A System for Denial-of-Service Attack DetectionBased on Multivariate Correlation Analysis

Zhiyuan Tan, Aruna Jamdagni, Xiangjian He‡, Senior Member, IEEE,Priyadarsi Nanda, Member, IEEE, and Ren Ping Liu, Member, IEEE,

Abstract—Interconnected systems, such as Web servers, database servers, cloud computing servers etc, are now under threads fromnetwork attackers. As one of most common and aggressive means, Denial-of-Service (DoS) attacks cause serious impact on thesecomputing systems. In this paper, we present a DoS attack detection system that uses Multivariate Correlation Analysis (MCA) foraccurate network traffic characterization by extracting the geometrical correlations between network traffic features. Our MCA-basedDoS attack detection system employs the principle of anomaly-based detection in attack recognition. This makes our solution capableof detecting known and unknown DoS attacks effectively by learning the patterns of legitimate network traffic only. Furthermore, atriangle-area-based technique is proposed to enhance and to speed up the process of MCA. The effectiveness of our proposeddetection system is evaluated using KDD Cup 99 dataset, and the influences of both non-normalized data and normalized data onthe performance of the proposed detection system are examined. The results show that our system outperforms two other previouslydeveloped state-of-the-art approaches in terms of detection accuracy.

Keywords—Denial-of-Service attack, network traffic characterization, multivariate correlations, triangle area.

�

1 INTRODUCTION

DENIAL-OF-SERVICE (DoS) attacks are one type ofaggressive and menacing intrusive behavior to on-

line servers. DoS attacks severely degrade the availabil-ity of a victim, which can be a host, a router, or an entirenetwork. They impose intensive computation tasks to thevictim by exploiting its system vulnerability or floodingit with huge amount of useless packets. The victim canbe forced out of service from a few minutes to evenseveral days. This causes serious damages to the servicesrunning on the victim. Therefore, effective detectionof DoS attacks is essential to the protection of onlineservices. Work on DoS attack detection mainly focuseson the development of network-based detection mech-anisms. Detection systems based on these mechanismsmonitor traffic transmitting over the protected networks.These mechanisms release the protected online serversfrom monitoring attacks and ensure that the serverscan dedicate themselves to provide quality services withminimum delay in response. Moreover, network-baseddetection systems are loosely coupled with operatingsystems running on the host machines which they areprotecting. As a result, the configurations of network-based detection systems are less complicated than thatof host-based detection systems.

• Z. Tan, X. He, and P. Nanda are with Centre for Innovation in IT Servicesand Applications (iNEXT), University of Technology, Sydney, Australia.E-mail: Zhiyuan.Tan, Xiangjian.He, Priyadarsi.Nanda@uts.edu.au.

• A. Jamdagni is with School of Computing and Mathematics, University ofWestern Sydney, Parramatta, Australia. E-mail: a.jamdagni@uws.edu.au.

• R. Liu is with CSIRO ICT Centre, Marsfield, Australia. E-mail:ren.liu@csiro.au.

‡ Corresponding author: X. He.

Generally, network-based detection systems can beclassified into two main categories, namely misuse-based detection systems [1] and anomaly-based detec-tion systems [2]. Misuse-based detection systems detectattacks by monitoring network activities and looking formatches with the existing attack signatures. In spite ofhaving high detection rates to known attacks and lowfalse positive rates, misuse-based detection systems areeasily evaded by any new attacks and even variants ofthe existing attacks. Furthermore, it is a complicated andlabor intensive task to keep signature database updatedbecause signature generation is a manual process andheavily involves network security expertise.

Research community, therefore, started to explore away to achieve novelty-tolerant detection systems anddeveloped a more advanced concept, namely anomaly-based detection. Owing to the principle of detection,which monitors and flags any network activities pre-senting significant deviation from legitimate traffic pro-files as suspicious objects, anomaly-based detection tech-niques show more promising in detecting zero-day intru-sions that exploit previous unknown system vulnerabil-ities [3]. Moreover, it is not constrained by the expertisein network security, due to the fact that the profiles oflegitimate behaviors are developed based on techniques,such as data mining [4], [5], machine learning [6], [7]and statistical analysis [8], [9]. However, these proposedsystems commonly suffer from high false positive ratesbecause the correlations between features/attributes areintrinsically neglected [10] or the techniques do notmanage to fully exploit these correlations.

Recent studies have focused on feature correlationanalysis. Yu et al. [11] proposed an algorithm to dis-

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS VOL:25 NO:2 YEAR 2014

criminate DDoS attacks from flash crowds by analyzingthe flow correlation coefficient among suspicious flows.A covariance matrix based approach was designed in[12] to mine the multivariate correlation for sequentialsamples. Although the approach improves detection ac-curacy, it is vulnerable to attacks that linearly change allmonitored features. In addition, this approach can onlylabel an entire group of observed samples as legitimateor attack traffic but not the individuals in the group.To deal with the above problems, an approach basedon triangle area was presented in [13] to generate bet-ter discriminative features. However, this approach hasdependency on prior knowledge of malicious behaviors.More recently, Jamdagni et al. [14] developed a refinedgeometrical structure based analysis technique, whereMahalanobis distance was used to extract the correla-tions between the selected packet payload features. Thisapproach also successfully avoids the above problems,but it works with network packet payloads. In [15],Tan et al. proposed a more sophisticated non-payload-based DoS detection approach using Multivariate Corre-lation Analysis (MCA). Following this emerging idea, wepresent a new MCA-based detection system to protectonline services against DoS attacks in this paper, whichis built upon our previous work in [16]. In additionto the work shown in [16], we present the followingcontributions in this paper. First, we develop a completeframework for our proposed DoS attack detection sys-tem in Section 2.1. Second, we propose an algorithm fornormal profile generation and an algorithm for attackdetection in Sections 4.1 and 4.3 respectively. Third, weproceed a detailed and complete mathematical analysisof the proposed system and investigate further on timecost in Section 6. As resources of interconnected systems(such as Web servers, database servers, cloud computingservers etc.) are located in service providers’ Local AreaNetworks that are commonly constructed using the sameor alike network underlying infrastructure and are com-pliant with the underlying network model, our proposeddetection system can provide effective protection to allof these systems by considering their commonality.

The DoS attack detection system presented in this pa-per employs the principles of MCA and anomaly-baseddetection. They equip our detection system with capabil-ities of accurate characterization for traffic behaviors anddetection of known and unknown attacks respectively. Atriangle area technique is developed to enhance and tospeed up the process of MCA. A statistical normalizationtechnique is used to eliminate the bias from the raw data.Our proposed DoS detection system is evaluated usingKDD Cup 99 dataset [17] and outperforms the state-of-the-art systems shown in [13] and [15].

