A Cluster-based Approach Towards Detecting and Modeling Network Dictionary Attacks

A. Tajari Siahmarzkooh, J. Karimpour, S. Lotfi


In this paper, we provide an approach to detect network dictionary attacks using a data set collected as flows, from which a clustered graph is built. These flows provide an aggregated view of the network traffic, in which the packets exchanged in the network are considered so that more internally connected nodes are clustered together. We show that dictionary attacks can be detected through several parameters, namely the number and the weight of clusters in the time series and their evolution over time. Additionally, a Markov model based on the average weight of clusters is created. Finally, by means of our suggested model, we demonstrate that artificial clusters of the flows are created for normal and malicious traffic. The results of the proposed approach on the CAIDA 2007 data set suggest a high accuracy for the model and, therefore, it provides a suitable method for detecting dictionary attacks.


intrusion detection; Markov chain; graph clustering; dictionary attack





eISSN: 1792-8036     pISSN: 2241-4487