Dynamic Approaches for Detection of DDoS Threats using Machine Learning
Tarun Dhamor, Computer Science & Engineering, SRM Institute of Science and Technology, Kattankulathur, Siddharth Bhat, Computer Science & Engineering, SRM Institute of Science and Technology,
Dr. S. Thenmalar, Asst. Prof., Computer Science & Engineering„ SRM Institute of Science Technology, Kattankulathur
Distributed Denial of Service (DDoS) attacks has become one of the major and fastest growing threats on the Internet. DDoS attacks are a type of cyber attack which targets a specific machine or network in an attempt to make it unavailable, unusable for a period of time. So detecting different types of DDoS cyber threats with better algorithms and higher accuracies while keeping the computational cost at check has become the most important aspect in detecting DDoS attacks. Determining the type of DDoS attack is of paramount importance in effectively defending the targeted network or the system. This paper presents several ensemble classification techniques that combine the performance of various algorithms and compares it with existing Machine Learning Algorithms in effectively detecting the types of DDoS attacks using accuracy, F1 scores and ROC curves.
Distributed Denial of Service, Neural Network, Support Vector Machine, Decision Tree, Random Forests, Multilayer Perceptron, LSTM, XGBoost, AdaBoost
DDoS attack detection is the process that is used to deter- mine normal traffic from attack traffic or botnet traffic. These attacks can be done internally or externally and can target different layers of the OSI model. The traffic may contain incoming messages, connection requests, or fake packets. DDoS attack detection using Machine Learning techniques mainly involve three steps that are taking network samples, processing the network data and classification of network samples.
The computer network consists of various layers of the OSI model. Different types of DDoS attacks target on specific layers. The Network Layer can be exploited using ICMP Floods, Smurf Attacks, and IP/ICMP Fragmentation attacks. The Transport layer can be exploited using UDP Floods, TCP Connection Exhaustion, and SYN Floods. The application layer can be exploited using HTTP-encrypted attacks.
The attackers use botnets to generate HTTP or HTTPS flood. The botnets are utilized by posing as legitimate HTTP or HTTPS requests by flooding the web-server. HTTP is the protocol that controls how message requests are encrypted and transmitted.
The two most commonly occurring types of attacks are Reflection based and Exploitation based and each of the DDoS attack fall in either of these two categories. In reflection based DDoS attacks the attacker hides its identity by utilizing third party tools and components.
The attack is initiated by transmitting packets to a reflective server which contains the source IP address of the victim. Such attacks are performed in the Application Layer utilizing either Transport Control Protocol (TCP), User Datagram Protocol (UDP) or using them both simultaneously.
Exploitation Based Attacks utilize similar techniques to that of Reflection Based Attacks in which they use third party software and components to remain hidden when the attack is initiated. It has both TCP based and UDP based attacks.
13664 Figure: Types of DDoS attacks
The exigency of the situation makes it an important aspect of network security and earlier various statistical analysis methods, knowledge based methods, decision entropy based were used which are time consuming and aren’t really effective as networks are constantly evolving and are under various threats. Many researchers use ML and AI techniques to detect the DDoS attack effectively.
There is a need to classify the DDoS attacks into various types, for example majority of the DDoS attacks done are SYN Flood attacks which is a type of Exploitation based attack. The ML and AI models can be updated with greater convenience. Since the dataset is large and has 84 features the computational complexity raises and time taken to predict also increases. To combat this we have applied feature selection as ExtraTrees classifier technique to select the best relevant 20 features.
II. RELATED WORK
Liguo Chena et al , worked on a model which is dependent on Random Forest applied to traffic classification with a precision of 99.2% on Spark. The outcome shows that the model could be utilized to manage large scale DNS query streams, which is sufficiently quick to be utilized by.
Ömer KASIMa . In the proposed approach, the deliberate values obtained from the network are normalized somewhere in the range of 0 and 1. These values applied to the auto encoder model prepared with ideal hyper boundaries. This model adds to feature learning and dimensional decrease. Support vector machines successfully separate among normal and DDOS attack traffic by utilizing these features.
Marcos V.O. de Assis et al  propose a real-time SDN detection tool that works on the source-end network and avoid the DDoS threats. They utilize CNN for DDoS detection and mitigation of attacks. The results that were obtained were used in two test situations, and the further results brought up that the approach is useful in detecting future DDoS attacks.
