
Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

  • Conference paper: Quality of Service in Heterogeneous Networks (QShine 2009)

Abstract

Network intrusion detection is a key security issue that can be tackled with different approaches. This paper describes a novel methodology for network attack detection that applies data mining techniques to traffic information collected by a monitoring station from a set of hosts via the Simple Network Management Protocol (SNMP). The proposed approach, based on unsupervised clustering, distinguishes normal traffic behavior from malicious network activity and determines with very good accuracy what kind of attack is being carried out. Several monitoring stations are then interconnected over a peer-to-peer network of any kind in order to share the knowledge base acquired with the proposed methodology, thus increasing detection capabilities. An experimental test-bed has been implemented that reproduces the case of a real web server under several attack techniques. The experimental results show the effectiveness of the proposed solution, with no missed detections of true attacks and very low false-positive (false alarm) rates.
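As an added illustration (not the paper's code), a Python sketch of the pipeline the abstract describes: per-interval SNMP counter deltas are clustered without labels, the normal cluster is separated from the attack clusters, and a flagged interval is described by the counter that deviates most from normal. The clustering method (k-means with farthest-point seeding), the log scaling and the rule that the largest cluster is normal are assumptions, the counter names are standard MIB-II objects, and all polled values are constructed.

```python
from math import log1p, sqrt
FEATURES = ("ifInOctets", "ifInUcastPkts", "tcpInSegs", "icmpInMsgs")  # MIB-II counters
COUNTER_WRAP = 2 ** 32  # Counter32 objects wrap, so deltas are taken modulo 2^32

def build_polls(start, deltas):
    """Turn constructed per-interval increments into cumulative counter snapshots."""
    polls, cur = [dict(zip(FEATURES, start))], list(start)
    for d in deltas:
        cur = [(c + x) % COUNTER_WRAP for c, x in zip(cur, d)]
        polls.append(dict(zip(FEATURES, cur)))
    return polls

def feature_vectors(polls):
    """Wrap-safe per-interval deltas, log-scaled so byte and packet counts are comparable."""
    return [[log1p((cur[f] - prev[f]) % COUNTER_WRAP) for f in FEATURES]
            for prev, cur in zip(polls, polls[1:])]

def dist(a, b): return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(vectors, k, rounds=25):
    """Plain k-means with deterministic farthest-point seeding (assumed here, not the paper's method)."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(dist(v, c) for c in centroids)))
    for _ in range(rounds):
        groups = [[] for _ in centroids]
        for v in vectors:
            groups[min(range(k), key=lambda i: dist(v, centroids[i]))].append(v)
        centroids = [[sum(col) / len(g) for col in zip(*g)] if g else c
                     for g, c in zip(groups, centroids)]
    return centroids, [len(g) for g in groups]

def train(polls, k=3):  # assumption: the most populated cluster is normal traffic
    centroids, sizes = kmeans(feature_vectors(polls), k)
    return centroids, sizes.index(max(sizes))

def classify(vector, model):  # ('normal', None) or ('attack', most deviating counter)
    centroids, normal = model
    nearest = min(range(len(centroids)), key=lambda i: dist(vector, centroids[i]))
    if nearest == normal:
        return "normal", None
    deviation = [v - n for v, n in zip(centroids[nearest], centroids[normal])]
    return "attack", FEATURES[deviation.index(max(deviation))]

# Constructed history: quiet intervals, a SYN flood, an ICMP flood; ifInOctets starts near 2^32 so the first delta wraps.
TRAINING = build_polls((COUNTER_WRAP - 400_000, 10, 10, 10), [
    (800_000, 1_450, 1_050, 3), (900_000, 1_600, 1_150, 2), (850_000, 1_500, 1_100, 4),
    (880_000, 1_550, 1_120, 3), (3_000_000, 50_000, 49_800, 5), (3_100_000, 51_000, 50_700, 4),
    (6_000_000, 30_000, 1_000, 29_900), (5_800_000, 29_000, 950, 28_900), (870_000, 1_480, 1_080, 2)])
MODEL = train(TRAINING)  # (centroids, index of the normal cluster)
```

A real deployment would poll the counters with an SNMP client at a fixed interval and feed each new delta vector to `classify`; sharing `MODEL` between monitoring stations is the peer-to-peer step the abstract adds on top.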

Work partially funded by the European project DORII: Deployment of Remote Instrumentation Infrastructure, Grant agreement no. 213110.




© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Cerroni, W., Monti, G., Moro, G., Ramilli, M. (2009). Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data. In: Bartolini, N., Nikoletseas, S., Sinha, P., Cardellini, V., Mahanti, A. (eds) Quality of Service in Heterogeneous Networks. QShine 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 22. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10625-5_26


  • DOI: https://doi.org/10.1007/978-3-642-10625-5_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10624-8

  • Online ISBN: 978-3-642-10625-5

