ArticlePDF Available

Detection of Different DDoS Attacks Using Machine Learning Classification Algorithms

Authors:
Dasari Kishore at Kalasalingam University
Dasari Kishore
Nagaraju Devarakonda at VIT-AP University
Nagaraju Devarakonda
  • VIT-AP University
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

Cyber attacks are one of the world's most serious challenges nowadays. A Distributed Denial of Service (DDoS) attack is one of the most common cyberattacks that has affected availability, which is one of the most important principles of information security. It leads to so many negative consequences in terms of business, production, reputation, data theft, etc. It shows the importance of effective DDoS detection mechanisms to reduce losses. In order to detect DDoS attacks, statistical and data mining methods have not been given good accuracy values. Researchers get good accuracy values while detecting DDoS attacks by using classification algorithms. But researchers, use individual classification algorithms on generalized DDoS attacks. This study used six machine learning classification algorithms to detect eleven different DDoS attacks on different DDoS attack datasets. We used the CICDDoS2019 dataset which is collected from the Canadian Institute of Cyber security in this study. It contains eleven different DDoS attack datasets in CSV file format. On each DDoS attack, we evaluated the effectiveness of the classification methods Logistic regression, Decision tree, Random Forest, Ada boost, KNN, and Naive Bayes, and determined the best classification algorithms for detection.
Figures - uploaded by Dasari Kishore
Author content
All figure content in this area was uploaded by Dasari Kishore
Content may be subject to copyright.
Content uploaded by Dasari Kishore
Author content
All content in this area was uploaded by Dasari Kishore on Feb 03, 2022
Content may be subject to copyright.
Detection of Different DDoS Attacks Using Machine Learning Classification Algorithms
Kishore Babu Dasari1*, Nagaraju Devarakonda2
1 Department of CSE, Acharya Nagarjuna University, Guntur 522510, Andhra Pradesh, India
2 School of Computer Science and Engineering, VIT-AP University, Amaravati 522237, India
Corresponding Author Email: dasari2kishore@gmail.com
https://doi.org/10.18280/isi.260505
ABSTRACT
Received: 23 September 2021
Accepted: 25 October 2021
Cyber attacks are one of the world's most serious challenges nowadays. A Distributed
Denial of Service (DDoS) attack is one of the most common cyberattacks that has affected
availability, which is one of the most important principles of information security. It leads
to so many negative consequences in terms of business, production, reputation, data theft,
etc. It shows the importance of effective DDoS detection mechanisms to reduce losses. In
order to detect DDoS attacks, statistical and data mining methods have not been given good
accuracy values. Researchers get good accuracy values while detecting DDoS attacks by
using classification algorithms. But researchers, use individual classification algorithms on
generalized DDoS attacks. This study used six machine learning classification algorithms
to detect eleven different DDoS attacks on different DDoS attack datasets. We used the
CICDDoS2019 dataset which is collected from the Canadian Institute of Cyber security in
this study. It contains eleven different DDoS attack datasets in CSV file format. On each
DDoS attack, we evaluated the effectiveness of the classification methods Logistic
regression, Decision tree, Random Forest, Ada boost, KNN, and Naive Bayes, and
determined the best classification algorithms for detection.
Keywords:
CICDDoS2019, classification algorithms,
DDoS attacks
1. INTRODUCTION
A Distributed Denial of Service (DDoS) attacks [1] to
prevent legitimate users from accessing an online service or
applications by suspending the hosting servers. To generate
the attack, the attackers use numerous compromised or
controlled sources to generate massive amounts of packets or
requests. These requests cause the target system to become
overburdened, causing it to operate poorly and become
inaccessible to legitimate users.
Based on TCP/UDP protocols, DDoS attacks are divided
into reflection-based attacks and exploit-based attacks.
1.1 Reflection-based DDoS attacks
The attacker’s identity is hidden in reflection-based DDoS
attacks because legitimate third-party components are used.
Attackers send packets to reflector servers with the target
victim's IP address as the source IP address to overwhelm the
victim with response packets. The Transmission Control
Protocol (TCP), the User Datagram Protocol (UDP), or a
combination can be used in these attacks. SSDP and MSSQL
are TCP-based attacks, while NTP TFTP and CharGEN are
UDP-based attacks. SNMP, NETBIOS, LDAP, and DNS are
examples of attacks that can be carried out using either TCP or
UDP.
Simple Service Discovery Protocol (SSDP) [2]
amplification floods can be sent to a target system using
Universal Plug and Play (UPnP) devices which can access the
network devices. Microsoft SQL (MSSQL) [3] Server
Resolution protocol is used for database instance enumeration
service. The service is vulnerable to reflection-based DDoS
attacks. Large response messages consume server resources,
disrupting the service.
The Network Time Protocol (NTP) [4] is also amplified by
sending small packets to internet-connected devices running
NTP with a fake IP address of the target. For downloading and
uploading files, the Trivial File Transfer Protocol (TFTP) [5]
is utilized. A buffer overflow may occur if the attacker tries to
read/write excessively long names from/to the server. It's also
susceptible to flaws in the format strings. In this vulnerability,
the attacker sends a predetermined string as a file name, which
can be used to execute malicious code or leak protected data.
CHARGEN is used as an amplifier in a Character Generator
Protocol (CharGEN) attack [6], which sends small request
packets to the target system with a spoofed IP address.
The attacker uses the Simple Network Management
Protocol (SNMP) [7] to send a huge number of SNMP queries
to a huge number of connected devices, each of which
responded with the falsified address. As more devices respond,
the attack volume rises until the target network is brought
down by the cumulative volume of these SNMP responses.
NetBIOS [8] is to allow applications on different computers to
communicate and establish sessions to access shared resources
and communicate with one another through a local area
network. On a this-aware network, the NetBIOS Name Service
(NBNS) allows for hostname and address mapping. With the
lack of an authentication technique in the NetBIOS TCP/IP
protocols, workstations running NetBIOS services are
vulnerable to spoofing attacks. An attacker might compel a
victim system to delete its legitimate name from its name table
and not reply to further NetBIOS requests by delivering
spoofed "Name Release" or "Name Conflict" messages to it.
A denial-of-service attack occurs when the victim is unable to
Ingénierie des Systèmes d’Information
Vol. 26, No. 5, October, 2021, pp. 461-468
Journal homepage: http://iieta.org/journals/isi
461
communicate with other NetBIOS hosts. In Lightweight
Directory Access Protocol (LDAP) DDoS attack [8], the
attacker sends an LDAP request to an LDAP server to produce
large replies, with a spoofed sender IP address. Domain Name
System (DNS) [9] amplification is a reflection-based DDoS
attack, which manipulates domain name systems and makes
them flood the target system with large quantities of UDP
packets, which bring down the target servers.
