Machine Learning based Application Layer DDoS Attack detection using Firefly Classification Algorithm
Alekhya Kaliki (1), K Munivara Prasad (2)
(1) Dept of Computer Science, Tirupati, India. Email: [email protected]
(2) Dept of Computer Science, Tirupati, India. Email: [email protected]
Abstract. Internet networks are frequent victims of the Distributed Denial of Service (DDoS) attack, which intentionally occupies computing resources and bandwidth in order to deny services to potential users. The attack scenario is to flood the target with packets. If the attack comes from a single source it is referred to as denial of service (DoS), and if it is sourced from divergent servers it is referred to as DDoS. For over a decade many researchers have taken the detection and prevention of DDoS attacks as a research objective and have delivered a few significant DDoS detection and prevention strategies. Fast and early detection of DDoS attacks in streaming network transactions is still a significant research objective at the present level of internet usage. Unfortunately, the current benchmark DDoS attack detection strategies fail to meet the objective of “fast and early detection of DDoS attack”.
International Journal of Pure and Applied Mathematics, Volume 118 No. 17 2018, 635-645. ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version). url: http://www.ijpam.eu. Special Issue.
To address this, in this paper we devise a Bio-Inspired Anomaly based App-DDoS attack detection model that aims at fast and early detection. The proposed model is a bio-inspired approach used to achieve fast and early detection of App-DDoS by HTTP flood. The experiments were carried out on the benchmark CAIDA dataset, and the results support the significance of the proposed model in achieving the objective of the paper.
Keywords: Denial of Service (DoS),
Distributed Denial of Service (DDoS), Application
layer DDoS attacks and Bio-inspired approaches.
1. Introduction
The global network of computers interconnected through different media using a standard protocol is called the internet. Modern human beings rely on the Internet for their education, trade, socialization and entertainment, among many other important aspects of human life. Information sharing, e-commerce and entertainment have taken on a new dimension. Evidently, the Internet is the biggest revolution in the computing and communications world. Web threats pose a broad range of risks, including financial damages, identity theft, loss of confidential information or data, theft of network resources, damaged brand/personal reputation, and erosion of consumer confidence in e-commerce and online banking.
A DoS attack is an intentional attempt by malicious users to completely disrupt or degrade the availability of services/resources to legitimate users. A distributed denial of service (DDoS) attack is a form of DoS attack which slows down the server in responding to the client or makes it refuse the client request. Recent familiar victims of DDoS attacks are explored in [1, 2] and strategies for successful attack mitigation are explored in [3]. In [4], DDoS attacks are classified based on different factors.
An application layer DDoS attack overloads an application server by creating excessive login, information search or search requests. Application attacks are tougher to detect than other forms of DDoS attacks. An application layer DDoS attack sends requests that follow the communication protocol, so these requests are indistinguishable from legitimate requests at the network layer. Consequently, traditional defense systems become less applicable, or not applicable at all, to application layer DDoS attacks, which make use of the asymmetric computation between client and server, because the requests look proper in terms of protocol and traffic [5]. The main impacts of application layer DDoS attacks are: unusually slow network performance (opening files or accessing web sites), unavailability of a particular web site, inability to access any web site, and a dramatic increase in the number of spam emails received [6].
2. Related Work
S. Umarani et al. [7] proposed a novel method to classify traffic flows into DDoS attacks and legitimate access by creating an access matrix from the HTTP traces. Naive Bayes and K-Nearest Neighbor classifiers are used to classify the traffic as normal or abnormal. Detection rate and false positive rate (FPR) are compared to analyze the performance of the proposed classification, and the authors showed that with the PCA-selected attributes, the average detection rate and average FPR are increased by 0.9% and 4.11% respectively. Fadir Salmen et al. [8] created a digital signature of a network segment for flow analysis by using two meta-heuristic approaches. S. Yu, S. Guo et al. [9] proved that bots can even resist the underlying logic by mimicking the behavioral patterns of legitimate users to the maximum extent. D. Shona et al. [10] proposed a new two-stage model for detecting intrusions. In the first stage the firefly algorithm was implemented in MATLAB to remove redundancy, and in the second stage the incomplete dataset is converted to a complete dataset by using missing value imputation in Rapid Miner. The results are verified and validated against KDD world cup data and compared with existing techniques. The datasets show only network and transport layer data, and the authors do not discuss how application layer attacks are detected.
J. Senthilnath et al. [11] explored the use of the firefly algorithm for clustering. k-means clustering yields a local minimum, and this drawback was overcome by the firefly algorithm. The global optimum is obtained by using the randomization parameter and the nature of attractiveness in the clustering process.
Satyajit Yadav et al. [12] proposed a new model called Stacked AutoEncoder, which classifies application layer DDoS attack traffic using feature learning. Mikhail Zolotukhin et al. [13] proposed a model that detects intermediate and trivial application layer DDoS attacks that take the form of encrypted network traffic. Sheng Wen et al. [14] proposed a defense mechanism called CALD to protect web servers against application layer DDoS attacks that pose as flash crowds. Chengxu Ye et al. [15] used a clustering method whose main aim is to cluster users' sessions and calculate the deviation between sessions and normal clusters in order to defend against the attack.
K. Munivara Prasad et al. [16] defined a machine learning strategy called Anomaly based Real Time Prevention (ARTP) of under rated App-DDoS attacks. Features are extracted at an absolute time interval rather than at request level, and defined thresholds are used to identify whether the traffic contains attack packets. The proposal is tested against the benchmark LLDOS dataset. The complexity of the process is reduced and maximum detection accuracy is attained compared to other existing machine learning approaches. The results are good but can still be improved further. From the above observations, the existing detection mechanisms have the following drawbacks.
- Detection at request level is easy, but checking each and every request takes a lot of time in busy networks. The time complexity is reduced if detection is done at flow level rather than at request level.
- Most of the approaches use statistical methods for detecting the attacks. These are not applicable to application layer DDoS attacks, as attack strategies and signatures now change very frequently. Detection of known and unknown attacks should be done using the best machine learning approaches.
- Clustering methods used for detecting the attacks do not generate the global optimum. A meta-heuristic approach in combination with machine learning metrics generates the global optimum.
- A defense mechanism should minimize the false positive and false negative rates and maximize the detection accuracy.
3. Preprocessing the Dataset using Machine Learning Metrics
The transactions observed from the network, labeled as Normal or Flood at the server gateway, are used to train the proposed approach. The collected data is preprocessed using machine learning metrics, which are then used to train the model and detect application layer distributed denial of service attacks.
3.1 Time Interval (ti)
Detection is done at flow level rather than at request level, which maximizes the speed of the detection process and in turn overcomes the problem of server degradation. To carry out detection at request stream level, the collected records are formed into sessions and then into clusters using the k-means algorithm. The average of the clusters' durations gives the time interval, which helps to detect application layer DDoS attacks. For the normal and flood transaction sets DSN and DSD respectively, divide each into sessions and then partition the sessions into a set of clusters C based on session begin times. The cluster $c_i$ contains sessions $\{c_{i1}, c_{i2}, \ldots, c_{in}\}$ such that all of these sessions have approximately similar session duration times. Let $S = \{s_1, s_2, s_3, \ldots, s_{|S|}\}$ be the set of all possible sessions in the given transaction set, in ascending order of session begin time; these are grouped into clusters $C = \{c_1, c_2, \ldots, c_{|G|}\}$ using the k-means clustering algorithm [17].
For each cluster
begin
  Find the duration of the cluster as follows: $t(c_i) = \max(end(c_i)) - \min(begin(c_i))$
End
$$\text{TimeInterval}(ti) = \frac{\sum_{i=1}^{|C|} t(c_i)}{|C|}$$
The total observation time of the complete dataset is partitioned into sub-intervals of size Time Interval.
3.2 Maximum number of Sessions (ms)
All transactions are formed into sessions that can be of either random or variable timings. Each time interval contains a different number of sessions. The count of sessions observed in one time interval gives the maximum number of sessions of that time interval, which helps in observing the user sessions to detect application layer DDoS attacks.
3.3 Average Session Time (ast)
Each session has a different session duration. Each time interval contains a group of sessions, and the average of the durations of all sessions contained in it gives its average session time, which helps to observe how much time the sessions consume. Let $Sd = \{sd_1, sd_2, \ldots\}$ be the session durations, where a session duration is the difference between the maximum ending time and the minimum starting time.
$$\text{AverageSessionTime}(ast) = \frac{\sum_{i=1}^{ms} sd_i}{ms}$$
3.4 Page access count (pac)
A user accesses multiple pages in different sessions of a time interval. The number of pages accessed in one time interval helps in observing whether the network environment is malicious or normal. The page access count of an absolute time interval is the number of web pages accessed in that time interval.
3.5 Minimum time interval between two pages (mti)
This feature is calculated for two page requests that are in sequence within an absolute time interval. It measures how frequently web pages are accessed by the user and the least time gap required between two pages, which helps in observing the user behavior. The average of the unique time gaps between two page requests in sequence within an absolute time interval gives its minimum time interval. Let the set of unique time gaps of an interval be $tg = \{tg_1, tg_2, \ldots\}$.
$$\text{MinimumTimeInterval}(mti) = \frac{\sum_{i=1}^{|tg|} tg_i}{|tg|}$$
3.6 Ratio of divergent familiar sources (dfs)
The source addresses of the packets from the normal and attack training sets are marked as known normal and malicious sources respectively. The source of a testing record is compared with the ratio of known sources to unknown sources to find out whether the traffic contains malicious traffic. The ratio of sources observed in an interval to all sources observed earlier gives the divergent familiar sources.
$$\text{DivergentFamiliarSource}(dfs) = \frac{\text{ObservedSources}}{\text{EarlierSources}}$$
3.7 Packets observed per each type of packet (pc)
A request can be sent through any type of packet, such as HTTP, FTP or SMTP. Each time interval contains different types of packets, and the count of each packet type is measured. The deviation in packet counts from one time interval to another signifies the presence of attack packets in the traffic. Let $p = \{p_1, p_2, p_3, \ldots\}$ be the packets observed in that interval and $pc = \{p_1c, p_2c, p_3c, \ldots\}$ be the number of packets observed for each type of packet.
3.8 Maximum bandwidth consumption (mbc)
Each request consumes source bytes to send data from source to destination. Each time interval contains a number of requests. Measuring the total bandwidth required in each time interval helps to identify attack traffic easily. The ratio of total bandwidth to the absolute time interval gives the maximum bandwidth consumption.
3.9 The dataset preparation
For the given Normal and Attack transaction sets DSN and DSD, the record sets RSN and RSD can be formed as follows:
Maximum number of sessions | Page access count | Minimum time interval between two pages | Ratio of divergent familiar sources | Maximum bandwidth consumption | Packets for each type of packet | Average session time
Each absolute time interval is considered as one record that contains the values of the attributes in the order of the machine learning metrics defined above. As there was no difference in the values of the last two parameters between attack and normal traffic, the experiment was carried out excluding them.
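The interval features of sections 3.1 to 3.6 and 3.8, computed over a small constructed request log, as an added example that is not the authors' code. It assumes sessions are formed per source with a 30-second idle timeout, that a session counts toward every interval it overlaps, and that every request is one page access; the function names and the sample values are hypothetical.

```python
from collections import defaultdict
from statistics import mean

def build_sessions(requests, idle=30.0):
    """Group (time, source, url, nbytes) requests into per-source sessions.
    Assumption: a gap longer than `idle` seconds starts a new session."""
    by_src = defaultdict(list)
    for req in sorted(requests):
        by_src[req[1]].append(req)
    sessions = []
    for reqs in by_src.values():
        current = [reqs[0]]
        for req in reqs[1:]:
            if req[0] - current[-1][0] > idle:
                sessions.append(current)
                current = []
            current.append(req)
        sessions.append(current)
    return sorted(sessions, key=lambda s: s[0][0])

def kmeans_1d(values, k, iters=20):
    """Lloyd's k-means on session begin times; returns one label per value."""
    ordered = sorted(values)
    centers = [ordered[(2 * c + 1) * len(ordered) // (2 * k)] for c in range(k)]
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: abs(v - centers[c])) for v in values]
        for c in range(k):
            members = [v for v, lab in zip(values, labels) if lab == c]
            if members:  # an empty cluster keeps its previous center
                centers[c] = mean(members)
    return labels

def time_interval(sessions, k):
    """ti = mean over clusters of max(end) - min(begin), as in section 3.1."""
    labels = kmeans_1d([s[0][0] for s in sessions], k)
    durations = []
    for c in set(labels):
        group = [s for s, lab in zip(sessions, labels) if lab == c]
        durations.append(max(s[-1][0] for s in group) - min(s[0][0] for s in group))
    return mean(durations)

def interval_records(requests, sessions, ti, known_sources):
    """One feature record per non-empty interval of length ti."""
    if ti <= 0:
        raise ValueError("time interval must be positive")
    start = min(r[0] for r in requests)
    count = int((max(r[0] for r in requests) - start) // ti) + 1
    seen, records = set(known_sources), []
    for n in range(count):
        lo, hi = start + n * ti, start + (n + 1) * ti
        reqs = sorted(r for r in requests if lo <= r[0] < hi)
        if not reqs:
            continue
        # Assumption: a session counts for every interval it overlaps.
        active = [s for s in sessions if s[0][0] < hi and s[-1][0] >= lo]
        gaps = {b[0] - a[0] for a, b in zip(reqs, reqs[1:])}  # unique gaps
        sources = {r[1] for r in reqs}
        records.append({
            "ms": len(active),
            "ast": mean(s[-1][0] - s[0][0] for s in active),
            "pac": len(reqs),  # assumption: one request = one page access
            "mti": mean(gaps) if gaps else 0.0,
            "dfs": len(sources) / len(seen) if seen else None,  # no baseline yet
            "mbc": sum(r[3] for r in reqs) / ti,
        })
        seen |= sources
    return records

# Constructed sample, not CAIDA data: (seconds, source, url, bytes).
SAMPLE = [
    (0.0, "10.0.0.1", "/a", 150), (2.0, "10.0.0.2", "/a", 150),
    (4.0, "10.0.0.1", "/b", 150), (8.0, "10.0.0.2", "/d", 150),
    (9.0, "10.0.0.1", "/c", 150), (60.0, "10.0.0.1", "/a", 150),
    (62.0, "10.0.0.3", "/a", 150), (63.0, "10.0.0.4", "/a", 150),
    (64.0, "10.0.0.5", "/a", 150), (65.0, "10.0.0.3", "/a", 150),
    (66.0, "10.0.0.1", "/a", 150),
]

if __name__ == "__main__":
    sess = build_sessions(SAMPLE)
    ti = time_interval(sess, k=2)
    for rec in interval_records(SAMPLE, sess, ti, {"10.0.0.1", "10.0.0.2"}):
        print(rec)
```

In the constructed sample the last interval contains three sources that were never seen before, which is what raises its dfs and ms values relative to the first two intervals.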
4. Bio-inspired based Application layer DDoS attack detection
Inspiration from nature, through the bio-inspired approach, has made the development of novel problem solving techniques possible. Intelligent meta-heuristic algorithms are applied in a wide area to solve difficult problems. Among all the meta-heuristic algorithms, bio-inspired techniques are progressively gaining importance because they are very intelligent and adaptable, similar to biological organisms. These algorithms draw attention from the scientific community owing to the growth in complicated problems, the growth in the variety of possible results in multi-dimensional hyperplanes, and inadequate content for decision making [18].
4.1 Firefly Approach
Various research has been done on the firefly algorithm to provide novel problem solving approaches. Most of the papers [19] showed that the firefly algorithm is used for clustering by finding the global optimum. Applications of the firefly algorithm have been observed for solving problems with multi-modal functions, continuous and discrete search based problems, multi search problems, parallel computational problems and NP hard problems. In the proposed approach the firefly algorithm is used to classify attack traffic and normal traffic.
4.2 Nature of Fireflies
In the summer sky, the flashing light of fireflies is an incredible sight in tropical and temperate regions. Most fireflies produce short, rhythmic flashes. The pattern of flashes is commonly distinctive for a specific species. The flashing light is produced by a process of luminescence, and the true functions of such signaling are still debated. Attracting mating partners for communication and attracting potential prey are two elementary functions of the flashing light [20].
4.3 Classification using firefly algorithm
An initial population of fireflies is generated. After this initialization, the parameters needed for fitness are modified, and the fitness is then evaluated for each firefly in the population. The fireflies may then be ranked, and the best individuals of a solution may be taken forward to the next round of evaluation. Deciding the number of computations in advance helps in controlling the iterations.
Firefly Algorithm for classification.
Step 1: Generate initial population of fireflies $X_i$, where $i = 1, 2, 3, \ldots, n$ and $n$ = number of fireflies
Step 2: Define objective function $O(x)$
Step 3: Define light absorption coefficient $\gamma = 1$, randomization parameter $\alpha = 0.2$, initial attractiveness $\beta_0 = 1.0$
Step 4: Light intensity $I$ is determined by $O(x)$
Step 5: while t < Number of Iterations
Step 6:   For i = 1 to N
Step 7:     For j = 1 to N
Step 8:       If ($I_i < I_j$)
Step 9:         If (cosine similarity(i, j) >= 0.98)
Step 10:          For each attribute
Step 11:            Calculate Cartesian distance as $r_{ij} = (X_i - X_j)^2$
Step 12:            Calculate attractiveness using equation $\beta = \beta_0 \exp(-\gamma r_{ij}^2)$
Step 13:            Move document i to j using equation $X_i = X_i + \beta (X_j - X_i) + \alpha \varepsilon_i$, where $\varepsilon_i = (rand - \frac{1}{2})$
Step 14:    End for j
Step 15:  End for i
Step 16: End while
Step 17: Rank the fireflies and find the current best.
4.4 Application layer DDoS Attack Detection
The testing dataset is preprocessed using the dataset preprocessing process. Prepare the dataset with five attributes as in the dataset preparation. Calculate the total weight (light intensity) of each testing record individually. Calculate the cosine similarity of the testing record with both the normal and attack signatures, and declare whether the testing record is attack or normal using the rules shown in Table 1.
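Signature training with the firefly steps of section 4.3 and the Table 1 decision rules, as an added example that is not the authors' code. It assumes the light intensity is the sum of a record's attributes, that the five attributes are ms, ast, pac, mti and dfs scaled to the range 0 to 1, that the rules are checked in numbered order, and that the comparison operators lost from the extracted Table 1 are ≤ and ≥; the function names and training records are constructed.

```python
import math
import random

GAMMA, ALPHA, BETA0 = 1.0, 0.2, 1.0  # Step 3 parameter values
SIM = 0.98                           # similarity threshold (Step 9, Rule 2)

# Constructed training records, scaled to 0..1: [ms, ast, pac, mti, dfs].
NORMAL = [[0.30, 0.90, 0.30, 0.90, 0.60], [0.32, 0.88, 0.28, 0.92, 0.58],
          [0.28, 0.92, 0.32, 0.88, 0.62], [0.31, 0.91, 0.29, 0.91, 0.61]]
ATTACK = [[0.90, 0.10, 0.80, 0.05, 0.30], [0.92, 0.08, 0.82, 0.04, 0.28],
          [0.88, 0.12, 0.78, 0.06, 0.32], [0.91, 0.09, 0.81, 0.05, 0.31]]

def weight(x):
    """Total weight (light intensity) of a record; assumed to be the attribute sum."""
    return sum(x)

def cosine(a, b):
    na = math.sqrt(sum(p * p for p in a))
    nb = math.sqrt(sum(q * q for q in b))
    if na == 0 or nb == 0:  # an all-zero record has no direction to compare
        return 0.0
    return sum(p * q for p, q in zip(a, b)) / (na * nb)

def train_signature(records, iters=5, rand=random.random):
    """Steps 1-17: dimmer fireflies move toward similar brighter ones;
    the brightest firefly after the last iteration is the signature."""
    X = [list(r) for r in records]
    for _ in range(iters):
        for i in range(len(X)):
            for j in range(len(X)):
                if weight(X[i]) < weight(X[j]) and cosine(X[i], X[j]) >= SIM:
                    for k in range(len(X[i])):
                        r = (X[i][k] - X[j][k]) ** 2             # Step 11 as printed
                        beta = BETA0 * math.exp(-GAMMA * r ** 2)  # Step 12
                        eps = rand() - 0.5
                        X[i][k] += beta * (X[j][k] - X[i][k]) + ALPHA * eps  # Step 13
    return max(X, key=weight)  # Step 17

def classify(t, normal_sig, attack_sig):
    """Table 1 rules, checked in numbered order. Returns (label, rule number)."""
    sn, sa = cosine(t, normal_sig), cosine(t, attack_sig)
    if weight(attack_sig) < weight(t) <= weight(normal_sig):
        return "Normal", 1
    if sn >= SIM:
        return "Normal", 2
    if sa >= SIM:
        return "Attack", 2
    if sn > sa:
        return "Normal", 3
    return "Suspicious", 4

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo run is repeatable
    n_sig = train_signature(NORMAL, rand=rng.random)
    a_sig = train_signature(ATTACK, rand=rng.random)
    for rec in ([0.30, 0.85, 0.30, 0.85, 0.55], [0.85, 0.10, 0.75, 0.05, 0.25],
                [0.60, 0.00, 0.00, 0.00, 0.90]):
        print(rec, classify(rec, n_sig, a_sig))
```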
5. Experimental Results
5.1 CAIDA Dataset
The proposed technique is tested against the CAIDA (Center for Applied Internet Data Analysis) dataset 2007. The core objectives of this dataset are the collection and sharing of data for research or scientific analysis of internet traffic, topology, routing, performance and security related events. The dataset contains parameters such as server IP address, timestamp, time zone, object ID/URL of the web page, response code/status, and number of bytes sent [22].
5.2 Training & Testing Process
The total number of transactions considered for the experiments was 142044, which includes N (normal, 62776) and D (DDoS attack, 79268). The total transactions are partitioned for training and testing into 60% (85226) and 40% (56818) respectively. Each metric is calculated on the dataset DS, which includes N (normal) as DSN and D (DDoS attack) as DSD, and its detection accuracy is assessed. The number of intervals is 267. The number of intervals in the normal dataset DSN is 118, of which 60% of transactions, i.e. 72, are considered for the training process and 40% of transactions, i.e. 46, for the testing process. The total number of intervals in the attack dataset DSD is 149, of which 60% of transactions, i.e. 90, are considered for the training process and 40% of transactions, i.e. 59, for the testing process, as shown in Table 2.
Table 1: Rules defined for attack and normal traffic detection
Rule 1 | weight of the testing time interval is less than the normal classifier weight and greater than the attack weight | A(w) < T(w) ≤ N(w) | Normal
Rule 2 | similarity of testing record with the normal classifier is more than 98 percent | similarity(test,normal) ≥ 98% | Normal
Rule 2 | similarity of testing record with the attack classifier is more than 98 percent | similarity(test,attack) ≥ 98% | Attack
Rule 3 | similarity of testing record with normal classifier is more than the similarity of testing record with attack classifier | similarity(test,normal) > similarity(test,attack) | Normal
Rule 4 | All the above conditions are failed | suspicious
The training dataset of DSN is formed into sessions that are of either random or same timings. The K-Means algorithm is then applied to the normal training set to prepare clusters. The clusters are grouped to find the time interval value as explained in the machine learning metrics. The sessions are then divided according to the absolute time interval value.
Each time interval is considered as one record that contains the values of the attributes defined in the metrics. The records are then given to the firefly algorithm to generate a single normal signature. The same process is repeated for the attack training dataset to generate the attack signature. The testing dataset is a mixture of both normal and attack traffic. All the attributes are calculated for each interval. The cosine similarity of each testing time interval is calculated with both the attack and normal signatures, and finally the testing time interval is classified according to the proposed rules.
5.3 Performance evaluation
The performance of the proposed approach is evaluated and the results are shown in Table 3. K. Munivara Prasad proposed ARTP [16] for detecting application layer DDoS attacks using a machine learning approach. V Jyothsna and Prasad VV proposed FAIS [23] and FCAAIS [24] for detecting DDoS attacks. The experiments in those papers were conducted on the same dataset, and the results indicate that these models are also scalable and robust in forecasting the DDoS attack scope of a network transaction (observed detection accuracy is approx. 91%). The major obstacle observed in these models, compared to the proposed model, is process complexity, which influences the statistical metrics defined for measuring the performance. As per these results, the accuracy of our proposed model is improved when compared to FCAAIS and ARTP, and it also attains maximum prediction accuracy, as shown in Table 3 and Figure 1.
6. Conclusion
A detection approach for application layer HTTP flood is devised in this article. To this end we adopted a bio-inspired approach called the Firefly algorithm. The initial contribution is to define feature metrics that identify whether the request stream behavior shows attack intention or not. Unlike traditional approaches, the feature metrics are assessed on the stream of requests observed in an absolute time interval rather than in a session. Finally, the Firefly algorithm is used to train and test the records.
Table 2: Performance metrics evaluation
Total number of records considered for training and testing | 142044
Total number of intervals considered for training and testing | 267
Number of intervals used for training (Normal + Attack) | 162 (72+90)
Number of intervals used for testing (Normal + Attack) | 105 (46+59)
True Positive (tp) | The number of transactions identified as intruded, which are actually intruded | 57
False Positive (fp) | The number of transactions identified as normal, which are actually intruded | 2
True Negative (tn) | The number of transactions identified as normal, which are actually normal | 43
False Negative (fn) | The number of transactions identified as intruded, which are actually normal | 3
Precision | tp / (tp + fp) | 0.966
Recall/sensitivity | tp / (tp + fn) | 0.95
Specificity | tn / (tn + fp) | 0.955
Accuracy | (tn + tp) / (tp + tn + fp + fn) | 0.9523
F-Measure | 2 * (recall * precision) / (recall + precision) | 0.9578
The devised Firefly algorithm amplified the detection accuracy with minimal process complexity. The experiments were done using the benchmark dataset CAIDA (Center for Applied Internet Data Analysis, 2014). Further, the training records with machine learning attributes are used to define the classifiers that detect the traffic as Normal or Attack. The overall process is observed to be robust and of minimal process complexity. Hence the model devised in this paper significantly minimizes the computational overhead and retains maximal prediction accuracy.
References
1. Udhayan, J., & Anitha, R., “Demystifying and Rate Limiting ICMP hosted DoS/DDOS Flooding Attacks with Attack Productivity Analysis”, IEEE International Conference on Advance Computing, pp. 558-564, 2009.
2. Chun-Tao Xia, X.-H. D.-F.-C., “An Algorithm of Detecting and Defending CC Attack in Real Time”, International Conference on Industrial Control and Electronics Engineering, pp. 1804-1806, 2012.
Table 3. Comparison of the firefly approach with ARTP and Others
Metric | Firefly algorithm | ARTP | FCAAIS
Precision | 0.966 | 0.895 | 0.869
Recall | 0.95 | 0.985 | 0.942
Specificity | 0.955 | 0.914 | 0.894
Accuracy | 0.9523 | 0.944 | 0.917
F-measure | 0.9578 | 0.938 | 0.855
Figure 1. Comparison of Firefly with ARTP and FCAAIS
3. Lee, S. M., “Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures”, Proceedings of the International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, San Francisco, 2004.
4. Raj Kumar, Manisha Jitendra Nene, “A survey on latest DoS attacks: classification and defense mechanisms”, International Journal of Innovative Research in Computer and Communication Engineering, vol. 1, Issue 8, October 2013.
5. Yadong Wang, Lianzhong Liu et al., “A survey of defense mechanisms against Application layer distributed denial of service (DDoS) attacks”, Communications Surveys & Tutorials, IEEE, 2015.
6. Saman Taghavi Zargar, James Joshi, David Tipper, “A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks”, IEEE Communications Surveys & Tutorials, accepted for publication, 2013.
7. S. Umarani, D. Sharmila, “Predicting Application Layer DDoS Attacks Using Machine Learning Algorithms”, World Academy of Science, Engineering and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering, Vol. 8, No. 10, 2014.
8. Fadir Salmen, Paulo R. Galego Hernandes Jr et al., “Using Firefly and Genetic Metaheuristics for Anomaly Detection based on Network Flows”, AICT: The Eleventh Advanced International Conference on Telecommunications, 2015.
9. S. Yu, S. Guo, and I. Stojmenovic, “Fool me if you can: Mimicking attacks and anti-attacks in cyberspace”, IEEE Trans. Comput., vol. 64, no. 1, pp. 139-151, Jan. 2015.
10. D. Shona, Dr. M. Senthilkumar, “An Ensemble Data Preprocessing Approach for Intrusion Detection System Using variant Firefly and Bk-NN Techniques”, International Journal of Applied Engineering Research, ISSN 0973-4562, Volume 11, Number 6, pp. 4161-4166, 2016.
11. J. Senthilnath, S. N. Omkar, V. Mani, “Clustering using firefly algorithm: performance study”, Elsevier, Swarm and Evolutionary Computation 1, 164-171, 2011.
12. Satyajit Yadav, Selvakumar Subramanian, “Detection of Application Layer DDoS Attack by Feature Learning Using Stacked Autoencoder”, IEEE, International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT), 2016.
13. Mikhail Zolotukhin, Timo Hamalainen et al., “Increasing Web Service Availability by Detecting Application-Layer DDoS Attacks in Encrypted Traffic”, IEEE, 23rd International Conference on Telecommunications (ICT), 2016.
14. Wen, S., Jia, W., Zhou, W., Zhou, W., & Xu, C., “Cald: Surviving various application-layer ddos attacks that mimic flash crowd”, Network and System Security (NSS), 2010 4th International Conference on, IEEE, 2010.
15. Ye, Chengxu, Kesong Zheng, and Chuyu She, “Application layer DDoS detection using clustering analysis”, Computer Science and Network Technology (ICCSNT), 2012 2nd International Conference on, IEEE, 2012.
16. K. Munivara Prasad, A. Rama Mohan Reddy, K. Venugopal Rao, “Anomaly based Real Time Prevention of under Rated App-DDoS Attacks on Web: An Experiential Metrics based Machine Learning Metrics”, Indian Journal of Science and Technology, Vol 9(27), DOI: 10.17485/ijst/2016/v9i27/87872, July 2016.
17. Hartigan, J. A., “Algorithm AS 136: A k-means clustering algorithm”, Journal of the Royal Statistical Society, Series C (Applied Statistics), 100-108, 1979.
18. Arpan Kumar Kar, “Bio Inspired Computing – A Review of Algorithms and Scope of Applications”, Expert Systems With Applications (2016), doi: 10.1016/j.eswa.2016.04.018.
19. Athraa Jasim Mohammed, Yuhanis Yusof et al., “Determining Number of Clusters using Firefly Algorithm with Cluster Merging for Text Clustering”, Springer International Publishing Switzerland, 2015.
20. Xin-She Yang, “Firefly Algorithms for Multimodal Optimization”, Springer-Verlag Berlin Heidelberg, 2009.
21. W. H. Gomaa, “A Survey of Text Similarity Approaches”, International Journal of Computer Applications, vol. 68, no. 13, pp. 13–18, 2013.
22. The CAIDA UCSD “DDoS Attack 2007” Dataset, http://www.caida.org/data/passive/ddos-20070804_dataset.xml
23. V. Jyothsna, V V Rama Prasad, “Anomaly based Network Intrusion Detection through assessing Feature Association Impact Scale (FAIS)”, Inderscience, International Journal of Information and Computer Security (IJICS), 2016 (in forthcoming article).
24. V. Jyothsna, V V Rama Prasad, “FCAAIS: Anomaly based network intrusion detection through feature correlation analysis and association impact scale”, ICT Express, The Korean Institute of Communications Information Sciences, Elsevier, August 2016 (Article in press).