Swati Sahu et al  proposes work which identifies the Level 2 attacks that is in the ISP domain, utilizing ML algorithm to find better approach for DDoS attack as well and afterward diverting the dubious traffic to honey pot for additional assessment of the traffic.
Naiji Zhang et al  Low-rate DoS (LDoS) attack misuses the vulnerability of TCP's blockage control mechanism by sending malevolent traffic at the low consistent rate and endeavors retransmission timeout mechanism to lessen the throughput. Contrast with DDoS attacks, LDoS as a rule have low attack volume, this conduct makes it difficult to be recognized by the traditional.
Saikat Das et al . This paper proposes a NIDS which can recognize existing just as new kinds of DDoS
DNS LDAP NETBIOS
TCP Based SYN Flood
UDP Flood UDP Lag
13665 assaults. The critical component of the NIDS is that it consolidates various classifiers utilizing ensemble models, with the idea that every classifier can target explicit perspectives/kinds of intrusions.
KVVNL Sai Kirana et al . This paper proposes to work on models which detect threats on IOT devices.
They create an IOT environment using various sensors. So during the normal functioning the sensors capture the data and transfer it to ThinkSpeak platform. During the attack simulation the attacker discretely modifies the data that is been transmitted. So to counter this they utilize ML techniques such as SVM, Decision Trees, Adaboost, SVM to categorize the incoming data into normal and attacker data.
Saurabh Deya et al . This paper targets mobile cloud networks by designing a machine learning detection system. The specialty of the system is that rule updation doesn’t need to be present and the functioning can be modified according to the client’s network. The planned work includes two stages; multi- layer traffic screening and choice based Virtual Machine.
Mohamed Amine Ferraga et al . This paper presents a study for several of deep learning methods for intrusion detection systems, and a analysis report. The dataset assumes a significant function in intrusion detection; they depict 35 datasets and classify them into 7 different categories. Further they cover multiple deep learning models such as deep neural networks, CNN, auto encoders, etc.
Luis A. Trejo et al . The present their model as DNS Anomaly Detection Visual Platform, that gives a novel visualization in coordinated way which portrays current DNS traffic, and single class classifier which manages abnormal traffic detection. Because of the profoundly powerful nature of DNS traffic, our order strategy persistently refreshes what considers typical conduct; it was tried on fabricated attacks, with 83% of the area under the curve (AUC).
III. PROPOSED SOLUTION
There is no one framework or approach for detection and mitigation of DDoS attacks. There are several algorithms that are relatively different from each other. The algorithms for various types of DDoS attack detection are chosen on the basis of the computational complexity of the ML algorithms. This helps in choosing the algorithms with low computational complexity when the performance is similar to each other.
Table 1- Computational Complexity of ML Algorithms
In Table 1, n is the number of training samples, f being the total number of features in the training data. For neural network nl1 is the numbers of neurons in layer i for a given network.
The dataset used in this study is CICDDoS2019; this dataset is an improvement on its predecessor and improves most of the shortcomings from the previous dataset. The main benefit of using this dataset is that it has inspected emerging attacks which are mainly done using the TCP/UDP protocols in the Application layer.
The dataset divides different types of attack mainly into two categories Reflective and Exploitative Attacks. It is divided into different categories based on the protocols used.
13666 Using this dataset for multi-class classification for AI and ML algorithms approach is a challenging task as there are many categories of attacks and hardly anyone has used this dataset for multi-class classification for various types of DDoS Attacks detection.
In addition, the size of the dataset is almost 26 GB which cannot be directly used for this study on standard machines as to process this amount of data more computation resources are required. So it is of paramount importance to reduce the dataset to effectively train AI and ML models. For reducing the dataset while maintaining the integrity of data along with the distribution Scikit-learn Python Library is used.
B. Data Preprocessing
The preprocessing was done in multiple steps. To make the dataset appropriate for the model and ensemble learning methods, various preprocessing is applied on the dataset. The operations performed are as follows:
1. Remove Socket Information: Since the detection needs to be fair it is vital that the port number as well as the IP address of both the source and destination needs to be eliminated. If this data is used while training the model it may over fit. The model should be familiar with the features of the packet so as to find any similar packet.
2. Label Encoding: All the labels in the dataset that are multi-class have string values as their attack’s names. Encoding such values into numerical values becomes a important step. However this process is restricted to multi-class labels since binary labels can be easily transformed into 0-1 formation.
3. Replace null and infinity values: The dataset consists various rows as null or infinity values. This is addressed by replacing the infinity values as maximum values and missing values as average value.
