26.7 TRAFFIC FLOW OBSERVATION TABLE

After the expected initial threshold values for a set of target nodes are generated, the attack detection scheme is trained with these values to facilitate learning of normal network traffic flow patterns. Subsequently, comparisons of statistical features extracted from observed traffic flow in the network help the base station to make a decision on whether an attack is in progress or not. These features define the intensity of traffic flow in the network toward a set of r target nodes for classification of flooding attacks by the attack detection scheme. The features to be extracted from the traffic constitute the pattern vectors that need to be compared during the pattern-matching process of the detection scheme. These traffic features are given by:

  • percentage of packets with destination address = d, where d ∈ T,
  • percentage of packets with source address = {s | ∀r, Euclidean(s, r) > thr_euc}, where thr_euc is the threshold on maximum permissible distance between the detector and the target nodes, and
  • percentage of packets with source address = {s | s ∉ cluster_d, where d ∈ T, s ∈ N}.
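The three features above can be computed per time epoch as in the following added example, which is not code from the book. It assumes that each percentage is taken over all packets observed in the epoch and that the third feature counts sources outside every target node's cluster; the node ids, coordinates, cluster labels and threshold value are constructed sample data.

```python
from math import dist

def flow_features(packets, targets, position, cluster_of, thr_euc):
    """Return the three traffic features (percentages) for one epoch.

    packets    : list of (source, destination) node ids seen in the epoch
    targets    : set T of target node ids
    position   : node id -> (x, y) coordinates (assumed known to the base station)
    cluster_of : node id -> cluster id
    thr_euc    : Euclidean distance threshold
    """
    total = len(packets)
    if total == 0:
        return (0.0, 0.0, 0.0)  # idle epoch: no traffic to characterise
    target_clusters = {cluster_of[t] for t in targets}
    to_target = far_source = foreign_source = 0
    for src, dst in packets:
        if dst in targets:  # feature 1: destination is a target node
            to_target += 1
        # feature 2: source lies farther than thr_euc from every target
        if all(dist(position[src], position[t]) > thr_euc for t in targets):
            far_source += 1
        # feature 3: source is outside the clusters of the targets (assumption)
        if cluster_of[src] not in target_clusters:
            foreign_source += 1
    counts = (to_target, far_source, foreign_source)
    return tuple(100.0 * c / total for c in counts)

# Constructed sample topology: one target t1 in cluster A.
TARGETS = {"t1"}
POSITION = {"t1": (0, 0), "n1": (1, 0), "n2": (0, 2), "n3": (3, 4),
            "b1": (2, 2), "f1": (10, 10), "f2": (12, 9)}
CLUSTER_OF = {"t1": "A", "n1": "A", "n2": "A", "n3": "A",
              "b1": "B", "f1": "B", "f2": "B"}
THR_EUC = 4.0

# Constructed epochs: ordinary mixed traffic, then a flood aimed at t1.
NORMAL_EPOCH = [("n1", "t1"), ("n2", "t1"), ("n1", "n2"), ("n2", "n1"),
                ("f1", "f2"), ("f2", "f1"), ("n3", "n1"), ("b1", "f1")]
FLOOD_EPOCH = [("f1", "t1")] * 3 + [("f2", "t1")] * 3 + [("n1", "t1"), ("n3", "t1")]

if __name__ == "__main__":
    for name, epoch in (("normal", NORMAL_EPOCH), ("flood", FLOOD_EPOCH)):
        print(name, flow_features(epoch, TARGETS, POSITION, CLUSTER_OF, THR_EUC))
```

Node n3 is distant from the target but shares its cluster, and b1 is nearby but in another cluster, so the second and third features measure different things and can diverge in the same epoch.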

Definition 26.1. ∀ patterns pr, length(pr) = 2r.

For a centralized approach toward attack detection, that is, without the presence of localized decision making in the network, the total number of pattern vectors expected by a base station for classification purposes at the end of a time epoch Δ is equal to n. The length of each pattern vector, as can be seen from ...
