
2014 International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT)

Presenting a Pattern for Detection of Denial of Service Attacks with Web Mining Technique and Fuzzy Logic Approach

Hamed Jelodar
Department of Computer Engineering, Science and Research, Islamic Azad University, Bushehr, Iran
JelodarH@gmail.com

Javad Aramideh
Department of Computer Engineering, Islamic Azad University, Sari, Iran
Aramideh.Javad@gmail.com

Abstract— Attackers flood the server of a website collectively; in other words, denial of service (DOS) attacks are sent by attackers to the server. Identifying DOS attacks requires an accurate approach. Such attacks can be detected by analyzing the log file of the server. In this paper we present a model that combines a web mining technique with a fuzzy logic approach to estimate the probability of a DOS attack from two effective factors, the number of hits and the time interval between requests, so that appropriate preventive measures can be taken under different conditions.

Keywords— Web mining; Fuzzy logic; Internet hackers; DOS attacks

I. INTRODUCTION
The growing number of attacks by internet hackers on servers has led researchers to look for approaches to detect and neutralize them. One of the major types of attack is the DOS attack, and given the significance of the subject we study and present a strategy for detecting it here. In a DOS attack the attacker tries to suspend the services of a server and prevent it from serving legitimate requests. Such attacks are performed with different methods, such as SYN Flood, UDP Flood and HTTP Flood. In this paper we study DOS attacks by analyzing the server log file with web mining techniques, extract the behavioral pattern of the attacker from the log, and finally implement the identified behavioral pattern with fuzzy logic. Section II reviews previous work on DOS attacks. Section III reviews DOS attacks and the use of web mining techniques for detecting them, Section IV defines the fuzzy system, Section V explains the proposed method along with the performed simulation, and Section VI concludes.

II. RELATED WORK
Denial of Service (DOS) attacks are a serious threat to servers in networks; large, well-known websites have been attacked. For this reason researchers have tried to solve this important problem, and we review some of their work. Zhong et al. detected DOS attacks by analyzing unnatural traffic with a data mining technique [1]. Lin et al. suggested a method based on a priority queue to mitigate DDOS attacks and simulated the proposed method in NS-2 [2]. Shiaeles et al. suggested a method based on a fuzzy estimator for detecting DDOS attacks and identifying the malicious IPs [3].

III. REVIEW OF DENIAL OF SERVICE ATTACKS
A. Denial of Service (DOS)
In a Denial of Service (DOS) attack the attacker tries to suspend the services of a server: it continually sends a series of requests, the server is not able to respond to all of them, and the server runs short of bandwidth and other resources. The requests can be sent over HTTP, UDP or ICMP. If the attack is performed in a coordinated way from several points toward one server, it is called a Distributed Denial of Service (DDOS) attack. The method usually used for detecting these attacks is tracking the IPs of the users who accessed the server; by studying suspicious IPs we may be able to identify the attackers. Systems have been designed for detecting these attacks, one of the well-known ones being Snort. Fig. 1 shows the scheme of a DDOS attack [4][5][6]: several clients collectively and continually send URL requests to the server, and attack detection systems are designed to detect this.

Fig. 1. Scheme of DDOS attacks

978-1-4799-4190-2/14/$31.00 ©2014 IEEE 156



B. Some known methods for DOS attack
DOS attacks are executed against a server and cause it to run short of bandwidth; the resulting high traffic finally makes the server unable to serve. Examples include SYN Flood, UDP Flood and HTTP Flood.
1) SYN Flood method
This is one of the strongest DOS attack styles. The client first sends a TCP SYN packet to the server, the server answers with a SYN/ACK packet, and the client then continually sends many more TCP SYN packets without completing the handshake. In this case the server is not able to respond to all the sent packets [7][8].
2) UDP Flood method
A UDP flood is a DOS attack that selects ports at random and sends many UDP packets to the server [9].
3) HTTP Flood method
In this method the attacker disrupts the services of the server by sending a very large number of HTTP requests to it [10].

C. Web mining and detection of attacks
Web mining means data mining on the web. It has several types, including web usage mining, web content mining and web structure mining. Since we want to detect the behavior of the users who access the server in order to find DOS attacks, we use web usage mining. This type of web mining has three steps: data preparation, pattern detection and pattern analysis.
1) Data preparation
The data source to be analyzed is the log file of the server, on which three steps are performed: data cleaning, user identification and session identification. In data cleaning, unnecessary and redundant records are filtered out and deleted. After removing the redundant items, unique users are identified and the data are entered into a database for analysis.
2) Pattern detection
In this step the desired patterns are detected in the data source with data mining techniques and algorithms. We analyze the data source with classification techniques, using the J48 algorithm; Fig. 2 shows the output obtained with the Weka software.

Fig. 2. Obtained output with J48 algorithm

3) Pattern analysis
Pattern analysis is the last stage of data mining. In this step the correct pattern has to be found among the detected patterns.

IV. FUZZY SYSTEM
Fuzzy systems can make decisions and control a system using the knowledge of an expert. They are most useful in complex environments where a clear model of the system is not attainable; in these cases the system is treated as a black box, and conclusions and decisions are made from sample inputs and their results. This is the main reason for using a fuzzy system here. As Fig. 3 shows, the observed symptoms are fed to the fuzzy system, which determines how close they are to a DOS attack and presents that probability as its output.

Fig. 3. Function of Fuzzy System

To model the concepts involved we use rules of the form of equation (1) [11], where rule $l$ has antecedent fuzzy sets $A_1^l, \dots, A_m^l$ over the inputs $x_1, \dots, x_m$ and consequent fuzzy set $B^l$ over the output $y$:

$$\text{if } x_1 \text{ is } A_1^l, \dots, x_m \text{ is } A_m^l \text{ then } y \text{ is } B^l \qquad (1)$$

V. PROPOSED METHOD
We studied the behavior of the users with the web mining technique and identified the behavior of suspicious IPs by tracking them. We now describe the analysis of the data source in detail. We analyze a software download website that has been attacked by DOS and detect the attacker by investigating suspicious IPs. The server log file analyzed in the test has a volume of 21 megabytes. Table 1 shows some of the IPs that accessed the server; the table has two important columns, the users who accessed the server (Host) and their number of hits. The IP 151.232.196.** has an excessive number of hits compared with the other IPs, which shows an abnormal state, and we consider it a suspicious IP.

TABLE I. THE USERS WHO HAVE ACCESS TO SERVER
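The data cleaning, user identification and per-host profiling described above, as an added Python example that is not part of the paper (the authors used Weka and Matlab). The log lines are constructed in Apache combined format and are not taken from the paper's 21 MB log; 192.0.2.10 stands in for the masked suspicious host 151.232.196.** and 198.51.100.5 for the ordinary host 66.249.81.**. The example stops at the per-host features that Tables I to III report (hits, distinct pages, gap between consecutive requests); the thresholds in suspicious_hosts are assumptions used only for a crisp first screening, which the paper's J48 classification and fuzzy system replace:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not the paper's 21 MB log).
# 192.0.2.10 stands in for the masked suspicious host 151.232.196.**,
# 198.51.100.5 for the ordinary host 66.249.81.**; one static asset and one
# malformed line are included so that data cleaning has something to drop.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2014:10:00:00 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [10/Mar/2014:10:00:00 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.5 - - [10/Mar/2014:10:00:05 +0330] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:10:00:01 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [10/Mar/2014:10:00:01 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.5 - - [10/Mar/2014:10:00:05 +0330] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:10:00:01 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
this line is not a log record
198.51.100.5 - - [10/Mar/2014:10:02:40 +0330] "GET /downloads/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2014:10:00:02 +0330] "GET / HTTP/1.1" 200 512 "-" "-"
198.51.100.5 - - [10/Mar/2014:10:05:12 +0330] "GET /downloads/tool.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Embedded objects that a page view pulls in automatically; dropped in cleaning.
STATIC_SUFFIXES = (".css", ".js", ".gif", ".jpg", ".png", ".ico")


def parse_log(text):
    """Data cleaning: keep well-formed page requests, drop static assets and noise."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated record
        path = m.group("path").split("?", 1)[0]
        if path.lower().endswith(STATIC_SUFFIXES):
            continue
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        records.append((m.group("host"), ts, path))
    return records


def profile_hosts(records):
    """User identification and per-host features: hits, distinct pages and
    the intervals between consecutive requests (the columns of Tables I-III)."""
    by_host = defaultdict(list)
    for host, ts, path in records:
        by_host[host].append((ts, path))
    profiles = {}
    for host, visits in by_host.items():
        visits.sort()
        times = [ts for ts, _ in visits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        profiles[host] = {
            "hits": len(visits),
            "pages": len({p for _, p in visits}),
            "mean_interval": sum(gaps) / len(gaps) if gaps else None,
            "min_interval": min(gaps) if gaps else None,
        }
    return profiles


def suspicious_hosts(profiles, min_hits=5, max_mean_interval=2.0):
    """Crisp screening of the pattern of Table II: many hits at short gaps.
    The thresholds are assumptions for this sample, not values from the paper."""
    return sorted(
        host for host, p in profiles.items()
        if p["hits"] >= min_hits
        and p["mean_interval"] is not None
        and p["mean_interval"] <= max_mean_interval
    )


if __name__ == "__main__":
    prof = profile_hosts(parse_log(SAMPLE_LOG))
    for host, p in sorted(prof.items(), key=lambda kv: -kv[1]["hits"]):
        print(host, p)
    print("suspicious:", suspicious_hosts(prof))
```

On the constructed sample the suspicious stand-in host has 6 hits of a single page with a mean gap of 0.4 s, while the ordinary host has 3 hits of 3 different pages more than two minutes apart, which is the contrast Tables II and III show. Counting per source address only reveals sources that individually stand out; a distributed flood in which each address sends a few requests, which is how Section III.A defines DDOS, does not exceed a per-host threshold and needs aggregate traffic features as well.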


Considering Table 1, we compare the highly suspicious IP 151.232.196.** with one of the other IPs. Table 2 shows how many times the suspicious IP visited the server: this IP sent 47153 requests, the requests were sent at very short intervals (column "Date"), and according to the column "Page/File" this IP did not view any page, so the DOS attack that occurred may be related to it. Table 3 shows the IP 66.249.81.**, which accessed different pages of the server. Comparing Tables 2 and 3, the DOS attacker has distinctive behaviors: an abundance of hits and repeated accesses at short time intervals. Having identified the behavioral pattern of the attacker, we implement it with fuzzy logic in the next section.

TABLE II. VISITS OF A SUSPICIOUS USER AT SHORT TIME INTERVALS

TABLE III. VISITS OF AN ORDINARY USER

A. Construction of Fuzzy System
This section describes how the fuzzy system is built.
1) Input-output parameters of the fuzzy system
As mentioned before, two factors, the number of hits and the time interval between requests, are used as the input parameters for detecting DOS attacks, and we studied the effect of these two factors on the probability of a DOS attack. Other factors also affect detection, such as the number of pages viewed by an IP, so these two inputs cannot determine a DOS attack with certainty; the aim is rather to take the specific and correct behavioral patterns identified by web mining and implement them for DOS detection in a fuzzy system. The fuzzy system therefore has one output, the probability of a DOS attack, computed for the different input states. The FIS tools of Matlab were used to build the system and test its efficiency; its general form is shown in Fig. 4.

Fig. 4. General model of fuzzy expert system

The system has two input fields, the factors affecting the evaluation of DOS attacks, each partitioned into three clusters with the linguistic labels low, normal and high, and one output field, the probability of a DOS attack, partitioned into five classes with the linguistic labels very low, low, normal, high and very high. One input membership function and the output membership function are shown in Figs. 5 and 6.

Fig. 5. Membership function relating to input of the number of Hits

Fig. 6. Membership function relating to output

2) Construction of the rule base
A simple method for producing fuzzy rules is to partition the values of each input characteristic with a specified number of fuzzy membership functions (for example triangular membership functions), assigning a linguistic label to each cluster. Given this partition of the input space, one way to produce the fuzzy rules is to consider all possible combinations of the antecedents (input characteristics). Suitable fuzzy rules have
been written in this way, considering the behavioral patterns identified in the previous step.
3) Fuzzy If-Then Rules
Using the facts above we write the following if-then rules (the label medium corresponds to the cluster called normal above):
1. If (N_Hits is high) and (time_Distance is high) then (DOS_Attack_Probability is very_low)
2. If (N_Hits is high) and (time_Distance is low) then (DOS_Attack_Probability is very_high)
3. If (N_Hits is high) and (time_Distance is medium) then (DOS_Attack_Probability is low)
4. If (N_Hits is medium) and (time_Distance is low) then (DOS_Attack_Probability is high)
5. If (N_Hits is medium) and (time_Distance is high) then (DOS_Attack_Probability is low)
6. If (N_Hits is low) and (time_Distance is high) then (DOS_Attack_Probability is very_low)
7. If (N_Hits is low) and (time_Distance is medium) then (DOS_Attack_Probability is low)
8. If (N_Hits is low) and (time_Distance is low) then (DOS_Attack_Probability is very_low)
9. If (N_Hits is medium) and (time_Distance is medium) then (DOS_Attack_Probability is normal)

4) Building the fuzzy system
In this study we use a product inference engine, a singleton fuzzifier and a center average defuzzifier to build the fuzzy system. The inference engine uses Mamdani product implication and individual-rule based inference, with the algebraic product as the t-norm and max as the s-norm. The product inference engine can then be written as equation (2) [12], where $A'$ is the fuzzified input, $A_i^l$ and $B^l$ are the antecedent and consequent sets of rule $l$ ($l = 1, \dots, M$), $k$ is the number of inputs and $B'$ is the output fuzzy set:

$$\mu_{B'}(y) = \max_{l=1}^{M}\left[\sup_{x \in U}\left(\mu_{A'}(x)\prod_{i=1}^{k}\mu_{A_i^l}(x_i)\,\mu_{B^l}(y)\right)\right] \qquad (2)$$

With the singleton fuzzifier, $\mu_{A'}(x)$ is 1 at the measured input and 0 elsewhere, so the supremum reduces to evaluating the rule antecedents at the measured values; this is why the singleton fuzzifier is widely used, as it simplifies the computation of the inference engine. The center average defuzzifier is the most popular defuzzifier in fuzzy systems and fuzzy control systems owing to its simplicity, plausibility and continuity: the crisp output is the average of the centers of the consequent sets, weighted by the firing strength of each rule. The quantity printed as equation (3) [12] is the support of the rule "$A_j$ implies Class $h$", the average membership in $A_j$ of the training patterns $x_p$ of class $h$, with $m$ the total number of patterns; it is used to weight the rules:

$$s(A_j \Rightarrow \mathrm{Class}\,h) = \frac{1}{m}\sum_{x_p \in \mathrm{Class}\,h} \mu_{A_j}(x_p) \qquad (3)$$

B. Simulation and Results
In Section III.C we analyzed the dataset with web mining techniques; in this section we show the results of the implemented fuzzy system. The fuzzy system was simulated in Matlab, which is a suitable environment for such systems. Two of the performed tests, with different inputs, are shown in Figs. 7 and 8. As Fig. 7 shows, with 152 hits and a time distance of 35 the suspicion rate is low, and as Fig. 8 shows, with 780 hits and a time distance of 10, that is, a high number of hits at short intervals, the suspicion rate is high. Fig. 9 shows the effect of the two input factors on the output as a two-dimensional surface obtained from the simulated model.

Fig. 7. N_Hit = 152, Time Distance = 35

Fig. 8. N_Hit = 780, Time Distance = 10

Fig. 9. Two-dimensional effect of the two inputs on the output
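The fuzzy system of the construction and simulation sections above (nine rules, product inference, singleton fuzzifier, center average defuzzifier), as an added Python example that is not the paper's Matlab FIS model. The universes (N_Hits in [0, 1000], time_Distance in [0, 60]) and the triangular membership parameters are assumptions, since Figs. 5 and 6 are not reproduced here, and the output classes are represented by their centers on an assumed [0, 1] scale. The inputs of Figs. 7 and 8 are evaluated at the end:

```python
# Added example (not the paper's Matlab FIS): product inference engine,
# singleton fuzzifier and center average defuzzifier over the paper's rules.
# Universes and membership parameters below are assumptions.

def tri(x, a, b, c):
    """Triangular membership function with support [a, c] and peak 1 at b."""
    if x < a or x > c:
        return 0.0
    if x <= b:
        return 1.0 if b == a else (x - a) / (b - a)
    return 1.0 if c == b else (c - x) / (c - b)


# Assumed universes: N_Hits in [0, 1000] requests, time_Distance in [0, 60].
# Each input is partitioned into the three clusters of Fig. 5 (low/normal/high);
# the rules call the middle cluster "medium", which is the name used here.
HITS_MF = {"low": (0, 0, 400), "medium": (200, 500, 800), "high": (600, 1000, 1000)}
TIME_MF = {"low": (0, 0, 25), "medium": (10, 30, 50), "high": (35, 60, 60)}
HITS_RANGE, TIME_RANGE = (0, 1000), (0, 60)

# Centers of the five output classes of Fig. 6 on an assumed [0, 1] scale.
OUT_CENTER = {"very_low": 0.0, "low": 0.25, "normal": 0.5, "high": 0.75, "very_high": 1.0}

# The paper's nine if-then rules: (N_Hits, time_Distance) -> DOS_Attack_Probability.
RULES = [
    ("high", "high", "very_low"),
    ("high", "low", "very_high"),
    ("high", "medium", "low"),
    ("medium", "low", "high"),
    ("medium", "high", "low"),
    ("low", "high", "very_low"),
    ("low", "medium", "low"),
    ("low", "low", "very_low"),
    ("medium", "medium", "normal"),
]


def clip(x, rng):
    """Keep a crisp input inside its universe of discourse."""
    lo, hi = rng
    return min(max(x, lo), hi)


def firing_strengths(n_hits, time_distance):
    """Singleton fuzzifier + product inference: each rule fires with the product
    of its two antecedent memberships evaluated at the measured inputs."""
    h = clip(n_hits, HITS_RANGE)
    t = clip(time_distance, TIME_RANGE)
    return [(tri(h, *HITS_MF[a]) * tri(t, *TIME_MF[b]), OUT_CENTER[c]) for a, b, c in RULES]


def dos_probability(n_hits, time_distance):
    """Center average defuzzifier: firing-strength-weighted mean of the output centers.
    Returns None if no rule fires, which the overlapping partitions above rule out."""
    strengths = firing_strengths(n_hits, time_distance)
    total = sum(w for w, _ in strengths)
    if total == 0.0:
        return None
    return sum(w * c for w, c in strengths) / total


def linguistic(p):
    """Nearest output class label for a crisp probability."""
    return min(OUT_CENTER, key=lambda label: abs(OUT_CENTER[label] - p))


if __name__ == "__main__":
    for hits, gap in [(152, 35), (780, 10)]:  # the inputs of Figs. 7 and 8
        p = dos_probability(hits, gap)
        print(f"N_Hits={hits} time_Distance={gap} -> {p:.3f} ({linguistic(p)})")
```

With the assumed membership functions, (152, 35) fires only rule 7 and defuzzifies to 0.25 (low), while (780, 10) fires rules 2 and 4 and defuzzifies to about 0.97 (very high), the same ordering the paper reports for Figs. 7 and 8. The three sets of each input overlap so that every in-range point has non-zero membership in at least one of them, which keeps the total firing strength away from zero; the None return guards a partition that leaves a gap.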


VI. CONCLUSION
This study addressed the detection of DOS attacks with a web mining technique and fuzzy logic. Detecting DOS attacks is important for keeping a server secure. In this paper we extracted the requests sent to the server from its log, identified the behavior of the suspicious user, and then detected the attacker with a fuzzy technique.

REFERENCES
[1] R. Zhong and G. Yue, "DDOS detection system based on data mining," in Proc. 2nd Int. Symp. on Networking and Network Security, Jinggangshan, China, Apr. 2010, pp. 62-65.
[2] C.-H. Lin, J.-C. Liu, H.-C. Huang, and T.-C. Yang, "Using adaptive bandwidth allocation approach to defend DDOS attacks," in Proc. Int. Conf. on Multimedia and Ubiquitous Engineering (MUE 2008), IEEE, 2008, pp. 176-181.
[3] S. N. Shiaeles, V. Katos, A. S. Karakos, and B. K. Papadopoulos, "Real time DDOS detection using fuzzy estimators," Computers & Security, vol. 31, no. 6, pp. 782-790, 2012.
[4] J. Mirkovic and P. Reiher, "A taxonomy of DDOS attack and DDOS defense mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, no. 2, pp. 39-53, 2004.
[5] J. Sen, "A robust mechanism for defending distributed denial of service attacks on web servers," arXiv preprint arXiv:1103.3333, 2011.
[6] D. Gavrilis, I. S. Chatzis, and E. Dermatas, "Detection of web denial-of-service attacks using decoy hyperlinks," in Proc. 5th Int. Symp. on Communication Systems, Networks and Digital Signal Processing (CSNDSP), Patras, 2006.
[7] S. Tripathi, B. Gupta, A. Almomani, A. Mishra, and S. Veluru, "Hadoop based defense solution to handle distributed denial of service (DDOS) attacks," Journal of Information Security, vol. 4, no. 3, 2013.
[8] E. Alomari et al., "Botnet-based distributed denial of service (DDOS) attacks on web servers: classification and art," arXiv preprint arXiv:1208.0403, 2012.
[9] H. A. Nguyen, T. V. Nguyen, D. I. Kim, and D. Choi, "Network traffic anomalies detection and identification with flow monitoring," in Proc. 5th IFIP Int. Conf. on Wireless and Optical Communications Networks (WOCN'08), IEEE, 2008, pp. 1-5.
[10] J. Choi, C. Choi, B. Ko, D. Choi, and P. Kim, "Detecting web based DDOS attack using MapReduce operations in cloud computing environment," Journal of Internet Services and Information Security (JISIS), vol. 3, no. 3/4, pp. 28-37, 2013.
[11] L. A. Zadeh, "Fuzzy logic, neural networks and soft computing," Communications of the ACM, vol. 37, no. 3, pp. 77-84, 1994.
