Research Article
Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data
@INPROCEEDINGS{10.1007/978-3-642-10625-5_26, author={Walter Cerroni and Gabriele Monti and Gianluca Moro and Marco Ramilli}, title={Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data}, proceedings={Quality of Service in Heterogeneous Networks. 6th International ICST Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, QShine 2009 and 3rd International Workshop on Advanced Architectures and Algorithms for Internet Delivery and Applications, AAA-IDEA 2009, Las Palmas, Gran Canaria, November 23-25, 2009 Proceedings}, proceedings_a={QSHINE}, year={2012}, month={10}, keywords={Network security distributed intrusion detection SNMP data mining data clustering peer-to-peer}, doi={10.1007/978-3-642-10625-5_26} }
- Walter Cerroni
Gabriele Monti
Gianluca Moro
Marco Ramilli
Year: 2012
Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data
QSHINE
Springer
DOI: 10.1007/978-3-642-10625-5_26
Abstract
Network intrusion detection is a key security issue that can be tackled by means of different approaches. This paper describes a novel methodology for network attack detection based on the use of data mining techniques to process traffic information collected by a monitoring station from a set of hosts using the Simple Network Management Protocol (SNMP). The proposed approach, adopting unsupervised clustering techniques, allows to effectively distinguish normal traffic behavior from malicious network activity and to determine with very good accuracy what kind of attack is being perpetrated. Several monitoring stations are then interconnected according to any peer-to-peer network in order to share the knowledge base acquired with the proposed methodology, thus increasing the detection capabilities. An experimental test-bed has been implemented, which reproduces the case of a real web server under several attack techniques. Results of the experiments show the effectiveness of the proposed solution, with no detection failures of true attacks and very low false-positive rates (i.e. false alarms).