Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

  • Walter Cerroni
  • Gabriele Monti
  • Gianluca Moro
  • Marco Ramilli
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 22)


Network intrusion detection is a key security issue that can be tackled by means of different approaches. This paper describes a novel methodology for network attack detection based on the use of data mining techniques to process traffic information collected by a monitoring station from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, which adopts unsupervised clustering techniques, makes it possible to effectively distinguish normal traffic behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected through any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented, which reproduces the case of a real web server under several attack techniques. Results of the experiments show the effectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).


Keywords: network security, distributed intrusion detection, SNMP, data mining, data clustering, peer-to-peer





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2009

Authors and Affiliations

  • Walter Cerroni (1)
  • Gabriele Monti (1)
  • Gianluca Moro (1)
  • Marco Ramilli (1)

  1. DEIS, University of Bologna, Cesena (FC), Italy
