifier can be used for real-time detection like other data mining approaches.
Fig. 1. Proposed approach structure
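The attribute selection step described above, as an added example that is not the paper's code: a root-level decision tree split scored by information gain (the entropy criterion) and by the chi-square statistic, run over a small constructed table of per-run attributes. The run values, the subset of four attributes, and the class labels are constructed here and are not the paper's data.

```python
from collections import Counter
from math import log2

# Constructed per-run attribute table (not the paper's data). Each row holds four
# of the paper's candidate attributes for one 5-minute run plus the run's target
# status; the values follow the paper's description (attack runs have about one
# packet per flow, TCP floods vary source ports, UDP floods have a low TCP ratio).
ATTRS = ["P/F", "srcTport", "Tratio", "O/F"]
RUNS = [
    (9.1, 1.2e3, 0.62, 5800.0, "normal"), (8.4, 0.9e3, 0.58, 6100.0, "normal"),
    (10.3, 1.5e3, 0.65, 600.0, "normal"), (7.9, 1.1e3, 0.55, 5200.0, "normal"),
    (1.0, 3.1e8, 0.99, 40.0, "tcp"), (1.1, 2.9e8, 0.98, 44.0, "tcp"),
    (1.0, 1.0e3, 0.02, 1200.0, "udp"), (1.2, 1.3e3, 0.03, 1180.0, "udp"),
    (1.1, 2.7e8, 0.51, 900.0, "mix"),
]

def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())

def best_split(rows, col):
    """Best binary threshold on attribute `col` by information gain, the entropy
    criterion a decision tree applies at its root. Returns (gain, threshold)."""
    base = entropy([r[-1] for r in rows])
    values = sorted({r[col] for r in rows})
    best = (0.0, None)
    for lo, hi in zip(values, values[1:]):
        t = (lo + hi) / 2
        left = [r[-1] for r in rows if r[col] <= t]
        right = [r[-1] for r in rows if r[col] > t]
        remainder = (len(left) * entropy(left) + len(right) * entropy(right)) / len(rows)
        if base - remainder > best[0]:
            best = (base - remainder, t)
    return best

def chi_square(rows, col, t):
    """Chi-square statistic of the split-side x class contingency table for
    threshold t on `col`: the paper's alternative split criterion."""
    classes = sorted({r[-1] for r in rows})
    sides = ([r for r in rows if r[col] <= t], [r for r in rows if r[col] > t])
    n, stat = len(rows), 0.0
    for side in sides:
        for c in classes:
            expected = len(side) * sum(r[-1] == c for r in rows) / n
            observed = sum(r[-1] == c for r in side)
            stat += (observed - expected) ** 2 / expected
    return stat

def rank_attributes(rows, names):
    """Attribute priority as the decision tree reports it: highest gain first.
    Returns a list of (name, gain, threshold)."""
    scored = [(name, *best_split(rows, i)) for i, name in enumerate(names)]
    return sorted(scored, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    for name, gain, t in rank_attributes(RUNS, ATTRS):
        print(f"{name:9s} gain={gain:.3f} threshold={t}")
```

On this constructed table P/F ranks first, srcTport and Tratio tie, and O/F ranks last, which is the kind of priority list the paper feeds to the neural network stage.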
Fig. 2. Attack Scenario
4 Experimental Results
In order to prove the performance of DDoS attack detection in particular, an experiment on a real network is important and essential. The pattern of normal traffic may affect the performance of DDoS attack detection, because most DDoS attacks use general protocol packets, such as TCP, UDP and ICMP. So we gathered real network traffic using NetFlow, composed of normal data and attack data. The router running NetFlow is the access router that connects the Internet and our network, as in Figure 2.
For the various experiments, we mounted the DDoS attack in two cases. First, the agents were located in the external network and the victim was located in our internal network; the second case is vice versa. We chiefly mounted Stacheldraht and TFN2k, because these are the strongest DDoS attack tools and they provide various DDoS attack types, such as TCP flood, UDP flood, ICMP flood, smurf attack, and mixed attack. We performed all of the attack types, but we could only obtain TCP flood attack traffic, UDP flood attack traffic and mixed TCP/UDP traffic, because the firewall on our network filtered ICMP traffic. So we obtained 176 normal runs, 15 TCP attack runs, 15 UDP attack runs, and 4 mixed attack runs. Each run is 5 minutes of statistical data. We used 40% of each run for training, 30% of each run for model validation, and 30% of each run for testing. Unlike the previous experiment [3], we turned on the gathering feature for egress traffic as well as ingress traffic.
At first, we made a simple decision tree with the candidate attributes that we considered important input for the classifier. The candidate attributes are octet count per flow (O/F), packet count per flow (P/F), TCP octet count per flow (TO/F), TCP packet count per flow (TP/F), UDP octet count per flow (UO/F), UDP packet count per flow (UP/F), source port variance for TCP traffic (srcTport), source port variance for UDP traffic (srcUport), destination port variance for TCP traffic (dstTport), destination port variance for UDP traffic (dstUport), source IP address variance (srcVar), TCP traffic ratio (Tratio), and UDP traffic ratio (Uratio). First, we designed the decision tree with the simple output normal or abnormal, in order to compare with the previous experiment [3]. The result of the decision tree by chi-square is shown in Figure 3.
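Computing the candidate attributes listed above from NetFlow-style flow records of one run, as an added example that is not the paper's code. The flow records are constructed here; the paper does not define how its variance attributes are computed, so population variance of the raw port numbers and of the integer-encoded source addresses is assumed.

```python
from random import Random
from statistics import pvariance

# Constructed NetFlow-style records for one 5-minute run (not the paper's data).
# Each record is (src_ip, dst_ip, src_port, dst_port, proto, packets, octets);
# proto 6 is TCP and 17 is UDP.
NORMAL_RUN = [
    ("10.0.0.5", "198.51.100.10", 40001, 80, 6, 12, 9000),
    ("10.0.0.6", "198.51.100.10", 40002, 443, 6, 20, 15000),
    ("10.0.0.5", "198.51.100.11", 40003, 80, 6, 8, 6000),
    ("10.0.0.7", "198.51.100.53", 5353, 53, 17, 2, 160),
    ("10.0.0.8", "198.51.100.53", 5354, 53, 17, 2, 170),
]

def flood_shaped_run(n_flows, seed=1):
    """Constructed run with the shape the paper attributes to TCP flood runs:
    many one-packet TCP flows, few octets, a different source port per flow."""
    rng = Random(seed)
    return [("203.0.113.%d" % rng.randrange(1, 255), "10.0.0.9",
             rng.randrange(1024, 65536), 80, 6, 1, 40) for _ in range(n_flows)]

def ip_int(ip):
    """Dotted-quad IPv4 address to an integer, so a variance can be taken."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def var(values):
    return pvariance(values) if len(values) > 1 else 0.0

def run_features(flows):
    """The paper's candidate attributes for one run. Assumption: the 'variance'
    attributes are the population variance of the raw port numbers and of the
    integer-encoded source addresses (the paper does not define them)."""
    n = len(flows)
    tcp = [f for f in flows if f[4] == 6]
    udp = [f for f in flows if f[4] == 17]
    def mean(sub, i):
        return sum(f[i] for f in sub) / len(sub) if sub else 0.0
    return {
        "Flow": n,
        "O/F": mean(flows, 6), "P/F": mean(flows, 5),
        "TO/F": mean(tcp, 6), "TP/F": mean(tcp, 5),
        "UO/F": mean(udp, 6), "UP/F": mean(udp, 5),
        "srcTport": var([f[2] for f in tcp]), "srcUport": var([f[2] for f in udp]),
        "dstTport": var([f[3] for f in tcp]), "dstUport": var([f[3] for f in udp]),
        "srcVar": var([ip_int(f[0]) for f in flows]),
        "Tratio": len(tcp) / n, "Uratio": len(udp) / n,
    }

if __name__ == "__main__":
    for label, run in (("normal", NORMAL_RUN), ("flood-shaped", flood_shaped_run(30))):
        print(label, {k: round(v, 2) for k, v in run_features(run).items()})
```

The two runs differ exactly in the attributes the paper's trees pick out: P/F drops to 1 and srcTport grows by orders of magnitude in the flood-shaped run.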
Fig. 3. Decision Tree by chi-square
This case selected the P/F and srcTport attributes by minimizing the number of leaves and maximizing the model validation rate. The decision tree by entropy also selected the same attributes, although the threshold of each rule and the number of rules differ somewhat. The leaf nodes present each class: white is abnormal, and the other is normal. The second column of each leaf node is the classification result on the training data, and the third column is the classification result on the validation data. In the case of the first leaf node of Figure 3, the class is normal, and 4 normal and 1 abnormal training data and 2 normal validation data are classified in this class.
To compare the model by theoretic selection with the model by heuristic selection, we built two classifiers by neural network: one with the selected attributes, P/F and srcTport, and one with all candidate attributes, the same as the input of the decision tree. The misclassification rate was output as the test result, as in Table 2. We could increase the detection performance in the case of the neural network model by theoretic selection, compared with the neural network model by heuristic selection and with the decision tree model.
To provide more information in the output of the classifier, we designed the output of the decision tree to be the normal case or each attack type, such as TCP attack, UDP attack or MIX attack. This added output information makes it easy to add a filter rule on the firewall or IDS. The result of the decision tree by entropy is shown in Figure 4. In this case, the decision tree output P/F, Tratio and srcTport as the important attributes. The decision tree by chi-square also output the same attributes, although the number of rules and the threshold of each rule were different. We compared the misclassification rate of a single data mining technology, such as decision tree or neural network, with that of the proposed combined data mining approach in Table 3. The combined approach provided the best performance for DDoS attack detection, and the neural network is next.

Table 2. Misclassification Rate by heuristic and theoretic selection (target status: normal/abnormal)

Used Technologies                                      | Misclassification Rate | Comments
Heuristic Selection + Neural Network                   | 0.0428571429           | Heuristically selected attributes: Flow, O/F, P/F
Decision Tree                                          | 0.0428571429           | All candidate attributes as input
Theoretic Selection (Decision Tree) + Neural Network   | 0.0285714286           | Theoretically selected attributes: P/F, srcTport

Fig. 4. Decision Tree by entropy

Table 3. Misclassification Rate by single data mining and combined data mining approach (target status: normal/each attack type)

Used Technologies                                      | Misclassification Rate | Comments
Neural Network                                         | 0.0434782609           | All candidate attributes as input
Decision Tree (entropy)                                | 0.0724637681           | All candidate attributes as input
Decision Tree (chi-square)                             | 0.0869565217           | All candidate attributes as input
Theoretic Selection (Decision Tree) + Neural Network   | 0.0289855072           | Theoretically selected attributes: P/F, srcTport, Tratio
5 Conclusions
In this paper, we have proposed a combined data mining approach for the detection of DDoS attacks of various types, composed of an automatic feature selection module based on the decision tree algorithm and a classifier generation module based on the neural network. To prove the practical detection performance of our approach, we gathered real network traffic in the normal case and in the attack case. We mounted the most powerful DDoS attacks while changing the attack type, so we could obtain attack traffic of various types. We used NetFlow data as the gathered data, because per-flow analysis is useful for DDoS attack detection. Because NetFlow provides abstract information per flow, we do not need extensive pre-processing, unlike with tcpdump.
At first, we designed the target status to be normal or abnormal, in order to compare the new approach with our previous approach [3]. As the result of the experiment, we compared the misclassification rate by automatic selection with that by heuristic selection, and our approach resulted in twice the performance of heuristic selection. Next, we devised the target status to be normal or each attack type, in order to provide extra information about the attack type. We also compared the misclassification rate of the classifier by a single data mining approach and by our combined approach, and our approach provided the best performance.
Future work includes comparative experiments using various data mining technologies, and comparative experiments between the data mining approach and a pure statistical approach. Because the DDoS attacks could severely affect our network, we could not gather many attack runs; we plan to gather sufficient attack runs and normal runs given enough time.
References
[1] Mihui Kim, et al.: A Combined Data Mining Approach for DDoS Attack Detection. Proc. of ICOIN (2004) 1365-1374
[2] Wenke Lee, Salvatore J. Stolfo: Data Mining Approaches for Intrusion Detection. Proc. of the 7th USENIX Security Symposium (1998) 79-94
[3] Hyunjung Na, et al.: Distributed Denial of Service Attack Detection using Netflow Traffic. Proc. of the Korea Information Processing Society (2003)
[4] LI Aijun, LIU Yunhui and LUO Siwei: Mapping a Decision Tree for Classification into a Neural Network. Proc. of the 6th International Conference on Computational Intelligence & Natural Computing (2003)