
Hyper Sphere Multi-Class SVM And Its Applications On Detecting DDoS Attacks

Posted on: 2009-08-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T Xu
Full Text: PDF
GTID: 1118360245489470
Subject: Information security
Abstract/Summary:
An attacker launches a Distributed Denial of Service (DDoS) attack through a botnet, which floods the victim with garbage IP packets. Because the victim receives more garbage packets than it can process, it stops serving legitimate users. A botnet is composed of computers across the Internet that have security weaknesses. An attacker who commands a botnet to start a DDoS attack with spoofed source IP addresses stays relatively safe. Launching a DDoS attack on the Internet is therefore so easy that it has become a severe threat to Internet security, and researchers must find measures to limit or stop the spread of DDoS attacks. To defeat DDoS attacks efficiently, the first requirement is to detect them precisely. Detecting DDoS attacks is difficult because the attacks may use spoofed source IP addresses and the TCP/IP protocol suite does not authenticate source addresses.

Because DDoS detection is a research focus in network security, many detection algorithms have been proposed in recent years. These algorithms share a common characteristic: they identify DDoS attacks according to a single numeric feature of the traffic. However, the effectiveness of such single-feature algorithms is doubtful because network traffic is random and complex and attack traffic is varied. They are likely to mistake a burst of normal traffic for an attack, so their false positive rates are usually high. In short, several features are required to detect DDoS attacks precisely. Moreover, to defeat DDoS attacks, more information should be extracted at the detection phase, such as attack intensity, attack pattern and attack protocol, so that defenders can respond according to that information. A pattern recognition algorithm can be used to implement such a detection scheme.
All attacks are classified into 24 categories according to attack intensity, attack pattern and attack protocol. A group of features is then found to distinguish these attacks. The attack traffic is sampled with these features to compose the training set, which is used to train the multi-class classifiers. At the testing phase, network traffic is sampled to form the test data, whose category label is obtained from the trained classifier. From the category label one can judge whether an attack is present and obtain its intensity, pattern and protocol.

Support Vector Machines (SVM) are a novel learning machine based on Statistical Learning Theory (SLT). Combining several good techniques, such as the maximum margin hyperplane, Mercer kernels, convex quadratic programming, sparse solutions and slack variables, SVM overcomes the shortcomings of traditional classifiers: local minima, the curse of dimensionality and overfitting. The standard SVM is a binary classifier. To learn a multi-class problem, SVM must be extended to a multi-class classifier. The current main approach is to translate the multi-class problem into a series of binary problems, each solved by one SVM; 1-v-r and 1-v-1 are multi-class classifiers following this idea. They achieve multi-class classification, but because they are constructed indirectly, too many SVMs must be trained at the training phase. As a result, their learning efficiency is low and they are not suited to classification problems with many categories and large training sets, so indirect multi-class classifiers are not suited to DDoS detection. A more efficient direct multi-class learning machine is necessary, because DDoS detection has a large number of categories to classify.
Following and extending earlier research, this dissertation proposes a novel direct multi-class classifier, the Hyper Sphere Multi-Class Support Vector Machine (HSMC-SVM). For each category of examples, one finds the minimum-radius hypersphere enclosing the majority of that category's examples, so N hyperspheres are constructed for N classes. Together the hyperspheres form a soap-bubble-shaped classification frame in the example space. At the testing phase, a test point is assigned to the class whose sphere is closest to it. Because it classifies directly, HSMC-SVM has advantages over indirect classifiers, such as large learning capacity, a fast training process and good extensibility. Each hypersphere is computed by solving a convex QP problem. Since the SMO algorithm trains SVM successfully, an SMO algorithm is proposed for training HSMC-SVM, together with a second-order information measure for working set selection; the two measures further increase the training speed. "Shrinking" and "caching" are also used to speed up training. Theoretical analysis proves that the classification error of HSMC-SVM is bounded. Our numerical experiments show that HSMC-SVM trains and tests faster than 1-v-r and 1-v-1, but its learning precision is lower than theirs.

To further improve training speed and learning precision, a least squares measure is introduced into HSMC-SVM, forming a new learning machine, the Least Square Hyper Sphere Multi-Class SVM (LSHS-MCSVM). Compared with HSMC-SVM, LSHS-MCSVM uses the squared (second) norm in the objective function, replaces the inequality constraints with equality constraints and removes the constraints on the Lagrange multipliers. These differences make multiplier scanning and optimization faster in LSHS-MCSVM, so it converges faster than HSMC-SVM. LSHS-MCSVM can also be trained with the SMO algorithm.
With working set selection based on first-order and second-order information, LSHS-MCSVM trains faster than with empirical working set selection. Because both HSMC-SVM and LSHS-MCSVM are based on the hypersphere classification frame, they have similar theoretical upper bounds on the error. The numerical experiments show that LSHS-MCSVM trains faster than HSMC-SVM at the same learning precision; moreover, on certain datasets the learning precision of LSHS-MCSVM is even higher than that of HSMC-SVM.

To detect DDoS attacks with HSMC-SVM and LSHS-MCSVM, a 9-dimensional relative value (RV) feature vector is extracted by analyzing DDoS attack traffic. The numerical experiments show that the RV features distinguish all kinds of attacks precisely and efficiently identify DDoS attacks launched by real attack tools. The experimental results show that the two classifiers can identify the class label of real DDoS attacks. From the class label, network administrators can obtain the attack intensity, pattern and protocol when an attack is present, which is important information for defeating DDoS attacks successfully.
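As an added example that is not part of the dissertation, the following Python fits one least-squares hypersphere per class in the LSHS-MCSVM manner (squared slack term, equality constraints, unbounded multipliers) and applies the nearest-sphere decision rule of HSMC-SVM. The RBF kernel, the values C=10 and gamma=0.5, the direct linear solve in place of SMO, and the three-cluster toy data are assumptions of this example.

```python
# Added example, not the dissertation's code: a least-squares hypersphere
# multi-class classifier in the spirit of LSHS-MCSVM. For each class solve
#   min R^2 + (C/2) sum xi_i^2   s.t.  ||phi(x_i) - a||^2 = R^2 + xi_i  (equalities)
# Stationarity: a = sum alpha_i phi(x_i), sum alpha_i = 1, xi_i = alpha_i/C; with
# b = R^2 - ||a||^2 the KKT conditions form one LINEAR system with unbounded alpha:
#   2 K alpha + alpha/C + b = diag(K),  sum(alpha) = 1.
# Assumed here: RBF kernel, C=10, gamma=0.5, a direct solve (the thesis uses SMO).
import math

def rbf(x, y, gamma):
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(x, y)))
def solve(A, rhs):
    """Gauss-Jordan elimination with partial pivoting (pure Python, no numpy)."""
    n = len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [u - f * v for u, v in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def fit_sphere(X, C, gamma):
    """One class: solve the (n+1)x(n+1) KKT system for alpha and b."""
    n = len(X)
    K = [[rbf(X[i], X[j], gamma) for j in range(n)] for i in range(n)]
    A = [[2 * K[i][j] + (1 / C if i == j else 0.0) for j in range(n)] + [1.0]
         for i in range(n)] + [[1.0] * n + [0.0]]      # last row: sum(alpha) = 1
    sol = solve(A, [K[i][i] for i in range(n)] + [1.0])
    alpha, b = sol[:n], sol[n]
    aa = sum(alpha[i] * alpha[j] * K[i][j] for i in range(n) for j in range(n))
    return {"X": X, "alpha": alpha, "aa": aa, "gamma": gamma,
            "R": math.sqrt(max(b + aa, 0.0))}          # R^2 = b + ||a||^2

def sphere_distance(s, x):
    """Signed distance from phi(x) to the sphere surface (negative = inside)."""
    kx = [rbf(x, xi, s["gamma"]) for xi in s["X"]]
    d2 = 1.0 - 2 * sum(a * k for a, k in zip(s["alpha"], kx)) + s["aa"]  # k(x,x)=1
    return math.sqrt(max(d2, 0.0)) - s["R"]
def fit(X, y, C=10.0, gamma=0.5):
    return {c: fit_sphere([x for x, l in zip(X, y) if l == c], C, gamma) for c in set(y)}
def predict(model, x):          # nearest sphere wins, as in the HSMC-SVM decision rule
    return min(model, key=lambda c: sphere_distance(model[c], x))
# Constructed toy data: three 2-D clusters standing in for three attack categories.
X = [(0.0, 0.0), (0.4, 0.2), (-0.3, 0.5), (0.2, -0.4), (5.0, 5.0), (5.3, 4.6),
     (4.7, 5.4), (5.1, 5.2), (0.0, 5.0), (0.5, 5.3), (-0.4, 4.8), (0.2, 4.6)]
y = ["a"] * 4 + ["b"] * 4 + ["c"] * 4
MODEL = fit(X, y)
```

Because the constraints are equalities, every training point ends up at squared distance R^2 + alpha_i/C from its class centre, so points with negative alpha_i sit slightly inside the sphere and points with positive alpha_i slightly outside.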
Keywords/Search Tags: Distributed Denial of Service (DDoS) Attacks, Support Vector Machines (SVM), Multi-Class Pattern Recognition, Hyper Sphere Multi-Class SVM (HSMC-SVM), Least Square Hyper Sphere Multi-Class SVM (LSHS-MCSVM), Working Set Selection