The rest of this paper is organized as follows. Wegive the overview of the system architecture in Section2. Section 3 presents a novel MCA technique. Section 4describes our MCA-based detection mechanism. Section5 evaluates the performance of our proposed detectionsystem using KDD Cup 99 dataset. Section 6 shows the

systematic analysis on the computational complexity andthe time cost of the proposed system. Finally, conclusionsare drawn and future work is given in Section 7.

2 SYSTEM ARCHITECTURE

The overview of our proposed DoS attack detectionsystem architecture is given in this section, where thesystem framework and the sample-by-sample detectionmechanism are discussed.

2.1 Framework

The whole detection process consists of three major stepsas shown in Fig. 1. The sample-by-sample detectionmechanism is involved in the whole detection phase (i.e.,Steps 1, 2 and 3) and is detailed in Section 2.2.

In Step 1, basic features are generated from ingressnetwork traffic to the internal network where protectedservers reside in and are used to form traffic records for awell-defined time interval. Monitoring and analyzing atthe destination network reduce the overhead of detectingmalicious activities by concentrating only on relevantinbound traffic. This also enables our detector to provideprotection which is the best fit for the targeted internalnetwork because legitimate traffic profiles used by thedetectors are developed for a smaller number of networkservices. The detailed process can be found in [17].

Step 2 is Multivariate Correlation Analysis, in whichthe “Triangle Area Map Generation” module is appliedto extract the correlations between two distinct featureswithin each traffic record coming from the first step orthe traffic record normalized by the “Feature Normal-ization” module in this step (Step 2). The occurrence ofnetwork intrusions cause changes to these correlations sothat the changes can be used as indicators to identify theintrusive activities. All the extracted correlations, namelytriangle areas stored in Triangle Area Maps (TAMs), arethen used to replace the original basic features or thenormalized features to represent the traffic records. Thisprovides higher discriminative information to differen-tiate between legitimate and illegitimate traffic records.Our MCA method and the feature normalization tech-nique are explained in Sections 3 and 5.2 respectively.

In Step 3, the anomaly-based detection mechanism [3]is adopted in Decision Making. It facilitates the detec-tion of any DoS attacks without requiring any attackrelevant knowledge. Furthermore, the labor-intensiveattack analysis and the frequent update of the attacksignature database in the case of misuse-based detec-tion are avoided. Meanwhile, the mechanism enhancesthe robustness of the proposed detectors and makesthem harder to be evaded because attackers need togenerate attacks that match the normal traffic profilesbuilt by a specific detection algorithm. This, however,is a labor-intensive task and requires expertise in thetargeted detection algorithm. Specifically, two phases(i.e., the “Training Phase” and the “Test Phase”) are

Step 1:Basic FeatureGeneration for

IndividualRecords

Normal ProfileGeneration

Tested ProfileGeneration for

Individual Records

Attack Detectionfor Individual

Records

Normal Profiles

TrainingPhase

Test Phase

Step 3: Decision Making

Network Traffic

Step 2: Multivariate Correlation Analysis

Triangle Area MapGeneration for

Individual Records

FeatureNormalization

Raw/Original Features

Normalised Features

Fig. 1. Framework of the proposed denial-of-service attack detection system

involved in Decision Marking. The “Normal Profile Gen-eration” module is operated in the “Training Phase” togenerate profiles for various types of legitimate trafficrecords, and the generated normal profiles are stored ina database. The “Tested Profile Generation” module isused in the “Test Phase” to build profiles for individualobserved traffic records. Then, the tested profiles arehanded over to the “Attack Detection” module, whichcompares the individual tested profiles with the respec-tive stored normal profiles. A threshold-based classifieris employed in the “Attack Detection” module to distin-guish DoS attacks from legitimate traffic. The detailedalgorithm is given in Section 4.

2.2 Sample-by-sample Detection

Jin et al. [12] systematically proved that the group-baseddetection mechanism maintained a higher probability inclassifying a group of sequential network traffic sam-ples than the sample-by-sample detection mechanism.Whereas, the proof was based on an assumption thatthe samples in a tested group were all from the samedistribution (class). This restricts the applications of thegroup-based detection to limited scenarios, because at-tacks occur unpredictably in general and it is difficult toobtain a group of sequential samples only from the samedistribution.

To remove this restriction, our system in this paperinvestigates traffic samples individually. This offers ben-efits that are not found in the group-based detectionmechanism. For example, (a) attacks can be detected ina prompt manner in comparison with the group-baseddetection mechanism, (b) intrusive traffic samples canbe labeled individually, and (c) the probability of cor-rectly classifying a sample into its population is higherthan the one achieved using the group-based detectionmechanism in a general network scenario. To betterunderstand the merits, we illustrate them through amathematical example given in [12], which assumes traf-fic samples are independent and identically distributed[12], [18], [19], and legitimate traffic and illegitimatetraffic follow normal distributions X1 ∼ N(μ1, σ

21) and

X2 ∼ N(μ2, σ22) respectively. The two distributions

are described statistically using the probability den-sity functions f(x;μ1, σ

21) = (1/(σ1

√2π))e−(x−μ1)

2/2σ21

and f(x;μ2, σ22) = (1/(σ2

√2π))e−(x−μ2)

2/2σ22 respectively,

where x ∈ (−∞,+∞). In this task, the sample-by-sample labeling and the group-based labeling are used toidentify the correct distribution for the individuals froma group of k independent samples {x1, x2, · · · , xk}.

In [12], on one hand, Jin et al. defined the probabilitiesof correctly classifying a sample into its distributionusing the sample-by-sample labeling as the cumulativedistribution functions shown in (1) and (2) respectively.

