|Article title||LOW-RATE DDOS ATTACK DETECTION USING HYBRID NEURAL NETWORK|
|Authors||E.S. Abramov, Y.V. Tarasov, E.P. Tumoyan|
|Section||SECTION I. INFORMATION TECHNOLOGY AND PROTECTION OF INFORMATION|
|Month, Year||09, 2016|
|Abstract||This article presents a method for detecting low-rate DDoS attacks on HTTP services. The low-rate attack is modelled as a chronological series of events in which attack traffic is additively superimposed on normal traffic. This representation allows the mathematical apparatus of signal processing, including pattern recognition methods, to be applied. The task of building a detection method for low-rate attacks is formulated as the separation of the time series into homogeneous groups (patterns) using pattern recognition models, followed by the construction of a prediction model for each separate group. Given the context of the problem (the requirements for high classification accuracy, fast model construction and fast classification), the most promising direction is the use of combined neural network models that perform clustering at the first stage and then forecast the time series within the selected cluster. To detect an attack, the periodic appearance of the same type of packet set in the incoming traffic must be identified, and the membership of that set in a particular class (normal or anomalous) must then be determined. The sequence of the packets is not important; timing information is taken into account when the incoming traffic is divided into windows. The method consists of the following steps: 1) a separate hybrid ANN is built for each protected service; 2) for each service a set of packets is received, the number of which is determined by the window size (a value set experimentally); 3) a vector is formed for dimension reduction (by a self-organizing map); 4) the dimension of the input data is reduced by clustering with the SOM; 5) a vector is formed for the MLP in which each component corresponds to the number of the cluster to which the corresponding packet belongs.
The input vector is thus a set of clustered packets and preserves information about the order (sequence) of their receipt; the type of every packet has already been identified at this point; 6) the vectors are analysed by the MLP, which classifies each identified set of traffic into one of two classes: attack or normal.|
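The six-step pipeline from the abstract, as an added worked example (this is not the paper's code): per-packet feature vectors are clustered by a small 1-D Kohonen map, each window of WINDOW packets becomes a vector holding the cluster number of every packet in order of receipt (one-hot encoded here, my choice, so the MLP does not read cluster ids as magnitudes), and a one-hidden-layer MLP trained by backpropagation labels the window as attack or normal. The packet features, window size, map size, hidden-layer size and the synthetic traffic are all constructed assumptions; attack windows are built as the paper's additive superposition, normal packets plus a slow, periodic trickle of small incomplete requests.

```python
"""Hybrid SOM + MLP window classifier for low-rate DoS detection (added example, not the paper's code)."""
import math
import random

WINDOW = 16      # packets per window; the paper sets this experimentally, 16 is an assumption
SOM_NODES = 6    # neurons in the 1-D self-organising map (assumption)
HIDDEN = 8       # MLP hidden units (assumption)
N_FEAT = 3       # per-packet features used below (assumption)

def make_packet(rng, attack):
    """Constructed features: [length_bytes, inter_arrival_ms, request_complete].
    Attack packets mimic a slow, periodic trickle of small, incomplete HTTP requests."""
    if attack:
        return [rng.gauss(60, 5), rng.gauss(500, 20), 0.0]
    return [abs(rng.gauss(400, 150)), abs(rng.gauss(80, 60)), 1.0]

def make_window(rng, attack):
    """Additive superposition: an attack window is normal traffic plus attack packets."""
    pkts = [make_packet(rng, attack and i % 2 == 0) for i in range(WINDOW)]
    rng.shuffle(pkts)  # arrival order is kept in the vector but is not what separates the classes
    return pkts

def fit_scaler(packets):
    """Min-max scaling fitted on training packets so no feature dominates the SOM distance."""
    lo = [min(p[i] for p in packets) for i in range(N_FEAT)]
    hi = [max(p[i] for p in packets) for i in range(N_FEAT)]
    return lambda p: [(p[i] - lo[i]) / ((hi[i] - lo[i]) or 1.0) for i in range(N_FEAT)]

def best_match(som, x):
    """Index of the best-matching unit (smallest squared Euclidean distance)."""
    return min(range(len(som)), key=lambda j: sum((som[j][i] - x[i]) ** 2 for i in range(N_FEAT)))

def train_som(rng, vectors, nodes=SOM_NODES, epochs=3):
    """1-D Kohonen map: the winner and its Gaussian neighbourhood move towards each input;
    learning rate and neighbourhood radius decay linearly over training."""
    som = [[rng.random() for _ in range(N_FEAT)] for _ in range(nodes)]
    total, step = epochs * len(vectors), 0
    for _ in range(epochs):
        for x in rng.sample(vectors, len(vectors)):
            t = step / total
            step += 1
            lr, radius = 0.5 * (1 - t) + 0.01, (nodes / 2) * (1 - t) + 0.3
            bmu = best_match(som, x)
            for j, wj in enumerate(som):
                h = math.exp(-((j - bmu) ** 2) / (2 * radius ** 2))
                for i in range(N_FEAT):
                    wj[i] += lr * h * (x[i] - wj[i])
    return som

def window_vector(som, scale, pkts):
    """Step 5: one component per packet holding its cluster number, one-hot encoded here
    (len(pkts) x SOM_NODES inputs) so the MLP does not treat cluster ids as magnitudes."""
    v = [0.0] * (len(pkts) * len(som))
    for pos, p in enumerate(pkts):
        v[pos * len(som) + best_match(som, scale(p))] = 1.0
    return v

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def train_mlp(rng, xs, ys, hidden=HIDDEN, epochs=40, lr=0.3):
    """One-hidden-layer perceptron, sigmoid units, SGD on binary cross-entropy."""
    n = len(xs[0])
    W = [[rng.uniform(-0.3, 0.3) for _ in range(n)] for _ in range(hidden)]
    b, v, c = [0.0] * hidden, [rng.uniform(-0.3, 0.3) for _ in range(hidden)], 0.0
    for _ in range(epochs):
        for k in rng.sample(range(len(xs)), len(xs)):
            x, y = xs[k], ys[k]
            h = [sigmoid(sum(W[j][i] * x[i] for i in range(n)) + b[j]) for j in range(hidden)]
            o = sigmoid(sum(v[j] * h[j] for j in range(hidden)) + c)
            d_o = o - y                                      # dLoss/dz_out for sigmoid + BCE
            d_h = [d_o * v[j] * h[j] * (1.0 - h[j]) for j in range(hidden)]
            for j in range(hidden):
                v[j] -= lr * d_o * h[j]
                b[j] -= lr * d_h[j]
                for i in range(n):
                    if x[i]:                                 # one-hot input: skip the zeros
                        W[j][i] -= lr * d_h[j] * x[i]
            c -= lr * d_o
    return W, b, v, c

def predict(model, x):
    """Probability that the window is an attack."""
    W, b, v, c = model
    h = [sigmoid(sum(W[j][i] * x[i] for i in range(len(x))) + b[j]) for j in range(len(W))]
    return sigmoid(sum(v[j] * h[j] for j in range(len(W))) + c)

def build_and_evaluate(seed=7, n_train=100, n_test=50):
    """Steps 1-6 for one protected service: fit scaler and SOM on training packets,
    encode windows, train the MLP, and report accuracy on held-out windows."""
    rng = random.Random(seed)
    train = [(make_window(rng, a), a) for a in [0, 1] * n_train]
    test = [(make_window(rng, a), a) for a in [0, 1] * n_test]
    scale = fit_scaler([p for w, _ in train for p in w])
    som = train_som(rng, [scale(p) for w, _ in train for p in w])
    mlp = train_mlp(rng, [window_vector(som, scale, w) for w, _ in train], [float(a) for _, a in train])
    hits = sum((predict(mlp, window_vector(som, scale, w)) >= 0.5) == bool(a) for w, a in test)
    return {"accuracy": hits / len(test), "som": som, "scale": scale, "mlp": mlp}

if __name__ == "__main__":
    print("held-out accuracy:", build_and_evaluate()["accuracy"])
```

Running the block trains one hybrid network on 200 constructed windows and prints its accuracy on 100 held-out windows. The part worth carrying over to real traffic is the two-stage shape: the SOM is fitted on packets from every window (labels unused), the MLP only ever sees cluster numbers, and both the scaler and the map must be frozen before any test window is encoded, otherwise the evaluation leaks.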
|Keywords||Attack detection; low-rate DDoS-attacks; denial of service; artificial neural network; hybrid neural network; computer network security.|
|References||1. Tarasov Ya.V. Model' nizkointensivnoy setevoy ataki "otkaz v obsluzhivanii" [Model of a low-rate network denial-of-service attack], Sbornik trudov VII Vserossiyskoy nauchno-tekhnicheskoy konferentsii «Bezopasnye informatsionnye tekhnologii» (BIT – 2016) [Proceedings of the VII All-Russian Scientific and Technical Conference "Secure Information Technologies" (BIT 2016)]. Moscow: MGTU im. N.E. Baumana [Bauman Moscow State Technical University].
2. Chuchueva I.A. Model' prognozirovaniya vremennykh ryadov po vyborke maksimal'nogo podobiya: diss. kand. tekhn. nauk [Time series forecasting model based on a maximum-similarity sample: Cand. of Eng. Sci. diss.]. Moscow, 2012.
3. Fogler H.R. A pattern recognition model for forecasting, Management science, 1974, No. 8, pp. 1178-1189.
4. Martinez Alvarez F. et al. Discovering Patterns in Electricity Price Using Clustering Techniques, ICREPQ International Conference on Renewable Energies and Power Quality, Seville, Spain, 2007, 8 p. Available at: http://www.icrepq.com/icrepq07/245-martinez.pdf (accessed 15 January 2016).
5. Haykin S. Neural Networks: A Comprehensive Foundation. 2nd ed. Upper Saddle River, New Jersey: Prentice Hall, 1999, 842 p.
6. Giles C.L., Lawrence S., Tsoi A.C. Noisy Time Series Prediction using Recurrent Neural Networks and Grammatical Inference, Machine Learning, July 2001, Vol. 44, Issue 1, pp. 161-183.
7. Fodor I. A survey of dimension reduction techniques. Center for Applied Scientific Computing, Lawrence Livermore National Laboratory, Technical Report UCRL-ID-148494, 2002.
8. Van der Maaten L.J.P., Hinton G.E. Visualizing High-Dimensional Data Using t-SNE, Journal of Machine Learning Research, Nov. 2008, Vol. 9, pp. 2579-2605.
9. Borg I., Groenen P. Modern Multidimensional Scaling: theory and applications 2nd ed. New York: Springer-Verlag, 2005, pp. 207-212. ISBN 0-387-94845-7.
10. Command-line packet analyzer tcpdump. Available at: http://www.tcpdump.org/ (accessed 03 December 2016).
11. Graham R. What's the max speed on Ethernet? Available at: http://blog.erratasec.com/2013/10/whats-max-speed-on-ethernet.html#.UlbwuNK8Dp8 (accessed 03 December 2016).
12. Northcutt S., Novak J. Network Intrusion Detection: An Analyst's Handbook. Sams Publishing, 2002, 346 p.
13. Ghosh A.K. et al. Detecting Anomalous and Unknown Intrusions Against Programs in Real-Time, DARPA SBIR Phase I Final Report. Reliable Software Technologies.
14. Tarasov Ya.V., Makarevich O.B. Modelirovanie i issledovanie nizkointensivnykh DoS-atak na BGP-infrastrukturu [Modeling and study of low-intensity DOS-attacks on BGP-infrastructure], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2013, No. 12 (149), pp. 101-111.
15. Tarasov Ya.V. Metod obnaruzheniya nizkointensivnykh DDOS-atak na osnove gibridnoy neyronnoy seti [Method of detecting low-rate DDoS attacks based on a hybrid neural network], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2014, No. 8 (157), pp. 47-87.
16. Abramov E.S., Sidorov I.D. Metod obnaruzheniya raspredelennykh informatsionnykh vozdeystviy na osnove gibridnoy neyronnoy seti [Method of detecting distributed information impacts based on a hybrid neural network], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2009, No. 11 (100), pp. 154-164.
17. Kohonen T. Self-Organizing Maps. Third, extended edition. Springer, 2001.
18. Abramov E.S., Anikeev M.V., Makarevich O.B. Ispol'zovanie apparata neyrosetey pri obnaruzhenii setevykh atak [Using the neural network apparatus in network attack detection], Izvestiya TRTU [Izvestiya TSURE], 2004, No. 1 (36), p. 130.
19. Abramov E.S., Anikeev M.V., Makarevich O.B. Podgotovka dannykh dlya ispol'zovaniya v obuchenii i testirovanii neĭroseteĭ pri obnaruzhenii setevykh atak [Preparing data for use in training and testing of neural networks in the detection of network attacks], Izvestiya TRTU [Izvestiya TSURE], 2003, No. 4 (33), pp. 204-206.
20. Aiello M., Cambiaso E., Scaglione S., Papaleo G. A similarity based approach for application DoS attacks detection, 2013 IEEE Symposium on Computers and Communications (ISCC).