The architecture diagram in Fig. 2 consists of applying preprocessing methods to the dataset followed by the data being fetched into the classifier.
These classifiers then determine the type of attack and Majority Voting is used to determine whether it is DDoS traffic or normal traffic.
Figure 2 – DDoS Detection Architecture
13667 D. Machine Learning Algorithms
Support Vector Machine (SVM): It is a supervised learning algorithm; it separates the different classes by a hyper plane and builds a model which is able to detect the unseen examples. LinearSVC was used from Sci-Kit Learn with a parameter “ovr” one-vs-rest for multilabel classification. Square hinge was used as loss function as it gives computationally effective outputs. The regularization and cost parameter are taken as 1 so as to reduce the margin.
Decision Tree: They are supervised learning algorithm which sorts the tree from root node to leaf node.
The leaf node gives the classification as label names. It uses hyperplanes that divide the feature space into the classification. They are not prone to outliers so less data processing is needed. To implement Decision Trees we used Gini Index as the splitting criteria. We took the sample split value as 3.
Pruning was avoided to reduce cost complexity.
Random Forest: It is a set of decision trees that are randomly selected from a training set and then a vote is aggregated from all the decision trees randomly and final object tested is given. The classifier is mainly used as it works well with big datasets and can handle large number of input variables. The parameter which give the best accuracy score for this classifier are 100 number of estimators,
minimum sample leaves as 1, Gini criterion to split and measure its quality.
Xtreme Gradient Boosting: XGBoost is a powerful algorithm and it works well for unstructured data. In this gradient descent algorithm is used to minimize the errors. XGBoost optimized by using parallelization, hardware optimization, pruning, regularization and cross-validation. This is a scalable and has higher computational speed. “Friedman mse” was used to measure quality of split.
Adaptive Boosting: It is an ensemble learning algorithm which learns from weak classifier’s faults and makes it into strong classifiers by using iterative strategy. This makes the algorithm better than doing random predictions. AdaBoost helps in increasing the accuracy of base estimator which is Decision Trees. Gini criterion is used to measure the quality of split.
Majority Vote Classifier: It selects the class label that has been predicted by majority of the classifiers if a class label has received more than 50% of the votes. We combine the 4 top performing classifiers and get the best approximate for the different class label for various DDoS attacks. The classifier is called MV-4 classifier.
Multi Layer Perceptron (MLP): It is a supervised learning algorithm which uses Backpropogation learning method. It has the ability to learn non-linear functions in real-time which increases the application area of MLP. The optimizer used is adadelta as well as categorical cross entropy as the loss function. To achieve multiclass classification the Softmax activation function on the output layer and relu function in hidden layers are used to generate maximum accuracy score.
Long Short Term Memory (LSTM): LSTM is based on Recurrent Neural Network (RNN) which is used in Deep Learning with feedback connections. It works well for classification, processing. The model uses adam as an optimizer. For generating good accuracy score 2 layers of LSTM were used each with 8 units with softmax as the output layer for prediction of multiclass labels.
IV. EVALUATION METRICS The parameters used for evaluating the ML models are mentioned below:
Accuracy Score: It gives the measure of closeness to a specific value. The formula for accuracy score is mentioned below:
13668 In this equation, y is the true label, y’ is the predicted label which is given after prediction. For multilabel classification, the accuracy score gives us the accuracy of the subset. When the entire set of predicted values matches the true label the accuracy score is given as 1.0, otherwise 0.0.
F1-Score: It is the measure of Test Set accuracy. It calculates the harmonic mean of precision (P) and recall(R) to find the score. The formula is given below:
he maximum value of F1 Score is 1.
Receiver Operating Characteristic Curve: The ROC curve is used to evaluate a model for classification based on their performance by considering the False Positive Rate (FPR) and True Positive Rate (TPR).
The values of TPR and FPR are computed by shifting the decision threshold of the classifier. The TPR feature lies on Y-axis and FPR feature lies on X-axis, The ideal result for the classifier is at the top left where FPR is zero and TPR is 1 which makes the classifier ideal. The larger area under the curve greater the performance.
V. RESULTS AND ANALYSIS
In this section, we analyze the results obtained from different algorithms on the dataset.
Support Vector Machine has an accuracy score of 92.75%. It is lower than Decision Tree and XGBoost. It is lowest among all the algorithms mentioned.
