Abstract
Network intrusion detection is a key security issue that can be tackled by means of different approaches. This paper describes a novel methodology for network attack detection based on data mining techniques applied to traffic information that a monitoring station collects from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, which adopts unsupervised clustering techniques, makes it possible to distinguish normal traffic behaviour from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected through any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented that reproduces the case of a real web server subjected to several attack techniques. Results of the experiments show the effectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).
Work partially funded by the European project DORII: Deployment of Remote Instrumentation Infrastructure, Grant agreement no. 213110.
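As an added illustration of the pipeline the abstract describes (not code from the paper), the following Python script turns constructed SNMP IF-MIB counter snapshots from one monitored host into per-second rates, clusters them with a plain k-means, and flags the minority cluster as anomalous; the polling interval, the counter values and the assumption that normal traffic forms the majority cluster are all assumptions made here.

```python
"""Added example: cluster SNMP IF-MIB counter deltas into normal vs. anomalous intervals."""
from math import sqrt

POLL_SECONDS = 10  # assumed polling interval of the monitoring station
# Constructed (ifInOctets, ifInUcastPkts) snapshots: steady web traffic, three intervals
# of a small-packet flood, then recovery. Values are made up for illustration.
SNAPSHOTS = [
    (1_000_000, 2_000), (1_600_000, 2_900), (2_100_000, 3_700),
    (2_700_000, 4_600), (3_200_000, 5_400),
    (3_300_000, 60_400), (3_400_000, 118_000), (3_500_000, 176_000),
    (4_100_000, 177_000), (4_700_000, 177_900),
]

def counter_rates(snapshots, interval):
    """Absolute Counter32 values -> (bytes/s, pkts/s) for each polling interval."""
    rates = []
    for (o0, p0), (o1, p1) in zip(snapshots, snapshots[1:]):
        d_oct, d_pkt = (o1 - o0) % 2 ** 32, (p1 - p0) % 2 ** 32  # survive counter wrap
        rates.append((d_oct / interval, d_pkt / interval))
    return rates

def scale(points):
    """Min-max scale each feature so bytes/s cannot dominate pkts/s in the distance."""
    lo = [min(p[i] for p in points) for i in range(2)]
    hi = [max(p[i] for p in points) for i in range(2)]
    return [tuple((p[i] - lo[i]) / ((hi[i] - lo[i]) or 1) for i in range(2)) for p in points]

def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k=2, rounds=50):
    """Lloyd's k-means with deterministic farthest-point seeding."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    for _ in range(rounds):
        labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            new.append(tuple(sum(m[i] for m in members) / len(members) for i in range(2)) if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels, centroids

def flag_intervals(snapshots, interval=POLL_SECONDS):
    """Label every interval; the majority cluster is assumed to be normal traffic."""
    rates = counter_rates(snapshots, interval)
    labels, _ = kmeans(scale(rates))
    normal = max(set(labels), key=labels.count)
    return [("normal" if lab == normal else "attack", round(r[1])) for lab, r in zip(labels, rates)]
```

With a real deployment the same feature vectors would be exchanged between monitoring stations so that a cluster learned at one site is recognised at another.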
© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Cerroni, W., Monti, G., Moro, G., Ramilli, M. (2009). Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data. In: Bartolini, N., Nikoletseas, S., Sinha, P., Cardellini, V., Mahanti, A. (eds) Quality of Service in Heterogeneous Networks. QShine 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 22. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10625-5_26
DOI: https://doi.org/10.1007/978-3-642-10625-5_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10624-8
Online ISBN: 978-3-642-10625-5
eBook Packages: Computer Science, Computer Science (R0)