1.2 Exploitation-based DDoS attacks
These attacks can also be carried out utilizing the
exploitation of transport layer protocols. SYN flood is TCP-
based, and UDP-Lag and UDP flood are UDP-based
exploitation attacks.
SYN flood [7] attack exploits TCP three-way handshake by
sending SYN packets rapidly to the victim server. It consumes
network bandwidth and deteriorates system performance. The
UDP-Lag [10] attack attempts to break the client-server
connection. It was carried out using either a lag switch or a
network-based program to consume other users' bandwidth.
The attacker launches a UDP flood [8] attack by rapidly
transmitting a large number of UDP packets to random ports
on the remote server. It consumes network bandwidth and
deteriorates system performance.
The rest of this paper contains methodology in section 2,
results and discussion in section 3, and conclusion in section
4.
2. METHODOLOGY
2.1 Dataset
In this paper, we evaluate classification models on the
CICDDoS2019 dataset. The CICDDoS2019 dataset is chosen
for this study because it has been evaluated to fill in the gaps
in existing DDoS attack datasets. It contains eleven different
DDoS attacks datasets [11]. Each data set contains 88 features
and millions of records.
2.2 CICFlowMeter
CICFlowMeter is also known as ISCXFlowMeter. It is a bi-
flow generator and analyzer for Ethernet network traffic. It can
calculate network traffic features in both the forward and
backward directions. It generates CSV files from packet
capture (PCAP) files.
2.3 Data preprocessing
Preprocessing prepares the data in such a way that it is ready
for the training model. First, delete six socket features which
are not influencing the target because they differ from
network-to-network values. Then, in order to acquire more
accurate results, records with missing or infinite are removed.
Some machine learning algorithms [12] working with
numerical values, so BENIGN and attack labels are encoded
with 0 and 1 binary values respectively. Standardize the data
using StandardScaler to reduce the training time.
2.4 Classification algorithms
Regression and Classification Algorithms are the two
primary categories of supervised machine learning algorithms
used for prediction. Regression techniques predict the output
continuous values, while classification methods [13] predict
the output categorical values. The main objective of this
research is prediction of categorical values of Benign and
DDoS attacks of target labels in the CICDDoS2019 dataset. In
this research, machine learning classification algorithms used
to detect DDoS attacks on CICDDoS2019 dataset. Training
and testing are two steps in the classification process. Logistic
regression, Decision tree, Random Forest, K-Nearest
Neighbor, Naive Bayes, and AdaBoost are some of the most
common algorithms in the classification. These methods are
significantly more accurate than conventional methods for
detecting a DDoS attack, in addition to being faster.
2.4.1 Logistic regression
Logistic regression [14] is a classification algorithm for
predicting binary classes. The value of the outcome or target
variable is categorical. It predicts the probability of binary
classes occurring using a logistic function. The logistic
function also called the sigmoid function.
Logistic Function:


Here y is the dependent variable and X1, X2,...., Xn are
dependent variables.
2.4.2 Decision tree
The Decision tree [15] is a tree-structured classifier, where
internal nodes hold dataset features, branches provide decision
rules, and the leaf nodes contain class labels. The features and
criteria may vary depending on the data and the problem's
complexity, but the general concept remains the same. Based
on the feature set, a decision tree makes a series of decisions
to produce an outcome.
2.4.3 Random forest
Random forest [16] is a collection of decision trees trained
on different dataset subsets and then averaged to increase
predictive accuracy. It is created randomly with a collection of
decision trees. Here each node selects a set of features at
random to calculate the outcome. The output of individual
decision trees is combined in the random forest to produce the
outcome.
2.4.4 K-Nearest neighbors
The k-nearest neighbors (KNN) [17] is a supervised
machine learning algorithm. It is a similarity-based classifier
that assumes that every data point that’s close to another is in
the same class. The standard Euclidean distance between
instances x and y is:


Here n indicates the total number of features, xk, yk are the
kth features in x and y respectively.
462
2.4.5 Naive Bayes
Naive Bayes [18-20] is a supervised machine learning
algorithm for classification that is based on the Bayes theorem.
Bayes’ theorem states the relationship between dependent
class variable y and independent feature vector X1, X2,...,Xn:
 


2.4.6 AdaBoost
AdaBoost (Adaptive Boosting) [21] is a machine learning
ensemble model for constructing a strong classifier from a
collection of weak classifiers. In supervised learning, boost is
used to reduce bias and variance. It works on the principle of
learners growing sequentially. It generates several decision
trees during the training time. Resulting in the creation of the
first decision tree, the records that were mistakenly
categorized are given precedence and transmitted as input to
the second model. The process is repeated until a set of base
learners to work with.
We executed all experiments on Google Colab notebook
with 12GB Ram and TPU hardware accelerator.
3. RESULTS AND DISCUSSION
The efficiency of the machine learning classification
algorithms is measured with accuracy, precision, recall, F1
score, specificity, and ROC score evaluation metrics.
There are four important terms used in evaluation metrics.
True Positives (TP): In this case, both the predicted and
actual values are Positive.
True Negatives (TN): Predicted, and actual values are
Negative in this case.
False Positives (FP): In this case, the actual value is
Negative but the predicted value is Positive.
False Negatives (FN): In this case, the actual value is
Positive but the predicted value is Negative.
3.1 Confusion matrix
The confusion matrix is a key concept in machine learning
classification performance. It represents actual and predicted
values in tabular form. Predicted and actual values are
represented by rows and columns respectively in the table.
3.2 Accuracy
Accuracy is the ratio of the number of correct predictions to
the number of all predictions by the classifier. Accuracy tells
the proposition of correct predictions out of total predictions.


3.3 Precision
Precision is the ratio between the number of True Positives
and the number of predicted positives by the classifier.
Precision tells the proposition of predicted trues are actually
true.


3.4 Recall
Recall or True Positive Rate (TPR) is the ratio between the
number of True Positives and the number of all relevant
samples. Recall tells the proposition of actually trues are
predicted as true.
  


3.5 F1 score
F1 score is a harmonic mean of precision and recall.


3.6 Specificity
Specificity is the ratio between the number of True
Negatives and the number of all relevant samples. It is also
called True Negative Rate (TNR).
 


3.7 AUC-ROC curve
AUC-ROC (Area Under the Curve-Receiver Operating
Characteristics) curve is the most important metric for
evaluating the effectiveness of classifiers. The ROC curve
plots True Positive Rate (TPR) on the y-axis and False Positive
Rate (FPR) on the x-axis. AUC score is between 0 and 1. The
classification model can accurately distinguish all classes
accordingly if the AUC score is 1. The classification model
would predict all positives to be negative and all negatives to
be positives if the AUC score is 0.


