DoS Attack Detection Technique Using Back Propagation Neural Network
Monika Khandelwal
Computer science & engineering
NIT Jalandhar
Jalandhar, India
Khandelwalmonu21@gmail.com
Mr. Deepak Kumar Gupta
Computer science & engineering
NIT Jalandhar
Jalandhar, India
guptadk@nitj.ac.in
Mr. Pradeep Bhale
Computer science & engineering
NIT Jalandhar
Jalandhar, India
Bhalepradeepkumar.iiit@gmail.com
Abstract— A Denial of Service (DoS) attack is an attempt to make a device or system's resources unavailable to its intended users. A DoS attack consumes the victim system's resources, for example bandwidth, memory and CPU, by sending a huge number of fake requests so that the intended user cannot obtain services and denial of service occurs. This paper presents an intelligent technique for the detection of denial of service attacks. The technique can easily detect a DoS attack by using a back-propagation neural network (BPNN). The parameters used in this technique are CPU usage, frame length and flow rate. Server resources and network traffic are analyzed to train and test the detection method, and the results show that the proposed method can detect DoS attacks with 96.2% accuracy.
Keywords— Denial of service, Back Propagation Neural Network, Detection accuracy.
I. INTRODUCTION
Security threats are becoming one of the major issues that hinder the development of electronic services as computer networks advance. Network security attacks appear in various modes and forms. One of the most widely known attacks is Denial of Service (DoS). A DoS attack, as the name indicates, is essentially an effort by an attacker to keep network resources busy by sending a huge number of fake requests so that the intended clients cannot obtain access. DoS attacks are among the most widespread problems faced by the vast majority of Internet Service Providers (ISPs) today. DoS attacks have a serious effect on computer systems. How to discover and use server resources against malicious activities has therefore become a significant research trend.
DoS attacks are easily carried out by exploiting limitations of the network protocol together with repeated service requests to the application. A Denial of Service attack exploits the lack of authenticity in the IP protocol and the destination-oriented, stateless nature of the Internet. These days, Denial of Service attacks are the most serious threats that web servers face.
A DoS attack is a significant Internet security problem. In a DoS attack, a large number of clients simultaneously send fake requests to a certain server on the web so that the server is too occupied to offer normal services to others. A DoS attack happens when several systems flood the bandwidth or resources of a victim system, i.e. the attacker sends a large number of spurious requests to the victim machine to exhaust its resources.
In this paper, I propose a neural network based approach to effectively identify DoS attacks. A neural network based approach is one of the best ways to recognize attack variations: it looks for deviations from normal behavior and flags a possible attack. This paper concentrates on identifying threats in the local network by capturing all the packets that reach the victim system.
The rest of the paper is organized as follows. Section 2 examines some of the related works. Section 3 describes and characterizes the DoS attack. Section 4 explains the neural network. Section 5 describes the experimental setup, and the next section presents the results and discussion, followed by the conclusion.
II. RELATED WORKS
A few techniques for the detection of DoS attacks have been proposed.
Al Islam [1] proposed a simulation-based approach to accurately recognize a DoS attack using Recurrent Neural Networks (RNN), and classified denial of service and distributed denial of service attacks. This detection mechanism was deployed at the client side and at intermediate nodes. The features considered by the proposed method were resource utilization parameters and the number of requests rejected in some past time slots. The output of the Recurrent Neural Network was a posterior probability that distinguishes good requests from bad ones. If the output crosses a certain threshold, an alarm is generated and the corresponding flow is discarded.
2016 Intl. Conference on Advances in Computing, Communications and Informatics (ICACCI), Sept. 21-24, 2016, Jaipur, India
978-1-5090-2029-4/16/$31.00 @2016 IEEE 1064
Felix Lau [2] discussed distributed denial of service attacks on the Internet, described some well-known methods and techniques used in denial of service attacks, and also gave defenses. The network simulator ns-2 was used to study denial of service attacks, and various queuing algorithms were also examined.
C. Haris [3] proposed a strategy to detect SYN flood attacks over the network in the File Transfer Protocol by checking the IP header and TCP header using the payload. The paper used anomaly detection to identify TCP SYN flood attacks based on the payload and unusable area. With this technique they performed packet filtering that concentrated on the payload and unusable area in the TCP protocol, where the entire payload in the TCP header and IP header was examined. Every packet was analyzed by comparing the normal form of these two headers with infected ones. They additionally performed traffic monitoring in terms of CPU utilization for an attacked network and an attack-free network, and of the network history of receiving data during the normal scenario, downloading a file, and downloading a file during the attack scenario. CPU utilization increased for the network infected by the TCP SYN flood when compared with the normal network.
D. Salunke [4] presented a detection system for denial of service attacks. The detection system is built using a layered framework approach and creates its data set by analyzing incoming packets and comparing them with the KDD 1999 dataset. K-means clustering and a Naive Bayes classifier are used in this system. The system has two steps: the first is training set generation and the second is a real-time layered IDS. The output of the detection algorithm is either a normal packet or a detected attack.
Dighe Mohit S. [5] proposed an Intrusion Detection System that prevents unauthorized access to network resources. The architecture contains three modules. The first module contains the IDS in the Weka tool, the second module contains the back-propagation algorithm and the third module contains online detection. A multilayer perceptron and the apriori algorithm are used for the IDS. The accuracy of the proposed system is 94%.
III. DENIAL-OF-SERVICE ATTACK
A DoS attack is characterized by an explicit attempt by an attacker to prevent legitimate users of a service from using the desired resources. An attacker may flood a network and reduce a legitimate user's bandwidth, prevent access to a service, or disrupt service to a particular system or user. As a result, legitimate users are not able to get full-quality access to a web service or services. A DoS attack consumes a victim system's resources, for example network bandwidth, CPU time and memory. This can include data structures such as Transmission Control Blocks, open file handles and process slots.
A Denial of Service attack can target any part of a business and its resources, and can easily:
• Disable a particular computer, service or an entire network,
• Target printers, alarms, telephones or laptops,
• Execute malware that affects processors and triggers errors in computer microcode,
• Hit system resources like bandwidth, disk space, processor time or routing information,
• Exploit operating system vulnerabilities to exhaust system resources,
• Crash the operating system.
Symptoms of Denial of Service attacks:
• Inability to access any website,
• Unusually slow network performance,
• Unavailability of a specific website,
• Disconnection of a wireless or wired internet connection,
• Dramatic increase in the amount of spam email received,
• Long-term denial of access to the web or any internet services.
Examples of Denial of Service attacks are [6]:
• Attempts to "flood" a network, thereby preventing legitimate network traffic,
• Attempts to disrupt connections between two machines, thereby preventing access to a service,
• Attempts to prevent a particular individual from accessing a service,
• Attempts to disrupt service to a specific system or individual.
IV. NEURAL NETWORK
A neural network is an attempt to build a machine that imitates brain activity and is able to learn. It is a system of data structures and programs that approximates the activity of the human brain. A neural network is initially trained, or fed a huge amount of data and rules about data relationships. As a rule, a neural network learns by example. The neural network has three layers: input, hidden and output. Each layer can have a number of nodes [7]. Input layer nodes are connected to the hidden layer nodes, and hidden layer nodes are connected to the output layer nodes. These connections represent the weights between nodes.
The neural network applied here is a back-propagation neural network. The idea behind back-propagation is relatively simple: the output of the neural network is evaluated against the desired output. When training the neural network, a set of examples with inputs and desired outputs is fed to the network. Learning starts by setting the initial weights to random numbers. If the results do not match the target output, the weights are updated and the same process is repeated until the results match the target output. There are two types of neural network learning: supervised learning and unsupervised learning. Supervised learning is used in this experiment, where the output values are known in advance. Figure 1 shows the learning of the back-propagation neural network.
Figure 1: Back-propagation Neural Network Learning.
IV. EXPERIMENTAL SETUP
The testbed consists of two systems, one running Ubuntu 14.04 LTS and one running Windows 7. Ubuntu is used as the victim system and Windows 7 as the attacker. The system is implemented in four phases: collecting data, preprocessing data, deciding the neural network, and training and testing the system, as shown in Figure 2.
A. Data Collection
First, data are collected in the form of three parameters to
detect the normal and abnormal behavior. These are:
1. CPU Usage for normal situation and attacked
situation.
2. Frame length of the packets in normal situation and
attacked situation. Packets are captured using
Wireshark tool.
3. Flow rate of packets during normal situation and
attacked situation.
Figure 2: Steps of Proposed Work.
All packets are captured using the Wireshark tool and analyzed to find the frame length of the packets. The main protocol analyzed in this paper is TCP, so only TCP packets are filtered. To evaluate the flow rate, I created a C program on the Linux operating system. The program captures all types of TCP packets that flow over the internet; it was used to capture the packets arriving at the system and evaluate the flow rate. A Python script and the hping3 tool are used to perform the attack on the victim system.
B. Preprocessing of Dataset
This section describes how the data is used in our work. The data is first normalized and then given to the network. After normalization the values lie between 0 and 1.
The normalization formula is as shown in equation 1:
$$x_{new} = \frac{x - x_{min}}{x_{max} - x_{min}} \qquad (1)$$
Where $x$ is the input value,
$x_{min}$ is the minimum value of the input,
$x_{max}$ is the maximum value of the input,
$x_{new}$ is the new value of the input that lies between [0, 1].
C. Deciding the Neural Network
The data collected in the previous step is provided as input to the neural network. The detection method has only two possible results: the first class is set as normal and the second class as attack. The input layer has 4 neurons, the hidden layer has 6 neurons and the output layer has 1 neuron. Our architecture has only one hidden layer.
D. Training and Testing of NN Model
Training and testing are done using the back-propagation neural network. The attack data and non-attack data are combined and used to train the neural network. In the proposed method, 90% of the data is used for training and the learning rate is set to 0.02. After the model is trained, the other 10% of the data is used to test the model and obtain the results.
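Sections B to D as an added example (not the authors' code): min-max normalization per equation 1, a 4-6-1 back-propagation network with learning rate 0.02, and a 90%/10% train/test split. The sample values are constructed, and because the paper names only three inputs, the fourth input is assumed to be a constant bias of 1.0; the initial weight range, the epoch count and the cross-entropy output error are also assumptions.

```python
import math
import random

def min_max_fit(rows):  # per-column (x_min, x_max), fitted on training rows only
    return [(min(c), max(c)) for c in zip(*rows)]

def min_max_apply(row, bounds):
    """Equation (1), clamped so unseen test values stay inside [0, 1]."""
    return [min(1.0, max(0.0, (x - lo) / (hi - lo))) if hi > lo else 0.0
            for x, (lo, hi) in zip(row, bounds)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class BPNN:  # 4-6-1 network, sigmoid units, online back-propagation
    def __init__(self, rng, n_in=4, n_hid=6, lr=0.02):
        self.lr = lr
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hid)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hid + 1)]  # last = output bias
    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x))) for row in self.w1]
        y = sigmoid(sum(w * hi for w, hi in zip(self.w2, h + [1.0])))
        return h, y
    def train_one(self, x, t):
        h, y = self.forward(x)
        d_out = y - t  # output error term (assumed cross-entropy loss)
        for j, hj in enumerate(h):
            d_hid = d_out * self.w2[j] * hj * (1.0 - hj)  # error propagated back to hidden j
            for i, xi in enumerate(x):
                self.w1[j][i] -= self.lr * d_hid * xi
            self.w2[j] -= self.lr * d_out * hj
        self.w2[-1] -= self.lr * d_out

def make_samples(n, rng):
    """Constructed rows: ([CPU %, frame length in bytes, packets/s], label)."""
    u = rng.uniform
    rows = [([u(2, 10), u(200, 1500), u(300, 600)], 0) for _ in range(n)]      # normal
    rows += [([u(90, 100), u(54, 74), u(1600, 3000)], 1) for _ in range(n)]   # attack
    rng.shuffle(rows)
    return rows

def run_experiment(seed=1, epochs=200):
    rng = random.Random(seed)
    data = make_samples(100, rng)
    cut = int(0.9 * len(data))  # 90% training, 10% testing
    bounds = min_max_fit([x for x, _ in data[:cut]])
    prep = [(min_max_apply(x, bounds) + [1.0], t) for x, t in data]  # 4th input: assumed bias
    net = BPNN(rng)
    for x, t in prep[:cut] * epochs:
        net.train_one(x, t)
    hits = sum((net.forward(x)[1] >= 0.5) == (t == 1) for x, t in prep[cut:])
    return hits / (len(data) - cut)

if __name__ == "__main__":
    print("test accuracy:", run_experiment())
```

The normalization bounds are fitted on the training rows only, so a test value outside the training range is clamped to 0 or 1 instead of influencing the scaling.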
V. RESULTS AND DISCUSSION
The experiments show that CPU usage, frame length and flow rate differ between the normal scenario and the attack scenario. CPU usage is the amount of work accomplished by a computer system.
Figure 3: CPU Usage in Normal Scenario.
In normal usage, CPU utilization is below 10%, although a few applications may use half of the CPU time. At the time of the attack, CPU utilization was above 90% or near 100%. Figure 4 shows the CPU usage during the attack scenario.
Figure 4: CPU Usage during Attack.
Next, the frame length of packets is analyzed during the normal scenario and during the attack scenario. The frame length is the size of the entire frame on the wire. It is also called the packet length, meaning the length of each packet. The frame length of packets is analyzed using the Wireshark tool. Based on the packets captured with Wireshark, an IO graph is plotted for the normal data and for the attack data. The IO graph shows the overall traffic seen in the capture files, measured as a rate per second in bytes or packets.
Figure 5: IO Graph during Normal Usage.
In the normal case, 500 packets are captured per second, and during the attack more than 1600 packets are captured per second. Figure 6 shows the IO graph during attack usage.
Figure 6: IO Graph during Attack Usage.
Next, the flow rate is evaluated during normal usage and during attack usage using a C program, created on Linux, that captures all the packets arriving at the victim system.
Figure 7: Flow Rate during Normal Usage.
During normal usage the flow rate is usually very low, but at the time of the attack the flow rate is very high. Figure 8 shows the flow rate for the attacked case.
Figure 8: Flow Rate for the Attacked Scenario.
Finally, the back-propagation neural network is applied to the data collected above to check the accuracy of our proposed model, i.e. how correctly our model distinguishes between attack data and normal data. To improve the validity of the test results, the same experiment was performed ten times, with the results shown in Figure 9. The average accuracy of our proposed model is 96.2%.
Figure 9: Accuracy for different observations (x-axis: No. of Observation, 1 to 10; y-axis: Percentage Accuracy).
VI. CONCLUSION
Denial of service attacks are real threats to computer security; to detect DoS attacks and increase computer network security, a detection technique needs to be built. In this paper, only the detection method is specified. In the proposed work, the attack is performed using the hping3 tool and by running a Python script on Windows. DoS attacks are detected by taking three parameters, CPU performance, frame length and flow rate, and then applying a back-propagation neural network. From the results, it is concluded that the back-propagation neural network is the best approach for the detection of DoS attacks. BPNN achieves 96.2% detection accuracy.
REFERENCES
[1] Al Islam, ABM Alim, and Tishna Sabrina. "Detection of various denial of service and Distributed Denial of Service attacks using RNN ensemble." Computers and Information Technology, 2009. ICCIT'09. 12th International Conference on. IEEE, 2009.
[2] Lau, Felix, et al. "Distributed denial of service attacks." Systems, Man, and Cybernetics, 2000 IEEE International Conference on. Vol. 3. IEEE, 2000.
[3] Haris, S. H. C., R. B. Ahmad, and M. A. H. A. Ghani. "Detecting TCP SYN flood attack based on anomaly detection." Network Applications Protocols and Services (NETAPPS), 2010 Second International Conference on. IEEE, 2010.
[4] Mangesh D. Salunke, Ruhi Kabra, "Denial-of-Service Attack Detection," International Journal of Innovative Research in Advanced Engineering, vol. 1, November 2014.
[5] Dighe Mohit S., Kharde Gayatri B., Mahadik Vrushali G., Gade Archana L., Bondre Namrata R., "Using Artificial Neural Network Classification and Invention of Intrusion in Network Intrusion Detection System," International Journal of Innovative Research in Computer and Communication Engineering, vol. 3, February 2015.
[6] CERT Coordination Center, Cert Advisories: "CA-2000-01 denial-of-service developments:" http://www.cert.org/advisories/CA-2000-01.html; "CA-99-17 denial-of-service tools," http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html; "CA-98-13-tcp-denial-of-service: vulnerability in certain TCP/IP implementations," http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html.
[7] Mirza Cilimkovic, "Neural Networks and Back Propagation Algorithm", Retrieved from http://www.dataminingmasters.com/uploads/studentProjects/NeuralNetworks.pdf.