ISSN: 2332-0796
Journal of Electrical & Electronic Systems

Denial of Service (DoS) Attacks using PART Rule and Decision Table Rule

Aladesote O Isaiah*

Department of Computer Science, Federal Polytechnic, Ile – Oluji, Ondo State, Nigeria

*Corresponding Author:
Aladesote O Isaiah
Department of Computer Science
Federal Polytechnic, Ile – Oluji
Ondo State, Nigeria
Tel: +234-07039090114
E-mail: isaaladesote@fedpolel.edu.ng, lomaladesote@yahoo.com

Received Date: March 22, 2016; Accepted Date: April 24, 2017; Published Date: April 29, 2017

Citation: Isaiah AO (2017) Denial of Service (DoS) Attacks using PART Rule and Decision Table Rule. J Electr Electron Syst 6: 220. doi:10.4172/2332-0796.1000220

Copyright: © 2017 Isaiah AO. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.


Abstract

Network security has become a major and critical issue as a result of the vast growth in the field of Information Technology. This paper adopts the result of an existing attribute selection on the KDD ’99 dataset. The dataset was run through data deduplication software developed in the C# programming language, and the final mining analysis was carried out in the Waikato Environment for Knowledge Analysis (WEKA) using the PART and Decision Table algorithms. The performance was evaluated against related existing work using standard intrusion detection metrics. The Classification Rate of Decision Tree Rule, Part Rule and JRIP Rule are 98.14%, 99.4% and 99.1%, respectively. The False Alarm Rate of Decision Tree Rule, Part Rule and JRIP Rule are 0.86%, 0.43% and 0.55%, respectively. The Sensitivity of Decision Tree Rule, Part Rule and JRIP Rule is 92.6%, 98.3% and 97.2%, respectively, while the Specificity of Decision Tree Rule, Part Rule and JRIP Rule is 99.1%, 99.6% and 99.4%, respectively.

Keywords

Waikato Environment for Knowledge Analysis (WEKA); PART rule; Detection metrics; Decision table rule; Data deduplication

Introduction

Intrusion detection is an efficient method of dealing with network security related problems [1]. Network security has become a serious concern due to the development and expansion of the field of Information Technology [2]. This appreciable improvement in network technologies has opened a way for intruders or hackers to devise unauthorised means of entry into a network system. Therefore, an effective and timely Intrusion Detection System, which helps to enhance the security of a network, is needed when attacks are noticed [3]. Intrusion detection is a security approach used to protect computer networks from unauthorised access [1].

An intrusion can be defined as any attempt that violates the basic elements of information security: confidentiality, integrity and availability [4]. It is necessary to apply data mining in Intrusion Detection Systems owing to the huge amount of existing intrusion data and of newly emerging network data [5]. An effective and efficient intrusion detection system is needed, as conventional intrusion detection approaches can no longer keep up with the newly emerging data.

With the enormous amount of data available today, much of it containing duplicated records, deciding which records to use for optimal data analysis becomes challenging. Data deduplication helps to remove this bottleneck by leaving a single copy of each record in a set of data; this reduces the amount of data to be moved into the network [6].

Research Motivation

In the work of ref. [4], hypothesis testing was applied to the KDD dataset. The significant attributes or features of the dataset were extracted, and the records of the thirteen significant attributes were used in the research. The training set was run on an existing Decision Tree algorithm, which produced a set of rules. The mean of each rule was determined and later used to form a hypothesis. The accuracy of the system was tested using some detection metrics. There is, however, a need to validate the accuracy of the existing result by applying data deduplication together with other mining algorithms to the intrusion dataset, to help offer more accurate classification.

Research Objective

The objectives of the research work are to develop a deduplication program, to classify the intrusion dataset using PART and Decision Table rules, and to carry out a performance evaluation on the KDD dataset.

Methodology

A review of a few existing works was carried out. The NSL-KDD dataset, which is an improvement upon the KDD ’99 data, was used. The records of Denial of Service (DoS) attacks and normal traffic, based on the thirteen significant attributes, were extracted; these amount to eighteen thousand, one hundred and thirteen (18113) records. The dataset was run through a data deduplication program developed in C#.

Decision table and PART Rules were used to classify the Denial of Service (DOS) attacks and normal traffic from WEKA data mining implementation. The performance of the system would be tested on the test data using classification rate, detection rate and false alarm rate, after which the comparative analysis would be carried out against the work of Oladunjoye [7].

Result and Discussion

Data deduplication

Table 1 shows the result obtained when the dataset was run through the data deduplication program. 9711 records of Normal traffic were reduced to 7761, which amounts to a 20.1% reduction. 737 records of Apache2 were reduced to 440, which is a 40.3% reduction. 359 records of Back were reduced to 65, which is an 82% reduction. 7 records of Land were reduced to 3, resulting in 57.1%. 293 records of Mail bomb were reduced to 4, which amounts to a 98.6% reduction. 4557 records of Neptune were reduced to 295, which is a 93.5% reduction. 41 records of Ping of Death (PoD) were reduced to 14, which equates to a 65.8% reduction. 685 records of Processtable were reduced to 367, which is a 46.4% reduction. 665 records of smurf were reduced to 10, which is equivalent to a 98.5% reduction. 12 records of teardrop were reduced to 2, which corresponds to an 83.3% reduction. 2 records of teardrop were reduced to 1, which is a 50% reduction, while 994 records of warezmaster were reduced to 180, which is an 80.9% reduction.

Attacks/Normal Traffic   Before Deduplication   After Deduplication
Normal                   9711                   7761
Apache2                  737                    440
Back                     359                    65
Land                     7                      3
Mailbomb                 293                    4
Neptune                  4557                   295
PoD                      41                     14
Processtable             685                    367
Smurf                    665                    10
Teardrop                 12                     2
Udpstorm                 2                      1
Warezmaster              944                    180
Total                    18113                  9142

Table 1: Result obtained when the dataset was run on Data Deduplicated Program.

Performance of rules generated using decision table rules

The performance of the rules generated on test data using Decision Table Rules (Table 2, Figures 1 and 2) shows that out of 2303 records of Normal traffic, 2303 were correctly classified while 20 were wrongly classified. Out of 140 records of Apache2, 117 were correctly classified while 23 were wrongly classified. All records of Back, Neptune, PoD and processtable were correctly classified. A record of mail bomb was wrongly classified. Out of 2 records of Smurf, 1 was correctly classified while the remaining 1 was wrongly classified. Out of 49 records of warezmaster, 45 were correctly classified while 4 were wrongly classified. Teardrop and udpstorm have no record in the test data.

Attacks/Normal Traffic   TCC    TWC   TUC   TOTAL
Apache2                  117    23    0     140
Back                     23     0     0     23
Land                     0      2     0     2
Mailbomb                 0      1     0     1
Neptune                  93     0     0     93
Normal                   2303   20    0     2323
Ping of Death (PoD)      3      0     0     3
Processtable             107    0     0     107
Smurf                    1      1     0     2
Teardrop                 0      0     0     0
Udpstorm                 0      0     0     0
Warezmaster              45     4     0     49

Table 2: Performance of Rules Generated on Test Data.


Figure 1: Graphical Representation of Decision Table rules on Test Data that are correctly classified.


Figure 2: Graphical Representation of DecisionTable rules on Test Data that are incorrectly classified.

Performance of rules generated using part rules

The performance of the rules generated on test data using PART Rules (Table 3, Figures 3 and 4) shows that all records of Apache2, Back, Mail bomb, PoD, processtable and Smurf were correctly classified. The 2 records of Land were wrongly classified. Out of 92 records of Neptune, 92 were correctly classified and 1 was wrongly classified. Out of 2323 records of Normal traffic, 2313 were correctly classified while 10 were wrongly classified. Out of 49 records of warezmaster, 45 were correctly classified while 4 were wrongly classified. Teardrop and udpstorm have no record in the test data.

Attacks/Normal Traffic   TCC    TWC   TUC   TOTAL
Apache2                  140    0     0     140
Back                     23     0     0     23
Land                     0      2     0     2
Mailbomb                 1      0     0     1
Neptune                  92     1     0     93
Normal                   2313   10    0     2323
Ping of Death (PoD)      3      0     0     3
Processtable             107    0     0     107
Smurf                    2      0     0     2
Teardrop                 0      0     0     0
Udpstorm                 0      0     0     0
Warezmaster              45     4     0     49

Table 3: Performance of Rules Generated on Test Data.


Figure 3: Graphical Representation of PART rules on Test Data that are Correctly Classified.


Figure 4: Graphical Representation of PART Rules on Test Data that are Incorrectly Classified.

Confusion matrix obtained from denial of service (dos) and normal traffic using decision table rules

Table 4 shows the confusion matrix obtained from the Decision Table Rules Classification when DOS attacks and Normal Traffic test data were used. Out of 140 records of Apache2, 117 were correctly classified, while 21 and 2 were incorrectly classified as Neptune and Normal respectively. All records of Back, Neptune, Ping of Death (POD) and processtable were correctly classified. The 2 records of Land were incorrectly classified as Neptune. A record of Mail bomb was incorrectly classified as Normal. Out of 2323 records of Normal Traffic, 2303 were correctly classified while 11, 1, 7 and 1 were incorrectly classified as Apache2, Back, Neptune and Ping of Death (POD) respectively. 1 of the 2 records of Smurf was correctly classified while the other was incorrectly classified as POD. Out of 49 records of warezmaster, 45 were correctly classified while 4 were incorrectly classified as Normal.

      Ap    Ba    La    Ma    Nep   Nor   Pod   Pro   Smu   Tea   Udp   Wam
Ap    117   0     0     0     21    2     0     0     0     0     0     0
Ba    0     23    0     0     0     0     0     0     0     0     0     0
La    0     0     0     0     2     0     0     0     0     0     0     0
Ma    0     0     0     0     0     1     0     0     0     0     0     0
Ne    0     0     0     0     93    0     0     0     0     0     0     0
Nor   11    1     0     0     7     2303  1     0     0     0     0     0
Pod   0     0     0     0     0     0     3     0     0     0     0     0
Pro   0     0     0     0     0     0     0     107   0     0     0     0
Sm    0     0     0     0     0     0     1     0     1     0     0     0
Te    0     0     0     0     0     0     0     0     0     0     0     0
Ud    0     0     0     0     0     0     0     0     0     0     0     0
Wa    0     0     0     0     0     4     0     0     0     0     0     45

Table 4: Confusion Matrix obtained from decisiontable rules system on test data.

TN=2303; FP=20; FN=21; TP=389

equation

Sensitivity = 100 × TP / (TP + FN) = 92.6%

Specificity = 100 × TN / (TN + FP) = 99.1%

Confusion matrix obtained from denial of service (dos) and normal traffic using part rules

Table 5 shows the confusion matrix obtained from the PART Rules Classification when DOS attacks and Normal Traffic test data were used. All records of Apache2, Back, Mail bomb, Ping of Death (POD), Processtable and Smurf were correctly classified. The 2 records of Land were incorrectly classified as Neptune. Out of 93 records of Neptune, 92 were correctly classified while 1 was incorrectly classified as Apache2. 2313 records of Normal were correctly classified out of 2323 while 1, 1, 1, 5 and 2 were incorrectly classified as Apache2, Back, Mail bomb, Neptune and Warezmaster respectively. Out of 49 records of Warezmaster, 45 were correctly classified while 4 were incorrectly classified as Normal.

      Ap    Ba    La    Ma    Ne    No    Po    Pr    Sm    Te    Ud    Wa
AP*   140   0     0     0     0     0     0     0     0     0     0     0
BA*   0     23    0     0     0     0     0     0     0     0     0     0
LA*   0     0     0     0     2     0     0     0     0     0     0     0
MA*   0     0     0     1     0     0     0     0     0     0     0     0
NE*   1     0     0     0     92    0     0     0     0     0     0     0
NO*   1     1     0     1     5     2313  0     0     0     0     0     2
PD*   0     0     0     0     0     0     3     0     0     0     0     0
PR*   0     0     0     0     0     0     0     107   0     0     0     0
SM*   0     0     0     0     0     0     0     0     2     0     0     0
TD*   0     0     0     0     0     0     0     0     0     0     0     0
US*   0     0     0     0     0     0     0     0     0     0     0     0
WM*   0     0     0     0     0     4     0     0     0     0     0     45

Table 5: Confusion Matrix obtained from PART rules system on Test Data.

NO*=Normal, WM*=Warezmaster, US*=Udpstorm, TD*=Teardrop, SM*=Smurf, PR*=Processtable, PD*=Pod, NE*=Neptune, MB*=Mailbomb, LA*=Land, BA*=Back, AP*=Apache2.

TN = 2313; FP = 10; FN = 7; TP = 413

equation

Sensitivity = 100 × TP / (TP + FN) = 98.3%

Specificity = 100 × TN / (TN + FP) = 99.6%
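The following added example (not code from the paper) collapses the two confusion matrices, Table 4 for Decision Table rules and Table 5 for PART rules, into attack-versus-normal counts and recomputes the four detection metrics. It assumes that a true positive is an attack record assigned its own attack label, which is what the reported TP values imply, and that classification rate and false alarm rate follow the usual definitions (TP + TN) / total and FP / (FP + TN), since those formulas are not legible on the page.

```python
LABELS = ["Ap", "Ba", "La", "Ma", "Ne", "No", "Po", "Pr", "Sm", "Te", "Ud", "Wa"]
NORMAL = LABELS.index("No")

def sparse(cells):
    """Build a 12x12 matrix (rows = actual, columns = predicted) from non-zero cells."""
    m = [[0] * len(LABELS) for _ in LABELS]
    for (actual, predicted), count in cells.items():
        m[LABELS.index(actual)][LABELS.index(predicted)] = count
    return m

# Non-zero cells transcribed from Table 4 (Decision Table rules).
DECISION_TABLE = sparse({
    ("Ap", "Ap"): 117, ("Ap", "Ne"): 21, ("Ap", "No"): 2, ("Ba", "Ba"): 23,
    ("La", "Ne"): 2, ("Ma", "No"): 1, ("Ne", "Ne"): 93,
    ("No", "Ap"): 11, ("No", "Ba"): 1, ("No", "Ne"): 7, ("No", "No"): 2303,
    ("No", "Po"): 1, ("Po", "Po"): 3, ("Pr", "Pr"): 107,
    ("Sm", "Po"): 1, ("Sm", "Sm"): 1, ("Wa", "No"): 4, ("Wa", "Wa"): 45,
})
# Non-zero cells transcribed from Table 5 (PART rules).
PART = sparse({
    ("Ap", "Ap"): 140, ("Ba", "Ba"): 23, ("La", "Ne"): 2, ("Ma", "Ma"): 1,
    ("Ne", "Ap"): 1, ("Ne", "Ne"): 92,
    ("No", "Ap"): 1, ("No", "Ba"): 1, ("No", "Ma"): 1, ("No", "Ne"): 5,
    ("No", "No"): 2313, ("No", "Wa"): 2, ("Po", "Po"): 3, ("Pr", "Pr"): 107,
    ("Sm", "Sm"): 2, ("Wa", "No"): 4, ("Wa", "Wa"): 45,
})

def ids_metrics(m):
    """Collapse the matrix to attack-vs-normal counts and derive the four rates (%)."""
    tn = m[NORMAL][NORMAL]
    fp = sum(m[NORMAL]) - tn                       # normal traffic flagged as any attack
    attack_rows = [i for i in range(len(LABELS)) if i != NORMAL]
    tp = sum(m[i][i] for i in attack_rows)         # attack assigned its own label (assumed convention)
    fn = sum(sum(m[i]) for i in attack_rows) - tp  # every other attack record
    total = tp + tn + fp + fn
    return {
        "TP": tp, "TN": tn, "FP": fp, "FN": fn,
        "classification_rate": round(100 * (tp + tn) / total, 2),  # assumed definition
        "false_alarm_rate": round(100 * fp / (fp + tn), 2),        # assumed definition
        "sensitivity": round(100 * tp / (tp + fn), 1),
        "specificity": round(100 * tn / (tn + fp), 1),
    }

if __name__ == "__main__":
    for name, matrix in (("Decision Table", DECISION_TABLE), ("PART", PART)):
        print(name, ids_metrics(matrix))
```

Under this convention Table 4 has 31 attack records off the diagonal, and 389 / (389 + 31) is the ratio that yields the reported 92.6% sensitivity, whereas the page lists FN=21 for that table. For PART the script gives a classification rate of 99.38%, which the page rounds to 99.4%.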

Performance evaluation with existing system

Table 6 shows the number of records that are correctly classified, incorrectly classified and not classified for each denial of service attack and for normal traffic.

                     Classification Rate (%)   False Alarm Rate (%)   Sensitivity (%)   Specificity (%)
DecisionTree Rules   98.14                     0.86                   92.6              99.1
PART Rules           99.4                      0.43                   98.3              99.6
JRIP Rules           99.1                      0.55                   97.2              99.4

Table 6: Performance evaluation with an existing work.

Figure 5 reveals that the percentage of records correctly classified is 98.14% using decision tree rules, 99.43% when PART rules are used and 99.1% for JRIP rules. It can be deduced that PART rules are competitively better for this type of classification than the other two methods.


Figure 5: Graphical Representation of Classification Rate of different methods.

Figure 6 shows the percentage of normal connections that are not correctly classified in the training and testing sets. The result shows that FAR is 0.86 when decision tree rules are applied, 0.43 when PART rules are used and 0.55 when JRIP rules are used. This indicates that the percentage of records that are misclassified is minimal when PART rules are used. Therefore, PART rules are preferable in terms of False Alarm Rate for this type of classification.


Figure 6: Graphical Representation of False Alarm Rate (FAR) of different methods.

Figure 7 shows the percentage of attack connections that are correctly classified. The result indicates that the proportion of attacks correctly classified is 92.6% when decision tree rules are used, 98.3% when PART rules are used and 97.2% when JRIP rules are used. PART rules perform better than the two other methods in terms of sensitivity.


Figure 7: Graphical Representation of Sensitivity of different methods.

Figure 8 shows that the specificity is 99.1% when decision tree rules are used, 99.6% when PART rules are used and 99.4% when JRIP rules are used.


Figure 8: Graphical Representation of Specificity of different methods.

Conclusion

The system shows that PART Rules performed better than other methods in terms of Classification Rate, False Alarm Rate, Sensitivity and Specificity.

References