3.8 Cross fold validation
For evaluating machine learning models, cross-validation is
a single parameter (k) re-sampling approach. The parameter
specifies how many groups the sample data must be divided
into. This validation process data set was shuffled and divided
into k groups. To test a group data set, consider remaining
groups as a training data set. Fit the model like this for training
and tests. In this paper, we performed cross-validation with
k=5 and calculated accuracy of mean and standard deviation
scores.
Tables demonstrate the classification algorithm evaluation
metrics accuracy, cross-fold validation, precision, recall, F
score, specificity, and ROC-AUC scores for DDOS attack
detection.
Table 1 shows the classification algorithms evaluation
metrics on the DrDoS_MSSQL dataset. Logistic Regression
(LR), AdaBoost, KNN, Naïve Bayes (NB) give better
accuracy than others. All classification algorithms give the
same precision, recall, F-score values. LR and NB give the
best specificity values. LR, NB, and AdaBoost give the best
ROC-AUC scores.
Table 2 shows the classification algorithms evaluation
463
metrics on the DrDoS_SSDP dataset. AdaBoost gives the best
accuracy, next KNN gives better accuracy. LR and NB also
give good accuracy. LR and NB give the best precision.
AdaBoost gives the best recall. AdaBoost, KNN gives the best
F-score. LR and NB give the best specificity values. AdaBoost
gives the best and LR and NB give better ROC-AUC scores.
Table 3 shows the classification algorithms evaluation
metrics on the DrDoS_NTP dataset. LR gives the best
accuracy, best precision, best F-score, and best specificity.
AdaBoost gives the best recall and best ROC-AUC, but it
gives the worst specificity value. NB gives better values in all
evaluation metrics.
Table 4 shows evaluation metrics of the classification
algorithms on the DrDoS_TFTP attack dataset. LR and NB
give the best accuracy, best precision, and best specificity
values. AdaBoost gives the best ROC-AUC score. LR,
AdaBoost, KNN, and NB give the best values in recall and F-
score.
Table 5 shows the classification algorithms evaluation
metrics on the DrDoS_DNS attack dataset. LR and NB give
the best accuracy, best precision, best specificity values, and
better ROC-AUC score. AdaBoost and KNN give the best
recall and best F-score values. AdaBoost gives the best ROC-
AUC score.
Table 6 shows evaluation metrics of the classification
algorithms on the DrDoS_LDAP attack dataset. LR and NB
give the best accuracy, best precision, best F-score, and best
specificity values. AdaBoost and KNN give the best recall
values. NB gives the best ROC-AUC score.
Table 7 shows evaluation metrics of the classification
algorithms on the DrDoS_NetBIOS attack dataset. LR,
AdaBoost, KNN, and NB give the best accuracy and best F-
score values. LR and NB give the best precision and specificity
values. AdaBoost gives the best recall and best ROC-AUC
score values.
Table 1. Evaluation results of DrDoS_MSSQL attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.97
0.9999
0.9998
0.9999
99.9739 (0.0027)
0.87
0.9691
Decision Tree
99.82
0.9999
0.9984
0.9991
99.8532 (0.0042)
0.66
0.8291
Random Forest
99.82
0.9999
0.9984
0.9991
99.8538 (0.0039)
0.66
0.9417
AdaBoost
99.97
0.9999
0.9999
0.9999
99.9710 (0.0021)
0.66
0.9643
KNN
99.97
0.9998
0.9999
0.9999
99.9631 (0.0016)
0.64
0.9396
Naive Bayes
99.97
0.9999
0.9998
0.9999
99.9739 (0.0027)
0.87
0.9691
Table 2. Evaluation results of DrDoS_SSDP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.95
0.9999
0.9995
0.9997
99.9569 (0.0036)
0.82
0.9413
Decision Tree
99.91
0.9998
0.9992
0.9995
99.9205 (0.0016)
0.47
0.7325
Random Forest
99.91
0.9998
0.9993
0.9995
99.9204 (0.0016)
0.47
0.9115
AdaBoost
99.97
0.9997
0.9999
0.9998
99.9728 (0.0008)
0.19
0.9423
KNN
99.96
0.9998
0.9998
0.9998
99.9698 (0.0027)
0.37
0.9086
Naive Bayes
99.95
0.9999
0.9995
0.9997
99.9569 (0.0036)
0.82
0.9413
Table 3. Evaluation results of DrDoS_NTP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.66
0.9989
0.9976
0.9983
99.6490 (0.0055)
0.91
0.9601
Decision Tree
98.70
0.9976
0.9892
0.9934
98.7887 (0.0233)
0.80
0.8885
Random Forest
99.32
0.9976
0.9955
0.9966
99.1769 (0.0572)
0.80
0.9561
AdaBoost
99.35
0.9941
0.9993
0.9967
99.3448 (0.0247)
0.50
0.9705
KNN
99.64
0.9984
0.9980
0.9982
99.6241 (0.0051)
0.86
0.9623
Naive Bayes
99.65
0.9985
0.9980
0.9982
99.6311 (0.0037)
0.87
0.9668
Table 4. Evaluation results of DrDoS_TFTP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation Mean
(STD) scores (%)
Specificity
ROC_AUC
Score
Logistic Regression
99.95
0.9997
0.9998
0.9997
99.9504 (0.0014)
0.82
0.9240
Decision Tree
99.81
0.9995
0.9986
0.999
99.8500 (0.0109)
0.67
0.8323
Random Forest
99.81
0.9995
0.9986
0.999
99.8507 (0.0101)
0.67
0.9117
AdaBoost
99.94
0.9996
0.9998
0.9997
99.9350 (0.0068)
0.74
0.9566
KNN
99.94
0.9996
0.9998
0.9997
99.9467 (0.0039)
0.73
0.9119
Naive Bayes
99.95
0.9997
0.9998
0.9997
99.9504 (0.0014)
0.82
0.9520
464
Table 5. Evaluation results of DrDoS_DNS attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.90
0.9998
0.9992
0.9950
99.8944 (0.0074)
0.83
0.9768
Decision Tree
98.43
0.9995
0.9848
0.9921
98.6987 (0.0180)
0.61
0.8018
Random Forest
98.47
0.9995
0.9852
0.9923
98.7169 (0.0155)
0.61
0.9240
AdaBoost
99.89
0.9994
0.9995
0.9994
99.8864 (0.0050)
0.53
0.9775
KNN
99.89
0.9994
0.9995
0.9995
99.8957 (0.0069)
0.55
0.9066
Naive Bayes
99.90
0.9998
0.9992
0.9995
99.8944 (0.0074)
0.83
0.9768
Table 6. Evaluation results of DrDoS_LDAP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.92
0.9998
0.9994
0.9996
99.9210 (0.0023)
0.84
0.9535
Decision Tree
99.59
0.9996
0.9963
0.9979
99.6342 (0.0080)
0.66
0.8303
Random Forest
99.59
0.9996
0.9963
0.9979
99.6358 (0.0069)
0.66
0.9440
AdaBoost
99.91
0.9994
0.9996
0.9995
99.8996 (0.0049)
0.53
0.9501
KNN
