
Traffic Flooding Attack Detection on SNMP MIB Using SVM

  • 유재학 (Department of Computer Science, Korea University) ;
  • 박준상 (Department of Computer and Information Science, Korea University) ;
  • 이한성 (Department of Computer Science, Korea University) ;
  • 김명섭 (Department of Computer and Information Science, Korea University) ;
  • 박대희 (Department of Computer and Information Science, Korea University)
  • Published: 2008.10.31

Abstract

Recently, as network flooding attacks such as DoS/DDoS and Internet worms have posed devastating threats to network services, rapid detection and proper response mechanisms have become a major concern for secure and reliable network services. However, most current Intrusion Detection Systems (IDSs) focus on detailed analysis of packet data, which results in late detection and a high system burden in high-speed network environments. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. First, we use SNMP MIB statistical data gathered from SNMP agents instead of raw packet data from network links. Second, we use a machine learning approach based on a Support Vector Machine (SVM) for attack classification. Using MIB and SVM, we achieve fast detection with high accuracy, a minimal system burden, and extensibility for system deployment. The proposed mechanism has a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attack in detail. Using MIB data sets collected from real experiments involving a DDoS attack, we validate the feasibility of our approach. It is shown that network attacks are detected with high efficiency and classified with low false alarms.

Traffic flooding attacks, typified by DoS/DDoS, cause serious network outages by exhausting not only the target system but also network bandwidth, processor capacity and system resources, so rapid detection of traffic flooding attacks is a prerequisite for stable service provision and system operation. Traditional DoS/DDoS detection methods based on packet capture allow detailed analysis of an attack, but suffer from poor deployment scalability, the need for expensive high-performance analysis systems, and no guarantee of rapid detection. In this paper we design and implement a new system that, based on SNMP MIB object values collected at each MIB update instant, uses Support Vector Data Description (SVDD) to enable faster and more accurate intrusion detection, easy scalability, low-cost detection, and accurate classification by attack type. Experiments confirm a satisfactory intrusion detection rate, a safe False Negative Rate (FNR), and per-attack-type classification rates, validating the performance of the proposed system.
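As an added example (not code from the paper or its authors), the following Python script shows the shape of the pipeline the abstract describes: two successive SNMP MIB-II counter readings are turned into per-interval rates, with Counter32 wraparound handled (a failure mode the abstract does not discuss), and a hierarchical classifier first separates attack intervals from normal ones and then labels the attack type. The MIB object names and OIDs are the RFC 1213 ones from reference 14; the inline linear SVM, the three attack-type labels, the polling interval and the traffic profiles are assumptions made for this example, and the paper's own SVM configuration, feature set and experimental data sets are not reproduced here.

```python
"""Two-stage (hierarchical) SVM detector over SNMP MIB-II counters: stage 1
separates attack from normal polling intervals, stage 2 names the attack type.
The linear SVM is implemented inline so this runs offline; profiles are constructed."""
import math

COUNTER32_MOD = 2 ** 32
POLL_SECONDS = 5.0          # assumed polling interval between MIB snapshots

# RFC 1213 MIB-II Counter32 objects used as inputs (OIDs for reference).
MIB_OBJECTS = {
    "ipInReceives":    "1.3.6.1.2.1.4.3",
    "tcpInSegs":       "1.3.6.1.2.1.6.10",
    "tcpAttemptFails": "1.3.6.1.2.1.6.7",
    "udpInDatagrams":  "1.3.6.1.2.1.7.1",
    "udpNoPorts":      "1.3.6.1.2.1.7.2",
    "icmpInEchos":     "1.3.6.1.2.1.5.8",
}

def counter_delta(prev, cur, mod=COUNTER32_MOD):
    """Increase between two Counter32 readings, correct across a single wrap."""
    return (cur - prev) % mod

def rate_features(prev, cur, dt=POLL_SECONDS):
    """Per-second rate per object, log10-scaled so a 100x surge is a +2 step."""
    return [math.log10(1.0 + counter_delta(prev[n], cur[n]) / dt) for n in MIB_OBJECTS]

class LinearSVM:
    """Primal linear SVM (hinge loss + lam/2*|w|^2) trained by full-batch
    subgradient descent; labels are +1/-1, bias is an appended constant feature."""
    def __init__(self, lam=0.01, lr=0.05, epochs=1000):
        self.lam, self.lr, self.epochs, self.w = lam, lr, epochs, None

    def fit(self, X, y):
        Xb = [x + [1.0] for x in X]
        n, d = len(Xb), len(Xb[0])
        w = [0.0] * d
        for _ in range(self.epochs):
            grad = [self.lam * wi for wi in w]
            for x, yi in zip(Xb, y):
                if yi * sum(wi * xi for wi, xi in zip(w, x)) < 1.0:  # inside margin
                    for j in range(d):
                        grad[j] -= yi * x[j] / n
            w = [wi - self.lr * g for wi, g in zip(w, grad)]
        self.w = w
        return self

    def score(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x + [1.0]))

class HierarchicalDetector:
    """Stage 1: attack vs normal. Stage 2: one-vs-rest SVM per attack type."""
    def fit(self, X, labels):
        self.stage1 = LinearSVM().fit(X, [1 if l != "normal" else -1 for l in labels])
        Xa = [x for x, l in zip(X, labels) if l != "normal"]
        La = [l for l in labels if l != "normal"]
        self.stage2 = {t: LinearSVM().fit(Xa, [1 if l == t else -1 for l in La])
                       for t in sorted(set(La))}
        return self

    def classify(self, x):
        if self.stage1.score(x) < 0:
            return "normal"
        return max(self.stage2, key=lambda t: self.stage2[t].score(x))

# Constructed per-second rates in MIB_OBJECTS order (assumed, not measured data).
CLASS_PROFILES = {
    "normal":     (2000,  1500,     3,   400,     2,     5),
    "syn_flood":  (90000, 88000, 40000,  400,     2,     5),
    "udp_flood":  (90000, 1500,     3, 88000, 85000,     5),
    "icmp_flood": (90000, 1500,     3,   400,     2, 88000),
}

def make_interval(rates, scale=1.0, start=0):
    """Two snapshots POLL_SECONDS apart; `start` near 2**32 exercises wraparound."""
    prev = {n: (start + i * 1000) % COUNTER32_MOD for i, n in enumerate(MIB_OBJECTS)}
    cur = {n: (prev[n] + int(r * scale * POLL_SECONDS)) % COUNTER32_MOD
           for n, r in zip(MIB_OBJECTS, rates)}
    return prev, cur

def train_detector():
    X, y = [], []
    for label, rates in CLASS_PROFILES.items():
        for scale in (0.5, 0.8, 1.0, 1.3, 1.7):        # vary flood intensity
            X.append(rate_features(*make_interval(rates, scale)))
            y.append(label)
    return HierarchicalDetector().fit(X, y)

def classify_interval(detector, rates, scale=1.0, start=0):
    return detector.classify(rate_features(*make_interval(rates, scale, start)))

if __name__ == "__main__":
    det = train_detector()
    # UDP flood of unseen intensity whose counters wrap past 2**32 mid-interval.
    print(classify_interval(det, CLASS_PROFILES["udp_flood"], 2.0, 2 ** 32 - 2500))
    print(classify_interval(det, CLASS_PROFILES["normal"], 1.1))
```

In a real deployment `make_interval` is replaced by two SNMP polls of the listed OIDs spaced by the agent's MIB update interval; each stage then costs one dot product per polling interval, which is what keeps the per-node burden far below packet-level inspection. The modulo delta matters in practice: a busy interface advances ifInOctets past 2^32 in minutes, and a naive `cur - prev` would turn that wrap into a huge negative rate and a spurious classification.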

References

  1. M. Kim, H. Kang, S. Hong, S.-H. Chung, and J. W. Hong, “A flow-based method for abnormal network traffic detection”, Proc. of NOMS 2004, Seoul, Korea, Apr. 19-23, pp. 559-612, 2004. https://doi.org/10.1109/NOMS.2004.1317747
  2. E. Duarte Jr. and A. L. Santos, “Network fault management based on SNMP agent groups”, Proc. of ICDCSW 2001, pp. 51-56, 2001. https://doi.org/10.1109/CDCS.2001.918686
  3. J. Li and C. Manikopoulos, “Early statistical anomaly intrusion detection of DOS attacks using MIB traffic parameters”, IEEE Information Assurance Workshop, pp. 53-59, 2003. https://doi.org/10.1109/SMCSIA.2003.1232401
  4. L. P. Gaspary, R. N. Sanchez, D. W. Antunes, and E. Meneghetti, “A SNMP-based platform for distributed stateful intrusion detection in enterprise networks”, IEEE Journal on Selected Areas in Communications, Vol. 23, No. 10, pp. 1973-1982, 2005. https://doi.org/10.1109/JSAC.2005.854116
  5. J. B. D. Cabrera, L. Lewis, X. Qin, C. Gutierrez, W. Lee, and R. K. Mehra, “Proactive intrusion detection and SNMP-based security management: new experiments and validation”, IFIP/IEEE Eighth International Symposium on Integrated Network Management, pp. 93-96, 2003.
  6. S. Noel, D. Wijesekera, and C. Youman, “Modern intrusion detection, data mining, and degrees of attack guilt”, in Applications of Data Mining in Computer Security, Kluwer Academic Publishers, pp. 1-31, 2002.
  7. H. Lee, J. Song, and D. Park, “Intrusion detection system based on multi-class SVM”, RSFDGrC 2005, LNAI, Vol. 3642, pp. 511-519, 2005. https://doi.org/10.1007/11548706_54
  8. T. Ambwani, “Multi class support vector machine implementation to intrusion detection”, Proceedings of the International Joint Conference on Neural Networks, Vol. 3, pp. 2300-2305, 2003. https://doi.org/10.1109/IJCNN.2003.1223770
  9. R. Puttini, M. Hanashiro, F. Miziara, R. Sousa, L. García-Villalba, and C. Barenco, “On the anomaly intrusion-detection in mobile ad hoc network environments”, Proc. of PWC 2006, LNCS 4217, pp. 182-193, 2006. https://doi.org/10.1007/11872153_16
  10. K. Ramah, H. Ayari, and F. Kamoun, “Traffic anomaly detection and characterization in the Tunisian national university network”, Proc. of Networking 2006, LNCS 3979, pp. 136-147, 2006. https://doi.org/10.1007/11753810_12
  11. M. Shyu, S. Chen, K. Sarinnapakorn, and L. Chang, “A novel anomaly detection scheme based on principal component classifier”, Proc. of the IEEE Foundations and New Directions of Data Mining Workshop, pp. 172-179, Melbourne, Florida, USA, 2003.
  12. D. Yoo and C. Oh, “Traffic gathering and analysis algorithm for attack detection”, KoCon 2004 Spring Integrated Conference, Vol. 4, pp. 33-43, 2004.
  13. 박준상, 조현승, 김명섭, “Traffic flooding attack detection using correlations among SNMP MIB objects”, KICS Fall Conference, Seoul National University, Seoul, Nov. 17, pp. 13-16, 2007.
  14. IETF RFC 1213, “Management Information Base for Network Management of TCP/IP-Based Internets: MIB-II”, http://www.rfc-editor.org/rfc/rfc1213.txt
  15. “Distributed Denial of Service (DDoS) Attacks/tools”, http://staff.washington.edu/dittrich/misc/ddos/
  16. 이한성, 송지영, 김은영, 이철호, 박대희, “Intrusion detection system based on multi-class SVM”, Journal of the Korea Fuzzy Logic and Intelligent Systems Society, Vol. 15, No. 3, pp. 282-288, 2005. https://doi.org/10.5391/JKIIS.2005.15.3.282