⎧⎪⎪⎪⎨⎪⎪⎪⎩P1 =

∫ μ

−∞

1

σ1

√2π

e−(x−μ1)2/2σ2

1dx,

P2=

∫ +∞

μ

1

σ2

√2π

e−(x−μ2)2/2σ2

2dx,

(1)

(2)

where μ = μ1× σ2

σ1+σ2+μ2× σ1

σ1+σ2is the threshold value

for classifying a sample into one of the two distributionsN(μ1, σ

21) and N(μ2, σ

22). P ′1 = 1 − P1 represents the

probability that a sample coming from the distributionN(μ1, σ

21) is not correctly classified into X1. P ′2 = 1− P2

represents the probability that a sample coming fromthe distribution N(μ2, σ

22) is not correctly classified into

X2. As proven in [12] that (a) P1 = P2 = P andP ′1 = P ′2 = 1 − P , (b) the samples are independentlydistributive, and (c) the results of classification followthe binomial distribution, the probability of correctlylabeling j samples is defined as Pr(j) = Cj

kPj(1−P )k−j

where j = 1, 2, · · · , k. Thus, the probability of correctlyclassifying all k samples is

Pr(k) = P k. (3)

On the other hand, to classify the same group ofindependent samples {x1, x2, · · · , xk} using the group-based labeling, a new random variable z, which isthe mean of k random samples from the distributionN(μl, σ

2l ), is defined as z = 1

k

∑kt=1 xt, where xt ∈ Xl

and l = 1, 2. Clearly, the new random variable z followsthe distribution Zl ∼ N(μl,

1kσ

2l ) in which l = 1, 2. The

threshold value for classification is u = μ1× σ2

σ1+σ2+μ2×

σ1

σ1+σ2. Since the random variable z is generated utilizing

k random samples xt from the distribution N(μl, σ2l ), the

detection precision rate of the z correctly classified intothe respective distribution N(μ1, σ

21) or N(μ2, σ

22) will

thus be as given in (4) and (5) respectively.⎧⎪⎪⎪⎨⎪⎪⎪⎩q1 =

∫ u

−∞(1/(

1√kσ1

√2π))e−(z−μ1)

2/ 2kσ2

1dz,

q2=

∫ +∞

u

(1/(1√kσ2

√2π))e−(z−μ2)

2/ 2kσ2

2dz.

(4)

(5)

As proven in [12] that q1 = q2, q′1 = 1−q1 and q′2 = 1−q2.The z above represents a group of samples com-

pletely coming from the same distribution N(μ1, σ21)

or N(μ2, σ22). However, in practical, samples may come

from either distribution independently so that the prob-ability of having a group of samples which come onlyfrom a single distribution N(μ1, σ

21) or N(μ2, σ

22) is 1/2k.

Thus, the probability of correctly classifying all k sam-ples by using group-based labeling is⎧⎨

⎩k = 1, Q(k) = q1 = q2,

k > 1, Q(k) =1

2kq1 =

1

2kq2.

(6)

(7)

Considering the same example given on p.2188 of[12] where k is set to 16, the precision of the sample-by-sample labeling achieves Pr(16) = P 16 = 0.6316 =6.1581e–04, and q1 = q2 = 0.90824 when using group-based labeling. The precision of the group-based labelingachieving in the general network scenario is Q(16) =1

216 q1 = 1216 × 0.90824 = 1.3859e–05. Clearly, the sample-

by-sample labeling and the group-based labeling per-form differently in detection precision. The relationshipbetween the detection precisions of two detection mech-anisms can be found by analyzing (3), (6) and (7). Asshown in (8) and (9), when k equals to 1, the probabilityof correctly classifying all k samples using the sample-by-sample labeling is same as the one using the group-based labeling. If k is greater than 1, both probabilitiesPr(k) and Q(k) decrease gradually, but the one of thegroup-based labeling drops faster in comparison withthat of the sample-by-sample labeling, i.e.,

{k = 1, P r(k) = Q(k),

k > 1, P r(k) > Q(k).

(8)(9)

Therefore, the sample-by-sample labeling can alwaysachieve equal or better detection precision than thegroup-based labeling.

3 MULTIVARIATE CORRELATION ANALYSIS

DoS attack traffic behaves differently from the legitimatenetwork traffic, and the behavior of network traffic isreflected by its statistical properties. To well describethese statistical properties, we present a novel Multivari-ate Correlation Analysis (MCA) approach in this section.This MCA approach employs triangle area for extractingthe correlative information between the features withinan observed data object (i.e., a traffic record). The detailsare presented in the following.

Given an arbitrary dataset X = {x1, x2, · · · , xn},where xi = [f i

1 f i2 · · · f i

m]T , (1 ≤ i ≤ n) represents the

ith m-dimensional traffic record. We apply the conceptof triangle area to extract the geometrical correlationbetween the jth and kth features in the vector xi. Toobtain the triangle formed by the two features, datatransformation is involved. The vector xi is first pro-jected on the (j, k)-th two-dimensional Euclidean sub-space as yi,j,k = [εj εk]

Txi = [f ij f i

k]T , (1 ≤ i ≤ n,

1 ≤ j ≤ m, 1 ≤ k ≤ m, j �= k). The vectorsεj = [ej,1 ej,2 · · · ej,m]T and εk = [ek,1 ek,2 · · · ek,m]T

have elements with values of zero, except the (j, j)-thand (k, k)-th elements whose values are ones in εj andεk respectively. The yi,j,k can be interpreted as a two-dimensional column vector, which can also be defined asa point on the Cartesian coordinate system in the (j, k)-th two-dimensional Euclidean subspace with coordinate(f i

j , f ik). Then, on the Cartesian coordinate system, a

triangle Δf ijOf i

k formed by the origin and the projectedpoints of the coordinate (f i

j , f ik) on the j-axis and k-axis

is found. Its area Trij,k is defined as

Trij,k = (‖ (f ij , 0)− (0, 0) ‖ × ‖ (0, f i

k)− (0, 0) ‖)/2, (10)

where 1 ≤ i ≤ n, 1 ≤ j ≤ m, 1 ≤ k ≤ m andj �= k. In order to make a complete analysis, all possiblepermutations of any two distinct features in the vectorxi are extracted and the corresponding triangle areas arecomputed. A Triangle Area Map (TAM) is constructedand all the triangle areas are arranged on the mapwith respect to their indexes. For example, the Trij,k ispositioned on the jth row and the kth column of themap TAM i, which has a size of m × m. The values ofthe elements on the diagonal of the map are set to zeros(Trij,k = 0, if j = k) because we only care about thecorrelation between each pair of distinct features. Forthe non-diagonal elements Trij,k and Trik,j where j �= k,they indeed represent the areas of the same triangle.This infers that the values of Trij,k and Trik,j are actuallyequal. Hence, the TAM i is a symmetric matrix havingelements of zero on the main diagonal.

When comparing two TAMs, we can imagine themas two images symmetric along their main diagonals.Any differences, identified on the upper triangles of theimages, can be found on their lower triangles as well.Therefore, to perform a quick comparison of the twoTAMs, we can choose to investigate either the uppertriangles or the lower triangles of the TAMs only. Thisproduces the same result as comparing using the en-tire TAMs (see Appendix 1 in the supplemental file tothis paper for an example). Therefore, the correlationsresiding in a traffic record (vector xi) can be representedeffectively and correctly by the upper triangle or thelower triangle of the respective TAM i. For consistency,we consider the lower triangles of TAMs in the followingsections. The lower triangle of the TAM i is convertedinto a new correlation vector TAM i

lower denoted as (11).