99.91
0.9995
0.9996
0.9995
99.9193 (0.0033)
0.62
0.9334
Naive Bayes
99.92
0.9998
0.9994
0.9996
99.9210 (0.0023)
0.84
0.9552
Table 7. Evaluation results of DrDoS_NetBIOS attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.96
0.9999
0.9997
0.9998
99.9555 (0.0028)
0.82
0.9430
Decision Tree
99.90
0.9998
0.9992
0.9995
99.9124 (0.0037)
0.60
0.8011
Random Forest
99.90
0.9998
0.9992
0.9995
99.9119 (0.0024)
0.61
0.9285
AdaBoost
99.96
0.9996
1.0
0.9998
99.9559 (0.0012)
0.27
0.9502
KNN
99.96
0.9998
0.9998
0.9998
99.9698 (0.0027)
0.56
0.9186
Naive Bayes
99.96
0.9999
0.9997
0.9998
99.9555 (0.0028)
0.82
0.9430
Table 8. Evaluation results of DrDoS_SNMP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.95
0.9999
0.9996
0.9998
99.9506 (0.0030)
0.85
0.9017
Decision Tree
99.77
0.9998
0.9979
0.9988
99.7966 (0.0038)
0.6
0.7981
Random Forest
99.77
0.9998
0.9979
0.9988
99.7974 (0.0047)
0.6
0.9176
AdaBoost
99.95
0.9997
0.9997
0.9998
99.9512 (0.0014)
0.32
0.9726
KNN
99.97
0.9998
0.9999
0.9998
99.9631 (0.0016)
0.55
0.9026
Naive Bayes
99.95
0.9999
0.9996
0.9998
99.9506 (0.0030)
0.85
0.9736
Table 9. Evaluation results of DrDoS_SYN attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.98
0.9999
0.9999
0.9999
99.9787 (0.0023)
0.81
0.9433
Decision Tree
99.97
0.9999
0.9998
0.9998
99.9730 (0.0029)
0.6
0.8024
Random Forest
99.97
0.9999
0.9998
0.9998
99.9731 (0.0027)
0.6
0.9505
AdaBoost
99.98
0.9998
1.0
0.9999
99.9750 (0.0020)
0.42
0.9505
KNN
99.98
0.9999
0.9999
0.9999
99.9770 (0.0013)
0.68
0.9505
Naive Bayes
99.98
0.9999
0.9999
0.9999
99.9787 (0.0023)
0.81
0.9433
Table 8 shows evaluation metrics of the classification
algorithms on the DrDoS_SNMP attack dataset. KNN gives
the best accuracy and best recall values. LR and NB give the
best precision and specificity values. LR, AdaBoost, KNN,
and NB give the best F-score value. The finest ROC-AUC
score value is given by NB.
Table 9 shows the classification algorithms evaluation
metrics on the DrDoS_Syn attack dataset. LR, AdaBoost,
KNN, and NB give the best accuracy and best F-score values.
LR and NB give the best specificity values. AdaBoost gives
the best recall value. KNN gives the best ROC-AUC score
value. All algorithms give the best precision value.
Table 10 shows the classification algorithms evaluation
metrics on the DrDoS_UDP attack dataset. AdaBoost gives the
best accuracy, best recall, best F-score values, but it gives poor
specificity values. Both LR and NB give the best precision and
465
best specificity values. In the ROC-AUC score, LR gives the
best value, AdaBoost and NB give better results.
Table 11 shows the classification algorithms evaluation
metrics on the DrDoS_UDPLAG attack dataset. LR,
AdaBoost, KNN, and NB give the best accuracy and F-score
values. LR, AdaBoost, and NB give the best precision values.
AdaBoost gives the best specificity and ROC-AUC score. LR
and NB give better values in both specificity and ROC-AUC
scores.
Figure 1 to Figure 11 shows the Roc_Auc score curves of
the classification algorithms on eleven different DDoS attacks.
In ROC area blue line curve going along 45 degrees diagonal
line is called baseline curve, it shows random classifier.
Curves above the base line shows better performance, curves
below the base line shows poor performance. In ROC_AUC
curves, Top-left corner closer curves give the best
performance in classification. Hence, Logistic regression, Ada
boost and Naive Bayes classifiers show the best performance,
KNN and Random Forest classifiers shows moderate
performance, while Decision tree classifier shows poor
performance in all attacks.
Table 10. Evaluation results of DrDoS_UDP attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.92
0.9999
0.9993
0.9996
99.9238 (0.0029)
0.8
0.9477
Decision Tree
99.76
0.9997
0.9979
0.9988
99.7974(0.0035)
0.54
0.7711
Random Forest
99.76
0.9997
0.9979
0.9988
99.7985 (0.0043)
0.54
0.9024
AdaBoost
99.94
0.9995
1.0
0.9997
99.9380 (0.0015)
0.25
0.9475
KNN
99.93
0.9996
0.9997
0.9997
99.9367 (0.0049)
0.47
0.8946
Naive Bayes
99.92
0.9999
0.9993
0.9996
99.9238 (0.0029)
0.8
0.9475
Table 11. Evaluation results of DrDoS_UDPLAG attack detection
Classification
Algorithms
Accuracy
(%)
Precision
Recall
F-
score
Crossfold Validation
Mean (STD) scores
(%)
Specificity
ROC_AUC
Score
Logistic Regression
99.61
0.9982
0.9978
0.998
99.6135 (0.0202)
0.84
0.9551
Decision Tree
99.46
0.9972
0.9973
0.9973
99.4450 (0.0310)
0.76
0.8764
Random Forest
99.46
0.9972
0.9973
0.9973
99.4450 (0.0310)
0.76
0.9512
AdaBoost
99.61
0.9982
0.9978
0.998
99.6139 (0.0317)
0.85
0.9542
KNN
99.61
0.9981
0.998
0.998
99.6030 (0.019%)
0.83
0.9514
Naive Bayes
99.61
0.9982
0.9978
0.998
99.6135 (0.0202)
0.84
0.9551
Figure 1. Classifiers ROC curves of DrDoS_MSSQL attack
Figure 2. Classifiers ROC curves of DrDoS_SSDP attack
Figure 3. Classifiers ROC curves of DrDoDS_NTP attack
Figure 4. Classifiers ROC curves of DrDoS_TFTP attack
466
Figure 5. Classifiers ROC curves of DrDoS_DNS attack
Figure 6. Classifiers ROC curves of DrDoS_LDAP attack
Figure 7. Classifiers ROC curves of DrDoS_NetBIOS attack
Figure 8. Classifiers ROC curves of DrDoS_SNMP attack
Figure 9. Classifiers ROC curves of DrDoS_Syn attack
Figure 10. Classifiers ROC curves of DrDoS_UDP attack
Figure 11. Classifiers ROC curves of DrDoS_UDPLAG
attack
4. CONCLUSIONS
This paper presented a comparison of the performance of
six machine learning classification algorithms on eleven
individual different DDoS attacks datasets. Unfortunately, the
most common effective DDoS attack detection method for all
DDoS attacks has yet to be identified. Some DDoS attacks
have common effective methods and some attacks have
different effective methods. Decision tree and random forest
467
algorithms gave poorer results than others. Logistic regression,
Ada Boost, KNN, and NB show good results.
