Visible to the public Investigating the utility of S-transform for detecting Denial-of-Service and probe attacks

TitleInvestigating the utility of S-transform for detecting Denial-of-Service and probe attacks
Publication TypeConference Paper
Year of Publication2014
AuthorsPukkawanna, S., Hazeyama, H., Kadobayashi, Y., Yamaguchi, S.
Conference NameInformation Networking (ICOIN), 2014 International Conference on
Date PublishedFeb
Keywordsaccurate attack signatures, Computer crime, computer network security, denial-of-service detection, DoS attacks, frequency components, IDS, image processing method, Internet, Intrusion Detection Systems, Otsu method, Ports (Computers), probe attacks, Probes, S-transform, signal processing method, telecommunication traffic, Time-frequency Analysis, time-frequency representation technique, traffic signal, two-dimensional image, wavelet transform, wavelet transforms

Denial-of-Service (DoS) and probe attacks are growing more modern and sophisticated in order to evade detection by Intrusion Detection Systems (IDSs) and to increase the potent threat to the availability of network services. Detecting these attacks is quite tough for network operators using misuse-based IDSs because they need to see through attackers and upgrade their IDSs by adding new accurate attack signatures. In this paper, we proposed a novel signal and image processing-based method for detecting network probe and DoS attacks in which prior knowledge of attacks is not required. The method uses a time-frequency representation technique called S-transform, which is an extension of Wavelet Transform, to reveal abnormal frequency components caused by attacks in a traffic signal (e.g., a time-series of the number of packets). Firstly, S-Transform converts the traffic signal to a two-dimensional image which describes time-frequency behavior of the traffic signal. The frequencies that behave abnormally are discovered as abnormal regions in the image. Secondly, Otsu's method is used to detect the abnormal regions and identify time that attacks occur. We evaluated the effectiveness of the proposed method with several network probe and DoS attacks such as port scans, packet flooding attacks, and a low-intensity DoS attack. The results clearly indicated that the method is effective for detecting the probe and DoS attack streams which were generated to real-world Internet.

Citation Key6799482