TAM ilower = [Tri2,1 Tri3,1 · · · Trim,1 Tri3,2

Tri4,2 · · · Trim,2 · · · Trim,m−1]T .

(11)

For the aforementioned dataset X , its geometrical mul-tivariate correlations can be represented by XTAMlower

={TAM1

lower, TAM2lower, · · · , TAM i

lower, · · · , TAMnlower}.

When putting into practice, the computation of theTrij,k defined in (10) can be simplified because the valueof the Trij,k is eventually equal to half of the multipli-cation of the absolute values of f i

j and f ik. Therefore,

the transformation can be eliminated, and (10) can bereplaced by Trij,k = (|f i

j | × |f ik|)/2.

The above explanation shows that our MCA approachsupplies with the following benefits to data analysis.First, it does not require the knowledge of historictraffic in performing analysis. Second, unlike the Co-variance matrix approaches proposed in [12] which isvulnerable to linear change of all features, our proposedtriangle-area-based MCA withstands the problem. Third,it provides characterization for individual network traf-fic records rather than model network traffic behavior ofa group of network traffic records. This results in lowerlatency in decision making and enable sample-by-sampledetection. Fourth, the correlations between distinct pairsof features are revealed through the geometrical struc-ture analysis. Changes of these structures may occurwhen anomaly behaviors appear in the network. Thisprovides an important signal to trigger an alert.

4 DETECTION MECHANISM

In this section, we present a threshold-based anomalydetector, whose normal profiles are generated usingpurely legitimate network traffic records and utilizedfor future comparisons with new incoming investigatedtraffic records. The dissimilarity between a new incom-ing traffic record and the respective normal profile isexamined by the proposed detector. If the dissimilarityis greater than a pre-determined threshold, the trafficrecord is flagged as an attack. Otherwise, it is labeled asa legitimate traffic record. Clearly, normal profiles andthresholds have direct influence on the performance ofa threshold-based detector. A low quality normal profilecauses an inaccurate characterization to legitimate net-work traffic. Thus, we first apply the proposed triangle-area-based MCA approach to analyze legitimate networktraffic, and the generated TAMs are then used to supplyquality features for normal profile generation.

4.1 Normal Profile Generation

Assume there is a set of g legitimate training traf-fic records Xnormal = {xnormal

1 , xnormal2 , · · · , xnormal

g }.The triangle-area-based MCA approach is appliedto analyze the records. The generated lower trian-gles of the TAMs of the set of g legitimate train-ing traffic records are denoted by Xnormal

TAMlower=

{TAMnormal,1lower , TAMnormal,2

lower , · · · , TAMnormal,glower }.

Mahalanobis Distance (MD) is adopted to measurethe dissimilarity between traffic records. This is becauseMD has been successfully and widely used in cluster

analysis, classification and multivariate outlier detectiontechniques. Unlike Euclidean distance and Manhattandistance, it evaluates distance between two multivariatedata objects by taking the correlations between variablesinto account and removing the dependency on the scaleof measurement during the calculation.

Require: XnormalTAMlower

with g elements1: TAMnormal

lower ← 1g

∑gi=1 TAM

normal,ilower

2: Generate covariance matrix Cov for XnormalTAMlower

us-ing (12)

3: for i = 1 to g do4: MDnormal,i ← MD(TAMnormal,i

lower , TAMnormallower )

{Mahalanobis distance between TAMnormal,ilower

and TAMnormallower computed using (14)}

5: end for6: μ ← 1

g

∑gi=1 MDnormal,i

7: σ ←√

1g−1

∑gi=1(MDnormal,i − μ)2

8: Pro ← (N(μ, σ2), TAMnormallower , Cov)

9: return Pro

Fig. 2. Algorithm for normal profile generation based ontriangle-area-based MCA.

Fig. 2 presents the algorithm for normal profile gener-ation, in which the normal profile Pro is built throughthe density estimation of the MDs between individuallegitimate training traffic records (TAMnormal,i

lower ) and theexpectation (TAMnormal

lower ) of the g legitimate trainingtraffic records. The MD is computed using (14) and thecovariance matrix (Cov) involved in (14) can be obtainedusing (12). The covariance between two arbitrary ele-ments in the lower triangle of a normal TAM is definedin (13). Moreover, the mean of the (j, k)-th elementsand the mean of the (l, v)-th elements of TAMs over glegitimate training traffic records are defined as μTrnormal

j,k

= 1g

∑gi=1 Tr

normal,ij,k and μTrnormal

l,v= 1

g

∑gi=1 Tr

normal,il,v

respectively. As shown in Fig. 2, the distribution of theMDs is described by two parameters, namely the meanμ and the standard deviation σ of the MDs. Finally, theobtained distribution N(μ, σ2) of the normal trainingtraffic records, TAMnormal

lower and Cov are stored in thenormal profile Pro for attack detection.

4.2 Threshold SelectionThe threshold given in (16) is used to differentiate attacktraffic from the legitimate one.

Threshold = μ+ σ ∗ α. (16)

For a normal distribution, α is usually ranged from 1 to3. This means that detection decision can be made witha certain level of confidence varying from 68% to 99.7%in association with the selection of different values ofα. Thus, if the MD between an observed traffic recordxobserved and the respective normal profile is greater thanthe threshold, it will be considered as an attack. Attackdetection is detailed in Section 4.3.

Cov =

⎡⎢⎢⎢⎣σ(Trnormal

2,1 , T rnormal2,1 ) σ(Trnormal

2,1 , T rnormal3,1 ) · · · σ(Trnormal

2,1 , T rnormalm,m−1)

σ(Trnormal3,1 , T rnormal

2,1 ) σ(Trnormal3,1 , T rnormal

3,1 ) · · · σ(Trnormal3,1 , T rnormal

m,m−1)...

.... . .

...σ(Trnormal

m,m−1, T rnormal2,1 ) σ(Trnormal

m,m−1, T rnormal3,1 ) · · · σ(Trnormal

m,m−1, T rnormalm,m−1)

⎤⎥⎥⎥⎦ . (12)

σ(Trnormalj,k , T rnormal

l,v ) =1

g − 1

g∑i=1

(Trnormal,ij,k − μTrnormal

j,k)(Trnormal,i

l,v − μTrnormall,v

). (13)

MDnormal,i =

√(TAMnormal,i

lower − TAMnormallower )T (TAMnormal,i

lower − TAMnormallower )

Cov. (14)

MDobserved =

√(TAMobserved

lower − TAMnormallower )T (TAMobserved

lower − TAMnormallower )

Cov. (15)

4.3 Attack DetectionTo detect DoS attacks, the lower triangle (TAMobserved

lower )of the TAM of an observed record needs to be gener-ated using the proposed triangle-area-based MCA ap-proach. Then, the MD between the TAMobserved

lower andthe TAMnormal

lower stored in the respective pre-generatednormal profile Pro is computed using (15). The detaileddetection algorithm is shown in Fig. 3.

