Quality of Service in Heterogeneous Networks. 6th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, QShine 2009 and 3rd International Workshop on Advanced Architectures and Algorithms for Internet Delivery and Applications, AAA-IDEA 2009, Las Palmas, Gran Canaria, November 23-25, 2009 Proceedings

Research Article

Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data

  • @INPROCEEDINGS{10.1007/978-3-642-10625-5_26,
        author={Walter Cerroni and Gabriele Monti and Gianluca Moro and Marco Ramilli},
        title={Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data},
        proceedings={Quality of Service in Heterogeneous Networks. 6th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, QShine 2009 and 3rd International Workshop on Advanced Architectures and Algorithms for Internet Delivery and Applications, AAA-IDEA 2009, Las Palmas, Gran Canaria, November 23-25, 2009 Proceedings},
        proceedings_a={QSHINE},
        year={2012},
        month={10},
        keywords={Network security, distributed intrusion detection, SNMP, data mining, data clustering, peer-to-peer},
        doi={10.1007/978-3-642-10625-5_26}
    }
    
  • Walter Cerroni
    Gabriele Monti
    Gianluca Moro
    Marco Ramilli
    Year: 2012
    Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data
    QSHINE
    Springer
    DOI: 10.1007/978-3-642-10625-5_26
Walter Cerroni1,*, Gabriele Monti1,*, Gianluca Moro1,*, Marco Ramilli1,*
  • 1: University of Bologna
*Contact email: walter.cerroni@unibo.it, gabriele.monti4@unibo.it, gianluca.moro@unibo.it, marco.ramilli@unibo.it

Abstract

Network intrusion detection is a key security problem that can be tackled with different approaches. This paper describes a novel methodology for network attack detection that applies data mining techniques to traffic information which a monitoring station collects from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, based on unsupervised clustering, makes it possible to distinguish normal traffic behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected through a peer-to-peer overlay network in order to share the knowledge base acquired with the proposed methodology, thus increasing their detection capabilities. An experimental test-bed has been implemented that reproduces a real web server subjected to several attack techniques. The results show the effectiveness of the proposed solution: no true attack goes undetected and the false-positive rate (i.e. false alarms) is very low.
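The abstract describes the pipeline only in outline: poll SNMP counters, cluster the per-interval deltas without labels, treat the dominant cluster as normal behaviour and the outliers as attack classes. The following is an added illustration of that idea, not code from the paper or its test-bed. It assumes a monitoring station already polls four MIB-II counters (ifInOctets, ifInUcastPkts, tcpPassiveOpens, icmpInMsgs) once per interval and stores the deltas; the sample rows, the choice of k = 3, the farthest-point seeding and the "largest cluster is benign" rule are all assumptions made for the example. The model dictionary returned by build_model is the kind of compact knowledge base (normalisation parameters plus centroids) that stations could exchange over a peer-to-peer overlay, which the paper describes but this block does not implement.

```python
"""Unsupervised clustering of per-interval SNMP counter deltas (added example)."""
import math
from statistics import mean, pstdev

# Feature order: deltas of four MIB-II counters over one polling interval.
FEATURES = ("ifInOctets", "ifInUcastPkts", "tcpPassiveOpens", "icmpInMsgs")

# Constructed sample data. The label is kept only so the result can be checked;
# the clustering itself never sees it (unsupervised learning).
SAMPLES = [
    # ordinary web traffic: moderate volume, few new connections, little ICMP
    ("normal", (1_200_000, 1_500, 40, 5)),
    ("normal", (1_350_000, 1_600, 45, 6)),
    ("normal", (1_100_000, 1_400, 38, 4)),
    ("normal", (1_400_000, 1_700, 50, 7)),
    ("normal", (1_250_000, 1_550, 42, 5)),
    ("normal", (1_300_000, 1_600, 44, 6)),
    # SYN flood: many tiny packets, a burst of passive opens, few bytes
    ("syn_flood", (900_000, 15_000, 9_000, 5)),
    ("syn_flood", (950_000, 16_000, 9_500, 6)),
    ("syn_flood", (880_000, 14_500, 8_800, 4)),
    # ICMP flood: packet count and ICMP message count explode together
    ("icmp_flood", (1_600_000, 20_000, 41, 19_000)),
    ("icmp_flood", (1_700_000, 21_000, 43, 20_000)),
    ("icmp_flood", (1_550_000, 19_500, 40, 18_500)),
]


def zscore_params(vectors):
    """Per-feature mean and population std; std of 0 is replaced by 1 to avoid division by zero."""
    cols = list(zip(*vectors))
    return [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]


def normalize(vec, mu, sigma):
    return tuple((x - m) / s for x, m, s in zip(vec, mu, sigma))


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k):
    """Farthest-point seeding: deterministic, so the run is reproducible."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, max_iter=100):
    """Plain Lloyd iteration over already-normalised points."""
    centroids = init_centroids(points, k)
    assign = [None] * len(points)
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == assign:
            break
        assign = new
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(mean(col) for col in zip(*members))
    return centroids, assign


def build_model(raw_vectors, k=3):
    """Cluster raw counter deltas; the largest cluster is assumed to be benign traffic."""
    mu, sigma = zscore_params(raw_vectors)
    points = [normalize(v, mu, sigma) for v in raw_vectors]
    centroids, assign = kmeans(points, k)
    sizes = [assign.count(j) for j in range(k)]
    return {"mu": mu, "sigma": sigma, "centroids": centroids, "sizes": sizes,
            "normal_cluster": sizes.index(max(sizes)), "assign": assign}


def classify(model, raw_vector):
    """Return (cluster index, is_attack) for a freshly polled delta vector."""
    p = normalize(raw_vector, model["mu"], model["sigma"])
    j = min(range(len(model["centroids"])), key=lambda i: dist(p, model["centroids"][i]))
    return j, j != model["normal_cluster"]


def dominant_feature(model, j):
    """Feature with the highest centroid z-score: a rough hint at the attack type."""
    c = model["centroids"][j]
    return FEATURES[max(range(len(c)), key=lambda i: c[i])]


if __name__ == "__main__":
    model = build_model([v for _, v in SAMPLES])
    for j, size in enumerate(model["sizes"]):
        kind = "normal" if j == model["normal_cluster"] else "attack:" + dominant_feature(model, j)
        print(f"cluster {j}: {size} intervals, {kind}")
    print(classify(model, (920_000, 15_500, 9_200, 5)))
```

A practitioner would not stop at the "largest cluster is benign" rule: a station trained during a sustained flood would learn the attack as normal, so in practice the baseline is fixed from a known-clean period and the cluster set is revisited whenever peers report centroids that disagree with it.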