实时数据流中基于fp增长的签名提取和未知变体DoS/DDoS攻击检测

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-02-07 DOI:10.1016/j.jisa.2025.103996

Arpita Srivastava, Ditipriya Sinha

{"title":"实时数据流中基于fp增长的签名提取和未知变体DoS/DDoS攻击检测","authors":"Arpita Srivastava, Ditipriya Sinha","doi":"10.1016/j.jisa.2025.103996","DOIUrl":null,"url":null,"abstract":"<div><div>Protecting sensitive information on Internet from unknown attacks is challenging due to no known signatures, limited historical data, a high number of false positives, and a lack of vendor patches. This paper has proposed a statistical method to detect unknown variants of denial-of-service (DoS)/ distributed denial-of-service (DDoS) (high-volume) attacks. The proposed method is primarily divided into two modules: DoS/DDoS attack signature extraction and unknown variants of DoS/DDoS attack detection. A setup in laboratory of NITP is created to capture real-time traffic of six different variants of DoS or DDoS attacks with benign network traffic behavior, referred to as RTNITP24. Unique DoS/DDoS attack signatures are extracted by applying a Frequent-Pattern Growth (FP-Growth) algorithm using 71 % of RTNITP24 data having DoS/DDoS attack and benign traffic, assuming these signatures are primarily present in DoS/DDoS attack traffic but rarely in benign traffic. These signatures are stored in a high-volume attack (HVA) knowledge base (KB). Unknown variants of the DoS/DDoS (high-volume) attack detection module use an HVA knowledge base and pcap files of 29 % RTNITP24 and CICIDS2017 new data packets, which is not considered in the attack signature extraction module. Jaccard similarity score is computed between new data packets and attack signatures and scrutinizes the two main conditions: if similarity score of any of the signatures is greater than or equal to rule threshold or if the average similarity score of all the signatures is greater than or equal to the overall threshold. Packet is detected as malicious if any of aforementioned conditions are true. Otherwise, the packet is benign. Proposed model achieves high accuracy (91.66 % and 94.87 %) and low false alarm rates (5.32 % and 4.98 %) on RTNITP24 and CICIDS2017 datasets, respectively. Additionally, proposed model is compared to apriori-based rule extraction technique and current state-of-the-art methods, revealing that it outperforms both apriori-based and existing methods.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103996"},"PeriodicalIF":3.8000,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"FP-growth-based signature extraction and unknown variants of DoS/DDoS attack detection on real-time data stream\",\"authors\":\"Arpita Srivastava, Ditipriya Sinha\",\"doi\":\"10.1016/j.jisa.2025.103996\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Protecting sensitive information on Internet from unknown attacks is challenging due to no known signatures, limited historical data, a high number of false positives, and a lack of vendor patches. This paper has proposed a statistical method to detect unknown variants of denial-of-service (DoS)/ distributed denial-of-service (DDoS) (high-volume) attacks. The proposed method is primarily divided into two modules: DoS/DDoS attack signature extraction and unknown variants of DoS/DDoS attack detection. A setup in laboratory of NITP is created to capture real-time traffic of six different variants of DoS or DDoS attacks with benign network traffic behavior, referred to as RTNITP24. Unique DoS/DDoS attack signatures are extracted by applying a Frequent-Pattern Growth (FP-Growth) algorithm using 71 % of RTNITP24 data having DoS/DDoS attack and benign traffic, assuming these signatures are primarily present in DoS/DDoS attack traffic but rarely in benign traffic. These signatures are stored in a high-volume attack (HVA) knowledge base (KB). Unknown variants of the DoS/DDoS (high-volume) attack detection module use an HVA knowledge base and pcap files of 29 % RTNITP24 and CICIDS2017 new data packets, which is not considered in the attack signature extraction module. Jaccard similarity score is computed between new data packets and attack signatures and scrutinizes the two main conditions: if similarity score of any of the signatures is greater than or equal to rule threshold or if the average similarity score of all the signatures is greater than or equal to the overall threshold. Packet is detected as malicious if any of aforementioned conditions are true. Otherwise, the packet is benign. Proposed model achieves high accuracy (91.66 % and 94.87 %) and low false alarm rates (5.32 % and 4.98 %) on RTNITP24 and CICIDS2017 datasets, respectively. Additionally, proposed model is compared to apriori-based rule extraction technique and current state-of-the-art methods, revealing that it outperforms both apriori-based and existing methods.</div></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"89 \",\"pages\":\"Article 103996\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2025-02-07\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212625000341\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000341","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