Require: Observed traffic record xobserved, normal pro-file Pro : (N(μ, σ2), TAMnormal

lower , Cov) and param-eter α

1: Generate TAMobservedlower for the observed traffic

record xobserved

2: MDobserved ← MD(TAMobservedlower , TAMnormal

lower )3: if (μ− σ ∗ α) ≤ MDobserved ≤ (μ+ σ ∗ α) then4: return Normal5: else6: return Attack7: end if

Fig. 3. Algorithm for attack detection based on Maha-lanobis distance.

5 EVALUATION OF THE MCA-BASED DOS AT-TACK DETECTION SYSTEM

The evaluation of our proposed DoS attack detectionsystem is conducted using KDD Cup 99 dataset [17].Despite the dataset is criticised for redundant recordsthat prevent algorithms from learning infrequent harm-ful records [21], it is the only publicly available la-beled benchmark dataset, and it has been widely usedin the domain of intrusion detection research. Testingour approach on KDD Cup 99 dataset contributes aconvincing evaluation and makes the comparisons withother state-of-the-art techniques equitable. Additionally,our detection system innately withstands the negative

impact introduced by the dataset because its profiles arebuilt purely based on legitimate network traffic. Thus,our system is not affected by the redundant records.

During the evaluation, the 10 percent labeled dataof KDD Cup 99 dataset is used, where three typesof legitimate traffic (TCP, UDP and ICMP traffic) andsix different types of DoS attacks (Teardrop, Smurf,Pod, Neptune, Land and Back attacks) are available. Allof these records are first filtered and then are furthergrouped into seven clusters according to their labels (seeTable 9 in Appendix 4 in the supplemental file to thispaper for details).

The overall evaluation process is detailed as follows.First, the proposed triangle-area-based MCA approachis assessed for its capability of network traffic character-ization. Second, a 10-fold cross-validation is conductedto evaluate the detection performance of the proposedMCA-based detection system, and the entire filtered datasubset is used in this task. In the training phase, weemploy only the Normal records. Normal profiles arebuilt with respect to the different types of legitimatetraffic using the algorithm presented in Fig. 2. Thecorresponding thresholds are determined according to(16) given the parameter α varying from 1 to 3 with anincrement of 0.5. During the test phase, both the Normalrecords and the attack records are taken into account.As given in Fig. 3, the observed samples are examinedagainst the respective normal profiles which are builtbased on the legitimate traffic records carried usingthe same type of Transport layer protocol. Third, fourmetrics, namely True Negative Rate (TNR), DetectionRate (DR), False Positive Rate (FPR) and Accuracy (i.e.the proportion of the overall samples which are classifiedcorrectly), are used to evaluate the proposed MCA-baseddetection system. To be a good candidate, our proposeddetection system is required to achieve a high detectionaccuracy.

5.1 Results and Analysis on Original Data5.1.1 Network Traffic Characterization Using Triangle-area-based Multivariate Correlation AnalysisIn the evaluation, the TAMs of the different types of traf-fic records are generated using 32 continuous features.The images for the TAMs of Normal TCP record, Backattack record, Land attack record and Neptune attackrecord are presented in Fig. 4. More results can be foundin Appendix 2 in the supplemental file to this paper. Theimages demonstrate that TAM is a symmetric matrix,whose upper triangle and lower triangle are identical.The brightness of an element in an image represents itsvalue in the corresponding TAM. The greater the valueis, the brighter the element is. The images in Fig. 4 alsodemonstrate that our proposed MCA approach fulfils theanticipation of generating features for accurate networktraffic characterization.

5 10 15 20 25 30

5

10

15

20

25

30

(a) Normal TCP record

5 10 15 20 25 30

5

10

15

20

25

30

(b) Back attack record

5 10 15 20 25 30

5

10

15

20

25

30

(c) Land attack record

5 10 15 20 25 30

5

10

15

20

25

30

(d) Neptune attack record

Fig. 4. Images of TAMs of Normal TCP traffic, Back, Landand Neptune attacks generated using original data

5.1.2 10-fold Cross-validationTo evaluate the performance of our detection systemalong with the change of the threshold, the averageTNRs for legitimate traffic and the average DRs for theindividual types of DoS attacks are shown in Table 1.

Throughout the evaluation, our proposed detectionsystem achieves encouraging performance in most of thecases except Land attack. The rate of correct classificationof the Normal records rise from 98.74% to 99.47% alongwith the increase of the threshold. Meanwhile, the Smurfand Pod attack records are completely detected withoutbeing affected by the change of the threshold. Moreover,the system achieves nearly 100% DRs for the Back attacks

in almost all cases. However, the detection system suffersserious degeneration in the cases of the Teardrop andNeptune attacks when the threshold is greater than 1.5σ.The DRs for these two attacks drop sharply to 48.45%and 52.96% respectively while the threshold is set to 3σ.

TABLE 1Average Detection Performance of the Proposed System

on Original Data Against Different ThresholdsType of Thresholdrecords 1σ 1.5σ 2σ 2.5σ 3σNormal 98.74% 99.03% 99.23% 99.35% 99.47%Teardrop 71.50% 63.92% 57.93% 52.81% 48.45%Smurf 100.00% 100.00% 100.00% 100.00% 100.00%Pod 100.00% 100.00% 100.00% 100.00% 100.00%Neptune 82.44% 61.79% 57.00% 54.84% 52.96%Land 0.00% 0.00% 0.00% 0.00% 0.00%Back 99.96% 99.82% 99.58% 99.44% 99.31%

To have a better overview of the performance of ourMCA-based detection system, the overall FPR and DRare highlighted in Table 2. The overall FPR and DR arecomputed over all traffic records regardless the types ofattacks. When the threshold grows from 1σ to 3σ, theFPR drops quickly from 1.26% to 0.53%. Correspond-ingly, the DR also drops from 95.11% to 86.98% whilethe threshold rises. It shows clearly in the table that alarger number of legitimate traffic records are coveredby a greater threshold, and more DoS attack records areincorrectly accepted as legitimate traffic in the meantime.