In this paper, classification algorithms applied to different
individual DDoS attack datasets get the best scores in all
metrics with google colab TPU processor which is a powerful
hardware accelerator and 12GB RAM. This configuration is
more expensive. All datasets are big data size. The idea of next
research would be to use feature selection to reduce data [22]
and detect DDoS attacks using low-cost hardware.
REFERENCES
[1] Dasari, K.B., Devarakonda, N. (2018). Distributed denial
of service attacks, tools and defense mechanisms.
International Journal of Pure and Applied Mathematics,
120(6): 3423-3437. http://dx.doi.org/10.1007/978-3-
319-97643-3_3
[2] Kwang, P. (2017). A countermeasure technique for
attack of reflection SSDP in Home IoT. Journal of
Convergence for Information Technology.
https://doi.org/10.22156/CS4SMB.2017.7.2.001
[3] Kshirsagar, D., Kumar, S. (2021). A feature reduction
based reflected and exploited the DDoS attack detection
system. Journal of Ambient Intelligence and Humanized
Computing. https://doi.org/10.1007/s12652-021-02907-
5
[4] Suvra, D.K.S., Sen, T., Hossain, M.I., Rahman, A., Mou,
M.M. (2020). Real-time performance analysis on DDoS
attack detection using machine learning. Brac University.
http://hdl.handle.net/10361/14730.
[5] Tuan, T.A., Long, H.V., Son, L.H., Kumar, R.,
Priyadarshini, I., Son, N.T.K. (2020). Performance
evaluation of Botnet DDoS attack detection using
machine learning. Evolutionary Intelligence, 13: 283-
294. https://doi.org/10.1007/s12065-019-00310-w
[6] Mirchev, M.J., Mirtchev, S.T. (2020). System for DDoS
attack mitigation by discovering the attack vectors
through statistical traffic analysis. International Journal
of Information and Computer Security, 13(3-4): 309-321.
http://dx.doi.org/10.1504/IJICS.2020.10029285
[7] Chen, W.W., Zhang, H.Y., Zhou, X.S., Weng, Y.J.
(2021). Intrusion detection for modern DDoS attacks
classification based on convolutional neural networks.
Computer and Information Science, 45-60.
https://doi.org/10.1007/978-3-030-79474-3_4
[8] Amaizu, G.C., Nwakanma, C.I., Bhardwaj, S., Lee, J.M.,
Kim, D.S. (2021). Composite and efficient DDoS attack
detection framework for B5G networks. Computer
Networks, 188: 107871.
https://doi.org/10.1016/j.comnet.2021.107871
[9] Moubayed, A., Aqeeli, E., Shami, A. (2020). Ensemble-
based feature selection and classification model for DNS
typo-squatting detection. IEEE Canadian Conference on
Electrical and Computer Engineering (CCECE).
https://doi.org/10.1109/CCECE47787.2020.9255697
[10] Swami, R., Dave, M., Ranga, V. (2021). Detection and
analysis of TCP-SYN DDoS attack in software-defined
networking. Wireless Personal Communications,
118(100): 2295-2317. http://dx.doi.org/10.1007/s11277-
021-08127-6
[11] Singh, K.J., Thongam, K., De, T. (2018). Detection and
differentiation of application-layer DDoS attack from
flash events using fuzzy-GA computation. IET Info.
Secure, 12(6): 502-512. https://doi.org/10.1049/iet-
ifs.2017.0500
[12] Durgam, R., Devarakonda, N., Nayyar, A., Eluri, R.
(2021). Improved genetic algorithm using machine
learning approaches to feature modelled for
microarray gene data. In book: Soft Computing for
Security Applications (pp. 859-872).
http://dx.doi.org/10.1007/978-981-16-5301-8_60
[13] Sharafaldin, I., Lashkari, A.H., Hakak, S., Ghorbani. A.A.
(2019). Developing realistic distributed denial of service
(DDoS) attack dataset and taxonomy. IEEE 53rd
International Carnahan Conference on Security
Technology, Chennai, India, pp. 1-8.
https://doi.org/10.1109/CCST.2019.8888419
[14] Yan, Y.D., Tang, D., Zhan, S.J., Dai, R., Chen, J.W., Zhu,
N.B. (2019). Low-rate dos attack detection based on
improved logistic regression. IEEE21st International
Conference on High-Performance Computing and
Communications, pp. 468-476.
https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.000
76
[15] Lakshminarasimman, S., Ruswin, S., Sundarakandam, K.
(2017). Detecting DDoS attacks using decision tree
algorithm. Fourth International Conference on Signal
Processing, Communication and Networking (ICSCN),
pp. 1-6. https://doi.org/10.1109/ICSCN.2017.8085703
[16] Chen, Y., Hou, J., Li, Q.M., Long, H.Q. (2020). DDoS
attack detection based on random forest. 2020 IEEE
International Conference on Progress in Informatics and
Computing (PIC), pp. 328-334.
https://doi.org/10.1109/PIC50277.2020.9350788
[17] Dong, S., Sarem, M. (2019). DDoS attack detection
method based on improved KNN with the degree of
DDoS attack in software-defined networks. IEEE Access,
8: 5039-5048.
https://doi.org/10.1109/ACCESS.2019.2963077
[18] Singh, N.A., Singh, K.J., De, T. (2016). Distributed
denial of service attack detection using Naive Bayes
classifier through info gain feature selection. ICIA-16:
Proceedings of the International Conference on
Informatics and Analytics, pp. 1-9.
https://doi.org/10.1145/2980258.2980379
[19] Peneti, S., Hemalatha, E. (2021). DDOS attack
identification using machine learning techniques.
International Conference on Computer Communication
and Informatics (ICCCI), pp. 1-5.
https://doi.org/10.1109/ICCCI50826.2021.9402441
[20] Mishra, P., Varadharajan, V., Tupakula, U., Pilli, E.S.
(2019). A detailed investigation and analysis of using
machine learning techniques for intrusion detection.
