A System for Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis
Under the Guidance of: Mr. Ritesh Kumar
Presented by: Amal Chacko
CONTENTS
• INTRODUCTION
• ARCHITECTURE
• CONCLUSION
• REFERENCE
What is a Denial Of Service Attack?
• A Denial of Service (DoS) attack is an attack on a computer or network that prevents legitimate use of its resources.
• In a DoS attack, attackers flood a victim system with non-legitimate service requests or traffic to overload its resources, which prevents it from performing its intended task.
TYPES..
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
Symptoms Of A DoS Attack…
Impact Of DoS…
• Disabled network
• Disabled organization
• Financial loss
• Loss of goodwill
• Other attacks
• Sabotage
• Extortion
DoS Attack Technique…
DOS ATTACK TOOLS
• Jolt2
• Bubonic.c
• Land and LaTierra
• Targa
• Blast20
• Nemesy
• Panther2
• Crazy Pinger
• Some Trouble
• UDP Flood
• FSMax
DOS TOOL: JOLT2
• Allows remote attackers to cause a denial of service attack against Windows-based machines
• Causes the target machines to consume 100% of the CPU time on processing the illegal packets
• Not Windows-specific. Cisco routers and other gateways may be vulnerable
DOS TOOL: NEMESY
• This application generates random packets (protocol, port, etc.)
• Its presence means that your computer is infected with malicious software and is insecure
BOT (Derived From The Word Robot)
• IRC bot - also called zombie or drone.
• Internet Relay Chat (IRC) is a form of real-time communication over the Internet. It is mainly designed for group (one-to-many) communication in discussion forums called channels. The bot joins a specific IRC channel on an IRC server and waits for further commands.
• The attacker can remotely control the bot and use it for fun and also for profit.
• A group of bots connected together is called a botnet.
How Do They Infect?
Existing System
• Misuse Type Detection System.
• Anomaly Type Intrusion Detection System.
Proposed System
A System for Denial-of-Service Attack Detection Based on Multivariate Correlation Analysis
Multivariate Correlation Analysis (MCA)
• Multivariate analysis (MVA) techniques allow more than two variables to be analysed at once.
• The MCA approach employs triangle areas to extract the correlative information between the features within an observed data object.
• The MCA approach provides some benefits for data analysis.
SYSTEM ARCHITECTURE
Normal Profile Generation
• Assume there is a set of ‘g’ legitimate training traffic records.
• The triangle-area based MCA approach is applied to analyse the records.
• Mahalanobis distance is adopted to measure the dissimilarity between traffic records.
Algorithm For Profile Generation
Detection Mechanism
• Here we present a threshold-based anomaly detector.
• Normal profiles and thresholds have a direct influence on the performance of a threshold-based detector.
• Mahalanobis distance is adopted to measure the dissimilarity between traffic records.
Algorithm For Attack Detection
Continued..
Threshold Selection:
The threshold given is used to differentiate attack traffic from the legitimate
one.
For a normal distribution, is usually ranged from 1 to 3.
Continued..
Attack Detection:
To detect DoS attacks, the lower triangle of the
TAM of an observed record needs to be generated.
The MD between the and the
stored in the respective pre generated normal profile Pro.
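The profile-generation and detection steps outlined above, as an added Python example (not code from the presentation). It assumes the triangle area for features j and k is |x_j|·|x_k|/2 and that a record is flagged when its Mahalanobis distance (MD) lies outside mu ± alpha·sigma of the training distances; the feature names, the name `alpha` and the sample traffic are constructed for illustration.

```python
import math
import random

def tam_lower(x):
    """Lower triangle of the triangle-area map: |x_j|*|x_k|/2 for every j > k (assumed formula)."""
    return [abs(x[j]) * abs(x[k]) / 2 for j in range(len(x)) for k in range(j)]

def solve(a, b):
    """Solve a @ y = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [v - f * w for v, w in zip(m[r], m[c])]
    y = [0.0] * n
    for r in reversed(range(n)):
        y[r] = (m[r][n] - sum(m[r][k] * y[k] for k in range(r + 1, n))) / m[r][r]
    return y

def mahalanobis(v, mean, cov):
    """sqrt(d^T cov^-1 d), computed without forming the inverse explicitly."""
    d = [a - b for a, b in zip(v, mean)]
    return math.sqrt(max(0.0, sum(di * yi for di, yi in zip(d, solve(cov, d)))))

def build_profile(records, alpha):
    """Normal profile: mean TAM, its covariance, and mean/std of the training MDs."""
    tams = [tam_lower(r) for r in records]
    g, n = len(tams), len(tams[0])
    mean = [sum(t[i] for t in tams) / g for i in range(n)]
    cov = [[sum((t[i] - mean[i]) * (t[j] - mean[j]) for t in tams) / (g - 1)
            for j in range(n)] for i in range(n)]
    mds = [mahalanobis(t, mean, cov) for t in tams]
    mu = sum(mds) / g
    sigma = math.sqrt(sum((d - mu) ** 2 for d in mds) / (g - 1))
    return {"mean": mean, "cov": cov, "mu": mu, "sigma": sigma, "alpha": alpha}

def is_attack(profile, record):
    """Flag the record when its MD falls outside mu +/- alpha * sigma (assumed rule)."""
    md = mahalanobis(tam_lower(record), profile["mean"], profile["cov"])
    return abs(md - profile["mu"]) > profile["alpha"] * profile["sigma"]

# Constructed legitimate traffic: (packets/s, mean packet size, flows/s), g = 500.
rng = random.Random(7)
TRAINING = [(rng.gauss(100, 5), rng.gauss(500, 20), rng.gauss(40, 2)) for _ in range(500)]
PROFILE = build_profile(TRAINING, alpha=3)
print(is_attack(PROFILE, (105, 520, 42)))   # record close to the training traffic
print(is_attack(PROFILE, (5000, 60, 40)))   # flood-like record: many small packets
```

Because the rule is two-sided, a small `alpha` can also flag records whose MD is unusually close to zero, so the choice of `alpha` trades false positives against missed attacks.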
Conclusion..
• The MCA-based TAM technique enables our system to distinguish both known and unknown DoS attacks from legitimate network traffic.
• The MCA-based TAM technique will provide:
• More detection accuracy.
• Accurate characterization of traffic behaviors and detection of known and unknown attacks respectively.