TABLE 2Detection Rate and Fals Positive Rates Achieving by the

Proposed System on Original DataThreshold

1σ 1.5σ 2σ 2.5σ 3σFPR 1.26% 0.97% 0.77% 0.65% 0.53%DR 95.11% 89.44% 88.11% 87.51% 86.98%Accuracy 95.20% 89.67% 88.38% 87.79% 87.28%

5.2 Problems with the Current System and SolutionAlthough the detection system achieves a moderateoverall detection performance in the above evaluation,we want to explore the causes of degradation in detect-ing the Land, Teardrop and Neptune attacks.

Our analysis shows that the problems come from thedata used in the evaluation, where the basic features inthe non-normalized original data are in different scales.Therefore, even though our triangle-area-based MCAapproach is promising in characterization and clearlyreveals the patterns of the various types of traffic records,our detector is still ineffective in some of the attacks. Forinstance, the Land, Teardrop and Neptune attacks whosepatterns are different than the patterns of the legitimatetraffic. However, the level of the dissimilarity betweenthese attacks and the respective normal profiles are closeto that between the legitimate traffic and the respective

normal profiles. Moreover, the changes appearing insome other more important features with much smallervalues can hardly take effect in distinguishing the DoSattack traffic from the legitimate traffic, because theoverall dissimilarity is dominated by the features withlarge values. Nevertheless, the non-normalized originaldata contains zero values in some of the features (boththe important and the less important features), andthey confuse our MCA and make many new generatedfeatures (Trij,k) equal to zeros. This vitally degrades thediscriminative power of the new feature set (TAM i

lower),which is not supposed to happen.

Apparently, an appropriate data normalization tech-nique should be employed to eliminate the bias. Weadopt the statistical normalization technique [20] to thiswork. The statistical normalization takes both the meanscale of attribute values and their statistical distributioninto account. It converts data derived from any normaldistribution into standard normal distribution, in which99.9% samples of the attribute are scaled into [-3, 3].In addition, statistical normalization has been provenimproving detection performance of distance-based clas-sifiers and outperforming other normalization methods,such as mean range [0, 1], ordinal normalization etc. [20].

Considering the same arbitrary dataset X ={x1, x2, · · · , xn} given in Section 3, the statistical nor-malization is defined as follows. The normalized valueof feature f i

j is given as F ij = (f i

j − f̄j)/σfij, where

f̄j = 1n

∑ni=1 f

ij is the mean of feature f i

j , and σfij=√

1n

∑ni=1(f

ij − f̄j) is the standard deviation of feature

f ij . The normalized feature vector xi is represented by[F i

1 F i2 · · · F i

m]T in which 1 ≤ i ≤ n. In the followingevaluation, the data is normalized in a batch man-ner. However, real-time normalization can be achievedthrough the incremental learning [22] when our detec-tion system is put on-line. The mean f̄i can be updatedas f̄i = f̄i +

xn+1−f̄in+1 .

5.3 Results and Analysis on Normalized DataTo verify our observation, a 10-fold cross-validation isconducted as done in Section 5.1.2 on the data normal-ized using the aforementioned statistical normalizationtechnique. The results are given in Section 5.3.1.

5.3.1 10-fold Cross-validationThe detection performance based on the normalized datais given in Table 3. The results reveal that the datadoes have significant influence on our detection sys-tem, whose overall performance increases dramaticallywhen taking the normalized data as the inputs. TheTeardrop, Neptune and Land attacks, which are mostlymiss-classified in the previous evaluation, now can becompletely classified correctly by the system along theincrease of the threshold. Except the Back attacks, theother types of DoS attacks are detected completely re-gardless of the change of the threshold as well. Although

the detection system claims only a 93.56% DR in de-tecting the Back attacks in the worst case, its DR risesstably and slowly to 99.32% when the a more rigorousthreshold is chosen. The ineffectiveness of the statisticalnormalization technique on the Back attacks is causedby the fact that the non-normalized features of the Backattacks originally fall in similar scales as the ones of thelegitimate traffic so that after data normalization thereis no improvement on the detection of the Back attacks.In comparison with the TNR of our detection systemachieved on the non-normalized Normal records, the oneachieved on the normalized Normal records declines abit to maximum 98.75% when the threshold is set to 3σ.However, it manages to remain in the reasonable range.

TABLE 3Average Detection Performance of the Proposed System

on Normalized Data Against Different ThresholdsType of Thresholdrecords 1σ 1.5σ 2σ 2.5σ 3σNormal 97.36% 97.97% 98.32% 98.56% 98.75%Teardrop 100.00% 100.00% 100.00% 100.00% 100.00%Smurf 100.00% 100.00% 100.00% 100.00% 100.00%Pod 100.00% 100.00% 100.00% 100.00% 100.00%Neptune 100.00% 100.00% 100.00% 100.00% 100.00%Land 100.00% 100.00% 100.00% 100.00% 100.00%Back 99.32% 98.96% 94.09% 93.79% 93.56%

Then, similar to the previous evaluation, we show theoverall FPR and DR in Table 4. The FPR shown in thetable drops nearly 1% when the threshold increases from1σ to 2σ. Finally it reaches to 1.25% while the threshold isstaying at 3σ. The DR of the system varies from 100.00%to 99.96%. It is clearly seen that the proposed detectionsystem achieves a better DR with the normalized data.

TABLE 4Detection Rate and False Positive Rate Achieving by the

Proposed System on Normalized DataThreshold

1σ 1.5σ 2σ 2.5σ 3σFPR 2.64% 2.03% 1.68% 1.44% 1.25%DR 100.00% 99.99% 99.97% 99.97% 99.96%Accuracy 99.93% 99.95% 99.93% 99.93% 99.93%

5.3.2 Performance ComparisonsTo make complete comparisons, the ROC curves of theprevious two evaluations are shown in Fig. 5. The rela-tionship between DR and FPR is clearly revealed in theROC curves. The DR increases when larger numbers offalse positive are tolerated. In Fig. 5a, the ROC curve foranaylzing the original data using our proposed detectionsystem shows a rising trend. The curve climbs graduallyfrom 86.98% DR to 89.44% DR, and finally reachesto 95.11% DR. Likewise, the ROC curve for analyzingthe normalized data presents a resembling pattern butjumps dramatically from 99.97% DR to 99.99% DR after

82.00%

84.00%

86.00%

88.00%

90.00%

92.00%

94.00%

96.00%

0.53% 0.65% 0.77% 0.97% 1.26%

Dete

ctio

n Ra

tes

False Postivie Rates

(a) ROC curve for analysing original data

99.94%

99.95%

99.96%

99.97%

99.98%

99.99%

100.00%

1.25% 1.44% 1.68% 2.03% 2.64%

Dete

ctio

n Ra

tes

False Positive Rates

(b) ROC curve for analysing normalized data

Fig. 5. ROC curves for the detection of DoS attacks

experiencing slow progress as shown in Fig. 5b. Then,the curve remains in a high level of DR around 100.00%.It is shown clearly in Fig. 5 that our detection systemalways enjoys higher detection rates while working withthe normalized data than with the original data. Theworst performance (99.96% DR and 1.25% FPR) of oursystem shown in Fig. 5b is even much better the bestperformance (95.11% DR and 1.26% FPR) in term ofdetection rate shown in Fig. 5a.

