
Detecting network cyber-attacks using an integrated statistical approach

Published in: Cluster Computing

Abstract

Anomaly detection in the Internet of Things (IoT) is imperative to improve its reliability and safety. Detecting denial of service (DOS) and distributed DOS (DDOS) attacks is one of the critical security challenges facing network technologies. This paper presents an anomaly detection mechanism using the Kullback–Leibler distance (KLD) to detect DOS and DDOS flooding attacks, including transmission control protocol (TCP) SYN flood, UDP flood, and ICMP-based attacks. This mechanism integrates the desirable property of KLD, its capacity to quantitatively discriminate between two distributions, with the sensitivity of an exponential smoothing scheme. The primary reason for exponentially smoothing the KLD measurements (ES-KLD) is to aggregate all of the information from past and current samples in the decision rule, making the detector sensitive to small anomalies. Furthermore, a nonparametric approach using kernel density estimation is used to set a threshold for the ES-KLD decision statistic and uncover the presence of attacks. Tests on three publicly available datasets show improved performance of the proposed mechanism in detecting cyber-attacks compared to other conventional monitoring procedures.
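The following is an added illustration, not code from the paper, of the pipeline the abstract describes: per-window packet-type distributions are compared with an attack-free reference via KLD, the KLD sequence is exponentially smoothed, and the alarm threshold is the upper quantile of a Gaussian kernel density estimate fitted to attack-free ES-KLD values. The smoothing factor, the [SYN, SYN-ACK, ACK, other] feature vector, the 1% quantile and all traffic counts are assumptions constructed for the example.

```python
import math

# Constructed sample data (not from the paper): per-window packet counts in the
# order [SYN, SYN-ACK, ACK, other]. NORMAL is attack-free training traffic.
NORMAL = [[100, 96, 298, 52], [104, 98, 305, 48], [97, 93, 290, 55], [102, 99, 310, 50],
          [99, 95, 301, 49], [105, 100, 312, 53], [98, 94, 295, 47], [101, 97, 303, 51],
          [103, 96, 299, 54], [100, 98, 306, 50]]
# Four normal windows followed by four SYN-flood windows (SYN count explodes).
STREAM = NORMAL[:4] + [[900, 100, 300, 50], [1500, 95, 290, 48],
                       [2000, 98, 305, 50], [1800, 97, 300, 52]]

def normalize(counts):
    total = sum(counts)
    return [c / total for c in counts]

def kld(p, q, eps=1e-12):
    """KL distance of the window distribution p from the reference q (eps avoids log(0))."""
    return sum(pi * math.log((pi + eps) / (qi + eps)) for pi, qi in zip(p, q))

def es_kld(windows, ref, lam=0.3):
    """Exponentially smoothed KLD: s_t = lam*KLD_t + (1-lam)*s_{t-1} (lam is assumed)."""
    stats, s = [], 0.0
    for w in windows:
        s = lam * kld(normalize(w), ref) + (1 - lam) * s
        stats.append(s)
    return stats

def kde_threshold(samples, alpha=0.01):
    """(1-alpha) quantile of a Gaussian KDE fitted to attack-free ES-KLD values,
    using Silverman's rule-of-thumb bandwidth and bisection on the KDE CDF."""
    n = len(samples)
    mean = sum(samples) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in samples) / (n - 1))
    h = max(1.06 * sd * n ** (-0.2), 1e-12)  # guard against zero variance
    def cdf(x):
        return sum(0.5 * (1 + math.erf((x - xi) / (h * math.sqrt(2)))) for xi in samples) / n
    lo, hi = min(samples) - 5 * h, max(samples) + 5 * h
    for _ in range(80):
        mid = (lo + hi) / 2
        if cdf(mid) < 1 - alpha:
            lo = mid
        else:
            hi = mid
    return hi

def detect(train, stream, lam=0.3, alpha=0.01):
    """Flag each stream window whose ES-KLD exceeds the KDE threshold learned on train."""
    ref = normalize([sum(col) for col in zip(*train)])  # attack-free reference distribution
    thr = kde_threshold(es_kld(train, ref, lam), alpha)
    return [s > thr for s in es_kld(stream, ref, lam)]

if __name__ == "__main__":
    print(detect(NORMAL, STREAM))  # [False, False, False, False, True, True, True, True]
```

Because the statistic keeps a decaying memory of past windows, the alarm persists over the flood rather than flickering window by window.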



Acknowledgements

The work presented in this publication was supported by the King Abdullah University of Science and Technology (KAUST) Office of Sponsored Research (OSR) under Award No. OSR-2019-CRG7-3800.


Correspondence to Fouzi Harrou.


Cite this article

Bouyeddou, B., Harrou, F., Kadri, B. et al. Detecting network cyber-attacks using an integrated statistical approach. Cluster Comput 24, 1435–1453 (2021). https://doi.org/10.1007/s10586-020-03203-1
