Traffic flooding attack detection with SNMP MIB using SVM

Recently, as network flooding attacks such as DoS/DDoS and Internet Worm have posed devastating threats to network services, rapid detection and proper response mechanisms are the major concern for secure and reliable network services. However, most of the current Intrusion Detection Systems (IDSs) focus on detail analysis of packet data, which results in late detection and a high system burden to cope with high-speed network traffic. Little or no integration exists between IDS and SNMP-based network management, in spite of the extensive monitoring and statistical information provided by SNMP agents implemented on network devices and systems. In this paper we propose a lightweight and fast detection mechanism for traffic flooding attacks. Firstly, we use SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Secondly, we use a machine learning approach based on a Support Vector Machine (SVM) for attack classification. Using MIB and SVM, we achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The proposed mechanism is constructed in a hierarchical structure, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Using MIB datasets collected from real experiments involving a DDoS attack, we validate the possibility of our approaches. It is shown that network attacks are detected with high efficiency, and classified with low false alarms. 2008 Elsevier B.V. All rights reserved.