Traffic flooding attack detection with SNMP MIB using SVM
- Authors
- Yu, Jaehak; Lee, Hansung; Kim, Myung-Sup; Park, Daihee
- Issue Date
- 20-Nov-2008
- Publisher
- ELSEVIER
- Keywords
- Intrusion detection; SNMP; MIB; DoS/DDoS; Support vector machine
- Citation
- COMPUTER COMMUNICATIONS, v.31, no.17, pp 4212 - 4219
- Pages
- 8
- Indexed
- SCIE
SCOPUS
- Journal Title
- COMPUTER COMMUNICATIONS
- Volume
- 31
- Number
- 17
- Start Page
- 4212
- End Page
- 4219
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/122391
- DOI
- 10.1016/j.comcom.2008.09.018
- ISSN
- 0140-3664
1873-703X
- Abstract
- Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems (IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network traffic. Little or no integration exists between IDS and SNMP-based network management, in spite of the extensive monitoring and statistical information provided by SNMP agents implemented on network devices and systems. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Secondly, we use a machine learning approach based on a Support Vector Machine (SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy. the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB datasets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms. (C) 2008 Elsevier B.V. All rights reserved.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - Graduate School > Department of Computer and Information Science > 1. Journal Articles
- College of Science and Technology > Department of Computer Convergence Software > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.