In the Table 3 it shows the F1 score for all the DDoS attacks. SVM is able to detect SYN Flood attack perfectly. WebDDoS has an F1-score of 0.52 which depicts SVM isn’t able to detect it properly. For other attacks like Benign Traffic, SSDP attack which have an F1 score of 0.90 and 0.80 respectively, it shows that algorithm is able to differentiate between normal and attack traffic. The ROC curves in Fig 3 depicts that some attacks like DNS, NetBIOS have higher area under the curve while few have lower area under the curve.
The macro-average for SVM is 0.98. The higher area under the curve shows better performance of the algorithm.
Table 2- Accuracy Score for various models
The accuracy score for Decision Tree is 98.99% which is higher than SVM. The F1 score for Decision Tree is better for all attack types except WebDDoS. It can detect SYN attack perfectly and can detect Benign attack
13669 with a score of 0.90. The other attacks have F1 score of 0.99 which is an improved score. In Fig. 4 the RoC curve for different attack types for Decision Tree algorithm is shown and area under the curve is 0.99 and macro average is 0.99.
The XGBoost algorithm has a accuracy of 98.59% which is higher than SVM and bit lower than Decision Tree. The F1 score is given below and it doesn’t detect WebDDoS and Benign attack properly. The SYN attack is perfectly detected. The other attacks have F1 score of 0.98 or 0.99. The RoC curve for this algorithm is shown in Fig 5. The macro average for area under the curve is 0.8 which is lower than both SVM and Decision Tree.
Table 3- F1 score for various attacks
Random Forest has an accuracy score of 99.24% which is higher among all the algorithms. It is closely matched by Decision Tree. It boasts the best F1 scores in all the algorithms used. It can detect NTP, Syn, and UDP-Lag perfectly. It has the highest F1 score for Benign traffic and an improved score for WebDDoS attack.
The ROC curve for Random Forest given in Fig 6. Looks like an ideal classifier for this dataset as area under the curve for detecting all types of attack is 1.00.
Adaptive Boosting algorithm is ensemble learning technique and it uses Decision Tree as base
estimator. The accuracy score for it is 99.01% which is higher than SVM, Decision Tree and XGBoost but bit lower than Random Forest. The F1 score for Benign is 0.90 which is also better than most of the other
algorithms. The other attacks have nearly perfect F1 score which means they are well detected by the
algorithm. The ROC curve given in Fig 7, the area under the curve for WebDDoS is 0.62 which is lower than Random Forest. This algorithm performs better than SVM, Decision Tree and XGBoost but slightly lower than Random Forest.
The Majority Voting Classifier (MV4) combines the performance of Random Forest, Adaboost, Decision Tree and XGBoost algorithms which gives an accuracy score of 99.01% which is same as of AdaBoost and slightly lower than that of Random Forest. The F1 scores tables shows most attacks have F1 score of 0.99. WebDDoS attack has lower score of 0.38 and Benign has score of 0.90 which is only lower to Random Forest. The RoC curve for MV-4 is given in Fig. 8. The area under the curve for micro and macro average is 1.00 which depicts it as an ideal classifier for the dataset.
The performance of MLP and LSTM is slightly lower as compared to other ML algorithms. The accuracy score for MLP is 97.33%. It cannot detect WebDDoS cyber threat as F1 score is 0.00. Benign attack has F1 score of 0.92 which is lower than Random Forest. The other attacks have good F1 score. The RoC curve for MLP is shown in Fig. 9. The area under the curve for WebDDoS is 0.52 which lowers the macro average to 0.96.
The accuracy score for LSTM is 98.16% which is better than MLP. It is slightly lower than that of Random Forest. The LSTM performs better to MLP in most of the cases except Benign traffic as it decreases to 0.92 to 0.89 from MLP to LSTM. The WebDDoS attack has F1 score of 0.00 which is same as that of MLP.
The ROC curve shows that area under the curve for all cyber threats is 1.00. The micro and macro average scores are also 1.00 which is similar to Random Forest. The ROC curve in Fig. 10 shows that the performance
13670 of LSTM is close to an ideal classifier similar to that of Random Forest.
The multiclass classification for DDoS attacks was conducted by using different algorithms and each of the threats were individually identified and validated by using different metrics. An ensemble classifier MV-4 was tested for multiclass DDoS attack detection which has an accuracy score of 99.01%. A deep analysis of different AI and ML algorithms was done and among all the algorithms Random Forest Classifier has the highest accuracy score of 99.24% followed by MV-4 and AdaBoost both of which have an accuracy score of 99.01%.
