Detection of Denial of Service Attack in Wireless Network using Dominance based Rough Set

A denial-of-service (DoS) attack aims to block the services of a victim system, either temporarily or permanently, by sending a huge amount of garbage traffic over various protocols such as Transmission Control Protocol, User Datagram Protocol, Internet Control Message Protocol, and Hypertext Transfer Protocol, using single or multiple attacker nodes. Maintaining an uninterrupted service system is technically difficult as well as economically costly. As new system vulnerabilities emerge, new techniques for determining these vulnerabilities have been implemented. In general, probabilistic packet marking (PPM) and deterministic packet marking (DPM) are used to identify DoS attacks. Later, an intelligent decision prototype was proposed. Its main advantage is that it can be used with both PPM and DPM. However, it is observed that the data available in a wireless network information system contains uncertainties. Therefore, an effort has been made to detect DoS attacks using dominance based rough set. The accuracy of the proposed model obtained over the KDD cup dataset is 99.76, which is higher than the accuracy achieved by the resilient back propagation (RBP) model.

Keywords—Denial of service; Rough set; Lower and upper approximation; Dominance relation; Data analysis


I. INTRODUCTION
Denial-of-service attack is one of the most threatening security issues in wireless networks. Over the past few years, it has been observed that, while surfing websites on the internet, a computer in the network host may have been the target of denial-of-service attacks using various protocols such as TCP, UDP, ICMP, and HTTP. Among these, TCP flooding is the most prevalent [1]. This results in disruption of services at high cost. The main objective of a denial-of-service attack is to consume a large amount of resources, thus preventing legitimate users from receiving service with some minimum performance. TCP flooding [1] exploits TCP's three-way handshake procedure, and specifically its limitation in maintaining half-open connections. A denial-of-service attack is a technique to make a host or network resource unavailable to its intended users. The attack temporarily or permanently interrupts or suspends services of a computer in the network host connected to the Internet. A permanent denial-of-service attack damages a system so badly that it requires replacement or reinstallation of hardware such as routers, printers, or other network hardware. Hence, in general, detection is required before the spread of this attack. Detection of such an attack is often a part of information security [2,3]. Therefore, it is essential to secure wireless networks from such an attack.
A distributed denial of service (DDoS) attack is a simultaneous network attack on a victim from a large number of compromised hosts, which may be distributed widely among different, independent networks [4]. By exploiting the asymmetry between network-wide resources and the local capacities of a victim, a DDoS attack can build up an intended congestion very quickly. The Internet routing infrastructure, which is stateless and based mainly on destination addresses, appears extremely vulnerable to such coordinated attacks. It is a type of cyber attack in which the victim is overloaded and is not able to perform any normal functions. Many researchers have presented their work in various directions. Gavrilis and Dermatas use a radial basis function neural network and statistical features to achieve accurate classification of abnormal activity under DDoS attack without interfering with normal traffic [5]. The advantage of this method is that it can block the traffic selectively based on the attack. Wang et al. introduced a queuing model for the evaluation of denial of service attacks in computer networks. The network is characterized by a two-dimensional embedded Markov chain model. It helps in developing a memory-efficient algorithm for finding the stationary probability distribution, which can be used to find other interesting performance metrics such as connection loss probability and buffer occupancy percentages of half-open connections [6]. Gelenbe and Lukes proposed a model to defend against denial of service attacks using cognitive packet network infrastructure. The technique uses smart packets to select paths based on quality of service [7].
Mell introduces a resistant intrusion detection system architecture to counter denial of service attacks. The components of the intrusion detection system architecture are invisible to the attacker, and the architecture also relocates intrusion detection system components from attacked hosts. This is achieved by using mobile agent technology [8]. Hamdi uses an outbound and inbound demilitarized zone to detect denial of service attacks. The major advantage is that it also identifies synchronize flooding attacks [9]. Later, Chen et al. applied a targeted filtering method to identify a distributed denial of service attack. The advantage is that it can be deployed at a local firewall. But it takes extra time to detect the attack [10]. Rajkumar and Selvakumar proposed a model using the resilient back propagation (RBP) algorithm as the base classifier for the detection of denial of service attacks [11]. From the literature survey, it is understood that much research has been carried out on the detection of denial of service attacks and distributed denial of service attacks.
Denial-of-service attacks commonly block the services of legitimate users in a wireless network, either temporarily or permanently, by supplying either short term or long term harmful artificial traffic. Additionally, it is observed that the information system pertaining to denial-of-service attacks in a wireless network contains uncertainties, and the attributes involved in the information system have some specific order. To deal with such uncertainties, criteria, and specific order, the concept of dominance based rough set can be used. This motivates us to consider an alternative approach using dominance based rough set.
In this paper, we propose an alternative method using dominance based rough set for the detection of denial of service attacks. The rest of the paper is organized as follows: we discuss basic concepts of dominance based rough set in section 2. Section 3 discusses the dominance principle. A case study is presented in section 4 to analyze and track denial of service attacks using dominance based rough set. Finally, the paper ends with a conclusion.

II. FOUNDATION OF INFORMATION SYSTEM
An information system provides a convenient way to describe a finite set of objects, called the universe, with a finite set of attributes, thereby representing all the available information and knowledge. Formally, it is defined as a four tuple where $V_a$ is the set of attribute values that an attribute $a$ may take. The component $f : (U \times A) \to V$ is an information function. The information system is said to be a decision system if $A = C \cup \{d\}$, $C \neq \phi$, $\{d\} \neq \phi$ and $C \cap \{d\} = \phi$, where $C$ is a set of conditional attributes and $d$ is the decision [12].
Let $B \subseteq A$. Two objects $x_i$ and $x_j$ are said to be $B$-indiscernible if $f(x_i, a) = f(x_j, a)$ for all $a \in B$. Mathematically, we denote it as $IND(B)$ is defined as below and we write
If $(x_i, x_j) \in dm(Q)$, then we write $x_j D_Q x_i$. Let $P \subseteq C$ be a criteria set. Let us define $D_P^+(x_i)$, $P$-dominating $x_i$ as below.
Similarly, we define a set $D_P^-(x_i)$, $P$-dominated by $x_i$ as below.
Two objects $x_i$ and $x_j$ are said to be inconsistent if their criteria do not satisfy the dominance principle with the ordered decision class [13].

III. DOMINANCE BASED ROUGH SET
The rough set of Pawlak is a mathematical tool used in data analysis, in particular to analyze uncertainties [14]. But it fails to analyze data containing preference order and may lead to loss of information. To overcome these limitations, the concept of dominance based rough set was introduced [15,16,17]. In dominance based rough set, given a set of objects, there is at least one criterion among the condition attributes. Additionally, attributes like color or country may not be preference ordered. Therefore, criteria attributes are divided into ordered decision classes based on the decision attribute. Also, criteria in condition attributes are correlated semantically with the ordered decision attribute by means of the dominance relation.
Formally, dominance based rough set (DRS) is based on the concept of the dominance principle to extract knowledge from the information system. Here, the classification is carried out based on the decision class ($d$). Therefore, the decision ($d$) divides the universe $U$ into a finite number of classes, $CL$, such as
Additionally, these classes are ordered. It means that, if $r, s \in T$ and $r > s$, then the objects of class $Cl_r$ are preferred to the objects of class $Cl_s$. The upward and downward unions of every element $Cl_i$ of $CL$ are given as $Cl_i^{\geq}$ and $Cl_i^{\leq}$ respectively. Mathematically, it is defined as
Let $Q \subseteq C$. Objects that certainly belong to $Cl_i^{\geq}$ and $Cl_i^{\leq}$ are in their lower approximations $\underline{Q}(Cl_i^{\geq})$ and $\underline{Q}(Cl_i^{\leq})$ respectively. The lower approximations are defined as below.
Similarly, objects that possibly belong to $Cl_i^{\geq}$ and $Cl_i^{\leq}$ are in their upper approximations $\overline{Q}(Cl_i^{\geq})$ and $\overline{Q}(Cl_i^{\leq})$ respectively. They are defined as below.
The boundary regions of $Cl_i^{\geq}$ and $Cl_i^{\leq}$, which contain ambiguous elements, are defined as below.

A. Dominance Relation Based Rule Formation
For a given information system, the dominance principle is capable of deducing a more generalized description of objects. This can be done by means of the upward and downward unions of rough approximations. This is a fundamental concept in knowledge discovery.
Let $Q \subseteq C$ be a set of conditional attributes. Based on the rough approximation, the $Q$-lower and $Q$-upper approximations are computed on the criterion attributes to extract the knowledge. The rules generated from the criterion attributes using the upward and downward unions of the $Q$-lower and $Q$-upper approximations are of the form "If Condition then Decision".
In real-life situations, the data collected may be uncertain, vague and imprecise, which may lead to inconsistency. Inconsistent data are identified in rough set by means of the indiscernibility relation. Likewise, the inconsistency present in the collected data is identified in dominance based rough set by employing the dominance relation. Two objects are said to be inconsistent when the criteria attributes do not satisfy the dominance principle with the decision attribute. Further, such inconsistency must be removed, as it leads to erroneous decisions. The simplest way to remove such inconsistency is to omit the inconsistent objects. The five kinds of determinate rules associated with dominance based rough set are defined as follows [13].
Rules generated in this way are called certain $D_{\geq}$ decision rules. These rules are obtained from $\underline{Q}(Cl_t^{\geq})$.

2) For all criteria a
Rules generated in this way are called possible $D_{\geq}$ decision rules. These rules are obtained from $\overline{Q}(Cl_t^{\geq})$.

3) For all criteria a
Rules generated in this way are called certain $D_{\leq}$ decision rules. These rules are obtained from
Rules generated in this way are called possible $D_{\leq}$ decision rules. These rules are obtained from
Rules generated in this way are called approximate $D_{\geq\leq}$ decision rules. These rules are obtained from
Rules 1 and 3 represent certain knowledge, whereas rules 2 and 4 represent possible knowledge that can be extracted from the information system. Rule 5 represents ambiguous knowledge.
ai , then $y$ is called the basis of the rule. An object which matches both the condition and decision parts of a rule supports the decision rule. An object which meets only the condition part of a rule is covered by the decision rule. A set of decision rules, either certain or approximate, is said to be complete if it satisfies the following conditions.
It means that the set of rules must cover all objects of the information system. Additionally, it assigns consistent objects to their original classes and inconsistent objects to clusters of classes pertaining to this inconsistency.

IV. PROPOSED RESEARCH DESIGN
A common type of attack used to block the service of a wireless network in recent years is the denial of service attack. Therefore, recognizing such an attack is a great challenge. To this end, in this section, we propose our research design for detecting DoS attacks. The following Figure 1 depicts an abstract view of the model. The initial step of any model development is problem identification, which includes basic knowledge of the problem undertaken. The data collected is initially preprocessed. The main objective is to transform the raw input data into an appropriate format for subsequent analysis. The various steps involved are merging of data from data repositories, data cleaning, which removes noise and duplicate observations, and then selecting relevant observations as per the requirement of the problem undertaken. The selection of observations is done in order to analyze only one decision, denial-of-service. The processed data is partitioned into two categories: training data of 55% and testing data of 45%. The training data is analyzed using dominance based rough set to identify the decision class that affects the decision. We apply the DOMLEM algorithm to obtain the rules.

A. DOMLEM Algorithm
In rough set theory, several algorithms have been proposed for the induction of decision rules [18,19,20]. Some of these algorithms also generate a minimum number of rules. Generally, a heuristic approach is used to deduce rules because of the NP-hard nature of the problem [18]. In this paper we use the DOMLEM algorithm as proposed by Greco et al. [13] for the detection of denial-of-service attacks. The algorithm is repeatedly applied for all lower or upper approximations of the upward (downward) unions of decision classes. Considering the preference order of decision classes and the aim of getting minimum rules, the algorithm is applied repeatedly starting from the strongest union of classes. Therefore, decision rules of the lower approximations of upward unions of classes
for each $e_k \in Cond$, do end for end while for each

An Illustration of DOMLEM Algorithm
This section explains how the above concepts can be applied in analyzing a denial-of-service attack in a wireless network. To analyze the above concepts, we have considered the dataset discussed by various authors in their papers [15,21,22,23]. We present the dataset in the following Table I. The various attributes considered are packets received or sent per second (Mbps), number of attacker nodes, type of protocol, service block period, and damage. We denote these attributes as $a_1$, $a_2$, $a_3$, $a_4$, and $a_5$ respectively. The attribute $a_3$ may take the values TCP, UDP, or ICMP. Similarly, the different values the attribute $a_4$ may take are zero (Zo), short (So), long (Lo), or permanent (Pt). Finally, the different values that the attribute $a_5$ may take are hardware fail (HF), software fail (SF), system hang (SH), system reset (SR), time waste (TW), or no damage (ND). The decision attribute ($d$) describes the category of denial of service attack, such as permanent denial of service attack (PDA), distributed denial of service attack (DDA), simple denial of service attack (SDA), and no attack (NA). Consider the attributes $Q = \{a_1, a_2, a_4\}$ as criteria among all conditional attributes $a_1$, $a_2$, $a_3$, $a_4$, $a_5$.
The above table contains 13 objects of denial-of-service attack in a wireless network and their various conditional attribute values, where $U$ denotes the node number. For analysis purposes, the dataset is divided into two: a training dataset of 7 objects (55%) and a testing dataset of 6 objects (45%). We employ dominance based rough set data analysis on the training dataset to obtain candidate classes. The testing dataset is used to detect overfitting of the decision classes based on the predefined threshold value of 70%. The decision divides the training dataset of the universe into a finite number of classes, $CL$, as below.
Similarly, the upward unions of the training dataset elements $Cl_i$, $i = 4, 3, 2$ of $CL$ are given below.
Let us consider the downward union $Cl_1^{\leq} = \{x_1, x_7\}$. On considering the criteria $Q = \{a_1, a_2, a_4\} \subseteq C$, the lower and upper approximations are given as $\underline{Q}(Cl_1^{\leq}) = \{x_1\}$ and $\overline{Q}(Cl_1^{\leq}) = \{x_1, x_2, x_7\}$ respectively. Therefore, the boundary objects are $BN_Q(Cl_1^{\leq}) = \{x_2, x_7\}$. This is because the objects $x_2$ and $x_7$ violate the dominance principle. This can be seen from the information system presented in Table I. From Table I, it is clear that object $x_7$ dominates object $x_2$ on criteria $Q$, but the decision corresponding to the object $x_7$ is finer than the decision corresponding to the object $x_2$. Hence, they are inconsistent. Also, it can be shown that objects $x_3$ and $x_6$ are inconsistent. Similarly, the lower and upper approximations and the boundary of the downward and upward unions of other classes are presented below.
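The dominance cones, approximations and boundaries used in this walk-through can be recomputed mechanically. The following Python code is an added example, not the authors' C implementation: its seven-object table is constructed (it is not the paper's Table I) so that the sets quoted above for the downward union of class 1 come out the same, and the class numbering (1 = least severe, 4 = most severe) and all function names are assumptions.

```python
SCALE = {"Zo": 0, "So": 1, "Lo": 2, "Pt": 3}  # a4 (service block period), ordered

# Constructed training objects, NOT the paper's Table I.
# object: (a1 packets/s, a2 attacker nodes, a4 block period, class 1..4)
# Class numbering 1 = least severe ... 4 = most severe is an assumption.
TABLE = {
    "x1": (1.0, 1, "Zo", 1),
    "x2": (1.5, 1, "So", 2),
    "x3": (2.5, 3, "Lo", 3),
    "x4": (2.4, 5, "Lo", 3),
    "x5": (4.0, 6, "Pt", 4),
    "x6": (2.6, 4, "Lo", 2),
    "x7": (1.6, 5, "So", 1),
}


def crit(x):
    """Criteria vector of object x on Q = {a1, a2, a4}."""
    a1, a2, a4, _ = TABLE[x]
    return (a1, a2, SCALE[a4])


def dominates(x, y):
    """x D_Q y: x is at least as high as y on every criterion in Q."""
    return all(p >= q for p, q in zip(crit(x), crit(y)))


def d_plus(x):
    """Q-dominating set of x: the objects that dominate x."""
    return {y for y in TABLE if dominates(y, x)}


def d_minus(x):
    """Q-dominated set of x: the objects that x dominates."""
    return {y for y in TABLE if dominates(x, y)}


def class_union(t, up):
    """Upward union Cl>=t (up=True) or downward union Cl<=t (up=False)."""
    return {x for x, row in TABLE.items() if (row[3] >= t if up else row[3] <= t)}


def approximations(t, up):
    """Return (lower, upper, boundary) of the chosen union of classes."""
    target = class_union(t, up)
    certain, possible = (d_plus, d_minus) if up else (d_minus, d_plus)
    lower = {x for x in TABLE if certain(x) <= target}    # cone inside the union
    upper = {x for x in TABLE if possible(x) & target}    # cone touches the union
    return lower, upper, upper - lower


def inconsistent_pairs():
    """Pairs (x, y) where x dominates y on Q yet x sits in a lower class."""
    return sorted((x, y) for x in TABLE for y in TABLE
                  if dominates(x, y) and TABLE[x][3] < TABLE[y][3])


if __name__ == "__main__":
    for t, up in [(1, False), (2, False), (3, False), (2, True), (3, True), (4, True)]:
        lower, upper, boundary = approximations(t, up)
        name = f"Cl{'>=' if up else '<='}{t}"
        print(name, "lower", sorted(lower), "upper", sorted(upper),
              "boundary", sorted(boundary))
    print("inconsistent:", inconsistent_pairs())
```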
Next, we can pick the elementary condition $e_{10}$ because of the highest first and second measure, which covers the object $x_5$. Thus there is no need to proceed further and the rule can be written as:
2 ) to obtain the rules for the class $x \in Cl_2^{\geq}$. On employing the DOMLEM algorithm we get the following elementary conditions.
The elementary conditions $e_2$, $e_5$, $e_6$, $e_8$, and $e_9$ have the highest first measure, but the elementary condition $e_9$ has the highest second measure and so we choose the elementary condition $e_9$. Further, $[e_9]$ is a subset of $Q(Cl_2^{\geq})$ and covers all positive examples. Thus the process terminates and the rule can be written as:
Likewise, we explain how certain $D_{\leq}$ decision rules are induced for the downward union. Let us consider the class $Cl_1^{\leq}$ and the lower approximation $\underline{Q}(Cl_1^{\leq}) = \{x_1\}$ for obtaining $D_{\leq}$ decision rules. The elementary conditions obtained are given below.
The elementary conditions $e_1$ and $e_2$ have the highest first measure and cover all the positive examples. Further, both $[e_1]$ and $[e_2]$ are subsets of $Q(Cl_1^{\leq})$. Therefore, the process terminates and the rules can be stated as:
2 ) = $\{x_1, x_2, x_7\}$ to obtain the rules for the class $Cl_2^{\leq}$. The elementary conditions obtained are listed below.
2 ). Therefore, the process terminates and the rule can be stated as:
3 ). Therefore, we can choose either of the elementary conditions $e_7$ and $e_{11}$. Let us choose the elementary condition $e_7$, which covers objects $x_1$, $x_2$, and $x_7$. To proceed further, the objects $x_1$, $x_2$, and $x_7$ are removed from $G$ and the process is repeated. The remaining objects to be covered are $x_3$ and $x_6$. Therefore, the above elementary conditions lead to 7 elementary conditions as below.
$e_{13} = \{f(x, a_1) \leq 2.67\} = \{x_3, x_5, x_6\}$; 2/3; 2
$e_{14} = \{f(x, a_1) \leq 2.6\} = \{x_3, x_5, x_6\}$; 2/3; 2
$e_{15} = \{f(x, a_1) \leq 2.68\} = \{x_3, x_5, x_6\}$; 2/3; 2
$e_{16} = \{f(x, a_1) \leq 2.5\} = \{x_3, x_5\}$; 1/2; 1
The elementary conditions $e_{13}$, $e_{14}$, $e_{15}$, and $e_{19}$ have the highest first measure. Also, the second measure of these conditions is the same. But it is not sufficient to create decision rules using any of the conditions, because all these conditions cover either object $x_5$ or $x_4$, which is a negative example. Therefore, one has to consider the complexes $(e_{13} \cap e_{19})$, $(e_{14} \cap e_{19})$, and $(e_{15} \cap e_{19})$. All the complexes have the highest first measure and cover positive examples. Therefore, we get the following decision rules.
The elementary conditions obtained are listed below.
The elementary conditions $e_1$ and $e_6$ produce the highest first measure. But both elementary conditions $e_1$ and $e_6$ cover the positive and negative examples. Further, both $[e_1]$ and $[e_6]$ are not subsets of $Q(Cl_1^{\leq}) \cap Q(Cl_2^{\geq})$. Thus one has to consider the complex $(e_1 \cap e_6)$. It is also a subset of $Q(Cl_1^{\leq}) \cap Q(Cl_2^{\geq})$. Additionally, it produces the highest first and second measure. Therefore, the rule can be stated as below:
3 ) = $\{x_3, x_6\}$ and $O_1$, $O_2$ as stated above, the approximate $D_{\geq\leq}$ rules are computed. The elementary conditions obtained are listed below.
The elementary condition $e_4$ produces the highest first measure, covers a positive example, and $[e_4]$ is a subset of . Therefore, the elementary condition $e_4$ is considered to generate a rule. Further, the object $x_6$ is removed and elementary conditions are obtained to include the object $x_3$.
The elementary condition $e_6$ produces the highest first measure, covers both positive and negative examples, and is not a subset of ). Thus we have to consider the complex $(e_6 \cap e_7)$ to cover the positive example $x_3$. The rules generated in this way are listed below.
Now, collectively we write the decision rules obtained as below.
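The greedy covering that the illustration walks through (pick the elementary condition with the highest first measure, break ties on the second measure, extend to a complex until its cover fits inside the lower approximation) can be written compactly. The following Python code is an added example for certain D≥ rules, not the authors' C implementation: the table is constructed (it is not the paper's Table I), the class numbering is an assumption, and `cover`, `lower_up`, `find_rules`, `render` and `induce` are hypothetical names.

```python
from fractions import Fraction

# Constructed training objects, NOT the paper's Table I; a4 is coded on its
# ordered scale Zo=0 < So=1 < Lo=2 < Pt=3. Class numbering (1 = least severe,
# 4 = most severe) is an assumption.
# object: (a1, a2, a4, class)
ROWS = {
    "x1": (1.0, 1, 0, 1), "x2": (1.5, 1, 1, 2), "x3": (2.5, 3, 2, 3),
    "x4": (2.4, 5, 2, 3), "x5": (4.0, 6, 3, 4), "x6": (2.6, 4, 2, 2),
    "x7": (1.6, 5, 1, 1),
}
CRIT = {"a1": 0, "a2": 1, "a4": 2}   # criteria Q and their column index
CLASS = 3                            # column index of the decision class


def cover(conds):
    """[E]: objects meeting every elementary condition (q, v), read f(x, q) >= v."""
    return {x for x, row in ROWS.items() if all(row[CRIT[q]] >= v for q, v in conds)}


def lower_up(t):
    """Lower approximation of Cl>=t: objects whose dominating set stays in Cl>=t."""
    target = {x for x, row in ROWS.items() if row[CLASS] >= t}
    return {x for x, row in ROWS.items()
            if cover([(q, row[i]) for q, i in CRIT.items()]) <= target}


def find_rules(B):
    """Greedy covering of B, which must be a lower approximation of an upward union."""
    rules, G = [], set(B)              # G: positive examples not yet covered
    while G:
        E, S = [], set(G)              # E: complex under construction
        while not E or not cover(E) <= B:
            best, best_key = None, None
            for q, i in CRIT.items():
                for v in sorted({ROWS[x][i] for x in S}):
                    if (q, v) in E:
                        continue
                    cov = cover(E + [(q, v)])
                    hits = len(cov & G)
                    # first measure |[E] & G| / |[E]|, second measure |[E] & G|
                    key = (Fraction(hits, len(cov)), hits)
                    if best_key is None or key > best_key:
                        best, best_key = (q, v), key
            E.append(best)
            S &= cover([best])
        for e in list(E):              # drop conditions the complex does not need
            rest = [c for c in E if c != e]
            if rest and cover(rest) <= B:
                E = rest
        rules.append(E)
        G = set(B) - set().union(*(cover(r) for r in rules))
    return rules


def render(rule, t):
    """Write a complex as a certain 'at least' decision rule."""
    body = " and ".join(f"f(x, {q}) >= {v}" for q, v in rule)
    return f"if {body} then x in Cl>={t}"


def induce(classes=(4, 3, 2)):
    """Run the covering from the strongest upward union downwards."""
    return {t: [render(r, t) for r in find_rules(lower_up(t))] for t in classes}


if __name__ == "__main__":
    for t, rules in induce().items():
        for r in rules:
            print(r)
```

On this table the union of classes 3 and above needs two rules, one of them a two-condition complex, because no single threshold separates `x4` from the lower-class objects.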
Finally, the rules obtained are validated with the testing dataset by computing the accuracy (Acc.) based on precision (Prec.) and recall (Rec.). The precision, recall, and accuracy are computed using the equations (8), (9), and (10). The notation $TP$ is used for correct classification of cases to decisions, whereas $FP$ is used for incorrect classification of cases to decisions. The notation $TN$ is the number of cases which are correctly classified as negative, whereas $FN$ is the number of incorrect cases classified as positive. Additionally, a rule is also discarded if its accuracy falls below the predefined threshold value of 70%.
The computation of precision, recall, and accuracy for the testing objects is presented in Table II. It is clear that the accuracy of rules 1, 5, 8, 9, 10, 11, 12, 14, and 15 is less than the predefined threshold value, and hence they are discarded.

V. EMPIRICAL STUDY OF DOS ATTACK
This section describes how the proposed technique is used on a dataset. The dataset is preprocessed so that it can be given as an input to our developed system. Collection of data is a critical problem. This can be done in three ways: by using real traffic, by using sanitized traffic, and by using simulated traffic. However, difficulties exist in using these approaches. The real traffic approach is very costly, while the sanitized approach is risky. Creating a simulation is also a difficult task. Further, in order to model various wireless networks, different types of traffic are needed. In order to avoid dealing with these difficulties, the Knowledge Discovery Dataset (KDD) cup dataset is considered for experimental analysis.
The dataset contains 11,160 records, in which the decisions for 3,260 records are normal whereas 7,900 records are various DoS attacks such as neptune, udp storm, smurf, ping of death (PoD), back, teardrop, land, mailbomb, process table. Each sample of the dataset represents a connection between two wireless network hosts according to network protocols. It is described by 42 features as depicted in Table III. Out of the 42 features, 41 are conditional features and one is the decision. The set of 41 features is divided into four subsets: basic feature set, data flow feature set, host based feature set, and content feature set. The basic feature set, $a_1$ to $a_9$, is used to check the status of the flags, number of source bytes, number of destination bytes, types of protocols used, and duration of the period while information is communicated. The content feature set, $a_{10}$ to $a_{22}$, is used to check the number of failed logins, number of compromised, number of logged-in, number of guest logins, etc. Likewise, the data flow feature set, $a_{23}$ to $a_{31}$, is used to verify the sending and receiving errors during communication between source and destination. Similarly, the host based feature set, $a_{32}$ to $a_{41}$, is used to get the information on receiving host and sending host errors during communication. Of the 41 features, 38 features are continuous or discrete (quantitative) and the remaining 3 features are qualitative or categorical.
Each sample of the decision feature is labeled as either normal or one of the various DoS attacks. The dataset contains 10 class labels, out of which one class is normal and the remaining classes are different DoS attacks: neptune, udp storm, smurf, pod, back, teardrop, land, mail bomb, and process table respectively. Some DoS attacks such as mail bomb, neptune, or smurf abuse a perfectly legitimate feature. The teardrop and pod attacks create malformed packets that confuse the TCP/IP stack of the machine that is trying to reconstruct the packet. The other DoS attacks, such as back and land, take advantage of bugs in a particular network daemon.

A. Experimental Analysis
We implemented the wireless network DoS detection system in the C programming language and performed experiments on a computer with a 2.67 GHz Intel core i3 processor and 2 GB RAM. In total, 11,600 records are divided into two categories: a training dataset of 6,138 (55%) records and a testing dataset of 5022 (45%) records. The details of the training, testing, and total datasets and their various classifications are given in Table IV. Out of the 41 conditional features, 18 features, namely $a_1$, $a_3$, $a_4$, $a_6$, $a_{13}$, $a_{14}$, $a_{16}$, $a_{17}$, $a_{19}$, $a_{20}$, $a_{21}$, $a_{22}$, $a_{33}$, $a_{34}$, $a_{35}$, $a_{37}$, $a_{40}$, $a_{41}$, are considered as criteria, as suggested by various authors [24,25]. For better visualization of the dataset, a graphical representation is shown in Figure 2.
Experimental analysis is carried out on each class of the training dataset. Initially, we employed the DOMLEM algorithm on the 1887 records that fall under the category normal. The total number of rules generated is 23. The rules generated are presented in Table V. These rules are further validated with 1373 records of the testing dataset, and it is found that rules 6, 9, 10, 16 and 18 have accuracy less than the predefined threshold value. Hence, these rules are discarded. A graphical representation is shown in Figure 3. Likewise 740 records of data that are falling under the category of neptune, 767 records of data of udp storm, 762 records of data of smurf, 1042 records of data of pod, 188 records of data of back, 285 records of data of tear-drop, 155 records of data of land, 162 records of data of mail-bomb, and 150 of data of

B. Comparison with different approach
In this section, we compare the results of the proposed model with five different models: resilient back propagation (RBP) [11], Markov chain model (MCM) [6], radial basis function (RBF) [5], resistant architecture model (RAM) [8], and wavelet transform model (WTM) [9]. Unlike Table XV, the computation is carried out for each case across each technique. Table XVI presents the comparative analysis of all the techniques mentioned above. The accuracy of the proposed model over the KDD cup dataset is 99.76, whereas the accuracy of the RBP model over the same dataset is 99.35. It indicates that the accuracy of the proposed model is 0.41 higher than the RBP model. For better visualization, a graphical representation of the comparative analysis is shown in Figure 4. Figure 5 depicts the number of rules generated, the number of rules discarded, and the number of rules finally selected for each class. The total number of rules generated is 169, and 18% of the rules are discarded through validation. This reduces the number of rules to 82%.
Denial-of-service attack is one of the key security threats in wireless networks. Defending against DoS attacks is of prime importance for industries and internet service providers. To overcome this attack, many techniques have been proposed by various researchers [5,6,8,9,11]. In this paper, we propose a model for the detection of denial of service attacks in wireless networks using dominance based rough set. The proposed model is analyzed with the help of the KDD cup dataset. The total number of rules generated is 169, and 18% of the rules are discarded through validation. This reduces the number of rules to 82%. Additionally, it is compared with existing techniques and found to have better accuracy. The accuracy of the proposed model is 99.76, whereas the accuracy of the RBP model is 99.35. This shows that the proposed model is 0.41 higher than the RBP model.

$x_7\}$ to obtain the decision rules for the class $Cl_3^{\leq}$. The elementary conditions obtained are listed below.

Fig. 5: Graphical view of numbers of rules selected

TABLE I: An information system of denial-of-service attack in a wireless network

3; $Cl_3$ has more delay than $Cl_2$; and $Cl_2$ has more delay than $Cl_1$. The downward unions of every element $Cl_i$, $i = 1, 2, 3$ of $CL$ are given below.

TABLE II: Rule validation of denial-of-service attacks in a wireless network

TABLE III: Features set of denial-of-service attack

category smurf generated 17 rules, category pod generated 20 rules, category back generated 15 rules, category tear-drop generated 12 rules, category land generated 10 rules, category mail bomb generated 13 rules, and the category process table generated 11 rules. These rules are further validated with the testing dataset as mentioned in Table IV. The number of rules discarded for the categories neptune, udp storm, smurf, pod, back, tear-drop, land, mail and process table are 6, 3, 2, 2, 3, 2, 2, 3, and 3 respectively. The final rules selected for the various categories neptune, udp storm, smurf, pod, back, tear-drop, land, mail bomb, and process table are presented in Table VI, Table VII, Table VIII, Table IX, Table X, Table XI, Table XII, Table XIII, and Table XIV respectively.

TABLE IV: Training, testing classification of datasets

Fig. 2: Characteristics of Dataset

TABLE V: Selected list of normal rules

Graphical view of precision, recall, accuracy

TABLE XIV: Selected list of process table rules

TABLE XV: Precision, recall, accuracy of denial-of-service attack

TABLE XVI: Comparative analysis