Academic year: 2020

An Intrusion Detection System Using Optimized SVM For Detecting DDoS In Cloud

M. Mayuranathan, Dr. M. Murugan, Dr. V. Dhanakoti

Abstract— Cloud computing is one of the most advanced techniques in the field of information technology. It has turned out to be user friendly, as it offers scalability and flexibility in the services rendered to end users, and it is also known to offer a variety of services on demand. The ultimate goal of the technique is to meet the demands of its users; these demands are catered for at three different levels of the cloud, namely the infrastructure, platform and software levels. The cloud environment is susceptible to various kinds of offenses, one of which is the DoS or DDoS attack, which can lead to a major breach in security. A training data set is therefore considered in the cloud environment and its data type is determined at the initial stage; if it belongs to the non-linear type, the SVM employs a kernel trick for mapping, in which the original input space is mapped onto a high-dimensional feature space. This mapping is done so as to improve the generalization ability of the classifier. The genetic algorithm deployed in this strategy is a stochastic and heuristic search algorithm inspired by the natural evolution process. This work discusses the deployment and application of the genetic algorithm and support vector machine (GA–SVM) method, integrated with a parameter optimization procedure, for the purpose of detecting DDoS in the cloud.

Index Terms— Denial of Service (DoS), Distributed Denial of Service (DDoS), Genetic Algorithm (GA), Support Vector Machine (SVM)

1 INTRODUCTION

The field of information technology offers a wide variety of services to end users. Cloud computing is one such advanced platform of the IT field that is now increasingly deployed for offering on-demand services to end users. Cloud computing is thus viewed as a centralized pool of configurable computing resources and computing outsourcing mechanisms, and it offers a wide range of computing services to its users. The security aspects of the cloud have turned out to be an emerging sub-domain among the various existing platforms today; the sub-domains viewed in the cloud environment concentrate on security aspects such as computer security, network security and information security. Various benefits can be derived from cloud computing technology; cost savings, high availability, flexibility and easy scalability are a few among them. One of the major sources of information today is the Internet, which has turned out to be the most dominant part of the cloud. The dominant nature of the Internet has urged the necessity of keeping it available throughout, as the demand for its services has increased enormously. Another common feature of the cloud is its distributed nature. As the cloud is distributed, the possibility that an intruder or a third person intrudes into the network illegally to access its contents increases. The Internet is thus observed to be susceptible to various types of attacks; one such is the Denial of Service (DoS) attack. operator. There exist certain forms of intrusion detection systems that react in some way once an intrusion is detected. This reaction involves either containing the damage or preventing it from occurring; a suitable example would be to terminate the entire network immediately. On the other hand, when the IDS detects an intrusion it logs the event, preserves the relevant data/traffic, informs the administrator concerned, or in certain cases tries to intervene in the process directly. One of the noticeable benefits of the intrusion detection system is that the preserved data and logs offer valuable forensic details that can be used as the most promising evidence in legal cases devised against the illegal intruders [4]. Cloud computing has been observed as one of the techniques more susceptible to the various forms of attacks and attackers. Attacks from the outside environment can be prevented by employing conventional network security channels such as the firewall, whereas attacks emerging within the networks, or certain deadliest forms of attack such as DoS and DDoS, cannot be that easily controlled or prevented using the conventional methodologies. The above mentioned limitations can be handled suitably by intrusion detection systems. As far as security-related factors are concerned, the IDS plays a vital role in enhancing and strengthening the security parameters of the cloud. This is done by devising mechanisms to detect both known and unknown attacks, and by doing so intrusion detection systems safeguard the confidentiality, integrity and availability of the network concerned. It has been observed that this intrusion detection system can stand either as an individual hardware component, as an individual software component, or at times as a combination of both. The mechanism accomplished by the intrusion detection system is that it acquires the necessary data content from the network and informs the network manager in charge, either by mailing the acquired information or by logging the intrusion event [5]. The first and foremost responsibility of the detection system is to differentiate normal traffic from flooded traffic; this can be accomplished by adopting anomaly detection mechanisms, which model the traffic patterns by considering their behavior. The final results differentiate the normal patterns from the attack patterns. Distinguishing the traffic patterns this way is considered a tedious procedure in today's scenario, as the growth of the Internet has taken new leaps and bounds. Various strategies have been identified in recent times for identifying and preventing the various types of offenses encountered by the information sector; these mechanisms are identified as the stateful firewall and the intrusion detection or prevention systems (IDS, IPS) incorporated for detecting and preventing DDoS attacks. These strategies have been found to be vulnerable to the DDoS attack, as the state tables in the firewalls concerned were observed to be overwhelmed by a moderately sized DDoS attack. An inbuilt DDoS defense mechanism should possess the ability to differentiate approaching attack packets from genuine packets; this differentiation must possess a high degree of perfection and accuracy, together with minimized resource consumption and low false negative and positive rates [6]. As far as this work is concerned, the cloud computing technique has been found to introduce some relevant paths of attack.

M. Mayuranathan, Assistant Professor, CSE Department, SRM Valliammai Engineering College, SRM Nagar, Kattankulathur, Chennai – 603 203, Tamilnadu, India. Email [email protected]

Dr. M. Murugan, Professor and Vice-Principal, ECE Department, SRM Valliammai Engineering College, SRM Nagar, Kattankulathur, Chennai 603 203, Tamilnadu, India. Email: [email protected]
The most important feature of the DoS attack is that it very well disrupts the various forms of online operations. The above mentioned limitations can be alleviated by introducing new strategies for determining the existing anomalies in the cloud environment. This new incorporation relies on the existing traffic patterns; thorough analysis of the traffic patterns establishes the type of proposal required. The information obtained can then be integrated with the corresponding Support Vector Machine (SVM) model, to which these features are supplied. The above mentioned integration model represents a novel and effective approach for determining the various anomalous events in the cloud environment. Another important duty is to establish the forecasting task; this is accomplished by the Poisson process, which has been observed to be suitable for dynamic environments such as the cloud computing environment. As far as binary classification is concerned, the SVM procedure is viewed as the best learning algorithm for performing the required classification tasks [7]. The forthcoming sections of this work are organized as follows: Section 2 comprises the review of work related to this study in the literature. Section 3 elaborates the details of the methodologies incorporated in this proposed work. Section 4 discusses the various experimental results obtained, and finally Section 5 concludes the concept accomplished in the proposed work.

2 RELATED WORKS


various existing symptoms of the DDoS attacks from its existing local data. The results obtained from the various detection mechanisms were consolidated to identify both the victim and the type of attacking services. This solution was computed by the authors with the help of a random dataset, and the results obtained proved the promising nature of the procedure in mitigating the DDoS attack in the service cloud. Ramamoorthi et al. [12] proposed an anomaly detection technique for detecting DDoS attacks by incorporating an Enhanced Support Vector Machine (ESVM) comprising string kernels. In the ESVM, the normal user access behavior attributes are adopted as the training samples used for producing the required model files. The ESVM also requires test samples; for this purpose the required data contents are aggregated both during the normal and the attack period. It has been observed that both application-layer and network-layer DDoS attacks can be classified in this strategy with a classification accuracy of around 99% with the ESVM. Kato and Klyuev [13] introduced strategies based on analyzing a large number of network packets offered by the Center for Applied Internet Data Analysis, and accomplished the intrusion detection system with the help of a support vector machine using the radial basis function (Gaussian) kernel. This detection system possesses the ability to identify DDoS attacks perfectly. She et al. [14] proposed a detection mechanism for the application-layer type of DDoS attack based on a One-Class Support Vector Machine (OC-SVM). The SVM is a relatively new machine learning strategy that functions with reference to statistics.
The SVM comprises certain special variants, one of which is the OC-SVM; it is considered a special variant because only normal data is required for training, and it has been found to be effective in the detection of application-layer DDoS attacks. This enabled the authors to reconstruct the normal users' browsing models with the help of the OC-SVM, and the authors used these models for detecting application-layer DDoS attacks. The numerical results of the simulation experiments demonstrate the efficiency of the detection strategy concerned.

3 METHODOLOGY

This section discusses the SVM kernel and the GA utilized for the SVM parameter optimization method.

3.1 SVM kernel

As far as the support vector machine is concerned, it is one of the kernel-based learning algorithms and essentially comprises a learning algorithm and a kernel function. The kernel function creates the hypothesis space, and it is in this space that the learning procedure takes place. The kernel in this method is a similarity measure between two inputs, corresponding to their inner product in the feature space onto which the original inputs are mapped. When considered for learning, this concept relies on a methodology that depends nonlinearly on the data, yet the learning algorithm itself adapts only to linear dependencies. As support vector machines belong to the linear type of classifiers, it becomes mandatory to map the input vectors through a nonlinear mapping in order to learn non-linear relations. The resulting output vectors are termed the features. Here the letter k denotes the input space, which can be any set, and the letter F denotes the feature vector space. For any mapping function

$\phi : k \to F$

the inner product of the mapped inputs is called a kernel function:

$k(x, z) = \langle \phi(x), \phi(z) \rangle$

One of the conditions that is mandatory is that the function $k(x, z)$ must be symmetric and finitely positive semi-definite. Analysis of the literature has revealed that there exist kernels of different types for different functions [15]. The SVMs comprise various classification methodologies that segregate the samples belonging to the various classes by tracing the maximum-margin hyperplanes contained in the kernel space, the space in which the mapping takes place. Increasing the distance of the samples to the optimal decision hyperplane is equivalent to minimizing the norm of w, therefore this term is the first term in the minimized functional. Better manipulation of this functional is achieved by considering the l2-norm of the weights:

$\min_{w, b, \xi_i} \; \frac{1}{2} \|w\|_2^2 + C \sum_{i} \xi_i$

constrained to

$y_i \left( \phi(x_i)^T w + b \right) \ge 1 - \xi_i, \quad i = 1, \dots, n$

$\xi_i \ge 0, \quad i = 1, \dots, n$


process of dealing with the various protruding errors.

As the vector variable w lies in a (possibly infinite) kernel feature space H, it becomes mandatory to solve the primal through its Lagrangian dual problem, which consists of maximizing

$L_d = \sum_{i} \alpha_i - \frac{1}{2} \sum_{i,j} \alpha_i \alpha_j y_i y_j \langle \phi(x_i), \phi(x_j) \rangle$

subject to the constraints $0 \le \alpha_i \le C$ and $\sum_{i} \alpha_i y_i = 0$, $i = 1, \dots, n$, where the auxiliary variables $\alpha_i$ are the Lagrange multipliers referring to the various restrictions. The variables present in the model can be adopted exclusively for performing the optimization, and the above strategy can be incorporated to avoid the explicit use of w. The mappings incorporated in the SVM learning strategy appear only in the form of inner products. The above statements lead to the formation of the kernel function K,

$K(x_i, x_j) = \langle \phi(x_i), \phi(x_j) \rangle$

and it is further possible to define the nonlinear SVM without explicitly considering the mapping function $\phi$.

Existence of the pair $\langle \phi, K \rangle$ is possible only under certain conditions; one such condition is that the kernel function K must fulfil Mercer's conditions. The following kernels are some of the most popular kernels satisfying these conditions [16].

Linear kernel:

$K(x_i, x_j) = \langle x_i, x_j \rangle$

Polynomial:

$K(x_i, x_j) = \left( \langle x_i, x_j \rangle + 1 \right)^d, \quad d \in \mathbb{Z}^+$

Radial Basis Function kernel (RBF):

$K(x_i, x_j) = \exp\left( - \frac{\|x_i - x_j\|^2}{2 \sigma^2} \right), \quad \sigma \in \mathbb{R}^+$

3.2 GA-SVM based Parameter Optimization Method

One of the methodologies that has achieved an enormous level of success in the classification of remote sensing images is the SVM. The ultimate goal here is to design an efficient classifier; this can be achieved by properly configuring the corresponding parameters of the SVM. Such configuration must be established prior to the accomplishment of the entire process. The parameter optimization approach adopted for the SVM technique functions in accordance with the strategies devised by the well known genetic algorithm.

Fitness function

One of the well known functions is the fitness function; this is a kind of objective function whose role is to evaluate and determine the quality of the chromosomes concerned. The ultimate objective of the GA-based SVM parameter optimization process is to design a fitness function for generating SVM parameters that are both reliable and effective for the SVM models concerned. The function of prime consideration is the assessment of the SVM's generalization ability; this can be accomplished by incorporating the K-fold cross-validation technique. The initial step involves the incorporation of the k-fold cross-validation (CV) classification rate into the GA fitness function. The SVM's enhanced generalization ability is due to the enhanced cross-validation classification rate. In the k-fold cross-validation scheme, the training data T is randomly segregated into k equal subsets T_1, …, T_k; a classifier is trained with k−1 of the subsets and then tested using the remaining subset T_i (i = 1, …, k). The training process is iterated k times, and the final classification rate is the average of all k classification rates. The k-fold cross-validation fitness F is obtained from the following relationship:

$F = \frac{1}{K} \sum_{i=1}^{K} \mathrm{rate}_{T_i}$
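As an added, runnable illustration of Sections 3.1 and 3.2 (this is not the paper's code), the Python below implements the three kernels listed above, trains a kernel SVM with a simplified SMO solver for the dual problem $L_d$, and runs a small genetic algorithm that tunes C and the RBF σ using the k-fold cross-validation rate F as its fitness. The two-feature flow records, the GA search ranges, the population size and the choice of SMO as the dual solver are assumptions of this example; the page does not describe the paper's own data set or GA operators.

```python
# Added example, not the paper's code: a kernel SVM trained by a simplified SMO
# solver for the dual of Section 3.1, plus a GA that tunes C and the RBF sigma
# with the k-fold cross-validation rate of Section 3.2 as fitness (all data constructed).
import math
import random

def linear_kernel(x, z):
    return sum(a * b for a, b in zip(x, z))

def poly_kernel(x, z, d=2):
    return (linear_kernel(x, z) + 1.0) ** d

def rbf_kernel(x, z, sigma=1.0):
    return math.exp(-sum((a - b) ** 2 for a, b in zip(x, z)) / (2.0 * sigma ** 2))

def train_svm(X, y, kernel, C=1.0, tol=1e-3, max_passes=5, max_iter=200, seed=0):
    """Simplified SMO: maximises L_d under 0 <= alpha_i <= C and sum(alpha_i*y_i) = 0.
    Returns a decision function mapping a feature vector to +1 (attack) or -1 (normal)."""
    rng, n = random.Random(seed), len(X)
    K = [[kernel(X[i], X[j]) for j in range(n)] for i in range(n)]  # Gram matrix
    a, b, passes, it = [0.0] * n, 0.0, 0, 0
    f = lambda i: sum(a[k] * y[k] * K[k][i] for k in range(n)) + b  # f(x_i)
    while passes < max_passes and it < max_iter:
        changed, it = 0, it + 1
        for i in range(n):
            Ei = f(i) - y[i]
            if not ((y[i] * Ei < -tol and a[i] < C) or (y[i] * Ei > tol and a[i] > 0)):
                continue  # alpha_i already satisfies its KKT condition
            j = rng.choice([k for k in range(n) if k != i])
            Ej, ai_old, aj_old = f(j) - y[j], a[i], a[j]
            if y[i] != y[j]:
                L, H = max(0.0, a[j] - a[i]), min(C, C + a[j] - a[i])
            else:
                L, H = max(0.0, a[i] + a[j] - C), min(C, a[i] + a[j])
            eta = 2 * K[i][j] - K[i][i] - K[j][j]
            if L == H or eta >= 0:
                continue
            a[j] = min(H, max(L, a[j] - y[j] * (Ei - Ej) / eta))  # clip to the box
            if abs(a[j] - aj_old) < 1e-5:
                continue
            a[i] += y[i] * y[j] * (aj_old - a[j])  # keeps sum(alpha_i * y_i) = 0
            b1 = b - Ei - y[i] * (a[i] - ai_old) * K[i][i] - y[j] * (a[j] - aj_old) * K[i][j]
            b2 = b - Ej - y[i] * (a[i] - ai_old) * K[i][j] - y[j] * (a[j] - aj_old) * K[j][j]
            b = b1 if 0 < a[i] < C else b2 if 0 < a[j] < C else (b1 + b2) / 2
            changed += 1
        passes = passes + 1 if changed == 0 else 0
    sv = [(a[k], y[k], X[k]) for k in range(n) if a[k] > 1e-8]  # support vectors
    return lambda x: 1 if sum(ak * yk * kernel(xk, x) for ak, yk, xk in sv) + b >= 0 else -1

def cv_fitness(X, y, make_classifier, k=5, seed=0):
    """k-fold cross-validation classification rate: the GA fitness F of Section 3.2."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    rates = []
    for i in range(k):
        train = [t for j in range(k) if j != i for t in folds[j]]
        clf = make_classifier([X[t] for t in train], [y[t] for t in train])
        rates.append(sum(clf(X[t]) == y[t] for t in folds[i]) / len(folds[i]))
    return sum(rates) / k

def ga_optimize(X, y, pop_size=6, generations=3, seed=0):
    """GA over chromosomes (log2 C, log2 sigma) with truncation selection, one-point
    crossover and Gaussian mutation. Returns (best fitness, best chromosome)."""
    rng = random.Random(seed)
    def fitness(ind):
        C, sigma = 2.0 ** ind[0], 2.0 ** ind[1]
        return cv_fitness(X, y, lambda Xt, yt: train_svm(
            Xt, yt, lambda p, q: rbf_kernel(p, q, sigma), C=C))
    pop = [[rng.uniform(-2, 6), rng.uniform(-3, 3)] for _ in range(pop_size)]
    best = (-1.0, None)
    for _ in range(generations):
        scored = sorted(((fitness(ind), ind) for ind in pop), reverse=True)
        best = max(best, scored[0], key=lambda s: s[0])
        parents = [ind for _, ind in scored[: pop_size // 2]]
        pop = [[g + rng.gauss(0, 0.5) for g in (p1[0], p2[1])]
               for p1, p2 in (rng.sample(parents, 2) for _ in range(pop_size))]
    return best

def ring_dataset(n_normal=12, n_attack=20):
    """Constructed two-feature flow records: normal flows cluster near the origin and
    flood flows surround them, so no straight line separates the two classes."""
    X, y = [], []
    for c, (radius, count, label) in enumerate([(0.8, n_normal, -1), (2.5, n_attack, 1)]):
        for i in range(count):
            t = 2 * math.pi * (i + 0.5 * c) / count
            X.append([radius * math.cos(t), radius * math.sin(t)])
            y.append(label)
    return X, y

def compare_kernels():
    """CV rate of each Section 3.1 kernel at a fixed C, and of the GA-tuned RBF SVM."""
    X, y = ring_dataset()
    kernels = [("linear", linear_kernel), ("poly", poly_kernel),
               ("rbf", lambda p, q: rbf_kernel(p, q, sigma=1.5))]
    rates = {name: cv_fitness(X, y, lambda Xt, yt, k=k: train_svm(Xt, yt, k, C=10.0))
             for name, k in kernels}
    rates["ga_rbf"], rates["ga_chromosome"] = ga_optimize(X, y)
    return rates
```

Running `compare_kernels()` shows the point of the kernel trick on this data: the linear kernel cannot separate a cluster from the ring around it, while the polynomial and RBF kernels can, and the GA returns the (C, σ) pair whose cross-validation rate was highest among the chromosomes it evaluated.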


Figure 1 Basic flowchart of GA–SVM method

4 RESULTS AND DISCUSSION

In this section we discuss the detection rate of DoS and DDoS attacks using the SVM polynomial kernel, the SVM RBF kernel and GA SVM.

Table 1 Detection rate for DDOS

Columns: False Acceptance Rate; Detection rate - SVM Polykernel; Detection rate - SVM RBF kernel; Detection rate - GA SVM

FAR    SVM Polykernel   SVM RBF kernel   GA SVM
0.01   0.865            0.874            0.894
0.05   0.885            0.894            0.915
0.1    0.905            0.925            0.933
0.15   0.934            0.954            0.963
0.2    0.953            0.952            0.962
0.25   0.964            0.985            0.985
0.3    0.983            0.983            0.983
0.35   0.983            0.983            0.982
0.4    0.984            0.985            0.985
0.45   0.983            0.984            0.985
0.5    0.984            0.984            0.984
0.55   0.984            0.982            0.984
0.6    0.983            0.982            0.983
0.65   0.983            0.983            0.982
0.7    0.985            0.983            0.984
0.75   0.985            0.982            0.985
0.8    0.985            0.985            0.985
0.85   0.985            0.982            0.983
0.9    0.983            0.984            0.984
0.95   0.984            0.982            0.984
1      0.984            0.985            0.984

Figure 2 Detection rate for DDOS

From Table 1 and Figure 2, it can be found that the average detection rate of the DDoS attack has considerably improved, by around 0.34%, between the SVM Poly kernel and the SVM RBF kernel. Further, the average detection rate of the DDoS attack has improved by around 0.37% between the SVM RBF kernel and GA SVM.

Table 2 Detection rate for DOS

Columns: False Acceptance Rate; Detection rate - SVM Polykernel; Detection rate - SVM RBF kernel; Detection rate - GA SVM

FAR    SVM Polykernel   SVM RBF kernel   GA SVM
0.01   0.909            0.909            0.924
0.05   0.928            0.93             0.944
0.1    0.95             0.959            0.965
0.15   0.979            0.988            0.99
0.2    0.99             0.99             0.992
0.25   0.991            0.99             0.992
0.3    0.989            0.992            0.99
0.35   0.991            0.989            0.991
0.4    0.991            0.99             0.99
0.45   0.991            0.991            0.991
0.5    0.989            0.99             0.99
0.55   0.989            0.989            0.99
0.6    0.99             0.989            0.989
0.65   0.988            0.99             0.992
0.7    0.989            0.99             0.991
0.75   0.99             0.99             0.991
0.8    0.989            0.99             0.992
0.85   0.99             0.991            0.992
0.9    0.991            0.991            0.992
0.95   0.989            0.991            0.99


Figure 3 Detection rate for DOS

From Table 2 and Figure 3, it can be determined that the average detection rate of the DoS attack has further increased, by around 0.13%, between the SVM Poly kernel and the SVM RBF kernel. Similarly, the average detection rate of the DoS attack has improved by around 0.24% between the SVM RBF kernel and GA SVM.
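The detection-rate figures in Tables 1 and 2 are read at a fixed false acceptance rate: the alert threshold is chosen so that at most that fraction of normal traffic is flagged, and the detection rate is the share of attack traffic flagged at that threshold; the averages the paper compares are means over the FAR grid. The Python below, added here as an example (it is not the paper's code, and the page gives no per-flow scores), computes such a curve and its average from classifier scores; the score lists and the FAR grid are constructed.

```python
# Added example, not the paper's code: detection rate at a target false acceptance
# rate, computed from per-flow anomaly scores (higher score = more attack-like).
# NORMAL_SCORES, ATTACK_SCORES and FAR_GRID below are constructed sample values.
import math

def detection_rate_at_far(normal_scores, attack_scores, far_targets):
    """For each target FAR, set the alert threshold so that at most that fraction of
    *normal* flows is flagged, then report the fraction of attack flows flagged at
    that threshold (the detection rate). Flows are flagged when score > threshold."""
    normal = sorted(normal_scores, reverse=True)
    rows = []
    for far in far_targets:
        allowed = int(far * len(normal) + 1e-9)  # how many normals we may misflag
        # the (allowed+1)-th highest normal score is the threshold: scores strictly
        # above it are exactly the `allowed` highest normals (no ties assumed)
        thr = normal[allowed] if allowed < len(normal) else -math.inf
        actual_far = sum(s > thr for s in normal) / len(normal)
        detection = sum(s > thr for s in attack_scores) / len(attack_scores)
        rows.append({"far": far, "threshold": thr,
                     "actual_far": actual_far, "detection_rate": detection})
    return rows

def average_detection_rate(rows):
    """Mean detection rate over the FAR grid, the quantity the paper's comparisons use."""
    return sum(r["detection_rate"] for r in rows) / len(rows)

# Constructed scores: normal flows score in (0, 1], flood flows in [0.6, 1.5],
# so the classes overlap in the 0.6-1.0 band and a low FAR costs detection rate.
NORMAL_SCORES = [i / 20 for i in range(1, 21)]
ATTACK_SCORES = [i / 10 for i in range(6, 16)]
FAR_GRID = [0.01, 0.05, 0.1, 0.2, 0.5, 1.0]

def demo():
    rows = detection_rate_at_far(NORMAL_SCORES, ATTACK_SCORES, FAR_GRID)
    for r in rows:
        print(f"FAR<={r['far']:.2f}  thr={r['threshold']:.3f}  "
              f"actual FAR={r['actual_far']:.2f}  DR={r['detection_rate']:.2f}")
    print("average detection rate:", average_detection_rate(rows))
    return rows
```

On the constructed scores the curve rises from a detection rate of 0.5 at FAR ≤ 0.01 to 1.0 at FAR ≥ 0.5, which is the shape of the first rows of Tables 1 and 2; comparing two detectors by their average over a FAR grid, as the paper does, weights every FAR point equally, so the low-FAR region where detectors differ most contributes only a small part of the average.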

5 CONCLUSION

Cloud computing holds the privilege of revolutionizing the way the Internet is adopted and used today; it has converted the process into a service on a pay-per-usage basis. Various benefits are offered by the cloud today, from the range of services to enhanced profits for both individuals and organizations, and the cloud has played massive roles; due to its distributed nature and widespread usage, the cloud has been observed to face a high risk of attack. Among the various existing offenses, the DoS or DDoS attack has been found to be the most dangerous type, which can eventually lead to a major breach in the security of the system. As far as this work is concerned, the quality of the SVMs has been improved in considerable ways for solving the existing classification problems by adopting mapping strategies, where the training data is mapped onto the feature space with the help of the Laguerre kernel functions, after which the data is segregated with the help of a large-margin hyperplane. Thus an application of the GA–SVM method integrated with parameter optimization techniques has been presented. The experimental results portray the average detection rate of the DDoS attack, which illustrates a considerable rise of around 0.34% when compared with the SVM Poly kernel and the SVM RBF kernel.

REFERENCES

[1] P. Ankita, F. Khatiwala, "Survey on DDoS attack detection and prevention in cloud", International Journal of Engineering Technology, Management and Applied Sciences, 3(2), 43-7, 2015.

[2] V. Vidhya, "A Review of DOS Attacks in Cloud Computing", IOSR Journal of Computer Engineering (IOSRJCE), 16(5), 32-35, 2014.

[3] M. Rahman, W. M. Cheung, "A novel cloud computing security model to detect and prevent DoS and DDoS attack", International Journal of Advanced Computer Science and Applications (IJACSA), 5(6), 2014.

[4] M. Bijone, "A Survey on Secure Network: Intrusion Detection & Prevention Approaches", American Journal of Information Systems, 4(3), 69-88, 2016.

[5] S. G. Kene, D. P. Theng, "A review on intrusion detection techniques for cloud computing and security challenges", in Electronics and Communication Systems (ICECS), 2015 2nd International Conference on, pp. 227-232, IEEE, 2015.

[6] P. Shamsolmoali, M. A. Alam, R. Biswas, "C2DF: High Rate DDOS filtering method in Cloud Computing", International Journal of Computer Network and Information Security, 6(9), 43, 2014.

[7] B. L. Dalmazo, J. P. Vilela, P. Simoes, M. Curado, "Expedite feature extraction for enhanced cloud anomaly detection", in IEEE/IFIP International Conference on Network Operations and Management Symposium (NOMS), 2016, pp. 1215-1220, IEEE, 2016.

[8] A. Sahi, D. Lai, Y. Li, M. Diykh, "An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment", IEEE Access, PP(99), pp. 1-1, 2017.

[9] O. Osanaiye, K. K. R. Choo, M. Dlodlo, "Change-point cloud DDoS detection using packet inter-arrival time", in Computer Science and Electronic Engineering (CEEC), 2016 8th, pp. 204-209, IEEE, 2016.

[10] O. P. Badve, B. B. Gupta, S. Yamaguchi, Z. Gou, "DDoS detection and filtering technique in cloud environment using GARCH model", in IEEE 4th Global Conference on Consumer Electronics (GCCE), 2015, pp. 584-586, IEEE, 2015.

[11] S. Alqahtani, R. F. Gamble, "DDoS attacks in service clouds", in System Sciences (HICSS), 8th Hawaii International Conference on, pp. 5331-5340, IEEE, 2015.

[12] A. Ramamoorthi, T. Subbulakshmi, S. M. Shalinie, "Real time detection and classification of DDoS attacks using enhanced SVM with string kernels", in 2011 International Conference on Recent Trends in Information Technology (ICRTIT), pp. 91-96, IEEE, 2011.

[13] K. Kato, V. Klyuev, "An Intelligent DDoS Attack Detection System Using Packet Analysis and Support Vector Machine", IJICR, 478-485, 2014.

[14] C. She, W. Wen, Z. Lin, K. Zheng, "Application-Layer DDOS Detection Based On A One-Class Support Vector Machine", International Journal of Network Security & Its Applications (IJNSA), 9(1), pp. 13-24, 2017.

[15] A. Afifi, "Laguerre kernels-based SVM for image classification", International Journal of Advanced Computer Science and Applications, 5(1), 2014.

[16] G. Camps-Valls, L. Bruzzone, "Kernel-based methods for hyperspectral image classification", IEEE Transactions on Geoscience and Remote Sensing, 43(6), 1351-1362, 2005.

[17] K. M. Ravindra, G. P. Chandrashekhar, "Classification of Satellite images based on SVM classifier Using Genetic Algorithm", International Journal of Innovative Research in Electrical, Electronics, Instrumentation and Control