Last but not least, two state-of-the-art detection ap-proaches, namely triangle area based nearest neighborsapproach [13] and Euclidean distance map based ap-proach [15] are selected to compare with our proposeddetection system. The best accuracies on detecting DoSattacks achieved by the various approaches and systemsare given in Table 5. Although all approaches and sys-tems highlighted in Table 5 have high accuracies on DoSattack detection, our proposed MCA-based detectionsystem (95.20% for the original data and 99.95% forthe normalized data) clearly outperforms the trianglearea based nearest neighbours approach (92.15%). Inaddition, our proposed detection system cooperatingwith normalized data (99.95%) shows a marginal advan-tage over the Euclidean distance map based approach(99.87%). Although this is a narrow lead, our detectionsystem shows more promising especially when it isdeployed on a production network with a throughputof 1 Gbps. Due to a significantly fewer number of falsealarms generated per second, network administratorswill be much less interrupted by the false information.

6 COMPUTATIONAL COMPLEXITY AND TIMECOST ANALYSISIn this section, we conduct an analysis on the compu-tational complexity and the time cost of our proposed

MCA-based detection system.On one hand, as discussed in Section 3, triangle areas

of all possible combinations of any two distinct featuresin a traffic record need to be computed when process-ing our proposed MCA. Since each traffic record hasm features (or dimensions), m(m−1)

2 triangle areas aregenerated and are used to construct a TAM i

lower. Thus,the proposed MCA has a computational complexity ofO(m2). On the other hand, as explained in Section 4.3,the MD between the observed feature vector (i.e., theTAM i

lower) and TAMnormallower of the respective normal

profile needs to be computed in the detection process ofour proposed detection system to evaluate the level ofthe dissimilarity between them. Thus, this computationincurs a complexity of O(M2), in which M = m(m−1)

2is the dimensions of TAM i

lower. O(M2) can be writtenas O(m4). By taking the computational complexities ofthe proposed MCA and the detection process of ourproposed detection system into account, the overall com-putational complexity of the proposed detection systemis O(m2 +m4) = O(m4). However, m is a fixed numberwhich is 32 in our case, so that the overall computationalcomplexity is indeed equal to O(1).

Similarly, Euclidean distance map based approach [15]achieves the same computational complexities of O(m2)and O(m4) in data processing and attack detection re-spectively. Moreover, the number of features (m) in useis identical to that used in our proposed detection systemas well. Thus, the overall computational complexity ofthe Euclidean distance map based approach is O(1).For another state-of-the-art detection approach that wecompared in the previous section, triangle area basednearest neighbors approach [13] suffers a heavier overallcomputational complexity. In data processing and at-tack detection phases, the computational complexitiesare O(ml2) and O(l2n2) respectively, where m is thenumber of features (or dimensions) in a traffic record,l is the number of clusters used in generating triangleareas and n is the number of training samples. Theoverall complexity is O(ml2 + l2n2) = O(l2(m + n2)).In general, our proposed detection system can achieveequal or better computational complexity than the abovetwo other approaches. Table 6 is provided to summarizethe computational complexities of the above discussedapproaches.

TABLE 6Computational Complexities of Different State-of-the-art

Detection ApproachesThe proposed Euclidean distance map Triangle area based nearest

detection system based approach [15] neighbors approach [13]

O(1) O(1) O(l2(m+ n2))

Moreover, time cost is discussed to show the contri-bution of our proposed MCA in terms of accelerationof data processing. Our proposed MCA can proceed ap-proximately 23,092 traffic records per second. In contrast,

TABLE 5Performance Comparisons with Different Detection Approaches

Triangle area basednearest neighborsapproach [13]

Euclidean distance mapbased approach [15] (Originaldata, Threshold = 1σ)

The proposed detec-tion system (Originaldata, Threshold = 1σ)

The proposed detectionsystem (Normalizeddata, Threshold = 1.5σ)

Accuracy 92.15% 99.87% 95.20% 99.95%

the MCA of Euclidean distance map based approach[15] can achieve approximately 12,044 traffic records persecond, which is nearly less than half of that achievedby our proposed MCA. Due to the unavailability of thesource code of triangle area based nearest neighborsapproach [13], we cannot provide comparison to it.

7 CONCLUSION AND FUTURE WORK

This paper has presented a MCA-based DoS attack de-tection system which is powered by the triangle-area-based MCA technique and the anomaly-based detectiontechnique. The former technique extracts the geometricalcorrelations hidden in individual pairs of two distinctfeatures within each network traffic record, and offersmore accurate characterization for network traffic behav-iors. The latter technique facilitates our system to be ableto distinguish both known and unknown DoS attacksfrom legitimate network traffic.

Evaluation has been conducted using KDD Cup 99dataset to verify the effectiveness and performance ofthe proposed DoS attack detection system. The influenceof original (non-normalized) and normalized data hasbeen studied in the paper. The results have revealed thatwhen working with non-normalized data, our detectionsystem achieves maximum 95.20% detection accuracyalthough it does not work well in identifying Land, Nep-tune and Teardrop attack records. The problem, however,can be solved by utilizing statistical normalization tech-nique to eliminate the bias from the data. The results ofevaluating with the normalized data have shown a moreencouraging detection accuracy of 99.95% and nearly100.00% DRs for the various DoS attacks. Besides, thecomparison result has proven that our detection systemoutperforms two state-of-the-art approaches in terms ofdetection accuracy. Moreover, the computational com-plexity and the time cost of the proposed detectionsystem have been analyzed and shown in Section 6. Theproposed system achieves equal or better performancein comparison with the two state-of-the-art approaches.

To be part of the future work, we will further test ourDoS attack detection system using real world data andemploy more sophisticated classification techniques tofurther alleviate the false positive rate.

REFERENCES[1] V. Paxson, “Bro: A System for Detecting Network Intruders in Real-

time,” Computer Networks, vol. 31, pp. 2435-2463, 1999[2] P. Garca-Teodoro, J. Daz-Verdejo, G. Maci-Fernndez, and E.

Vzquez, “Anomaly-based Network Intrusion Detection: Tech-niques, Systems and Challenges,” Computers & Security, vol. 28,pp. 18-28, 2009.

