ABSTRACT
This research work produces a functional algorithm for detecting anomalous traffic data in network Transport Control Protocol (TCP) traffic. It proposes a 'Synchronize' (SYN) packet flood Distributed Denial of Service (SYN Flood DDoS) attack detection algorithm for TCP, in order to analyze and examine network traffic traces and see how this affects the detection of anomalies in distributed attacks. The anomaly detection algorithm was developed using the Object-Oriented Software Engineering (OOSE) methodology, which is compliant with Model-Driven Architecture (MDA) in its development processes. The algorithm deploys an Entity-Relationship model to organize the main information object. The Java programming language was chosen for the implementation of the proposed algorithm. Finally, detection of SYN Flood DDoS attacks was performed on network packet traces (datasets) captured from 15th through 24th November 2017 to determine how well anomalies are detected on TCP network protocols. The results obtained while testing the proposed algorithm summarize the SYN Flood DDoS attacks detected in each of the network packet traces. Attacks were detected in only four datasets, namely the network packet traces captured on 15th, 16th, 22nd and 24th November 2017, while the other six datasets were attack free. All the attacks detected occurred in less than 1 minute. The result obtained in this experiment using the proposed JLP (Java Logical Program) SYN Flood DDoS attack detection algorithm shows that a SYN flood attack inundates a host server with [SYN] segments carrying forged (spoofed) source IP addresses that are non-existent or unreachable. The host server responds with [SYN, ACK] segments to these addresses and then waits for the corresponding acknowledgement [ACK] segments. Because the responses were sent to non-existent or unreachable IP addresses, the host server never receives an [ACK], and the connections eventually time out.
The JLP algorithm then continues to detect these attacks as floods of incomplete TCP connections ([SYN] and [SYN, ACK] without an [ACK]); the detection result shows that the attacker is effectively attempting to fill the victim's connection memory buffer, because once this buffer is full the host can no longer process new TCP connection requests.
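The detection idea described in the abstract (a [SYN] answered by a [SYN, ACK] that is never completed by an [ACK], repeated many times from many sources within a short interval) can be stated as a small replay of the handshake state machine over a trace. The following is an added illustration written for this edit; it is not the thesis's JLP Java program and does not reproduce its logic. It assumes a simplified packet record with a pre-decoded flag string, a constructed sample trace (not one of the WIDE MAWI datasets), and an assumed 60-second window and a threshold of five half-open connections as tuning values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified packet record; a real trace would come from a pcap parser.
@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since the start of the trace
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # source TCP port
    dport: int   # destination TCP port
    flags: str   # simplified flag set: "SYN", "SYN-ACK" or "ACK"

# (client, server, client_port, server_port), oriented from the initial [SYN]
Key = Tuple[str, str, int, int]


def handshake_states(packets: List[Packet]) -> Dict[Key, Tuple[str, float]]:
    """Replay the trace and record, per client/server 4-tuple, how far the
    three-way handshake got ("syn", "syn_ack" or "established") together
    with the timestamp of the initial [SYN]."""
    states: Dict[Key, Tuple[str, float]] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags == "SYN":
            states[(p.src, p.dst, p.sport, p.dport)] = ("syn", p.ts)
        elif p.flags == "SYN-ACK":
            # the server answers, so the 4-tuple is reversed relative to the [SYN]
            key = (p.dst, p.src, p.dport, p.sport)
            if key in states and states[key][0] == "syn":
                states[key] = ("syn_ack", states[key][1])
        elif p.flags == "ACK":
            key = (p.src, p.dst, p.sport, p.dport)
            if key in states and states[key][0] == "syn_ack":
                states[key] = ("established", states[key][1])
    return states


def detect_syn_flood(packets: List[Packet], window: float = 60.0,
                     threshold: int = 5) -> List[dict]:
    """Flag a server when at least `threshold` half-open connections
    ([SYN] answered by [SYN, ACK] but never completed with [ACK]) have
    their initial [SYN] inside some `window`-second interval.
    `window` and `threshold` are assumed tuning values for this example."""
    half_open = defaultdict(list)   # server -> [(syn_ts, client_ip)]
    for (client, server, _, _), (state, syn_ts) in handshake_states(packets).items():
        if state == "syn_ack":
            half_open[server].append((syn_ts, client))

    alerts = []
    for server, entries in half_open.items():
        entries.sort()
        times = [t for t, _ in entries]
        best = None                  # (count, start_index, end_index)
        start = 0
        for end in range(len(times)):       # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            count, start, end = best
            sources = {c for _, c in entries[start:end + 1]}
            alerts.append({
                "server": server,
                "half_open": count,
                # many distinct sources that never complete a handshake is the
                # signature of forged (spoofed) source addresses
                "unique_sources": len(sources),
                "duration": times[end] - times[start],
            })
    return alerts


def build_sample_trace() -> List[Packet]:
    """Constructed trace for demonstration (not one of the WIDE MAWI datasets)."""
    pkts = [
        # one legitimate client completes the full handshake
        Packet(0.0, "10.0.0.5", "192.0.2.10", 40000, 80, "SYN"),
        Packet(0.1, "192.0.2.10", "10.0.0.5", 80, 40000, "SYN-ACK"),
        Packet(0.2, "10.0.0.5", "192.0.2.10", 40000, 80, "ACK"),
    ]
    # eight forged sources each send a [SYN], receive a [SYN, ACK], never [ACK]
    for i in range(8):
        spoofed = f"198.51.100.{i + 1}"
        pkts.append(Packet(1.0 + 0.2 * i, spoofed, "192.0.2.10", 50000 + i, 80, "SYN"))
        pkts.append(Packet(1.05 + 0.2 * i, "192.0.2.10", spoofed, 80, 50000 + i, "SYN-ACK"))
    return pkts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_trace()):
        print(alert)
```

On the constructed trace the legitimate client reaches the "established" state and is ignored, while the eight half-open connections within 1.4 seconds produce one alert for the server, reporting eight half-open connections from eight distinct sources. In practice the threshold should be set from the server's normal half-open backlog observed over a baseline period, and the window kept short, since the thesis reports that every detected attack lasted under a minute.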
CHAPTER ONE INTRODUCTION
1.1 BACKGROUND OF STUDY
Ever since computers and the critical data they hold made headlines, so have malicious programs, attacks and the threat landscape. There are thousands of cases of malware infections, zombies and trojans taking over networks at a fast pace. The amount of data that passes through any switch, router or firewall is enormous: 'gigabits of traffic' flow every second through perimeter and internal networking devices. To protect this vast amount of data, designers have deployed host-level as well as network-level controls and software. Every security measure deployed makes it one step harder for attackers to gain access to internal resources. There are devices that check for malware patterns, perform heuristic scans, and find patterns that resemble a blacklisted file or a cyber-threat. This technology is termed Deep Packet Inspection (DPI) because it inspects the payload as well as the protocol details of every packet against a set of signatures to match. But with the constant evolution of attack vectors, it has become a frantic fire-fighting exercise to match every type and strain of malware or every style and pattern of attack. Moreover, the detection gap between malicious and benign software is shrinking rapidly. It is therefore very important to have something that can help narrow down the spread of a malicious file. A traffic anomaly is anything that is not expected in day-to-day traffic: something that deviates from the norm and raises an alarm. It can be a huge number of requests or responses, a particular TCP flag, DNS queries, anything.
1.2 PROBLEM STATEMENT
Life cannot be imagined without security, as it is one of the basic needs. Similarly, computer security is at the heart of today's technological world. Many organizations have been looking to move their services and business processes to the cloud, so employees need access from remote locations, and the increasing number of online transactions also promotes an internet solution [1]. Data protection is the most important security issue in a cloud environment. In the service provider's data center, protecting data privacy and managing compliance are critical, and are addressed by encrypting data in transit to the cloud and managing the encryption keys. Denial of Service (DoS) attacks are popular due to their ability to significantly affect networks. A DoS attack, as the name implies, exhausts the resources of the target network by sending invalid traffic. A DoS attack carried out by multiple devices is known as a Distributed Denial of Service (DDoS) attack. DDoS is considered to be the biggest threat to networks. This work intends to address these problems by producing a functional algorithm for detecting anomalous traffic data in Transport Control Protocol (TCP) networks.
1.3 AIM & OBJECTIVES OF THE WORK
The aim of this project is to produce a functional algorithm for detecting anomalous traffic data in network Transport Control Protocol (TCP) traffic. The objectives are:
❖ to deploy an Entity-Relationship model in organizing the main information object;
❖ to develop an application that stores captured network traffic traces in a database, performs detection of SYN Flood DDoS attacks automatically using the proposed algorithm, and displays the results in an enhanced form;
❖ to study the effect of SYN Flood Distributed Denial of Service (DDoS) anomalies on network Transport Control Protocol (TCP) traffic data.
1.4 SIGNIFICANCE OF THE STUDY
This research work is expected to reveal the possible variation in the normal behaviour of Transport Control Protocol (TCP) network traffic data due to the presence of SYN Flood Distributed Denial of Service (DDoS) attacks. It will also develop an anomaly detection algorithm, which is an important tool for detecting SYN Flood DDoS attacks automatically. The validation of the proposed algorithm will compare existing algorithms with the proposed algorithm with respect to the normal connection establishment process of TCP network traffic packets.
1.5 SCOPE OF THE STUDY
This research provides an extensive literature review of related technologies and existing works. It also produces a functional algorithm for detecting SYN Flood Distributed Denial of Service attacks on network Transport Control Protocol traffic packet traces collected from the WIDE MAWI Working Group repository directory, which is publicly available to researchers. The WIDE MAWI Working Group has carried out network traffic measurement, analysis, evaluation and verification since the beginning of the WIDE Project.
The proposed algorithm was developed such that it can store network traffic packet traces, detect SYN Flood Distributed Denial of Service attacks automatically in each of the network traffic packet traces (datasets) captured from 15th to 24th November 2017, and display the results in an enhanced form. Finally, results were obtained and discussed, and a conclusion was drawn from the findings.
1.6 ORGANIZATION OF THE REPORT
Chapter One provides the background of the study, the aim and objectives of the work, the problem statement, the significance of the study and the scope of the study.
Chapter Two presents background information on existing research in the fields of network data centers, cloud computing architecture, cloud computing stack, data center traffic, traffic analysis, anomaly detection and anomaly detection techniques. This information is necessary to understand decisions taken throughout the course of this work.
Chapter Three describes the direction this project takes in order to achieve its objectives: the process involved in data acquisition, the important attributes of the data, and what those attributes reveal about the data transfer and its nature, all discussed extensively under the data analysis section.
Chapter Four provides details on the exact experiment scenarios that were conducted such as the development, implementation and testing processes. The results of these experiments are shown using plots and analyzed based on their behaviour.
Chapter Five concludes this work by summarizing all the research carried out during this project. Limitations, the key findings based on the presented results, and suggestions for future work and improvements are all given.