IEEE Commun. Surv. Tutor., 21(1): 686-728.
https://doi.org/10.1109/COMST.2018.2847722
[21] Vuong, T.H., Nguyen, V., Ha, Q.T. (2021). N-Tier
machine learning-based architecture for DDoS attack
detection. Intelligent Information and Database Systems,
375-385.http://dx.doi.org/10.1007/978-3-030-73280-
6_30
[22] Mekala, S., Rani, B.P. (2020). Kernel PCA based
dimensionality reduction techniques for preprocessing of
Telugu text documents for cluster analysis. International
Journal of Advanced Research in Engineering and
Technology, 11(11): 1337-1352.
https://doi.org/10.34218/IJARET.11.11.2020.121
468
... This researcher solves the problem of a Graduation project, which is a form or work requested by the study authority from the student to measure what he made during the study [3]. Distributed Denial of Service (DDoS) attacks are still attacking in terms of business, production, reputation, data theft, etc. [4]. A fuzzy expert system (FES) approach for FCPTL locate the inter-circuit faults and improve shunt fault location accuracy [5]. ...
... 5.66. Using the same formula, namely to (3) and to (4).  Calculating percentage value. ...
... Calculate the number of bayes disease one using formulae(4) ...
Application of Forward Chaining Method, Certainty Factor, and Bayes Theorem for Cattle Disease
Article
Full-text available
  • Feb 2024
Indonesia is a country that has many natural resources, especially mammals. The Papua and West Papua regions are large provinces with abundant natural resources and tremendous livestock potential. The availability of natural resources in the form of live cattle provides a great opportunity to develop animal husbandry in West Papua province. This research was conducted to create a new expert system with a knowledge base to solve the problems that occur and be useful for the community, especially cattle breeders. The current problem is the delay and lack of medical personnel in diagnosing cattle diseases, the distance that must be traveled, which is still very difficult to travel, and the lack of understanding of farmers in early handling when implications indicate animals. So, the Certainty Factor Method and Bayes Theorem with Forward-Chaining search are used to handle current problems. From the results of manual calculations, Certainty Factor Forward Chaining search is a method that has an uncertainty value of 99.84% for 3-day fever compared to Bayes Theorem Forward Chaining search with a value of 50% for worms, 50% for 3-day fever and 50% for nail rot, if applied then Certainty Factor Forward Chaining search is the most appropriate. Likewise, updating the knowledge base must be done from time to time. So that in the future, it can be compared with other methods and Android-based to facilitate current breeders.
View
... Akurasi adalah rasio jumlah prediksi yang benar terhadap jumlah semua prediksi oleh pengklasifikasi [21]. Akurasi digunakan untuk mengukur seberapa tepat model dapat mengklasifikasikan data dengan menghitung rasio jumlah prediksi yang benar (positif dan negatif) terhadap total data. ...
... Recall atau True Positive Rate (TPR) merupakan perbandingan antara jumlah True Positives dan total sampel yang relevan [21]. Ini mencerminkan proporsi contoh yang sebenarnya positif dan diidentifikasi sebagai positif. ...
Perbandingan Metode Random Forest, Convolutional Neural Network, dan Support Vector Machine Untuk Klasifikasi Jenis Mangga
Article
Full-text available
  • May 2024
Mango is a fruit known as the "King of Fruit" due to its rich flavor, vast variability, and high nutritional value. Classifying mangoes based on their external appearance is the initial step in the process of identifying and categorizing mango types conventionally. The classification process can be performed by examining external features such as fruit color, shape, and size. Classifying different types of mango fruits accurately can assist researchers in developing superior varieties and also aid farmers for cultivation purposes, sales, distribution, and selecting the right varieties for local growth and weather conditions. This research conducts the classification of mango types based on color from mango images using machine learning. The study compares three methods, namely Random Forest, Support Vector Machine (SVM), and Convolutional Neural Network (CNN), to determine the best method for classifying mango types based on their images. The dataset underwent preprocessing, where image sizes were standardized to 300 x 300 pixels, and color was changed to grayscale. The dataset was then divided into training and testing data with a ratio of 70:30. Subsequently, the dataset was processed using three methods, and their accuracy results were compared. The findings indicate that the Random Forest method yielded the highest accuracy compared to the other methods, with an accuracy rate of 96%. The accuracy of the SVM method was 95%, and the accuracy of the CNN method was 33%. From these results, it can be concluded that the Random Forest method is highly effective for classifying mango types based on their image compared to SVM and CNN methods.
View
... The UDP-Lag attack [4] is a sneaky trick used by some gamers to slow down their opponents. It disrupts the connection between a player and the game server, giving the attacker an unfair advantage. ...
View
... PENDAHULUAN [4].KNN adalah salah satu algoritma klasifikasi yang sederhana dan efisien [5], sementara DT adalah algoritma pembelajaran mesin yang digunakan untuk tugas regresi dan klasifikasi [6]. Decision tree terdiri dari akar (root), brach node, dan leaf node . ...
Perbandingan Kinerja Algoritma K-Nearest Neighbors (K-NN) Dan Decision Tree dalam Deteksi Paket Malis pada Jaringan
Article
Full-text available
  • Apr 2024
This research aims to classify malicious packet data and compare the performance of two algorithms, namely K-Nearest Neighbor (K-NN) and Decision Tree (DT). The UNSW-NB15 dataset used in this study has undergone preprocessing, feature selection, and data split stages. The preprocessing stage includes data transformation and selection of relevant features to detect malicious packets. Subsequently, experiments were conducted to test various values of K in K-NN and measure accuracy, recall, precision, and F1-Score. The results show that K-NN has an accuracy of 91.54%, while DT has 92.41%. The conclusion of this research indicates that the Decision Tree (DT) algorithm performs slightly better than K-Nearest Neighbor (K-NN) in detecting malicious packets. Therefore, in selecting an algorithm for network security detection, it is important to consider the specific needs and goals of the research as well as the characteristics of the data used.
View
... To detect DDoS attacks, Dasari and Devarakonda suggested yet another ML-based model. They used different single ML-based classifiers [24]. The model with logistic regression produced the best result from the performance study, with an accuracy of 99.61 %. ...
Enhancing DDoS attack detection with hybrid feature selection and ensemble-based classifier: A promising solution for robust cybersecurity
Article
Full-text available
  • Feb 2024
Distributed denial-of-service (DDoS) attacks pose a significant threat to computer networks and systems by disrupting services through the saturation of targeted systems with traffic from multiple sources. Real-time detection of these attacks has become a critical cybersecurity task. However, current DDoS attack detection methods suffer from high false positive rates and limited ability to capture the complex patterns of attack traffic. This research proposes an enhanced approach for detecting DDoS attacks using a hybrid feature selection technique in combination with an ensemble-based classifiers. The ensemble-based approach aggregates many decision trees to increase classification accuracy and reduce overfitting and model robustness. The feature selection technique uses correlation analysis, mutual information, and principal component analysis to identify the most useful characteristics for attack detection. The ensemble-based Random Forest classifier from the various ensemble-based approaches with the specified relevant features produces the best detection rates. Many datasets related to identifying DDoS attacks are used to evaluate the proposed model, and experimental findings demonstrate that it surpasses existing techniques in terms of accuracy, recall, precision, f1-score, and false positive rate, with other evaluation metrics. The proposed approach achieves almost 100 % accuracy, 100 % true positive rate, and 0 % error rate making it a promising solution for DDoS attack detection.