[3] D. E. Denning, “An Intrusion-detection Model,” IEEE Transactionson Software Engineering, pp. 222-232, 1987.

[4] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, “DDoS attackdetection method using cluster analysis,” Expert Systems withApplications, vol. 34, no. 3, pp. 1659-1665, 2008.

[5] A. Tajbakhsh, M. Rahmati, and A. Mirzaei, “Intrusion detectionusing fuzzy association rules,” Applied Soft Computing, vol. 9,no. 2, pp. 462-469, 2009.

[6] J. Yu, H. Lee, M.-S. Kim, and D. Park, “Traffic flooding attack de-tection with SNMP MIB using SVM,” Computer Communications,vol. 31, no. 17, pp. 4212-4219, 2008.

[7] W. Hu, W. Hu, and S. Maybank, “AdaBoost-Based Algorithm forNetwork Intrusion Detection,” Trans. Sys. Man Cyber. Part B, vol.38, no. 2, pp. 577-583, 2008.

[8] C. Yu, H. Kai, and K. Wei-Shinn, “Collaborative Detection of DDoSAttacks over Multiple Network Domains,” Parallel and DistributedSystems, IEEE Transactions on, vol. 18, pp. 1649-1662, 2007.

[9] G. Thatte, U. Mitra, and J. Heidemann, “Parametric Methods forAnomaly Detection in Aggregate Traffic,” Networking, IEEE/ACMTransactions on, vol. 19, no. 2, pp. 512-525, 2011.

[10] S. T. Sarasamma, Q. A. Zhu, and J. Huff, “Hierarchical KohonenenNet for Anomaly Detection in Network Security,” Systems, Man,and Cybernetics, Part B: Cybernetics, IEEE Transactions on, vol. 35,pp. 302-312, 2005.

[11] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discrimi-nating DDoS Attacks from Flash Crowds Using Flow CorrelationCoefficient,” Parallel and Distributed Systems, IEEE Transactionson, vol. 23, pp. 1073-1080, 2012.

[12] S. Jin, D. S. Yeung, and X. Wang, “Network Intrusion Detection inCovariance Feature Space,” Pattern Recognition, vol. 40, pp. 2185-2197, 2007.

[13] C. F. Tsai and C. Y. Lin, “A Triangle Area Based Nearest NeighborsApproach to Intrusion Detection,” Pattern Recognition, vol. 43, pp.222-229, 2010.

[14] A. Jamdagni, Z. Tan, X. He, P. Nanda, and R. P. Liu, “RePIDS: Amulti tier Real-time Payload-based Intrusion Detection System,”Computer Networks, vol. 57, pp. 811-824, 2013.

[15] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “Denial-of-Service Attack Detection Based on Multivariate CorrelationAnalysis,” Neural Information Processing, 2011, pp. 756-765.

[16] Z. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “Triangle-Area-Based Multivariate Correlation Analysis for Effective Denial-of-Service Attack Detection,” The 2012 IEEE 11th InternationalConference on Trust, Security and Privacy in Computing andCommunications, Liverpool, United Kingdom, 2012, pp. 33-40.

[17] S. J. Stolfo, W. Fan, W. Lee, A. Prodromidis, and P. K. Chan, “Cost-based modeling for fraud and intrusion detection: results from theJAM project,” The DARPA Information Survivability Conferenceand Exposition 2000 (DISCEX ’00), Vol.2, pp. 130-144, 2000.

[18] G. V. Moustakides, “Quickest detection of abrupt changes for aclass of random processes,” Information Theory, IEEE Transactionson, vol. 44, pp. 1965-1968, 1998.

[19] A. A. Cardenas, J. S. Baras, and V. Ramezani, “Distributed changedetection for worms, DDoS and other network attacks,” The Amer-ican Control Conference, Vol.2, pp. 1008-1013, 2004.

[20] W. Wang, X. Zhang, S. Gombault, and S. J. Knapskog, “At-tribute Normalization in Network Intrusion Detection,” The 10thInternational Symposium on Pervasive Systems, Algorithms, andNetworks (ISPAN), 2009, pp. 448-453.

[21] M. Tavallaee, E. Bagheri, L. Wei, and A. A. Ghorbani, “A DetailedAnalysis of the KDD Cup 99 Data Set,” The The Second IEEE In-ternational Conference on Computational Intelligence for Securityand Defense Applications, 2009, pp. 1-6.

[22] D. E. Knuth, The art of computer programming vol I: Fundamen-tal Algorithms Addison-Wesley, 1973.

Zhiyuan Tan is a PhD student at the Faculty ofEngineering and Information Technology (FEIT)of the University of Technology, Sydney (UTS),also a research member of Research Centrefor Innovation in IT Services and Applications(iNEXT). His research interests are network se-curity, pattern recognition, machine learning andP2P overlay network.

Aruna Jamdagni received her PhD degree fromUniversity of Technology Sydney, Australia in2012. She is a lecturer in the School of Comput-ing and Mathematics, University of Western Syd-ney (UWS), Australia, and a research memberof Research Centre for Innovation in IT Servicesand Applications (iNEXT) at University of Tech-nology Sydney (UTS), Australia. Her researchinterests include Computer and Network Secu-rity and on Pattern Recognition techniques andfuzzy set theory.

Xiangjian He is a Professor of Computer Sci-ence, School of Computing and Communica-tions. He is also Director of Computer Vision andRecognition Laboratory, the leader of NetworkSecurity Research group, and a Deputy Directorof Research Centre for Innovation in IT Servicesand Applications (iNEXT) at the University ofTechnology, Sydney (UTS). He is an IEEE Se-nior Member. He has been awarded Internation-ally Registered Technology Specialist by Inter-national Technology Institute (ITI). His research

interests are network security, image processing, pattern recognitionand computer vision.

Priyadarsi Nanda is a Senior Lecturer in theSchool of Computing and Communications, andis a Core Research Member at the Centre forInnovation in IT Services Applications (iNEXT).His research interests are network QoS, networksecurities, assisted health care using sensornetworks, and wireless networks. Dr Nanda hasover 23 years of experience in teaching andresearch, and has over 40 research publications.

Ren Ping Liu is a principal scientist of net-working technology in CSIRO ICT Centre. Hisresearch interests are Markov chain modelling,QoS scheduling, and security analysis of com-munication networks. He has published morethan 70 papers in these areas in top journalsand conferences. In addition to his research, DrLiu has also been heavily involved in and leda number of commercial projects. As a CSIROconsultant, he delivered networking solutions togovernment and industrial customers, including

Optus, AARNet, Nortel, Queensland Health, CityRail, Rio Tinto, andDBCDE.