Title: FP-growth-based signature extraction and unknown variants of DoS/DDoS attack detection on real-time data stream
Authors: Arpita Srivastava, Ditipriya Sinha
DOI: 10.1016/j.jisa.2025.103996
Journal: Journal of Information Security and Applications, volume 89, Article 103996
Publication date: 2025-02-07 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S2214212625000341
Citations: 0
Abstract
Protecting sensitive information on the Internet from unknown attacks is challenging because there are no known signatures, little historical data, a high number of false positives, and no vendor patches. This paper proposes a statistical method to detect unknown variants of denial-of-service (DoS) and distributed denial-of-service (DDoS) (high-volume) attacks. The proposed method is divided into two modules: DoS/DDoS attack signature extraction, and detection of unknown variants of DoS/DDoS attacks. A setup in the NITP laboratory is used to capture real-time traffic of six different variants of DoS or DDoS attacks together with benign network traffic, referred to as RTNITP24. Unique DoS/DDoS attack signatures are extracted by applying the Frequent-Pattern Growth (FP-Growth) algorithm to 71 % of the RTNITP24 data, containing both DoS/DDoS attack and benign traffic, under the assumption that these signatures occur primarily in DoS/DDoS attack traffic but rarely in benign traffic. The signatures are stored in a high-volume attack (HVA) knowledge base (KB). The detection module for unknown variants of DoS/DDoS (high-volume) attacks uses the HVA knowledge base together with pcap files of new packets from the remaining 29 % of RTNITP24 and from CICIDS2017, none of which were used in the signature extraction module. A Jaccard similarity score is computed between each new packet and the attack signatures, and two conditions are checked: whether the similarity score of any single signature is greater than or equal to the rule threshold, or whether the average similarity score over all signatures is greater than or equal to the overall threshold. A packet is detected as malicious if either condition holds; otherwise, it is benign. The proposed model achieves high accuracy (91.66 % and 94.87 %) and low false alarm rates (5.32 % and 4.98 %) on the RTNITP24 and CICIDS2017 datasets, respectively. Additionally, the proposed model is compared with an apriori-based rule extraction technique and current state-of-the-art methods, and outperforms both.
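The two-condition Jaccard test described in the abstract, written out as an added example (not the authors' code): packets and signatures are modelled as sets of "field=value" items, and the signatures, thresholds, and packet contents below are constructed stand-ins, since the abstract does not give the paper's feature set or tuned threshold values.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A packet and a signature are both sets of "field=value" items. Field names,
# values and thresholds are constructed for illustration (not from the paper).
Itemset = FrozenSet[str]


def jaccard(a: Itemset, b: Itemset) -> float:
    """Jaccard similarity |A & B| / |A | B|; two empty sets count as identical."""
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def classify_packet(packet: Itemset, hva_kb: List[Itemset],
                    rule_threshold: float, overall_threshold: float) -> Tuple[str, float, float]:
    """Return (label, max_score, avg_score) using the abstract's two conditions:
    malicious if any signature scores >= rule_threshold, or if the mean score
    over all signatures is >= overall_threshold; otherwise benign."""
    if not hva_kb:
        return "benign", 0.0, 0.0
    scores = [jaccard(packet, sig) for sig in hva_kb]
    max_score, avg_score = max(scores), sum(scores) / len(scores)
    malicious = max_score >= rule_threshold or avg_score >= overall_threshold
    return ("malicious" if malicious else "benign"), max_score, avg_score


# Constructed HVA knowledge base: toy signatures standing in for FP-Growth output.
HVA_KB: List[Itemset] = [
    frozenset({"proto=TCP", "flags=S", "payload_len=0", "dst_port=80"}),
    frozenset({"proto=UDP", "payload_len=1472", "dst_port=53"}),
    frozenset({"proto=ICMP", "type=8", "payload_len=1400"}),
]
RULE_THRESHOLD = 0.75     # assumed value; the paper's tuned thresholds are not in the abstract
OVERALL_THRESHOLD = 0.40  # assumed value


def scan(packets: Iterable[Itemset]) -> Dict[str, int]:
    """Count malicious/benign verdicts over a stream of packet itemsets."""
    counts = {"malicious": 0, "benign": 0}
    for pkt in packets:
        label, _, _ = classify_packet(pkt, HVA_KB, RULE_THRESHOLD, OVERALL_THRESHOLD)
        counts[label] += 1
    return counts


if __name__ == "__main__":
    syn = frozenset({"proto=TCP", "flags=S", "payload_len=0", "dst_port=80", "ttl=64"})
    web = frozenset({"proto=TCP", "flags=PA", "payload_len=517", "dst_port=443", "ttl=64"})
    print(classify_packet(syn, HVA_KB, RULE_THRESHOLD, OVERALL_THRESHOLD))
    print(classify_packet(web, HVA_KB, RULE_THRESHOLD, OVERALL_THRESHOLD))
```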
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.