View
... The constructed trees vote in a majority-only fashion to determine the classification outcome. The outcome is then generated using a random forest, which incorporates the outcomes from each decision tree [24]. ...
Detection of Distributed Denial of Service Attacks in Software Defined Networks by Using Machine Learning
Article
Full-text available
  • Nov 2023
Within the sphere of Software-Defined Networking (SDN) — an innovative architectural paradigm that segregates the control plane from the data plane — a paramount concern is the defense against Distributed Denial of Service (DDoS) assaults. These attacks pose a significant threat to the integrity and operational sustainability of SDN infrastructures, potentially leading to extensive system disruptions and financial losses.To address this challenge, our study introduces an innovative approach utilizing machine learning strategies to enhance the detection of DDoS threats. We employed a trio of classification algorithms: Random Forest (RF), Support Vector Machine (SVM), and K-Nearest Neighbors (KNN), applied to a publicly available SDN dataset specific to DDoS attacks. Our methodology integrates a blend of feature selection techniques, including Recursive Feature Elimination (RFE), Principal Component Analysis (PCA), and t-Distributed Stochastic Neighbor Embedding (t-SNE), with the aim of refining the accuracy of our classifications.In a comparative analysis with existing models, our innovative application of KNN in conjunction with RFE demonstrated exceptional performance, achieving an accuracy of 99.97%, a precision of 99.98%, a recall of 99.96%, and an F1-score of 99.97%. This breakthrough indicates a significant advancement in the field of SDN security.
View
... The core intention of this research is speaker segmentation and speaker diarization using proposed FEOSA, which is the integration of FC [21] and EOSA [22]. Initially, the input audio sample taken from Telugu dataset specified in the study [23] is allowed for the process of feature extraction. ...
View
Syn Flood DDoS Attack Detection with Different Multilayer Perceptron Optimization Techniques Using Uncorrelated Feature Subsets Selected by Different Correlation Methods
Chapter
  • Dec 2023
Cyber attackers widely used Distributed Denial of Service (DDoS) attacks to saturate servers with network traffic, preventing authorized clients to access network resources and ensuing massive losses in all aspects of the organizations. With the use of ADAM, SGD, and LBFGS optimization techniques, this paper evaluates a Multilayer Perceptron (MLP) classification algorithm for Syn flood DDoS attack detection using various uncorrelated features chosen with Pearson, Spearman, and Kendall correlation methods. Dataset for a Syn flood DDoS attack was taken from the CIC-DDoS2019 dataset. Experiment results conclude that among optimization techniques, ADAM optimization gives better results and among uncorrelation feature sets and Pearson uncorrelated feature subset produce the best results. Multilayer Perceptron produces the best classification results with ADAM optimization and Pearson uncorrelation subset on Syn flood DDoS attack.
View
UDP Flood DDoS Attack Detection Using Multilayer Perceptron Different Optimization Techniques with Pearson, Spearman and Kendall Uncorrelated Feature Subsets
Chapter
  • Sep 2023
The main challenge of the Internet is security. Distributed Denial of Service (DDoS) attacks is a major Internet security threat nowadays. Traditional detection methods are difficult to detect DDoS attacks because attackers use legitimate packets and frequently change package information. This research proposed a detection methodology with multilayer perceptron classification algorithm using feature selection correlation methods. And it is a quantitative study comparing a Multilayer Perceptron (MLP) classification algorithm ADAM, SGD, and LBFGS optimal approaches with distinct uncorrelated feature subsets for detecting UDP-flood DDoS attacks. Pearson, Spearman, and Kendall correlation methods are used to determine features. UDP-flood attack dataset collected from the Canadian CIC-DDoS2019 evaluation datasets. Experiment results conclude that all optimization techniques give more equal better results with all uncorrelation feature subsets.
View
Machine Learning Based Classification Model for Network Traffic Anomaly Detection
Article
  • Jul 2023
In current days, cloud environments are facing a huge challenge from the attackers in terms of various attacks thrown to the cloud service providers. In both industry and academics, the problem of detection and mitigation of DDoS attacks is now a challenging issue. Detecting Distributed Denial of Service (DDos) threats is mainly a classification problem that can be addressed using data mining, machine learning and deep learning techniques. DDoS attacks can occur in any of the seven-layer OSI model's network. Hence, detecting the DDoS attacks is an important task for cloud service providers to overcome dangerous attacks and loss incurred to stake holders and also the provider.
View
Improved Genetic Algorithm Using Machine Learning Approaches to Feature Modelled for Microarray Gene Data
Chapter
Full-text available
  • Jan 2022
One of the most controversial and emerging applications of microarray-based cancer research is the identification of the pathology that are canons and genetic pathway alterations. Though microarray-based classifications of cancer diagnosis continue to be a concern, cancer orthodox has not advanced very far. The primary explanation for this is the vast number of available genes for training proportionately to the number of samples accessible. In this paper, we present a hybrid machine learning approach scenario on genetic algorithms as an improved characteristic set of data sets such as lymphoma, lung, MLL, breast and colon cancers utilized to provide characteristic features on each algorithm proposed. The classification methods such as XG-boost, RFR and extra tree classifications have been implemented with GA and without GA, providing the list of genes until it has reduced the number of features to the machine learning classifier which are trained and tested. These experimental results show that the hybrid model on GA in a few cases with ML approaches increases the accuracy and in others reduces the number of successful levels while providing higher classification accuracy.
View
Detection and Analysis of TCP-SYN DDoS Attack in Software-Defined Networking
Article
Full-text available
  • Jun 2021
  • WIRELESS PERS COMMUN
Software-defined networking (SDN) is an advanced networking technology that yields flexibility with cost-efficiency as per the business requirements. SDN breaks the vertical integration of control and data plane and promotes centralized network management. SDN allows data intensive applications to work more efficiently by making the network dynamically configurable. With the growing development of SDN technology, the issue of security becomes critical because of its architectural characteristics. Currently, Distributed denial of service (DDoS) is one of the most powerful attacks that cause the services to be unavailable for normal users. DDoS seeks to consume the resources of the SDN controller with the intention to slow down working of the network. In this paper, a detailed analysis of the effect of spoofed and non-spoofed TCP-SYN flooding attacks on the controller resources in SDN is presented. We also suggest a machine learning based intrusion detection system. Five different classification models belong to a variety of families are used to classify the traffic, and evaluated using different performance indicators. Cross-validation technique is used to validate the classification models. This work enables better features to be extracted and classify the traffic efficiently. The experimental results reveal significantly good performance with all the considered classification models.
