Abstract
Anomaly detection in the Internet of Things (IoT) is imperative to improve its reliability and safety. Detecting denial of service (DOS) and distributed DOS (DDOS) is one of the critical security challenges facing network technologies. This paper presents an anomaly detection mechanism using the Kullback–Leibler distance (KLD) to detect DOS and DDOS flooding attacks, including transmission control protocol (TCP) SYN flood, UDP flood, and ICMP-based attacks. This mechanism integrates the desirable properties of KLD, the capacity to quantitatively discriminate between two distributions, with the sensitivity of an exponential smoothing scheme. The primary reason for exponentially smoothing KLD measurements (ES-KLD) is to aggregate all of the information from past and actual samples in the decision rule, making the detector sensitive to small anomalies. Furthermore, a nonparametric approach using kernel density estimation has been used to set a threshold for the ES-KLD decision statistic to uncover the presence of attacks. Tests on three publicly available datasets show improved performances of the proposed mechanism in detecting cyber-attacks compared to other conventional monitoring procedures.
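The pipeline the abstract describes (KLD between a sliding-window traffic distribution and an attack-free reference, exponential smoothing of the KLD series, and a KDE-based threshold on the smoothed statistic), as an added illustrative example that is not the authors' code: the per-second SYN counts, the count bins, the smoothing constant and the 1% false-alarm level are all constructed assumptions, and Silverman's rule is assumed for the KDE bandwidth.

```python
import math
import random

def histogram(samples, edges, eps=0.5):
    """Empirical pmf over right-open bins [edges[i], edges[i+1]); eps adds
    a small mass to every bin so the KLD stays finite when a bin is empty."""
    counts = [0.0] * (len(edges) - 1)
    for x in samples:
        i = next((i for i in range(len(counts)) if edges[i] <= x < edges[i + 1]), len(counts) - 1)
        counts[i] += 1
    total = sum(counts) + eps * len(counts)
    return [(c + eps) / total for c in counts]

def kld(p, q):
    """Kullback-Leibler distance D(p || q) in nats between two pmfs."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def es_kld(klds, lam=0.3):
    """Exponential smoothing: s_t = lam*k_t + (1-lam)*s_{t-1}, with s_0 = 0."""
    s, out = 0.0, []
    for k in klds:
        s = lam * k + (1 - lam) * s
        out.append(s)
    return out

def kde_threshold(values, alpha=0.01):
    """(1-alpha) quantile of a Gaussian KDE (Silverman bandwidth, assumed)
    fitted to attack-free ES-KLD values, found by bisection on the KDE CDF."""
    n = len(values)
    mean = sum(values) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))
    h = max(1.06 * sd * n ** -0.2, 1e-9)
    cdf = lambda x: sum(0.5 * (1 + math.erf((x - v) / (h * math.sqrt(2)))) for v in values) / n
    lo, hi = min(values) - 5 * h, max(values) + 5 * h
    for _ in range(60):                       # cdf is monotone, so bisect
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if cdf(mid) < 1 - alpha else (lo, mid)
    return hi

EDGES = (0, 5, 10, 20, 40, 80, float("inf"))  # constructed bins: SYN packets/s
WINDOW, TRAIN = 20, 300                        # window length, attack-free seconds

def detect(counts, train=TRAIN, window=WINDOW, lam=0.3, alpha=0.01):
    """Compare each window's pmf with the attack-free reference pmf, smooth the
    KLD series, and flag windows whose ES-KLD exceeds the KDE threshold.
    Returns (es_kld_series, threshold, alarm_window_indices)."""
    ref = histogram(counts[:train], EDGES)
    stat = es_kld([kld(histogram(counts[t:t + window], EDGES), ref)
                   for t in range(len(counts) - window + 1)], lam)
    thr = kde_threshold(stat[:train - window + 1], alpha)   # fit on clean windows only
    return stat, thr, [t for t, s in enumerate(stat) if s > thr]

# Constructed data: 300 s of normal SYN rates followed by a 60 s TCP SYN flood.
random.seed(7)
SYN_PER_SEC = [random.randint(2, 12) for _ in range(300)] + [random.randint(60, 90) for _ in range(60)]
```

Running `detect(SYN_PER_SEC)` gives a threshold well below the ES-KLD of any window that overlaps the flood, so alarms begin within a few seconds of the onset at second 300, while the training windows used to fit the threshold stay almost entirely below it.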
Acknowledgements
The work presented in this publication was supported by the King Abdullah University of Science and Technology (KAUST) Office of Sponsored Research (OSR) under Award No. OSR-2019-CRG7-3800.
Cite this article
Bouyeddou, B., Harrou, F., Kadri, B. et al. Detecting network cyber-attacks using an integrated statistical approach. Cluster Comput 24, 1435–1453 (2021). https://doi.org/10.1007/s10586-020-03203-1