However the F1 score shows Adaboost is little behind Random Forest and MV-4 as it cannot detect few attack properly. The F1 scores of Random Forest and MV-4 are similar; Random Forest has a little advantage as it detects few threats better. The ROC curves for all the algorithms were presented in the paper for further analysis. The RoC curve given below depicts that Random Forest and MV-4 behave as an ideal classifier on the dataset.
Detection of different types of DDoS attacks is successfully implemented which was the main aim. For future work, the different solutions can be deployed to defend the network from such cyber attacks. Further using these powerful algorithms a system can be developed which successfully detects the DDoS cyber threats and deploy counter measures to prevent such threats which can cause potential damage to the network.
Fig. 3 - RoC Curve for SVM
Fig 4 - RoC Curve for Random Forest
Fig 5 - RoC Curve for AdaBoost
 S. Sahu and A. Verma, “DDoS attack detection in ISP domain using machine learning.”
 R. S. S. Theja and G. K. Shyam, “A Machine Learning based Attack Detection and Mitigation using a Secure SaaS Framework.”
 M. A. Ferraga, L. Maglaras, S. Moschoyiannis, and H. Janicke, “Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study.”
 O. KASIMa, “An Efficient and Robust Deep Learning based Network Anomaly Detection against Distributed Denial of Service Attacks.”
Fig. 6 - RoC Curve for MV-4
Fig. 7 - RoC Curve for MLP
Fig. 8 - RoC Curve for LSTM
 K. S. Sahoo, K. Bata, K. Naik, S. Ramasubbareddy, B. Balusamy, M. Khari, and D.
Burgos, “An Evolutionary SVM Model for DDOS Attack in SDN.”
 S. Velliangiri and H. M. Pandey, “Fuzzy-Taylor-elephant herd opti- mization inspired Deep Belief Network for DDoS attack detection and comparison with state-of-the-arts algorithms.”
 L. Chena, Y. Zhangb, Q. Zhaob, G. Gengb, and Z. Yanb, “Detection of DNS DDoS Attacks with Random Forest Algorithm on Spark.”
 M. V. de Assis, L. F. Carvalho, J. J. Rodrigues, J. Lloret, and M. L. P. Jr, “Near real- time security system applied to SDN environments in IoT networks using convolutional neural network.”
 Z. Liu, X. Yin, and Y. Hu, “CPSS LR-DDoS Detection and Defense in Edge Computing Utilizing DCNN Q-Learning.”
 Y. Gu, K. Li, Z. Guo, and Y. Wang, “Semi-Supervised K-Means DDoS Detection
Method Using Hybrid Feature Selection Algorithm.”
 L. A. Trejo, V. Ferman, M. A. Medina-Pérez, F. Miguel, A. Giacinti,
R. Monroy, J. Emanuel, and Ramírez-Márquez, “DNS-ADVP: A Ma- chine Learning Anomaly Detection and Visual Platform to Protect Top- Level Domain Servers Against DDoS Attacks.”
 H. Haider, A. Akhunzada, I. Mustafa, T. B. Patel, A. Fernandez, K.-K. R. Choo, and J.
Iqbal, “A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks,”
 E. A. Pérez-Díaz, I. A. Valdovinos, K.-K. R. Choo, and D. Zhu, “A Flexible SDN- based architecture for Identifying and Mitigating Low- Rate DDoS Attacks using Machine Learning.”
 N. Ravi and M. Shalinie, “Learning-Driven Detection and Mitigation of DDoS Attack
in IoT via SDN-Cloud Architecture.”
 R. Priyadarshini and R. K. Barik, “A deep learning based intelligent framework to mitigate DDoS attack in Fog environment.”
 K. V. V. N. S. Kirana, R. N. K. Devisettya, N. Kalyana, K. Mukun- dinia, and R.
Karthia, “Building a Intrusion Detection System for IoT Environment using Machine Learning Techniques.”
 S. Deya, Q. Ye, and S. Sampalli, “A machine learning based intrusion detection scheme
for data fusion in mobile clouds involving heteroge- neous client networks.”
 H. Haider, A. Akhunzada, I. Mustafa, B. Patel, A. Fernandez, K.-K. R. Choo, and J.
 S. Das, A. M. Mahfouz, D. Venugopal, and S. Shiva, “DDoS Intrusion Detection through Machine Learning Ensemble.”
 N. Zhang, F. Jaafar, and Y. Malik, “Low-Rate DoS Attack Detection Using PSD based
Entropy and Machine Learning.”