View
A feature reduction based reflected and exploited DDoS attacks detection system
Article
Full-text available
  • Jan 2022
The hacker attempts distributed denial of service (DDoS) attacks towards network resources to disturb or deny services. The hacker degrades the quality of service to legitimate users by performing reflection and exploitation based DDoS attacks with a trusted third party server that hides information of the attacker. It is, therefore, necessary to propose an intelligent intrusion detection system to detect reflection and exploitation based DDoS attacks efficiently and effectively. The present study proposes a feature reduction method by the combination of information gain (IG) and correlation (CR) feature selection techniques. This study presents a DDoS attack detection framework to detect reflection and exploitation based DDoS attacks in an efficient manner. The framework is tested on the latest DDoS evaluation (CICDDoS2019) dataset with J48 classifier. The feature reduction method obtains minimum and maximum reduction by 56 and 82.92% respectively, of the original features. The experimentation results show that the proposed framework outperforms using a reduced features subset. The validation of the proposed framework on knowledge discovery and data mining (KDD Cup 1999) dataset provides improvement in performance for binary and multi-level classification using feature reduction by 60.97% of the original features. The proposed feature reduction method is also compared to the relevant existing feature selection methods used for intrusion detection on CICDoS 2019 and KDD Cup 1999 datasets.
View
DDoS Attack Detection Method Based on Improved KNN With the Degree of DDoS Attack in Software-Defined Networks
Article
Full-text available
  • Dec 2019
The Distributed Denial of Service (DDoS) attack has seriously impaired network availability for decades and still there is no effective defense mechanism against it. However, the emerging Software Defined Networking (SDN) provides a new way to reconsider the defense against DDoS attacks. In this paper, we propose two methods to detect the DDoS attack in SDN. One method adopts the degree of DDoS attack to identify the DDoS attack. The other method uses the improved K-Nearest Neighbors (KNN) algorithm based on Machine Learning (ML) to discover the DDoS attack. The results of the theoretical analysis and the experimental results on datasets show that our proposed methods can better detect the DDoS attack compared with other methods.
View
Performance evaluation of Botnet DDoS attack detection using machine learning
Article
Full-text available
  • Jun 2020
Botnet is regarded as one of the most sophisticated vulnerability threats nowadays. A large portion of network traffic is dominated by Botnets. Botnets are conglomeration of trade PCs (Bots) which are remotely controlled by their originator (BotMaster) under a Command and-Control (C&C) foundation. They are the keys to several Internet assaults like spams, Distributed Denial of Service Attacks (DDoS), rebate distortions, malwares and phishing. To over the problem of DDoS attack, various machine learning methods typically Support Vector Machine (SVM), Artificial Neural Network (ANN), Naïve Bayes (NB), Decision Tree (DT), and Unsupervised Learning (USML) (K-means, X-means etc.) were proposed. With the increasing popularity of Machine Learning in the field of Computer Security, it will be a remarkable accomplishment to carry out performance assessment of the machine learning methods given a common platform. This could assist developers in choosing a suitable method for their case studies and assist them in further research. This paper performed an experimental analysis of the machine learning methods for Botnet DDoS attack detection. The evaluation is done on the UNBS-NB 15 and KDD99 which are well-known publicity datasets for Botnet DDoS attack detection. Machine learning methods typically Support Vector Machine (SVM), Artificial Neural Network (ANN), Naïve Bayes (NB), Decision Tree (DT), and Unsupervised Learning (USML) are investigated for Accuracy, False Alarm Rate (FAR), Sensitivity, Specificity, False positive rate (FPR), AUC, and Matthews correlation coefficient (MCC) of datasets. Performance of KDD99 dataset has been experimentally shown to be better as compared to the UNBS-NB 15 dataset. This validation is significant in computer security and other related fields.
View
N-Tier Machine Learning-Based Architecture for DDoS Attack Detection
Chapter
  • Apr 2021
Distributed Denial of Service (DDoS) attack is a menace to network security that aims at exhausting the target networks with malicious traffic. With simple but powerful attack mechanisms, it introduces an immense threat to the current Internet community. In this paper, we propose a novel multi-tier architecture intrusion detection model based on a machine learning method that possibly detects DDoS attacks. We evaluate our model using the newly released dataset CICDDoS2019, which contains a comprehensive variety of DDoS attacks and address the gaps of the existing current datasets. Experimental results indicated that the proposed method is more efficient than other existing ones. The experiments demonstrated that the proposed model accurately recognize DDoS attacks outperforming the state-of-the-art by F1-score.
View
View
Composite and efficient DDoS attack detection framework for B5G networks
Article
  • Apr 2021
  • COMPUT NETW
Distributed denial-of-service (DDoS) remains an ever-growing problem that has affected and continues to affect a host of web applications, corporate bodies, and governments. With the advent of fifth-generation (5G) network and beyond 5G (B5G) networks, the number and frequency of occurrence of DDoS attacks are predicted to soar as time goes by, hence there is a need for a sophisticated DDoS detection framework to enable the swift transition to 5G and B5G networks without worrying about the security issues and threats. A range of schemes has been deployed to tackle this issue, but along the line, few limitations have been noticed by the research community about these schemes. Owing to these limitations/drawbacks, this paper proposes a composite and efficient DDoS attack detection framework for 5G and B5G. The proposed detection framework consists of a composite multilayer perceptron which was coupled with an efficient feature extraction algorithm and was built not just to detect a DDoS attack, but also, return the type of DDoS attack it encountered. At the end of the simulations and after testing the proposed framework with an industry-recognized dataset, results showed that the framework is capable of detecting DDoS attacks with a high accuracy score of 99.66% and a loss of 0.011. Furthermore, the results of the proposed detection framework were compared with their contemporaries.
View
Ensemble-based Feature Selection and Classification Model for DNS Typo-squatting Detection
Conference Paper
  • Sep 2020
Domain Name System (DNS) plays in important role in the current IP-based Internet architecture. This is because it performs the domain name to IP resolution. However, the DNS protocol has several security vulnerabilities due to the lack of data integrity and origin authentication within it. This paper focuses on one particular security vulnerability, namely typo-squatting. Typo-squatting refers to the registration of a domain name that is extremely similar to that of an existing popular brand with the goal of redirecting users to malicious/suspicious websites. The danger of typo-squatting is that it can lead to information threat, corporate secret leakage, and can facilitate fraud. This paper builds on our previous work in [1], which only proposed majority voting based classifier, by proposing an ensemble-based feature selection and bagging classification model to detect DNS typo-squatting attack. Experimental results show that the proposed framework achieves high accuracy and precision in identifying the malicious/suspicious typo-squatting domains (a loss of at most 1.5% in accuracy and 5% in precision when compared to the model that used the complete feature set) while having a lower computational complexity due to the smaller feature set (a reduction of more than 50% in feature set size).
View
View