ATTACKS ANALYSIS OF TCP AND UDP OF UNSW-NB15 DATASET

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the most important protocols in the complete protocol architecture. Many types of attack can block communication or reduce the performance of a protocol. This study provides a detailed analysis of attacks on TCP and UDP and on their application layer protocols. The authors also suggest where a security administrator should focus in order to provide the best security. Older datasets such as KDD99 and NSL-KDD have many limitations; this study uses the recently generated UNSW-NB15 dataset instead.


1. Introduction.
A device can never communicate over the internet without a protocol architecture. A complete protocol architecture contains all the protocols necessary for communication. The architecture is organized in layers, and each layer has many protocols. A protocol is used to make communication both possible and efficient. The transport layer provides process-to-process communication and many other services, such as segmentation and reassembly, port addressing, flow control, error control and congestion control. Two main protocols are used in the transport layer and perform all of its functions: TCP and UDP [1].
TCP is a secure protocol. It performs a three-way handshake, provides reliable communication to the upper layer and has a good acknowledgement system. Despite its many benefits, the protocol is complex and slow. UDP, on the other hand, is not reliable but is simple and fast; it is a best-effort delivery protocol.
It is very clear that attacks occur everywhere and at any time on the internet. Attacks always target the services provided on the internet and can be associated with any protocol. This study mainly focuses on attacks on TCP and UDP, which are the most widely used protocols. Researchers have worked extensively on the KDD99 and NSL-KDD datasets; NSL-KDD is the improved version of KDD99 [2]. These are older datasets and do not give satisfactory results [3]. UNSW-NB15 [4] is a complex, comprehensive and recently generated dataset intended for Network Intrusion Detection Systems (NIDS) [5]. It contains nine types of attack. This study analyzes all of these attacks for TCP and UDP, and also analyzes the attacks on the application layer protocols associated with UDP and TCP.
2. Attack Types.
The UNSW-NB15 dataset has nine types of attack [3,5]. This section describes all nine types; the following section analyzes them for the different protocols. An analysis of the older datasets, with 4 to 5 types of attack, is discussed in [6].
- Denial of Service: an intrusion that disrupts resources to make them unavailable to users on the internet. It keeps the device so busy that even authorized users have no access.
- Exploits: the attacker has prior knowledge of the system or network and exploits a vulnerability.
- Reconnaissance: an attack that gathers information about the system in order to gain control of it.
- Worms: the worm replicates itself, gets into the system using authentic users' information, spreads itself and gains access to the system.
- Fuzzers: this attack tries to discover security loopholes by feeding a huge amount of random data to the system in order to crash it.
- Analysis: this intrusion gets into a system through a web application via an open port.
- Backdoors: this type of attack bypasses the security mechanism of a system and gains access to the system or its data.
- Shellcode: the attacker sends a small piece of code that runs in a shell and gives control of the system.
- Generic: an attack that works against all kinds of block cipher.
3. Analysis of Protocols and Attacks.
UDP and TCP are both important protocols, and both are subject to many attacks. Table 1 shows that the total number of attacks on TCP is 58184 and on UDP is 223750, so UDP received a higher number of attacks than TCP. Figure 1 shows the relationship between TCP and UDP: TCP clearly has more entries than UDP, but the attack rate of UDP is higher than that of TCP. TCP appears to be a secure protocol because it has fewer attacks. This section first discusses TCP in detail. Table 2 covers the nine types of attack described in Section 2 and gives the number of entries for each. The most frequently occurring attack is Exploits and the least frequent is Worms. All types of attack are represented diagrammatically in Figure 2, which clearly shows that Exploits occurred the most and Worms occurred the least.
Table 3 shows all the types of attack that occurred on UDP. The UDP case is different from TCP: it can clearly be seen that the Generic attack occurred the most, while the Analysis attack did not occur at all. Table 3 is shown diagrammatically in Figure 3, from which it is clear that the Generic attack is a big threat for UDP. The application layer protocols, their associated transport layer protocol and the attacks associated with each are listed in Table 5. Classifiers used in Intrusion Detection Systems still have many drawbacks [7]; therefore it is not good to rely only on an IDS, which can never provide complete security [8]. Attackers perform malicious activities and disrupt system management [9]. The network administrator must think about alternative ways.
Every application that communicates over a network must use a port number, which means that at the transport layer it uses TCP or UDP. The transport layer provides port addresses to the application layer, so an assigned port address is an opening into the system. Attackers try to find weak points in a system or network [10,11]. Securing TCP and UDP therefore means securing the transport layer, and securing the transport layer means securing applications and systems. Tables 4 and 5 list all the attacks related to TCP and UDP, together with the attacks related to each application. This shows what the focus area of attackers is. Most applications use either TCP or UDP, but some use both. Applications that use both TCP and UDP have entries on both sides; applications that use only one of them have entries on one side. For TCP the highest number of attacks is recorded for HTTP, and on the UDP side the highest number of records is for DNS. It is not only important to secure the system and the network; the network administrator should also protect each protocol by identifying the intruders. A good analysis of the attacks is very important for security implementers.
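The counts that Section 3 reads from Tables 1 to 5 (attack records per transport protocol, per attack category within one protocol, and per application layer service on each protocol) can be reproduced directly from the dataset's CSV files. The script below is an added example written for this page, not code from the paper's authors. It assumes the UNSW-NB15 column names proto, service, attack_cat and label, and runs on a small constructed sample embedded in the file rather than the real dataset, so its counts are illustrative and not the paper's figures.

```python
"""Count UNSW-NB15 attack records per transport protocol, per attack
category and per (service, proto) pair, using only the standard library.

Added example for this page; the sample rows below are constructed and
the column names are assumed to match the UNSW-NB15 CSV layout.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the assumed UNSW-NB15 layout. The counts are made
# up for illustration; they are not the numbers reported in the paper.
SAMPLE_CSV = """\
proto,service,attack_cat,label
tcp,http,Normal,0
tcp,http,Exploits,1
tcp,http,Fuzzers,1
tcp,ftp,Exploits,1
tcp,-,Worms,1
udp,dns,Generic,1
udp,dns,Generic,1
udp,dns,,0
udp,-, Fuzzers ,1
udp,dns,Generic,1
udp,dns,Reconnaissance,1
"""


def load_rows(text):
    """Parse CSV text into dicts and normalise the category strings.

    attack_cat is stripped of surrounding whitespace (the raw files are
    commonly reported to contain entries such as ' Fuzzers '), and a blank
    or 'Normal' category, or label 0, is mapped to None so that every
    counting function below agrees on what counts as an attack record.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        cat = row["attack_cat"].strip()
        if cat in ("", "Normal") or row["label"].strip() == "0":
            row["attack_cat"] = None
        else:
            row["attack_cat"] = cat
        row["proto"] = row["proto"].strip().lower()
        row["service"] = row["service"].strip().lower()
        rows.append(row)
    return rows


def attacks_by_proto(rows):
    """Total attack records per transport protocol (the Table 1 view)."""
    return Counter(r["proto"] for r in rows if r["attack_cat"] is not None)


def categories_by_proto(rows, proto):
    """Attack category breakdown for one protocol (the Table 2 / 3 view)."""
    return Counter(
        r["attack_cat"]
        for r in rows
        if r["proto"] == proto and r["attack_cat"] is not None
    )


def service_proto_crosstab(rows):
    """Attack records per (service, proto) pair (the Table 4 / 5 view).

    A service that appears under both tcp and udp gets an entry on both
    sides, exactly as the paper describes for applications using both.
    """
    table = defaultdict(Counter)
    for r in rows:
        if r["attack_cat"] is not None:
            table[r["service"]][r["proto"]] += 1
    return {svc: dict(counts) for svc, counts in table.items()}


def attack_share(rows):
    """Fraction of each protocol's records that are attacks.

    This is the distinction the paper draws from Figure 1: a protocol can
    have more records overall and still a lower attack rate.
    """
    total = Counter(r["proto"] for r in rows)
    attacks = attacks_by_proto(rows)
    return {p: attacks[p] / total[p] for p in total}


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    print("attacks per protocol:", dict(attacks_by_proto(data)))
    print("TCP categories:", dict(categories_by_proto(data, "tcp")))
    print("UDP categories:", dict(categories_by_proto(data, "udp")))
    print("service x proto:", service_proto_crosstab(data))
    print("attack share:", attack_share(data))
```

To run it against the real dataset, replace SAMPLE_CSV with the contents of the training or testing CSV; the only requirement is that the four assumed columns are present. The normalisation in load_rows matters more than it looks: without stripping whitespace, ' Fuzzers ' and 'Fuzzers' are counted as two different categories and the per-category table is wrong.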

4. Conclusion.
This study focuses on a recent dataset and analyzes it for the different attacks related to transport layer protocols and application layer protocols. Potential threats for UDP, TCP and the application layer protocols are identified. It is suggested that a potential threat should first be identified and then preventive maintenance should be provided. UDP has a high number of Generic attacks, while TCP has a high number of Exploits and Fuzzers attacks. Among the protocols using TCP, HTTP has the highest number of attacks, while among those using UDP, DNS has the highest number of attacks.