由于没有已知的签名、有限的历史数据、大量的误报和缺乏供应商补丁，保护互联网上的敏感信息免受未知攻击是具有挑战性的。本文提出了一种统计方法来检测拒绝服务(DoS)/分布式拒绝服务（DDoS）（大容量）攻击的未知变体。该方法主要分为两个模块：DoS/DDoS攻击特征提取和DoS/DDoS攻击未知变体检测。在NITP实验室中创建了一个设置，用于捕获具有良性网络流量行为的六种不同的DoS或DDoS攻击变体的实时流量，称为RTNITP24。通过使用具有DoS/DDoS攻击和良性流量的71%的RTNITP24数据应用频率模式增长（FP-Growth）算法提取唯一的DoS/DDoS攻击签名，假设这些签名主要存在于DoS/DDoS攻击流量中，但很少出现在良性流量中。这些签名存储在高容量攻击知识库（KB）中。DoS/DDoS（大容量）攻击检测模块的未知变体使用HVA知识库和pcap文件的29% RTNITP24和CICIDS2017新数据包，这在攻击签名提取模块中没有考虑。Jaccard相似度评分是计算新数据包和攻击签名之间的相似度评分，主要检查两个条件：一个签名的相似度评分大于等于规则阈值，或者所有签名的平均相似度评分大于等于总体阈值。如果上述任何条件为真，则将数据包检测为恶意。否则为良性报文。该模型在RTNITP24和CICIDS2017数据集上分别达到了较高的准确率（91.66%和94.87%）和较低的误报率（5.32%和4.98%）。此外，将该模型与基于先验的规则提取技术和当前最先进的方法进行了比较，结果表明该模型优于基于先验的方法和现有方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

FP-growth-based signature extraction and unknown variants of DoS/DDoS attack detection on real-time data stream

Protecting sensitive information on Internet from unknown attacks is challenging due to no known signatures, limited historical data, a high number of false positives, and a lack of vendor patches. This paper has proposed a statistical method to detect unknown variants of denial-of-service (DoS)/ distributed denial-of-service (DDoS) (high-volume) attacks. The proposed method is primarily divided into two modules: DoS/DDoS attack signature extraction and unknown variants of DoS/DDoS attack detection. A setup in laboratory of NITP is created to capture real-time traffic of six different variants of DoS or DDoS attacks with benign network traffic behavior, referred to as RTNITP24. Unique DoS/DDoS attack signatures are extracted by applying a Frequent-Pattern Growth (FP-Growth) algorithm using 71 % of RTNITP24 data having DoS/DDoS attack and benign traffic, assuming these signatures are primarily present in DoS/DDoS attack traffic but rarely in benign traffic. These signatures are stored in a high-volume attack (HVA) knowledge base (KB). Unknown variants of the DoS/DDoS (high-volume) attack detection module use an HVA knowledge base and pcap files of 29 % RTNITP24 and CICIDS2017 new data packets, which is not considered in the attack signature extraction module. Jaccard similarity score is computed between new data packets and attack signatures and scrutinizes the two main conditions: if similarity score of any of the signatures is greater than or equal to rule threshold or if the average similarity score of all the signatures is greater than or equal to the overall threshold. Packet is detected as malicious if any of aforementioned conditions are true. Otherwise, the packet is benign. Proposed model achieves high accuracy (91.66 % and 94.87 %) and low false alarm rates (5.32 % and 4.98 %) on RTNITP24 and CICIDS2017 datasets, respectively. Additionally, proposed model is compared to apriori-based rule extraction technique and current state-of-the-art methods, revealing that it outperforms both apriori-based and existing methods.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.