A Cluster-based Approach Towards Detecting and Modeling Network Dictionary Attacks


  • A. Tajari Siahmarzkooh Department of Computer Science, University of Tabriz, Tabriz, Iran
  • J. Karimpour Department of Computer Science, University of Tabriz, Tabriz, Iran
  • S. Lotfi Department of Computer Science, University of Tabriz, Tabriz, Iran
Volume: 6 | Issue: 6 | Pages: 1227-1234 | December 2016 | https://doi.org/10.48084/etasr.937


In this paper, we provide an approach to detect network dictionary attacks using a data set collected as flows, from which a clustered graph is built. These flows provide an aggregated view of the network traffic in which the packets exchanged in the network are considered, so that more internally connected nodes are clustered together. We show that dictionary attacks can be detected through some parameters, namely the number and the weight of clusters in time series and their evolution over time. Additionally, a Markov model based on the average weight of clusters is created. Finally, by means of our suggested model, we demonstrate that artificial clusters of the flows are created for normal and malicious traffic. The results of the proposed approach on the CAIDA 2007 data set suggest a high accuracy for the model and, therefore, it provides a proper method for detecting the dictionary attack.


intrusion detection, Markov chain, graph clustering, dictionary attack






How to Cite

A. Tajari Siahmarzkooh, J. Karimpour, and S. Lotfi, “A Cluster-based Approach Towards Detecting and Modeling Network Dictionary Attacks”, Eng. Technol. Appl. Sci. Res., vol. 6, no. 6, pp. 1227–1234, Dec. 2016.

